Text

Individual Plant Exam Comanche Peak Steam Electric Station Vol 1:Front-End Analysis
	ML20114C610
Person / Time
Site:	Comanche Peak
Issue date:	08/31/1992
From:	Cragg C, Hamzehee H, Husain A; TEXAS UTILITIES ELECTRIC CO. (TU ELECTRIC)
To:	;
Shared Package
ML20114C607	List: ML20114C610; TXX-9238, Forwards Individual Plant Exam Comanche Peak Steam Electric Station Vol 1:Front-End Analysis, Generic Ltr 88-20;
References
	RXE-92-01A, RXE-92-1A, NUDOCS 9209020355
	Download: ML20114C610 (313)
	v • d • e

mF E

c, . -

4. >

l')

~

' 'A ._--

l i

1 n

l l 1-

! I j L j- _;

s < 4 pm t

,n y..

4 4

t 1

i REACTOR ENGINEERING ,.

i, y 4 > is ;

A , }

i 1 !t

, ,, a; 3 a 8 !

-f i

e, c, .

. v t

t mummmmmmma ausmuur usuunus 8

!- annuumr m u~ - - .

__ _ i c

. - TUELECTRIC

?' 9209020355 920828 we,,,,,,1,,

- {. j PDR ADOCK 05000445 _

s--

p - PDR ,.

p M..umpip., , ~ - p a g- >yy--ew y m e"s- * . -*+rup.-a m - aw--v y-wn', m

RXE-92-01A 0

Individual Plant Ex,vnination Comanche Peak Steam Electric Station Volume I: Front-End Analysis By C. D. Cragg H. G. Hamzehee R. A. Lettic Y. Shen D. M. Tirsun August,1992 ,

1 Prepared by: O U-7 % 91 C. D. Cragg "3 Date Senior Engineer, Systems Analysis kN/Y"'WM H. G. Hamzehee d?- A 7- F1 Date Supervisor, Systems Analysis

]/tEY f-$?" /k R. Af tettie Date Senior Engineer, Systems Analysis

/1 *r h-27-92.

l/ Y. Shen Date Senior Engineer, Systems Analysis b ~

T - &7 D. M. Tirsun Date Senior Engineer, Systems Analysis Reviewed by: c#f

~

/v// MAP 9.,#

~S. D. (arpfak Date Senior Engineer, Systems Analysis U W/ d?- 2 7- 12 H. G. Handehee Date Supervisor, Systems Analysis Reviewed and ,

Approved by: ad M ~s ? f 27 9 '2_

A.Ilusain ' Datd Director, Reactor Engineering i

l

- _ _ _ _ _ - _ _ - _ a

Table of Contents

1. EXECUTIVE

SUMMARY

. .. ..... ........,.................. 1-1 1.1 Background and Objectives . . . . . ............................ 1-1 1.2 Plant Familiarization . . . . . . . . . . . . . . . . . . . . . . . . . ........ ... 12 1.3 Overall M ethodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3 1.4 Summary of Major Findings ........ .... .............. .... 1-4

2. EXAMINATION DESCRIPTION . . . . . ...... .... .... ............ 2-1 2.1 Introduction . . . . . . . .................................... 2-1 2.2 Conformance with Generic Letter 88-20 and Supporting Material .........2-1 2.3 General Methodology . . . . . . . . . . . . . . . . . ................2-2 2.4 Information Assembly . . . . . . . . . . . . . . . . . ................. 2-11

3. FRONT END ANALYSIS . . . . . . ........... ... ... ... .. . 3-1 3.1 Accident Sequence Delineation . . . . . . . . . . . . . ,, ....... ..... 3-1 3.1.1 Initiating Events and Front-Line System Success Criteria . . . . . . . . . , , 3-1 3.1.2 Front-Line Event Trees ,............................. 3-10 3.1.3 Special Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 3-56 3.1.4 Support System Event Trees ........................... 3-69 3.1.5 Sequence Grouping and Back-end Interface . . . . . . . . . . . . . . . . . . 3 69 3.2 System Analysis . . . . . . . . . . . . . . . . . . . . . . . ................ 3-75 3.2.1 System Descriptions ...............................3-75 3.2.1-1 Component Cooling Water System . . . . . . . . . . . . . . . . . . 3-75 3.2.1-2 Auxiliary Feedwater System . . . , , ,,.........'.... 3-78 3.2.1-3 Residual Heat Removal System . . . . . . . . . . . . , . . . . . . . 3-81 3.2.1-4 Station Service Water System . . . . . . . . . . . . . . . . . . . . . 3-85 3.2.1-5 Containment Spray System . . . . . . . . . . . . . . . . . . . . . . . 3-88 3.2.1-6 Chemical and Volume Control System . . . . . . . . . . . . . . . . 3-90 3.2.1-7 Reactor Coolant System . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2.1-8 Safety Injection System . . . . . . . . . . . . . . . . . . . . . . . . . 3-96 3.2.1-9 Condensate and Feedwater System . . . . . . . . . . . . . . . . . 3-100 11

I 3.2.1-10 Main Steam System ......................... 3-102 3.2.1-11 Circulating Water System . . . . . . . . . . . . . . . . . . . , . 3-104 3.2.1-12 Reactor Protection System .... . . . . . . . . . . . . . . . . 3 - 106 3.2.1-13 Electric Power System . . . . . . . . . . . . . . . . . . . . . . . . 3 109.

3.2.1-14 Instrument Air System . . , . . . . . . . . . . . . . . . . . . . . . 3 116 3.2.1-15 Safety Chilled Water System . . . . . . . . . . . . . . . . . . . . 3-119 3.2.2 System Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-146 3.2.3 System Dependencies . . . . . . . . . . . . . . . . . . . . . . . ....... 3-157 3

'.3. Sequence Quantification . . . . . ............ ............... 3-166 3.3.1 List of Generic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 166 ,

3.3.2 Plant-Specific Data and Analysis . . . . . . . . . . . . . . . ...... . 3-177 -

3.3.3 Human Failure Data ...... ..... .... .......... . ..... 3-177 l 3.3.4 Common Cause Failure Data . . . . . , . . . . . . . . . . . . . . . . . . . 3 -2 04 3.3.5 Quantification of Unavailability of Systems an': Functions . . .-. . . . . 3 223 i.

3.3.6 Generation of Support System States and Quantification of 'their

Probabilities ...... ... ................. . . . . . . . 3-2 2 4 3.3.7 Quantification of Sequence Frequencies ................... 3-224

{ 3.3.8 Internal Flooding Analysis . . . . . . , , , . . . . . . . . . . . . . . . . . . 3 -2 2 6 3.4 Results and Screening Process . . . . . . . , . . . . . . , . . . , , . . . . . . , . . . , 3-240 -

3.4.1 Appihation of Generic Letter Screening Criteria . . . . . . . . . . . . . . 3-240

3.4.2 Vuln6

ability Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 -2 40 3.4.3 Decay Heat Removal Evaluation . . . . . .............. . . . 3-254 i 3.4.4 USl and GSI Screening ..................... . . . . . . . 3 -25 8

4. BACK-END ANALYSIS . . . . . ....................... .......... 4-1

5. UTILITY PARTICIPATION AND INTERNAL REVIEW TEAM . . . . . . . . . . . . . . 5-1 5.1 IPE Program Organization ............... .................5-1 5.2 Composition of Independent Review Team .......................5-3 5.3 Areas Of Review and Major Comments . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 5.4 Resolution of Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . '9-L I

l lii i

)

-.- . ~ . _ - ,. . - . . . , , . . , , , - . - - . - , - ,

6. PLANT IMPROVEMENTS AND UNIQUE SAFE'D' FEATURES . . , . . . . . . . . . . 6-1

7.

SUMMARY

AND CONCLUSIONS . . . . . . . ............. ........... 71

8. REFERENCES . . . . . . . . . . . . . . . . . .. .......................... 8-1 s

5 t

5 l

l l

I I

i I

j iv ,

l l

-- . - - - - - - - -. m..-. .4.-- .

List of Ficures Figure 3.1.2-1: General Trt.nsient Cvent Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37 Figure 3.1.2-2: Inadvertent SI Event Tree .......................... . . . 3-38

, Figure 3.1.2-3: Main Steamline Dreak Event Tree . . . . . . . . . . . . . . . . . . . . . . . . . . 3 39 Figure 3.1.2-4: Loss of Main Feedwater Event Tree . . . . . . . . . . . . . . . . . . . . . . . , . 3-40 Figure 3.1.2 5: Loss of IED1 125VDC Bus Event Tree . , . . . . , . . . . . . . . . . . . . . . %41 Figure 3.1.2-6: Loss of The Safety Chilled Water System Event Tree . . . . . . . . . . . . . . 3-42 Figure 3.1.2-7: Loss of Offsite Power Event Tree . . . . . . . . . . . . . . . . . . . ., , . . . . . 3-43 Figure 3.1.2-8: Loss of Bus I A3 Event Tree ............................. 3-44 Figure 3.1.2-9: Loss of Protection Chenei !PCI Eveut Tree . . . . . . . . . . . . . . . . . . . 3-45 Figure 3.1.210: Loss of Component Cooling Water System Event Tree . . . . . . . . . . . . . 346 Figure 3.1.2-11: Loss of Station Service Water Event Tree . . , . . . . . . . . . . , . . . 3-47 Figure 3.1.2-12: Loss of Instrwnent Air Evens Tree , . . . . . . . . . . . . . . . . . . . . . . . . . 3-48 Figure 3.1.2-13: Excessive LOCA Event Tree ....... . . . . . . . . . . . . . . . . . . . . . 3-49 Figure 3.1.2-14: Large Break 50C'A Event Tree . . . , . . . . . . . . . . . . . . . . . . . . . . 3-50 Figure 3.1.2-15: Medium Dreak LOCA Event Tree . . . . . . . . . . . . . . . . . . . . . . . . 3-51 Figure 3.1.2-16: Small Break LOCA Even" free . . . . . . . . . , . . . . . . . . . . . , . . . . 3-52 Figure 3.1.2.17: Very Small Break LOCA Event Tree . . . , . . . . . . . . . . . . . . . . . . . . 3 53 Figure 3.1.2.18: Steam Generator Tube Rupture Event Tree . . . . . . . . . . . . . . . . . . 3-54 Figure 3.1.2.19: Loss of Condenser Vacuum Event Tree . . . . . . . . . . . .. . . . . . . . . . 3-55 Figure 3. 3-1: ATWS Su ccess Tree . . . . . . . . . . . . , , . . . . . , . . . . . . . . . . . . . . . 3-62 Figure 3.1.3-2: Transient induced LOCA Event Tree . . . . . . . . . . . . . . , . . . . . . . . . 3-64 l Figure 3.1.3-3: Induc41 Small Seal LOCA Event Tree . . . . . . . . . . . . . . . . . . . . . . . 3-65 Figure 3.1.3-4: Induced LOCA 0.6-2" Event Tree . . . . . , . . . . . . . . . . . . . . . . . . . . 3-66 i

Figure 3.1.3-5: Induced LOCA > 2" Event Tr ee . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-67 Figure 3.1.3-6: ATWS Event Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-68 Figure 3.2.1.1: Component Cooling Water System . . . . . . . . . . . . . . . . . . . . . . . 3-121 Figure 3.2.1.2: Auxillary Feedwater System ................... ,,....... 3-122 Figure 3.2.1.3: Residual Heat Removal System . . . . . . . . . . . . . , . . . . . . . . . . . . . 3-124 Figure 3.2.1.4: Station SerAce Water System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-125 Figure 3.2.1.5: Containmen Spray System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-126 Figure 3.2.1.6: Chemical and Volume Control System . . . . . . . . . . . . . . . . . . . . . . . 3-127 y

i m E *u.'Wt=P 4 '*y y *5'd TPW' T-TP**1 '*P--+W T""Mt-?WV y?W9T' N Y m'PP4r*i-

i r

4 Figure 3.2.1.7: Reactor Coolant System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 128

. Figure 3.2.1.8-1: Safety injection System . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 3 129 l

Figure 3.2.1.8 2: Accumulator Injection System ...........................3-130 Figure 3. '..l.9: Condensate and Feedwater System .. .... .. ........... ..... 3-131 Figure 3.2.1.10: Main S'eam System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-133 i-Figure 3.2.1.11: Circulating Water System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 135 Figure 3.2.1.12: Reactor Protection System . . . . . . . . . . . . . . . . . . . , , . . . . . . . . . 3-136 l

Figure 3.2.1.13-1: Offsite Power Distribution System . . . . . . . . . . . . . . . . . . . . . . . . . 3-138 Figure 3.2.1.13-2: AC Onsite Power Distribution System . . . . . . . . . . . . . . . . . . . . . . . 3 139 Figure 3.2,1.13-3: 125V DC & 1ISV AC Onsite Power Distribution System . . . . . . . . . . . 3141

! Figure 3.2.1.14: Instrument Air System ........................ . . . . . . . 3-143 Figure 3.2.1.15: Safety Chilled Water System . , , . . . . . . . . . . . . . . . . . . . . . . . . . . 3-145 Figure 3.3.3 :: Interfaces of HRA with Major PRA Tasks . . . . , , . . . . . . . . . . . . . . 3178 Figure 3.3.3 2: Dynamic Action Screening Value Decision Tree ................3-182 Figure 3.3.3-3: Testing / Maintenance Latent Human-- Error Screening Value Decision Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3- 184 Figure 3.3.3 4: Calibration Latent Human Error' Screening Value Decision Tree ......................... ................. 3-186 Figure 71: Core Damage Frequency by Initiating Event . . . . . . . . . . . . . . . . . . . . . 7-4 Figure 7-2: Core Damage Frequency by Initiator Type . . . . . . . . . . . . . . . . . . . . . . 75 i

i

{

l l

vi l

List of Tables Table 3.1.1-1: Front.Line System Success Criteria .....,,..........,.....3-6 Table 3.1.2-1: - ATWS PORV Failure Days , , . . . . . , . . . . . . . . . . . . . . . . . . . . . 3 60 Table 3.1.2 2: ATWS PORY Failure Fraction - . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 Table 3.1.5-1: Sequence Characteristics of Core Damage Bins . . . . . . . . . . . . . . . . . 3-72 Table 3.1.5-2: Sequence Characteristics of Containment Safeguards Bins . . . . . . . . . . . . 3-73 Table 3.1.5 3: Sequence PDS Frequencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7:

Table 3.2.2-1: Generic Data For CPSES Unit I Component Failure Rates . . . . . . . . . . , 3-147 Table 3.2.2-2: Generic Data For Cpses Unit 1 Maintenance Frequencies and Du rations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 153 Table 3.2.31: CPSES System Dependency Matrix ...............,........ 3-!57 Table 3.3.1.1: _ CPSES Unit 1, Component Failure Data Base . . . . . . . . . . . . . . . . . 3 - 169 Table 3.3.1.2: Generic Maintenance Data Base . . . . . . . . . . . . . . . . . . . . . . . . . . , , 3-175 Table 3.3.1.3: Generic Internal Flood Data Base . . . . . . . . . . . . . . . . . . . . . . . . . . 3-177 Table 3.3.3-1: Important Human Interactions . . . . . . . . . . . . . . . . . . . . . . . . . 3-203 Table 3.3.4.2: Formulas For Mapping Down Event Impact Vectors , . . , , . . . . . . . . . 3-211 Table 3.3.4.3: Formulas For Upward Mapping of Events Classified as Nonlethal Shocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-211 Table 3.3.4.1: He Prior MGL Parameter (CCF Data Base) . . -. . . . . . . . . . . . . . . . . 3-218 Table 3.3.4.4: CPSES Unit 1, Common Cause Failure Data Base . . . , . . . . . . . . . . . , 3-220 Table 3.3.4.4: CPSES Unit 1, Common Cause Failure Data Base . . . . . . . . . . . . . . . 3-221 i- Table 3.3.4.4: CPSES Unit 1, Common Cause Failure Data Base . . . . . . , , . 3-222 Table 3.3.71: Sequence Quantification Programs . . . . . . . . . . . . . . . . . . . . . . . . . 3-224 Table 3.3.81: Summary of CPSES Flood Scenario Results . . . . . . . . . . . . . . . . . . . 3-230 -

Table 3.3.8 2: Summary of CPSES Significant Flood Scenario Propagation . . . . . . . . . 3-238 l

Table 7-1: CDF Contribution by Initiator . . . . . . . . . . . . . . . . . . . . . . ...... 7-3 I

l l

[

vil i

l

List of Acronyms AF - Auxiliary Feedwater ARV -

Atmospheric Relief Valve ASME -

American Society of Mechanical Engineers ATU - Automatic Transfer Unit i ATWS - Anticipated Transient Without Scram BOS - Blackout Signal BTRS - Boron Thermal Regeneration System CAFTA -

Computer Aided Fault Tree Analysis CC - Component Cooling Water .

CCF -

Common Cause Failure CCP - Centrifugal Charging Pump CET -

Containment Event Tree CH -

Chilled Water (Safety and Nonsafety)

CI -

Instrument Air CPSES -

Comanche Peak Steam Electric Station CS - Chemical and Volume Control System CST -

Condensate Storage Tank :

CT -

Containment Spray CW -

Circulating Water l DHR - Decay Heat Removal l ECCS -

Emergency Core Cooling System l

EHC -

Electro-Hydraulic Control EOP -

Emergency Operating Procedure EP -

Electrical Power

EPRI -

Electric Power Research Institute ERG -

Emergency Response Guideline >

ES -

Reactor Protection System ESF -

Engineered Safeguards Feature ESFAS -

Engineered Safeguards Features Actuation System ,

FSAR -

Final Safety Analysis Report l

l FW -

Main Feedwater HEP -

Human Error Probability HI -

Human Interaction HRA -

Human Reliability Analysis .

HVAC -

Heating Ventillation and Air Conditioning !

IPE -

Individual Plant Examination kV -

Kilovolts LOCA -

Loss of Coolant Accident LOOP -

Loss of Offsite Power !

MAAP -

Modular Accident Analysis Program !

MCC -

Motor Control Center MGL -

Multiple Greek Letter MS -

Main Steam ,

MSIV --

Main Steam Isolation Valve MSLB -

Main Steam Line Break .

viii B

'-=r + g s-- --e + w.* ,--w.e ~en-- e ye wr'--.-, e,,w,= v w-- m--

NRC - Nuclear Regulator Commission ,

NSAC - Nuclear Safety Analysis Center P - Containment Hi 3 Signal PDS - Plant Damage State PORY -

Power Operated Relief Valve .!

'PRA - Probabilisitic Risk Assessment RC - Reactor Coolant (System) !

RCP - Reactor Coolant Pump RH - Residual Heat Removal RWST - Refueling Water Storage Tank i S - Safety injection Signal ,

j S/G - Steam Generator ,

SGTR - Steam Generator Tube Rupture i SHARP - Systematic Human Action Reliability Procedure {

SI -

Safety Injection SIP - Safety Injection Pump SRO - Senior Reactor Operator :

SRV -

Safety Relief Valve !

r SW -

Station Service Water Two -

Reactor Coolant Average Temperature TDAFWP - Turbine Driven Auxiliary Feedwater Pump ;

TPCW -

Turbine Plant Cooling Water i V - Volts .

! I I I q

I

}

t t'

f I

t l ?

lx ;

.., _ . . ..m.... _ . _ , . . . . - _ . . . . _ , - . . . . . . -, ,_. . . _ . . - , _ . _.

1. EXECUTIVE SUMM ARY 1.1 Backcround and Obiectives

" Itis report presents the results of the Individual Plant Examination (IPE) for Comanche Peak Steam Electric Station pursuant to the Nuclear Regulatory Commission's Generic Letter No. 88-20, " Individual Plant Examination for Severe Accident Vult;erabilities." This Generic Letter requested that each licensee perform a plant specific examination for vulnerabilities to severe accidents and to identify cost effective improvunents that would reduce the important vulnerabilities. In response to the Generic Letter, TU Electric committed to provide the results of such an examination to the NRr by September 1,1992.

TU Electric formed the IPE team in early 1989. The major objectives of the Comanche Peak Steam Electric Station IPE were to:

develop an overall appreciation of severe accident behavior; understand the most likely severe accident sequences that could occur at CPSES; a

gain a more quantitative understanding of the overall probability of core damage and radioactive releases; and reduce the overall probability of core damage and radioactive material release, if necessary, by appropriate modifications to plant operating procedures and hardware that would help prevent or mitigate severe accidents.

Additional objectives were added to address the NRC request that all licensees identify any vulnerabilities in decay heat removal systems for their plants and report the results of the evaluation with the IPE.

These objectives were to:

evaluate the adequacy of decay heat removal systems; determine the benefits of providing alternative means of decay heat removal; and 1-1

assess the cost and benefit of alternative measures.

With these important objectives !n mind, TU Electric successfully completed the front-end portion of the IPE study, and produced the insightful results that are discussed in this report. The back end portion of the study is currently being completed and will be submitted separately by October 31,1992.

1.2 Phat. Familiarization ne plant familiarization activities continued throughout the examination. There are three types of activities that characterize this effort, First is the initial gathering of plant data that describes the as-designed and as-built plant. In this regard, the team benefitted greatly from the extensive design and construction verification efforts that were completed prior to licensing CPSES Unit I and from the extensive computerization of much of the plant documentation needed for the analysis. In addition, the analysts were familiar with the plant design and operation and with the documentation since they had worked in various capacities in the engineering and operations departments prior to commencing work on the IPE. This provided the analysts with confidence that the analysis was based on an accurate model of the plant.

The following list of documents is typical of that which was gathered to support each system. Each

( document was carefully reviewed and incorporated into the study.

l

System Operating Procedures

Design Basis Documents

Surveillance Test Procedures l

Plant Operating Procedures

System Flow Diagrams j

System Instrumentation and Control Diagrams i

Control Wiring Diagrams

Electrical One-Line Diagrams

Emergency Response Guidelines

'

Abnormal Conditions Procedures Final Safety Analysis Report i 1-2

. _ . _ -- - - . . . _ . . . _ . _ - . - . _ , _m._ - . , _ _. . _ , . ., _ . -~ , _..

r

Technical Specifications The second plant familiarization activity is the plant walkdown. The analysts supplemented their knowledge of the plant with walkdowns that were directed specifically at answering questions important to the analysis. The walkdowns gave the team an accurate picture of the plant layout and the physical locatica of equipment important to the analysis. It also provided the team with additional assurance that the systems and their associated components could be accessed as necessary to provide the functions modeled in the IPE.

He third plant familiarization activity is the expert interview. For accident scenarios and recovery actions, plant personnel who were very familiar with utilizing procedures to operate the plant and to recover from various plant upsets were interviewed. Their knowledge fonned the basis for decisions as to the feas_ibility of the recovery actions.

Each of these plant familiarization activities were used in important ways in the evaluation. In total, they provide a great deal of confidence that the study accurately models the plant.

1.3 Overall Methodolocv TU Electric performed the IPE study using the Level I Probabilistic Risk Assessment fRA) method for the front-end portion and the Level-II PRA method for the back-end portion of the st ady. Current PRA l methods and procedures, consistent with those described in NUREG/CR-2300, NUREG/CR-2815 and NUREG/CR-4550, were utilized for the front-end ponion. In general, the fault tree linking methodology was adopted by TU Electric for the examination process. His method was implemented by developing plant-specific large fault trees and small event trees. The large fault trees were then linked together according to the event tree logic for quantifying accident sequences.

Tue back-end portion of the IPE will be completed consistent with the general approach described in Appendix A of NUREG-1335 using elements of the EPRI generic framework, i

l 1-3

. . - ~. - . . . .- - -- - -. -- - . - . . -

1.4 Summary of Maior Findings ne total core damage frequency due to internal events for CPSES Unit I was estimated to be 5.72E-05 events per reactor year. Internal Flooding was also included in this evaluation. ,

ne results of the examination demonstrate that there is no plant-specific vulnerability at CPSES. He core damage frequency profile by initiating event is relatively fiat. In other words, the core damage frequency is distributed uniformly among different initiating events and different sequence types.

Therefore, no single plant improvement could be identified that would have a significant impact on the results. However, in order to further enhance plant safety, a number of procedural changes were recommended, ne recommended changes are planned to be implemented for both units in the near future.

In addition, TU Electric plans to replace the RCP seal: witn seals of a new design that will function in ,

a high temperature fiuld environment. Piesently, two of the four Unit 1 RCP seals have been modified and the other two are scheduled to be inspected and evaluated <1uring the 1992 or 1993 refueling outages. ,

All four of the RCP seals in Unit 2 are scheduled to be upgraded prior to initial startup. The IPE models are based on the characteristics of the original seals. Seal LOCAs mntribute approximately 29% to the i total core damage frequency. His contribution is expected to decic se with the upgraded seals. l Unresolved Safety Issue USI A 45 entitled " Shutdown Decay Heat Removal Requirements" was specifically addressed in the CPSES IPE study. Based on the IPE results and a sensitivity analysis performed to examine the CPSES decay heat removal capability, it was concluded that no decay heat removal vulnerabilities exist at CPSES.

The CPSES IPE study was performed specifically for Unit 1. After the completion of the Unit 1 IPE, ;

T a comparison study was conducted to identify differences between Units I and 2 and their impact on the ,

IPE results. The differences in plant design and operation were reviewed and found to have insignificant -

{

impact on the IPE models and final results. Therefom, the CPSES TPE study is applicable to both units.

[

l a

l l-4 f

-, , -_ - --.-,,-w,e.,-m ..+,>c..~ ww.,%-,y,m--, m.y,,, - -w,,-.r... . . . ,s , w, er.--._, ,n,w,-,

2. EXAMINATION DESCRIPTION 2.1 Introduction The examination of CPSES Units 1 and 2 was started in early 1989. A program plan was first developed and major tasks and milestones were identified, In staffing for the IPE, TU Electric's main objective was to utilize in-house resources to the maximum extent possible. Consequently, a strong IPE team consisting of TU Electric staff was formed. Then, the IPE implementation was initiated consistent with the requirements of GL 88-20. The examination process, general methodology and information assembly are described in detail in the following sectia.u.

2.2 Conformance with Generic Letter 88-20 and Supportine Material TU Elactric las completed the IPE study in conformance with the requirements of GL 88-20. The study was performed using method number one described in the Generic Letter. Current PRA methods and l

supporting documents identified in the Generic Letter, such as NU 'G-1335,- NUREG/CR-2300,

NUREG/CR-2815, NUREG/CR-5313 and NUREG/CR-4920, were utilized. The results of this study l were documented according to the submittal guidance document, NUREG-1335. In order to benefit the most from the IPE study, TU Electric has fully utilized its in-house staff for all aspects of the examination so that the knowledge gained from the examination can be used in the future to enhance the safety and economics of CPSES Units 1 and 2. During the course of the examination, the IPE team accomplished the following

The plant emergency procedures, design, operation, maintenance and testing activities were l

reviewed and examined to determine potential severe accident sequences.

The significant contributors to core damage frequency and poor containment performance were determined.

Plant improvements to reduce core damage frequency were proposed an6 accepted after -

discussion with plant engineering and operations.

2-1

I In accordann with the requirements of GL 88 20, external events were not included in the IPE study, i

However, an internal flooding analysis was included as part of the internal events. Although external events were excluded, certain activities relevant to external events were documented during the IPE process so that they can be utilized for the IPE of external eventa (IPEEE) at an appropriate time. For l

example, data taken during the detailed walkdown performed in support of the internal flooding analysis l

I v .a documented in such a way that the information can be utilized for the Fire external event as part of the IPEEE program.

