ML20114B562
| ML20114B562 | |
| Person / Time | |
|---|---|
| Site: | Oyster Creek |
| Issue date: | 06/30/1992 |
| From: | GENERAL PUBLIC UTILITIES CORP. |
| To: | |
| Shared Package | |
| ML20114B566 | List: |
| References | |
| NUDOCS 9208280381 | |
| Download: ML20114B562 (56) | |
Text
_
Oyster Creek ndividual Plant Examination Subm:ittal Report 1
-i t
i June 1992 l
l f
R DO K O O219 i
P PDR
!_a 4..a g
a 4
f s.
hae W
-4 4h.
2_,JJ,.4
.a_J 4
1.AasvJa.Aam_3..we 4A_a
.s.~me,5-_
w4 w.=4_T.
,1a O
OYSTER CREEK IPE SUBMITTAL REPORT JUNE 1992 O
l p-j I-c
q TABLE OF CONTENTS
}
1.0 Introduction.....................
1-1 1.1 IPE Approach and Scope.............
1 -1 1.2 I P E Te am.................................
1-1
. 3 Plant Documentation Sources
.........................1-1 1.4 Plant Familiarization......
1-2 1.5 Independent Review..........
1-3 1.6 Other PRAs Reviewed...................
1-3 1.7 Report Organization......
1-4 2.0 Res ults Summary........................................
2-1 2.1 Level 1 Analysis Results...
2-1 2.1.1 Initiating Event importance to Core Damage Frequency.............
2-2 2.1.2 System (or Top Event) Importance to Core Damage Frequency 2-3 2.1.3 Operator Action importance to Total Core Damage Frequency.......
2-4 2.1.4 Individual Sequence importance to Core Damage Frequency........
2-5 2.2 Internal Flooding Results...........
2-6 2.3 Level 2 Analysis Results...........
2-7 3.0 Application of the Generic Letter Screening Process............
...........3-1 3.1 Reportable Sequences 3-1 O
3.2 Vulnerability Screenir.g......................
3-2 G
4.0 Containment Performance improvement (CPI) Issues.......
41 4.1 Alternative Water Supply for Drywell SprayNessel injection 4-1 4.2 Enhanced Reactor Pressure Vessel (RPV) Depressurization System Reliability.
4-4 4.3 Emergency Procedures and Training..
45 5.0 Unresolved Safety issue A Shutdown Decay Heat Removal Requirements 5-1 6.0 Other Unresolved Safety Issues (USIs).................
6-1 6.1 Unresolved Safety issue A System Interaction in Nuclear Power Plants....
6-1 6.2 Unresolved Safety issue A Safety implications of Control Systems.
6-3 7.0 Generic Safety issues (GSIs)....
.................,.....7-1 7.1 GI-101 BWR Water Level Redundancy.........
7-l 7.2 Gl 105 Interfacing System LOCA at BWRs 7-4
(]m lPE I
05/29/92
1 l
TABLE OF CONTENTS (Continued)
%r 8.0 Conclusions and Planned Actions......................................
B-1 8.1 Level 1 P RA....................................................
8-1 8.1.1 Loss of Offsite Power............
.........................8 8.1.2 D C Powe r...............................................
8-2 8.1.3 Containment Spray / Emergency Service Water....................
8-3 8.1.4 Reactor Feedwater Control (RPV high level excursion).............
8-3 8.1.5 Operator Action Error Rates................
8-4 8.2 Leve l 2 P RA.....................,..............................
8-4 8.3 Schedule for implementation....
.. B-5 9.0 References...................
9-1 i
Appendix A, Contributors to System Failure..............
A-1 Appendix B, Contributors to Operator Error Rates......,......................
B p ts w
\\
IPE ii 05/29/92
LIST OF TABLES Table 1.1 1 Comparison of NUREG-1335 and OCPRA Report Fmmats...........
1-5 Table 2.1-1, initiating Event importance (Top 10 Contributors)....................
2-2 Table 2.12 Top Event importance (Ranked by independent Failure)..
2-3 Table 2.1-3 _ Operator Action importance to Total CDF........................
2-4 Table 2.1-4 Individuat Operator Action importance......................
2-5 Table 2.15 Top Ten OCPRA Core Damage Sequences.................,,.....
2-6 Table 2.2-1 Summary of Internal Flooding Results..................
2-7 Table 2.3-1 General Release Category Groups.....................
2-7 r
LIST OF FIGURES Figure 2.1-1 Calculated Total Core Damage Frequency........................
21 AU
- f"N g
IPE iii 05/29/92 I
.1.0 latroduction~
l The GPU Nuclear response to Generic Letter 88-20, " individual Plant Examination", Supplement -
1 is comprised of three reports:
1.
The IPE Submittal Report 2.
De Oyster Creek Probabilistic Risk Assessment (Level 1) 3.
The Oyster Creek Probabilistic Risk Assessment (Level 2)
The IPE Submittal Report (this report) serves as an overview summary of the methods and results
= of the level 1 and 2 PRAs, provides a cross reference ("roadmap") for locating appropriate sections of the level 1 PRA with respect to the requested IPE submittal format, and provides the documentation of the GPU Nuclear response to specific issues such as the loss of decay heat removal issue 'and resolution of selected USis and GSis, it also co t in a ns conclusions, recommendations and planned actions emanating from the IPE and planned schbuules for their implementation.
1.1 IPE Approach and Scope GPU Nuclear Corporation chose to respond to Generic Let'er 88-20, Supplement 1 by performing i level 1 and 2 PRAs for the Oyster Creek Nuclear Generating Station. The PRAs utilize state of the art techniques of the "large event tree - small fault tree" methodology. Recent advances in personal computer speed and calculational ability has allowed for the logic of the plant model to be entered as logic statements ar d eliminates the need for pictorial event trees. These logic statements (referred to as " rules file 'ar " modules") can be directly linked eliminating the need for support states. Details on the methods used in the OCPRA in the development and quantification of the plant model are presented in Section 7.1 of the level 1 PRA report.
The level 1 and 2 PRAs are considered full scope PRAs for internal events. A separate analysis
-using screening techniques was conducted for internal floods and is documented in Section 10 of the level 1 PRA report.
1.2 - IPE Team
' The study was conducted in a manner that maximized the use cf in-house personnel. GPUN in-
- house PRA analysts, engineers and operators who are familiar with the details of the design,.
controls, procedures, and system configurations were heavily involved in the analysis as well as the technical review. PLG Inc., as principal contractor, developed initial approaches on much of the analysis as well as provided guidance and assistance in using the PC software package, RISKMAN.
The makeup of the team differed depending upon the specific task or portion of the study involved.- A complete listing of participants is provided for each major work element in the Acknowledgement section in the level 1 and 2 PRA reports.
1.3 Plant Documentation Sources -
The development of the level 1 'and 2 PRAs required the collection and review of many sources IPE 1-1 05/29/92
.r
-li--
.y+
,e y w m
n
-w, tv 1.m K re -
M
--2---e*
---e7 e
sw
- T
' +-
k NN'
" - --T
f 1
of plant information and documentation. These sources included.
Final Updated Safety Anelysis Report (FSAR). The FSAR was used in the developunent of the plant model with emphasis on the plant response to design basis accidents. Also, the FSAR was used to determine the original list of systorns to be modeled.
Operation Plant Manual (OPM). The OPM provides details on system design, operatic'n and controls and was used extensively in the developmerd of the individual systems analyses and in the determination of system dependencies.
Emergency Operating Procedures (EOP). Emergency operating procedures were used in the development of the plant model and operator action analysis.
System Surveillance, Abnormal and Oparating ProcedJtes Were Ubod in the developnent of the individual system analyses as well as for the collection of system demands in the data analysis task. Abnormal and operating procedures were used in the human act!on analysis task.
Piping and Instrumsnt Diagrams (P&lDs) and Electrical Diagrams were used in the system analyses as well as in dete'.nination of system dependencies.
Transient Assessment departs (TARS) were used in the development of the plant model (actual data on plant respense to transients) as well as the data ana'ysis task (actual trip data).
Maintenance V!ork Orders (MWOs) and Switching and Tagging Requests were used in the data analysis task to provide plant specific component maintenance and failure data.
O TechnicalData Reports (TDRs) and ThermalHydraulic Calculations were used in the devolopment of success criteria cod integrated plant response to off normal events.
Each section of the level 1 and 2 PRAs contain a iist of the references used to oevelop the analysis.
1,4 Plant Familiarization Engineering knowledge of plant systems and integrated plant response to off normal events are essential elements of a PRA. The OCPRA team performed walkdowns of Oyster Creek at various points in the project to assure correct modeling of the plant and plant systems. Walkdowns estly in the projet.t assured familiarization of the OCPRA team with the general arrangement of the plant and plant systems. Walkdowns were also performed in support of the systems analysis, human action m.
' sis, plant modeling and the internal flooding analysis tasks.
General Walkdowns.
The first walkdowns performed by the OCPRA team consisted of generalized walkdowns to familianze the team with ine arrangement of the site and plant systems.
Systems Analysis Walkdowns. The first step in the preparation of the qualitative system analyses -
is the development of the system workbooks (Appendix F). System workbooks are developed using all available documentation of the system including FSAR, system descriptions (OPMs),
plant procedures (maintenance, testing, operation and abnormal), system drawings and plant IPE 12 05/29/92
-_=- -.-.
walkdowns. Following the review of all portin(nt information, plant walkdowns were performed by the responsible GPU systems analyst. These walkdowns were often performed with the O
assistance of knowledgeable plant engineers, STAS, and operations personnel. Also, system engineers responsible for the review of the OCPRA systems regularly walkdown the systems for which they are responsible.
Human Action Walkdowns. The OCPRA team members resporalble for the performance of the human action analysis task performed walkdowns to familiarlie 'homselves with the operator actions modeled in the OCPRA as well as to verify curator actbr, questionnaires. These walkdowns were performed with experienced operations personnel.
Plant Model Walkdowns. Knowledge of the integrated plant response to off-narme! arcots is essentialin assuring the validity of the plant mode!. Walkdowns were performed to verify impacts of initiating events, system interactions and system dependencies.
Internal Flooding Analysis Walkdowns. Initial wVswns were performed in the internal flooding analysis to verify component locations, collec1 source information, determine propagation paths and determine flooding impacts. Subsequent walkdowns determined the potential for flood mitigation including verification of flooding impacts, dral" system mitigation and operator intervention.
- Containment Walkdown. A walkdown of the containment was conducted to verify pertinent containment featuras and configurations. A videotace of the reactor vessel pedestal area and drywell was made and used for reference during performance of the level 2 PRA analysis.
1.5 Independent Review
- Level 1 PRA -
Two lndependent reviews of the level 1 study were performet one conducted by an independent in-hvuse review group consisting of managers of key organizations, and one performed by an external consultant. The purpose of the independent in-house review was to ensure the accuracy of the documentation and to validate the PRA process and its results. The external consultant review was conducted to ensure that proper PRA techniques were employed and that key issues were addressed. The results of these reviews are provided in Appendix D of the level 1 report.
Level 2 PRA
-Two independent reviews of the level 2 study were also performed: one conducted by an independent in-house review group consisting of managers and senior engineers.from key
' organizations, and one performed oy an extemal consultant. The results of these reviews are-provided in Appendix D of the level 2 PRA report.
1.6-Other PRAs Reviewed -
A number of othar PRAs were reviewed in conjunction with different parts of the study. The purpose of these reviews was to gain some knowledge of the approaches taken on certain issues in other studies and to compare results. Generally, these reviews were not fully IPE 13 05/29/92
comprehensive or done in great depth, but v!ere sufficiently detailed to grasp the essentials of the approaches and the conclusions or results. The principle contractor for the study, PLG c.,
g had extensive experience in performing PRAs and in reviewing other PRAs, and this experience W
and added perspectivo was applied to this study. Other PRAs reviewod included:
NUREG-1150, Peach Bottom and Grand Gulf Fermi Beznau TMI-1 Beaver Valley 2 Shoreham Millstone 1 a
Pilgrim in addition various NSAC reports, and specifically NSAC-152, "EPRI PRA Repository" were selectively reviewed; as were many NUREG reports and ANS Transactions.
Specific references that apply directly to varlaus portions of the analyses are listed in their respectiva sections in the icvel 1 and 2 reports.
1.7 Report Organization The level 1 PRA effort was begun prior to the issuance of Generic Letter 88-20, Supplement 1 therofore, the report organization differs from that described in NUREG-1335. A *Roadmap* which compares the NUREG-1335 format and the applicable sections of this report and the level 1 PRA report is provided in Table 1.1-1.
The level 2 PRA report is organized using the NUREG-1335 suggested format.
IPE 14 05/29/92
Table 1.1 1 Comparison of NUREG-1335 and OCPRA Repo-t Formats NUREG-1335 iPE Report (this report)
OCPRA (Level 1)
- 1. Execuuve Summary 1.1 Background and Section 1.0 Introouction ObjectNes 12 Plant Familiarlzation Section 1.4 Plant Fam'liarization 1.3 Overal! Methodology Section 2.0 Risk Model Development Process 1.4 Summary of Major Secticn 2.0 Resutts Summary Section 3.0 Major Results Findings Appenda C Detailed Resune
- 2. Examination Procesa 2.1 Introduction Section 2.0 Risk Mode Development Process 2 2 Conformance with Section 1.1 iPE Approach and Scope Generic Letter and Section 12 IPE Team Supporting Materiais Sect.on 1.3 Plant Documentation Sources ALL Section 1.4 Plant Familiarl.tation Section 1.5 Independent Review Section 1.6 Ot.5er PRAs Reviewed Section 1.7 Report Organization f
2.3 General Mebodology Section 2.0 Risk Model Development orocess
(
Seccon 4,1 Overview of the Data Analysis Process Section 5.1 Overview and Scope of Syvem Analysis Sen: tion 6.1 Operator Action Analysis Apptcach Section 7.1 Introduction to the Plant Model Section 8.1 Introduction to Endstates Section 9.1 Introduction to Uncertainty Propagation Section 10.1 Introduction to the intoma! Flooding Analysis 2 4 Information Assembly Section 1.3 Plant Documentation Sources Section 1.4 Plant Familiwization Section 1.6 Other PRAs Re iewed O
- 3. Front-End Analysis 3.1 Accident Sequence
, Section 7.0 Plant Model Delineation
- 31.1 initiating Events Section 7.2 Definition of initiat:ng Events 3.1.2 Front-Line Event Section 7,5 General Transient Module Trees Section 7.6 Loss of Feedwater Control Section 7.7 Long Term General Transient Module Section 7.8 Smal. LOCA Module Section 7.9 Large LOCA Module Section 7.10 Long Term LOCA Response i
IPE 15 05/29/92 l
l
NUREG-1335 IPE Repot1(this report)
OCPRA (Laval 1) 3.2.3 Special Event Trees Section 7.11 Pecovery Module 0.1.4 Suppod System Evant Section 7.4 Support System Module j
Trees Section B Plant Model Endstates 3.1.5 Sequence Grouping and Backend interiace 3.2 System Anahsis Section 5 System Analysis 3.2.1 System Descriptions Appendix F Individual System Anafyse.
3.2.2 System Analysis (tault Appendor f individual System Anatyees j
trees) 3.2.3 System Dependencies Appendix F individual System Analyses (dependence Section 7.3 Dependence Matrices matrices) 3.3 Sequence Quantification 3.3.1 List of Generic Data Section 4 Data Ana!ysis 3.3.2 Plant Specific Data section 4 Data Analysis i
and Analysis i
3.3.3 Human Failure Data Section 6 Human Action Analysis (Deneric and plant specific) 3.3 4 Common Cause Section 4.4 Common Cause Failure Parameters Failure Data 3 3.5 Quantification of Appendix F Individual System Analyses Unavailab;!ity of Systems and Functions 3.3.6 Generation of Surport Not applicabla in methodology used in OCPRA System States and quantification.
their Probabilities 3.3.7 Quantif. cation of Appendix C.5 Individual Sequence importance to Sequence CDF Frequencies 3 3.8 l.iternal Flooding Section 10 Intemal Flooding Arialysis Analysis 3 4 Results and Screening Section 2.0 Results Summary Section 3.0 Major Resu!ts Process 3 4.1 Application of Generic Section 3.0 Apphcation of the Genoric AppenGx C Detailed Resu!:s Letter Screening Letter Screening Process Process Section 3.1 Roportabie Sequences IPE 1-6 05/29/92
i 1
NUREG-1335 IPE Report (this toport)
OCPRA (Level 1) 3.42 Vulnerability Section 02 Vulnerabiltty Screening Screening s
s 3.4.3 Decay Heat Remov !
Section 5.0 UnresoNed Safety issue
~
Evaluation A45. Shutdown Decay Heat Removal Requirements 3.4.4 USl and GSI Section 6.0 Otho' UnresoNed Safety Screening issues (US!s)
Section 7.0 Generic Safety lasees
...?
(GSis)
W
- 5. UtHrty Participation a Section 12 iPE Team Section 1.1 Backgrour.d and Objo:tives Internal Revis y Team Acknowledgement Page 5.1 IPE Program Acknowledgement Page Organization 52 Composition of' Section 1.5 independent Rdview Appendix D Independent Review hdependent Review Team 5.3 Areas of Review and Appendix D Independent Review Major Comments Appondix D Independent Review 5 4 Reelution of Comments
- 6. Plant improvements and Section 8.0 Conclusions and Pienned
,\\
Unique dafety Features Actions
~
- 7. Summary and Section 5.0 Unresolved Safety issue Section 3.0 Malor Results Conclusions (including A 45 proposed resolution of Section G.0 Other UnresoNed Safety USie and GSla issutm Section 7.0 Geneiic Safety issues Secdon 8.0 Conclusions and planned Actions
.()'
IPE 1 -7 05/29/92 l
l
2.0 Results Gummary
^
The major results of this study are provided in Secticn 3 and Appendix C of the level 1 PRA report and Section 12 of the level 2 PRA report. Salient points are exceipted below.
2.1 Level 1 Analysis Ecsults 4
The calculated mean core damage frequency due to internal initiators in this study is 3.69x10 per year. The uncertainty due to dispersion in the input data, that is, uncertainty in the failure rate database, and human action error rates are reflected in Figure 2.1-1.
Figure 2.1 1 Calculated Total Cure Damage Frequency 1.00
~~
[l s
(
J
^
B 0.50 7
/
I
'%.).
L I
Y
[
j i
4 0.00 1.00E47 1.00E-06 1.00E45 1.00E-04 CORE DAMAGE FREQUEN0Y A detailed discussion of the uncertainty in the calculated total CDF is provided in Section 9 of level.1 PRA report, however Figure 2.1-1 depicts that the uncertainty due to input data results in a ca!culated core damage frequency (CDF) between 1.31x104 (5% confidence) and 9.82x10 4 4
(95% confidence). The point estimate mean core damage frequency is calculated to be 3.69x10 per year.
k IPE 2-1 05/29/92
2.1.1 lattiating Event importance to Core Damage Frequency There are a total of 28 initiating event groups modeled in the levc! 1 PRA. These are described
' in detail in Section 7.2 of the level 1 report. These initiating event groups can be categorized into
- three general types:
General Transient (15). Events that lead to a demand for a turbine or reactor trip but are not a loss of coolant accident.
Smallloss of Coolant Accidents (6). Loss of coolant accidents small enough to require ADS actuation to depressurize the reactor vecsel to ensure adequate core cooling using low pressure injection systems.
Large loss of Coolant Accidents (7). Loss of coolant accidents large enough not to require ADS actuation to depressurize the reacter vessel to allow adequate core cooling using low pressure injection systems.
A breakdown of the individual initiating events by importance is given in Table 2.1-1 for tha top 10 contributors.
Table 2.1-1 Initiating Event importance (Top 10 Contributors)
Description initiator Core Damage Percent Designator Frequency Contribution 4
Loss of Offsite Power LOSP 1.21 x10 32.6 %
Turbine Trip TT 4.C5x10'7 13.1 %
Reactor Trip RT 2.83x10'7 7.7%
MSlV Closure CMSIV 2.56x10'7 6.9%
Total Loss of Feedwater LOFW 2.09x10'7 5.7%
7 Loss of Condenser Vacuum LOCV 1.48x10 4.0%
Loss of TBCCW LOTB 1.47x10'7 4.0%
Loss of Intake Structure LOIS 1.20x10'7 3'.3%
Electric Pressure Reg.ilator Failure EPRL 1.19x10'7 3.2%
(Sensing Low).
Large Bdow Core Inside Containment LBI 1.08x10'7 2.9%
4 TOTAL (Top 10 Contributors)
ABOVE 3.08x10 83.6 %
IPE 2-2 05/29/92
2,1.2 System (or Top Event) Importance to Core Damage Frequency System importance provides the relative contributions of the systems modeled in the level 1 PRA to total core damage frequency. System top events reflect the individual tunctions mndeled in the level 1 PRA. Split fractions developed for each top event provide the probability of failure of a system to function as defined in the system success criteria (see Section 5 of the level 1 report),
Twenty-five (25) systems are modeled in the level 1 PRA. Individual system availability results are provided in Appendix F of the level 1 report. These systems (in addition to other special analysos) resulted in the development of 59 top events or system functions. Table 2.1-2 lilustrates the top ten system contributors to the total CDF and percentages of independent failure.
Table 2,1-2 Top Event importance (Ranked by Independent Failure)
Description Percent CDF" EMRV Closure 48%
4160 VAC essential Bus 1D 37 %
4160 VAC essential Bus 1C 37%
125 VDC Bus C 33%
125 VDC Bus B 31 %
Recovery from Loss of Of' site Power 26%
Core Spray 21 %
Reactor Scram 6%
4160 VAC Bus 1 A 5%
4160 VAC Bus 1B 4%-
o-The percent CDF listed is that percentage resulting from the summation of the frequency of all sequences involving failure of the top event. It represents the percentage decrease in the CDF that would result if the top event failure rate could be made zero. The sum of all percentages is' greater than 100% because more than one top event failure will typically occur in any given core damage sequence.
IPE 2-3 05/29/92
2.1.3 Operator Action importance to Total Core Damage Frequency j
This section describes the importance of operator actions to total core damage frequency. The operator betions modeled in the level 1 PRA, range from the normal post trip control of the plant, to Emergency Operating Procedure actions, to recovery from systemic or functional failures.
Detailed operator action failure rates are provided in Section 6 of the level 1 report.
Of the 66 separate operator actions modeled, many are functanally similar but have varying support systems out of service or changes in time available for performance of the action. For cxample, four (4) separate operator actions were modeled for the injection of boron following failure of the reactor trip function. Therefore,in actuality, there are only 34 functionally different operator actions.
A'l of the modeled operator actions contribute approximately 21% of the tot zl CDF. That is: if these actions could be made perfect (zero error rate) the total CDF would be reduced by 21%.