1 2.3 General Methodolorv in general, the fault tree linking methodology was adopted by TU Electric for the examination process.

nis was accomplished by developing plant specific large fault trees and small event trees. The large fault trees were then linked together according to the event tree logic for quantifying accident sequences.

What follows is a description of the major tasks that were accomplished in order to implement this methodology. Each major task is documented in the analysis notebooks and is backed up by suppon'ng calculations and analyses.

To ensure proper interactions among the IPE activities, the following tasks were identified at the beginning of the project:

Task 1 - Initiating Event Analysis Task 2 - Data Analysis Task 3 - Accident Sequence Analysis Task 4 - Systems Analysis Task 5 - Human Reliability Analysis Task 6 - Accident Sequence Quantification Task 7 - Internal Flooding Analysis i Thsk 8 - Shutdown Decay Heat Removal Analysis Task 9 - Containment Performance Analysis (back-end)

Task 10 - Unit 1 - Unit 2 Comparison Task 11 - Identification and Evaluation of Risk-Significant Improvements l 2-2

l Task 12 - Documentation Task 13 - Independent Rey'ew Task 14 - Project Management Identification and coordination of these mejor tasks at the beginning of the project resulted in a technically

{

t strong and high-quality study. It also helped, as a reminder, to address all issues and requirements -

specified in GL f;8 20. Tasks that require more discussion are described below.

Task 1 -Initiatine Event Analysis l

Re initiating event analysis task stancd during the early phase of the examination. The main objectivs of this task was to identify all of the conditions existing in the plant that could result in a severe accident.

Subsequent tasks of the IPE study were based on the assumption that one of these adverse conditions, or initiating events, was present and the ensuing transient was examined to identify all equipment and operator actions required to take the plant to a safe, shutdown condition.

The principal assumption in this analysis was that any of the conditions that may have led to a severe accident would result in cond!tions that exceed setpoints of the reactor trip system or would cause a reactor trip through other automatic circuitry (e.g., turbine trip, safety injection). Therefore, not only the causes for a reactor trip were considered, but also the causes for a turbine trip and the generation of the safety injection actuation signal. For all conditions, the reactor was assumed to be operating at full l power at the time of the initiating event.

The major causes of a reactor trip considered in this task are:

Manual reactor trip.

Reactor trip signal generated by the Reactor Trip system.

Reactor trip signal generated following a turbine trip, j = Reactor trip signal generated following a safety injection actuation signal (SIAS).

l r

For each of Gese signals, the reasons for the reactor trip were examined and traced back to a basic event.

For example, a reason for the turbine to trip was excessive vibration. Herefore, excessive vibration of 2-3 l

the turbine became a basic event. A similar method was used to backtrack through all of the reactor trip signals to identify all potential basic events. The basic events were grouped into thirteen general categories. The events listed under these general categories may be sufficiently different to warrant classification as an initiating event or, the entire category may be a single initiating event. The thirteen general categories considered in the initiating event analysis task are:

Non-LOCA transients where the core integrity is not endangered.

Non-LOCA transients where the core integrity is endangered.

Excessive LOCA

1.arge Break LOCA

Medium Break LOCA

Small Break LOCA

Very Small Break LOCA

Reactor Vessel LOCA

Steam Generator Tube Rupture

Interfacing Systems LOCA

Support System Failures

External Events

Manual Shutdowns The final list of the CPSES initiating events was then compared to other PRAs. It was also compared with the initiating events listed in the PLG data base (Ref. 3.1) which was used as the main source of data in the CPSES IPE study. These comparisons provided addidonal assurance that the initiating events list was complete and that no significant events had been overlooked.

Task 3 - Accident Seouence Analysis After the completion of the initiating event analysis task, accident sequence development was initiated.

As mentioned earlier, small event trees (e.g., functional event trees) were developed for each initiating event category defined in the initiating event analysis task. Then, for each function in the event trees, an appropriate fault tree logic (called top logic) was developed. The functional event trees co ntained only 2-4 l

l i

.- _ -.- - - .- - - -. - ~ - - - - -- - . - -

B top logic. The top logic consisted of system fault tree models and required human actions that were ;

iogically comt'ned based on their logical relationships to a required function.

In general, following an initiating event, it was assumed that the reactor operators would perform the actions specified in the Emergency Response Guidelines (ERGS) and Abnormal Conditions Procedures (ABNs) Following any initiating event, the operator was assumed to enter EOP-0.0, " Reactor Trip or l

Safety injection". All subsequent operator actions or responses formed the bases for each branch point in the event trees. If the operator response was required for the successful recovery from an initiating l event, a branch point was added to the event tree. If the operator response required by the procedure could not be performed because of the initiating event, or if t',e on,erator action had no bearing on the ;

fmal success of the mitigating efforts, then that operator response was not included in the event tree, it ;

should also be pointed out that no " heroic" operator actions were modeled in the accident sequence !

analysis.

The system success criteria were defined in the accident sequence analysis task based on the initiating t

event and the accident progression status. ;

i t

The functions of the safety systems modeled in the CPSES IPE were defimed in the accident sequence i l

analysis. The system functional requirements were mainly dependent upon the initiating event and I accident progression status. Tue system success criteria were determined based on the FSAR, other PRA h I

studies, thermal-hydraulic calculations, or engineering judgements, as ' appropriate. !

I L

I Iask 4 '- Systems Analysis f i

The systems analysis task was the most resource-intensive activity. There were a total of 15 systems included in the CPSES IPE sudy. Support systems as well as front-line safety systems required for mitigation of an accident were analyzed.

The system boundaries were defined at the beginning of each system L.alysis. The selection of the system boundaries was based on the system function, system configuration and logical breakdown which facilitated the system unavailability modeling efforts.

2-5 l

l l

i The mitigating functions for each system and their required success criteria were defined in the accident sequence analysis task. The system success criteria were determined based on the accident categories and status of the plant equipment following an accident.

The system dependency was accurately treated in the system fault tree models. The required support systems for each system function were identified in each system analysis notebook. A separate analysis called " Support System Interfaces" was completed prior to the initiation of the individual system modeling. This analysis provided a list of required support systems along with their associated supported systems. Support systems were broken down by trains and supported systems by components. Each support system train was given a pre-assigned ga'e number that was used by each analyst in the system fault tree models. The corresponding support system gate numbers and gate descriptions were used as undeveloped inputs to the front-line system fault trees at the appropriate level. Then, the front-line and support system fault tree models were linked together to quantify the accident sequences.

The equipment shared between the systems was identified in the system analysis notebooks. Based upon prior agreement, one analyst always modeled the shared equipment in his fault tree and the other analysts made a reference to it as an under ,d input to their fault tree models. This provided assurance that the logical relationship between shared equipment in different systems and their dependencies were correctly accounted for in the accident sequence quantification.

Task 5 - Human Reliability Analysis The systematic procedure that was used to incorporate the human interactions into the plant logic is consistent with the process described in the modified version of SHARP documented in Reference 3,16.

Once all of the human interactions were identified, a screening approach was adopted and applied to each I

action. There are three groups af human interactions that were considered in the CPSES IPE:

1 Type A: De latent human errors that are present prior to an initiating event, that may have occurred l during or after maintenance, testing or operational alignment such that the components are left

j. unavailable.

2-6

- , .. . - , - - . ~

- , ~ -.. . . . - - - . - . - . - - . - -.- - - .-. - - - . .- . -.-. - -

i

^

Type B: Humnu errors associated with initiating events thut are often the direct cause or the iritiating event. Type B human errors were not evalated separately in the IPE as they are accounted for in the laitstmg event frequencies.

Ty e C; Dynamic huttu errors following an initiating ever.t that are associated vchh th actions of operation 3 personnel resroeding to the initiating event. ~n type C actions were group:d into two subg.oups. Group Cr are die immediate resp;nses to accident inithtors and are covered by procedum.

Group C, may or may not be covered by piocedures. Rewvery actions were considered as type Ca.

. To ensure that human ector conaibutions were properly accounted for, human error events were strategically placed in the fun;tional fault tree roodels and!o- die system mit tree mode.s. 'Inis placement considered the scope of the ;.ctions dimibed ir. the event as well a influencing 6.ctus ;

associated with the fault tree. The cogdive port ion of the hme failure rate was modeled separately if the cognitive act was tied to multiple epera'cr aedons. In general, latent human errors and some dynamic human errors were modeled in the system fault tre' rrtode's.

A detailed recovery analysis was performed to properly account for the possib.e secovery actiow, The approach adopted for the IPE follows the general approach described in the EPRI reco.*ey analysb (M 3.22). Recovery actions are defined in this study as all of those actions that could be taken te recover from a particular set of equipment and/or human failures. Those actions may or may not be descr'.at in procedures. 'Ihe recovery analysis included the interview of operations staff with on-site experience, development of decision trees, review of related procedures and drawings, and consideration cf the time l available for each critical recovery action.

l Task 6 - Accident Sguence Ouantification As stated earlier, the fault tree linking methodology was utilized for quantification of the accident secuences. There were several major steps taken to streamline and optimize the quantification process:

Deletion of Circular Locle i

This was performed m order to r: move the circular logic that existed among the support systems.

Usually, the circular logic was removed by the individual systems analyst. Other loops that were noted 2-7 l

a

.rv..-,- w w , ,, y ,,gysW~ n%.e.+ g > g ga w ywyvys y 5yt-9 9 a9

- . - . -.-. - - - -. - -. - . - - . - ..- . . - - . . ~ - - . .

i

] !

i ducing me accident sequence quantification task were removed by the analyst responsible for the

quantification activities, with the individual system analyst's cor.currence.

Compilatipn of Dats Fiks j The systr.ns andysis data base files required for accident sequence quamifica lon we~e compiled into a single traster file. The master file was then used when quantifylag accident sequence frequencies. ,

l G;;;;;3Mti2n.Qfi.ocie Modeh A'l of the system fault tree models and the ecc: dent sequence logic were consolidated in order to quantity the accident sequence frequencies, The process was automated by the use of computer ptograms l

develo d for this task, Ouantification of Aegislent f equences The quaotification of accident sequences was performed by applying different methods for different

, sequences, as appropriate. The process was uependent on the specific conditions _of each sequence.-

Different cotopoter programs were ueveloped and utilized to facilitate the physical process of quantification efforts.

Task 7 - Internalhopdine Anainis A nd, pia cf the interul ficeding impact on ov':rall plant risk included the following major tasks:

"gfwinary Flood Spenario Devemr5ct h this task, prelimic try flood se;nari9 tables for CPSES wue developed. The.<e tables were used as a basis fer flood scw.sric elefinition and a'alysis in the subsequent tasks. The information collected during other IPE tuks and ichmuion from Corcanche Peak information systems were reviewed to support thic l task.

A list of all components modeled in the IPE an@su was developed. Apoendix R fire zone desi.nators were used as flood zone location designators. Taen, prelhninary !! nod propagation anaivsi., was

= performed for each potential flood zone by reviewing plant drawings and eppfylw the question-answer l logic developed for this task. Each resulting flood scenario was labeled using the flood zone where t'.e r -

2-8

l flooding was assumed to have initiated. A propagation scenario was defined by the set of flood zones potentially affected by the scenarlo.

PJpnt Walkdown As part of the interna' flooding analysis, the plant was physically inspected to refine and verify the preliminary f,ood scenario tables r,o that they could be used to accurately define potential flood scenarios in the flood scenaric importance screening. In Eddition, the flood rone inspections were documented by photographing each accessible piant flood zone including .<!gnift: ant component locations, flood propagation paths and flood mitigation / isolation featutes.

Flood Scenario Imnortance Screeninc in this task, the preliminary imernal flood scenario tr.bles were refined bared on the results of the plant walkdown effort, and quvititative screening criteria were developed for the determination of flood scenario risk importance. Next, flood scenario screening frequencies for each flood scenario were de" eloped. Various levels of flood scenario importance screening were performed, first, a ptehminary screening based on maximum conservative scenario impact, second, a screening based on less conservative scenario impact and third, a detailed analysis based on a set of refined assumptions.

Each flood scenario was quantifit., o determine its importance to plant risk by incorporating the informatioa contairied in the flood scenrrio tables into the overall plant model using the .;omputer programs developed specifically for the IPE internal flooding analysis task and the CAFTA (Comnuter Aided Pault Tree Aaalysis) computer software. A generic database was used to estimate the annual frequency of flooding in each flood zone defint<1 in the analysis. 2 Task 9 - ContainmeqLEgformance Angjy3J3 In add.it ion ta the prelimina y task of plant familiarization, there are five major tasks in the back-end of the CPSES IPE.

l 2-9 e

T "-i *' W *' f WpH=-wtuy r'v-r wWg ye-fiJ@Di.-y

"---'-* *-- - --wg y' t P*-t-gyv' *M Try*T v717vt-. r--pr-er"

I Containment Failure Characterization in this task, pcssibic: failure modes for the CPSES Unit 1 Containment in the event of severe accidents were evalurled from the point of view of penetration tailures, catastrophic structural failure, or liner tearing. A fragility curve was developed in this task.

Determination M Plant Damane States in this task, gt.idelines were developed for grouping accident sequences identified in Level 1. This reduced the nu.nber of cases fcr which Contain sent Event Trees (CET) needed to be analyzed.

Containment Event Tree Arialysis l In this task, ti.e conditional (i.e. assuming the Plant Damage State has occurred) probabilities of various-outcomes were calculated for each Plant Damage State. The event trees and fault trees were analyzed using CAFTA Con yuter Software.

MA AP Calculations of Accident Secuence Baselines in tnis task, the ? dodular Accident Analysis Program (MAAP) was used to determine the progression of accidents for use in the second and third tasks above. A pre-requisite for this task was the development of a detailed MAAP model for CPSES, which was a product of the plant familiarization task.

Containment Performance Durinc Severe Acciden15 In this task, the results from the Level

analysis were merged with the conditional Containment Event Tree (CET) findings. Level I functional sequences were ranked in order of expected risk to the public, Additional MAAP calculations for all those sequences that contributed significantly to risk were prrformed te determine release fractions, timing and type or energy level for key CET end-states.

CPSES-specific Release Categories were established by binning CET end-states of similar characteristics.

Source terms were characterized for all Release Categories. The task also included sensitivity analyses and ranking Qe importance of the possible accident sequences, i

2-10 i

I

?

I d

I

2A Information Assembly i

1

$ This section provides a description of the information that was assembled to support the IPE ior

{ Comanche Peak. The primary sources of information include the FSAR, various plant documentation that describes the plant design and operation, and cristing PRA studies of two other plants. Plant documentation is of very high quality and is representative of the as built and as-operated plant. De a study benefitted greatly from the extensive design and constraction verification efforts that were

.I completed prior to licensing and from the extensive computerivilon of most of the documentation needed for the analysis. In addition, the analysts were familiar with this documentation, havir.g worked in I

various capacities in engineering and operations. His provides a great deal of assurance that the analysis is based on an accurate model of the plant. The analysts supplemented their plant knowledge with various

{

phnt walkdowns that were directed specifically at answering questions important to the analysis. The specifics of these informati on gathering activities are provided below.

]

i i Plant Layout I

i j Most of the plant layout and containment building information can be found in the Final Safety Analysis j Report. The construction details of the containment building can be found in the architectural and -

! structural detail drawings for the plant. Much of this information was used in the MAAP calculations performed for the IPE.

I Documentation Used l De following is a listing and explanation of the plant documentation that was used to complete the IPE

study for CPSES.

I System Operatine Procedures l These procedures provide a step-by4tep descriptit .. ' ir the start up and shut down of plant systems for I normal operation. They were used I- the systems analysis portion of the IPE.

2 11 ,

4

Desien Basis Domments(DHDs)

Rese DBDs describe the functions, design requirements, modes of operation, artangement, performance characteristics and limitations of plant systems. DBDs were used to determine the boundaries of the system models and to familiarize the analyst with the system operating requirements.

Surveillance Test Procedures Rese procedures are written to demonstrate the operability of equipment or systems covered by the 1

technical specifications, The surveills.cc test matrix ties these procedures to their applicable section in the technical specifications. Surveillance tests were reviewed to determine test and maintenance unavailtbilities and also to determine fault exposure times.

System Flow Diagrams Dese flow diagrams provide a representation of the flow path for the mechanical systems and also show the valves, strainers, pump:, gauges, orifices, piping size, ASMF class, etc. . . within a system. Flow diagrams were used to develop simplift:d flow diagrams and Reliability Block Diagrams (RBDs) for the system models. Dese drawings also helped to define the boundaries of the system models.

System Instrumentation and Control Diacrams (ICDS)

The ICDS provide a graphic logical representation of the operation ofI&C equipment such as air operated valves, motor operated valver, pumps, switches, or transmitters. ICDS were used to determine operating logic and to model automatic actuation of equipment in the system models. De ICDS were also used in l the human reliability analysis.

Control Wirjnc Diacrams Rese are schematic diagrams that show the control circuitry and wiring connections for such circuits as motor starters, circuit breakert, motor operated valves and air operated valves, nese diagrams were used to develop simplified schematics for the electric power system model as well as to determine the operation of certain equipment.

EJ.ectrical One-line Diacrams These are diagrams that show the electrical distribution system power sources, busses and loads for all voltage levels. Also included in these drawings is the associated protective relaying for each bus. He 2 12

one-line diagrams were used to develop the simplified one line diagrams and the RBDs. He drawings also helped identify the boundaries of the electric power system model.

Alarm Procedures Manuals (ALMS) nase procedures provide the operator with instructions when various plant annunciators are received in the control room, ne procedures are partitioned to correspond to particular sections of the control room annunciators. The ALMS were reviewed by the systems analysts to develop the operator interface portion of the system rnedels.

Abnormal Conditions Procedures (ABNs)

These procedures are used by operators after responding to an alt.rm condition in accordance with the ALMS. The ABNs give step-by step guidance to restore the system to normal operation or to operate in an abnormal con 0guration. The ABN's were used to develop operator responses to abnormal conditions.

Emercency Resoonse Guldelines (ERGS)

These procedures are higher level procedures designed to provide the operator with specific instructions to follow in the event of abnormal plant cor.ditions. These procMures will permit plant recovery to safe conditions from abnormal plant conditions. He ERGS provided the basis for the recovery actions used during the quantification phase of the JPE.

I Final Safety Analysis Reoort (FSAR) ne FSAR is the licensing document that reflects the design of the plant in sufficient detail to determine .

that the plant is properly constructed and can be operated safely. He FSAR was used to familiarize the analysts with certain IPE systems and to understand licensing commitments, in order to ensure that the IPE submittal reflects the as built, as operated plant, an IPE freeze date was chosen for the submittal. The initial freeze date for systems analysis was April 1,1990. Initially all system models were based on drawings and documentatloa current as of April 1,1990. The current freeze date for IPE is January 1,1992. A list containing the revision level, as of January 1,1992, for all o the drawings, procedures and documents that were used to develop the IPE was created to ensure that the IPE reflects the configuration of the plant as of the freeze date. All design modifications and l

l -- 2 13

- . _ . . . _. . . . - - . - . _ -. -_ -. . - - = _ -

procedure revisions implemented up to the freeze date were reviewed to ensure that their impacts on the IPE system models were incorporated, as necessary.

Plant Walkdown During the early phase of the examination, a plant walkdown was performed by the entire IPE team, ne walkdown took approximately two days. During the walkdown, the IPE team verified the plant layout and physical location of critical equipment. The IPE team also gained auditional assurance that the systems and their associated components considered in the IPE study could be accessed as necessary to provide the functions modeled in the IPE. During the internal ficoding analysis, another walkdown was performed by two IPE analysts, an Auxiliary operator and one consultant. His walkdown lasted about one week and the entire effort was documented by photographs. He main purpose of the second walkdown was to refine and verify the preliminary flood scenarios, significant component locations, Good propagation paths and flood mitigation / isolation features.

Comnarlson with other Studies During performance of the CPSES IPE, the Seabrock Probabilistic Safety Assessment (PSA) and the Crystal River Unit 3 PRA were reviewed to gain additional insights. The following is a brief discussion of the insights gained from the two studies.

Seabrook Station Probabilistic Safety Assessment (PSA)

Seabrook is a four loop Westinghouse PWR and is very similar to Comanche Peak in its primary and secondary system design. The Seabrook PSA was performed by Pickard, Lowe and Garrick, Inc. The large event trea methodology was used to quantify the probability of core damage, whereas at CPSES, i the small event tree, large fault tree method was used. Herefore, the accident sequences were broken down differently than in the CPSES IPE. Some insights from this evaluation are:

The event sequence model compares well with the CPSES IPE model. In generrJ, the plant responses that were modeled are identical. There are some minor exceptions.

l

In general, the systems support hierarchy and interdependence are the same.

l 2-14

, - - . . ~- . _

_ .. _ ~ _ _ _ _ _ . . . _ - _ __ _ _ . _ __ __ _ _ _ . _._ _

t

In 3eneral, the equipment failures cited in the Seabrook event trees are modeled specifically in the CPSES system fault trees and not in the event trees.

For reactor shutdown following a LOCA, Seabrook uses a Boron Injection Tank (BIT)(10,000 ppm Boron). At CPSES, sufficient negative reactivity is inserted based l on the concentration of boron in the RWST (2000 ppm). )

e in the Seabrook PSA, RCS makeup is required on any cooldown event to ensure that the core is covered. CPSES pressurizer level is programmed such that the RCS maintains a constant mass (i.e., as temperature drops, required pressurizer level drops). Therefore, all cooldown events do not requite RCS makeup.

Both containment spray systems are composed of two trains designed to deliver 3000 gpm each. Seabrook has one pump per train; CPSES has two pumps per train and both pumps are required to operate for success of the train.

Seabrook did not consider a mechanical binding of the control rods as a possible cause of an ATWS,

Loss of CC at Seabrook leads to a RCP seal LOCA in that both seal injection and thermal barrier cooling are lost. At CPSES only thermal barrier cooling is lost. The charging pumps that provide seal injection are cooled by SW and therefore, seal injection is not lost.

1

At Seabrook, the main feedwater pumps are used to provide feedwater following a reactor trip. At CPSES, main feedwater is automatically isolated on a ieactor trip.

Auxiliary feedwater assumes immediately the function of secondary make ap.

In several events, the Seabrook model requires that a RCP be ope.ating to ensure adequate mixing. This requirement is not placed on the CPSES model because natural circulation is sufficient to ensure heat removal.

l 2-15 n..,- ,,,,m... . . . , , ,, ..,.e - - , , . , , -. _.,,

Crystal River Unit 3 PRA Comparison ne Crystal River Unit 3 (CR3) PRA is very similar in methodology to the CPSES IPE. De initiating u ' 'a are similar, with some special exceptior.s:

t a Loss of instrument Air was shown at CR3 to hue no effects other that to cause the loss of Main Feedwater and therefcde, it was included as part of that event's initiating event frequency. At CPSES, a loss of instrument air has other effects, and therefore, it was

! retained as an individual initiating event.

At CPSES, the effects of the loss of HVAC (as an initiating event or interfacing support system) were rigorously analyzed.

At CPSES, the LOCAs were broken down into five sizes, while at CR3 two were used, ne ECCS success criteria used at CPSES is more conservative.

There are some plant differences. Hey are:

At CR3. the main feedwater pumps are used to provide feedwater following a reactor trip. At CPSES, main feedwater is automatically isolated on a reactor trip. Auxiliary i feedwater assumes immediately the function of secondary makeup.

l l

On Station Blackout, CPSES has 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months of battery capacity. At CR3, the capacity is 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

CR3 uses Byron Jackron RCP seal packages. CPSES uses Westinghouse RCP seal packages.

l 2-16

.,-,_.p.. , ,.,_ ,.. __, _ _ . , . . . . . . , ,,

.,,,_-,-..,n-,,_, - ,,-.y , ,,_ m- yc - , . ,

3. FRONT END ANALYSIS ,

This section provides a description of the front-end analysis. Accident sequence models are discussed, including a discussion of the initiating events, event trees, special event trees and the binning of results into plant damage states. He system analysis section provides information related to plant systems design and operation, systems dependencies and interfaces, and systems unavailability considerations. An overview of the quantification process is also provided. This includes a discussion of the development of the data and the methodology used for the quantincation. Finally, the results of the front-end analysis including internal flooding are discussed, and an evaluation of the decay heat removal function is provided.

3.1 Accident Seauence Deling;lil2D This section provides a discussion of the initiating events and their frequencies and the success criteria for the front line systems that rrit igate each of the initiating events in addition, event trees that were developed for these initiating events are discussed. The success criteria for each branch is discussed and the bais for the plant response is provided in the discussion. Special event trees e. hat were develop-d for ATWS and Induced LOCA are described in a similar manner. Finally, an explanatloa of the method of grouping the accident sequences into various plant damage states is provided.

3.1.1 Initiatine Events and Front-Line System Success Criteria f

Initiatine Events ne methodology developed for the initiating events analysis (Ref,13) can be summarized as follows:

Assume that all initiating events that could lead to core damage will eventually result in a condition that will cause a reactor trip signal to be generated.

Identify all the basic events through the use of a fault trea. logic diagram (Attachment 1 of Ref.

13),

f

, ; t f 3-1 r

Group the basic events with similar transient characteristics (i.e., similar challenge to the available protection systems) into initiating Event Categories.

Quantify the frequencies of each initiating event category.

The basic events were grouped into twenty-one initiating event categories (including internal flooding and interfacing systems LOCAs). The frequencies of most initiating event categories werc estimated based on generic data (Ref.1). The frequencies of the initiating events loss cf component cooling water, loss !

of station service water, and loss of safety chilled water were determined by a plant specific fault tree analysis (Ref.11). The internal flooding data was categorized according to the plant operation modes, flood sizes, and flood locations, and the frequencies of each category were estimated based on generic data (Vol. 9. Ref.1). The twenty one initiating event categories, their frequencies, and the corresponding data sources are listed below.

1. Excessive LOCA (> > 6').

Freq. = 2.66E-07 yr , 8 (Generic Data, Vol. 6, Ref.1).

2. Large Break LOCA (> 6').

Freq. = 2.03E44 yr', (Generic Data, Vol. 6, Ref.1).

3. Medium Break LOCA (> 4' and < = 6').

Freq. = 4.65E44 yr', (Generic Data, Vol. 6, Ref,1).

4. Small Break LOCA (> 2' and < = 4").

Freq. = 5.83E-03 yr', (Generic Data, Vol. 6, Ref.1).

4

5. Very Small Break LOCA (< = 2').

Freq. = 1.26E-02 yr', (Generic Data, Vol. 6, Ref.1).

6. Loss of Condenser Vacuum.

Freq. = 1.18E41 yr', (Generic Data, Vol. 6, Ref.1).

3-2

--.- : .. . .. ..m__. -.

7. Steam Generator Tube Rupture.

Freq. = 2.84E-02 yr', (Genetic Data, Vol. 6, Ref.1).

8. General Plant Transients, including:

Reactor Trip.

Turbine Trip.

Excessive Feedwater Flow.

Closure of One MSIV.

Inadvenent Closure of All MSIVs.

Core Power Excursion.

Loss of Primary Flow.

Freq. = 2.90E-00 yr', (Generic Data, Vol. 6, Ref.1).

9. Inadvertent Safety injection Signal.

Freq. = 2.99E-02 yr', (Generic Data, Vol. 6, Ref.1).

10. Main Steam Line Break, including:

Steam Line Break Outside Containment.

Steam Line Break inside Containment.

Inadvenent Opening of Main Steam Relief Valves.

Freq. = 1.07E-02 yr', (Generic Data, Vol. 6, Ref.1),

11. Loss of Main Feedwater, including:

Total Loss of Main Feedwater.

Partial Loss of Main Feedwater.

Freq. = 1.29E-00 yr, (Generic Data. Vol. 6, Ref.1),

33

- . _ - - _ - . _ _ . - . _ . ._ _ -- _- .. =.. . -. -- .- . .

12. Loss of a DC bus.

I Freq. = 3.35E-02 yr', (Generic Data, Vol. 6 Ref.1),

i

13. 1.oss of Safety Chilled Water, j Freq. = 7.31E 02 yr', (Plant Specific Model, Generic Data, Ref.11).

14 Loss of Off Site Fower. ,

Freq. = 3.50E-02 yr', (Generic Data, NSAC/166, Ref.10).

15. Loss of a Non Vital AC Bus.

Freq. = 8.23E 02 yr', (Generic Data, Vol 6 Ref 1).

I

16. Loss of a Protection Channel.

Freq. = 8.36E-02 yr', (Generic Data, Vol. 6. Ref.1).

17. Loss of Component Cooling Water.

Freq. = 1.53E-02 yr', (Plant Specific Model, Generic data, Ref.11). l

18. l.oss of Station Service Water. !

Freq. = 4.79E 03 yr', (Plant Specific Model, Generic data, Ref. I1). ,

19. Loss ofInstrument Alt.

l Freq. = 2,02E-03 yr . (Generic Dsta, Vol,6, Ref.1).

9 i

20. Internal Flooding (During Normal Operation).

Auxiliary Building; Including Auxiliary, Safeguards and Electrical Control Buildipp.

l- Flood Freq. = 3.02E-02 yr', (Generic Data, Vol. 9, Ref.1).

l Turbine Building: Including Circulatirg Water and Service Water Systems.

I Flood Freq. = 2.19E-02 yr', (Generic Data, Vol. 9. Ref,1). .

A 34 [

i

._, . . _ _ _. ~ . . _ _ _ _ _ _ _ . . _ , _ . - , - _ _ _ . - _ _ . _ . , _ _ _ _ . _ . _ - .

21. Interfacing System LOCA (Plant Specific Model, Generic Data Reference 32)

Accumulator:

Small Relief Valve LOCA = 9.78E43 yr8 piping failure = 2.71E-05 yr'

RH Suction Line:

Small Relief Valve LOCA = 9.32E-05 yr' piping failure = 1.47E-07 yr' pump seal failure = 7.03E-06 yr

Excess Letdown Line:

Small Relief Valve LOCA = 1.30E 05 yr 8 piping failure = 1.19E 10 yr'

Normal Letdown Line:

Small Relief Valve LOCA = 2.27E-03 yr' piping failure = 4.77E 10 yr8

Low Pressure injection Cold uegs:

Small Relief Valve LOCA = 1.44E-05 vr8 piping failure = 2.22E-08 yr' pump seal failure = 1.47E47 yr'

Low Pressure injection Hot Legs:

Small Relief Valve LOCA = 2.22E-07 yr8 piping failure = 6.70E-Il yr' pump seal failure = 8.07E-09 yr8

Intermediate Pressure injection Cold Legs:

Small Relief Valve LOCA = 1.44E-05 yr' l piping failure = 1.23E-09 yr' 3-5

i pump seal failure = 1.47E 07 yr' i

e intermediate Pressure injection llot Legs:

Small Relief Valve LOCA = 4.44E 07 yr8 i i

piping failure = 7.57E 12 yr' l

pump seal failure = 8.07E 09 yr8 Front.Line System Success Criteria The success criteria for the front-line systems is described in Table 3.1.1 1. The Gate Name field lists the top gate in the system, the Noun Name field provides the description of the gate, and the Success Criteria field lists the minimum amount of equipment and flowpath that must be available for that function to be considered a success.

De successes are based on a 'best-estimate" plant response rather than a conservulve, licensing basis plant response. Where necessary, MAAP runs (Ref. 9) or thermal hydraulle analyses (Ref.1) have been made to vaEdate the success criteria. These criteria are consistent with the as-built, as-operated plant.

Table 3.1.1 1: Front Line System Success Criteria Cate Name Noun Name Success Criteria AF1000 PROVIDE 300 GPM TO OPERATION OF ONE OF TIIREE AF PUMPS STEAM GENERATORS DELIVERING FLOW TO AT LEAST ONE STEAM GENERATOR i

CSG4000 PROVIDE EMERGENCY OPERATION OF ONE OF TWO BATPS DELIVERING BORATION OF TIIE RCS FLOW TO Ti!E CHARGING PUMP IIEADER AND TilEN ONE OF TWO CHARGING PUMPS DELIVERING FLOW TO TIIE RCS VIA TiiE NORMAL CilARGING FLOWPATI!

$NLXXil RCP #1 SEAL FAILS MAINTAIN SEAL INJECTION FROM CS OR TilERMAL BARRIER COOLING FROM CC

$NLXX12 RCP #2 SEAL PAILS MAINTAIN SEAL INJECTION FROM CS OR TliERMAL BARRIER COOLINO FROM CC 3-6 i

i l . . _ ,, ..

Table 3.1.1 1: Front Line System Success Criteria (continued)

Gate Name Noun Name Success Criteria

$NLXX13 RCP #3 SEAL FAILS MAINTAIN SEAL INJECTION FROM CS OR T11ERMAL BARRIER COOLINO FROM CC

$NLXX14 RCP #4 SEAL PA1LS MAINTAIN SEAL INJECTION FROM CS OR TilERMAL llARRIER COOLING FROM CC CSG1000 PROVIDE 111011 }{EAD OPERATION OF ONE OF DVO CCPS DELIVERING INJECTION FLOW TO FLOW TO TWO OF FOUR RCS COLD LEGS Tile RCS COLD LEGS CSO2000 PROVIDE 111011 }{2AD OPERATION OF ONE OF TWO CCPS DELIVERING RECIRCULATION FLOW FLOW TO TWO OF FOUR RCS COLD LEGS TO Tile RCS COLD LEGS CTG 1 CONTAINMENT PRESS.15 OPERATION OF ONE OF TWO TRAINS OF TWO CT M AINTAINED %TTHIN PUMPS DELIVERINO FLOW TO Tile ITS DESIGN LIMIT CONTAINMENT SPRAY NOZZLES DURING Tile INJECTION

& RECIRC. OF ECCS MSG 001 PROVIDE MAIN TURBINE ISOLATION OF EITiiER Tile STOP OR CONTROL TRIP VALVE IN EACil STEAM LINE MSG 075 PROVIDE CONTROLLED OPERATION OF TWO OF FOUR ATMOSPilERIC DEPRESSURIZATION VIA RELIEF VALVES OPEN Tile ARVS MSG 300 STEAM DUMP SYSTEM OPERATION OF TWO OF TliREE COOLDOWN AVAILABLE VALVES OPEN ON DEMAND RC1000 PORVS PROVIDE OPERATION OF ONE OF TWO PORVS OR TWO OF AUTOMATIC PRESSURE TilREE SRVS. OPERATION IS DEFINED AS RELIEF ON 111011 RCS OPENINO WilEN RCS PRESS. REACllES Tile PRESSURE VALVES' RESPECrlVE SET"'NT AND CLOSING WilEN PRESS IS LESS TilA., ETPOINT RC2000 PORVs OPEN ON ONE OF BVO PORVS OPENS ON MANUAL OPEN MANUAL ACTUATION SIGNAL RC4000 SRVs OPEN ON 111011 TWO SAFETY VALVES OPEN ON lilGli RCS PRESSURE PRESSURE RC5000 SRVs CLOSE AFTER ALL RCS SAFETY RELIEF VALVES CLOSE AFTER PRESSURE RELIEF OPENING ON lilGli RCS PRESSURE RC7000 1/2 PORVs OPENS ON ONE OF TWO PORVS OPENS ON MANUAL MANUAL ACTUATION ACTUATION FROM TIIE CONTROL ROOM FOR SGTR 3-7 l

Table 3.1.1 1: Front Line System Success Criteria (continued)

Gate Name Noun Name Success Criteria RC8100 MAINTAIN T}iERMAL OPERATION OF TIIE CC VALVES AND BARRIER COOLING TO INSTRUMENTATION TilAT PROVIDE COOLING TO RCP SEAL #1 TIIE RCP #1 TIIERMAL BARRIER RC8200 MAINTAIN THERMAL OPERATION OF Tile CC VALVES AND BARRIER COOLING TO #2 INSTRUMENTATION TilAT PROVIDE COOLING RCP FLOW TO Tile RCP #2 THERMAL BARRIER RC8300 MAINTAIN THERMAL OPERATION OF Tile CC VALVES AND BARRIER COOLINU TO #3 INSTRUMENTATION THAT PROVIDE COOLING RCP FLOW TO TIIE RCP #3 TiiERMAL BARRIER RC8400 MAINTAIN THERMAL OPERATION OF Tile CC VALVES AND BARRIER COOLING TO #4 INSTRUMENTATION THAT PROVIDE COOLING RCP FLOW TO THE RCP #4 TilERMAL BARRIER RHO! PROVIDE ADEQUATE OPERATION OF ONE OF TWO Ril PUMP TRAINS RHR FLOW TO RCS COLD PROVIDING INJECTION FLOW TO ONE OF FOUR LEGS (INJECTION) RCS COLD LEO DURING INJECTION RilG201 PROVIDE ADEQUATE OPERATION OF ONE OF TWO RH PUMP TRAINS COOLING FROM RilR TO PROVIDING INJECTION FLOW TO ONE OF FOUR RCS IlOT LEGS HOT LEO DURING HOT LEO RECIRCULATION (RECIRCULATION)

RT!000 BREAKERS OPEN ON ONE OF TWO REACTOR TRIP EREAKERS OPEN ON MANUAL REMOTE TRIP, DEMAND FROM BOTil CONTROL ROOM liAND BOTH SWITCHES SWITCHES S11000 PROVIDE INTERMEDIATE OPERATION OF ONE OF TWO SI PUMPS HEAD SAFETY PROVIDING INJECTION FLOW TO TWO OF FOUR INJECTION FLOW TO RCS COLD LEGS Tile RCS COLD LEGS SI2000 PROVIDE INTERMEDIATE OPERATION OF ONE OF DVO St PUMP PROVIDING HEAD RECIRC. FLOW TO COLD LEO RECIRCULATION TO TWO OF FOUR TIIE RCS COLD LEGS RCS LOOPS SIS 000 2 ACCUMULATORS TWO OF FOUR ACCUMULATORS DISCHARGE TO l PROVIDS DISCHARGE ON THE RCS WHEN RCS PRESSURE FAL13 BELOW

! DEMAND ACCUMULATOR PRESSURE AF4000 PROVIDE 900 GPM TO OPERATION OF BOTH MDAFWPs DELIVERING THE STEAM FLOW TO AT LEAST ONE OF THEIR RESPECTIVE GFNERATORS S/Os OR OPERATION OF THE TDAFWP DELIVERING FLOW TO AT LEAST TWO S/Gs RC3000 PORV RECLOSES AITER BOTH PORVS CLOSE AFTER BOTH HAVE BEEN OPENING DEMANDED OPEN l

3-8

,,-m._ - . , - v v-~.-- ,.c--. . , , , . - - - - - , . -.%,- .,-y. ., . , , - . , - , .- , ,. ,

.- --. - .. - - ... -. - - _. -_ __ _ . _ _ - . . - .~ . .-

I Table 3.1.1 1: Front Line System Success Criteria (continued)

Gate Name Noun Name Success Criteria AF6000 PROVIDE FULL AF FLOW OPERATION OF ALL TIIREE AP PUMPS WITli Tile >

TO THE STEAM MDAFWPs DELIVERINO FLOW TO AT LEAST ONE OENERATORS OF TilEIR RESPECTIVE S/Os AND Tile TDAl%'P DELIVERINO FLOW TO AT LEAST TWO S/Gs CFG300 MAIN FEEDWATER MAIN FEEDWATER PROVIDES 60% FLOW DURING SYSTEM PROVIDES Tile FIRST llOUR FOLLOWING AN ATWS FLOW DURING ATWS CF0100 M AIN FEEDWATER MAIN FEEDWATER PROVIDED TO ANY S/0 YIA SYSTEM RESTORED TIIE FIFV FROM EITilER MF PUMP.

AFTER LOSS OF AF ,

RC4500 - ANY SAFETY RELIEF ONE OF TilREE SAFETY VALVES OPENS ON HIGli VALVE OPENS ON 111011 RCS PRESSURE PRESSURE RilG100 PROVIDE ADEQUATE OPERATION OF ONE OF TWO RH PUMP TRAINS COOLING FROM RHR TO - PROVIDING COLD LEO RECIRCULATION TO ONE RCS COLD LEOS INTACT LOOP (RECIRCIJLATION)

S13000 PROVIDE INTERMEDIATE OPERATION ONE OF TWO St PUMP TO PROVIDE IIEAD RECIRCULATION INTERMEDIATE IIEAD RCS IlOT LEG INJECTION FLOW TO Tile RCS IlOT FLOW i.

LFOS l

I 1

3-9

3.1.2 Front-Line Event Trees For each of the Initiating Events, an event tree was developed. In general, following the occurrence of the reactor trip signal or safety injection actuation signal attributable to the Initiating Event, it was assumed that the reactor operators follow the actions specified in the Emergency Response Guidelines (ERGS) and Abnormal Conditions Procedures (ABNs).

For all of th: Nitiating events considered, the operators enter EOP-0.0, " REACTOR TRIP OR S APETY INJECTION" after the reactor is tripped, or required to be tripped. All subsequent operator actions are defined in this ERG or in referenced ERGS. These operator responses form the bases for each branch in the event trees. If the operator response was determined to be critical to the successful recovery from the initiating event, a branch point was required in the event tree. If the operator response required by the procedure could not be performed due to the initiating event, or if the successful completion of the operator action had no bearing on the final success, or lack thereof, or on the recovery efforts, then the response was not represented in the went tree. No "herole" operator actions were postulated.

The suc'ess criteria for each branch were included in the branch description. Where possible, these criteria were based on a *best-estimate" plant response rather than a conservative, licensing basis plant response. Where necessary, MAAP runs or (Ref.14) thermal hydraulic analyses (Ref.15) were made to validate the success criteria.

The Accident Sequence modeling ended when the plant was placed in a stable state. Bus, a particular path ended if stable HOT STANDBY conditions were attained, even though a cooldown to cold shutdown conditions was eventually required.

( ne descriptions of the Accident Sequence Models are presented in the following marmer. Event trees are presented with a textual description of the top events and a discussion of the significant operator responses and success criteria for each branch, Following the discussions of all the initiating events, less detailed or functional events are described. The functional event trees contain only the essential top events or group of events. All other information required for linking the top events with the system fault tree models is described in the top logic models.

l 3 10

Trarsfer End states LOCA ,

This end-state was used to indicate that the sequence progresses into the appropriate size LOCA event tree.

INII "

This end state was used to indicate that the progression of the accident no longer follows this event tree. For example, consider the top sequence on the ATWS tree:

Transient leads to or requires reactor trip.

Electrical ATWS.

Operator successfully trips the reactor.

Since the reactor Js successfully tripped, the subsequent steps are followed on the General Transient (TI) Nee. It was assumed to be conservative not to reduce the initiating event frequency for Tl events that result in an ATWS core damage state. His end-state can also be considered Already Analyzed".

This example is not ' leant to ; 4fer that all post-ATWS events transitioned to the Tl tree. They :

transitioned to their mitiating event specific event tree.

Event Trees Dere are featuro common to all events that are not explicitly described. For example, seal cooling must be maintained in all events that are not LOCAs. If not, the assumed failure behaves like a small break LOCA. These common features are not described explicitly in each event tree, rather, they are described in detail in the INDUCED LOCA or ATWS event tree.

1 3-11 y 9r-emyw % wrw'T-eg -7r of N iig wi--

-Tfi8- a ea- Ww*'2' P' -q-w-eee i e' e p ea c1v' P--n q' w '*1s.-upwerw=' '-w -- d1' pap = p-eq

4 eep-

Notes:

In general, dynamic actions that are required and are procedurallred were included in the fault tree. His limited the amount of recovery analysis required af et quantification. I

All transient and LOCA event trees (except for LDLOCA) reflect successful reactor trip (RPS success). Failure of the Reactor Protection System was modeled in the ATWS tree.

GENERAL TR ANSIENT fil)

(Event Tree is shown in Figure 3.1.21)

1) General Transient (%Tl)

The initiating event is a general transient tlnt leads to a reactor trip (or reactor trip required).

No component or system is disabled by the reactor trip. Following the reactor trip, the reactor operators perform actions as required by the Emergency Operating Frocedure ' REACTOR TRIP ,

OR S AFETY INJECTION", EOP40. He first 15 steps are automatic actions that the operators perform without waiting for the procedures to be read aloud by the Senior Reactor Operator.

His step insinuatu that a reactor trip is required, but not necessarily obtained.

2) Establish Secondary lieat Removal ($SGXX01) l Following the reactor and turbi..e trips, the main feedtvater regulating valve remains open as it is reacting to the steam cenerator level and steamflow/teedflow errors. If instrument alt is lost, the feedwater regulating vdve closes. la addition, the main feedwater isolation valve receives an isolation signal on reactor trip coincident with low T,,, of SG4*F. Bec9use the N-16 T,., is synthesized from Ta and the neutron (fission) power, T., falls to Ta withia a few seconds following the reactor trip. Finally, one of the first fineen autoinatic actions diat the reactor operators are required to perform following any reae.or trip is to verify that FW isolation has occurred. Failure tc. Isolate main feedwater leads to overfill of a steam generatot; The 3 12

- ~.- .... - . - . - - _ - . - _ - . - - . . .. . - - - - - . - -

TDAFWP will be disabled if either S/G 1 or 4 overull. This was modeled in the AF system as a failure of the TDAFWP. ;

Following the turbine trip, the auxiliary feedwater prnnps are automatically started on low steam ,

generator level. Ah pumps may be started manually either locally or remotely. The auxiliary !

feedwater system consists of two tnotor4 riven fealwater pumps and a single steam turbine 4 riven auxiliary feedwater pump. All control and isolation valves between the auxiliary feedwater pumps and the steam generators are normally open, fall + pen valves, in addition, the piping and valves between the auxiliary feedwater pumps and the Condensate Storage Tanks (CST) are aligned to allow suction from the CST at any time. At least 300 gpm is required for success (Ref.15). His is less than the capacity of any one motor driven AF pump. l Success in this task also includes operator actions required to control the auxiliary feedwater now to prevent the overfilling or dryout of any steam generator. I i

Fellowing the failure of AF to provide Dow, the operators attempt to re-establish main feedwater, i This ccnsists of resetting the Feedwater isolation Signal and opening the Feedwater Isolation Bypass Valves.

t i

3) Enablish Bleed and Feed ($DFXX01)

If the RCS cannot be cooled by the secondary, then bleed and feed cooling must be used. Bleed [

and feed cooling is performed by opening both of the pressurizer PORVs (one is sufficient for f

success, Ref.14) while supplying Guld to the RCS from the RWST_with all available centrifugal i charging and safety injection pumps. Bleed and feed is continued until cold shutdown conditions

{

are reached or until the secondary heat sink is re-established. If they cannot be established, recirculation is requited.

After it has been determined that bleed and feed cooling is required, the operators manually actuate SI, if it is not already actuated. The charging and SI pumps may also be manually started if necessrly. The operators verify that the valve alignment is correct, Si and Containment Isolation are then reset to allow the re-establishment of the htrument air and nitrogen supplies, t

i 3-13 l

i The PORVs are powered by Nitrogen from mcssive accumulators to which make up nitrogen is normally isolatal. 'lhis accumulator will be exhausted after approximately 100 cycles of the PORVs. This incredible number of cycles is not likely to occur due to the fact that the ERGS do not instruct the operator to cycle them, but to keep them open, in accordince with the BASES for eis procedure (FRil 0.I), one centrifugal charging pump or, if the RCS has been somewhat cooled and depressurteed during the performance of the previous steps, one safety injestion pump is required to be available for feeding the RCS. For this e,akulation, it was assumed that the operators have 30 minutes to establish bleed and feed.

4) Establish Recirculation ($RCXX01)

As the RWST is depleted, high head cold leg recirculation must be establised. When the RWST is) nits to 40% of span, the operators receive an alarm and the su: tion of the RI{ pumps ,

autoinanc Jiy switches from the RWST to the contabment sumps. Operator action is required to transfer the suction of the intermediate an6 hign head safety injection pumps from the RWST ;

to the discharge of the Ril pumps, it is not required that the operators transitio . to hot leg recirculation icxcept for large break LOCAs), as the injection phase duration sus the 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months time delay dictated by the procedure puts the requirement outside the 24 ho ,r window. ,

if the operators are unable to transition to recirculation due to unavailability of equipment, they ;

are directed to remain in the injection alignment, but to minimize injection flow, and to limit the i amount and duration of containment spray. Also, they are instructed to provide makeup water to the RWST via various sources.

4 INADVERTENT SAFETY INJECTION SIGNAL ACTUATION fr3)

(Event Troc is shown in Figure 3.1.2-2) 1

!) Inadvertent Generation of a Safety injection Actuation Signal (%T3) i 3 14 1

I

-__. _ , _ _ _ . _ _ _ ~ . . . - , , , _ _ _ .- .._._..,_._m.._, __

1 The initiating event is the inadvertent generation of a Safety injection Actuation Signal (SIAS).

The SIAS causes the following events to occur:

l

ECCS initiation

Reactor trip

Phase "A" containment isolation ,

Auxiliary feedwater motor driven pump start

Turbir.e trip

Control room emergency recirculation

Main feeawater Isolation and trip of the main feedwater pumps

Component cooiing water operatica

Emergency diesel generator operation

Containment Vent isolation

Essential ventilation system operation

Containment spray pump start, no spray

Sutlos service water start and

Instrument air compressor trip

2) Establish Secondary System Heat Removal ($SGXX0lS)

Because there is no fault in the primary system, the amount of ECCS injection is insuf0clent to >

cool the core. Therefore, AP and steam relief are required to ensure adequate core cooling.

His event is identical in success criteria to $SGXX01, but imposes the additional requirement that an *S* is present. The presence of this signal changes the reliability of the system by starting some supporting components, but tripping others.

3) Establish Bleed and Feed ($BFXX01)

Failure of AF requires the initiation of bleed and feed. The operator is not required to manually initiate SI, as this has already occurred. This small difference is not sufficient reason to create new logic. Therefore, the existing logic which requires the operator to initiate S1 was used.

3 15

4) Establish Recirculation ($RCXX01)

At depletion of the RWST, the operators are required to enter the recirculation phase.

MAIN STEAM LINE BREAK (T4)

(Event Tree is shown in F!gure 3.1.2 3)

1) Main Steam Line Break (%T4) )

The initiating event is the complete severance of a main steam line between the steam generator 1 outlet nonle and the main steam isolation valve on the number i steam line, if the break were to occur downstream of the main steam isolation valve, the resulting transient would be similar to a turbine / reactor trip after closure of the valves.

He reactor trips following the generation of a safety injection actuation signal on low compensated steamline pressure. Automatic main steamline isolation also occurs due to low steamline pressure. The isolation of the main steamlines nullifies any effects of a possible failure of the turbine to trip. Following the reactor trip, the reactor operators perform actions as required by the Emergency Operating Procedure ' REACTOR TRIP or SAFETY INJECTION",

EOP-0.0.

In 3e nominal steam line break, the isolation of the break is essential to prevent an uncontrolled cooldown. Ilowever, in this analysis, the goal is to prevent core damage. Any cooldown would be the result of excess heat removal, and woulo et les o e a core damage. Therefore, isolation of the break is not required for success,

2) Establish Secondary Heat Removal ($SGXX0lS)

Although heat removal is not necessary at the beginning of the event, it is necessary to establish -

a long term cooling mechanism, of which the first choice is AF and steam relief.

3 16 l

l, . - _ , _

3) Establish Bleed and Feed ($DFXX01)

If AF is unavailable, it is necessary to establish bleed and feed to ensure continued core cooling, i

)

4) Estabil.a Recirculation ($RCXX01) l If bleed and feed was established, then it is necessary to transition te recirculation.

LOSS OF MAIN FEEDWATER - MAIN FEEDWATER UNAVAILABLE (r6)

(Event Tree is shown in Figure 3.1.2-4)

1) Loss of Main Feedwater (%T6)

The initiating event is a complete loss of main feedwater. The initiating event frequency for this event is the sum of the total or partial loss of Main Feedwater, or the loss of the l{ eater Drains or Condensate system. De main feedwater and condensate pumps are unavailable for later use in recovering from the event. The reactor trips on low steam generator water level, high -

pressurizer level, or over temperature N 16. Following the reactor trip, the reactor operators perform actions as required by the Emergency Operating Procedure ' REACTOR TRIP or- ;

SAFETY INJECTION", EOP 0.0.

l

2) Establish Secondary System }{ eat Removal ($SGXX0lS) ,

The AF pumps are actuated on low-low S/G levels and are the first line of defense. Additionally, they receive an anticipatory start on trip of both Main Feedpumps.

3) Establish Bleed and Feed ($BFXX01)

Failure of AF requires that the operator initiate bleed and feed, as described previously. .

t 3-17

4) Establish Recirculation ($RCXX01) l I

When the RWST reache:. 40%, the operators swap the sucticus of the running ECCS pumps to the containment sump.

i LOSS OF A 125VDC SAFEGUARDS BUS (X1) ;

(Event Tree is shown in Figure 3.1.2-5)

Loss of the IE DC bus IEDI leads to a reactor trip due to closure of the feedwater regulating valves.

Additionally, several other systems are hampered including: !

AF - Train A motor driven pump will not start and the TDAFWP may fall due to overfill since the train A regulating valves have lost control power.

CC - Train A will not start due to loss of control power.

S1 Same.

etc. . .

Failure of any one 125 VDC ous can not cause the loss of function to any AC instnamentation distribution I panel fed through an inverter, if all inverters downstream of the bus successfully switch to the alternate l power supply source. De reactor protection system distribution panels (normally fed by the inverters) l l may also be manually aligned to be powered directly from a motor control center, bypassing all inverters 1

(as a recovery).

The tree structure of this event is toentical to the Reactor Trip event tree, ne interdependence of the systems was quantified by initially failing bus lEDI.

l 3-18

.~ _- - _ - _ _ . . ._ . - - . - _ _ . _. . - _ - - _. .. _.-

LOSS OF HVAC N2)

(Event Tree is shown in Figure 3.1.2-6)

This initiating event category was refined to ine'.ude ondy the loss of the most limiting portion of the liVAC system , nie Safety Chilled Water System (Cil). The Cil provides cooling to those rooms where safeguards equipment are located. The Ril pumps, the SI pumps, the CCPs, the MDAFWPs, the CT pumps, and the CC pumps are all required to be maintained in a relatively cool room (< ~ 122*F by environmental qualification).