The operator actions are grouped into nine (9) general categories. These are presented below with their respective contributions to the total core damage frequency:
Table 2,1-3 Operator Action importance to Total CDF J
l c
i Group Description Percent Number CDF 1
Operator Actions During Normal 2.1%
g; Plant Trip Response W'
2 Operator Actions to Maintain IC 1.5%
Makeup j
3 Operator Actions to Establish RPV 4.3%
injection 4
Operator Actions to Remove 4.3%
Containment Heat 5
Operator Actions to Mitigate 2.3%
Reactor Scram Failure (ATWS) 6 Operator Response to Support 2.6%
System Failures 7
Operator Response to Recover 0.4%
from Actuation Logic Failures a
Operator Actions to Recover from 0.6%
Errors or Failures 9
Operator Actions to Recover 2.7%
Containment Heat Removal IPE 4
05/29/92
-l
~ Table 2.1-4 provides the top ten spec:fic operator actions in order of decreasing importance to total CDF.
i Table 2.1-4 Individual Operator Action importancs Group Description of -
Tot Number Failed Operator Actions CDF Contribution e-4 Initiation of Containment 2.76 %
Cooling 3-Core Spray (Manualinit! ate or 2.70 %
Injection with fire protection) 9 9.ccovery of DC power 2.50%
6 Recovery of Offsite Power 2.20 %
2 initiation of IC makeup 1.51 %
4-Containment Venting 1.47 %
3 ManualInitiation of ADS 1.23 %
5 initiation of Boron injection 1.22%.
Following ATWS.
5-Level and Power Control 1.08%
Following ATWS 1
Control of Post Trip RPV Level 1.03% ]
'2.1.4 Individual Sequence importance to Core Damage Frequency The individual requence importance to the total core damage frequency provides, in ranked order, the seqdonces which contribute significantly to the total core damage frequencyc This information provides insights into plant spedfic bahavior following initiating events wn:ch result in core damage. This perspective also reflec:s the initiating event importance and system importance highlighted in previous sub-sections.
Table 2.15 provides the top ten sequences of the level 1 PRA with their frequency, percent of total CDF, and cumulative percent of total CDF.
l g
IPE 2-5 05/E9/92
Table 2.15 Top Ten OCPRA Core Damage Sequences j
Description Sequence Percent of Cumulative j
Frequency Total Percent of CDF Total CDF Loss o i AC power (station 7.69x10'7 20.8 %
21 %
blackout) with failure of an EMRV to reclose.
Turbins 1,ip with loss of all DC power.
2.59x10'7 7.0%
28%
Reactor trip with bss of all DC powar.
- 2. t Ox10'7 5.7%
34 %
e inadvertent MSIV closure with loss of 1.23x10-7 3.3%
37%
all DC power.
Loss of offsite power with EMRV 1.16x10'7 3.2%
40%
l failure to close and core spray failure.
' Loss of TBCCW with EMRV failure to 1.04x10~7 2.8%
43%
close and core spray failure.
4 Large below core loss of coolant with 9.61 x10 2.6%
45%
failure of core spray.
4 RWCU Overpressurization with core
- 7. Gx10 2.0%
47%
spray failu e.
4 Loss of intake flow with EMRV failure 7.24x10 2.0%
49%
,(
to close and core spray failure.
4 Loss of condenser vacuum with ioss 6.52x10 1.8%
51 %
of all DC power.
2.2 Internal Flooding Results The level 1 flooding analysis (Section 10 of the level 1 report) made the observation that no flood could be identified which,esulted in' core damage due to the impacts of the flood alone. This then required each of the floods of interest to be quantified through the a revised version of the level 1 plant model, as opposed to estimating specific core damage frequencies for each scenario manually, as had been done in flooding analyses for some other plants.
Therefore, flooding frequencies were generated for 24 potentially significant floods, as detailed in Sections 10.5 (reactor building),10.6 (turbine build:ng) and 10.8 (other areas) of the level 1 report. Of these,17 can occur in the reactor building and 7 can occur in the turbine buuding.
Due to the approximate nature of the flooding data and the ?pproximations made in these calculations; the results describod below are judged to represent a bounding calculation, rather
' than the less approximato (that is, more rigorous) results shown for the internal event model, as described in Section 3 of the level 1 seport. In other words, the point estimate mean value of IPE 2-6 05/29/92
core damage frequency due to intomal floods is expected to be no higher than that shown
~q:
below At this bounding value, core damage due to intetnal flooding represents approximately
- h 5% of the level 1 core damage frequency, Overall, the damage frequency results from internal flooding initiators can be summarized as shown in Table 2.2-1, below.
Table 2.2-1 Summary of Internal Flooding Results Plant Damage Frequency Core from Floods in the:
Total Damage Reactor Turbine Building Building Frequency 4.60x10*
1,62x10'7 2.08x10'7 Percent 22%
78 %
100 %
of Total V
2.3 Level 2 Analysis Results Detailed analysis results are presented in Section 12 in the level 2 PRA report, in summary the individual release categories are binned into six major groups. See Table 2.51 beiow.
Table 2.31 General Release Category Groups General Release Description Percentage of Category Group CDF Analyzed
- IA Large, Early Containmunt Failures 15.8
.IB Bypasses 7.3 11 Small, Early Containment Failures 0.06 i,1 Late Containment Failures 26.3 IV Long-Term, Contained Releases 0.00 (containment intact following vessel breach)
V Vessel Breach Prevented 50.4 t
4
- CD: Analyzed = 3.17x10 per reactor year L
J As can be seen from this table, large early containment failures account for 15.0% of the CDF
- analyzed. Late containment tallures account for 26.3% of analyzed CDF, and vessel breach is L
expected to be prevented in 50.4% of the CDF analyzed. Containment bypass (2.11x10'7 per reactor year) accounts for 7.3% of the analyzed CDF.
O y
IPE 2-7 05/29/92 L
4 l
~
~. - -
3.0 Application of the Gene:sc Letter Screening Process The Oyster Creek PRA StiFzed a plant modeling approach that produces systemic core damage sequences. Therefo:e, the reporting guidelines in Section 2.1.6 of NUREG-1335 fnr systemic sequences were used.
3,1 Reportable Sequences The top ten systemic sequences which represent 51% of the total calculated core damage frequency are reported in summary fashion in Section 2.0 above and in Section 3.2,5a in the level 1 PRA report. A list of the top 100 scoraries (sequen00s) which represent 82% of the calculated e
core damage frequency are provided in tab!e C.5-1 in Appendix C of the level 1 report. Detailed narrative descriptions of 26 of the most important scenarios are provided in Sections C.S.1
.. through C.S.26 in Appendix C of the level 1 report.
Regarding the reporting guidelines in NUREG 1335 for systemic core damage sequences, the following points are noted:
1.
The top 100 sequences are reported in the level 1 PRA report.
2.
Only the top six sequences have frequencies greater than 1x10'7 per reactor year. See Table 2.1-5.
3.
Four sequences contribute more than 1x10* per reactor year to i
containment bypass frequency:
Sequence No. 8 -
RWCU overpressurization with core. spray failure (7.25x10* per reactor year).
Sequence No. 22 -
Loss of offsite power with SDV failure to 4
isolate and core spray failure (2.68x10 per reactor year).
Sequence No. 23 -
ISLOCA overpressurizatica of core spray with failure of core spray and feedwater 4
(2.48x10 per reactor year).
Sequence No' 25 -
Loss of feedwater with SDV lailure to isolate 4
and failure of ADS (2.18x10 per ' reactor year),
? All sequences are binned into plant damage states (PDSs) according to endstate characteristics.
. Then a set;of key plant damage states is selected for input (initiators) to a conteinment event tree (CET) which is phenomenologically based. The core damage sequences selected to represent each key PDS are described in Section 8 of the level 2 report. The CET sequences contributing
-p Q
IPE 3-1 05/29/92 s
l to each roloaso category are provided in Section 12 of the level 2 PRA report. All sequences with 4
frequenclos above 1x10 por roactor year are reported, 3.2 Vulnerability Scrooning 4
A vulnerability is definod as any core damage sequence that exceeds 1x10 per reactor year, or any containment bypat,s sequence or large early comtainment falluto coquence that exceeds 4
1710 por reactor year.
No vulnerabilitios were found. However, a number of potential areas for low cost improvements were identified that could enhance overall reactor safety. Those areas were identified by a review of:
1.
The detailed results contained in the I., vel 1 and 2 PRA reports.
2.
The contributors to system unavailability contained in Appendix F of the lovel 1 PRA report 3.
The contributors to oporator action error rates in Section 6 of the lovel 1 PRA report.
The results of the reviews for iterns 2 and 3 are contained in Appendicos A and B raspectively of this repo1 The conclusions and planned actions from the above reviews are provided in Section 8 of this report.
IPE 32 05/29/92
4.0 Containment Performance Improvement (CPI) lasuos
/~~N.
I
'Q In Enebsure 2 to Supplement i nf Generic Letter 88 20, the NRC staff Identified certain containment performance improvcments that could reduce the vulnerability of the Mark I containment to severe accident challenges, and requested licensees to consider these.
Improvements as part of the IPE. The specific improvements which the NRC staff requested to be considered are listed below:-
Alternative Water Supply for Drywell SprayNossel injection Enhanced Reactor Pressure Vessel (RPV) Dopressurization System Reliability Emergency Procedures and Training
+
The desirability of each of those improvements was evaluated for Oyster Creek. The results of the evaluations are reported in the following subsections.
4.1 Alternative Water Supply for Drywell SprayNe -
Injection The staff stated in Enclosure 2 of Supplement 1 to Generic Letter 88-20 that:
An important improvement would be to employ a backup or alternate supply of water and a pumping capability that is independent of normal and emergency AC
. power.- By connecting this source to the low pressure residual heat removal D.
(U system (RHR) as well as to the existing drywell sprays, water could be deitvered either into the reactor vessel or into the drywell, by use of the appropriate valving arrangement.
An vnate source of water injection into the reactor vessel would greatly reduce the likelihood of care melt due to station blackout or loss oflong-term decay heat removal, as wcIl as provide significant acci.hnt management capability.
Water for the drywell sprays would also provide significant mitigative capability to cool core debris, to cool the containment steel shall to delay or prevent its failure,
. and scrub airbome paniculate fission products from the atmosphere.
A review of some BWR Mark I facilities indicates that most plants have one or more diesel driven pumps which could be used to provide an attemate water supply.
. The flow rate using this backup water system may be significantly !ess than the
' design flow for drywell sprays. The potential benefit of modifying the spray headers to assure a spray were compared to having water run out the spray nozzles. Fission product removalin the small crowded volume in which the sprays would be effective was judged to be small compared with the benefit of having a water pool on top of the core debris.
A
.d.
IPE 41 05/29/92
A. Response: Alternative Water Supolv for Vessel Inicctiqr}
The Oyster Croek Nuclear Gonorating Station (OCNGS) curren'Jy has a low pressure fire protection water system which is independent of normal and emergency power. This system consists of two redundant diosel driven pumps which supply tho fire protection suppression
- water to Oyster Creek.
l Existing connections of the fire protection header to the core spray system can provide vessel Invento y makeup in long-term station blackout scenarios fonowing successful manua!
manipulation of several valves. Both divisions of core spray have a connection to the fire protection water header. Both the hardware and operctor actions tssociated with the cross-tie of fire protection water to core spray are modeled in the level 1 PRA performed for Oyster Creek, and thus the results reflect the benefits of this feature.
It should be noted that in many accident sequences the fire protection crocs-tie was conservatively assumed to take place too late to prevent core damage but timely enough and sufficient to prevent vessel breach. Tiris phonomena is modeled in the lovel 2 PRA in which an in vessel recovery event for those sequences in which the fire protection system was successfully aligned to the low pressure core spray. In vessel recovery is addressed by top even' VB in the level 2 PRA.
B. Response: Alternative Water Supply for Crvwell Sprays
- The OCNGS has no alternative water supply for the drywell spray system. The staff has stated that the benefits of a connection of are protection water to the drywell spray system are: provido a capability to cool core debris, to cool the containment steel shell to delay or provent its failure, and scrub airborno particulate fission products.
The results of the level 1 OCPRA indicate that those core damage scer;arios which result in "no
-water to the core debris" becount for 3.23x10# per reactor year of th' total core damage frequency of 3.69x10 per reactor year. Therefore, the "no water to core aebris" endstate 4
contributes 8.75% to the total calculated core damage frequency ' The addition of a connection between the fire protection system to the drywell sprays would not result in the complete elimination et this contribution, in f act, the sizable fraction of this percentage is a result of the failure of the fire protection pumps to operate and operators failure to align the system. Also, model conservatisms contribute an additional sizable fraction of this percentage. Therefore the addition of a connection between the fire protection water system and the drywell spray system would not significantiy reduce the contribution of the "no water to core debris" endstate. In f act, the decrease in contribution of the endstate "no water te core debris" as a result of the proposed modification would likely be less than 1x10, or less than 2% of the total 8.75% contribution.
The addition of a connection between the fire protection water system and the drywell spray system would provide no reduction in total core damage frequency since the fire protection The contribution of "no water to core debris" is determined by the addition of the contributions of all "xxHx" and "xxGx" plant damage states from Table C.4-2.
IPE 42 05/29/92
injection through the core cpray system is already availab!o. In actuality, the reduction in CDF would be zero since the additional flow paths for fire protection water would not provide water to the in-vessel core. The inciemental irnprovement in the ability to cool core debris ex-vessel is judged to minimal cirte core damage and subsequent vessel t, reach would allow fire protection injection threvgh core spray to exit the bottom of the reactor vessel through the same path as the exiting coriam and therefere provide. water to the debris.
Additionallyi since the e sisting fire protection water system is significantly lower in design flowrate
- than tne drvwell spray header, exiting water would not develop a full spray distribution, rather it would run out of the spray nozzMs. Without a fully developed spray, the capability to cool the containment shell is greatly reduced. It is highly likely that fire protection water exiting the hole in the vessel left by the exiting corium would provide a comparable degree of containment shell coohng because the drywell would rapidly fill to the he.s t of the torus downcomers. Also, a
without a fully developed containraent spray, fission product scrubbing effectiveness would be greatly reduced.
Despito - these shortcomings, soveral options for implementing this improvement were investigated.
Installation of an extension of the fire protection piping to the containment spray system upstream of the existing pump manual isolation and check valves, and the addition of two remotely operated motor or air operated valves.
Manual operation of one of these valves and remote operation of O'
a second isolation valve with extension of the fire protection piping to the containment spray system : upstream of the containment spray pump manual isolation and check valves.
Entirely local manual operation of both valves with extension of the fire protection piping to the containment spray system upstream of the containment spray pump manual isolation and check valves.
The most likely sequences in which fire protection water injection through the drywell sprays is necessary are long term _ station blackout events. The firr* two options which utilize motor or air operated valves would not provide assurance that the system could be operated following these events and therefore,- are not analyzed further.
Tho third option, entirely manual operation, would be acceptable for mitigation in these scenarios, however, the local manual operation of these valves would most likely occur post core damage and radiological dose would be a significant factor and thus shielding would be required as pan of this modification. The costs of this modification would be expected to be quite high.
'in summary, the installation of a connection between the fire protection water system and the drywell sprays is judged to have w limal benefit due to the fact that it would have no impact ca -
total coro damage frequency and c ny a minorimpact on the availabil.ity of water to core debris, j-containment shell cooling and fission product scrubbing. Because of these minimal benefits and the anticipated high costs, it was concluded that the modification would not be cost beneficial.
IPE 43 05/29/92
~.
OCPRA Refarences:
O 1.
Section 8, Plant Model Endstates, Section 8.3, Plant Damage States y
P.
Appendix C, Detailed Results, Appendix C.5, Plant Damage State importance 3.
Appendix F, System Analyses, Appendix F.5, Core Spray System 4.
Appendix F, System Analyses, Appendix F.19, Fire Protection System Analysis 4.2 Enhanced Reactor Pressure Vessel (RPV) Depressurization System Rellability in Enclosure 2, to Supplement 1 of Generic Letter 88-20 the staff has defined a containment improvement entitled " Enhanced Reactor Pressure Vessel (RPV) Depressurization System Reliability". The staff further states that:
The Automatic Depressurization System (ADS) consists of relief velves which can manually operated to depressurize the reactor coolant system. Actuation of the ADS valves requires DC power and pneumatic supply, la an extended station bla-kout alter station batteries have been depleted, the ADS wculd not be available and the reactor would be re-pressurized. With enhanced RPV depressurization system reliability, depressurzation of the reactor coolant system would have a greater degree of assurance. Together with a low pressure alternate source of water injection into the reactor vessel, the rt;njor benefit of enhanced depressurization reliability would be to provide an a6 tonalsource of core cooling which could significantly reduce the likelihood of h.
vessure severe accidents, such as from the short-term station blackout.
t l
l Another important benefit is in the area of accident tnitigation. Reduced reactor pressure would greatly reduce the possibility of core debris being expelled under high pressure, given a core melt and failure of thG reactor pressure vessel.
Enhanced RPV depressurization system reliability wculd also delay coraainment failure and reduce the quantity and type of fission products ultimately released to the environment. In order to increase the rellat.,ility of the RPV depressurization system, assurance ai electrical power beyond the requirements of existing regulations may be necessary. Performance of cables needs to be reviewed for temperature capability during severe accidents as wellI!: the capacity of the l.
pneumatic supply.
l Response: Enhanced Reactor Vessel Depressurization System Reliability Response l
The Oyster Creek Nuclear Generating Station Automatic Depressurization System (ADS) consists of five electromatic relief valves w~nich may be manuelly operated to depressurize the reactor pressure vessel (only three of the five need to open to ensure successful ADS). The system is designed such that only DC power is required for its operation; no pneumatics bre required.
IPE 44 05/20/92
in extended station blackout scenarios, the batteries are not expected to be depleted for at least W
three hours. The likelihood of an extended station blackout is significantly reduced by an
(
altomate AC cource connection which is scheduled for implemsntation in the 14R refueling outage. The current system design'a.4d the planned addition of an alternato AC source are judged to provide e.n enhanced RPV depressurization system reliabilie at Oyster Creek.
4,3 Emergency Procedures and Train'ng in Enclosure 2 of Supplement 1 of Generic Letter 80 20 the staff has defined a containment performance improvnent entitled " Emergency Procedures and Training". The staff states:
NRC has recently reviewed and approved Revision 4 of the BWR Owners Group EPGs (General Electric Topical,'.. port NEDO-31331, BWR Owner's Group
- Emergency Procedure Guidelines, Revision 4,* Maruh 1987).
Revision 4 to the BWR Owners Group EPG is a significant improvement over early versions i, hat they continue to be based on symptoms, they have been simplified, and all open items from provious versions have been resolved. The BWR EPGs extend vell beyond design basos andinclude many actions appropriate for savoro accident management.
The improvement to EPGs is only as good as the plant specific EOP implementation and the training that oporators receive on the use the improved procedures. The NRC staff encourages licensees to implement Revision 4 of the EPGs and recognize the need for oroper implementation and training of operators.
'Q Response: Emercenpy Frocedures and Trainina The Oyster Creek Nuclear Generating Station has implemented Dvision 4 of the EPGs. These procedures are trained on extensively and as such this CPI issua is considered implemented.
The operator actione associated with these procedures are modeled in the PRA. See Section 6, Human Action Analysis, of the level 1 PRA report.
IPE-45 05/29/92 g
5.0 Unresolved Safety lasue A 45 Shutdown Docay Hort Removal Requirements Gonoric Lottor 66 20 states that *You should ensure that your IPE particularly Idantifies decay hoat removal vulnerab/lities.", and considor the docay heat removalIrwlghts provided in Appondix 5 of the gonoric lotter. The response to the Unrosolved Safoty issuo / 15 is given below.
Response: Untosolved Safety issuo A-45 The loss of decay heat removal at Oystor Crook requires the falluto of the following decay hoat rejection paths:
Docay Hoat Romoval Through the Main Condonsor. This path is tho normal pa'h for decay host romoval and normal shutdown. Uso of this docay heat removal path requires that MSIVs are opon and that the main condonsor and its support systems are availablo.
Decay Hoat Romoval Through the Isolation Condonsor. This docay heat romoval path is utilized following roactor isolation transients whoro olther the
-main condonsor is unavailablo or MSIVs aro closod. This path requires succo :sful initiation of 1 of 2 isolation condonsors and successful long term sholl sido makeup from olthor the condensato transfer system of the firo protection water system. In this path, decay heat is dischargod to tho atmosphoto via boll-off of shell sido inventory.
Docay Hoat Removal Through Containmont Spray /Emorgency Servico Wator.
Should the Isc'11 tion condonsors or their support fall, core docay heat is i
dischargointo the containment through tho operation of rotief or safety valvos or through the break in the event a LOCA has occurred. The docay heat is removod by the containment spray /omorgoney servico water system to the intake canal.
Docay Hoat Romoval Through tho Hardoned Vant. Thu. Jocay heat romoval
=
(
path utilizes the hardoned vont system folhwing the failure of the containmo".t spray /omorgency servico water t tem when docay heat is boing rejected to the containment.
Decay heat is discharged to the atmospliero via th9 hardoned vont p. ping and the plant stcck.
The level 1 PRA mndels successful mitigation as 'ho vanous combinations of reactor vessel inventory makoup and the above decay heat remow Nojection pathways. Soction 8.2 of the levol
~ 1 report presents the completo success ondstato pa'hs. Mnimal ciodit is taken for human action recoveries. Appendix B.4 outlinos the rocovery of containment heat removal. Section 7.11 (Recovery Module) of ti e lovel 1 report identifies tno applica4on of the r]covery in the plant model.
Falluto to for
.a docay heat is reflected in the icvol 1 PRA damago states which consist of the designator xLHx where tha "x" represents any charactor and the "LH" represents the loss of all containment decay heat removel. Thoroforo, the sum of the "xLHx" damago states represents bg IPE 51 05/29/92
the probability that coro damage would occur due to the fallure of the decay hoat romoval 7
function. This value is given in Appondix C of the level 1 report, Table C.4 2, as 1.46x10 por reactor year and represents 3.96% of the total calculated coro damage frequoney. This value is considorod low and thus A45 is considorod closod.
OCPRA Roforencos:
1.
Plant Model, Sortion 7.11, Rocovory Modulo 2.
Endstato Ansignment, Section 8.3, Plant Damage Statos 3.
Rocovery from a Loss of Containment Hoat Ro.mova., Appondix B.4 4.
Detailed Results, Appendix C.4, Plant Damage Stato importance 5.
System Analysis, Appondix F.25, Containment Vent O
IPE 5-2 05/29/92
6.0 Other boresolved Safety issues (USis)
NUREG-0933 was reviewed to dolormino those untosolved and generic safety issues which wore treatable by probabilistic techniques. The following unrosolved safoty issues (USts) woro dotormined to be directly treatablo by PRA techniques and could be readily addressed by the Oyster Crooi PRA models and/or results:
A 17 Systom intoraction in Nuclear Power Plants A-47 Safety implications of Control Systems The abovo issuos are treated separately in the sub sections below. In some casos the issuos are treated by rotorenco to specific sections of the OCPRA. In other casos additional analysis was required to address the issue and this analysis appears in the individual subsoctions.
G.1 Unrosolved Safety issuo A 17 System intoraction in Nuclear Power Plants Gonorle Letter 8917 ontitled, Rosolution of Unrosolved Safety issuo A 17,
- Systems interactions in Nuclear Power Plants' informs licensees and applicants of the final resolution of A 17. In onclosuro 1 the staff outlinos the actions required by the licenseos. The actions which are appropriate to Oyster Croek and treatable by PRA techniques, as stated in the gonoric letter are given below. It should also be noted that Generic Safoty issuo 77, f loding of Safety Equipment Compartments by Backflow throu0h Floor Drains has boon subsumed into USI A 47 and is also addressed in the following paragraphs.
(a) Water Intrusion and Floodino From intomal Sources As part of the resolution of USI A 17, the staff has identified that water intrusion and flooding of equipment from intornal plant sources may result in risk significant adverso systems intoraction. Such events could cause a transient and could also disable the equipment nooded to mitigate the consequence of the event. The appendix to NUREG-1174 (reforance 1) providos insights regarding plant vulnerabilities to flooding and water intrusion from internalplant sources. it is expected that those insights will be considered in implomonting Generic Letter 88 20 [ Individual Plant Examination (IPE)] which includes an assessment of infomal hooding.
The staff continues and states:
(c) Probabilistic Risk Analvsos or Other Systematic Plant Reviews Existino Plants The Commission's Savoro Accident Policy, 50 FR 32128 (August 8,1985), calls for all existing plants to pedorm a plant specific scarch for vulnotabilities. Such scarches, referred to as individual plant examinations (IPEs), involvo a systomatic plant review (which could be a PRA-type analysis). NRC is issuing guidance for performing such
.gQ IPE 6-1 05/29/92
roviows. One subject aroa to be troatod by the IPEs is common-causo failuros (or dopondant failuros), USI A-17 recognizos that ASIS ato a subsot of this broador subject aroa and, thorofore, is prov' ding for the dissomination of tho insights gainod in the A 17 program for uso in the IPE work.
A. Resolution: Wnter Intrusion and Floodina from Internal Sources Tho.ovel 1 OCPRA contains a scrooning analysis of the probability of coro damage to internal flooding. Th..a analysis is presented in Section 10 of the levol 1 PRA. The upper bound of coro damaDo frequency duo to internal flooding at Oystor Crook is 2.08x10# por reactor year. The analysis considered the frequency of internal pipo broaks and the offect of the resulting flood and its propagation. The frequency of tho floods and resulting fallod systems (impacts) woro incorporated into a 'tooding version' of the internal events model. Limited credit is assessed for mitigation in the form of operator actions. No vulnorabilitics were identified in tho Oystor Crook 4
J flooding analysis.
Also, part of the Oystor Creek bounding flooding analysis, backflow through floor drains j
(proviously, Generic issue 77, Flooding of Safoty Equ!prnent Compartmonts by Back Flow Through Floor Drains) was considorod. During Phase 2 *Definitinn of Flooding initiating Evonts",
component and sourco location information was used to defino the internal flooding initiating ovents including associated propagation paths and impacted equipment. The propagation paths included the potential for backflow through drainage pathways. Also, Phaso 4
- Mitigation of Significant Flooding Sconarios" investigated the potential for the mitigation of individual flooding scenarios and includod credit for drainage system isolation and operator intervention. The probability of drainago isolation failure was also incorporated into the flooding study, No vulnerabilitics wero identified. Although flooding events do not contributo significantly to total calculated coro damago frequency a ro'ommendation for a chango to plant procedures is expected to improve operator responso to internal flooding events. Soo Conclusions and Planned Actions section of this report.
B. Resolution: Probabilistic Risk Analyses or Other Systomatic Plant Reviews The Oyster Crook PRA analyzos the offect of common-causo failures extensively. Plant specific dat$ is collected on components modeled in the OCPRA and common cause failures were also invr stigated on a plant specific basis. Plant specific data collection consisted of the review of
- maiatonance work orders, switchir,g and tagging requests, licensco event report (LERs) and transient assessment reports (TARS). Details on the plant specific and generic data as well as methodology used in the assessment of common-cause data are presented in Section 4 of the lovel 1 PRA report. Each system of the PRA (Appendix F.1 through F.25) presents the application of plant specific and common-causo failures. On the basis of the abovo, this issue is considered cbsod.
IPE 62 05/29/92 A.
.- -a
OCPRA
References:
U 1.
Section 10, internal Flooding Analysis, all sub sections 2.
Section 4, Data Analysis, all sub-soctions 3.
Appendix F, Individual System Analyses, F.1 through F.25 t
6.2 Unresolved Safety lasue A-47 Safety implications of Control Systems Genoric lotter 89-19 ontitled, Request for Action Related to Resolution of Untosolved Safety issue A-47,
- Safety implications of Control Systems in LWR Nuclear Power Plants" Pursuant to 10 CFR 50.54(f) states:
As a result of the technicalresolution of USI A-47, " Safety Implications of ControlSystems in I.WR NucIcar Power Plants", the NRC has concluded that protection should bo
+
provided for cortain control system fallares and that selected omergancy proceduros
. should be modified to assure that plant transients resulting from control system failuros do not compromiso pubilo safety.
The staff further statos:
... all BWR plants should provido automatic reactor vossal overfill protection, and that plant proceduros and technical specifications for all plants should include provisions to varity parlodically the oporability of the overfill protection and to assure that automatic overfill protoction is available to mitigato main foodwater ovorfill avants during reactor power operation....
Resolution: Unresolved Safety issue A-47 The level 1 OCPRA plant model addresses r9 actor overfill events. Both an initiating event entitled
" Loss of Foodwater Control (LOFC)" and a top event " Control of Feedwater (RF)" are assessed.
The initiator is modeled as the result of a failure of the main feedwater control system while at power operation. The top event modols the failure of foodwater cotilrol system (Iow level seldown) following all other initiators modeled in the PRA. The initiating event (LOFC) and the failure of the top ovont (RF) result in a demand for the automatic closure of the MSIVs on either high steamline flow or low steamline pressure. The automatic MSIV closure on high flow is the assumed result of two phase flow passing through the steamline venturis. Should this fall to cause automatic closure of the MSIVs, the main steamline pipe downstream of the MSIV is assumed to rupture due to the loads associated with two phase flow through the steamline. The rupture of the steamline creates a demanC for the automatic closure of MSIVs on low steamline pressure.
Following a loss of foedwater control and failure of tho MSIVs to close a loss of coolant outside the containment is assumed to occur. Spatial impacts of the induced loss of coolant accident are in turn assumed to result in the loss of safoty related equipment either in the reactor or IPE 6-3 05/29192
z,1N, A&qp istalls of the modeling of the loss of foodwater control Initiator are available
/ o of tno lovel 1 PRA report.
m - '
l it, W. PRA reports total calculated core damage due to this induced loss of coolant accident as 8.38x10 per reactor year (PRA level 1 report Table C.1-1a) from the loss of 4
4 toodwater control (LOFC) initiating event and 4.06x10 por reactor year from failure of top event RF for a total core damage frequency due to overfill events of 1.24x10'7 por reactor yoar. This 2
corresponds to approximately 3.4% of the total calculated core damage frequency. While the contribution to coro damage frequency is low, the likolihood of the initiating ovent and the f ailure of the operator to recover before significant damage to the main steam lines (estimated to be approximatoly 3x10'3 por reactor year ) is judged to be high enough to warrant plant changos.
3 Thorofore, while the loss of foodwater control is not considered a vulnerability from a coro damago standpoint, the transient could pose a considerable oconomic loss in terms of damaged equipment and unit down timo. Thorofore, Oyster Crook currently plans to install a Roactor Overfill Protection System (ROPS) in 15R refueling outage.
OCPRA
References:
1.
Section 7.6, Loss of Feodwater Contrni Module 2.
Section 7.5, General Transient Modulo, Top Event RF 3.
Section 3, Major Results 4.
Appendix C, Dotalled Results O
2 Contribution of top ovent RF is calculated by multiplying its independent top event importance from Table C.2-1 (Appendix C of the level 1 PRA report) by the total core 4
damage frequency (1.1% of 3.69x10 ).
3 Estimato based on the product of LOFC initiator frequency and split fraction RF1 (operator fails to recover from feedwater regulator valvo lockup).
IPE 6-4 05/29/92
1 7,0 Generic Safety issues (GSis)
/\\b NUREG-0933 was also reviewod to dolormine which generic safoty issues (GSis) wero treatable
+
by probabilistic techniques. The following generic safety issuos (GSis) were dotormined to be treatable by PRA techniques, and could be readily addressed by the Oystor Crook PRA models and/or results:
GI-101 BWR Water Lovel Redundancy GI-105 Interfacing System LOCA at BWRs The above genoric safety issues (GSis) are addressod in individual sub-soctions below.
7.1 GI 101 BWR Water Lovel Rodundancy The staff has indicated in NUREG-0933, Supplomont 10, that a break in a single water levol instrumont reference line wil1 causo a falso *high" level indication and will result in all Instrumentation which utilize that reforonw column to indicato full scale high. The subsequent transient may occur without safety system actuation. Also, a singlo failure of the second referenco column may completely disable safoty systems.
The Oyster Crook reactor vossol water level measuremont employs two general systems: a cold leg system and a heated reference log system with each of those systems containing two referenco legs. Soveral reactor water levol subsystems are associated with the two roference log system. These are:
D
. Cold Roference Loa Heated Refotonce Loa Low vossol lovel Wide range GEMAC lovel Narrow range (GEMAC) level Contro: tcom vossol level Low-Low vessel lovel Barton low-low-low lovel Fuel zone level Those subsystems utilize differont differential pressure and lovel transmittors and actuato various Oyster Crook systems including indication, ECCS, turbine and reactor protection systems and foodwater control. The cold and heated reference leg water level measutomont systems are discussed under individual headings below.
Cold Reference Log System All GEMAC instruments are connected to the cold reference leg system. The wide range GEMAC provHes level indication in the control room in the range of 70 to 430 inches above the top of active fuel (TAF). No automatic actuations are associated with the wide range vessel level GEMAC instrument (LT 1 A12). Two narrow rango levol GEMAC instruments provide indication in the range of 90 to 186 inchos abovo TAF in the control room on panel 4F (foodwatcr controller) and on panels 5F/6F. The two narrow range lovel instruments utilize the cold reference log system and are density compensated. The narrow range GEMAC instruments provide input to the feedwater control system.
IPE 71 05/29/92 y
t.-
,.e w-y
Tho low-lowlow level Barton instruments (RE18A through RE18D) provido indication on instrument racks RK01 and RK02 in the rango of 56 to 206 inchos above TAF. The Bartons input lovel signals to various control and logic circuits to initiate the following actions: RBCCW to drywellisolation and Automatic Depressurization System (ADS) actuation as well as low-low low levol alarms. The Barton instrumonts utilize the cold log referenco system.
The fuel zono lovelinstruments are off during normal power oporation and havo no indication or automatic actions associated with thom and as such they are not discussed further in this analysis.
Given the above configuration a cold referenco log falluto will causo GEMAC instruments to indicate high which will result in a foodwater runback and subsequent reactor trip on vossollow lovel sensed on tho heated referenco log lovel system. All RPS and ECCS systems romain unaffected by the failure of the cold log vossollovel moasuromont system and the plant response to the transient is similar to that of a partialloss of foodwater ovent. Coincident failure of the heated log referenco system 13 accounted for in tho OCPRA model by tho top event RL which models failure of low-low levellogic consors, transmittors and relays. Other actuation system failures are also modoled in the OCPRA including tho failuro ol high RPV pressuro (at top ovont PR) and high drywell pressure (at top event DP). As such this ovont is considorod accounted for by the partial loss of foodwator initiator in the lovel 1 OCPRA (Soo pago 7.2-6) which contributos a calculated coro damage frequency of 7.00x10* por reactor year or 2.1% of total CDF. (Soo Tablo C.11a of the lovol 1 OCPRA).
Hoated Reference Log System The low roactor water vossol level instrumonts (RE05A and B) provide lovel Indication in the controlioom over the rango of 85 to 185 inches abovo TAF. Thoso instruments support a turbino trip at 175 inches abovo TAF and a roactor scram (and low lovel alarm) at 138 inchos abovo TAF.
Tho low lovelinstruments utilize tho heated rotorenco log system.
The control room vessel lovel instruments (RE-05/19A and B) provido analog indication in the control room (panels 5F/6F and 18R and 19R) over the rango of 85 to 185 inchos abovo TAF.
A digital indicator on panol 4F Indicates over the same rango. Thoso instruments are supplied by the samo variablo and reference logs (heated log ioferenco log system) as the low vossellovel instruments and provido an automatic turbino trip (at 175 inchos) and a rcactor trip (and low level alarm) at 138 inches.
The low low lovel instruments (RE-02A through D) provido lovel indication in the control room (panels 18R and 19R) over the rango of 85 to 1C5 inches abovo TAF. These instruments automatically actuato the following:
Coro Spray System Reactor Isolation Recirculation Pump Trip Standby Gas Treatment System Isolation Condonsor Diosol Generator Start Alternato Rod insertion (ARI)
IPE 7-2 05/29/92
Those instruments are suppliod by the same variable and reference logs (hoated log referenco systom) as the instruments RE05A/B,19A/B.
Given the above configuration of the Oystor Croek reactor vossollovel measutomont systems a heated log reference log failure will result in flashing of the reference log such that allinstrument subsystems will road offscale high. An automatic turbine trip (at a sensed reactor wator lovol of 175 inchos above TAF) will result in an automatic reactor trip on turbino stop valvo closure.
Although two channels of actuation logic are failed due to the single reference lino failure, RPS and ECCS equipment which actuates on low low RPV lovel will automatically actuato on the romaining two channols. A single failure of the romaining channels would disablo ECCS automatic actuation, however the main foodwater system and lovel indication (GEMAC subsystems) romain availablo. Isolation condonsors initiate following the pressure spike due to the closure of the turbino stop valvos (high pressure actuation logic romains unaffected by the loss of the hoated log reference system).
Thoroforo, a heated reference log failuro and a singlo failure will not result in coro damage.
Foilowing a heated reference log failuto, without an additional single failure, ECCS systems will automatically actuato and, in any scenario, manual operator action to initiato ECCS systems romains an option. Since the loss of reactor coolant from the reference lino remains within the capability of the CRD, and the CRD system romains available during this event, the heated reference log failure most closely resembles a turbine trip with coincident degradation of the low low level actuation logic.
The frequoney of a turbine trip coincident with a random failuro of the reactor low low levollogic is modelod with the turbino trip initiating event contributing approximately 13.1% or 4.05x10' to O
total coro damage frequency. The independent failuto contribution of the reactor low low levol logic to total coro damage frequency is insignificant (0.00%),
However, the level 1 OCPRA does not specifically model turbine trip with heated log reforonce lino break (l.o. with coincident degradation of the low low level logic).
Thoroforo, a roquantification of the OCPRA model was performed for the turbine trip initiating event with the reactor low low levollogic (top ovent RL) cons;rvatively set to a guarantood f ailure. Although the probability, order and composition of individual sequences did change as_ a result. of the toquantibcation, the total calculated coro damage frequency did not change.
Nono of the significant contributors or conclusions were altered by the model.run. As such this transient is considorod bounded by the original OCPRA and no vulnerabilitios have been identified.-- This issue is considered closed.
OCPRA
References:
1; Section 7.2, Dofinition of Initiating Events, Page 7.2-6, 2.
Appendix C, Detailed Results, Table C.11 A.
3.
Section 7.3, Dopondenco Matrices, Tablo 7.3-10.
IPE 73 05/29/92 i
ii.
l 7.2 Gl.105 Interf acir.g System LOCA at BWRs Appendix B.3 of the OCPRA, Interfacing Systems LOCA Analysis (ISLOCA), prosonts the methods and results of the Oystor Crook plant specific ISLOCA analysis. The QCPRA interfacing loss of coolant analysis found two systems which have tho potential to create an ISLOCA. Those are:
d Coro Spray Roactor Wator Cleanup System (RWCU)
The OCPRA ISLOCA analysis determined the frequency of the various potential failuros and incorporated thoso frequencies and impactw into the plant model in the form of initiating ovents.
A summary of the findings are presented below:
Core Spray The coro spray system has a design prossure of 400 psig. The boundary for the design Prossure chango to RPV design pressure occurs at the (normally opon) common dischargo valvo for each loop, with the parallel isolation valves acting as the actual pressure boundary betwoon RPV and coro spray system pressure.
The system is normally lined up with both parallel isolation valvoo closed in each loop Parallel isolation valve failure is mitigated by the prosonce of parallel tostable check valvos, both of which must seat to isolate the system from reactor operating pressoro if eithor parallo! Isolation valve fails.
Following failuro of at least one parallot isolation valve and at least ono testable check valve to seat, system overpressurizathn protection is provided through a 2 inch reliof valvo, which roliovos to th3 reactor building equipment drain tank. Ovorflow of this tank can load to spatial interactions with equipment in the southwont corner room.
The initiating event, small below core and outsido the drywell LOCA (EBO), is incorporatoo into the plant modol. The probability of an i3LOCA due to failure of the coro spray sys'.om oue to overptcssurization (SBO) is 2.86x10 per reactor year. The potential for the core spray system 4
to rupturo is also analyzed. Soo Appendix B.3, Section B.3.4 of the level 1 PRA report for the-calculation of the total SCO frequency calculation.
Reactor Water Cleanup System (RWCU)
The reactor water cleanup system has a design pressure of 150 psig. Fo! lowing failure of the pressure regulating valvo and the automatic system isolation function the system will Un;solated LOCAs which are not induced by overprossuritation such as unisolated d
LOC As outside the containment and the scram discharge volumo (SDV) failure to isolato (discussed in Appenoix B.3) are not considorod ISLOCAs: rather they are considered isolation failures and are incorporated into the model as containment bypass events.
05/29/92 IPE 74
overprossurize. The subsequent falluto of the reactor water cleanup system due to ovorpressure results in throo possible outcomes.
The first outcomo of RWCU overpressurization is the dischargo of reactor coolant to both the reactor building equipment drain tank through a one Inch relief and to the torus through a clx inch roliof valvs. Due to the uniquo combinations of impacts for the discharge of roactor coolant to the roactor building (RBEDT is located in the southwest cornor room) and the largo dischargo to the torus, the initiating event defined as a largo below core I.OCA insido/outside containment (LBIO) consisting of RWCU overpressurization, was incorporated into the plant model. The 4
4 frequency of LBIO initiating event is 8.23x10 por reactor year (point estimato) or 8.37x10 por reactor year (monto carlo calculation). See Section B.3.3 of Appendix B.3 of the level 1 PRA report.
The second outcomo of RWCU overpressurization is the discharge to the torus with failure of the ono inch reliof valve. This RWCU ovorprossurization impacts the plant in a similar mannor to the largo below coro LOCA and inside the containmont. However, due to its low frequency of occurrenco (2.7x10*) this event !s presented for information only and not considered in the plant model.
The third outcomo of RWCU overpressurization is the failure of system piping (due to the failure of adequate rollof). However, due to the low frequency of occurronco of this event (1.08x1042)
It is prosonted for information only and not considered in the plant model.
Total intortacing System LOCA (ISLOCA) Frequency An interfacing systom LOCA is defined as a loss of coolant dm to iho failuro of low pressure system piping due to the pressurization by high prossuro systems. In the Oystor Crook model, v
those ISLOCAs do not include loss of coolant accidents which are outsido the containmont and not duo to overpressurization. Initiating ovents for unisolated LOCAs and SDV failure to isolato are not includod. Tholofore, the frequoney of ISLOCAs at Oyster Crook is oqual to the sum of:
Core Spray System Overpressurization (SBO) 4 Discharge to RBEDT 2.86x10 Piping or Pump Seal Failure 5.58x10'"
Reactor Water Cleanup System Overpressurization (LBIO) 4 Discharge to Torus and RBEDT 8.23x10 Dischargo to Torus Only 2.70x10*
System Rupture 1.0Sx10 z a
( TOTAL ISLOCA FREQUENCY 1.11 x10 5
. The ISLOCA frequency is incorporated in tho plant model as contributors to the small below coro and outside (SBO) and large above and below core (LBIO) LOCA initiating events.
IPE 75 05/29/92
ISLOCA Contribution to Total Core Damage Frequoney The contribution of ISLOCA to the total coro damago froquoney is calculated by the sum of the SBO LOCA (due to core spray system overpressurization) and the LBIO LOCA contributions.
4 The contribution of the SBO iniiNtor to total calculated coro damage is 2.64x10 per reactor year or 0.7% of total coro damago frequency. The contribution of the LBIO initiator to total coro damage frequoney is equal to 7.70x10* per ronctor year or 21% of total coro darnage frequoney.
Thorofore, the total contribution of IDLOCA to coro damagu f;oquoney is'
\\
SBO (dvo to coro spray system overpressurization) + LBIO =
2.64x10* + 7.70x104=
1 1.03x10# por reactor year or 2.8% of total CDF No vulnerabilitios woro identified and as such this issuo is considorod closed.
OCPRA Referencos:
1.
Appendix B.3, Interfacing Systems LOCA Analysis.
2.
Appondix C, Dotallod Results, Tables C.1-1b and c.
O IPE 76 05/29/92
- _ _. ~.-- -- - -
8.0 Conclusions and ~ lanned Actions This soction presents the lovel 1 and 2 PRA conclusions and planned actions in individual subsec'ior.s below.
8.1 Levol1 PRA The results of this study indicate a total calculafsd point estimato mean core damage frequoney 4
from internal initiators from at power conditions to be 3.69dO por year, which is comparablo to other BWRs. Generally, this reasonably low value is concluded to be due to the many ways (success paths) available to cool the coro at Oystor Creek. In addition to the normal heat rejection paths to the main condensor under post trip conditions, the plant is equippod with two redundant isolation condonsors (ICs) which initiato indopondent of AC power in the ovont of reactor isolation. Multiple makeup sources, condensato transfer and fire protection water (suppliod from electric driven or diosol driven fire pumps) make this a very reliable long term means of tomoving docay heat. If ICs become unavailable, EMRVs can be used to reject heat to the torus for extended periods without cooling. With torus cooling and an RPV injection source this heat rejection path can be maintained indefinitely. Even without cooling, a hard piped vont (planned for installallon in 14R) can be used to protect from a containment overpressure and is sizad to removo suffielont decay heat to prcelude core damage provided a RPV makeup sourco is available. Under LOCA conditlans, two fully rodundant coro spray systems can be used. Other makeup sourcos include feodwater, and under low RPV pressuro conditions the condensato system can provide rnakeup througn the fcedwater system or fire protection water can bo injected through the coro spray system. This vorsatility providos numorous success paths for cooling the core, all of which have boon incorporated into the croceduros. In addition, operators are trained extensively on their use.
The study found that lossos of offsite power events are important contributors to co, amago frequency. This is amotiorated, to some extent, by a reasonably reliable onsite system and an altornate AC source (combustion turbinos located on the Forkod River site) which can be used (atfor 14R) la the ovent of a station blackout.
l The study also affirms the importanco of DC power as tho source of control power for.much of l
the plant equipment. While DC sources are generally relicble, the consequences of their failure L
are very difficult to cope with, and thus battery maintenance and monitoring continue to be important.
t The ADS valvos (EMRVs) are DC operated and require no air. Therefore, their operation is not degraded under clovated pressure conditions inside the drywell. However, failure of those valves to close is an important contriostor to total CDF, and thus their maintenance must be regarded as a priority in maintaining plant safety. The results of this study also re-emphasize the importance of reactor isolation modos where heat is rejected to the torus through EMRVs and then removed by containment spray /ESW system. While this cooling mode is a viable backup to the main condonsor and the isolation condensors, there is little backup if it should fail.
Venting of the containment would be tho only alternative at inat point, and while this is feasiblo it is not a preferrod cooling mode. Therefore, maintaining a reliable containment spray /ESW system is important.
IPE 81 05/29/92
-w.-
e-
__,..g.
~,,...d-.--,
--,m
,5--.$,..__,,.
,m...#..
.(.%4.,
4.