This event is assumed to require manual reactor trip based on the expected loss of systems supporting normal operation (CC, Electric Power, CS...). The tree structure of this event is identical to the Reactor Trip event tree. The interdependencies of the systems were quantified by inillally failing the safety chilled water system.

LOSS OF ALL OFFSITE POWER N3)

(Event Tree is shown in Figure 3.1.2-7)

The initiating event is the complete loss of Lil offsite power and de-energization of both safeguards busses that also leads to a plant trip.

Following the loss of offsite power, the diesel generatoa start and the essential loads are sequenced onto the 6.9 kV Class IE buses. No power is supplied to the non-Class IE 6.9 kV buses by the diesels, if j the diesels do not start, the ensuing event is a Station Blackout (SBO). The diesels are considered to be successful if they continue to power the busses for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . At this point it is assumed that offsite power has been restored.

A loss of offsite power with reactor power at 100% can be thought of as a loss ofloa0. This causes a generator trip, turbine trip, and therefore a reactor trip. All of the non-Class IE 6.9 V buses will be deenergized. 'Ihe major loads on bus l Al are:

Heater Drain Pump 1; l 3-19 l

i 1

Circulat!ng Water Pump 1;

Reactor Coolant Pump 1; and, a 480 V Bus non safeguards bus TIBl.

Similar redundant loads are on bus l A2. The major loads on but l A3 are:

'

Service Air Compressor I;

Condensate Pump 1;

TPCW pump 1;

Circulating Water Pump 3;

Reactor Coolant Pump 3; Similar redundant loads are on bus I A4.

1) 1.oss of all offsite power (%X3)

His event was modeled as the simultaneous failure of bc,th the 345 kV and the 138 kV switchyards.

2) Establish Secondary System Heat Removal ($SGXX01)

It is necessary to establish AF and steam relief to ensure continued core cooling. If the D/Gs l have not re-energized the busses, only the TDAFWP will be able to provide 110w to the S/Gs.

(

! 3) Establish Bleed and Feed ($BFXX01) l Upon failure of the AF system (and success of the D/Gs) the operator is required to establish bleed and feed cooling for core hect removal.

l l

3-20

7 1

4) Establish Recirculation ($RCXX01)

Upon depletion of the RWST, the operator is be required to realign the ECCS pumps to the containment sump.

Here are many other operator actions that can be taken to prolong the time to which the batteries are depleted (without reestablishment of any pawer source) including shedding loads, s

Additionally, the operators can depressurize the RCS to delay or preclude failure of the RCP seals.

LOSS OF A NON VITAL BUS (X4)

(Event Tree is shown in Figure 3.1.2 8) ne initiating event is the loss of 6.9 kV non-Class IE bus I A3 and it's associated 480 V bus 1B3.

Here are four non Class IE 6.9 Y buses. He major loads on bus l Al are:

Heater Drain Pump 1;

Circulating Water Pt.mp 1;

Reactor Coolant Pump 1; and, ,.

480 V Bus ron-safeguards bus TIDl.

Similar redundant loads are on bus I A2.

De major loads on bus I A3 are:

Service Air Compressor 1;

Condensate Pump 1;

TPCW pump 1;

Circulating Water Pump 3;

Reactor Coolant Pump 3; and, 3 21

480 V Dus non-safeguards bus TID 3.

$1milar redundant loads are on bus I A4.

The following loads are on the 480V non-safeguards buses:

1D1:

Turbine Lube Oil Pump A;

EHC Fluid Pump A; and.

Condenser Vacuum Pump 1.

1B2:

Turbine Lube Oil Pump B;

EllC Fluid Pump B; and,

Condenser Vacuum Pump 2.

183:

Turbine Shaft Lift Oil Pump;

Control Rod Motor-Generator Set 1;

Turbine Lube Oil Pump C; and,

DTRS Chillers.

IB4:

Condenser Vacuum Pump 3;

Control Rod Mator-Generator Set 2; and,

EHC Fluid Pump C.

Based on the above lists, the loss of power to any of the non-Class IE 6.9 kV buses results in a partial loss of feedwater due to the trip of the heater drain and/or condensate pumps; however, the automatic turbine runback is designed to prevent a :cactor trip on the loss of only one of the condensate or heater drain pumps.

The loss of a normal 6.9kV bus results in a reactor trip on RCP bus undervoltage and is backed up by low RCS flow rate and RCP bus underfrequency trips. It also degrades the Circulating Water and

. Turbine Piant Cooling Water systems, modeled in the accident mitigation logic.

3-22

4

For the accident sequence description which follows, it is assumed that bus I A3 is de-energized and

] cannot be re-energired for the duration, of the event.

1) Loss of the 6.9 kV Non-Class 1E bus IA3 (%X4)

Foilowing the loss of the 6.9 kV bus l A3 and its asso, ated 480 V bus 183, the following equipment is disabled:

Service Air Compressor I; I

Condensaw Pump 1;

TPCW pump 1; f

Circulating Water Pump 3; i

Reactor Coolant Pump 3;

Turbine Shaft Lift Oil Pump;

Control Rod Motor-Generator Set 1;

Turbine Lube Oil Pump C; and, l

BTRS Chillers.

4 An automatic reactor trip signal is generated immediately following the loss of power to the buses

due to the loss of power to the RCP, low loop 3 flow, and/or Rd bus undervoltagel underfrequency.

i The tree structure is identical to the Reactor Trip Event tree and therefore, it will not be described below, ne conditions were perturbed by initially failing bus I A3.

i 1

3-23 l,

v- , e a , ,, - - - - ww- *c e- -,. r v

LOSS OF THE PROTECTION CHANNEL IPCI (X5)

(Event Tree is shown in Figure 3.1.2-9) i

1) Loss of protection channel IPCI (%X5)

The initiating event is the loss of protection channel IPCI. The selection of protection channel 1 is based on the larger number of loads, although each chennel could lead to a reactor trip.

Logically, a single channel cannot trip the reactor. However, the subsequent loss of control may l'

(and is therefore assumed to) lead to a plant trip.

ABN-603A, " Loss of Protection or Instrument Bus" describes the operator's response to the loss of this protection channel. These actions are necessary to prevent a reactor trip, and for conservatism, the operator is assuned to fail.

2) Establish Secondary Heat Removal ($5GXX01)

Following the reactor trip, the feedwater will be isolated by the " Reactor Trip with Low T,"

! signal. AF is required to start and provi "9w to the steam generators.

l

3) Establish Bleed and Feed ($BFXX01)

Failure of AF requires that the operator establish bleed and feed.

4) E +ablish Recirculation ($RCXX01)

At the depletion of the RWST, the operators are required to realign the suction of the ECCS pumps to the containment sump, Failure to do so leads to a late high pressure core damage.

3-24

LOSS OF COMPONENT COOL.ING WATER fX6)

(Event Tree is shown in Figure 3.1.2-10)

The transient induced by the loss of component cooling water (CC) is insign:3 cant relative to the loss of capability to establish cold shutdown conditions in the RCS. In addition to other functions, the component cooling water provides cooling for:

Safety Chilled Water System Condenser; e RCP thermal barriers, oil coolers and motor air coolers;

Instrument air compressors; and

UPS HVAC Chillers.

CC also provides cooling water for the recirculation phase of safety injection, feed and bleed operation, and for the recirculation phase of the containmem spray. Thus, recirculation would have only a marginal a

cooling effect on the RCS or containment.

Following the Ic:s of cos.2ponent cooling water, all room cooling is lost due to the dependency of safety chilled water on CC. As a result the equipment in these rooms has an increased probability of failure.

The instrument air compressors cooled by CC are assumed to be lost upon loss of CC at the time of the reactor trip.

1) Loss of Component Cooling Water (%X6)

The initiating event is the loss of both trains of component cooling water for Unit 1, as modeled in Ref.11. He loss of room cooling to the UPS and Distribution Rooms may result in the loss of all inverters within 15-30 minutes. Plant personnel are instructed to install portable fans to circulate air in these two rooms. As the temperature continues to increase, the reactor operators are instructed to manually bypass the inverters that supply instrument power to the control room.

Backup instrument power is supplied by ll8V AC directly from the buses IEC1 and IEC4.

He loss of the safety chilled water system, due to the loss of the CC, also affects the availability of equipment, primarily motors, required for safe shutdown of the plant. All of the safeguards 3-25

mm ua - . . - . .m , _. . . m __m ....-, # . =

equipment (e.g., RH pump, SIF, CCP, and MDAFPs) are supplied with safety chillers. Failure of the safety chillers makes these components susceptible to overheating failures.

The predominant effect noticed is a simultaneus loss of thermal barrier cooling and loss of letdown cooling. Another effect is an increase in the RCP motor betting, pump bearing lube oil, and thermal barrier temperatures. According to procedure, if CC can not be restored, the reactor operators trips the RCPs, thus causing a reactor trip and subsequent turbine trip.

2) Establish Secondary Heat Removal ($SGXX01) l l

l Core heat removal is primarily obtained through the Steam Generators. Due to the loss of room l

i cooling, the MDAFWPs are less reliable.

I

3) Establish Bleed and Feed ($BFXX01)

If AF falls, it is necessary to establish Bleed and Feed. Most of the components will have been degraded due to loss of room cooling.

l

4) Establish Recirculation ($RCXX01)

Because no cooling is available for recirculation, CC must be restored prior to the time the RWST is drained. Even though recirculation is still available, there is no cooling, making j

recirculation an ineffective cooling mechanism.

l LOSS OF STATION SERVICE W ATER (X7)

(Event Tree is shown in Figure 3.1.2-11)

The initial transient induced by the loss of the station service water system (as described in Reference 11) is insignificant relative to the loss of the capability to establish cold shutdown conditions in the RCS. The Station Service Water System supplies cooling for the Component Cooling Water System, the diesel -

3-26

_ . .. - , , , ~, _ . _ _ _ _ . _ . _ . . __ . - . _. . . . . _,

l 3

generators, and the tube oil coolers for the centrifugal charging pumps and the safety injection pumps, Because the CCPs are cooled by station service water, RCP seal injection flow is lost (the positive I- displacement charging pump is cooled by CC). Thus, a SBLOCA through the RCP seals will ensue following the loss of SW if the CCPs are not started and provided with alternate cooling,

1) Loss of Station Service Water (feX7)

The initiating event is loss of both trains of Unit I service water.

t 2) Establish Secondary Heat Removal ($5GXX01) ne first critical step is to establish a mechanism for removing core heat AF with steam relief is the first line of defense,

3) Establish Bleed and Feed ($3FXX01)

Upon failure of secondary heat removal, the operators are required to initiate bleed and feed.

4) Establish Recirculation ($RCXX01)

At depletion of the RWST, the operators realign the ECCS pumps to the containment sump.

LOSS OF INSTRUMENT AIR (X8)

(Event Tree is shown in Figure 3.1.2-12)

The complete loss of instrument air has the following results which may affect the operators' responses:

l

Charging control valves fail fully open l

Letdown isolation valves close

Pressurizer spray valves close 3-27

MSIVs close

TDAFP steam supply valves open

Steam Dump valves close

FW regulating valves c!ose

CC surge tank level makeup valves close

RH letdown flow control valves close

RH heat exchanger CC return valves close

N2 supply header valve closes.

The loss of this equipment requires the control room personnel to manually control the charging flow to maintain pressurizer pressure and level control. They must also manually align the RH and CC systems for the decay heat removal mode of operation.

In addition, instrument air provides motive power to the auxiliary feedwater control valves and the steam generator atmospheric relief valves. The closure of the N2 .upply header line also results in the loss of nitrogen supply to the pressurizer PORV accumulators. All of these valves are equipped with accumulators to provide a source of motive power for a limited time period. The accumulators for the auxiliary feedwater control valves are sized to allow thirty minutes of operation before the valves fail open. The accumulators for the S/G ARVs are sized to provide approximately 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months of operation before the valves fail closed. The nitrogen accumulators on the pressurizer PORVs are sized to allow approximately 100 cycles before the valves fail closed.

I

!) Loss ofInstrument Air (%X8)

The initiating event is the loss of all instrument air, as described in Reference 2. For the following discussions, it is assumed that all instrument air is lost. Following the initial alarms indicating the loss of instrument air, the subsequent operator responses are in accordance with the Abnormal Conditions Procedure ABN-301 A, " INSTRUMENT AIR SYSTEM MALFUNCTION".

3-28

2) Establish Secondary Heat Removal ($SGXX01)

It is first necessary to establish AF and steam relief. This is complicated by the fact that instrument air feeds the control valves from the TDAFWP, and the MDAFWPs.

3) Establish Bleed and Feed ($BFXX01)

Failure of the secondary heat removal system requires the operator to initiate bleed and feed by manual *S" and opening the pressurizer PORVs.

4) Establish Recirculation ($RCXX01)

After the RWST reaches 40%, the operator is required to realign the suction of any running ECCS pump to the sump.

EXCESSIVE LOCA Nu (Event Tree is shown in Figure 3.1.213)

This initiating event is an excessively large LOCA. The most probable break location is at or below the reactor vessel beltline.

The tree structure is identical to the Large Break LOCA sequence (following), except that all end-states are core damage end-states.

9 3-29

LARGE BREAK LOCA (A)

(Event Tree is shown in Figure 3.1.214)

1) LBLOCA (% A)-

The initiating event is a large break LOCA. The break size classification is based on the success criteria with consideration given to the data analysis. A Large Break LOCA requires only one high or intermediate injection pump,2 accumulators (one is considered to be on the broken loop and therefore failed), and either RH pump (Ref.14). The severance of any of the pipes that form the main coolant loop is -considered to be a LBLOCA.

In the FSAR Chapter 15 analysis of the LBLOCA, no credit is taken for reactivity control in the form of control rod insertion or boration due to safety injection, his analysis demonstrates that the core remains in a coolable geometry and that no fuel melting occurs, due to the negative reactivity from the void coefficient. Thus, it is not imperative that a successful reactor trip occur for the LBLOCA.

2) Failure of injection on LBLOCA ($SIXX02)

As described abovi one high or intermediate head injection pump,2 accumulators and one RH pump are required. Although this is less than the success criteria as defined in the licensing-basis analysis, it is rnore conservative than that calculated by MAAP (Ref.14).

3) Establish Low Head Recirculation (SLRCX01)

Cold leg recirculation must be established before the RWST is depleted. The suction of the RH pumps will automatically switchover to the containment sumps when the low RWST level is received. The reactor operators may also manually perform this switchover.

Containment cooling is typically required during a large LOCA to prevent containment failures due to overpressurization. After several MAAP runs, it was determined that even without containment spray, the pressure excursion does not exceed the anticipated failure pressure of 114 3-30 i

l psia. Herefore, containment spray success is not required to prevent core damage. Itis considered in the back-end analysis as a method of reducing the radionuclide releases and preventing late containment failures.

i 1

Eighteen hours after the initiation of the event, procedures EOP-1.0 and EOS 1.4 direct the reactor operators to switchover to hot leg recirculation to preclude precipitation of the boron.

Realistically, this action may not be required to prevent core damage. However, it is

! conservatively required.

During a small or medium break LOCA, if recirculation capability is lost, the operators can extend the injection phase by throttling flows and providing make up to the RWST. In a LBLOCA, this is not considered possible due to the large flowrates seen, and subsequent short times to recover.

MEDIUM BREAK LOCA (M) l (Event Tree is shown in Figure 3.1.215) t

! 1) MBLOCA (%M) i i

he initiating event is a medium break LOCA. The sizing criteria for the MBLOCA requires that the break be large enough that no AF is required, but small enough that RH is not reqt. ired, due to RCS pressure being above it's shutoff head. Sufficient cooling will be provided if a single high or intermediate injection pump is running (Ref.15). The MBLOCA diffets from the LDLOCA in that the RCS will probably not depressurize to below me shutoff head of the RH pumps, although discharge from two accumulators is required. As described in WCAP 11145-P-A, the limiting break size is a 4" break in a cold seg. This break size and location is l

assumed in the following discussions -

l 3-31

2) Establish Safety injection and Accumulators ($SIXX01)

As described above, success requires one high or intermediate injection pump and 2 accumulators (Ref.14).

3) Failure to Establish Recirculation ($RCXX01)

After the RWST has reached 40%, the RH pump will automatically swap it's suction to the containment sump. The operators manually swap the running high or intermediate injection pumps to the discharge of the RH pumps. After 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months , the recirculation flowpath is realigned so that the discharge of the RH pumps and the SIPS is to the hot legs.

SM ALL BREAK LOCA (S)

(Event Tree is shown in Figure 3.1.2-16)

1) SBLOCA (%S)

The initiating event is a small break LOCA. A break size with an equivalent diameter of 2" to 4" (3.14 to 12.57 square inches) is considered to be a small break.

2) Failure of injection on SBLOCA ($SIXX03)

Success in this gate requires that one high or intermediate injection pump injects water into the RCS (Ref.14). This providbs sufficient make-up capacity and sensible heat removal, since the l

break size (2-4") is large enough, to ensure that 1. decay heat is removed.

3) Establish Recirculation ($RCXX01) i At depletion of the RWST, the operators realign the ECCS injection pumps to the containment sump.

3-32

VERY SMALL BREAK LOCA (VS)

(Event Tree is shown in Figure 3.1.2-17) i

1) VSBLOCA (%VS) ne initiating event is a very small break LOCA. The break has an effective diameter of less than 2 inches (area less than 3.14 square inches).

2) Failure of inject:on on SBLOCA ($SIXX03)

Success in this event requires the establishment of flow from at least ore high head injection pump or one intermediate head pump (Ref.14). It has been shown by MAAP analysis that with AF (always required :or success) the RCS will depressurize down to the SIP head, if the CCPs are unavailable.

3) Establish Secondary Heat Removal ($SGXX0lS)

Due to the insufficient amount of sensible heat removal through the bre A additional heat removal is required, ne primary sink is the secondary system.

4) TDAFWP Runs Urtil Battery Depletion (EPBATTDEPI Based on MAAP analyses (for binning), the availability of AF for 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months will redirect the binning of the sequences from PDS3 to PDS4. This event indicates failure of the TDAFWP at

! 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , due to loss of DC power that leads to overtill of the steam generators and failure of the TDAFWP.

l l

l l' 3-33

I l

5) Establish Bleed and Feed ($HHLOCA02)

If the secondary heat removal systems are unsuccessful, the operator is required to establish bleed l and feed. The ECCS injection system must have already been successful. Therefore, this event is limited to the operator actions required to open the PORVs.

6) Establish Recirculation (SRCXX01)

He oper.. tor is required to swap the ECCS pump suctions to the containment sump when the RWST reaches 40%. This could be from entering bleed and feed, or due to containment spray -

i- actuation, which has actuated due to the fact that the containment fan coolers were tripped.

1 STEAM GENERATOR TUBE RU"TURE (R)

(Event Tree is shown in Figure 3.1.2-18)

1) Steam Generator Tube Rupture (%R)

The initiating event is a double-ended severance of a single steam generator U-tube in the number I steam generator. This failure results in an initial leak rate of approximately 630 gpm.

2) Failure of Injection on SBLOCA ($SIXX03) f To make up for lost RCS fluid to the generators, it is necessary to inject ECCS tluid. His ensures adequate coupling from the primary to the secondary, should steam relief be the primary cooling mechanism. Additionally, it provides some sensible heat cooling.

3-34

3) Establish Secondary Heat Removal ($SGXX0lS) 1 In order to provide sufficient core cooling, it is necessary a provide AF injection and steam relief. Disabling of the ruptured generator on a tube rupture is modeled in the AF and Main Steam system models. This assumes that the break size is not large enough to remove the decay heat.

4) Isolation of SGTR Break Flow ($SGTR01)

In general, the operators are not required to isolate the break flow to prevent core damage (Ref.

14). A " hands-off" MAAP run was performed that showed that core uncovery does not occur as long as injection and AF are available (always required for success). However, it is required to eventually terminate break flow in order to stabilize the event. The operators must depressurize the primary low enough to match the pressure of the ruptured steam generator, after it has been isolated. This is in explicit accordance with the Emergency Response Guidelines (ERGS).

5) Isolation of SGTR Break Flow w/o Injection ($SGTR02)

If there is no ECCS injection, the operators may still prevent core damage by expeditiously terminating break flow. This is accomplished by using the steam dumps or atmospheries to reduce RCS temperature, and the PORVs or sprays to reduce RCS pressure. Additionally, the MSIVs (the one on the ruptured generator or the other three) must have been closed.

6) Failure to Establish Eleed and Feed ($HHLOCA02)

Upon failure of AF, it is necessary to establish bleed and feed to ensure sufncient heat removal.

Given that the break size may be too small to remove the mass, a PORV must be opened and ECCS flow estrblished.

3 35-

._= _ . . . . . . . _ _ _ . . _ _ _ . _ _ _

7) Establish Recirculation ($RCXX01)

If bleed and feed is required, then the operator transitions to the recirculation mode when the RWST reaches 40%.

LOSS OF CONDENSER VACUUM (CV)

(Event Tree is shown in Figure 3.1.2-19)

This event tree is identical to the reactor trip event tree. The only difference is that the initiating event, loss of condenser vacuum, causes the plant to trip and disables the steam dumps thus requiring the ARVs to control steam generator pressure.

Event Trees The following event trees illustrate the accident progression from the initiating event to the sequence end-state. He PDS bin definitions are described in Section 3.1.5 i

l I

3-36

- . _ . . ~ .. _ __ _ _ _ . . _ . _ . . _ _ _ . _ , ._ ._. . . _ , . _ . _ . _ . . . . . .

r g'3"7Y7.OEog kE**g n<0haa i

O N 1 2

M M C C Q 1 T

1 E T S # #

N B

4 3 S S S D K D D P O N P P N

)

K HT 1 SA I

O X

LL BU X 1 AC C O TR R X

$ X SIC C EE R R T Ho St 1

O LAD I

X BDE E X 1

~

A EF !

O 8

TE $ X SL X EB F 8

L

_ A HYV 1 MRO O AM X R DENR X

G I

AO S O TCT $ X SEA X ESE G F S

- i T

LN AE 1 RS T EN %

NA ER G T 1 T

w0"

r g(2 " . O?

! E8 i8 Io305 mkE g3a O

N w

. O.

E C

s r m T

S e #

N O

s S s D

P X C

o r m N

O I

HT t

_ SA O X

tL rU X AC C TR R '

S

. S1C

_ EE

R C D

E E

LD i BE O E X HP X S F IOP L E t DA $ o A x T x S r E e s

MF EA T L SLA HYAN s SSVG r

0I O t

LY4S X X

BRO AARS G g T S SrTRO $ o, EOAE CET ,

. EP ,

S ,

S A

I S

T N 3 E T T %

R E

V D

A 3 m N T 3, ao

t. 't o 4 . 6 k

TTC Ke.:s @@il- s 50w 4 e o w*.NO 2o a

O N

O.

E T

W T

S # J

. N O

S D

P 5 N

6 N

O I

HT 1 SA O UL X BL X AC C TR R S

S1C EE R

D E

E LD 1 BE O E X HF X S

fO LP BA A

W 1 O

X T X S F 3

E f s

T S A

R HEE S S HTL O t I

FA X LYAN X BR AALC G s TOAS S t o

StV $ x

- EOO CA x EO e S R s s

E N_

MK A A 4 EC T TR %

SO N

A 4 M T WO*

LOSS OF mat 4 ESTABLISH ESTABLISH ESTABLISH PDS ES4 SEO. NC.

FEEDWATER SECOtOARY BLEED Ato RECIRCULATION HEAT REMOVAL FEED y E

%T6 $5GXXO1 $8FXXO1 $RCXXO1 2

^

N C

i 3:

! 2.

t.a 4 %TG N 3

?

1RCXXOI PDS4 ssexxo1 #T6CM1 3

g rn 1 XO1 PDS3 N

T6CM2 -

a

-4 3

o

LOSS OF 125 ESTABLISH ESTABL85H ESTABLISH PDS BN SEO. NO.

VDC BUS 1ED1 SECONDARY BLEED APO RECIRCULATK)N m COOLNG FEED COOLNG j' a

xx1 $$Gxx01 $8FXxC1 SRCXx01 id Y

u

, N M

%X1

- 2 u.

SRCxx01 PDS4 /px1CM1 sSGxxo1 O

, o u",

1BFxx01 Pos3 #xvw2 y E

d a

3

m

-_--. j' LOSS OF THE ESTABLISH ESTABLISH ESTABUSH PDS BN "lQ. NO. ;;

SAFETY SECCtOARY BLEED AND RECIRCULATICN w CHILLED COOLNG FEED COOUNG L WATER SYSTEM -u

%X2 SSGXXO1 $8FXXO1 $RCXXO1 b F

M R

a w w 1

%X2 j N 4 g

r E

,JRCXXO1 8.

SSGXXO1 N fx2W1 4

~

o r.n SBFXXO1 POS3 #x2Cu2 ya b

tT1 N

a.

d a

o J

LOSS OF ESTABLISH ESTABLISH ESTABLISH .05 BN SEQ. NO.

OFFSITE POWER SECONDARY BLEED & FEED. REC 1RCULATK)N

FEAT REMOVAL RECsRC, CONT

. COOLNG 2 E

%X3 $5GXXO1 $8FXXO1 $RCXXO1 g tJ

. .s E

C w E A

xx3 Ok o 3~

$RCXXO1 -

PDS4 gX3CM1 E

$SGXXO1 g 1BFXXO1 POS3

X M d

a r

m{3 YYea . E= % 7aha O

N 1 2

M M C C Q 4 4 E X x S # g N

B S 4 3 S S D D P

P O

P N

)

K HT 1 SA O I

LL X BU X 1 AC C O TR R X

$ X SIC C EE R R 1 n

T HF 1 St IF r

O L X X

B&

A F 1 O

T0 8 Y S $ X E1 t F

f 8 1

G

/ TH 1 S O X

L NW F X OLA G RE T S NV $

OE L C

_ 8 S

U B

F3 4 X

OA 1 %

S S

O 4 L

n

{

i 2!

9 LOSS OF CONTROL S/G ESTABLISH ESTABLISH PDS BN SEO. NO. 3 PROTECTON LEVEL WITH FEED APO RECIRCULATON w CHANNEL 1PC1 AFW BLEED ,"

a b

%XS $SCXXOI $8FXXO1 $RCXXO1 --

E o

OK T

w 2

_ b; xxs -

a s-

s SRCXXO1 PDS4 E sscxxo1 #CCM1 g serxxo1 PDS3 #x5cu2 03

. o

~

5 r

-l 8

o

Figure 3.1.2-10: Loss of Component Cooling Water System Event Tree

=

c N g a 8

+ n h

i 9

2 x eg i*

g 5 s

a h ht I at

$8 a i 1

a s i

th! .

$kb s,

1 i

3-46 l

3

. . . ~ . . -. .. . -

LOSS OF ESTABLISH ESTABLISH ESTABLISH PDS BIN SEO. NO. y STATION SECOtOARY BLEED AND RECtRCULATION SERvtCE WATER FEAT REMOVAL FEED E-3

%X7 $5GXXO1 $8FXXO1 $RCXXO1- $

b

C

=

v, u E A %X7 OK ~-

O L'

SRCXXOI 2 PDS4 #X7CM1 E SSGXXO1

M

~

$8FXxO1 PD"4 #X'7N n

a

-4 2

o i

s, r

- *28 .YY;3 E=o2b2 >W aa 42o O

N 1 2

W M Q C 8 8 E x x S g g h

B S 4 3 S S D , K D O P O P P N

O HTI I SA I

O X

LL BU X AC C TR R S1C EE R

HD 1 SN O LAD I

X B E X F 1 ADE EF 8 O TE SL $ X X

EB F 8

L A

HYV 1 SRO I

O LAM X X

BDE NR G 1 AO S 0 x

TCT $

SEA x ESE -

c 1 5 Rt FA O 8 x

SR ST x OS LM 8

X wA

EXCESSIVE ESTABLISH PDS BIN SEO. NO.