....p-m
~
,,s
_..m
.,,m,y,,_,g._,,,,.w
i i
ATWS is not a major contributor to total CDF because of modifications to the plant to improvo reactor scram systom ieliability and the mitigativo operator actions which have boon incorporated Into the Emergency Operating Proceduros (EOPs). This study also showed that the EOPs are l
well thought out, incorporated in the operations staffs' philosophy, and provide a number of options for dealing with degraded core cooling conditions.
The most likely ways to experienco a sovolo accident involve multiplo AC olectrical plant failurcs coupled with an EMRV failuro to closo. Other likely ways are transients of various kinds coupled with multiple DC power failuros. Overall however, it is concludod that the total core damsgo (sovoro accideat) likolihood due to internally initiated events is reasonably small, and that no vulnerabilitios exist.
However, a review of the detailed results and the contributors to individual system unavailability and operator action error rates indicatos that certain low cost improvements could be impicmented that would improve overall reactor safoty. These planned actions are described below.
8.1.1 Loss of Offsite Power The loss of offsite power initiating ovent contributes 33% to the total calculated core damage frequency. The risk proSlo due to the " family" of loss of ofisite power events consists of both short and long term !ossos of offsito power. Short term lossos of offsito power followed by other failures such as the common cause fallure of both diosol generators combined with EMRV failure to recloso or other ECCS systems failuro contribute s;gnificantly to the risk profile. Lon0 term lossos of offsito power cencurront with failures of diosol generators and ECCS systems combined with battery depletion result in eventual coro damago.
A station blackout technical basis document is under development. This document is to sorve as tho basis for the creation of a station blackout proceduro. Completion of the station blackout technical basis report and the creation of an Oyster Crook plant specific intograted loss of offsite power procoduro (larger in scope than the original station blackout procoduto) could provide improved operator coping ability in loss of offsito power events. This procedure will be completed and will includo provisions for.
Rocovering offsito power or onsito sources and appropriately aligning or cross ticing buses to power critical equipment.
The startup and alignment of the alternato AC capability.
8.1.2 DC Power The failure of all DC power events contributo significantly to total coro damage frequency. Long term loss of DC power following station blackout events is also a significant contributor to the risk profile. Fellowing a long term station blackout the eventual depletion of DC battories contnbutos significantly to too OCPRA risk profilo. Several actions could increase operators j
ability to cope with loss of all DC power events and reduce the contribution of DC power failures l
to total coro damage frequency, t
i IPE 82 05/29/92
- 1. A loss of all DC power procodure will be developed and coordinated with the D
Integrated loss of all AC power proceduro, it willincludo guidanco on the cross connection of essential loads to the "A" battery.
- 2. A portablo DC generator and equipment nocessary to supply essentialloads will be considorod for procuromont, if procured,it will be stagod and procedurally directod for uso in coping with long term losses of DC power.
8.1.3 Containment Spray /Emergoney Sorvico Water Basod on the observations in Soction 11 of Appondix A of this report, the following actions aio plannod:
- 1. Sinco tho oporator plays a major rolo in successful initiation of the containment spray system, these actions will be omphasized in training.
- 2. Changus to tho coordination of provontivo rnalntenanco on the containmont spray systom could result in decreased outago timo. Thorofore, containment spray host exchangor, containmont spray pumps, ESW pump proventivo maintonanco should be coordinated to coincide with plannod tofueling outages. For example. planned refueling outagos willinclude the replacoment of hoat exchangor anodos and cloaning as noodod. In casos whoro maintenanco must be performod during operation on a singlo componont in the systom (which rosults in the unavailability
('
of an entiro systom) other system proventivo maintenanco tasks will be considorod and schodulod to be performod during this same outage ilmo if possible.
- 3. Ellorts to reduco the likollhood of hoat exchangor blockago will continuo.
Romoval of tho damagod sections of tho ESW pipe coating and the chlorination system modification have boon major improvements. Further enhancoments to the chlorination system (to chlorinato a largor segment of the system) that are planned for the next refueling outage will be comploted as schodulod.
8.1.4 Hoactor Foodwater Control (RPV high level excursion)
Based on the observations in Section 13 of Appondix A of this report, the following action is plannod:
The loss of foMwate: i ontrol or high level excurrion contributes loss than 2% to the total coro damago frequoney, however high tovel excursions represent potentially sovoro transients and may pocsibly procood to main steam lino failuro in the mest sovere casos. The planned modification to post trip ioactor foodwater control system (Roactor Overfill Protection System (ROPS))
scheduled for implementation in 15R is expected to substantially decrease the risk of reactor vossol high lovel excursions, and thus will bo ?mplomonted as scheduled.
V n
o.3 osmm
8.1.5 Operator Action Error Ratos Based on the observations in Append!x B cf this report, the following actions will be reviewod and considorod ior appropriato implomontation. Refer to Appondix E of the level 1 PRA report for specifics on each operr.'t action.
- 1. Consider the developrnont of specific procodutos, guidanco and training on reactor overfill translents, spocifically for operator actions (OF1 and ME2).
- 2. During operator tralning point out that consistently successful performance of the following actions can positively affect overall coro damage risk as dolorminod by the PRA.
a.
Oporator Injocts through core spray with fire protection during loss of all AC power (CSS) b.
Operator linos up firo water in}oction through coro opray during LOCA conditions outsido containment (unisolated LOCA) (FS1) c.
Operator inhibits ADS and controls lovel noar TAF during ATWS with FW availablo and condensor failed with EMRV/SV closuto (01.2) d.
Oporator inhibits ADS dui;ag ATWS with FW fallod and EMRV/SV closure (OL3) o.
Operator manually ro-onorglzos bus 1 A1/1B and to-starts at least one TBCCW pump following a loss of offsito power (TB5) f.
Operator trips reactor after TT falluto (hlgh lovol) (RS3) g.
Oporator securos or isolates condensato transfor heador to roactor building within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after condensato transfer supply line broak in the reactor building (FTB)
I h.
Operator trips plant and isolatos foodwater following foodwater line broak in the trunnlon room (FTD) 8.2 Lovel 2 PRA The results of the study indicoto that a reasonably low fraction of the CDF analyzod (15.8%)
would result in largo early failure of containment. The likelihood of containment bypass is 4
2.11x10 por reactor year or 7.3% ci analyzed CDF. Lato containmont failures constituto 26.3%
of analyzed CDF which is considered a conservative result because no post-vossol broach recovbrios woro modelod. Approximatoly half (50.4%) of tho analyzod CDF is due to soquences 4 are recoverablo In-vessol, thus no containment breach would be expoctod to occur.
IPE 84 08/11/92
l The study highli0 hts the importanco of certain containment featuros to the mitigation of sovoro
[
j accidonts. The drywoll floor concreto curb is a main contributcr in roducing the likotihood of a Q
linor mott.through, and the structural upgrados to tho torus in tho early 1980's improvod its pressure capacity by 25% Tho sandbod roglon of tht, drywell has experienced some thinning duo to corrosion and was dotorminod to be the limiting location with rospoct to pressuro capacity. Drywoll head lift was judgod to be a sliDhtly loss likoly overprossure falluto modo, but this conclusion is sensitivo to assumptions mado in tho analysis.
The earliost roloaso would bo expectod to tako placo no soonor than two hours aftoi an accident.
Tho largost (worst) roloaso would bo duo to a containmont bypass scenario involving falluto of the scram dischargo volume to isolato. Such a roloaso would occur somo 10 nours attor the accidont.
Bocause of the relatively low frequoncios associated with tho various containment failuro modos, no spocific hardwaro modifications or cham)os to existing proceduros boyond those Idontified in the lovt,I 1 analysis are planned at this 'Jmo. The lovel 2 PRA will be usod as a major input to the development of accident managorront guidelinos, t
8.3 Schedule for implomontatfor, All of tho actions idontified in Section 8.1 nro plan 7ed for completion prior to startup from refueling outago 15R, except itorn 8.1.2.2. It - n 8.1.2.2 will bo considorod and a decision reachod on its implomontation prior to refueling outago 15R.
(D b
p
\\)
LPE 8-5 08/11/92 e
z=
9,0 References 91 GPU Nuclear, Memorandum, inclusion of Gonoric issuos in the OCPRA, J. S. Wotmore to R. A. Pinelli, 5430-88-0059, Octobor 12,1988.
92 Nuclear Rogulatory Commission, initiation of the lodividual Plant Enmination for Sovoro Accident Vulnerabilities - 10 CFR 50.54 - Genoric Lstter 88 20, Supplomont No.1, August 29,1989.
93 Nuclear Rogulatory Commkslon, Roquest for Action Rotated to Resoiution of Unrosolvod Safety issuo A 47
- Safety implicatlon of Control Systems in LWR Nuclear Power Plants' Pursuant to 10 CFR 50.54(f)- Generic Letter 89-19, September 20,1989.
9-4 Nuclear Rogulatory Commission, Individual Plant Examination for-Sovoro Accident Vulnotabilities 10 CFR 50.54(f), Generic Lottor Number 88 20, Novembor 23,1988.
9-5
- Nuclear Regulatory Commission, Accident Management Stratoglos for Consideration in the Individual Plant Examination P ocess Generic Lottor 88 20, Supplomont No. 2, April 4,1990.
9-6
. Nuclear Regulatory Commission, Prioritization of Gonoric Safoty issues, NUREG-0933, Supplomont Number 1, July 1984.
97
- Nuclear Regulatory Commission, Prioritization of Generic Safety losuos, NUREG-0933,
}
Supplomont Number 2, January 1985.
9-8 Nuclear Regulatory Commission, Prioritization of Gonoric Safety Issuos, NUREG-0933 Supplomont Numbur 3, July 1985.
99 Nuclear Regulatory Commission, Peloritization of Gonoric Safoty Issues, NUREG-0933, Supplomont Number 4, February 1988.
9 10 Nuclear Regulatory Commission, Prioritization of Generic Safoty issues; NURPG 0933, Supplomont Number 5, September 1986.
9 11 Nuclear Regulatory Commission, Prioritization of Osnotic Safety issues, NUREG-0933, Supplomont Number 6 December 31,1986.
9-12 Nuclear Regulatory Commission, Prioritization of Gonoric Safoty Issuco, NUREG 0933, Supplomont Number 7, April 1988.
9-13 Nuclear Regulatory Commission, Prioritization of Genoric Safety issues, NUREG 0933, Supplomont Number 8, November 1988.
9-14 Nuclear _Rogutatory Commission, Priorit!zation of Generic Safety issues. ^,UPEG-0933, Supplement Number 9, April 1989.
j IPE 9-1 05/29/92
915 Nucicar Regulatory Commission, Prioritization of Gonoric Safoty issues, NUREG4933, 4
Supplomont Number 10, December 1G09.
9-16 Nuclear Regulatory Commission, Priuritization of Gonoric Safety issuos, NUREG-0933, Supplomant Number 11, July 1990, 1
9 17 Nuclear Rogulatory Commission, Prioritization of Gonoric Saloty Isr.uos, NUREG-0933, Supplomont Numbor 12, January 1990.
j 9-18 Nuclear Rogulatory Ccmmission, SECY 99-260, Shutdown Docay Heat Rornoval Requirements (USI A-45), Goptember 13,1988.
9-19 Oystor Crack Nuctoar Generatlag Station, Operations Plant Manual, Volumo 8, Modulo 55, Reactor Vessel Instrumontation System, Rovlslon 2, Novombor 28,1989.
9-20 Nuclear Rogu!atory Ccmmission, Resolution ol Unresolved Safety issuo A 17," Systems intoractions in Nuclear Power Plants" (Generic Letter 89-18), September 8,1989.
9-21 IJuclear Regulatory Commission, Evaluation of Safoty implications of Control Systems in LWR Nuclear Power Plants, NUREG 1217, Apri; 1988.
9 22 Nuclear Rogulatory Commission, Rogulatory Analysis for Proposed Rosolution of USl A-47, NUREG 1218, April 1908, 9-23 Nuclear Regulatory Commitslon, Individual Plant Examination: Submittal Guidanco, g
NUREG 1335, August 1989.
T; 0-24 Nuclear Rogulatory Comm:ssion, Shutdown Decay Heat Removal Analysis of a Gonoral i
Floctr:c BWR3/ Mark I, NUREG/CR-4448, March 1987.
9 25 GPU Nucicer, F; ping and instrument Diagram, Reactor Vossel Levol/Prossurorromporaturo Instruments,148F712, Rovision 23, July 3,1991.
IPE 9-2 05/29/S2 j
~.
.. ~... -.
. _... ~. -
... -.. -... ~.. -.-
L 8
APPENDIX A CONTR!B'CTORS TO SYSTEM FAILURE b
I, l
l.
l.
1 I-s
(O/
TABLE OF CONTENTS 1.
Isolation Condonsor (Appendix F.1)..
A3 2.
Turbino Trip and Bypass (Appendix F.2; A-5 3.
AC Electric Power (Appendix F.3)..
A7 4,
125 VDC Power (Appendix F.4)...............................
A 12 5.
ESF Actuation Systems (ESFAS Appendix F.5)..................
A-15 6.
Reactor Protection System (Appendix F.6).......................
A.17 7.
Ser/ico Water (Appondix F.7).................................
A-19 8.
Tvolne Bul ding Closed Cooting Water (Appendix F.8).............
A 21 9.
Main cM IC Stoam isolation (Appendix F.9)....................
A 23
~
10.
Core Spray (Appordx f.10)..............
A-26 11.
Containment Spray /ESW (Appandix F.11)............
A-29 12.
Rocirculation Pump Trip (Appenda F.12).............
A-32 13.
Condonsato and Feedwater (Appendix F.13)....,................
A-34 14.
Circulating Wator (Appendix F.14)...............
A-38 15.
Automath D3 pressurization (Appendix F.15).....................
A-40 16.
Standby Uquid Contiof (Appendix F.16)............,............
A 42 17.
Primary Containment Isolation (Appendix F.17)...................
A 44 10.
Standby Gas Treatment (Appondix F.18)........................
A-46 19.
Fire Protection (Appendix F.19)................
A-48 20.
Condonsato Transfor (Appendix F.20)...............
A-50 21.
Instrument Air (Appendix F.21)........
A-52 22.
Control Rod Hydraullas (Appendix F.22)............
A 54 23.
Roactor Building isolation (Appendix F.23)..............
A 56 24.
Main Steam Safety and Relief Valvos (Appendix F.24)..
A 58 25.
Containment Vont (Appendix F.25)....................
A-60 O
V IPE A-i 05/29/92
i j
Ust of Tables Tablo 1 Isolation Condonsor System Contributors........................
A-4 Tablo 2 Turbine Trip and Bypass Contributors...........................
A4 Table 3 Non Essential AC Power Contributors..............
A9 Table 3a Essential Bus 1 C Contributors................................
A 10 Table 3b Essential Bus 1 D Contributors................................
A 11 i
Table 4 125 VDC Power System Contributors..............
A 14 Tablo 5 ESF Actuation System (ESFAS) Contributors....................
A 16 Table 6 Reactor Protoetion System Cont.lbutors.........................
A 16 Table 7 Service Water System Contributors............................
A 20 Table 8 Standby Gas Treatment System ConPibutors.....................
A 22
- Tablo 9 Main Steam isolation System Contributors.......................-
A 24
' Tablo 9a IC lsolation System Contributors..............................
A 25 Table 10 Coro Spray System Contributors..............................
A-28 Tablo 11 Containmont Spray Systom Contributors........................
A 31 Tablo 12 Reactor Recirculation Pump Trip Contributors....................
A 33 Table 13 Condensate and Foodwater System Contributors.................
A 36 Table 13a RPV Lovel Control System Contributors........................
A 37 Table 14 Circulating Water System Contributors..........................
A 39
-(
Table 15 Automatic Depressurization System Contributors..................
A 41 Table 16 Uquid Polson Injoction System Contributors.....................
A-43 Tablo17 Primary Containmolit isolation System Contributore................
A-45 Tabio 18 Standby Gas Treatment System Contributors...................
A 47 Table 19 Firo Protection System Contributors..,,....
A-49 Table 20 Condensate Trcnsfer System Contributors...............
A-51 Tablo 21 Instrument Air System Contributors...........................
A 53 Table 22 CRD Hydraulic System Contributors A 55 Table 23 Reactor Bailding isolation System Contributors.................,.
A-57 Table 24 r41cin Steam Safety Valve Contributors.. -...
A 59 Table 24a EM RV Contributor s.......................................
A-59 Tablo 25 Containment Vent System Contributors...,,...................
A-61 IPE A-li 05/29/92
,._,<-,__.,-.-y-
,,w
iniroduction O(Q The purpose of this document is to present a summary of major system analysis tosults, and to provido a list of insights and observations on the significant contributors to systom unavailability of the 25 systems modelod in the lovel 1 PRA. This document contains recommendations for impiovements and sorvos as input to the Conc!usions and Planned Actions section of the IPE Submittal Report (Section 0.0). The format of the individual system summarios.s as follows:
System name and top ovont
+
System contribution to total coro damage frequoney Narrativo description of the significant contributors to system unavailability Obsorvations
+
Rocommendations
+
Summary Tablos (by top event)
System name and top event. The system namo provides the namo of the system and the corresponding levol 1 PRA Appendix F section number. Those names occasionally differ from plant nomenclaturo du? to system boundary and PRA modeling simplifications and rostrictions.
. O.
Therefore, system functions which are more appropriately modolod together from a PRA V
perspectivo nppear within a singlo system analysis. This frequently results in multiplo top ovonts being analyzed within a single systems analysis. Those top events are described in the introductory paragraphs. Additional Information on any system or top event is availablo in Appondix F of the lovol 1 PRA report.
System contribution to coro damage is provided to give a perspectivo on the relativo importance of the system within the plant model. The percentago given is the sum of the frequoney of each soquence in which the top event (split fraction) are failed, divided by tho total core damage frequoney. This results in a total coro damage frequency due to all top events of more than 100%, sinco, due to the redundancy of the Oyster Crook design, all soquences contain more than one failed top event (split fraction).-
Narrativo descrip' ion of significant contributors to system unavailability presents the narrative description of the major contributors to system unavailability as well as any assumptions, conditions or observations which impact its contribution to total coro damage frequoney. The narrativos typically describe hardware contributors, maintenance outago time, manual actuation and partialloss of support systems where appropriate.
Hardware contributors contain those compononts of the system
=.
which significantly contribute to system falluto rato. Soveral sub-sections are used to present each significant contribution M
IPE g
A1 05/29/92
separately.
MaIntonanco outage timo prosonts the contribution of system s
maintenance to system unavailability and the conditions under which maintenanco most significantly contr sutos to overall system unavailability.
Manualactuation prosents the conditions under which the system o
is expected to be manually operated and the contributions (oporator survey results) which contributo significantly to the calculation of the operator error rato.
Partialloss of support prosonts the affect (shift in contributors) of
=
degraded support system operation, such as the loss of ono division of cloctric power.
Observations. This section providos a list of insights and observations rogarding tha significant contributors to systern unavailability.
Rocommendations. This soction providos rocommendations to improvo system availability.1his section includos only those recommendations which would result in changos in maintenanco practicos, proceduros, training or hardwaro modifications that are doomod nocessary, based on the observations regarding system unavailability.
Summary tables (by top ovent) provido the coro damago contributions due to each of tho individual split fractions. Those tablos also show the relativo contributions of various significant contributors to system failure under the various analyzed conditions. The significanco of each of thoso contributors is discussed in the narrativo section.
IPE A-2 05/29/92
- 1. Isolation wndensor (Appendix F.1)
L)
A. System Contributors. The isolation condonsor (IC) system is analyzod as OCPRA top event IC. Failure of this top event contributos 0.6% to total CDF. Soo Tablo 1.
- 1. Valvo failure. Condonsato return valvo f ailuro dominatos (96%) IC f ailure rate with both ICs available (101) and significantly impacts (60%) IC f ailuro when only one IC is available or following reactor trip failuro (roquiring both ICs to actuato).
- 2. Isolation condonsor f ailure. Indapendent IC failuro (heat exchangor blockage or fouling) contributes slightly (4%) to system failuro with both ICs available and contributos 28% of system f ailure when one IC is availablo or following reactor trip failure.
- 3. Maintenance outa00 time. System failuro whilo performing maintenanco on one train is a significant (11%) contributor for split fractions following failuro of 4160V bus 1C or 1D or following reactor trip failure.
4.
Manual actuation. Following failure of IC actuation logic (high RPV pressuro or low-low RPV water levol), manual IC actuation is required (104). This split fraction is dominated (99%) by operator action falluto.
- 5. Partialloss of support. The loss of one train of support (4160V bus 1C or 1D, split fraction IC2) results in an increase in system failuto rate by a factor of lb) approximately 30.
This abo reduces the relativo impact of the dominant contributor to systom f a!!uro (valve f ailurc), shifting f allcro rato contribution towards IC failuro (28%) and maintenance outage timo (11%).
- 6. ATWS conditions. Following reactor trip failuro (ATWS),2 of 2 ICs are required to actuato (103). The contributions to this split fraction are similar to those when only one train is available (IC2). The more stringent success critoria for this caso offectively doubles system failuto rate from IC2.
B. Observations. The following observations can be noted by inspection of abovo:
- 1. Due to the relatively low failure tah of the components in this system, condensato return valvo failuro to open contributos significantly to all casos with automatic actuation.
- 2. Operator f ailuro to actuato isolation condensers dominates systom failure following failure of actuation logic. Due to the reliability of the actuation logic system, this does not contribute measurably to core damage frequency.
3.
Highlights the continued importanco of maintenance on condensato roturn valves.
C. Recommendations. None.
,Q IPE A-3 05/29/92 I
Table 1 So!ation Condenser System Contributors Split Split Fraction Helative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Return IC failure Operator Maintenance All to Damage Rate Valve action outage time other Frequency j
failure fadure failures d'
IC1 Automatic actuation of 1 of 95.7%
4.0%
0.3%
0.50 %
1.00x10 2 isolation condensers 4
IC2 Automatic actuation of 1 of 60.9%
27.8%
10.9%
0.4%
0.06 %
3.01x10 1 isolation condenser 4
IC3 Automatic actuation of 2 of 60.3 %
28.2 %
11.4 %
0.2%
0.01 %
5.92x10 2 isolation condensers during ATWS 4
1C4 Manual IC actuation 0.9%
98.9 %
0.2%
0.00 %
1.01x10 following logic failure Total system contribution to core damage frequency 0.57 %
i IPE A_4 05/29/92 1
O O
O
l
- 2. Turbino Trip and Bypass (Appendix F.2)
A A. System Contributors. The turbino trip and bypass functions are modo'od in OCPRA top ovonts TT, BV and clT. These top events contributo a total of 0.6% of core damago frequoney. Soo Table 2.
- 1. Valve failure. Valve failure contributos signiacantly (13 to 35%) to turbine trip failure split fractions and dominatos the turbine bypass valvo trip split traction (BT1 90%). This also dominatos (99%) turbino bypass valvo oporation following reactor trip failure (ATWS), which requiros 9 of 9 valvos to opon.
- 2. EPR fallure. Electric pressure rogulator (EPR) failuro dominatos automatic turbino trip (split fractions TT1 64% and TT2 - 62%), as well as turbine bypass valvo operation following reactor trip (split fraction BV1 76%).
- 3. Manual actuation. Oporator responso to trip the turbine has a dominant (C'1%)
offect on split fraction Tf3. Tno evaluations for this action show a relatively boad rango (factor of 39). All but two operators ovaluated this action as skill basod, (porformod from memory) as opposed to rulo based (porformod with procodutos in hand).
B. Observations. The following c,asorvations can be noted by inspection abovo:
- 1. Due to the overall rollability of the hardwaro in thoso systoms, EPR failuro contritatos significently to system failuro under normal conditions.
- 2. Individual valvo failure to close dominatos the turbino bypass system failure ratos for loss of condonsor vacuum and AW/S cases. This only contributes measurably to coro damage froquency following loss of condensor vacuum. primarily duo to tho overall reliability of the reactor trip system.
3, Operator failure to trip the turbino dominatos the turbine trip failuro rate following failure of actuation logic. Due to the overall reliability of the actuation logic system. this does not measurably impact coro damage frequency.
4.
Highlights the continued importance of maintenance on turbino stop and control valves.-
C. Recommendations, None.
IPE A-5 05/29/92
Table 2 Turbine Trip and Bypass Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contnbution Failure Stop and EPR Operator A!!
to Damage Rate control failure action other Frequency valve failure faDures failure d
TT1 Turb;ne trip or sinp valves close 35.2 %
63.6 %
1.2%
0.10%
2.36x10 following reactor trip TT2 Turbine trip on high RPV water 34.4 %
62.0 %
3.6%
0.04 %
2.42x10" level TT3 Manual turbine it;p 12.7%
83.3 %
4.0%
0.00%
1.20x10 2
BT1 Turbine bypass valves close on 98.4 %
1.6%
0.42%
1.54x10 loss of vacuum BV1 2 of 9 turbine bypass valves open 23.8 %
75 7 %
0.5%
0.00%
1.98x10*
following reactor trip 0.6%
0.00 %
1.35x10-2 BV2 All turbine bypass valves open 98.8%
0.6%
fotfowing reactor trip failure l
Total system contribution to core damage frequency 0.56%
Y IPE A-6 05/29/92 G
6 G
- 3. AC Electric Power (Appendix F.3) v A. System Contributors, independent failures of the AC cloctric power systems are analyzed in top events EA, EB, EC and ED. The failure or those top ovents represent the failure of 4160 VAC buses 1 A,18,1C and 1D and associated switchgoar, respectively. The failure of these top ovonts appear in a total of 45% of core damago sconarios. Soo Tables 3,3a and 3b.
1.
Circuh breaker failure. Circuit breaker failuro ds ilnatos (98%) the non-essential switchgoar failure rates and impacts (35%) tho essential wwitchgoar failure rates in the casos whore all support is available (split fractions EC1 and ED1).
In the case of non-essontial power, this is partially due to the requirement to sopan-
.Jth non-essential buses 1 A and 1 B from the main transformer following plant trip and reconnect the bus supplios to tho startup transformors.
This type of failuro also dominatos essential bus failure during turbine building flooding events (split fractions EC3 and EDS), primarily use to the assumed requirement to separate the 1 A1 and 181 motor control contors due to grounding.
Otherwise, loss of the entire bus is assumed.
- 2. Fan failure. Fan f ailure contributos si;nificantly (60%) to essential swltet.goar failure when all support is available (split fract!ons EC1, ED1 and EDA). This is assumed to cause room overheating and failure of electronic components, fj primarily duo to transformer heat load. The exposure time for this failure is assumed to bo 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, since the operator logs require these spaces to be toured twice per shift (assumption 7 of the AC Power system analysis).
3.
Partial loss of support. Due to the relianco on diesel generators, the loss of offsito power results in an increase in system failure rate by a factor of approximately two decados (a factor of 100), This also shifts the dominant contributor to system failure to diesel generator operation.
4, Bus failure, independent bus failuro contributes significantly (35%) to split fractions EC1 and ED1 only.
5.
Diesel generator failure.
Diesel gonorator failure dominates (91%) the indopondent failuro of essential switchgear following loss of offsite power (split fractions EC2, ED2 and EDD). Also, those are the only system split fractions which significantly impact core damage frequency.
The failure of diosol generators is currently dominated by runtime failures (approximately 70%), with the remaining contribution primarily due to diesel start failures. Those runtime failures have boon segmented into failuro during the first hour and failure during the remaining 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> of the mission time. This is conservative since the recovery of offsite power only inclucos recoveries within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, such that a successful diesel generator would only have to rtn for 1-hour
- (O)
IPE A-7 05/29/92 l
for sLocess. Loss of offsite power recovery is analyzed in Appendix B.1 of the level 1 report.
- B. Observations. The following observations can be noted by inspection of the AC electrical power system analysis results and significant contributors:
- 1. Circuit breaker failure to transfer dominates the failure of non-essential buses 1 A and 18, primarily due to the need to transfer power to the startup transformers
- following plant trip. Both split fractions EA1 and EBA (independent failure of non-essential power to transfer, simulating a loss of offsite power) contribute measurably (2 to 3%) to core darnage freq~ency.
- 2. Ventitetion fan failure contributes significantly to the independent failure of essential buses 1 C and ? D when offsite power is available. Due to the impact that failure of these buses has on plant systems, this form of failure does contribute slightly to core damage frequency.
- 3. Diesel generator failure dominates essential bus 1C and 1D failure following loss of offsite power or failure of buses 1 A/1B. Th ' split fractions contribute significantly (15 to 20%) to core damage frequenen primarily due to the impact of the loss of offsite power initiating event. The significance of diesel generator failure is partially due to the conservative treatment of diesel generator mission time for success.
4.
Highlights the continued impodance of maintenance on the diesel generators and circuit breakers.
C. Recommendatic is. The loss of offsite power initiating event contributes 33% to the total calculated core damage frequency. The risk profile due to the " family" of loss of offsite power events consists of both short and long term losses of offsite power. Short term losses of offsite power followed by other failures such as the common cause failure of both diesel generators combined v ith EMRV failure to reciose or other ECCS systems failure contribute significantly to the risk profile. Long term losses of offsite power cor. current with failures of diesel generators and ECCS systems combined with battery depletion result in eventual core damage.
A station blackout technical basis document is under development. This document is to arve as the basis for the creation of a station blackout procedure. Completion of the station blackout technical basis report and the creation of an Oyster Creek plant specific integrated loss of offsite power procedure (larger in scope than the original station blackout procedure) could provide improved operator coping ability in loss of offsite power events. it is recommended that this procedure include provisions for:
Recovering offsite power or onsite sources and appropriately aligning or cross-tieing buses to power critical equipment.
Th? startup and alignment of the alternate AC capability.
O1 IPE A-8 05/29/92
(
t
.(
y.
.c.
Table 3 Non-Essential AC Power Contributors
. Split '
Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure.
Circuit Transformer
' All to Damage -
Rate breaker failure other Frequency failure L failures i
r EA1 -
Failure of bus 1 A
' 97.9%
1.6%
' O.5%'
2.51% :
2.33x104 4
EB1 -
Failure of bus 1B 97.9%
1.6%
0.5%
0.27 %
2.16x10 EBA Failure of bus 18, given -
99.9% -
0.1%
~ 2.16%
7.00x10 (EF1) failure of bus 1 A To'al system contribution to core damage frequency 4.94%
t IPE A-9 05/29/92
'b
O
+*
Table 3a Essential Bus 1C Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Fan Bus Circuit Diesel All to Damage Rate failure failure breaker generator other Frequency failure failure failures EC1 Bus 1C failure with 1 A 59.6% '
34.8 %
5.3%
0.3% '
1.73 %
3.69x10" success 4
EC2 Bus 1C failure after loss of 2.1%
1.1%
2.7%
91.2 %
3.0%
18.30 %'
5.84x10 bus 1 A d
EC3 Bus 1C failure during 23.3 %
1.7%
69.9 %
5.1 %
See note 9.50x10
(-:rbine 'ouilding flooding Total system contribution to core damage frequency 20.03 %
Note:
Split fraction EC3 is used only in the internal flooding analysis, which was done as a screening analysis only (see Section 10 of the level 1 PRA report). It is listed here for completeness.
l l
t IPE A-10 05/29/92 O
O O
Table ab - Essential Bus 1D Contributors Split
_ Split Fraction.
Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Fan Bus ~.
Circuit Diesel
- All '
to Damage Rate failure failure breaker generator other Frequency
' failure failure failures ED1 Bus 1D failure with ID '
59.6%
34.8 %
5.3%
0.3%
1.73% '
5.90x10
success ED2.
Bus 1D failure after loss of 2.1%'
1.1%
2.7%
91.2 %
3.0%
18.30 %
5.82x104 bus 1B '
EDS Bus 1D failure during 37.7 %
6.8%
55.4 %
0.1%
See note 1.17x10#
turbine building flooding EDA Bus 1D failure after loss of 56.7 %
20.8 %
19.1%
3.4%'
O.00 %
5.93x10-*
(EE1) bus 1C EDD Bus 1D failure after loss of 1.7%'
1.4%
2.1%
92.5%
2.3%
0.00 %
6.58x10#
(EE4)-
buses 1 A,18 and 1C 7
Total system contribution to core damage frequency.
20.03 %
Note:
Split fraction EDS is used only in the internal flooding analysis, which was done as a screening analysis only (see Section 10 of the level 1 PRA report). It is listed here for completeness.
J IPE A-11 OV29/92 f
4.125 VDC Power (Appendix F.4)
A. System Contributors. The 125 VDC power system is modeled in OCPRA top events DB, DC, XB and XC. Failure of these top events contributes a total of 31% of ccre damage scenarios, all due to failure of top events DB and DC. See Table 4.
- 1. Battery failure. Short term DC bus failure is dominated (93%) by battery failure, either on initial demand or during the 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> time horizon defined for short term operation. This failure is due to the failure of battery capacity on demand (based on failure during test discharge surveillance testing).
Since the design of the Oyster Creek electric power system requires system re-alignment to the startup transformers following plant trip, at least a momentary discharge is expected, during which time the battery output would be expected to dip slightly. This is conservative in that the failure data is more representative of a longer term discharge of the battery, but is a customary plant modo!!ng technique. Even though battery A could be cross-connected to battery B loads for some failure scenarios, it is not credited in this analysis (see Assumption 6 in the system analysis). Model changes that would take these factors into account would not be expected to change the basic conclusion that battery failure represents a significant contributor to the risk profile at Oyster Creek.
2.
Battery charger failure. Long term DC bus failure is dominated by battery charger failure during the assigned 22 hour2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> mission time. Alignment of the backup battery charger is not currently modeled (see assumption 8 in the DC Power system analysis), Nevertheless, the long term loss of DC power (split fractions XB1 and XC1) do not contribute measurably to core damage frequency.
B. Observations. The following observations can be noted by inspection of the DC electrical power system analysis results and significant contributors:
- 1. Battery failure on demand dominates short term system failure, '.thich contributes significantly (15 to 20%)- to core damage frequency. This may be partially l
mitigated by the analysis of battery failures, though industry data is sparse in this area (i.e. the specific conditions of battery failure). Also, due to the impact of DC bus C on containment heat removal recovery of this system is modeled in Appendix B.4 of the level 1 PRA report.
- 2. Battery charger failure dominates long term system failure. Due to the less rigorous requirements fa DC power several hours after plant trip from power, l
. particularly after short term actuation of frontline response systems, this does not measurably impact core damage frequency.
l
- 3. The above results highlight the continued importance of battery and DC bus / panel maintenance.
1 IPE A-12 05/29/92
C. _ Recommendations. The fallure of all DC power events contribute significantly to total core
(
damage frequency. Long term loss of DC power following station blackout events is also a A
significant contributor to the risk profile Following a long term station blackout the eventual depletion of DC batteries contributes significantly to the OCPRA risk profile. Several actions are recommended which could increase operators ability to cope with loss of all DC power events and reduce the contribution of DC power failures to total core damage frequency.
1, Develop a loss of all DC power procedure, coordinated with the integrain l'ss of all AC power procedure (see AC Power system contributors). This prnceaure should include guidance on the cross connection of essential loads to the "A" battery.
- 2. Consider procuring, staging and procedurally directing the use of a portable DC generator and equipment necessary to supply essential loads for coping with long term losses of DC power.
T U
I 1 i-)
l IPE A-13 08/11/92 1
i
^
Table 4 125 VDC Power System Contributors Split Split Fraction Relative Failure Rate Contribution Sp!!t Total Fraction Description Fraction Failure Contribution Rate Battery Bus Circuit Battery A!!
to Damage failure failure breaker charger other Frequency l
failure failure failures DB1 125 VDC bus B short term 92.2 %
2.1 %
5.7%
0.0%
15.00 %
5.64x10*
DC1 125 VDC bus C short term 93.1 %
2.1%
4.8%
0.0%
15.90 %
5.58x10*
XB1 Long term DC bus B 1.5%
98.2 %
0.3%
0.00 %
8.78x10*
XC1 Long term DC bus C C 2.9%
97.0 %
0.1%
0.00%
4.37y10*
Total system contribution to core damage frequency 30.90 %
IPE A-14 08/11/92 O
O O
LJ A. System Contributors. The ESF actuation logic systems are modeled in OCPRA top events PR (high RPV pressure), RL (low-low RPV water level) and DP (high drywell pressure). These top events contribute a total of 3.0% to core damage frequoney. Soo Tablo 5.
- 1. Sensor failure. Active sensor failuro dominates (74 to 99.9%) actuation logic failures for the casos with both trains of DC power support available.
2.
Partialloss of support. The loss of one train of support (125 VDC bus B or C) results in an increase in system failure rate by a factor of approximately 60 to 80.
This also shifts the dominant contributor to system failure towards failure while in test alignment.
- 3. Test alignment. System failure ratos aro dominated (79 to 92%) by test alignment whenever one train of DC power is unavailable. This is due to the assumption that the affected components are disabled during testing, as allowed by Technical Specifications for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, after which the affected channel must be placed in a tripped condition (see Page F.5-6 of Appendix F).
B. Observations. The following observations can be drawn by inspection of the ESF actuation system analysis results and significant contributors:
( 3,
/
1.
Sensor failure dominates all split fractions with both trains of DC power available.
Due to its impact on plant system actuation, only failure of low-low RPV water level contributes more than 1% to coro damage frequency.
- 2. Time spent in testing alignment on the unaffected train dominates system failuro following failure of one train of DC power. This is partially due to the conservative assumption that the channel in test is not placed in a tripped condition until this is required by Technical Specifications (2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> per channel per month).
C. Recommendctions. None.-
OQ IPE A-15 05/29/92 1
Table 5 ESF Actuation System (ESFAS) Contributors Split Split Fraction Relative Failure Rate Contribution Sp!!! Fraction Total Fraction Description Contribution Failure Sensor Test Relay All te Damage Rata failure alignment failure other Frequency time failures PRI High RPV pressure '
99.9%
0.15 0.00%
8.42x10~5 actuation with all support available PR2 High RPV pressure 8.2%
91.8 %
0.0%
0.64 %
5.97x10-3 actuation with one 125 VDC bus available :
RL1 Low-low RPV water level 83.2 %
12.9%
3.9%
1.36%
1.14x10" logic with all support available RL2 Low-law RPV water level 7.5%
85.0%
7.3%
0.2%
0.02 %
6.92x10-3 logic with one 125 VDC bus available DP1 High drywell pressure logic 73.6 %
23.9%
2.5%
0.50 %
9.90x10-5 with all support available DP2 High drywell pressure logic 7.0%
79.2%
13.5%
0.3%
0.50 %
6.45x10'3 with one 125 VDC bus available Total system contribtition to core darnage frequency 3.02 %
q IPE A-16 05/29/92
.O O
O
f
- 6. Reactor Protection System (Appendix F.6)
(
l v
A. System Contributors. The reactor protection system (RPS) is modeled in OCPRA top event RS. Failure of this top event contributes a tota! of 2.8% to core damage frequency. See Table 6.
- 1. Control red fal!ure. Control rod failure dominates (59 to 72%) the cases where the automatic reactor trip function is available (split fract,ons RSt, RS2 and RSS).
Due to the large amount of redundancy in the system, this is dominated by the global failure term (i.e. Individual failure of cor trol rods does not measurably contribute, compared to the possibility of a common mode failure mechar;.sm).
- 2. Air operated valve failure.
Failure of the scram outlet valves to operate contributes between 22 and 28% of system failure rate following automatic reactor trip. Again, this form of failure is dominated by commen mode failure.
3.
Manual actuation. Due to the relative reliability of the reactor trip system, mar.ual operator actuation of the system dominates split fractions RS3 (100%) and RS4 (99.9%).
4.
Partial loss of support. Loss of instrument air has virtually no impact on the
- failure rates for the reactor trip system (compare RS1 and RS2). Loss of support to the alternate rod injection (ARI) system has a minor impact (approximately a 20% increase) on system failure rate, N]
B. Observations. The following observations can be drawn by inspection of the reactor trip system analysis results and significant contributors:
1, Due to overall system reliability, global common cause failure of control rods -to insert dominates the automatic system actuation split fractions. Of these cases, 4
RS1, which is currently evaluated at 1.68x10, is the only split fraction that contributes materially (2.7%) to core damage frequency.
- 2. Operator failure dominates this failure rate following failure of actuation logic. Due to the overall reliability of the actuation logic system, this does not measurably impact core damage frequency.
C. Recommendations. None.
Tabin 6 Reactor Protection System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction To;al Fraction Description Contrit'ution Failum Control Air Operator Relay All to Damage Rate rod operated action failure other Frequency failure valve failu.e failures failure 4
RS1 Reactor scram with all support 72.1 %
27.7%
0.2%
2.74 %
1.68x10 available 4
RS2 Reactor scram following loss of 72.2%
27.7 %
0.3%
0.06 %
1.68x10 instrument air RS3 Manual scram following turbine 100%
0.0%
0.00 %
3.50x104 ft:,' ire to trip l
4 RS4 Manual reactor scram following 0.1 %
99.9 %
0.0%
0.01 %
2.00x10 actuation logic failure 4
RSS Reactor scram fo!!owing failure of 59.1 %
22.7 %
16.3%
1.9%
0.00 %
2.05x10 support to alternate rod injection (ARI)
Total system contribution to core damage frequency 2.61%
IPE A-18 05/29/92 e
o e
r u
- 7. Service Water (Appendix F.7)
(~
N.,]
' A. System Contributors. The service water system is analyzed as top event SW. Failure of this top event cc,ntributes a total of less than 0.1% of core damage frequency. See Table 7.
- 1. Manuial actuation. Operator action to start the standby pump following failure of the running pump has a measurable impact (6 to 11%) on split fractions SW1 and SW2 (offsite power available). From Table 6.3-4 (Page 6.3-29), this action has a relatively broad distribution (range between estimates of a factor of 67) between evaluators.
- 2. Partial loss of support. The loss of power to the running service water pump (SW2) increases system failure rate by approximately a factor of 100. This also shifts the dominant failure contribution to maintenance on the available pump (64%).
3.
Pump failure. Pump failure dominates system failure rate for the all support available case and following loss of offsite power, where both pumps would receive a start signal on diesel generator start. Due to the overall reliability of this system, this does not measurably impact core damage frequency.
B. Observations. The following observations can be drawn by inspection of the service water system analysis results and significant contributors:
I k
1.
Pump failure dominates system failure rates when all support is available or following loss of offsite power. Neither of these cases contribute measurably to core damage frequency.
- 2. System maintenance alignment contributes significantly to system failure rate when only one train is available (i.e. maintenance is being performed on tae unaffected train). Again, this does not materially impact core damage frequency.
C. Recommendations. None.
,/3 lQ IPE A-19 05/29/92
Table 7 Service Water. System Contributors Split Split Fraction Relative Failure Rate' Con;ribution Split Fraction Total Fraction Description Contribution Failure Pump Operator Maintenance Ali to Damage Rate failure action alignment other Frequency failure -
time failures SW1 1 of 2 service water pumps 91.8 %
6.4%
i.8%
0.00 %
2.21 x10" with all support available SW2 1 service water pump 23.7 %
11.1 %
64.1 %
1.1%
0.05%
2 31x10 available SW3-1 of 2 service water pumps 98.4%
1.6%
0.00 %
5.27x10" fo!!owing loss of offsite power l
Total system contribution to core damage frequency 0.05%
IPE A-20 05/29/92 O
O O
- 8. Turbine Building Closed Cooling Water (Appendix F.8) p.;
A. System Contributors.' The turbine butiding closed cooling water (TBCCW) system is modeled in OCPRA top event TB Failure of this top event contributes 0.2% of total core damage frequency. See Table 8.
1.
Heat exchanger fr!!ure. Heat exchanger failure (blockage, fouling or rupture) dominates (72%) the case where all support available (TB1).
2.
Partial loss of support. The loss of one train of support (4160V bus 1C or 10, split fractions TB2 and TB3) results in an increase in system failure rate by a factor of 3 (TB2) to 300 (TB3). This also shifts the largest contributor to system failure due to the failure of the opposing check valve to reseat (TB2) and the dominant contributor to pump maintenance on the remaining pump for TB3 (91%).
3.
Manual alignment. Operator action to align the TBCCW heat exchangers it, service water cooling is analyzed in TB4 and TBS (following loss of offsite pc ner).
B. Observations. The following observations can be noted by inspec*lon of the turbine building closed cooling water system analysis results and significant contributors:
- 1. Heat exchanger failure dominates system failure rate when all support is available.
O 2.
Failure of the discharge check valve to close on the failed pump contributes
'd significantly to system failure foliowing loss of bus 1D.
3.
Maintenance on the available pump dominates system failure following loss of bus 1 C.
4.
Operator failure dominates system failure rate following both loss of circulating water cooling to the heat exchangers and following loss of offsite power.
Due to the overall reSability of the TBCCW system and the Oyster Creek plant design, none of these split fractions contribute materially to core damage frequency.
C. Recommendations. None.
m
, k, IPE A-21 05/29/92 l
i
Table 8 Standby Gas Treatment System Contributors l
Split Split Fraction Relative Failure Rate Contribution Split Total Fraction Description Fraction
' Failure Contribution Rate Heat Manual Check-Pump Maint.
All to Damage exchanger valve va!ve failure align.
other Frequency failure transfer failure time failures closed 4
TB1 All support available.
72.7%
26.1 %
1.2%
0.00 %
7.78x10 TB2 1 of 2 TBCCW pumps after 17.7%
7.4%
43.5 %
29.2 %
2.2%
0.00%
2.88x10~5 loss of bus 1D 4
TB3 1 TBCCW pump after loss 0.2%
0.5%
8.7%
90.6 %
0.0%
0.09%
2.70x10 of bus 1C 4
TB4 Manual alignment to 100% of failure rate due to failure of operator action 0.03 %
9.01x10 service water after loss of circulating water
~f 35 Manual TBCCW restart 100% of failure rate due to failure of operator action 0.04 %
2.00x10 and alignment to servico water cooling during loss of offsite power Total system contribution to core damage frequency 0.16%
IPE A-22 05/29/92
- 9. Main and IC Steam isolation (Appendix F.9) i
)
\\J A. Systera Contributora. The main and isolat5n condenser steam isolation systems are analyzed as OCPRA top events MS, ME and Mt. The independent failure of these top events contribute a total of 1.0% to core damage frequency. See Table 9 and 9a.
It is assumed (see Assumption 4 in the system analysis) that instrument air is not required to maintain the MSIVs closed following system isolation.