LOCA SAFETY INJECT ION & ACCUM.

FOR LBLOCA .n i3

%XL $SIXXO2 w l --

i

?

E C'

y PDS6 #XLCM1 [

2

%XL o 9 i sSixxO2 Poss #xtcus j' l' 9

a

LARGE BREAK ESTABLISH ESTABLISH FDS BN SEO. NO.

. LOCA SAFETY INJECT RECIRCULATION ION & ACCUM.

FOR LBLOCA I 4,1 c-7.A $SIXXO2 $LRCXO1 3

.w r

Y I..

r R

Y 2

$ m 8

TLRCXO1 POS6 %

%A #ACM1 r

' O O

y m

$SIXXO2 PDS5 #ACM2 h d

a 1

1 s

i i

t MEDG4 BREAK ESTABLISH ESTABLISH PDS ON SEO. NO. t LOCA (4 TO SAFETY RECRCULATION i 6")_[VF- < INJECTION. - l 200 PSIA] AND ACCUM_ ~

E /

m SSIXXO1 : $RCXXO1 y '

, ea m

2

I I

e JRCXXO1 POSS #MCM1 $.

a r-i h

SS1XXO1 l PDSS #G2 $

. a i-d 2 ,

i .

4 I

r h

-

1 --ra _ v - --. _. _ _ _ - - - -

b SMALL BREAK ESTABUSH ESTABUSH PDS BN SEO. NO.

LOCA (2-4") SAFtiY RECRCULATON gy

[VFP < 200 PSA] INJECTION FOR SBLOCA e i 7 L s G $9xXO3 SRCXXO1 .- i I._*

9 i OK @ i f

E !

Y ta w .t=,

M

$RCxx01 PDM #W1 k r

O c1 ssrxxo3 Post #scu2 7 n

I d i i

i 6

i 1

-4 w <- -- = -

I i

i 1

Figure 3.1.2.17: Very Small Dreak LOCA Event Tree i 11111 i i !b 3 5 h g-I 5 i 7 i 5 t

B ; 1 '

. ~

t i l ,, .

g,,I ds," l 1 !! a g, ,

3 53.

%c% r ,, --v. ge. m-e2, - - g ? t- 9-r w %pr'w y e e que w-m - -w- - . =-, -r -q~a y,$ -w+w, w r % ,e v ere e ry wwe pa'- .w +r eg e er - p+y.s,=,- , ws-g em ehw eye h we r +- w r-m-s e, =vymc*rw

Figure 3.1.2.18: Steam Generator Tube Rupture Event Tree k k i

i . 1.11 11 1

3, i

f,a ,

\

d ,

ilge I

{

t

, j k.

9 i

I 1 .

o .

54

l LOSS OF ESTABLtSH ESTABL;SH ESTABLISH CLASS SEQ. NO.

COBOENSER SECOrOARY FEED & BLEED RECRCULATCN VACUUM FEAT REMOVAL 2!

E

%CV $SGXXO1 $8FXXO1 $RCXXO1 3

w N

1

.o

{

=

2 .

Y n g %CV Ox g e.

O n

SSGXXO1 EUN i 2

e '

5

. $8WXO1 r:1 POS3 (CVCu2 g E

d 3

4

t 4

1 3.1.3 Soecial Event Trees Because of their unique progression of events, special event trees were developed for ATWS and Induced LOCA. A description of these event trees follows.

i i

INIH!CED LOCA OND)

(Event Trees are shown in Figures 3.1.3 2, 3.1.3 3, 3.1.3-4 and 3.1.3 5)

Dese event treu were developed to properly account for any transient condition that can result in an induced LOCA. Als includes LOCAs due to loss of cooling to the seals, overpressure transients caused by insufficient secondary heat removal, and pressure transients caused by ECCS injection without mass removal from the RCS.

1) Non-LOCA Transient ($NONLOCAINTl')

The non-LOCA transient is .ny plant transient that could lead to a LOCA, that is not already a LOCA. His is represented as an OR of all these initiating events.

2) SRV Opens on Pressure Transient and Falls to Close ($NLXX03)

His gate models the possibility of an induced LOCA through a Safety Relief Valve due to an SRV opening and failing to close. An SRV is expected to open only if there is a RCS pressure transient and both PORVs fail to open, The source of the pressure transient is inadequate secondary heat removal (as in a loss of Main Feedwater), or ECCS injection without a break (as in an MSLB).

3) PORV Opens on Pressure Transient and Falls to Close ($NLXX02)

His gate models the possibilityof an induced LOCA through a stuck open PORV. The pressure transient is as described above.

3-56 i

i

4) Seal LOCA due to loss of seal cooling ($NLXXO4) i The RCP seal injection flow is normally provided by either the positive displacement pump or a centrifugal charging pump. The PDp is cooled by the CC and the CCPs are cooled by the SW.

Thus, all of these pumps are considered unavailable following the loss of SW. Following the loss of seal injection and seal (thermal barrict) cooling, a LOCA develops through the RCP seals.

At this point, the probability of a seal LOCA is assumed to be I with no potential for recovery.

5) Establish Secoadary Heat Removal ($SGXX01)

His event is explicitly included in all of the other plant transients, but is used here to determine the size of the expected seal LOCA. If available, it allows the plant to remain cooled much longer, increasing the probability of having a large seal LOCA. If not available, the core is damaged earlier, resulting in a higher probability for a small break LOCA prior to core damage (Ref.14). This dir.:ernment was necessary for the back-end analysis, and this logic, as well as the split fractions for break size, came from the back end analysis.

6) Leak Size (LEAK SIZE)

Rese split fractions were assigned to give the split between large and small seal LOCAs (small and very small LOCAs) and are (as stated above) based on the back end analysis (Ref.14). The size of the seal LOCA binned the end-states into the proper size LOCA bin.

ANTICIPATED TRANSIENT WITHOUT SCRAM (ATWS) 1 (Event Trce is shown in Figure 3.1.5 2)

1) Transient Leads to or Requires Reactor Trip ($RTXX01 A1)

The accident mitigation systems modeled in the IPE are sized to cool the core at decay heat levels, in order to reduce thJ power generated in the core to decay heat levels, it is necessary l- to trip the reactor. This requirement is tied to initiating events that are expected to generate an 3 57 l

automatic reactor trip by ANDing $RTXX0l Al (TRANSIENT LEADS TO OR REQUIRES REACTOR TRIP). This gate is an OR of all initiating events except % A (LDLOCA).

De reactor is expected to trip automatically based on an ESFAS signal. Failure of this requires l that the operator manually trip the reactor from the control room. Failure of this Atep requires that the operator proceed with a combination of steps as dictated by FRS-0.1,

Response to ;

Nuclear Generation /ATWT." His combination includes reduction of steam flow (Turbine Trip or closure of the MSIVs), initiation of 900 gpm AF flow, and manual reactivhy insertion (control rods, emergency boration, or local reactor trip).

s Based on the Westinghouse analysis performed in WCAP-11993, the important systems to consider during an ATWS are a) Main Feedwater, b) Auxiliary Feedwater, and c) Pressurizer pressure relief systems. Addhionally, the time in core life must be considered. Success criteria used in this analysis are interpretations of the methodology described in this WCAP.

2) Reactor Protection System Falls (ATWS)

The first gate (ATWS) separates the Mechanical and Electrical trip failures.

Mechanical trip failure (RT4000)is the binding of a sufficient number of control rods assemblies such that the reactor is not shut down. An additional asrumption is that all rods fall partially, or several rods fall fully, such that sufficient negative reactivity is insened to prevent the RCS pressure excursion from reach ng 3200 if full AF lt available.

l Electrical failure consists of the failure of an automatic reactor trip for transients generating auto trips.

l i

l 3-58

i

3) Turbine Falls to Trip (STURBTRIP)

I Tripping of the main turbine is required in order to limit the amount of steam drawn off at nominal steam generator pressure. The resulting increase in steam pressure yields a j

corresponding increase in RCS temperature, giving negative reactivity feedback. This feedback j reduces reactor power, allowing the remaining feedwater to last longer. His faihire is due to ;

]

the failure of the equiptr.ent and falNio by the operator, as a recovery.

t

There are two sources of automatic turbine trip; a) Turbine trip on Reactor Tripped and b) Turbine trip on ATWS (AMSAC). The first one will be successful only on a mechanical rod l

binding ATWS, whereas, the second will be successful in both cases, provided its support systems are available. Additionally AMSAC is assumed to be independent of the ESFAS system as its inputs fall low (conservative). Also, the point estimate value chosen for the reliability of AMSAC equipment swamps any combination of ESFAS equipment that could be proposed.

3) Manual Reactor Trip ($RTXX01 A2A) i in the event of an electrical reactor trip failure, the first recovery action attempted is for the operator to trip the reactor using the handswitches located in the control room. These switches directly trip the reactor trip breakers without using the reactor protection logic equipment.

4) Main Feedwater System ($CF100) l l If main feedwater is available, an ATWS does not endanger the core, as heat removal is available. Main feedwater is available $1nce the isolation of main feedwater is based on the signal

" Reactor Tripped with Low Tn ." ne " Reactor Tripped' signal is present after a mechanical ATWS (both trip breakers are open), but the

Low T,,,* signal is not, as the reactor is still producing a large amount of power.

3-59

- . - - , . - _ . -= .. . . . . . - - _-- _- -

5) Full Auxiliary Feedwater (AF6000)

Failure of main feedwater requires full AF system capability in the event of a mechanical ATWS.

6) Failure due to h!RI, AF, PORY or Time in Life Combination ($nTXXO6) ,

After an electrical trip failure, core damage is assumed to occur if the RCS reaches 3:00 psia.

While the pressurization does not damage the core, the system is assumed to fait due to exceeding ,

the AShiE code class C rating of the RCS. This end state was assumed for simplicity (and was also chosen in WCAP-11993).

'ihe pressure excursion is a function of several parameters, of which the primary one is time.In core life. Time in life dictates a moderator temperature coefficient which provides feedback to shutdown the reactor during an ATWS. This event is therefore broken down by a matrix of events. One axis describes a combination of successful conditions including a)hianual Rod insertion (hiRI), b) Full AF Flow (FAFW), and c)llalf AF Flow (liAFW). The other axis is the number of PORV unavailable (blocked or failed). The values cited in the table are the number of days in the cycle in which the number of PORVs available is not sufficient to prevent the RCS pressure excursion from reaching 3200 psia.

Table 3.1.21: ATWS PORV Failure Days 0 PORVs 1PORY 2 PORVs Blocked Blocked Blocked l

With hiRI, FAFW 0.0 0.0 76.3 With MRI, HAFW 0.0 18.9 82.6 W/O MRI,FAFW 81.7 138.9 192.9 W/O hiRI, MFW 110.7 154.8 209.1 This information was calculated for an 18 month cycle, While CPSES is currently using a 12 l month core for cycles 1 and 2, it is planned to use an 18 month core from cycle 3 on.

Additionally, if a table were generated for a 12 month cycle, all of the numbers would reduce nonlinerly. It is therefore conservative to generate ratios from this table and apply them to a 12 month core (as well as the future 18 month core).

3 60

Using $17 at power dap in an 18 month cycle (assumes I month for refueling) yields the following table, where the table value is (l e frn;; ion of the cycle where the pressure relief capacity is insufficierit.

Table 3.1.2 2: ATWS PORV Failute Fraction 0PORVs 1PORY 2 PORVs 13 locked Blocked Blocked With MRI, FAFW 0.0 0.0 0.147 With MRt. HAFW 0.0 0.0366 0.160 W/O MRI, FAFW 0.158 0.269 0.373 W/O MRI, il AFW 0.214 0.299 0.404 3-61 1

After reviewing the above table, the event tree below was developed:

Figure 3.1.31: ATWS Success Tree

- 5 rnAcTm cr uuam am 'AMs"v,or y

urAvca*at ca. ASS Arw Arn Aac 'E"TCH caewe 1er Avaan.t

, y ese PtavS #

y a

v w

cK ltris rAa.

w (trt? FAL mi " w ltrie rAa.

& w lttto rat w m

" w a Itris rat

w Itrie rat en

' w

-krte ra mt " a (LCTi1 r 4A.

<v alrTU rat w> r sau

7) Long Term Shutdown ($LTSBORON) ne reactor is required to be shutdown in order to prevent imminent damage. his -is accomplished by borating. Boration is attained by either emergency boration, or rafety injection.

342 l

. . . , . - . - - , . . , . , , - - ,, - . . , ,~ ,---.-

8) Local Manual Trip (RT2000)

An additionas method available to shutdown the reactor after an e'ectrical trip is to locally trip the reactor et the reactor trip breakers.

An end state labeled "> INIT" indicates that the plant is shutdown, and the accident propagates to the initiating event tree that is being analyzed. The "> lNIT" paths on this event tree are the result of successful terminations of the criticality state. If transferred to the initiating transient (e.g., %Tl) event tree, it results in the same results (as %Tl) with two differences:

The * > lNIT" initiators (f.Tl for exarnple) is lower in frequency (than %T1 itself) because it includes failure of RPS (RT3000 or RT4000) and others.

There may be some dependencies (success and failure) resulting from AFU)09 and $LTSIlORON.

These paths were not modeled because they are enveloped by the initiators themsehes.

His modeling is not formal . eequired because the original tree was made assuming that the reactor is tripped, his success path <<n this tree results in an entry into the original tree with a factor of slightly less than one, since some of tho events resulted in a core damage due to ATWS. This success .

probability is not credited, i l 3-63 i l

- _ . .--..--~ - . ._ _ - - . . . . - . - . ~ . . . . . . _ . . - . _ . . _ - .

i Figure 3.1.3 2: Transient induced LOCA Event Tree j l11 kit i

t , 1111l1 1 1 1 1 1 ;

bh b , -

-i w

a t

I a g3 -Q Me $

lil l :

lit 1 ig :

i 1 i

5}f b 1 1 3-64 '

+ ww - -sv $ v- v ws- w eye www,*+, -w w w-

v. +,w_ = <w,w , w . o r -y-- y ----~,,v-,-,>,,,,- .-r-w---r,.-e-+, y~,e-w .w*< -, w e 9--ry 3 +4y -y y e v. -w,# 9 i sive--ew *e .** *w y* w y + , w y w y y e*m

1 I

I l

Figure 3.l.3 3: Induced Small Seal LOCA Event Tree i

j i i 11111 !

1 1

2 {

g s i a EEiie i

1 4 P e

i x ..

g 1 .

i

h i

1

ti J

i ,

h Est I 3

f 311M 2 a 4 i

5 +

bs !

fl g Bg r

a l

d ;

11 t

s. s 3-65 i

. - - - . . ~ . _ _ _ . . _ _ _ . - - _ . _ . _ . . . , , , _ , , _ . . . . . . . . . , . . , _ . _ . . . . _ _ . . , _ . ~ _ . _ . , _ - - , , . , , , . , . . . . - , . _ _ , , - _ , , _ , , _ . , _ . . - . .

l l

i NDUCED LOCA ESTABLISH ESTABLISH PDS BN SEO. NO.

l O.6-2" [LARGE SAFETY RECRCULATION -n SEAL LOCA OR NJECTION FOR trT 4

STUCK OPEN PORV] SOLOCA E o

i ILOCA2 $53XXO3 SRCXXO1 F Y

w I

~

.L.

F .

OK &

n ,

w 2.

b t-O SRCXXOI O A2 N2 WM1 i o

o iJ*

t SSIXx03 PDS1 m

ISCM2 4 ;

a '

Y

2 1

I I

1 l

t INDUCED LOCA ESTABLISH ESTABLISH PDS BN SEO. NO.

>2" .~ STUCK SAFETY RECIRCULATION OPE 4 SRV] INJECTION, AND ACCUM. 5 :

ILOCA3 $SIXXO1 $RCXXO1 ,

w r

w OK E.

F, w

2.

b r TRCXXO1 O

ILOCA3 __

POS6 #:MCM1 9 i V J u, M

sSixxo1 Poss #uCu2 [

i .

a 4

h i

t 4

4 L

4 l

4 Figure 3.1.3.e ATWS Event Tree i

e t 11.1 i 111 '

l lilillfillIIIII ,

i '

.$}.-

. .. . 4 t

a Y !

a I 1

). .

i

} a i ,

i's q { \

i i l

\M

t

li 3-68

--. ~,m.. - - , - --w,, ,,,,,--.,-,,g..w,,,.e m ,,,,,,,m-,. p ey., ,v,,, ,. , , .w,uv-y + -.m,-.r,--ergo, -., m..-,- . , , . ~

i l

1 j 3.1.4 Syroort System Event Treu !

I i

The method used at CPSES is the Small Event Tree, Large Pault Tree, in this method, the support

) systems are embedded in the system fault tree models. Derefore, no system event trees have been developed.

! 3.1.5 Seouence Groupipe and Dack-end Interface j Groups of possible core darnage tecident sequence and end states were classified into Plant Dainage State (PDS) bins based on similar characteristics with respect to accident progression and containtnent response.

llinning of core damage accident sequence and end-states into several PDS bins is based on the accident conditions characteristics. Rose characteristics are divided into speelne attributes such as type of i accident initiating event (e.g. Transients, LOCAs, Support System Failures...), core damage states (e.g.

timing of core damage, RCS pressure...), and containment states (containment pressure boundary and safeguards systems). Sequences having the same attributes progress similarly and therefore can be examined under a single containment event tree (CET). A brief description of the specl0c attributes is f provided below.

CORE DAMAGE STNTES:

Core Damate Timing The time of core damage determines the decay power lew and directly affects the rate of core damage and energy loads to the containment. It also affects the cor'*equence assessment, i.e. the time of release of Ossion products to the environment. For the purpose of characterizing the time of release and potential offsite consequences, three time periods (attributes) are considered:

Early: Within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months from the time of shutdown.

Delayed: Within 2 to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

Late: Later than 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

3-69

_ .:_. __ ._. _ -. _ ._ . . . . . _ ,_ _, _ __ ._ .,_.m

RCS Pressuts

%e pressure of the RCS at time of core damage affects the phenomenological events that can lead to containment challenges.

lew: 1.ess than 200 psia.

Medium: Pressures between 200 and 2000 psia.

! lilgh: These are pressure levels near the RCS operating pressure.

i 1

CONTAINMENT STATES

Containment Pressure Boundary Status The containment status at the time of core damage affects the fission product release timing. The t'iree

cases considered are

Intact: Normal comainment leakage (0.1 % volume / day)

Un isolated: An air-to air penetration is open.

Ilypassed: The core damage release bypasses the containment as in a Steam Generator Tube Rupture sequence resulting in core damage or a V sequence.

Containment Sgfecuards System Status:

Containment Sorays This provides substantial fission product control can preclude containment failure if operating in the recirculation mode. The conditions considered are:

sprays operate in the injection mode, sprays inject successfully but fait during recirculation, and sprays are failed.

Fan-Coolers Credit was not taken for Fan Coolers as they are normally shed on Safety injection signal actuation and require an operator action that is not proceduralized to store them.

l 3-70

-. _ . ~ - _ _ _ _ _ _ _ _ . _ .

l PLANT DAMAGE STA'lCS:

For CPSES, there are various plant damage states that represes.ts the possible core damage accident sequence end statea modeled by the functional event trees (Section 3.1.2). Dese plant damage states present the front <nd analysis results in a manageable form, passing on sufficient information about each core damage accident sequence end t. tate to permit meanirgful analysis of the containment response. A detailed discussion of the core damage bira and plant damage states will be included in Section 4.3.

The accident sequence event trees for all the initiating everts will eventually lead to a defined end state, either a stable plant condition or one of the PDS bins previcusly defined. Because accident progression and the possibility of containment failure depend on the availability of safeguards equiprnent (i.e., fan coolers and containment spray), each of the PDS bins was assigned an associated containment safeguards bin. The end states and bins that were used in the analysis are summarized below.

Stable Plant Condition his end-state is attained when the plant is in a stable condition and the reactor operators have the capability of maintaining control. ne plant may be in hot standby, hot shutdown, or cold shutdown conditions.

PDSBin Each end state of the event trees was systemically correlated such ths.1 the core damage states end up in a specific Plant Damage State (PDS) Din. Table 3.1.51 provides a brief description of the various PDS.

Containment Safecuards Bin Each end-state was further divided based upon the availability of containment spray.

Table 3.1.5 2 provides the three containment safeguards bin definitions.

In summary, the PDS provide a means to group various combinations of initiating events, core damage states, containment safeguard states and accident progression characteristics that are expected to lead to j- similar outcomes (i.e. they are subject to similar uncertainties and thus can be examined under a single Containment Event Tree). Table 3.1.5 3 provides a matrix of core damage accident sequence frequencies 3 71 ,

1 1

_ - , . - --- ~m- - . _ . , . _ . , _ , . ~ . . - . . . . . . . . , . . . . . - , - _ . ._. _ _ ..-....._ - ,_.

vs. PDS bins, and is used to transfer the results of the front-end Accident Sequence Analysis to the back-end Containment Performsnce Anal) sis. The mauit defines the various combinations of Plant Damage States and Containment Safeguards Dins and their contribution to core damage frequency from each accident sequence.

Table 3.1.51: Sequence Characteristics of Cofe Damage Bins Pt. ANT si.QUENCE CHARACrER!sTics

DAMAoE STATLS 1 Reutor Coolant System (RCs) bnuh with propure and leakage rotes anaociated with small4reak 1.OCAs. with early damage to core.

2 RCs breach with prepure and leakage retes associated with small-bruk t.OCAa, with late darnage to core.

3 High RCs pnosure taakage estes asenciated with boildt of the reactor coolant through cycling prusurirAt relief ta}Ve8. with Carly damage to Core.

4 High RCs pressure and leakage rates aseostated with boiloftof the coolant through cycling relief valves, with late damage to core.

5 Large estes of lokage from tlee RCs tad low pruaures anacciated w6th large bruk LOCAs and failure of coolars irdection, naultirq la early damage to core.

6 Large bruk 1.OCA conditions, w!:h failure of conlant recirculation and delayed damage to core.

ECB Bypene sequences (3= I irnerfacing LOCA, g=2 soTR, g = 3 Cl failure) with failure of coolant make up.

3sBO station Blukout sequence (ot similar equipment feitures), early core damage.

asBo station Blukoui quence. cor aimaar .quipmeni fatturui. i.ie un dam.go.

8 f.arly core damage occurs within about 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months from the time of shutdown and is associated with ECCS failure to inject for LOCAs or loss of all AF for transients. Delayed is within 2 to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Late is more than 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and is associated with ECCS failure at recirculation or loss of the TDAFW after 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

8 RCS pressure is determined at the time of vessel breach. Three levels are defmed: High for pressures above 2000 psia, Low for pressures below which debris dispersal is not an issue (200 psig) and Moderate for pressures in between high and low.

x s

3 72 l

_a

. . . . .z.. .. .. .. .

.. - . _ _ _ . . _ - J

i Table 3.1.5 2: Sequence Characteristics of Containment Safeguards Bins J

CONTAINMENT 3ATEGUARD FAN COO 11R$ CONTAINMERr 5MLAY l BW E railed Irdecdon cudy F leiled trsection and recircut.uon u r.ited reaed 1- Ole 3.1.5 3 which follows, the columns are PDS bins, with the first rSaracter defining core damage i bins and the second character defining containment spray states.

P i

) i e

i f

n I

3 73 .

f.

/

-,,.%,.- . . - ,, v. . . - . . . ,, ,,,-n .,.y...-,,..,,_..,.,

.,,,,,,#,.,% ,4 , , . . . - , , . . . .%-,, , ,.,,,%,_y.,,,g,m..,,,,y,,yt.y,, ,, ,

Table 3.L5 3: Sequence PDS Frequencies in i. 2,. u a m x l, .o m = >i * ;. -~x.-w. '

84C YW l Ik ap LleM Ed. 60 $ 11Y1[L[4 e4cul .: t.$ s obt a ObieTE 9"Tisi i estCui 4zu t si e S.ibi2 2,6 TIM 2 1Ji4 ~T6bi2 1,*E4 ertCus i 4L4 sasa0 te4G EdiNe f 4I(Ml EkYbee 1904 1.28, 10 194 4 EIl(Mf

41CW8 grEsil . _

l.404 1. 5 32 1.lig e 7ww2 22, ni4 _ _ _

own ti sa stWCW 4 1,1 $4 1.44 1 41-, 11 l 4L77 alwCu2 ew? e7 4 t able e_vi~i

LKM t leb? Sibt 4. 4 41 1$ED 8LkM2 1.2bl lobe S&A 444.9 skii542X1 ELUITk i

evuM. 2 AyacM) 836 7

~ ~

~ ~'

38641 U4E i sTlgw e 6064 4 8 0..? 3 64 ie t er44 M5 $OG7 i 2f',40 $ D:0i avKW. i .w , 4 3bn i sp LMi 96, s wie . >.c,

.wCw2 .:o un ut. .m.

= cui seu ima 2

mms s4e s ees e 89(we 9 6L 4 9 del 4 EIM3 ACMI PCM2 2.8E4 1.14. 4 ) 4 80 0 9L4 M 8.47 4 $bil I 910 7 filCMI 1904 9 abt! 3 tif 4 ff ICW2 2264 84010 llet 4 ft1W1 ffKW2

[f Ni sign 2 4ab4 1.18-lI 4.)Ed. 8 FitLM B l II4

~ 18612 l .14L 4 ff EM2 647 14b7 ~ 10E.10 t iiet h WsCui fvacu2 n.s s ut.4 e.wie ).tG W3CM) w- -

WMwe 3004 4.57 4.E10 e idea WKMJ WRW6 AICMI lab 9 31 y ' I Al&4 HICW2 447 349 1M.40 8.0iEd oxMi -

un m,

10 4 ,

5"x52 1 46-9; 3.11 4 9.SD12 39964

'f7A KMi

axM2 ~

(

i 1SL4 -

' 6lbt? ~TE5 i .it s s at a 716 to i.92.a n*Mi

~

A=CM2 ube Ein uebe 2.16 4

$.E12 184fM 51NI ~

RSCW2 2.21' 4 S.3012 117%A NWMt MdCM2 I47

~ Lible 46101 A1041

31LM2 2.47 7.lE %l 19M AKM4 ASCW2 M14114

- E%7 6 lbil 3.emb1 at1M2

~

Tant 1.303 1.a6 414E1 1. i,4 1.~t E4 $ 864{t.154 !4 aE4 ug) ' 7 0011e at:A

~

v.44 3 ab7.1 E7 OL$ 959 6.261 4 alt 5 344

3.2 System Analy313 nis section provides information related to plant systems, hardware and equipment, and system i dependencies that are important to the systems analysis. A description and sitnplified drawings for each I

of the front line and support systems that were considered in the study is provided, ne method usal to determine the unavailability of plant systems is discussed. It includes a discussion of unavailability {

considerations for standby and operating equipment and for equipment in test and maintenance, ne functional interdependencies among the various systems is discussed and a dependency matrix for all the front line and support systerrs is provided. His information forms the basis fer the development of the system fault trees used in the analysis. He details of the development and use of the system information and support system interfaces are included in the individual system notelmks.