- 1. Valve failure. Valve failure to close dominates (99.8%) the failure rate for MSly closure on low-low RPV water level and MSIV closure during a high RPV water level excursion (86%). In the case of closure during high RPV water level excursion, the operator acts to backup sensor failure for the assumed high flow cundition as RPV water level approaches the main steamlines.
Valve failure is also the most significant failure mode for IC isolation.
- 2. Relay failure. Relay failure is the dominant failure mode for MSlV failure to close on low steamline pressure (ME1).
[
3.
Mariaal actuation. Operator response is modeled in split fractions ME2, M12 and MS3. Of these, Ml2 (IC isolation on high RPV wat:r level) was.ludged to be a skill based action (performed from memory, then verified by procedure) by all evaluators (see Page 6.3-17). The action to close MSIVs on lowering RPV water m
/
)
level following failure of low-low level actuation logic (MS3) was evaluated by 7 operators as a skill based action. The remaining 3 operators identified this as a rule based action, which would be performed with procedures in hand.
B. Observations. The following observations can be drawn by inspection of the main and IC steam isolation system analysis results and significant contributors:
- 1. Valve failure to close and actuation relay failure contribute significantly to both analyzed conditions for IC isolation.
- 2. The overall core damage frequency contribution for these systems is small.
C. Recommendations. None.
(p)
IPE A-23 05/29/92
(
Table 9 Main Steam isolation System Contributors Split Split Fraction Relative Failure Rate Contribution Spid Fraction otal I
c ilure Contrib0on to a
Fraction Description Valve failure Relay Operator All other ramage Frequency Rate l
to close failure action failure failures ME1 MSIV closure on low 26.3%
73.3%
04%
0.63 %
4.07x10" steam line pressure with all j
support available ME2 Manual MSIV closure 86.3%
12.8%
0.9%
0.07%
1.24x10-*
during high level excursion d
MS1 MSIV closure on low-low 99.8 %
0.2%
0.00 %
- 1.00x1O RPV water level with all support available 4
MS3 Manual MSIV closure on 1.7%
98.2%
0.1%
0.21 %
6.11x10 l
lowering RPV water level 0.84 %
Total system contribution to core damage frequency 05/29/92 IPE A-24 O
O O
j-
,/~
V V
U
. Table 9a IC isolation System Contributors Sp!it Split Fraction Relative Failure Rate Contribution Spirt Fraction Total Fraction Description Relay failure
. All other Valve -
Pressure
' Contribution to Failure -
Damage Frequency Rate failure to switch failures c!cse
. failure l
d Mit C isolation on high steam 43.7 %
31.1 %
24.3 %
0.9%
0.00 %
1.22x10 flow 4
Ml2 -
63.0 %
2.6%
33.1 %
1.3%
021%
1.26x10 water level Total system contribution to core damage frequency 0.21 %
Note:
All Ml2 cutsets require failure of operator action ZHEMl2, in addition to the hardware listed above.
t' IPE A-25 05/29/92 m
- 10. Core Spray (Appendix F.10)
O A. System Contributors. The core spray system is modeled in OCPRA top event CS. Failure r.,f this top event contributes a total of 17.0% to core damcgo irequency. Thir istem analysis also accounts for the capabilhy to cros? connect fire protection to inject tc the reactor vessel through core spray (split traction CSS). 000 Table 10.
- 1. Pump start failure. Pump start fal'ure dominates the failure of the core spray system for all cases involving automatic actuation (split fractions CS1, CS2 and CS3) followlag plant trip. For the cases with core spray piping failure (split fractions CS7 and CS8), pump start failure contributes significantly (63%) to system failure only when one main and one booster pump are available. The dats for this mode of failure are in line with industry averages.
- 2. M.anual actuation. Operator response has a dominant effect on split fractions CS4, CSS and C36.
- 3. Partial loss of support The loss of one train of support (4160V bus 1C or 1D, split fractions CS2, CS3, CS6 and CS8) resWis in an increase in system failure rate by a factor of approximately 2 to 5. Due to tne dominance of pump start failures for CS1, CS2 and CS3 and the supply of one main and one booster pump in each loop from each division of essential AC power, this does not resu:1;n.a shift in system contributors, though a shift does occur in the case of core spray line break (shifting the dominant contributor from guarantood failure while performing maintenance on the intact train to pump start failure).
- 4. Valve failure. Failure of the parallel or the serial inject valves contributes less than 9% to all split fractions analyzed. This type of failure is of note since "supercomponents" were used to model these components. The individual failure of any single piece of equipment witnin these groupings is therefore not separately identified within the system cause table.
For those cases with degraded support available to the parallel inject valves (i.e.
power available to only 1 of 2 valves see assumption 10 in the system analysis),
two main and two booster pumps are also failed, which causes the relative contribution to system failure due to valve failure to drop to 2.4% for split fractions l
CS2 and CS3.
r l
l
- 5. - Maintenance outage time. Since each core spray subsystem has one main and one b aster pump powered from each essential 4160 VAC bus, system failure due to train maintenance only appears as a significant contributor for cases with core l
spray line failure in the opposite lo^p p.e. split fractions CS7 (83%) and CS8 (34%)).
- 6. Alignment to inject with firr protection. While coerator alignment to inject through core spray with fire protection (split traction CSS) is only modeled for those cases with all core spray pumps failed due to loss of motive power (failure IPE A-26 05/29/92
f of 4160 VAC buses 1C and 10), the dominance of pump start failure for split
.O fractions CS1, CS2 and OS3 indicates that this alignment may also be a viable
(,/
accident management mitigation strategy following independent failure of core spray pumps to start. The extremely broad variance behveen operator evaluations for this action, however, including two evaluations cs guaranteed failure, indicate that-successful completion of this action, particularly before fuel cladding perforation and substantial core degradation is questionable. As noted above, though, this may be an effective means of providing long term cooling water flow to coro deoris, it should be noted that tds action would only be taken following site blackout scenarios with loss of RPV inventory (i.e. with stuck open EMRV or IC failure).
Otherwise, the operator would align fire protection to provide IC makeup, rather than inject fire pond water into the reactor vessel. Both of these actions are addressed by_ existing EOPs.
B Observations. The following observations can be made by inspection of the core spray sys+em anatysis results and significant contributors:
- 1. Pumo start fal. lure dominates the cases where automatic actuation takes placa with both loops intact. Of these, split fraction CS1 contributes significantly (11.7%)
to core damage frequency.
- 2. Operator failure to actuate the system dominates the cases whero actuation logic h
is not available and both loops are intact.
L.J 3.
Maintenance tira on the available train contributeo significantly to system failure when one loop is failed due to pipe break.
4 Existing EOPs address injection with fire protection water as a backup to the core spray systani.
-m C. Recommendations. None, Q}
f IPE A-27 05/29/92 1
1
Table 10 Core Spray System Contributors D
i Split Fraction l Total Split Split Fraction Relative Failure Rato Contribution Fraction Description Contribution Failure Pump Operator l Valve Maint.
All to Damage Rate start action faile'e outage other Frequency failure failu:e time failures CS1 RPV injection with 1 of 2 main 89.3%
'o 1.8%
11.70 %
1.77x10" and booster pumps in either loop j
with all support available l
CS2 RPV injection with 4160 VAC bus 96.5 %
2.4%
1.1 % !
1.14 %
9.27x10 4
1C failed (fails one main and one booster pump in each loop)
CS3 Similar to CS2 with 4160 VAC bus 96.4 %
2.4%
1.2%
1.22 %
9.88x10" 1 D failed (1C available) 4 CS4 Manual actuation with all support 1.7%
97.9%
0.4%
O.00 %
8.10x10 available CSS Manual alignment of fire 99.5 %
0.5%
0.88%
1.91 x10-2 protection to inject to the RPV after failure of buses 1C and 1D CS6 Manual actuation after failure of 10.4%
89.1 %
0.6%
1.78 %
8.98x10-bus 1C or 1D 4
CS7 Injection with second loop after 6.8%
8.7%
83.1 %
1.4%
2.00 %
9.05x10 failure of core spray line CS8 Similar to CS7 with 4160 bus 1C 63.1 %
1.7%
34.3 %
0.9%
0.00%
2.19x10-2 or 1D failed l
1 Total system contribution to core damage frequency 17.02 %
IPE A-28 05/29/92 O
O O
r; 1
- 11. Containment Spray /ESW (Appendix F.11)
L./
A. System Contributors. Containment spray and emergency service water (ESW) are analyzed as a single top event (CC). Failure of this top event contributes e total of 4.0% to core damage frequency. See Table 11.
1.
Manual actuation. The system is mode' d as a manual start only design. This significantly affects the system failure rate and its impact on the plant model, since operator failure to properly actuate the sysicm is a significant contributor to virtually all of the split fractions analyzed.
Operator response has a dominant (95% or more) offect on split fractions CC3, CC4 and CC5. From Table 6.3-5, the actions for operator actuation of torus cooling (dynamic test) (CC3 and CC4) have fairly close agreement (0.005 versus 0.007), whereas operator actuation of containment sprays had an ovcrall mean failure rate approximately twice as high (0.013).
- 2. Partial loss of support. The loss of one train of support (4160V bus 1C or 1D, split fractions CC7, CC8 and CC9) results in an increase in system failure rate by a factor of 2 to 3. This also shifts the dominant contributors to system failure towards heat exchanger blockage (approximately 20%) and maintenance outage time (approximately 40%). The contribution due to guaranteed failure while performing maintenance on the unaffected system is artificially high due to the conservative modeling assumptions (see Maintenance outage time, below).
(o C')
- 3. Heat exchanger blockage. Heat exchanger blockage contributes less than 3%
to total system failure rate for those conditions with both trains available, primarily due to the availability of a redundant train.
For those split fractions with loss of 4160V bus 1C or 1D, the loss of one train of containment spray /ESW pump effectively removes this redundancy, such that the two heat exchangers in the operable train must continue to operate throughout the mission time of 24 h_ours. _ The design of the containment spray system prevents isolation of a single heat exchanger for cleaning with the other remaining in' operation. In other words, blockage of a single heat exchanger will fail the heat removal capability of the affected train, it should be noted that the system data records 7 failures,4 of which occurred during a single period of two months. Following this period, a significant amount (but not all) of the protective coating _ initially installed in the ESW piping was removed. Continued observation of component data over time may justify lower component failure rates.
4.
Maintenance outage thne. System failure while performing maintenance on one train is the most significant contributor following failure of 4160V bus 1C or 1D.
This is primarily due to the model simplification of evaluating the system for only one maintenance alignment and conservatively assuming that the system is failed gS.
()
IPE A 29 05/29/92
whenever the assigned train is in maintenance and either 4160V bus 1C or 1D is not available. This model simplification effectively doubles system failure due to train maintenance outages, a conservatism that is addressed in Appendix B.4 (recovery from loss of contain nont heat removal) of the level 1 PRA report.
Also, the Oyster Creek maintenance tration data are rather high, compared to the industry. Therefore, reducing system and component maintenance and outage times could significantly improve system failure rates for the cases with on9 train of support failed.
- 13. Observations. The following observations can be made by inspection of the containment spray / emergency service wat~ system analysis results and significant contributors:
- 1. Operator action failure dominates system failure rate for the cases where both trains are available. The containment spray /ESW system failure rate is dominated by operator failure to actuate the system for split fractions with both trains available (CC3, CC4 and CC5).
- 2. Maintenance outage time on the available traln, heat exchanger blockage and operator failure all contribute significantly to system failure rate following loss of bus 1C or 1D.
- 3. Overall, the heat exchanger failure rate is higher than the industry average, predominantly due tc the occurrence of a relatively large number of blockages during a two month period several years ago.
W C. Recommendations.
- 1. Since the operator plays a major role in successful initiation of the containment spray system, these actions should b i emphasized in training.
- 2. Changes to the coordination of preventive maintenance on the containment spray system could result in decreased outage time.
Containment spray heat exchanger, containinent spray pumps, ESW pump preventive maintenance should be coordinated to coincide with planned refueling outages. For example, all planned refueling outages could include the replacement of heat exchanger anodes and cleaning. In cases where maintenance must be performed on a single component in the system (which results in the unavailability of an entire system) other system preventive maintenance tasks should be performed during this same outaga time.
3.
Efforts to reduce the likelihood of heat exchanger blockage should continue.
Removal of the damaged sectier's of the ESW pipe coating and the clorination system modification have been major improvements. Further enhancements to the chlorination system (to chlorinate a larger segment of the system) that are planned for the next refueling outage should be comNeted as scheduled.
IPE A-30 05/29/92 l
uuman.-
l e
o e
l l
l Table 11 Containment Spray System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Contribution Failure Fraction Description l
l Operator Heat Pump Maintenance All to Damage Rate I
action exchanger start outage time other Frequency I
l failure blockage failure failures l
r 1.4%
0.02 %
1.87x10 l
CC3 Operator starts 95.8%
2.4%
l containment spray to cou l
torus (IC successful with failure of makeup)
CC4 Operator starts 95.9 %
2.0%
2.1%
0.64 %
2.07x10 containment spray to cool j
l torus after IC failure 1
CCS Manual ESW/ containment 95.0%
3.0%
2.0%
1.36%
1.37x10 2 l
spray actuation (1 of 2)
)
CC6 Manual actuation during 55.7 %
2.0%
37.2%
5.0%
0.02%
2.87x10-2 reactor trip failure - main and backup pumps required l
CC7 Similar to CC3 with 4160V 33.0 %
22.7 %
2.2%
40.8%
1.3%
0.02%
5.25x10 2 bus 1C or 1D failed CC8 Similar to CC4 with 4160V 35.9 %
21.9 %
2.6%
39.4 %
0.2%
1.46%
5.44x10 2 bus 1C or 1D failed CC9 Similar to CCS with 4160V 26.7 %
25.0%
2.9%
45.0%
0.3%
0.50 %
4.76x10-2 l
bus 1C or ID failed 4.02%
Total system contribution to core damage frequency IPE A-31 05/29/92
1
- 12. Recirculation Pump Trip (Appendix F.12)
O A. System Contributors. The automatic trip of the reactor recirculation pumps on IC actuation (high RPV pressure and low-low RPV water level) is modeled in OCPRA top event RP. This top event also includes the trip of all 5 recirculation pumps during reactor trip failure (ARYS) conditions. None of the individual split fractions for this system contribute significantly (more than 0.00%) to core damage. See Table 12.
- 1. Circuit breaker failure. System failure during automatic operation (RP1) is dominated (97%) by failure of any recirculation pump supply circuit breaker to open. This is conservative in that it more than doubles the system failure rate for cases in which reactor trip is successful (see assumption 3 in the system f
analysis). Following reactor trip, only the "A" and "E" recirculation pumps would be required to trip to prevent IC isolation on high condensate return flow.
While this affects the individual system failure rate, it does not materially affect plant model results, since split fraction RP1 contributes 0.00% to core damage.
2 Relay failure. The alternate actuation logic path from relays 1K19,1K20,2K19 and 2K20 is not modeled (see assumption 5 in the system analysis). Since relay failure contributes 1.2% of system failure rate for auto:natic actuation (split fraction RP1), this does not materially affect the results for this system.
- 3. Manual actuation. Operator response has dominant (87%) effect on split fraction RP2, which is used whenever IC actuation logic, which also trips the recirculation pumps, fails. Of the 11 evaluations for this action,5 verators evaluated this as a skill based action (performed from memory, then vt %ed with procedures), as opposed to rule based (refer to the procedure before performing the action).
4.
Reactor trip failure (ATWS). It should be noted that the manual action for operator trip of the reactor recirculation pumps includes the manual actuation of liquid poison (boron) injection following failure of reactor trip. This is due to the close linkage between successful reactor trip and the timing constraints on liquid poison injection. This evaluation is conservative for the non-ATWS case.
B. Observations. The following observations can be drawn by inspection of the above results:
- 1. System failure rate is dominated by circuit breaker failure when actuation logic is available.
- 2. Operator failure dominates system failure following failure of IC actuation logic.
- 3. Continued emphasis on circuit breaker maintenance is appropriate.
C. Recommendations. None O
IPE A-32 05/29/92 l
g O
O O
- Table 12 Reactor Recirculation Pump Trip Contributors -
. Split.
Split Fraction Relative Failure Rate Co'ntribution Split Fraction
. Total '
Fraction Description,
Contribution Failure Circuit
- Trip' Valve Operator A!!
to Damage Rate breaker coil failure -
action other Frequency -
- failure failure failure failures RP1 Automatic trip of 5 of 5 reactor.
. 97.0%
- 1.5%
1.2%
0.3%
' O.00% '
2.82x10-7 (RP3) recirculation pumps on high RPV pressure or low-low RPV water.
level RP2 Recirculation pu_mp trip fo: lowing 12.8%
4 86.8 %
0.4%
0.00%
2.54x10 failure of IC actuation. logic
. (manual actuation)
Total sys 9m contribution to core damage frequency 0.00% '
i r
h i
t IPE A_33 05/29/92
- 13. Condensato and Foodwater (Appendix F.13)
A. System Contributors. Independent failures of the condonsato and foodwater systems are analyzed in top ovents CP and FW, respectively. The independent failure of these top events contributo a total of less than 0.1% to coro damage frequency. See Tablo 13.
l RPV water lovel control is separately analyzed in top events RF and OF, which contribute a total of 1.36% to coro damage frequoney. Soo Table 13a.
1.
Blockage of steam seal exhaustor. Since tho stoam seal exhauster represents a single common point in the system flow path, blockage of flow through this component will significantly degrade condentato makeup capability. Blockage of i
this component dominates (96%) condensato system failure with all support available (split fraction CP1) and contributes 26% to system failuro following loss of bus 1 A.
Manual valvo transfer is also included in the failure of this flow path. This failuro contributos 4% of system failure in the all support available case (split fraction CP1).
Due to the extremely high reliability of the condensate systerr this mode of failur3 doos not measurably impact plant modol results.
- 2. Partialloss of support. The loss of one train of support (4160V bus 1C or 1D, split fractions CP2, CP3, FW2 and FW3) results in an increaso in system failuro rato by a factor of approximately 3 to 5. This also shifts the dominant contributors to system failure towards pump train failure and maintenance outage time on the unaffected components.
This mode of failure increases tho loint condensato/foedwater system failure rate from 4.89x10-5 with all support available to 3.13x10 following failure of 4160 VAC 4
bus 1 A and 2.58x10-2 after failure of bus 18. Accordingly, foodwater failure after loss of bus 1B (split lraction FW3) is the cniv condition under wh!ch "11s system contributos measurably (0 04%) to total coro damage frequoney.
- 3. Pump train failure.
Pump train failuro contributes significantly (73%) to condensate system failuro following failure of bus 1A and dominates (99%)
feedwater system failure for the all support available caso and following failure of bus 1 A. This modo of failure includes pump failure with failure of the associated discharga check valve to close, as well as inadvertent discharge valva closure and common mode pump failure between trains.
4.
Maintenance outage time. System failure while performing maintenance on one train is the most significant contributor for split fractions following f ailure of 4160V bus 18. This is primarily due to the !oss of supply power to 2 of th' ' system trains, causing a guarantood failuro condition whenever the remai-ain is undergoing maintenance. This contributos 78% of condensato syste
,rato O
IPE A-34 05/29/92
and 90% of foodwater system failure rate. Due to the ovorall rollability of those O
inipact core damage frequoney.
systems and the redundancy of the overall plant design, this doos not significantly
- 5. RPV water level control failures (Tablo 13a). Operator responso is assumod to be required for long tonn RPV water levol control, with or without successful oporation of the low level seldown systom. If the lovol soldown system functie qs properly, the operator has significantly more time available in which to respond before flooding the IC steamlinos and hazarding main steamlino carryover.
This response has a dominant impact on split fractions RF1 (98%), RF2 (88%) and OF1 (88%).
Sinco the oporator response to a high RPV level excursion or foodwater regulathg valvo lockup Includos tripping all 3 foodwater pumps, failure of any of the supply circuit breakers to trip contributos 12% to system failure. This is conservativo in that the operator would not havo to trip all 3 pumps for succose, but only the pump with the failed regulating valve. This has a minimal (Icss than 0.3%) offect on coro damage frequoney.
B. Obnorvations. The following observations can be made by inspection of the condensato and foodwater system analysis results and significant contributors:
- 1. Duo to overell system rollability, the condensato system failuro rato is dominated by flow blockage when all support is availablo (CP1).
- 2. Pump fallure dominatos foodwator system failure when all support is available and both condensato and foodwater system failure ratos following i/ss of 4160 VAC bus 1 A.
- 3. Train maintenanco 'dominatos both condensato and foodwao, eys&n failure
- following failure of bus 18, 4.
Operator failuro dominatos RPV level control failure for all casos.
C. Recommendations. Although the feedwater and condensato system as we'! m c.PV level cont.al do not contributo significantly to the total calculated coro damage frow no. they do represent significant challenges to oporators ability to mitigato or provent a 4 s.Ent.
The loss of foodwater control or high level excursion contributes less than 2% to the total core damage frequoney, however high level excursions represent potentially sevore tiansients and may possibly procood to rnain steam lino failuro in the most severo casos. The planned modification to post trip reactor it,cc water control system (Reactor Overfill Protection Systee l
(ROPS)) schoduled for implementa4n in 15R is expected to substantially decrease tho risk of reactor vossol high lovel excursions, and thus should bv implomonted as scheduled.
-g IPE A-35
. V29/92 l
Tab:e 13 Condensate and Feedwater System Contributors Split Split Fracticn Relative Failure Rate Contribution Sp!it Fraction Total Fraction Description Contribution Failure Steam Manual Pump Marntenance AI; to Damage Rate seal valve failure outage Sme other Frequency exhauster transfer failures blockage closed CP1 1 of 3 condensate pumps 95.7%
4.0%
0.3%
0.00%
4.89x10-5 with all support available CP2 1 of 2 condensate pumps 26.1 %
73 2 %
0.7%
0.00%
1.79x10' after failure of 4160 VAC bus 1 A (18 available) 4 CP3 1 condensate pump 2.1 %
19.1%
78.5 %
0.3 %
0.00 %
2.20x10 available after loss of 4160 VAC bus 1B (I A avai!able)
FW1 1 of 3 feedwater pumps 99.2 %
0.8%
0.00 %
9.57x10 with a!! support (including condensate) available FW2 1 of 2 feedwater pumps 99.9 %
0.1 %
0.00 %
1.34x10*
after failure of 4160 vAC bus 1 A (18 available)
FW3 1 feedwater pump 3.4%
96.5 %
0.1 %
0.04 %
1.36x10 available after loss of 4160 VAC bus 1B (1 A available)
~
t Total system contribution to core damage frequency C.04%
IPE A-36 05/29/92 9
O O
A
\\
d 4
Table 13a RPV Level Control Sy-tem Contributors J
1
. Split Split l<raction.
- Relative Failure Rate Contributon Split Fraction Total Fraction Description Contnbution Failure Operator Level Circuit All to Damage Rate action control breaker other Frequency
- failure failure failure failures RF1
. Long tcrm post-trip RPV 98.3 %
1.7%
0.0% '
1.00%
5.09x104 level contro! with all support available RF2 Recovery of level contro!
88.5 %
11.5 %
0.0%
0.05 %
1.70x10#
after regulating valve lockup OF1 Recovery frorn high RPV..
88.5 %
11.5 %
0.0%
0.31 %
1.70x10 water level initiating event i
Total system contribution to core damage frequency -
1.36 %
i i
e 4
t k
1 IPE A-37 05/29/92 v
~
un
~..
.w
.-w,
-w.
.r+m-nw=.,
vn--
l
- 14. Circulating Water (Appendix F.14)
A. System Contributors. The circulating water system is modeled in OCPRA top ovont CW.
Faiiuro of this top event contributos a total of loss than 0.1% of coro damage frequency. Soo Taolo 14.
1.
Partial loss of support. The loss of one train of support (4160V bus 1 A or 18, split fractions CW2 and CW4) results in an increaso in system failure rato by soveral docados. For CW4, this also shifts the dominant contributor to system failure to maintenance outage time. Due to the overall roliability of tho system and plar'* CM!gn, though, this does not have a significant impact on core damago fret amn 2.
Maintenance outage timo. System failuro while performing maintenanco on one train is the most significant contributor for the non reactor trip split fraction following failure of bus 1 A or 18. This is primarily duo to the success requirement for both pumps to be available. Otherwise, system failuro is assumed. This contributos 98% of system failure rate for CW4 B. Observations. The following observations can be made by inspection of the circulating water system analysis results and significant contributors:
- 1. Dischargo valvo falluto dominatos system failuro rato when all support is availablo.
- 2. Pump falluto contributos significantly to system failuro rato folic, wing loss of power trorn 4160 VAC bus 1 A or 18.
- 3. Train maintenanco dominatos system failuro rato for non-reactor trip ovcnts with failuro of bus 1 A or 1B (CW4).
C. Recommendations. Nono.
O IPE A-38 05/29/92 l
l 1
w.
Table 14 Circulating Water System Contributors Spht
~ Split Fraction Relative Failure Rate Contribution Split Fraction Total
.. Fraction Description Contr;bution Failure Pump Discharge Maint.
A!!
to Damage Rate failure valve outage other Frequency -
failure to
' time failures close ~
CW1 1 of 4 circulating water pumps 13.6%
86.3%
0.1%
0.00 %
1.29x10*
2 with a!! support availabic 4
CW2 1 of 2. circulating water pumps 55.7 %
43.8%
0.5%
0.00 %
2.16x10 after failure of 1 A or 1B CW3 2 of 4 circulating water pumps 21.7 %
78.2 %
0.1%
0.00 %
6.35x10*
after non-reactor trip events with all support available t
)
CW4 2 of 2 circulating water pumps 1.7%
982 %
0.1 %
0.03%
1.51x10 l
l after non-reactor trip events with -
failure of 4160 VAC bus 1 A or 1B Total system contribution to core damage frequency 0 03 %
[
4 i
f i
IPE AJJ 05/29/92
1
- 15. Automatic Depressurization (Appendix F.15) g l
A. System Contributors. The automatic depressurization system (ADS) is analyzed as top ovent AD. This top ovont includes manual (omorgency) depressurization, as well as automatic system actuation and contributos a total of 2.5% to CDF. Soo Tabio 15.
- 1. EMRV failure to open. Duo to overall system rollability when all support is availablo, EMRV failure to open contributos significantly (90%) to split fraction AD1.
This modo of failure also cor,tributos 31% to system failuto during manual actuation (omorgoney depressurization) on low RPV water lovol (split fractions AD4 and ADS).
2.
Manual actuation Manual system actuation is inodolod under 3 conditions:
Emergoney depressurization on lowering RPV water level following IC failure to actueto (AD3).
Emergency depressurization on lowering RPV water lovel following failuro of 10 makeup (AD4).
Emergency depressurization on high supprossion pool temperaturo (ADS).
Operator responso has a significant (67%) offect on split fractions AD3 and AD4 and a dominant (95%) impact on ADS. This is partially due to the allowanco for the redundant and diverse indication available to the operator on loworing RPV water lovel (soo noto on Pago F.15-6), which was not applied to ADS. Sinco this action would only 60 performed on increasing suppression pool temperature.
- 3. Partialloss of support. The loss of one train of support (125 VDC bus B or C, split fraction A02) results in an increase in system failuro rato by a factor of approximately 9.
This also shifts the dominant contributors to system failuro towards actuation logic failure (71%) and transfer relay failuro (25%).
B. Observations. The following observations can be made by inspection of ADS system analysis results and significant cor.tributors:
1, Due to overall system reliability, system failure rate is dominated by EMRV failure to open when all support is available.
- 2. Actuation logic failure dominatos system failure rate following loss of one division of 125 VDC power (AD2),
3.
Operator failure dominatos system failure rato for all manual actuation casos (AD3, AD4 and ADS).
C. Recommendations: None.
IPE A-40 05/29/92
Ow Os Om Table is Automatic Depressurization System Contributors Split
__ Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description' Contribution Failure EMRV Logic Transfer Operator All to Damage Rate failure to -
failure relay action failure other Frequency open failure failures AD1 Automatic ADS actuation
.90.1 %
7.0%
2.9%
0.02%
1.03x10-7 (ADS) with all support available 4
AD2
' Automatic ADS actuation.
11.4 %
71.5 %
24.6%
0.5%
0.64 %
4.18x10 with one 125 VDC bus failed 4
AD3 Manual depressurization 31.2 %
cr.6%
2.2%
1.36%
1.35x10 after IC failure 4
AD4 Manual depressurization 31.2 %
66.6 %
2.2%
0.02 %
1.35x10 after CRD and IC makeup failure 4
ADS Manual depressurization 4.2%
95.2%
0.6%
0.50 %
9.45x10 on high suppression poc!
temperature Total system contribution to core damage frequency 2.54 %
IFE A-41 05/29/92
- 16. Standby Liquid Control (Appendix F.16)
A. System Contributors. The standby liquid control (SLC) or liquid poison system is modelod in OCPRA top event Bl. Failure of this top ovont contributos a total of 2.3% to coro damaga frequoney. Soo Tablo 16.
- 1. Manual actuation. Manua! operator actuation of the system dominatos the casos where both trains are available (split fractions B11 (52%) and B13 (65%)).
- 2. Partialloss of support. The loss of one train of support (4160V bus 10 or 1D, split fractions Bl2, Bl4 and Bl6) results in an increaso in system failuro rato by a factoi of approximately 5. This shifts the dominant system contributors to pump failures (moro than 70% of systom failuro rat 9).
- 3. Pump failuro. Pump failure to start or run for tho 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> mission timo contributes more than 20% for all split fractions. This is primarily duo to the relatively high plant specific ialluto rato. Plant data collection included common modo failuro (control fuso failuro) of both trcins during surveillanco testing, which incroasos the falluto rato for split fractions with both trains availablo.
Following failure of one train of support, pump failuro contributos more than 70%
of system failure, primarily due to the relatively high failuro rato for pumps of this typo. Also, this modo of failuro contributos more than 70% to both hardware only casos ovaluated (BIS and Bl6), whero the operator action is included in split fraction RP2.
4.
Maintenance outogo time and test alignment. Test alignmont only contributos more than 5% to system failuro when both trains of support are availablo.
Otherwise, neither testing or maintenanco contributo more than 5% cf system failuro rate for any analyzod condition. It should bo noted that recover) from test alignment is not modeled (soo assumption 7 in the system analysis), though an operator would be stationed noar the equipment while performing this test.
B. Observations. The following observations can be noted by inspection results abovo:
- 1. Operator failure to actuato liquid poison injection in timo to provent coro damage contributos significantly to system failure when both trains are available (Bl1 and Bl3).
2.
Pump failuto contributos more than 70% of system failuro rate for all other casos.
- 3. This highlights the importance of continued monitoring of the SLC rollof valvos to ensure the now valves perform as expoeted.
C. Recommendations. None.
IPE A-42 05/29/92
4 3
4 Table 16 ' Uguid Poison injection System Contributors
-l M
I
'l Sput Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction.
Description Contribution Failure Operator Pump Test Mst.
All to Damage Rate '
action failure' alignment outage other Frequency failure time time failu-es t
l
?
BI1
. Operator starts 1 of 2 trains of -
51.5%.
32.9%
7.8%
7.8%
125%
1.75x10 liquid poison (boron) injection f
with turbine bypass available i
i B12 Similar to Bit with 1 train available 12.7%
78.1 %
1.6%
4.1 %
4.5%
O.00 %
8.65x10 l
B13 Operator starts 1 of 2 trains of 65.3%
23.4% '
5.6%
5.6%
1.02%
2.45x10#
1 3
liquic poison with no turbine bypass 4
Bl4 Similar to B13 with 1 train available 18.3%
72.9 %
1.5%
3.8%
3.5%
0.00 %
9.25x10 i:
j BIS 1 of 2 trains of liquid poison 70.6%
16.1 %
13.3%
0.00 %
8.4A10 injection start after manual l
recirculation pump trip due to logic failure
[
f-816 Similar to BIS with 1 train available 89.3 %
1.8%
4.7%
4.2%
0.00 %
7.56x10#
t f
Total system contribution to core damage frequency 227%
z i
q.
t IPE A-43 05/29/92 r
i i
e h
i r
l
- 17. Primary Containment isolution (Appendix F.17)
A. System Contributors. The primary containment isolation system is analyzed as top ovont Pl. Failuro of this top ovent appears in a total of 0.4% of coro damago frequoney. Soo Tablo 17.
- 1. Manual actuation. Operator responso has a dominant (92%) effoct on split fraction P12.
- 2. Partial loss of suppert. Tho loss of actuation logic roquires manual system actuation, which increases system failure rato by approximately a factor of 8.
- 3. Valvo failures. Valve failures, particularly sclonoid valvo falluto (64%), dominato (96% total) the system failuro rato when automatic actuation logic is available.
For manual aduation (P12), vaWo failure only contributos 0.1% of total system falluto rato.
B. Observations. The following observations can be made by inspection of the primary containment isolation system analysis results and significant contributors:
- 1. Tho failure of primary containment isolation is dominated by solenold valvo f ailure when actuation logic is availablo.
- 2. Fo!!owing failure of actuation logic (Pl2), system failuro rato is dominated by oporator failure.
Since the Indopondent failure of this system does not signif cantly contributo to the Ph.
scenario database, further attention to system failuro is not Indicated.
C. Rocommendations. None.
O iPE A-44 05/29/92
Table 17 Primary Containment Isolation System Contributors l
Split Split Fraction Relative Failure Rate Contribution Split Fraction rotal Fraction Description Contnbution Fa!!ure i
Operator Solenoid Air All to Damage Rate action valve operated other Frequency failure failure valve failures failure 4
Pit Automatic containment 84.0 %
12.4%
3.6%
0.04 %
121x10 isolation P!2 Manual containment 92.5 %
6.3 % -
1.8%
12%
0.35 %
1.62x10 isolation from the control room Total system contribution to core damage frequency 0.39 %
IPE A45 05/29/92
- 18. Standby Gas Treatment (Appendix F.18)
A. System Contributors. Tho standby pas treatmont system is modolod in OCPRA top ovont SG. Failuto of this top ovent appears in loss than 0.1% of total coro damage frequency.
Sinco this system determinos the filtoring and roloaso point of reactor building oxhaust, it does not directly impact coro damago, but appor.rs only in the results duo to indopondent system failure in sconarios with oxisting coro damago (prodominantly in scenarios following loss of ono train of system support from 4100 VAC bus 1C or 1D). Soo Tablo 18.
Manual actuation of this system is included in reactor building isolation top ovent RI.
- 1. Partial loss of support. The loss of ono train of support (4160V bus 1C or 1D, split fractions SG2 and SG3) results in an increaso in system failuro rato by a factor of almost 100. This also shifts the dominant contributor to system failuro duo to the availablo train being in maintenanco (82%).
The difforonce between split fractions SG2 and SG3 is based on the assumption that train A is solocted as the lead train (soo Assumption 4 in tho system anal) sis).
Therefore, spilt fraction SG2 includos the falluto rato for the low flow switch for train A.
- 2. Fan failure. Failure of the standby gas treatment fans to start and run contributos 78% of system failuro rate when powcr is available to both trains (split fraction SG1). Following loss of power to one train (split fractions SG2 and SG3), the contribution of fan failuto drops to 12% of system failure rato.
3.
Maintenance outage timo. The unavailability of one train duo to maintenanco contributos significantly (82%) to system failure following loss of power to the other train. Whilo recovery from this condition beforo system actuation is possible, it has not boon separately analyzed due to the small contribution of this system to coro damage froquoney.
B. Observations. The following observations can bo mado by inspection of the standby ga; treatment system analysis results and significant contributors.
1.
Fan failure dominatos system failuto rate when both trains are availabio (SG1).
- 2. System failuro due to maintenanco on the unaffected train dominatos system failure rato following failure of 4160 VAC bus 1C or 1D (SG2 and SG3).
C. Recommendations. Nano.
O iPE A-46 05/29/92 I
Table 18 Standby Gas Treatment System Contributors
.i Split Spiit Fraction Relative Failure Rate Contribution Split Fraction Total
{
Fraction Description Contnbution Failure i
Fan Supply Maint.
A!!
' to Damage Rate failure damper outage other Frequency failure time failures a
i SGI 1 of 2 trains with aff support.
78.0%
- 15.7%
6.3%
0.00 %
2.74x10'
[
available SG2
. Train 2 following loss of. support 12.0%
3.9%
81.5 %
2.6%
0.09%
1.61x10 i
4 to train 1
.SG3 Train 1 following loss of support 12.1%
3.9%
82.8%
5.1 %
0.02 %
1.59x10 I
to train 2 '
p Total system contnbution to core damage frequency 0.06%
[
i i
h b
i t
t i
i I
t
-l iPE A-47 05/29/92 l
i P
i s
...,~_-m e.
. Fire Protection (Appendix F.19)
A. System Contributors. The fire protection system is analyzed as OCPRA top event FP. The Indopondent failure of this top event contributes a total of 0.5% to core damage frequency.
Soo Table 19.
1.
Diosol driven pump failure. Cutsots with diesol driven pump failure dominato (97 to 98%) system failure. This is due to the relatively high failure ratos of diosol driven compononts.
2.
Partial loss of support. The loss of offsito power (split fraction FP2), which falls motivo power to the redundant firo pump, increases system failuro rato by approximately a factor of 90, but does not shift the relativo contributions significantly.
- 3. Manual system alignment. Opcrator failure to align the redundant fire pump does not measurably impact the failure rato for this system.
B. Observations. The following observations can be made by inspection of the fire protection system analysis results and significant contributors.
Tho Indopondent failure of the fire protection system does not materially affect plant model results. System failuro rato is dominated by failure of the diosol driven pumps, both duo to the goncral failuro rato of diesel driven equipmont.
C. Recommendatione. None.
O
- PE A-48 05/29/92
O O
O Table 19 Fire Protection System Contributors Split.
Split Fraction -
. Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Diesel driven pump Ai! other to Damage Rate failure failures Frequency FP1 -
All support available -
97.1% '
- 2.9%
0.03%
1.39x10-5 FP2 Loss of offsite power 97.8 %
2.2%
0.43 %
9.22x10 (redundant fire pump) -
l
. Total system contribution to core damage frequency 0.46%
i-i d
l IPE A-49 05/29/92 i
4 7
i
- 20. Condensato Transfer (Appendix F.20)
A. System Contributors. The condonsato transfer system is modeled in OCPRA top events CT (condensato transfor), MU (makeup to the isolation condonsor) and ST (CST availability).
Future of those top events contribute a total of 1.7% to core damage frequoney. Soo Tablo 20.
1.
Pump start f ailuro. Pump start failure contributes more than half (58%) of system failuro rate for the condensato transfer system (split fraction CT1). Due to the relatively low failuro rato for this system, this doos not measurably impact plant model results.
2.
Manual valve fallero. Manual valvo transfer closed coritributes more then a third (38%) of condensato transfor system failuro (split traction CT1). Again, duc to tne relatively low failuro rato for this system, this does not measurably impact plant mod 31 rosults.
3.
Manual actuation. Operator responso has a dominant (99%) impact on split fractions MU1 and MU2.
4.
Partial loss of support. The loss of condensate transfor for IC makeup has a minor impact on the failuro rate of top event MU, primarily because this top event has a very long response time and is dominated by failure of the operator action fnt both split fractions. Also, recovery of the condensats transfer pumps, which would requito the operator to locally roset the supply breaker, is not modelod following loss of offsite power.
5 Air operated valve failure. Failure of the hotwell makeup and reject valvos dominatos (78%) condensato sto ago tank failuro rato. Due to the reliability of this system, this doos not e,ignificantly impact plant model results.
B. Observations. The fol! awing observations can be made by inspection of the condensate transfer system analysis results and significant contributors.
- 1. Only IC rnakeup coritributes materially to core damage frequency, primarily due to the requirement for operator ection. Due to the amount of timo available to the operator, transit to the area and manual local valve operation does not materially impact the results (compsre MU1 and Md2).
2.
Pump failuro and manual valve transfer closed both contribute significantly to the failure rate for the condensato transfer system.
3.
CST failure rate is dominated by failure of air operated control valves.
C. Recommendations. None.
IPE A-50 05/29/92
. ~)
C m
p i'
Table 20 Condensate Transfer System Contributors l
Sp!!t Split Fraction Relative Failure Rate Contribution Split Total Fraction
. Description Fraction Failure Contribution Rate Pump Manual
' Operator Air All to Damage failure valve action operated other Frequency -
transfer '
failure va!ve failures
~
closed failure I
i CT1 Condensate transfer system 58.5 %
37.0% '
4.5%
0.00 %
1.31x10 I
99.4 %
0.6%
3.25%
4.02x10
[
4 MU1.
. !C makeup from condensate -
transfer -
[
t
'MU2 1C makeup from fire protection 99.0 %
1.0%
1.40%
4.04x104 4
STI -
CST available 18.3%
77.8%
3.9%
0.05%
1.65x10-5 Total system contribution to core damage frequency 1.70 %
t I
i j
i f
i IPE A-51 05/29/92 I
I E
- 21. Instrument Air (Appendix F.21)
A. System Contributors. The instrumont alt system is analyzod as top ovent IA. Indopondent failuro of this top event contributos a total of 0.2% to coro damage frequoney. Soo Table 21.
- 1. Stuck Open rollof valvo. Due to the removal of chock valvo internals to facilitato component maintonanco, any of 7 rollof valvos opening and sticking opon will depressurize the 8nstrument air system with no recovery availablo until the failed valvo is reset or gaggod or the rocolver isolatod. This modo of failuro contributos nearly half (49%) of system failure rate when all support is availablo (IA1) and 19%
of system failure when support is lost to one of the operable air compressors.
- 2. Manual operation. Operator action is required following loss of offsito power (IA3) and to align fire protection to provido compressor cooling following loss of TBCCW (iA4). This form of failuro dominatos both failuro ratos (71% and 00%,-
respectively).
- 3. Partialloss of support. The loss of one train of support (4160V bus 10 or 1D, split fraction IA2) results in an increase in system failuro rato by a factor of approximately 2. This also shifts the most significant contributor to system failuro to compressor failure.
Also, it is assumod that, when power is lost, it is lost to the running, or lead air compressor, requiring the standby air compressor to start for system success.
This assumption contributes 17% of the compressor failure term shown in Tablo 21 for IA2.
- 4. Air drier blockage. Air drior blockago or failure to shift proporly into dryout alignment contributes nearly a third (32%) of system failure when all support is available. This fdure could be partially recovered by operator alignmont of air driers C and D attor failure of air driors A and B, but was not modelod.
B. Observations. The following observations can bo made by inspection of the instrument cir system analysis results and significant contributors.
- 1. The conservativo modeling of the instrument air system does not significantly impact plant model results.
- 2. System failure due to inadvertent relief valve operation does not significantly impact core damage frequency. However, this situation can present a significant challongo to operators to provent a plant transient. This highlights the continued importance of proventative maintenance on relief valves.
C. Re::ommendations. Nc 9 IPE A-52 05/29/92
- .l
- i y!
l
(,
t[:
,li
> ;i
!if!
- hi!
g,
/
4 4
2 2
e 0
0 0
0
!ar e 1
1 1
1 t ut x
x x
x oia 2
1 6
6 l
tar F
1 6
9 8
2 5
1 2
I no n ey ogc it i
ct an u
arbme 0
1 4
1 6
Fia u 0
0 0
1 1
r t
q nDe 0
O 0
0 0
it lpooF r
SCt s
e e r
l r
4 9
3 6
lAthu 7
8 l
5 3
2 oia 1
1 9
f
/9 "2,
r
. s n
o 5
r ne 0
o o
t t
it aor ri u 4
4 u
u etci 1
0 l
b b
a r
n paf 7
B i
O t
t n
n o
o C
C r
y o
c m
e s
n t
er u
e a
se e
ts R
pi 9
3 4
9 r u q
mf l
y e
mfa 0
0 4
e 9
S r
r 5
1 u
o r
e 3
l i
i A
a C
g 5
F a
t A
n e'
m e
a e
v r
r m
e i
ir iu 3
2 5
4 d
t u
a Arl 2
2 i
e' da 3
2 e
l r
3 1
r t
f s
R o
n c
I n
o o
e ei f
t t
l n
liva 4
6 4
7 o
12 ear e
Rv e 9
8 i
5 3
t p
4 1
u tb o
i b
a r
T tn ot gh
. ei o
f t
c ni ir w
o i
r r sn f
i su w
e o s m
ia a
i rl t s e
le s od loeb n
t o t
el wa on l
s r
l r n ni y
o o
bo beo ol i
erW i
f t
a cit a s af e
s t
c 1
pv mf s
ap l
t C
l tiae t
iae a
s aea a
ri naC r
r Fc v
vr t
t t
siW ig ap a oo s
nB o
it s ef rf C aioT T
e m
st l
lpD o
2 1 st oC t
er l
lac S
c r o af f
f o
opp uoB u e mp n
T n o t
1 1
a ss ar ou c s Mo Mp -
l n
liio t
2 3
4 t
1 pc Sa lA A
A A
I I
I r
N' i
E F
P I
.1
,1 j
,',I i
4 t
)
f
- 22. Control Hod Hydraulica (Appendir F.22) g A. System Contributors. The use of the control rod hydraulic (CRD) systom to provido reactor vossol makeup after plant trip is modeled in OCPRA top ovent CD. Indopondent failuro of this system contributos a total of 0.1% of core dt. mage frequoney. Soo Tablo 22.
- 1. Manual alignment. Operator alignment of the tost bypass valvo, which is assumod to be required for system success, dominatos (90%) the casos whero 2 CRD pumps are availablo (CD1 and CD2). For split fractions with one pump available, oporator response contributos 25% (CD3) and 20% (CD4), respoctively, of system failuro rato.
- 2. Partialloss of support. Loss of support to a CRD pump following failuro of 4160 VAC bus 1C or ID increases system f ailuto rato by a factor of 4 to 5, primarily due to failuro while in maintenance, as described below.
- 3. Maintenance outage time. Maintenance outago time has a pronounced impact on tho split fractions with only one CRD pump available (CD3 and CD4), with contributions of 63% and 50%, respoctively, of total system failure rato.
- 4. CRD pump failure. Pump failuro does not significantly contribute to any of the analyzed system configurations, though this does contribute up to 5.7% of total system fal!uro rato for split fraction CD4.
- 5. Strainer blockage. System failure duo to strainer blockago only contributos significantly to split fraction CD4 (10%). For all other analyzed alignments, this mode of failure contributos loss than 1% of system failuro rato.
B. Observations. The following observations can be made by inspection of the control rod drive hydraulic system analysis results and significant contributors.
- 1. Operator failure dominates system failuro rate when both CRD pumps are availablo (CD1 and CD2).