3.2.1 System Descrintions This section provides descriptions and simplified drawings for each of the front-line and support systems that were considered in the IpE. Each system description includes a discussion of the functions of the system and the relationship of the various sub-systems in fulfillir.g these functions, maintenance and surveillance activities performed on the system, system actuation signals, principal operator interfaces and sp.em success criteria. The acronyms used in the system descriptions are the same as those used in the systems basic events files.

3.2.11 Comnonent Cooling Water System l

System Description

ne simplified diagram of the Component Cooling Water (CC) system is shown in Figure 3.2.1.1, ne system consists of two separate, independent, and full capacity pump trains. . Each pump train supplies cooling to an associated safeguards loop which services safety related components. Each safeguards loop contains a pump, a heat exchanger cooled by SW, associated piping, valves, and instruments, ne non-l safeguards loop services non-safety related components and is supplied by either safeguards loop.

3 75 r.- - _ - - , . . . , - - - , , - - . - . -. . - , . - . . - . . . . - - . - _ -

ne CC pumps are powered from separate Class IE 6.9kV buses. Each pump room is equipped with an associated room cooler unit to ensure that the ambient pump room temperature remains within the equipment qualification limits. The room cooler units are powered by Class IE 480V MCCs and are supplied chilled water by the Cil system. The pump seals and bearings are self-cooled. Pump miniflow protection is provided by pneumatically operated, fall closed valve 1 FV 4536/4537. He mlniflow valves are automatically closed by an "S" signal. Technical specifications require the pumps to be tested quarterly; however, the test does not disable the pump.

Surge tank CPI CCATST-01 is provided to accommodate system expansion or contraction. Makeup to the tank is supplied automatically by the Reactor Makeup Water or Demineralized Water systems. The tank 15 separated into two train related compartments that are connected via Independent surge lines to their associated CC cump suction lines.

A normally clo. ar <ss tle line connects the trains at the pump discharge and at the discharge of the Unit I heat exchangers. Each line has a piping connection that allows the Unit I and Unit 2 systems to be cross-tied, in additir.n, a third cross tie line exists between the Unit 1 Train D pump suction and the Unit 2 Train A pump suction.

The safeguards loops connect to the non safeguards loop via the pump suction and heat exchanger discharge cross tie lines. Each cross tie line contains two normally open motor-operated valves. Flow is delivered to the non-safeguards loop by safeguards loop A/B via motor-operated valve 1 HV-4514/4515 and is then returned to its respctive pump suction lint, via motor operated valve 1 ilV-4512/4513. The four cross-tie valves are automatically closed by a "P" signal or a low level signal from the CC surge tank. Stroke testing of the valves is completed quarterly. In addition, the valves are isolated during quarterly ESFAS slave relay actuation testing. The non-safeguards loop motor-operated isolation valves (1 ilV 4524,4525,4526,4527) are also automatically closed b) a "P" signal.

During normal operation, one CC pump will be la service supplying both safeguard loops and the non-safeguards loop. The other CC pump is placed in standby The pumps are operated on a bi weekly

, rotation schedule. The system la designed such that one CC pump can provide adequate cooling to all normal system loads (non safeguards and both safeguards). The pumps are started by any of the following signals:

4 3 76

Low discharge pressure in the opposite train

*S* signal

BOS "

Low discharge pressure in the opposite SW train ne possibility oflatent human error is introduced following testing or maintenance of the standby pump train and the motor-operated cross-tie valves. Manual operator actuation of the standby train may be ,

regtDed for certain accident sequences in which the pump is not automatically started.

De se. ess criteria for me tc cystem is that of providing adequate coollr;g to the following components pertinent to the IPE study:

Safecuards bon

CT pump seal cooler (2 per loop)

Ril pump seal cooler

Rif heat exchanger '

CT heat exchanger

Cil chiller unit condenser a UPS air coaditioning condenser Non-safemiards loon

PDP bearing oil cooler

RCP bearing oil, motor air, and thermal barrier coolers Instrument Air compressor package (2 per unit)

Loss of flow to the non-safeguards loop or loss of all CC tiow necessitates a manual reactor trip bince the RCPs would be without u.aor er bearing cooling, l

3-77

3.2.12 Auxillerv Feeduter S'.c.em

System Description

ne simpil0ed diagrarn of the Auxiliary Feedwat* (AF) system is shown in Figure 3.2.1.2. De AF system consists of three independent pump trains wat take suction from the Condensate Storage Tank (CST) and deliver 00w to the steam generators. An emergency water source is available through a cross-tie with the Service Water system. Two of the trains consist of independent branches utilizing motor-driven pumps. He Altd train consists of one independent branch utilizing one turbine-drwen pump. I Each train contains a pump, valves, piping, a power supply, and controls. He pump seals and bearings are self-cooled. Failure of the AF system does not result in an initiating event.

Both hiotor Driven Auxiliary Fe:Jwater Pumps (h1DAFWPs) take suction from the CST via a common suction line that contains normally locked open manual valve I AF 007. Downstream of this valve, the suction line branches and directs flow to the two separate pump trains. The design flow rate of each pump is 570 gpm at 1200 psid. Each of the htDAFWPs normally feed' two steam generators, llowever, a normally closed interconnection between the pump discharge lines permits the operator to direct flow to any combination of steam generators, hiotor driven pump Col AFAPhiD 01 normally supplies steam generators 1 and 2. hiotor-driven pump CPI AFAPhlD-02 normally supplies steam generators 3 and

4. De pumps are powered from separate Class IE 6.9kV buses. Each pump room is equipped with an associated room cooler unit to ensure that the ambient pump room temperature remains wiQin the equipment qualification limits. The room cooler units are powered by Class IE 480V h1CCs and are supplied chilled water by the Cli system. Both hiDAFWPs are actuated by any of the following signals:

Two out of four low-low level signals from any one steam generator Trip of both f.tain Feedwater Pumps as sensed by low hydraulle pressure

Anticipated Transient Without Scram (ATWS) signal as sensed by AhtSAC e 'BOS"

. 'S' signal The Ttnine Driven Auxiliary Feedwater Pump (CPI-AFAPTD-01) takes suction from the CST through a separate suction line. The pump discharges into individual lines feeding each of the four steam I

3 78

. -,e _ _ . .. _ __ . _ _ . ._ _ ._ __ -_ _ _ . .

generators. The design flo v rate for the turbine 4 riven pump is 1145 gpm at 120" nsid. De turbine is powered by steam from steam generators No I and No. 4. The steam is s , plist to r1 e turbine-driver by two independent steam lines. Each steam supply line is provided with ar. halt.on valve (IMS-144/137) and a check valve (IMS 143/142) to provide redundancy in the event of a MSLB. Each line contains a normally closed, pneumatically operated, fail-open, supply valve (1 liv-2452 1/2). Both steam supply valves open automatically upon receipt of any of the following signals:

Two out of four low-low level signals from any two steam generators

"BOS"

ATWS signal The slave relays that actuate the steam supply valves are testM quarterly. Steam to the supply valve is isolated during the testing of its associated slave relay thereby, causing the TDAFWP to be inoperable

=

per technical specification definition.

Technical specifications require the AF pumps to be tested monthly on a staggered basis. During the test, the pump is unavailable because the normai pump diseharge Dowpath is isolatM and the pump recirculates water back to the CST via the normally closed test path. Each pump is provided with a miniflow line containing an orifice that limits the flow to 100 gpm per line.

He normally open, pneumatically operated, fail-open, flow control valves are equipped with safety related air accumulators that allow the valves to be regulatui after a loss of instrument air. The MDAFWP control valves differ from the TDAFWP control valves in that they are automatically driven to a full open position on a MDAFWP actuation signal.

Flow limiting orifices are provided downstream of each flow con:rol valve to limit the amount of flow that can discharge from a faulted loop. De orifices in the MDAFWP lines are sized to limit flow to 700 gpm per loop; wnueas, the orifices in the TDAFWP lines are sized to limit flow to 680 gpm per loop.

Normally open mc ,>,.* 6, valves are provided for isolation of a faulted loop or steam generator and for containment isoir .o ,

3-79 N 45'7h w m m ~

Operability testing of the Dow control valves and isolation valves is performed concurrently on a quarterly basis. The MDAFWP valves are tested independently from the TDAFWP valves. The instrument air check valves that supply each Cow control valve are also tested. All eight AF isolation valves are stroked during TDAFWP isolation valve testing since each control room isolation valve handswitch operates both steam generator supply line <alves, f

Each steam generator is equipped with a normally open three inch diameter blowdown line that is isolated n AF actuation. A maximum blowdown rate of 17,400 lb/hr is maintained during normal operating f

conditions. Each line contains a containment isolation valve, blowdown flow equalizing valve, and blowdown isolation valve. Each of these valves is a pneumatically operated, fail-closed valve Both the containment isolation valve and blowdown isolation valve receive isolation signals on AF actuation.

4 The possibility of latent human error is introduced following testing or maintenance of the pumps, flow control valves, or isolation valves, The following operator actions are required to maintain TDAFWP operation:

j Subsequent to AF actuation, the operator must throttle the control valves to prevent

. overfill and subsequent damage to the TDAFWP turbine driver.

Following an SGTR, the operator must isolate the TDAFWP steam supply valve from the faulted steam generator (which was assumed to be steam generator No.1) to prevent slug flow from reaching the pump turbine.

4 0 ' followitr AF system functions and their corresponding success criteria are modeled in the accident

, tac ence analysis and the fault tree mode!s:

Provide 300 gpm to the steam generators Success is defined as operation of at least one AF pump delivering flow to at least one steam generator.

3-80

Piovide 860 gpm to the steam generators Success is defined as operation of both MDAFWPs delivering flow to at least one -

of their respective steam generators or operation of the TD AFWP delivering flow to at least two steam generators.

Provide full AF flow to the steam generators Success is defined as operation of all 3 AF pumps with the MDAFWPs a

delivering flow to at least one of their respective steam generators and the TDAFWP delivering flow to at least two steam generators.

i 3.2.13 Reddual Heat Removal System

System Description

The simplified diagram of the Residual Heat Removal (RH) system i, thown in Figure 3.2.L3. The RH

,1 system consists of two separate, independent, and full capacity trains, Each train contains a pump, a heat exchanger, associated piping, valves, and instruments.

The RH system supports the following operating modes:

Shutdown Decay Heat Removal (SDHR)

Low Pressure Safety injection (LPSI)

Low Pressure Recirculation (LPR)

High Pressure Recirculation (HPR)

During the SDHR function, each RH pump takes suction from a separate RC hot leg via two motor-operated valves in series. Motor-driven train A pump TBX-RHAPRH-01 takes suction from hot leg i via 18701A and 1-8702A. Motor-driven train B pump TBX-RHAPRH-02 takes suction from hot leg 4 via 1-8701B and 1-8702B. Failure of either set of hot leg isolation valves to remain closed during normal operation induces an interfacing systems LXA initiating event. The hot leg isolation valves have 3-81

special provisions that allow their power supplies to be switched from their normal supply to the alternate train. This capability allows for emergency RC cooling in the presence of an electrical train failure.

Each pump suction line is also connected to the Refueling Water Storage Tank (RWST) via normally open motor-operated valve 1-8812A,0. The RWST supplies borated water to the RH pumps for the LPSI function. The RH system shares the RWST with the SI, CS, and CT systems. In addition, the RH, SI, and CT systems share RWST isolation valve 1S1-047.

f Following depletion of the RWST, the suction of each R.H pump is realigned to its respective containment sump for the LPR and HPR functions. The RH and CT systems share the two containment sumps. Each ,

have their own suction piping and isolation valves from the sump. The pumps take suction from their respective containment sump via normally closed motor-operated valve 1-8811 A/B. The valves open automatically upon receipt of an "S" signal coincident with a RWST 10-10 level signal. An auto-swap Si reset switch is provided on the main control board to prevent a spurious automatic switchover. The operators are expected to use this reset feature during a prolonged High Pressure Safety Injection (HPSI) phase, thereby, requiring manual operation of the sump isolation valves when switching over to HPR.

Manual sump valve operation is precluded by an interlocking circuit that requires the other RH p imp suction valves to be closed.

He design flow rate of each RH pump is 3800 gpm at 150 psid. The pumps are powered from separate Class IE 6.9kV buses. Each pump room is equipped with an associated room cooler unit to ensure that the ambient pump room temperature remains within the equipment qualification limits. He room cooler units are powered by Class IE 480V MCCs and are supplied chilled water by the CH system. RH pump miniflow protection is provided by motor-operated miniflow stop valve 1-FCV-610/611. These normally open valves are required to automatically open and close to maintain pump flow above the minimum value. The pump requires miniflow protection because for several modes of operation, it is possible to have no net system flow (such as LPSI with high RC pressure). De pump seals are cooled by the CC system; the pump bearings are self-cooled. The RH pumps are automatically actuated by an *S" signal.

Techn! cal specifications require the RH pumps to be flow tested quart'erly. Prior to the flow test, the pumps are disabled when the minitlow valves are stroke tested. During the test, RH flow is recirculated back to the RWST via normally closed motor-operated test valve 1-8890A/B. The RH pumps remain 342

operable during this test because the 3/4" test line does not divert enough flow to cause the pump to be considered inoperable. Stroke testing of RWST suction isolation vrIves 1-8312A,B is also completed quarterly.

Each pump discharges to its respective heat exchanger which is cooled by CC through the shell side. The heat exchanger CC motor-operated isolation valves open partially (approximately 40% of CC design flow)

, upon receipt of an "S" signal and open fully on a "P" signal. An analysis was completed which concluded that during the LPSI mode, the RH pumps can operate in miniflow without CC to the heat exchanger for two hours.

The piping that connects the RH pumps to the suction of the pumps used for HPR is located downstream of the heat exchanger. Train A pump TBX RH APRH-01 delivers flow to the suction of the CCPs. Train B pump TBX-RHAPRH-02 delivers flow to the suction of the SIPS. A cross connect allows either pump to supply flow to both the SIPS and SCPs.

The heat exchanger flow control valve (1-HCV-606/607) is provided to allow the operator to control the RC cooldown rate. The pneumatically operated, fail-open valve is not required during an emergency cooldown because it is acceptable to cooldown the RC at a higher rate. The heat exchanger bypass control valve (1-FCV-618/619) is provided to automatically maintain the total RH flew when the operator is controlling the RC cooldown rate with the heat exchanger flow control valves. This pneumatically operated, fail-closed valve is also not required during emergency cooldown.

Upon discharge from the heat exchanger control valve, flow in each train is routed to two RC cold legs via motor-operated injection isolation valve I-8809A/B. Train A pump TBX-RH APRH-01 delivers flow to cold legs I and 2. Train B pump TBX-RHAPRH-02 delivers flow to cold legs 3 and 4. The pump discharges are connected via across tie, Each of the cold leg injection hnes contains redundant check valves. 'Ihe Rii and SI systems share the downstream check valve in each cold leg injection line.

The RH pump discharge lines are cross tied via normally open isolation valves 1-8716A,B. This cross-tic line connects the RH pumps 'a the hot leg injectios header via the normally closed motor-operated isolation valve 1-8840. Inside containment the line branches into two lines which connect to RC hot legs -

3-83

_ , . ~ , , - . _ - - _ , . ,

2 and 3. Each of the hot leg injection lines contains redundant check valves. De RH and SI systems

share the downstream check valve in each of these two hot leg injection lines.

He possibility of latent human error is introduced following testing or maintenance of the pumps and-mo;or-operated valves. The following operator actions are required to align the system for the cold leg and hot leg recirculation functions:

During the transfer to cold leg recirculation, the operator is required to close cross-tie isolation valves 1-8716A,B to comply with single failure criterion. For the HPR function, the operator must also manually align the suction of the RH pumps to the-containment sumps by closing RWST suction isolation valves 18812A,B and then opening sump isolation valves 1-8811 A,B.

During the transfer to hot leg recirculation, the operator is required to close cold leg isolation valves 1-8809A,B, open cross-tie isolation valves 1-8716A,B, and open hot leg isolation valve 18840.

The following RH system functions and their corresponding success criteria are modeled in the accident sequence analysis and the fault tree models:

Provide flow to the RC cold legs during LPSI Success is defined as operation of at least one RH pump train delivering flow to at least one RC cold leg.

Provide flow to the RC cold legs during LPR Success is defined as operation of at least one RH pump train delivering flow to at least one RC cold leg.

Provide flow to the RC hot legs during LPR Success is defined as ope ation of at least one RH pump train delivering flow to at least one RC hot leg.

I 3-84

, , e..w..- _ , .y, .. .,.._4 .,,_,,,g

.-, -.,. , , , , , _7m,

l l

Provide flow to the suction of the CCPs and SIPS during HPR Success is defined as operation of at least one RH pump train delivering flow to the suction of the CCPs or SIPS.

3.2.14 Station Service Water System

System Description

The simplified diagram of the Station Service Water (SW) system is shown in Figure 3.2.1.4. De system contains two separate, independent, and full capacity trains. Each train contains a pump, associated piping, valves, and instrumentation. The SW pump suction supply for both units is provided by the Safe Shutdown impoundment (SSI). A screen wash system, common to both units, is provided to ensure that debris that may be present in the SSI does not reach the suction of the SW pumps. The screen wash system consists of two independent screen wash trains that contain a pump, spray valve, and traveling screen.

The SW pumps are powered from separate Class IE 6.9kV buses. The SW pump seals are self-cooled.

The SW pump bearings are lubricated and cooled by service water taken from the pump discharge line.

This line also provides water to the upper motor bearing cooler. Prior to entering the bearings, flow is filtered through two series-parallel strainer sets containing four y-type strainers per set. Flow to the upper motor bearing cooler is provided at the discharge of the first strainer set, if an on-line strainer (s) becomes clogged, flow can be manually switched to the redundant parallel strainer set. The SW system is designed such that miniflow protection is not required for operation of the SW pumps. Technical specifications require the SW pumps and discharge motor-operated valves to be operability tested -

quarterly. For the duration of the discharge valve testing, the SW pump remains disabled.

All four SW pumps (Unit I and 2) are located in the Service Water Intake Structure (SWIS). The SWIS ventilation system ensures that the ambient temperature of the structure remains within the equipment qualification limits. The system consists of eight wall mounted propeller exhaust fans subdivided into four trains of two. Each train is powered by an independent Class lE 480V MCC. Each train is l

3 85

thermostatically controlled by a switch which actuates the fans on high area temperature. One train per unit is capable of removing the heat produced by four operating SW pumps.

Each unit has a cross-tie path that connects the SW pump discharge lines. Each cross tie is isolated by two normally closed redundant manual valves. The two cross-tie paths are connected via a section of

piping that contains normally locked-closed manual valve XSW-0006. The cross-tie connection is made between the two redundant isolation valves. This feature enables either train in one unit to be connected 1 to either train in the other unit.

The screen wash system is actuated by high differential level across the traveling screens or by a timed wash signal every four hours. Pneumatically operated, fail-open, spray valve X-LV-4288/4289 opens upon receipt of an actuation signal. Once the spray valve is fully open, its associated screen wash pump starts and pressurizes the spray header. When the traveling screen setpoint is reached, its associated motor will start and rotate the screen for a minimum of 2.5 revolutions, The pumps and traveling screens are powered by associated Class IE 480V MCCs that are capable of being powered by either unit, The pumps and screens are tripped by an "S" signal if being powered by the affected unit.

He supply to the suction of screen wash pumps CPX SWAFTS 01,02 can be provided by either unit's train A/B SW pump. During normal operation, only one train A screen wash header supply valve, ISW-0008 or 2SW-0008, and one train B supply valve, ISW-0013 or 2SW-0013, will be open. 'The screen wash pump suction and discharge headers are capable of being cross-tied by opening normally closed manual valves XSW-0012 and XSW-00ll, respectively.

The SSI is an enclosed cove of Squaw Creek Reservoir. A seismically qualified dam maintains a 7 minimum water level within the SSI. The SSI contains no surface traffic. The only debris postulated to reach the traveling screens is ficating debris. Technical specifications require the SSI to be maintained at a level of 770'. De normal SSIlevel is 775'. The SW system is designed to operate with a minimum level of 769'6" at the onset of a DBA. Consequently, the SW pump suction supply would begin to become endangered if floating debris were to block 5'6" below the water surface. Since the probability i of this scenario occurring is relatively small, the screen wash system is not expected to be necessary following a DBA.

l 3-86 i

'Ihe SSI contains a water supply sufficient to allow simultaneous safe shutdown and cooldown of both units (with one unit in a LOCA) for a minimum of 30 days without makeup, During normal operation, makeup to the SSI is provided by the Circulating Water system which diverts a continuous supply of water to the SWIS. This method of makeup also promotes circulation within the SWIS, Both trains of SW will normally be in service although only one train is necessary to support normal plant operation. The pumps are actuated by the following signals:

Low discharge pressure in the opposite train

*S* signal

'BOS"

Train related CC pump start Since both SW pumps are normally operating, the possibility of latent human error on a SW train is precluded. The possibility of latent human error is introduced following maintenance of a screen wash system component or a ventilation exhaust fan.

The success criteria for the SW system is that of providing adequate cooling to the following components pertinent to the IPE study:

CC heat exchanger CCP lube oil cooler

SIP tube oil cooler

.

CT pump bearing coolers (2 per train)

DG jacket water cooler

, Emergency AF water supply Loss of all SW flow necessitates a ructor trip since both sources of RCP seal cooling would eventually be lost. If SW flow cannot be recovered and an alternate means of cooling cannot be provided for the CCP lube oil coolers, a RCP seal-LOCA will ultimately occur.

l 3-87 i

3.2.15 Containment Sorav System System Descriotion The simplified diagram of the Containment Spray (CT) system is shown in Figure 3.2.1.5. The CT

system consists of two sepaiate, independent, and full capacity trains. Each train contains two spray pumps, one heat exchanger, two chemical eductors, spray headers, spray nonles, associated piping, valves, and instrumentation. Failure of the CT system does not result in an initiating event.

De function of the CT system is to maintain the containment pressure within its design limit aftt.r the following initiating events:

Loss-Of-Coolant Accident (LOCA)

Main Steara Line Break (MSLB) inside containment Feedwater Line Break (FWLB) inside containment The CT pumps are provided with suction lines from both the RWST and the containment sumps. Thus, the system is capable of providing the containment with short term (Injection Mode) and long term (Recirculation Mode) cooling. Each pump train takes suction from the RWST via normally open motor-operated valve 1-HV-4758/4759. The CT system shares the RWST with the SI, RH, and CS systems, In addition, the RH, SI, and CT systems share RWST isolation valve ISI-047. Following depletion of the RWST, the suction of the CT pump train is switched over to its respective containment sump via normally closed motor-operated valve 1-HV-4782/4783. The RH and CT systems share the containment sumps.

The design flow rate of each CT pump is 3000 gpm at 260 psid. The design of the system is such that both pumps per train are required to deliver enough flow to the spray header to remove an adequate amount of heat from the containment atmosphere, ne pumps are powered from separate Class IE 6,9kV l buses. Each CT pump room contains two spray pumps and two associated room cooler units to ensure i that the ambient Ioom temperature remains within equipment qualification !!mits. He room cooler units are powered by Class IE 480V MCCs and are supplied chilled water by the CH system. CT pump mir.lflow protection is provided by normally open motor-operated valve 1-FV-4772-1/4772-2/4773-( 3-88 l

l

1/4773 2. He pump seals are cooled by the CC system; the pump bearings are cooled by the SW system. The pumps are actuated by a "S" signal. The pumps also receive a confirmation start signal when containment pressure reaches the hi 3 ("P") setpoint. Following the "S" signal, the pumps operate in miniflow until the hi 3 setpoint is reached. At that point, the spray header isolation valves 1-HV-4776,4777 open and the miniflow valves close.

Each pump is equipped with as associated chemical eductor which delivers a 28-30 weight percent solution of sodium hydroxide to the pump suction. One chemical additive tank provides gravity flow to each eductor venturi section. Success of the chemical addition system is r.ot considered essential for system operation.

Each pump discharges to si header which routes flow to its respective heat exchanger. The CC system supplies cooling to the shell side of the heat exchanger via normally closed anotor-operated valve 1-HV-4574/4575. He valve is opened automatically by a "P" signal. Upon discharge from the heat exchanger, flow is routed to the spray header via normally closed motor operated isolation valve 1-HV-4776/4777.

The spray headers route flow to ring headers located in four regions of the containment. Each header contains a restriction orifice which balances the flow to each ring.

Technical specifications require the CT pumps and active valves to be operability tested quarterly.

During the pump test, CT flow is recirculated back to the RWST via normally locked-closed test header isolation valve ICT-050/049. Among the valves stroke tested are RWST suction isolation valve 1-HV-4758/4759, co .utinment sump suction isolation valve 1-HV-4782/4783, and spray header isolation valve 1-HV-477o/4777. For the duration of the testing, the CT train remains inoperable. In addition, the CT train is disabled prior to quarterly ESFAS slave relay actuation testing in order to prevent pump damage.

l' The possibility of latent human error is introduced following testing or maintenance of the purnps or motor-operated valves. Valves that are locked-in-place are also considered susceptible to latent human error. The following operator actions are required to align the system for the recirculation mode:

i

Open the containment sump suction isolation valves 1-HV-4782,4783 and close the RWST suction isolation valves 1-HV-4758,4759.

3-89

The following CT system function and corresponding success criteria are modeled in the accident sequence analysis and the fault tree model:

Maintain the containment pressure within its -design limit during the injection and l recirculation mode of the ECCS 1

- Success is defmed as operation of at least one train of two CT pumps delivering flow to the contain:nent spray nozzles.

3.2.1-6 Chemical and Volume Control System 1 System Descrintion The simplified diagram of the Chemical and Volume Control System (CS) is shown in Figure 3.2.1.6.

The system consists of three separate and independent pump trains. Two of the trains contain Centrifugal Charging Pumps (CCPs); the third train contains a Positive Displacement Charging Pump (PDP). Each train consists of its respective pump, associated piping, valves, and instruments.

He CS system provides the following functions during normal and emergency operating modes:

l

Maintain RC water inventory Maintain seal water injection flow to the Reactor Coolant Pumps (RCPs)

Provide high head flow to the RC cold legs during the injection and recirculation modes of the ECCS Control RC boron concentration and provide an emergency boration capability RC level is maintained by a continuous bleed-and-feed process between the RC and CS systems. RC flow i

is letdown from cross-over leg 1 and routed to the Volume Control Tank (VCT) where the boric acid concentration is altered as required. ne VCT supplies water to the suction of the charging pumps via 3-90 n - n ~- e- w- g y , s

l l

i motor-operated valves 1-LCV 112B,C. Normal chargirig How is provided by the PDP (TBX CSAPPD-01). One of the CCPs will be used during periMn of PDp maintenance. Normally, the flow rate of the PDP is controlled automatically by the pressurizer level control system. Failure to maintain pressurizer level tequirements will result in a reactor trip. Upon discharge from the charging pump, a portion of the flow is routed to the RCP seals and the remaindet is injected into the RC via the charging f!ow header. Flow is normally injected into RC cold leg 4 via charging valve 18146. An alternate charging path is provided to cold leg 1 via normslly closed charging valve 1-8147. Both charging valves are pneumatically operated, fail-open valves. The charging flowpaths are swapped each refueling to distribute the Cow induced erosion.

4 The relative distribution of flow between the charging flow header and the RCP seals is controlled by fail-open pressure control valve 1 HCV-182. Failure of the valve in the open position diverts all charging pump flow to the RC and thus, results in a loss of seal injection. However, failure to provide seal injection does not result in direct seal failure because the thermal barrier coolers provide the seals with a redundant source of ecoling.

The normal PDP flow rate is 87 gpm at a nominal pressure of 2395 psid. The pump is powered by a Class IE 480V MCC. The pump room is equipped with an associated room cooler unit to ensure that the ambient pump room temperature remains within the equipment qualification limits. The room cooler unit is powered by a Class IE 480V MCC and is supplied chilled water by the Ventilation Chilled Water system, The pump bearings are cooled by the CC system; the pump seals are self-cooled. The pump is equipped with suction and discharge dampers to reduce fluid pulsations and head loss. The pump is automatically tripped on an "S" signal.

'Ihe design flow rate of the CCPs is 150 gpm at 2515 psid. The pumps are powered from separate Class IE 6.9kV buses. Each pump room is equipped with an associated room cooler unit to ensure that the ambient pump room temperature remains within the equipment qualification limits. The room cooler units are powered by Class IE 480V MCCs and are supplied chilled water by the CH system. CCP.

miniflow protection during normal operation is provided by a common recirculation line that directs flow to the seal water heat exchanger via motor +perated valves 1-8)10,8111. The pump bearings are cooled by the SW system; the pump seals are self-cooled. The pumps are automatically started by an "S" or "BOS" signal. Technical specifications require the pumps to be tested quarterly. During the test, the l

3-91

i f pumps are unavailable because the nor'nal pump discharge flowpath is isolated and the pumps operate in recirculation.

A high point vent is provided at the suction of each charging pump. He three vents connect to a common header that is routed to the VCT via fail-closal solenoid valves 1-HV-8220,8221. These vent valves are automatically closed on an "S" signal. Failure to isolate the vent path could result 11. gas 1

binding of the CCPs (which are started by "S") caused by diversion of the VCr gas blanket.

Following an "S" signal, the CCPs provide high head flow to the RC cold legs and continue to maintain seal injection to the RCPs. During the injection mode of the ECCS, the RWST supplies the suction of l the CCPs via redundant motor-operated valves 1-LOV 112D,E, while the normal suction supply valves from the VCT (1 LCV-112B,C) are closed. In addition, the normal charging flow header isolation valves I (1-8105,8106) and CCP miniflow valves (1-8110,8111) are closed and each pump's alternate miniflow valve (18511 A/B) to the RWST is opened. The CS sy. ,m shares the RWST with the RH, SI, and CT

, systems.

Upon discharge from the CCPs, flow is routed to the RC cold legs via redundant normally closed motor-operated isolation valv. 18801 A,B. Each cold leg injection line contains a locked in-place throttling valve (1-8810A.B,C,D). He valve positions are determined by a flow balance test that is performed

, during each refueling outage, j Following depletion of the RWST, the suction of the CCPs is aligned to the discharge of the RH pumps.

RH Train A directly supplies the CCP suction header via normally closed motor-operated valve 1-8804A.

j RH Train B indirectly supplies the CCP suction header via normally closed motor-operated valve 1-8804B l - and piping that connects to the suction of the Train A SIP. This piping contains normally open motor-operated isolation valve 18924 and redundant normally closed motor-operated isolatior, valves 1-8807A,B. S'P suction isolation valves 1-8923A,B connect the piping directly to the Train B RH pump.

Recirculation supply valves 1-8804A,B are precluded from opening by an interlocking circuit that requires both the CCP and SIP miniflow lines to be isolated,

- ne emergency boration function is provided by redundant boric acid transfer trains. Each train consists of a tank, pump, associated piping, valves, and instruments. Each Boric Acid Transfer Pump (BATP) 3-92

takes suction from its respective Boric Acid Tank (BAT) and delivers flow to the charging pump suction header via normally closed motor-operated valve 18104. In addition, a gravity drain line is capable of

. providing 100 gpm from each BAT (CPX-CS ATB A-01/02) to the charging pump suction header with the VCT isolated. Technical specifications require the BATS to be mairaained at a 50% level, with a boron concentre* ion of 7000 ppm, and a solution temperature of 65'F. The BATPs (TBX-CSAPBA-01/02) are powered from separate Class IE 480V MCCs. They are small canned motor centrifugal pumps located in large open rooms. He heat generated by the operation of the pumps is not expected to impact the ambient temperature of the rooms. The pump seals and bearings are self-cooled. Technical specifications require the pumps to be tested quarterly. During the testing of each pump train, the opposite train is ,

disabled to prevent excessive boration of the RC.

1 The possibility of latent human error is introduced following testing or maintenance of the pumps or motor-operated valves. Valves that are locked iri place are also considered susceptible to latent human error. The following operator actions are required to align the system for its emergency functions:

During the transfer to cold leg recirculation, 'he operator is required to isolate the CCP and SIP miniflow lines in order to satisfy the interlocking condition that will then enable the operator to open recirculation supply valves 1-8804A,B.

In order to initiate emergency boration of the RC, the operator is required to start the BATPs and open emergency boration valve 1-8104 The following CS system functions and their corresponding success criteria are modeled in the accident sequence analysis and the fault tree models:

Provide seal injection flow to each RCP Success is defined as operation of at least one charging pump delivering 8 gpm to each RCP seal.

Provide high head injection flow to the RC cold legs Success is defined as operation of at least one CCP delivering flow to at least two RC cold legs.

3-93

Provide high head recirculation flow to the RC cold legs

- Success is defined as operation of at least one CCP delivering flow to at least two RC cold legs.

Provide emergency boration of the RC

- Success is defined as operation of at least one BATP delivering flow to the chirging pump header with at least one charging pump delivering flow to the RC via the normal charging flowpath.

3.2.1-7 Reactor Coolant Syung SritD.Dncrmtiga The simplified diagram of the Reactor Coolant System (RC) is shown in Figure 3.2.1.7. The system consists of four heat transfer loops connected in parallel to the reactor pressure vessel. Each loop contains a stesm generator, a reactor coolant pump (RCP), associated piping, valves, and instrumentation.

In addition, the system is equipped with a pressurizer, a pressurizer relief tank (PRT), interconnecting piping, and instrumentation necessary for operational comrol.

l The pressurizer controls the RC pressure by reducing pressure variations caused by contraction and t

! expansion of the reactor coolant. A water / steam equilibrium is maintained within the pressurizer vessel to absorb coolant volume surges caused by changs in reactor coolant temperature. The voiume changes i are transmitted to the pressurizer through the pressurizer surge line which is connected to the loop 4 hot leg, Failure to maintain RC pressure within the operational control bard will result in a reactor trip.

During pressure increases, the pressurizer spray system injects subcooled water into the pressurizer steam space to condense the steam and Icwer the pressure. The spray line is connected to RC loops 1 and 4 at the discharge of the RCPs. RCP TBX-RCPCPC-01 or 04 supply flow to the spray line via normally closed pressurizer spray valve 1-PCV-455B/C. The valves are pneumatically operated, fail-closed valves.

A continuous spray flow of approximately I gpm is maintained by spray bypass valve IRC-8051/8052.

This flow prevents the surge line and spray line from being thermally shocked upon spray actuation.

7 3-94

For pressure increases that are beyond the capacity of the pressurizer spray sys'em, the pressurizer is equipped with two power operated relief valves (1 PCV-455A,(56) and three self-actuated safety relief valves (18010A,B,C). De discharge of the power-operated relief valves (PORVs) and safety relief valves (SRVs) is routed to the PRT where it is condensed and cooled. The PORV setpoint is 2335 psig; the lowest SRV secpoint is 2485 psig. The PORV setpoint is established at a much lower value to prevent the ur. desirable opening of the SRVs.

The PORVs are connected to a single port that is attached to the pressurizer upper head. A motor-operated block valve (1-8000A/B) is provided to isolate the PORV in the event the valve fails to close er if excessive seat leakage occurs. Each valve is equipped with an accumulator tank that is sized to ensure that the PORV can be cycled 100 times in a 10 minute period, The tanks are supplied with high pressure nitrogen regulated down to the required operating pressure for the PORV actuators. A relief valve (ISI-0176/0177) provides protection against over-pressurizing the actuators due to regulator failure.

If the a:cumul.' tor supply is exhausted, the operators can recharge the tank via the Nitrogen Gas system.

De PORVs fait closed on loss of nitrogen or control power.

During pressure decreases, fit.shing of saturated water in the pressurizer and generation of steam by electrical heater operation maintains reactor pressure. The pressurizer houses 78 individual heater elements with a combined capacity of 1800 kW.

t The RCPs are powered by non-Class IE 6.9kV buses. Each pump motor is equipped with an air-to-water heat exchanger to cool the ventilating air. De CC system supplies cooling water to the heat exchangers.

The pump upper and lower radial bearings are also cooled by the CC system. - Failure to maintain motor or bearing cooling necessitates a manual reactor trip to prevent RCP damage. The pump seals are provided with redundant cooling mechanisms. During normal operation, seal injection provided by the CS system flows down , .ist the thermal barrier heat exchanger into the RC, his flow acts as a buffer to prevent reactor coolant flow from entering the radial bearing and seel regions. Should a loss of seal injection occur, hot reactor coolant will flow up past the thermal barrier. However, the CC supplied to th'e thermal barrict heat exchanger cools any reactor coolant flowing past the heat exchanger prior to it reaching the lower radial bearing or seal packing regions. Failure of both cooling mewianisms will ultimately lead to a gross seal failure resulting in a seal-LOCA.

3-95 l

De possibility of latent human error is introduced following testing or maintenance of the PORVs, the PORV block valves, or the SRVs. Manual PORV actuation is required during bleed and feed operation, ne following RC system functions and their corresponding success criteria are modeled in the accident sequence analysis and the fault tree models:

Provide automatic precure relief on high RC pressure Success is defined as operation of I of 2 PORVs or 2 of 3 SRVs. Operation is

, denned as opening when RC pressure reaches the valves' respective setpoint and closing when the pressure drops below the setpoint.

Provide RC depressurization via the pressurizer spray system during cooldown Success is defined as operation of I of 2 pressurizer spray valves and its associated RCP providing flow to the pressurizer.

Maintain thermal barrier cooling to the RCPs Success is defined as operation of the CC valves and instrumeuation that provide cooling flow to and from the thermal barrier coolers.

Provide a discharge pathway during bleed and feed operation Success is defined as manual actuation of I of 2 PORVs.

3.2.1-8 Safety Inlection System

System Description

The simplified diagsam of the Safety injection (SI) system is shown in Figure 3.2.1.8-1. He SI system provides intermediate head flow to the RC cold and hot legs during the injection and recirculation modes of the ECCS. Additional injection flow is provided to the RC via the four accumulator tanks (see Figure 3.2.1.8 2). He SI system consists of two separate, independent, and full capacity trains. Each train 3-96

. . . . . .-. .. - _ _ _ _ _ _ - - -- - - A

contains a pump, associated piping, valves, and instniments. Failure of the Si system does not result in an imtlating event.

ne Safety injection Pu. ops (SIPS) take suction from the RWST via normally locked-open motor-operated valve 18806. The RWST supplies horated water to the SIPS during the injection mode. He SI system shares the RWST with the RH, CS, and CT systems. In addition, the RH,51, and CT systems share RWST isolation valve ISI447.

Following depletion of the RWST, 'he suction of the SIPS is aligned to the diseharge of the RH pumps.

Pump "W SIAPSI-02 takes suction directly from RH Train B via normally closed motor-operated val' l 8804B. Pump TBX-SIAPSI-01 takes suction indirectly from RH Train A via normally closed motu operatal valve 1-8804A and piping that connects to the CCP suction header. This piping :ontains normally open motor-operated isolation valve 1-8924 and redundant normally closed motor-operated isolation valves 1-8807A,B. SIP suction isolation valves 1-8923A,B allow either of the Ril pumps to deliver flow to the suction of both the CCPs and SIPS. Recirculation suction supply valves 18804A,B are precluded from opening by an interlocking circuit that requires both the CCP and SIP miniflow lines to be isolated.

The design flow rate of each Si pump is 425 gpm at 1165 psid. The pumps are powered from separate Class IE 6.9kV buses. Each pump room is equipped with an associated room cooler unit to ensure that the ambient pump room temperature remains within the equipment qualification limits. The room cooler un:. we powered by Class IE 480V MCCs and are supplied chilled water by the CH system. SIP

miniflow protection is provided by normally open motor-operated salve 1-8814A/B. The discharge of each miniflow valve is routed to a common return header that direc flow back to the RWST. The header contaim normally locked-open motor-operated isolation valve 1-8813 which provides a redundant miniflow path isolation capability. Following a I CA, the Si system will operate in miniflow until RC pressure drops below the SIP shutoff head of 1537 psi. The pump bearings are cooled by the SW system; the pump seals are self-cooled. The pumps are automatically started by an *S" signal, ne discharge piping of each SIP routes flow to the cold leg injection header via normally open motor-operated cross-connect isolation valve 1-8821 A/B. The injection header contains normally locked-open l isolation valve 1-8835 which delivers flow to the four RC cold legs via injection line throttling valves l-3-97 l

1 l

8822 A,B,C,D. These manual valves are locked in-place in a position that equalizes flow among the four flow paths. The valve positions are determined by a flow balance test that is performed during each refueling outage. Each of the cold leg injection lines also contains redundant check valves. The RH and SI systems share the downstream check valve in each cold leg injection line.

The discharge of each SIP is also routed to two RC hot legs via normally locked-closed motor-operated valve 18802A/B. Train A pump TBX-SIAPSI-01 delivers flow to hot legs 2 and 3. Train B pump TBX-SIAPSI-02 delivers flow to hot legs 1 and 4. Each of the hot leg injection lines contains locked in-place throttling valve 1-8316A/B/C/D and redundant check valves. The throttling valve positions are also determined by a flow balance test that is performed during each refueling outage. The RH and SI systems share the downstream check valve in hot legs 2 and 3.

Technical specifications require the SIPS to be tested quarterly. During the test, SI flow is recirculated back to the RWST via the minillow lines. This configuration does not cause the pump to be inoperable.

However, the pumps are inoperable during quarterly stroke testing of miniflow valves 1-8814A,B and cross-connect isolation valves 1-8821 A,B.

The accumulators are set to inject borated water when RC pressure drpps below 600 psig. Each accumulator tank discharges through a separate line into a RC cold leg. Each discharge line contains two check valves and a normally locked-open motor-operated isolation valve (18808A/B/C/D). System interlocks ensure that each isolation valve is open above 1960 psig (P-ll setpoint). A pressurized nitrogen cover gas is maintained in each tank in order to drive the tank contents into the cold leg once

, RC pressure drops below the tank pressure. The accumulators are demonstrated operable in accordance with technical specifications at least once per 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . Tec.mical specifications require the accumulators to be maintained at an indicated level between 39-61% (of 13" span), a boron concentration between 1900-2200 ppm, and a cever gas pressure between 623 and 644 psig.

The possibility of latent human error is introduced following testing or maintenance of the pumps or motor-operated valves. He transmitters that measure accumulator level and pressure are also considered susceptible to individual and common cause miscalibration errors. In addition, the potential for misalignment of locked-in-place valves exists. The following operator actions are required to align the system for the cold leg and hot leg recirculation functions:

3-98 l

During the transfer to cold leg recirculation, the operator is required to isolate the CCP and SIP miniflow lines in order to satisfy the interlocking condition that will then enable the operator to then open recirculation supply valves 18804A,B.

1

During the transfer to hot leg recirculation, the operator is required to stop the SIPS, close cold leg cross-tie valves 1-8821 A,B, open hot leg isolation valves 1-8802A,B, and then re-stan the SIPS.

The following Si system functions and their corresponding success criteria are modeled in the accident sequence analysis and the fault tree models:

Provide interrnediate head injection flow to the RC cold legs

- Success is defined as operation of at least one SIP delivering flow to at least two RC cold legs.

1

Provide intermediate head recirculation flow to the RC cold legs Success is defined as operation of at least one SIP delivering flow to at least two

RC cold legs.

1 Provide intermediate head recirculation flow to the RC hot legs Success is defined as operation of at least one SIP delivering flow to at least two RC hot legs, i

Provide injection flow via the accumulators Success is defined as operation of at least two accumulators providing injection-flow to intact RC cold legs.

3-99

3.2.1-9 Condensate and Feedwater System System Descrintion The simp!!fied diagram of the Condensate and Feedwater (CF) system is shown in Figure 3.2.1.9. The CF system utilizes a twin shell main conderser to provide the heat sink for the main turbine exhaust and for the steam dump system. The condensed steam, along with water from the low pressure feedwater heater drains and the FW pump turbine auxiliary condensers, is collected in the main condenser hotwell, he hotwell provides condensate storage equivalent to that required for five minutes of operation at maximum load.

The condensato pumps take e,uction from the hotwell and discharge to a common header which splits into a Condensate Polishing sys' tem supply line and bypass line. The condensate pumps are powered by nan-IE 6.9kV buses. The pump bearings are cooled by the Ttirhine Plant Cooling Water (TPCW) system, he pump seals are cooled by the Deminer:dized Water system. ' Pump minillow protection is provided by pneumatically operated, fail-open valve 1-FV-2239. The pumps are tripped on a 10-10 condenser hotwell level signal and a low lvbe oil pressure signal from both FW pumps.

Full condenste flow is normally routed to the condensate polishing system. Flow is divided among supply ines to the main and auxiliary gland steam condensers and a gland steam condenser bypass line.

Rese lines rejoin into a common header which is then divided into two paths, each passing in succession through the tube side of the drain cooler and the 6th and 5th stage feedwater heaters. The flows are recombirad and then divided to pass through the 4th and 3rd stages of feedwater heating.

The discharge from thme stages is then combined with the heater drain pump discharge at the FW pump suction line. During normal operation, the condensate pumps supply approximately 65% of the FW pump suction, with the heater drain pumps supplying the remaining 3S%. However, the condensate pumps are capabl?.of providing 96% of full feedwater flow during transients.

Each FW pump is driven by a dus1 admission turbine. During startup, high pressure steam is delivered to the turbine via die steam equalitation header. At power, the high pressure sourca is isolated and the MSRs supply the turbine. Each FW pump turbine is supplied with its own lubrication system. The 3-100

_ _ _ _ _ - _ . - J

system is comprised of two AC lube oil pumps, one DC lube oil pump, and two tube oil coolers cooled by TPCW. Seal injection is provided to the FW pumps by the condensate system via a piping connection made at the outlet of the gland steam condenser bypass line. Each FW pump is provided with a separate seal injection line that consists of two filter trains and a temperature control valve. Pump miniflow protection is provided by pneumatically operated, full open valve 1 FV-2289/2290. De FW pumps are tripped upon receipt of an "S" signal or a steam generator hi-hilevel signal.

He FW pumps discharge to a common header which splits into two trains of high pressure feedwater heating. Flow from these stages is recombined and routed to se main feedwater manifold. The discharge from this manifold is then directed to the individual steam generator feodwater flowpaths. Each flowpath contains a manual isolation valve, flow element, feedwater control valve, check valve, and feedwater isolation valve. Each flowpath also contains a preheater bypass line and a feedwater control valve bypass line.

The preheater bypass line connects upstream of the feedwater isolation valve anc c.scharges to the steam generator auxiliary nozzle. Each line contains a manual isolation valve, check valve, and fail-closed pneumatic valve Prior to entering the auxiliary nozzle, flow is routed through two series check valves located inside containment. Each AF system steam generator flowpath connects to FW system piping upstream of the two check valves, outside containment.

De feedwater control valve bypass line is primarily used during power ascension up to approximately 25% load. The line contains a feedwater centrol bypass valve and associated maintenance isolation valves. At power, the feedwater control valves regulate the flow to the steam generators. The control valves and bypass valves, as well as the preheater bypass valves, are pneumatically operated, falleclosed valves equipped with redundant solenoid valves to ensure rapid closure, when required.

The feedwater isolation valves are hydraulically operated with redundant solenoids provided to bleed the hydraulic fluid from the valve opera r, causing the valves to trip closed within five seconds. The valves fail-as-is on loss of power to the solenoids.

3-101

To isolate main feedwater, redundant ESFAS feeJwater isolation signals are sent to the feedwater control and bypass valves, preheater bypass valves, and feedwater isolation valves. The feedwater isolation signal is generated by any of the following:

Steam generator hi-hi level

"S" signal

Reactor trip coincident with low average RC temperature (T,)

Although main feedwater is isolated on a reactor trip coincident with low T,, the condensate and feedwater pumps operate in recirculation and consequently can be used if the AF system fails. In order to re-establish main feedwater, manual, operation of the feedwater control bypass and preheater bypass valves is required.

s 3.2.1-10 Mahi Steam System System Descrintion The simplified diagram of the Main Steam (MS) system is shown in Ficure 3.2.1.10. The MS system transports steam produced in the four steam generators to the high pressure turbine. A main steam line is connected to the top of each steam generator. Each steam line contains an Atmospheric Relief Valve (ARV), five safety valves, and a Main Steam Isolation Valve (MSIV). Downstream of the MSIV, each steam line has a connection to the equalization header. The MS system also provides separate steam supplies to tae TDAFWP via connections to main steam lines 1 and 4, made upstream of the ARVs.

He steam dump system is designed to bypass R% of total main steam flow around the main turbine to the main condenser when turbine steam demand during a transient is less than the stesm generator output.

The steam dump valves are capable of being modulated by average RC temperature or steam dump header pressure. The steam dump control mode is chosen by a selector switch located on the main control board. He T,., position permits valve control during operational transients including reactor trips.

Steam dump header pressure, measured by 1-PT-507, permits valve con +rol during hot shutdcwn conditions. The steam dump valves we fail-closed pneumatic valves operated in four banks of three, with 3-102

___ _ _ _ _ _ _ _ I

bank " A* (1 pV-2369A,B,C) being used during cooldown modes. A steam dump signalis blocked when the main condenser is not available.

He ARVs are designed to operate automatically during steam pressure transients to minimize safety valve lifting. A manual block valve (IMS-026/063/098/134) is provided for each ARV (1 PV-2325/2326/2327/2328)in the event the ARV fails to close or excessive seat leakage occurs. Each ARV is equipped with an accumulator tank that is sized to permit valve modulation for a minimum of four hours following a loss of Instrument Air. Each accumulator supply line is provided with two chec' valves in series to prevent backleakage in the event of an Instrument Air system failure. The check valves are tested quarterly by isolating the air supply line and verifying that the accumulator pressure remains constant, ne ARVs fait closed on loss of air supply or control power.

i ne safety valves are designed to collectively pass 105% of the rated flow at a pressure not ciceeding 110% of the steam generator design pressure. De set pressures of the individual valves on each steam line are Maggered at different pressures in order to minimize chattering during valve operation.

The MSIVs (1-HV-2333 A,2334 A,2335A,2336A) are provided to prevent the uncontrolled blowdown of I more than one steam generator following an MSLB. The valves are designed to stop flow in either direction within five seconds after receipt of an actuation signal. The valves are operated by a hydraulic control system coupled to a nitrogen accumulator. He accumulator stores the energy required for closing the valva in the foun of compressed nitrogen gas. Each valve is equipped with an air-operated pump that supplies hydraulic fluid to the chamber below the valve actuator piston. As the chamber becomes pressurized, the actuator piston is forced upward against accumulator gas pressure. To close the MSIV, two redundant solenoid valves open to drain the hydraulic fluid and allow the compressed nitrogen to drive the actuator shut.

Prior to entering the high pressure turbine,' flow in each main steam line is routed through a turbine stop and control valve. The valves are hydraulically operated and are combined in a common body. The stop valve is provided to protect the turbine from abnormal operating conditions. The control valve throttles [

in response to signals from the turbine control system. Both valves are automatically closed by the ,

iollowing signals:

i 3-103 A

- - _ - - - _ - _ _ - 1

Reactor trip

'S" signal

Steam generator hi-hi level The possibility of latent human error is introduced following ARV accumulator check valve testing.

Latent human error was not considered on an individual MS valve basis since it does not contribute significantly to the failure of syst6ms that contain multiple redundancy. Manual operator action is required to isolate a faulted steam generator following a SGTR and to trip the main turbine, if necessary.

The following MS system funct.. and their corresponding success criteria are modeled in the accident sequence analysis and the fault tree models:

Provide main turbine trip Success is defined as isolation of either the stop or cc. trol valve in each steam line.

Provide main steam isolation Success is defined as isolation of the MSIV in the faulted steam generator ih.e or isolation of the remaining three MSIVs.

3.2.111 Circulatine Water Svstem System Descrintion ne simplified diagrani of the Circulating Water (CW) system is shown in Figure 3.2.1.11. The CW system consists of four pump trains. Each train contains a pump, associated piping, valves, and instrumentation. The Circulating Water Pump (CWP) suction supply for both units is provided by Squaw Creek Reservoir (SCR), Water from the SCR flows through steel bar trash racks and a screen wash system prior to entering the Circulating Water Intake Structure (CWIS). The screen wash system consists of two 50% capacity screen wash pump trains, one spray valve, and six traveling screens.

3-104 i

- . - -- -. -. = . - -__- . .-

The CWPs are powered by separate non lE 6.9kV buses. He CWP seals are self-cooled. Two full capacity lube water pump trains provide lubrication to the CWP be rings ar.d also cooling water to the punip motors. The tube water pumps take suction from the CWP discharge manifold. The lube water pumps are powered by non-lE 480V MCCs During normal operation, one tube water pump will be in-service; the other pump is placed in standby. The pumps are operated on a weekly rotation schedule.

In the event both lube water pumps fail, the screen wash system automatically starts and supplies the lube water pump discharge header. All eight CWPs (Unit I and 2) are located in the CWIS. Tne pump motots are on top of the structure, thus, not requiring a ventilation system.

The screen wash system is actuated by high differential level across the traveling screens or by a timed wash signal every four hours. Upon initiation of the screen wash system, the pumps and their associated discharge valves, the screen wash supply valve, and the traveling screens are actuated, The pumps take suction from the CWIS and discharge to a common header which supplies flow to each traveling screen, ne pumps and traveling screens are powered by non-lE 480V MCCs. Screen wash pump discharge valves 1 HV-2911,2912 and screen wash supply valve 1-ilV-2915 are pneumatically operated, fail-closed valves.

During summer operation, four CWPs are in service providing flow to the intake manifold which in turn supplies the intake tunnel. During winter only two or three will be operating. He intake tunnel routes j the flow to an intake box beneath the turbine building where it is divided into four lines which pass through the main condenser waterboxes. Upon discharge from the condenser, the flow is recombined and directed to the discharge tunnel for return to the SCR. .A line branching off the intake tunnel supplies flow to the other Cb system loads. In addition, a bleed line connected to the intake manifold supplies makeup water to the SSI.

Cross-tic lines connect the lube water pump and screen wash pump discharge headers of each unit.