- 2. Pump maintenance outago timo contributos significantly to system failuro rato for casos when only ono CRD pump is available.
Overall, independent falluto of the CRD hydraulic system, including manual operator alignmont of the tost bypass valvo, does not matorially impact plant model results.
C. Recommendations. Nono.
O IPE A-54 05/29/92
R Table 22 CRD Hydraulic System Contribu; ors Spfit Split Fraction Relative Failure Rate Contribution Split Fraction Tota!
Fraction Description Contribution Failure Operator Maint.
CRD Strainer A!!'
to Damage Rate action outage pump blockage other Frequency failure time failure failures CD1_
Both CRD pumps available (1 98.6% -
0.5%
0.6%
0.3%
0.08%
5.07x104 i
running) and operator opens test bypass valve CD2 1 of 2 CRD pumps start after loss 97.5 %
1.4%
0.6%
0.5%
0.02%
5.13x10 I
of power and operator opens test bypass CD3 1 of 1 CRD pump starts after loss 24.7 %
62.7 %
4.6%
0.8%
7.2%
0.02%
1.99x10 of power and fa!!ure of 1C or 1D i
and operator opens test bypass valve i
'CD4 Running pump loses power, 27.7 %
50 2 %
5.7%
9.6%
6.8%
0.00%
2.49x10 operator starts standby pump and I'
opens test bypass valve Total system contribution to core damage frequency 0.12%
i NI d
a f
l IPE A-55 05/29/92 l'
I t,
-r e
.m--
-m
- 23. Reactor Building Isolation (Appendix F.23)
A. System Contributors. Roactor building isolation is modeled in OCPRA top event RI. The failure of this top ovont occurs in scenarios that contributo a total of loss inan 0.1% to coro damago frequency. It should be noted thht the failure of this system does not load to core damago, but dolorminos tha status of secondary containment for radioactivo roloaso considerations. Soo Tablo 23.
- 1. Air opeiated valve failure. Duo to the predominanco of air operated valvos in the roactor building isolation sysMm, this modo of failure dominatos (99%) the split fractions with actuation logic availablo (Rli and Rl2).
- 2. Manual actuation. Following failure of actuation logic, manual isolation of the reactor building from the control room contributos 98% to split fraction Rl3.
B. Observations. The following observations can be made byinspection of the reactor building isolation system analysis results and significant contributors.
- 1. Valvo failure dominatos system failuro rate when all support is available and following loss of instrument air.
- 2. Operator failuro dominatos system failuro rato following failuro of actuation logic (Rl3).
C. Recommendations. Nono.
l l
l l
l O
IPE A-56 05/29/92
i
^
(Q b
b a>
333
- [5 E-5 N
N m
fj&&
2"g8 m
e 5
5 m
O 6
6.
6 6
[
g 22 Si a
.O
- a E
" w=
g g
. 6 E
B e
v.
g, '
O O
E
~-
2 2
1 6
g s 's y8@
g 8
KB I
I s
8-
.9 e@ o " W*
2 16 e
0
.b 5
m O
D N
a 2
g E
5 m
k6gM 9.
.h M.
&9a 8
8 o
e
.m o
s 8
D w
0
-@'5 m-
.m e
e me WE i
8 8
Os ua
=
mE 3
9 e
_g c mE y.9 C
h m
S D
C B:j N@S O Sj
.o E.g.
M c.
m 3,
-S D
2.0 E
-M8 B%
O s
go m
-a 2y Q
Ow O
D"
~Do C
m.c eg m
M CE C5. y a
o.-
o y
C E0 e
.N n
$y.
'E
'E
- u. -
s f
,*u,,
-..2 e
.....r..,
,,-...~m
.,.-,a,.
,,.,.,,,:-,,g.,,,,,,,y
,. +.
,..,.~,...~,,#w.._..,,...-7..
,..-,. + =..
.c
,,,.-3,.wv..
- 24. Main Steam Safety and Rollof Valves (Appendix F.24)
A. Syntom Contributors. The main stoam safoty valvos and EMRVs are modolod in OCPRA top events SO, SR, VO and VR. Failure of those top events contributo a total of 25.7% to coro damago frequoney, primarily due to indopondent failure of EMRV reclosure at top event VR (24.8%). Soo Tablo 24 and 24a.
- 1. Valvo failures. Valve failure dominatos (98% or moro) all analyzed split fractions for th!s system.
2.
Success critoria. Sinco it is uncertain that a second EMRV would not opon whon VO1 is questioned, the success critoria for valve roclosure include an additional valvo, above the number required to initially open. Also, it is assumod that any valvo failure will result in uncontrollod toactor vossol depressurization (1.0. the valvo fails full open, as opposed to a partially closed state or failuro to fully roscat).
Those assumptions (soo Assumptions 1 and 2 in the system analysis) oflectively double the system failuro rate for split fraction VR1 and contributos 20% to the failuro rato for split fraction VR2. Sinco each of thoso split fractions have a pronouncod Impact on the plant model and coro damage frequoney, this assumption also has a pronounced offect.
B. Observations. The following observations can bo mado by inspection of the malr steam roliot system analysis results and significant contributors.
Valvo failuro dominatos system failuro rato for all casos and highlights tho importanco of contir,'od proventative maln'onanco of the roliof valves.
Recommendations. None.
O IPE A 58 05/29/92
I I
i
. Main Steam Safety Valve Contributors Table 24
. Split '
Split Fraction
' ' P. elative Failure Rate ContributionSplit Fraction Total '
l l
- Fraction Description Contribution Failure Common cause Safety valve to Damage Rate j
failure to open fails to close Frequency 4
SO1 4 of 9 safety valves open 100%
5 0.00 %
1.G7i.10 SO2 7 of 9 safety valves open 100 %
0.00%
3.17x10~5 1
?
SR1 4 of 4 open safety valves reciose 100%
0.48 %
1.1f.t10 SR2 8 o! 8 open safety valves reclose 100 %
0.30 %
2.30x10#
t Total system contribution to core damage frequency 0.78 %
s 4
Table 24a - EMRV Contributors I
3 Split Split Fraction Relative Failure Rate Split Fraction Total i.
Fraction Description Contribution Contribution Failure to Damage Rate EMRV Pressure A!!
Frequency
[
failure switch other j
faifure failures VO1 -
1 of 5 EMRVs open 99.9 %
' O.1 %
0.00%
2.92x175 4
VO2 4 of 5 EMRVs open 97.6%
1.6%
0.8%
0.16% '
7.52x10 l
4 j-VR1-2 of 2 open EMRVs reclose 97.8%
2.2%
0.0%
17.60%
2.49x10#
VR2 5 of 5 open EM!Ws reclose 97.8%
1.8%
0.4%
7.16%
6.21x10 j
i l
l Total system contribution in core damage frequency 24.92%
i e
f IPE A-59 05/29/92
{
y i
i i
]
[
l
- 25. Containment Vent (Appendix F.25)
A. System Contributors. The containment vont system is analyzod in OCPRA top ovent OV.
Indopondent failuro of this system contributos a total of 1.1% to coro damago frequency. See Tablo 25.
Tho recovery from containment vont failuro duo to loss of support systems is modolod in top ovont RV.
- 1. Solenold valve failure. Solenold '.lvo failuro dominatos (63%) system failure when both torus and drywell vont p o a are availablo (1.0, no coro damago prosont
- OV1). Following coro damap
, Sn only the vont path through the torus air spaco is usod (to prosorvo suppre:.,lon pool scrubbing), solonoid valve failuro contributos 20% of system failure rato.
- 2. Operator alignment of vent. Operator failuro to align the torus vont dominatos (74%) system failuro following core damago (OV2). Operator ovaluations of this action (Pago G.3-20) show a relatively broad distribution, with a rango of 49 betwoon high end low estimatos for this action. This is believed to be partially due to operator hositation to provido a vent path from the primary containment following coro damago, even with suppression pool scrubbing of fission products.
The evaluations for containment vont before core damago (OV1) show somewha.
closer agroomont, with a rango of 16 betwoon high and low estimatns. Due to the extremoly long time availablo to perform this action, this falluto rate was adjusted by a factor of 0.1 to account for the prosonco of the tclioving shifts and off sito direction during this time in the scenario, D. Observations. The following observations can be made by inspection of the conta'.nment vont system analysis results and significant contributors.
- 1. Solonoid valve failuro dominatos system failare rate when all support is available and core damago has not yet occurrod.
2.
Operator failure dominatoe system failuro rato following coro damago.
C. Recommendations. None.
O IPE l
A-60 05/29/92
m U
U(s c:
. Table 25 Containment Vent System Contnbutors i
Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction
. Description
. Contribution Fa!!ure Solenoid Operator
. Relay Air operated Alg to Damage Rate valve action failure valve failure other Frec;uency failure failure failures 4
OV1 '
Operator vents 63.0 %
15.8%
12.6%
8.4% '
02%
1.08 %
1.71x10 containment to relieve pressure OV2 Operator vents torus air 19.6%
73.6 %
3.9%
2.6%
0.3%
0.00m 2.31x10 space following core damage Tctai system contribution to core damage frequency 1.08 %
IPE A61
. 05/29l92
A i
O i
APPENDIX B CONTRIBUTORS TO OPERATOR ACTION ERROR RATES O
t O
TABLE OF CONTENTS B.1 Performance Shaping Factors......................................
B-1 B.2 Rosults of Performance Shaping Factor Review...................
B-3 B.2.1 Operator controlstirips foodwater during high RPV wcter level excursion (OF1)
B-3 B.2.2 Operator trips roactor after TT failure (high led) (RS3)..............
B-3 B.2.3 Operator manually closos MSIVs after falling to cortrol RPV water level (high) at top ovent RF (ME2)...........
B-3 BM Opoa. tor injects through core spray with fire protection during loss of all AC power (CS5).....................
B-4 B.2.5 Operator lines up fire water injection through core sp y during LOCA conditions outside containment (unisolated LOCA) (FS1)
B-5
'G.2.6 Operator inhibits ADS and controls level near TAF during ATWS with FW available and condenser failed with EMRV/SV closure (OL2)....
B5 B.2.7 Operator inhibits ADS during A'!WS with FW failed end EMRV/SV closure (OL3)..................
B3 B.2.8 Operator manually ro-onergizes bus 1 A1/1B and re-starts at least ono TECCW pump following a loss of offsite power (TBS)........
B-6 B.2.9 Operator secures or isolates condentste transfer header to
.g reactor building within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after condensate transfer
("')
supply line break in the roactor building (FTB).....................
B-7 B.2.10 Operato trips plant and isolates feodwater following feedwater line break in the trunnion room (FTD)
B7 E.3 Summary of Rocommendations B-8 rm.
U.)
IPE B-i 05/29/92
B. CONTRIBUTORS TO OPERATOR ACTION ERROR RATES
.,e (L
- The purpose of this appendix is to report the results of a review of the human action analysos to determino if any outlior performance shaping factors (PSFs) exist which may indicate a potenf ossible changes to procedures, operator interfaces, training or personnel available to im-porator response.
Collecc sy, the actions of plant operators at Oyster Creek have an estimated contribution of E1%
to total core damage frequency. No single operator action contributes more than 3% Thus it is not expected that improvements in an individual human error rate would have dramatic effects on the calculatec' core damage frequency. Novortheless, a separate review of the human action surveys was ponormed to determine if any outlier PSPs exist in individual operator opinions, which may indicate areas where incromontal improvement in error rates cou'd be achieved.
The review of the PSFs was performod by inspection of Table 6.3-4, Performance Shaping Factor Results and Table 6.3-5, Sunc ary of Human Action Results from the level 1 PRA. Those actions which contain outlier PSFs milch me"indicato inadequate time availabh, procedures, training or indications (especially those actions with guaranteod failure) are described in subsection B.2 below.
B.1 Performance Shaping Factors -
The performance shaping factors (PSFs) used for the OCPRA operator action evaluation can be grouped into the following major categories; t
Time related factors Operator training and experience P c :edural direction available to the operator P. sit indications Personnel availability Consequences associated with the action These major factors can then be broken down into the following performance shaping factors:
Time available Actual time available to complete the action (V1).
Perceived time available to diagnose the problem and identify the
=
correct response (V2).
Perceived time available to complete the action (V3).
-Training.nd experience In identifying the need to perform the action (V8).
'in diagnosing the need to perform the action (V9).
In performing the action (V10).
,(u
^
IPE B-1 05/29/92
Indications J
Initial Indications (V13).
Later indications (V14).
Procedural direction Procedural dircction available in the gh'en scenario (V11).
i Non-scenario related proceduros available to direct the action (V12).
Personnel availability Adequacy of manning in the control room, both initially (V15) and later (V30), relative to performing the required action in time.
Adequacy of manning outside the control room, both initially (V16) and later (V17),
l Consequences associated with the action Consequences of performing the action - to the plant (VS) and to the operators (V6).
Consequences of falling to perform the action to the plant (V19) and to the operators (V20).
9 Operator confusion 4
Procodhg related successful actions (V7).
Procoding rotated unsuccessful actions (V21).
Number of preceding and concurrent unrelated actions in progress while the operators are performing the required action (V22).
The individual performanco shaping factors used, variable designations, and associated reference vslues are shown in Figure 6.2-1 in the level 1 PRA report. Each of the above performance shaping factor categorios is discussed in more detail in Section 6.1 in the level 1 PRA report.
l L
l 9
IPE B-2 05/29/92
)
B.2 Results of Performance Ghaping Factor Review
<7
'O This subcection presents those operator actions which were judged to have " outlier" PSFs that indicate a potential for improvements to procedures, training or operator interfaces. This review included an investigation of each shaping facior at either extreme end of the scale (typically 0 to 10, as indicated in Table 6.34 of the level 1 OCPRA report). The detailed operator action descriptions are located in Appendix E of the level 1 OCPRA report.
B.2.1 Operator controlsltrips feedwater during high RPV water level excursion (OF1)
A.
Description. On a loss of feedwater control transient (flow failed high), the operator identifies the transient and takes positive action to prevent co<ering IC and main steam lines. The assumed rate of level increase for this action is 15 inches per minuto until turbine trip at 175 inches.
B.
Observations.
1 This action may not be as clearly directed by plant procedures (V11) as the other post-trip immediate actions.
2.
Personnel outside the control room arrive too late to assist in performance of action (V16 and V17).
C.
RecommendaVon. Consider increased training emphasis on high level excursion mitigation including simulator exercises.
U B.2.2 Operator trips reactor after TT failure (high level) (RS3)
A.
Description. Operator manually scrams reactor after lailure of the main turbine trip on high RPV leveli B.
Observations.
1.
A marginally adequate amount of time is available to perform the action (V1, V2 and V3).
2.
Minimal procedural guidance is available for this action (V11).
C.
Recommendation. Consider procedural enhancements.
B.2.3 Operator manually closes MSIV" after falling to control RPV water level (high) at tcp event RF (ME2)
A. -
Description.
Operator manually closes MSIVs before ficoding RPV steamline penetrations after failure to control RPV water leve! This action is not procedurally directed.
l p(/
IPE-B-3 05/29/92 l
l
B.
Observations.
'1.
A marginally adequate amount of time is available to perform the action (V1, V2 and V3).
2.
No procedural guidance is available for this action (V11).
C.
Recommendation. Consider procedural enhancements and training to direct MSIVs closure on severe high level excursions.
B.2.4 Operator injects through core spray with fire protection during loss of all AC power (CSS)
A.
Description. Following a plant trip with loss of injection, operator lines up for Fire Protection Water injection through core spray lines and injection valves. This action includes manual operation of at least one of the following sets of manual valvos:
Injects al Close Ooen Loop i Booster Pump Suction V-20-91 (2")
V-20-83 (6")
Loop 11 Booster Pump Discharge V-20-90 (2")
V-20-82 (6")
Note that ECCS procedure 308 also has the operator depressurize the RPV below 137 psig before initiating fire protection water injection. This step appears with those listed in the EOP (LR-5), but only after level has dropped to 0 Inches TAF.
This action is assumed to take place following a loss of both divisions of vital AC power (core spray failed due to loss of support). Depressurization will be possible with EMRVs, but only until either station batteries discharge or vital power is regained througn r4 covery of offsite power or at least one diesel generator.
B.
Goservations.
1.
Operators perceive a potential for consequences to the plant (VS, primarily due to the introduction of fire pond water into the reactor vessel).
2.
Operators expect severe coxequences to the plant if the action is not performed (V19).
3.
The variance between evaluations for this action is extremely broad (factor of 1100 between highest and lowest evaluation), primarily due to two of the 14 evaluations with insufficient time available to complete the action (V1) and to perform the action, once the decision has been made tc perform the action (V3). This indicates a greater amount of uncertainty as to the requirements to perform this action, particularly during loss of all AC power conditions, than for some other actions evaluatN.
IPE B.4 05/29/92
~_,
C.
Recommendation. Consider increased training emphasis on this action, particularly in A
station blackout events where an EMRV may be stuck open.
B.2.5 Operatorlines up fire water injection through core spray during LOCA conditions outside containment (unisolated LOCA) (FS1)
A.
Description. Operator lines up for fire protection water injection through core spray lines and injection valves. This action involves the manual manipulation of 'ae same manual valves as for the action above.
B.
- Observations.
1.
Operators perceive a potential for consequences to the plant (VS, primarily due to the introduction of fire pond water into the reactor vessel).
Operators expect severe consequences to the plant if the action is not performed (V19).
3.
The individual evaluations for this action showed a very broad variance (factor of 167 between highest and lowest evaluation), with agreement between group averages that was consistent with other actions evaluated.
This was primarily'due to one evaluation that v/as more than a decade below the next lowest evaluation. This evaluation included 16 (of 21) shaping factors evaluated at the extreme end of the scale.
O-C.
Recommendation. Consider increased training emphasis on this action including simulator exercises.
B,2.6 Operator inhibits ADS and controls level near TAF during ADVS with FW available and condenser failed with EMRV/SV closure (OL2)
A.
Description. During an ATWS with loss of main condenser heat sink, the control room operator inhibits ADS by placing ADS timer switch to RESET, as directed by Power / Level Control (EOPs), (After successful boron injection and recirculation pump trip). The operator then lowers reactor water level to the top of active fuel by terminating and preventing all injection except boron and CRD until water level reaches 0 inches TAF.
. Note: ADS actuation was noted as a frequent occurrence in simulator training by one crew member (i.e. timer was NOT successfully reset). Other crew members had difficulty inhibiting ADS when intentionally lowering RPV water level.
B.
Observations.
1.
_ A marginally adequate amount of time is anilable to perform the action (V1, V2 and V3).
IPE B5 05/29/92
2.
There is a potential for consequences to the plant (VS).
3.
Severe consequences are expected to the p! ant if the action is not performed (V19).
4.
The broad variance between operator evaluations for this action (factor of 321 between highest and lowest evaluation) reflects two (of 12) evaluations as having insufficiont time to complete the action (V1).
C.
Recommendation. Consider increased training emphasis at the simulator exerciscs.
B.2.7 Operator inhibits ADS during ATWS with FW failed and EMRVISV closure (OL3)
A.
Description. During an ATWS with feedwater avalleble, the control room operator inhibits ADS by placing the timer switch to RESET, as directed by the EOPs. MSIV closure is assumed successful, isolating turbine bypass Boron injection and recirculation pump trip are also assumed successful.
B.
Observations.
1.
A marginally adequate amount of time is available to perform the action (V1, V2 and V3).
2.
There is a potential for consequences to the plant (VS).
3.
Severe consequences are expected to the plant if the action is not performed (V19).
4.
The broad variance between operator evaluations for this action (factor of 212 between highest and lowest evaluation) reflects one evaluation (of 12) as having insufficient time to correctly diagnose the action (V2 = 0),
resulting in guaranteed failure.
C.
Recommendation. Consider increased training emphasis at the simulator.
B.2.8 Operator manually re-energizes bus 1A1/1B and re-starts at least one TBCCW pump following a loss of offsite power (TBS)
A.
Description. Following a loss of offsite power and restoration of bus 1 A1/181 and service water, the operatcr manually shifts heat exchanger cooling to service water following failure of circulating water. Time available to perform the action is dependent on the loss of TBCCW to cool the condensate pump motors and plant air compressors.
B.
Observations.
1.
A marginally adequate amount of time is available to perform the action IPE B-6 05/29/92
(V1, V2 and V3).
c,e '
\\
b) 2.
The extremely broad variance between evaluations for this action (factor N
of 2280 between highest and lowest evaluation) shows broad uncertainty between operators concerning the performance of this action. One operator evaluated this action as a guaranteed failure due to inadequate time to perform the action following the decision to perform the action (V3). Only one other evaluation resulted in an error rate of more than 0.05 for this action. This other evaluation included a slightly greater amount of time to perform the action (V3).
C.
Recon)mendation. Consider increased training emphasis at the simulator.
B.2.9 Oporator secures or isolates condensate transfer header to reactor building within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after condensate transfer supply line break in the reactor building (FTB)
A.
Description. Following a condensate line failure (rupture or large leak) in the reactor building, operators secures or isolates condensate transfer flow to the affected header within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
B.
Observations.
1.
Minimal procedural guidance is available for this action (V11).
im gts)
.acomrnendation. Consider adding procedural guidance and training, C.
B.2.10 Operator trips plant and isolates feedwater following feedwater line break in the trunnion room (FTD) -
A.
Description. Following a foodwater line break in the trunnion room, control room operators trips the plant and isolates feodwater flow into the reactor.
B.
Observations.
1.
A marginally adequate amount of time is available to perform the action (V1, V2 and V3).
2.
There is a potential for consequences to the plant (VS) for performing this action. The plant concequences are partially due to the induced loss of feedwater caused by performing this action.
3.
Minimal procedural guidance is available for this action (V11).
4.
The evaluations for this action indicated a relatively broad variance (factor of 81 between highest and lowest evaluation). This was partially due to the broad uncertainty between operators as to the type of action this 1M IPE B-7 06/24/92
involved.
5 assessed this as a skill based action, which would be performed from memory, then verified with procedures.
4 assessed this as a rule based action, which would be performed with procedures in hand.
The remaining 5 operators evaluated this action as knowledge based, for which no written procedural guidance is available (see V11 above).
C, Socornmendation, Consider enhanced procedural guidance and training.
B.3 Summary of Recommendations The following recommendations are made based on inspection of the above results:
1.
Consider the developrnent of specific procedures, guidance and training on reactor overfill transients, specifically for operator actions (OF1 and ME2),
2.
During operator training point out that consistently successful performance of the following actions can positively affect overall core damage risk as determined by the PRA.
a.
Operator injects through core spray with fire protection during loss of all AC power (CSS) b.
Operator lines up fire water injection through core spray during LOCA conditions outside containment (unisolated LOCA) (FS1) c.
Operator inhibits ADS and controls level near TAF during ATWS with FW available and condenser failed with EMRV/SV closure (OL2) d.
Operator inhibits ADS during ATWS with FW failed and EMRV/SV closure (OL3) e.
Operator manually re-energizes bus 1 A1/1B and re-starts at least one TBCCW pump following a loss of offsite power (TBS) f.
Operator trips reactor after 1 T tailure (riigh level) (RS3) g.
Operator secures or isolates condensate transfer header to reactor building within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after condensate transfer supply line break in the reactor building (FTB) h.
Operator trips plant and isolates feedwater following feedwater line break in the trunnion room (FTD)
IPE B-8 06/24/92