Dere is also a cross-tie line that connects the SSI makeup lines of each unit.

l The possibility oflatent human error is introduced following maintenance of the screen wash pump traH the screen wash spray valve, or the standby lube water pump train. In addition, the potential exists for common cause miscalibration of the two level switches that actuate the screen wash system.

3-105

. . _ - . . = - .- , - . - - - . . . . - - .-

l The success criteria of the CW system is that of providing an adequate heat sink for the following components pertinen! the IPE study:

Main condenser (steam dump system)

Turbine Plant Cooling Water heat exchangers

Condenser exhausting vacuum pump heat exchangers 3.2,1-12 Reactor Protection Sys'em System Descrintion The simplified diagram of the Reactor Protection System (ES) is shown in Figure 3.2.1.12. The (ES) is comprised of two functionally defined subsystems, the . aactor Trip System (RTS) and the Engineered Safeguards Features Actuation System (ES), that perform two major functions. The RTS system automatically trips the reactor whenever critical plant parameters reach specified limits. The ESFAS system activates equipment necessary to maintain the reactor in a safe shutdown condition. Spurious I operation of either system results in a reactor trip.

i The (ES) consists of two separate and independent Solid State Protection System (SSPS) cabinets which are located in the Control Room. Each cabinet is an assembly of four smaller cabinets arranged on a common base. The cabinets are designated as the input, logic, output #1, and output #2 cabinets. The input cabinet consists of four instrument channels provided signals from four separate channel cabinets.

These four channels feed both trains, and are powered by lE IISVAC panels. The signals received by the individual channels are provided by process instruments measuring vital station parameters, h channels process all inputs via normally energized relays that de-energize to close contacts that input signals to the logic cabinet where the coincidence logic is performed (i.e. 2/3,2/4). Individual logic cards inside the cabinet then provide signals to both the RTS and ESFAS subsystems.

The RTS subsystem is comprised of two reactor trip breakers arranged in scries which carry power from the rod drive metor-generator sets to the Rod Control system pown cabinets. _ The Rod Control system distributes the power among the individual Control Rod Drive Mechanisms (CRDMs). If power is 3 106

l I

interrupted to the CRDMs, the rods will drop into the core resulting in a reactor trip. A bypass breaker in parallel with eac!: trip brrsker allows nn4!nc terting of the trip breakers. An interlocking circuit g prevents the bypass breaker and the twetor trip breaker, or both bypass breakers from being closed simultaneously, ne SSPS logic cards wpply dgnale to the undervoltage (UV) and shunt trip coils of )[

the reactor trip breakers. When a trip signal is sont, actuation of either coli causes the breakers to open.

He UV coils de-cricrgize to actuate, whereas, the shunt trip coils require 125 VDC power to actuate.

He ESFAS subsystem consists of the SSPS outpi't #1 and #2 cabinets. The SSPS logic cards transmit signals to master relays. He master relays then provide signals to multiple slave relays. The slave relays then send actuation signals to various ESP components.

Instrument calibration checks are performed routinely during plant operation. In general, loss of an individual instrument due to testing, maintenance, or power supply failure places the associated channel in the fall safe or tripped position. The exceptions are the *P", Containment Phase *ll", and RWST/ Containment sump isolation valve switchover signals which require power to be transmitted, in addition, the Si ar.d Linckout Solid State Sequencers, v.hich load the required equipment sequentially onto their respective Class IE buses following each signal, require power to operate.

The possibility of latent human error is introduced following instrument calibration. The potential for common cause miscalibration of instrument channels measuring the same parameter aho exists. Periodic testing of the ESFAS master and slave relays is completed during norma. ,peration. Although the relays remain operable during testing, some relay actuation tests require certain components to be disabled in order to prevent undesirsble actuation of the function tested (i.e. CT actuation). The individual system d:scriptions specify the components affected by ESFAS testing, ne following is a list of specific ESFAS actuation signals, their associated functions, and the success criteria that were modeled in the IPE:

Safety injection ('S')

Generate a reactor trip signal Actuate ECCS (CCPs, SIPS, RH pumps, and associated valves)

Actuate the ECCS support systems (SW, CC, Cil) 3 107

_ __---_O

- Sta t the htDAFWPs l

- Start the diesel generators and CT pumps

Phase A Containment isolation !

- Isolate all non-essential lines penetrating the containment

Phase B Containment isolation

- Isolate the reinalning lines penetrating containment with the exception of the ECCS and CT lines

hialn Steam Isolation

- Isolate all four main steam lines by closing the associated htSIVs

Feedwater Isolation

- Isolate FW by closing :Le ftedwater control valve, feedwater isolation valve, feedwater control bypas<, valve, and feedwater prcheater bypass valve in each line 5 Containment Spray ("P')

- Provide a confirmation start signal to the CT pumps and aquate the CT header isolation valves

AF Actuation Establish AF flow to the steam generators i

hialn Turbine /Feedwater Pump Trip

- Close the high pressure and low pressure turbine stop and control valves j

- Trip the FW pump turbines -

4

RWST/ Containment Sump Automatic Switchover

- Automatically open the containment sump to RH pump suction valves 1 8811 A,B 3-108

Blackout (* DOS *)

Actuate the following equipment subsequent to a Loss of Of tsite Power:

CCps

SW, CC, Cil pumps

AF pumps

Inst.ument Air compressors (Load units onto their respective buses.)

6.9kV switchgear room cooler units

Dattery room exhaust fans

Containment Ventilation Isolation Isolate all ventilation lines that penetrate containment

Control Room Emergency Recirculation Initiate the ernergency recirculation mode of the Control Room IIVAC system 3.2.1 13 Electric Power System

System Description

De Electric Power (EP) system is comprised of the offsite power distribution system and the onsite distribution system, which consists of AC and DC power systems. The simplified diagram of the offsite power system, AC power system, and DC power system is shown in Figure 3.2.1.13 1,-2,-3, respectively.

Offsite Power System The offsite power system is comprised of two physically and electrically independent switchyards that provide preferred and alternate power sources to the safety related systen.3 of both units. The preferred power source for the Unit 1,6.9kV safeguards buses is the 345kV switchyard via startup transformer XST2. He preferred power source for Unit 2,6.9kV safeguards buses is the 138kV switchyard via 3-109

startup tramformer XSTI, ne alternate source for Unit 1 is transformer XSTI (138kV SWYD) and the alternate source for Unit 2 is transformer XST2 (345kV SWYD).

He 138kV switchyard consists of two buses, East and West, fed by two network transmission lines. De DeCordova line feeds the West bus via breaker CB 7020. The Stephenville line feeds the East bus via breaker CB 7050. ne 138kV East and West buses are tied together through breakers CB 7030 and CB 7040, which also feed startup transformer XSTI.

The 345kV switchyard incorporates a two bus scheme fed by four network transmission lines and each unit's main generator circuit. The four substation lines and their associated bus connections we listed below, ne Comanche Swhch line is not listed because it is an outgoing feeder only.

Benbrook, West bus

DeCordova 1, East bus

Venus 2 West bus

Parker 1, East bus ne 345kV East and West buses are tied together through Unit I main generator breakers CB8000 and CB8010, Unit 2 main generator breakers CB8020 and CB8030, and breakers E6 and W6, which also feed start up transformer XST2, station service transformer IST, and spare transformer XSTl/2.

He network tre missions lines from the various substations converge on the CPSES site via four i

physically independent transmission corridors. One corridor contains the 138kV and 345kV circuits from l DeCordova and the 345kV circuit from Benbrook. The DeCordova 1 and Benbrook lines share a double circuit tower line from D2Cordova to CPSES. The 138kV DeCordova line parallels this 345kV double circuit tower line. The circuits do not cross each other within the DeCowwCPSES corridor, ne second transmission corridor contains the 345kV Venus 2 circuit ns third corrk .r contains the 345kV Comanche Switch and 138kV Stephenville circuits. The fourth cocide ;ontains the 345kV Parker 1

circuit.

Disconnect switches are located on either side of all the switchyard breakers and on the feeder lines to and from the transformers. He disconnects that feed transformers XST1, XST2, IST, and XSTl/2 are 3-110

motor-operated with associated handswitches located in the control room. He remainder of the switches

) are manual and must be operated from the switchyard. The disconnects can only be operated when the line is de-energized.

I Onsite Power Distribution System The AC and DC power systems are divided into Class IE and non Class IE distribution systems, ne AC systems are further subdivided into the following four distribution levels:

6.9kV

480V

^

208/120V

ll8V The DC systems are further sub-divided into the following voltages:

125V

125/250V

24/48V Non-Class IE AC Distribution Systim ne 6.9kV distribution system consists of four unit buses and one common bus. During normal operation, the unit buses are powered by their respective main generator via unit auxiliary transformer IUT/20T. He common bus is powered from either unit station service transformer (IST, 2ST).

Following a loss of voltage to'one of the unit buses, an attempt is made to automatically fast or slow transfer to the offsite source. The Unit 1 offsite source is the 345kV switchyard via IST; Unit 2 is supplied by the 345kV switchyard West bus via 2ST. A fut transfer will be blocked if the alternate power supply voltage or phasing is not correct or the transfer does not take place within 0.25 seconds.

In the event of an unsuccessful fast transfer. a slow transfer can be achieved provided that the normal supply breaker has opened and all feeder breakers from the affected bus have been tripped (which occurs 3-111 l

automatically after the fast transfer is blocked). Control power to the 6.9kV switchgear is supplied by the 125 VDC system.

Each 6.9kV bus (unit and common) feeds an associated 480V distribution system bus. Each 480V unit bus is provided with an alternate supply breaker fed from another bus from the same unit. The normal and alternate supply breakers are interlocked such that both cannot be closed simultaneously. The 6.9kV and 480V switchgear are housed in the same room. Electrical area cooling is provided to the switchgear room by the Ventilation Chilled Water system.

Each 480V bus supplies power to several 480V hiotor Control Centers (htCCs) located in various rooms throughout the plant. Each common h1CC is equipped with an automatic transfer unit (ATU) supplied by a preferred and alternate source of power (one source from each unit). He ATUs preclude one htCC from being powered by both units, ne 480V hiCCs is transformed to feed the 208/120 VAC distribution system and supplies the 125 VDC distribution system battery chargers.

He ll8V Uninterruptible Power apMy t. ote: 3 :omprised of four distribution panels. Each panel is powered by an associated 16 A.t 19 e dt.g ss a trknsformer through a 120 VAC distribution panelboard. Both 118 VAC panel feeder tu akets are manually operated and interlocked to prevent paralleling of the sources. Each inverter is orraally supplied by a 480V hiCC source with a 125 VDC bus providing input power on loss of AC voltage.

Class IE AC Distribution System The 6.9kV distribution system consists of two independent safeguards buses corresponding to two trains of safety related equipment. Each bus is provided with a preferred and alternate offsite power source and a diesel generator, in the event that the preferred offsite source is lost, an attempt is made to automatically slow transfer to the alternate source. If the alternate source is not available, the diesel generator will then start and supply the bus. After the bus is re-energized by either the alternate offsite source or the diesel generator, the loads required during a LOOP mode are started in a pre-programmed sequence by the Blackout Sequencer Control power to the 6.9kV switchgear is provided by the Class IE 125 VDC system.

3 112 J

i Each 6.9kV bus feeds two 480V distribution system buses, ne train related bus pairs are tied via normally open bus tie breakers, ne tie breakers are interlocked with the normal bus fewier breakers to prevent paralleling of the 6.9kV-480V transformers. He train related 6.9kV and 480V switchgear are l housed in the same room.

f I 1

. De switchgear rooms are provided with normal and emergency ventilation systems. During normal j operation, two half capacity ventilation fans supply air cooled by the Ventilation Chilled Water system to both switchgear rooms via a common plenum. Each switchgear room is also equipped with an j emergency ventilation system comprised of two full capacity room cooler units that are started j automatically upon receipt of an "S* or *BOS* signal. He room coolers and ventilation fans are powered by Class lE 480V htCCs. The room cooler units are supplied chilled water by the Cil system.

Each 480V bus feeds several 480V htCCs located within safety class structures throughout the plant.

Common safety-related loads are powered by Class IE htCCs fed from each unit via an ATU. De supplies are interlockcd to ensure that power is being provided by only one unit. De ATU breakers are supplied by a train related bus from each unit.

He 480V htCCs is transformed to feed the 208/120 VAC distribution system and the 125 VDC distribution system battery chargers. The 120 VAC system consists of one distribution panel per train.

Each panel supplies one local distribution panel and provides an unregulated power supply to its train .

related il8V UPS systems.

ne ll8V UPS system consists of four independent distribution panels (2 per train). Each panel is powered by its respective inverter supply or a standby 120 VAC unregulated power supply fed from a bypass transformer. The tie is through a manual transfer switch consisting of two circuit breakers that are interlocked to prevent paralleling of the sources. Each inverter is normally supplied by a 480V htCC with alternate power provided by a 135 VDC bus. In the event the preferred and alternate supplies are unavailable, a third source is automatically provided by the same 120 VAC source that feeds the panelboard.

The (ES) ll8V UPS system consists of four distribution panels (2 per train) corresponding to four SSPS instrument channels. Each panel is powered by an associated invester or by a 120 VAC panelboard, 3 113

.* , - - e , ,.m -.e-- ~ . - - .r + r_ --y. , ,e v,p+ --we- --w r, c ---.v

Each inverter is fed by a 480V hiCC and a 125 VDC bus, ne 480V power from the htCC is administratively turned off to eliminate spiking problems, he train related components for both UPS systems are housed in the same room. De UPS area air conditioning systern provides ventilation for the UPS rooms in both units. De system is comprised of two separate, independent, and full capacity air conditioning (AC) trains. Each AC unit feeds into a common ventilation chase which, in turn, feeds all four UPS rooms. His arrangement allows for either AC unit to serve all areas of the system. Each AC unit is provided with a condensing unit which is cooled by the CC system. De AC units are powered by common Class IE 4SOV htCCs. During normal operation, one AC train is in service. De standby train is automatically started by an "S* signal, "BOS",

or failure of the operating unit.

Each diesel generator set is equipped with auxiliary systems which provide fuel oil, cooling water, starting air, lubricating oil, and combustion alt. Each diesel generator is housed in a separate room provided with a ventilation system consisting of four exhaust fans powered by Class IE 480V h1CCs. ,

Each diesel is equipped with two independent starting circuits that require a separate Class IE 125 VDC power supply to actuate. In addition to starting following a total LOOP to its respective bus, each diesel automatically starts upon receipt of an "S" signal and remains operating in a ready to-load condition. He diese! and its associated subsystems are operability tested on a monthly basis. Prior to testing, the diesel is placed in the maintenance mode to support pre nm checks.

He fuel oil transfer system consists of a fuel oil storage tank, two full capacity fuel oil transfer pump trains, and a fuel oil day tank. De day tank provides fuel to the suction of the engine driven fuel oil pump and the backup motor-driven fuel oil booster pump. In the event the transfer system is unavailable, the day tank is equipped with an emergency fill lies. Technical specifications require the day tank and storage tank to be maintained at capacities that correspond to three hours and seven days of continuous operation at full load, respectively. Each diesel generator fuel oil transfer system is operability tested quarterly. During preparation for each individual transfer pump test, both transfer pumps are disabled.

ne transfer pumps are powered by Class IE 480V htCCs.

3 114

. _ _ . _ ~ . . _ __ _ - - _ __. - . - _ _ _ - _ . _ _ _ _ _ . -. _ . . _ _ . _ - _ _ _ __ _

ne closed loop jacket water cooling system is provided to dissipate the heat generated by various engine components. De SW sysum provides the heat sink for the jacket water cooler. After an emergency start, the engine is capable of operating without SW for 15 minutes, ne possibility of latent human error is introduced following testing or maintenance of the diesels and their associated subsystems, and the alternate offsite feeder breakers to the 6.9kV buses.

Non-Class IE DC System De system is comprised of three indrpendent 125V systems, a 125/250V system, and a 24/48V system.

One 125V system provides the alternate power supply for the UPS system to the Emergency itesponse Facility (ERF) computer. The system consists of a battery, two battery chargers (one spare), and a bus.

In addition to the 118 VAC UPS system, the battery system provides power to one DC distribution panel.

Two 125V systems are provided for control room emergency lighting for each unit. Each system consists of a battery, battery charger, fusible switch, lighting panel and contactor, ne 125/250V system consists of two 125V batteries, three 125V battery chargers (one spare), and a 125/250V bus. A partial list of the loads powered by this system include the main turbine emergency bearing oil and seal oil pumps, the main feedwater pump turbine emergency lobe oil pumps, and the plant computer, ne 24/48V system provides power for main turbine control and instrumentation, ne system consists of two 24V batteries, two 24V battery chargers, and a 24/48V bus.

Class lE 125V DC System De IE 125 VDC system is comprised of four independent buses (2 buses per train). Each bus is fed by an associated battery and two full capacity battery chargers powered by 480V MCCs supplied from l . separate 480V buses. He train related battery chargers and associated buses are located in the UPS

! rooms and are cooled by the UPS area air con 6tioning system, ne two battery charger feeder breakers are mechanically interlocked such that only one charger rer.uins connected to the bus at any time. Each l

3 115

bus feeds a 118 VAC UPS laverter, an SSPS instmment channel inverter, rad local distribution panels.

One bus from each train feeds a common distribution panel (XEDl 1, XED21). He common panels are fed from each unit via an automatic transfer switch which prevents paralleling of the sources, in the event of a Station Blackout, each battery is capable of carrying the essential load continuously for a period of four hours. Each set of train related batteries is located in a separate room. A separate eahaust system is provided for each battery room, ne exhaust system consists of two full capaelty exhaust fan trains, ne exhaust fans are powered by Class IE 480V MCCs. During normal operation, one exhaust fan train is in service. He standby fan is automatically started by an "S" signal, *BOS",

or failure of the opera...;g train.

3.2.1 14 Instrument Air System

System Description

ne simplified diagram of the instrument Air (Cl) system is shown in Figure 3.2.1.14. He system consists of two unit air compressor trains with their associated prefilters, afterfilters and aftercoolers, air receivers, and air dryers. In addition to the two unit trains, there are two spare compressor trains common to both units. Loss of the Ci system will directly lead to a reactor trip.

The unit lead compressor train is a rotary compressor CPI-CICACO-02 with integral inlet filter / silencer, an air receiver, and an air dryer. He designated unit backup train is a reciprocating compressor CPI-CICAC041 with filter / silencer, external aftercooler cpl-CIMS AC 01, an air receiver, and an air dryer.

One of the spares is a complete train consisting of rotary compressor CPX-CICACO-02, an air receiver, and an air dryer, ne other spare is reciprocating compressor CPX-CICACO-01 with associated external aftercooler CPX CIMSAC-01 that uses the air dryer system of either unit backup train, ne discharge line from each compressor is connected to an aftercooler (which are integral to the rotary I

compressors). From the aftercooler, alt is then routed to its dedicated air receiver tank. He common reciprocating compressor discharges air from its aftercooler to normally closed pneumatic valves 1/2 HV-3476 that direct the air to either backup unit air receiver (cpl /2 CI ATAR41). Upon discharge from the 3 116

air receiver, air is then routed to a prefilter. From the prefilter, flow is directed to the air dryer inlet manifold. The alt is then passed through a four way valve that controls the flow through the active and regenerating towers. From the air dryer discharge, the air is sent to the afterfilter inlet manifold which directs air to the filter in service. Upon discharge from the afterfilter, flow is delivered to the main supply header which then routes air to the various plant buildings.

He Unit I distribution system supp!!cs the Unit I and common buildingst the Unit 2 disnibution system supplies only the Unit 2 buildings. Two normally closed cross-tic lines connect the unit and spare rotary cornpressors. Manual valves ICl 677,2Cl-677 connect the compressor discharge lines, while, pneumatic valves 1 ilV 3464,2-IIV-3464 connect the afterfilter discharge lines. The unit reciprocating compressors are cross tied at the discharge of the air receiver by normally locked-closed manual valve ICI 050.

The unit reciprocating compressor and external altercooler are prov;ded with separate cooling lines from the CC system. He CC cooling flowpath to the compressor and aftercooler is shown in Figure 3.2.1.14, Sheet 2. Self actuated pressure regulating valve 1 pCV 4645 controls the flow to both the compressor cylinder jacket and aftercooler A fall open solenoid valve on the inlet line to the compressor stops the flow whenever the compressor is not operating. To eliminate potential damage to the compressor from in-cylinder condensation, flow from the aftercooler discharge is diverted to the cylinder inlet via 3 way pneumatic valve 1 TV-4673, upon sensing a low inlet temperature. For additional protection, a self-

~

actuated temperature control valve in the compressor CC discharge line throttles the flow down when temperature drops. The cooling supply for the spare reciprocating compressor and associated aftercooler is provided by the TPCW system, ne unit rotary compressor packages are cooled via the same CC supply header that provides flow to the reciprocating compressors. Once inside the compressor package, the CC flow is split into two headers.

One header supplies the oil cooler and intercooler; the other header supplies the aftercooler. The cooling supply for the spare rotary compressor package is provided by the TPCW system.

j The unit compressors are powered from associated Class IE 480V MCCs. He spare compressors are l powered from non-lE 480V MCCs. The unit compressors are automatically loaded onto their respective i

480V buses after a "BOS". He compressors are then started manually or automatically upon receipt of 3 117 I

e , -. - +r c . ,- r ,mw,- , , . . .. , . , , ,, %.. ..- , ,-.,a rc- m , - --< m -

A a low pressure signal from their associated air receiver. De unit compressors are tripped by an 'S' signal, thereby, requiring operator action to reotablish the system.

During normal operation, the lead compressor train is continuously in service. If the plant usage exceeds the capacit) of the lead compressor, the backup will automatically load when the pressure setpoint is reached in its dedicated air receiver. The common spares are used as follows:

When a lead compressor is inoperable, the common rotary train is used as the lead compressor for that unit.

When a backup ccmpressor is inoperable, the common reciprocating compressor is used as the backup for that unit.

He possibility of latent human error is introduced following maintenance of the backup and spare com1,ressors. Maintenance was considered for the lead compressor, however, latent human error is precluded since the unit is expected to be returned to service immediately following completion of repairs.

Success criteria for the Cl system is that of providing air to the following components pertinent to the IpE study:

Pressurber spray valves

RCP seal wate pressure control valve 1 ilCV 182

AF control valves

ARVs TDAFWP steam admission valves

RH heat exchanger flow control and flow control bypass valves

Steam dump valves

CH systera chiller unit water regulating valves

FW control valves 3 118

3.2.115 Safety chilled Water Sysum System Descrintion ne simplified diagram of the Safety Chilled Water (Cil) system is shown in Figure 3.2.1.15. De system consists of two separate, independent, and full capacity pump trains. Each train contains a pump, a chiller unit, associated piping, valves, and instrumentation.

Each Cil train supplies chilled water to the cooling coils of the fan-coil units provided to ventilate rooms housing ESF equipment. He Cli trains are closed loop, with chilled water in continuous circulation.

The Cil pumps take suction from the loop return header and discharge to the chiller unit's evaporator section. Upon discharge from the chiller unit evaporator, flow is routed to the supply header for distribution to the various fan-coil units. Three normally closed cross-tie lines are provided at the pump suction, pump discharge, and chiller unit discharge. Each cross-tie line contains two redundant manual isolation valves.

De Cil pumps are powered from separate Class IE 480V MCCs. The pump seals and bearings are self-cooled. Technical specifications require the pumps to be tested quarterly; however, the test does not disable the pump. The chiller units are powered by Class IE 480V buses. The units are automatically started upon actuation of thelt respective Cil pumps. The chiller unit condensers reject heat to the respective safeguards loops of the CC system. The CC flow rate through the condenser is controlled automatically by Water Regulating Valves (WRVs) 1 PV 4552,4553. ne WRVs are pneumatically operated, fall-open valves which are modulhaf according to chiller unit condenser pressure measured by 1-PT-4552,4553. The WRVs are required to be throttled such that the condensing pressure does not drop below a certain value. An accumulator is provided for each WRV to ensure remote throttling capability following a loss of instrument alt, Surge tank CPI Cil ATST41 is provided to accommodate system expansion or contraction. Makeup to the tank is supplied automatically by the Reactor Makeup Water or Demineralized Water systems. He tank is separated into two train related compartments which provide a surge line to their associated Cil pump suction line.

3 119

L During normal operation, one pump will be in service providing chilled water to its respective loop; the other pump is placed in standby. De pumps are operated on a bi weekly rotation schedule. He pumps are staned by any of the following signals:

*S* signal

'BOS '

Start-up of respective CC pump De possibility oflatent human error is introduced follewing testing or maintenance of the pumps, chiller units, or WRVs. Manual operator actuation of the standby train may be required for certain accident sequences in which the pump is not autornatically started.

Success criteria for the Cil system is that of providing chilled water to the fan coil units of the following components peninent to the IpE study:

6.9KV switchgear (2 per train)

MDAFWP

SIP

Ri1 pump

CT pump (2 per train)

CCP

CC pump in the event of a loss of all Cil, a manual reactor trip is necessitated due to the subsequent loss of all CC and resulting loss of RCP motor or bearing coeling, 1

3 120

si

!i a

V7i r k'\ '

J

I -

i t Sk*( l ,

[ m. ; 3 f d D L

f OM i F

i F

MO

>4

>4 zg i t-1, ,

y _. _

y _ _t a

..} m 8 5

L _

v^v- q'\/Y! _

_j If I I ht

{b s

'I i p4 'l1 i "T, i S

^6 ON b bl bh 1.

/t b.

/s

/ !.y 9

t {V i, 9}A, s

[-

9 Q

t .

{'^)

gV -

q f % ( i y e

! N i IX ,_,l X

I

i. ai i -

. y g, [i i. -y HI p{ !

~

ml '

klA v.N L NI~

A 9 3,7 I

-g v$

- ~~

[I !!

fl l i !] ssi i"

j. O ! *g Lil ey

%v,{

I ll I' il p;3

,1 - ti

- liI 51 Figure 3.2.1.1: Comnonent Cooling Water System Geet 1 of 1 3-121

t j n t a L

.- .jj !'i

!! P' b' i -

XIi >

e 1A

,51 L_

,I

- o g

O! ! 1Z!

~

~!

l9 c- 17'? l c- 7'$ c- f g 5 6 E 5 ij ;B e !

[ ; [f I. ~h '"i i b !l t g

!N et

(. jJ 75 12_! l~ [yi

$ e . t i

!Y 01$ 015!

,y- l 1

14; y; 17l , -

l q_ g;

\

y; t

B1l8$l P! I g !!gii l.

i s

f i

[ g, j s!'AG- i[h.iE .

li!!

v t Y 3 Figure 3.2.1.2: Auxiliary Feedwater System Sheet 1 of 2 3 122

o , , .

r I* I*

ill ! i{ll! if ,, !!!i (C

s

)C

-(m v) (mC_ - (C -

)

- Ik1!! cy : Ik.1 cp-: I! Ik,1 ! !

cip-: lkt!!

, cp-:

I ,1 21 l ,1 21 : ,1 21 :

42_1 ,

) 1 4 1 3 $ %,

I

l, l l

Ii mXie- .(I met e

g _L j.jj _ _L.j.jj _ L @ __ _L Q _

!b ib ! b p ,. i

~ gi .

EE!!

$ !BI!p!p , ~f ! llII!jo l~% ,

$ aNII Eh l ENfi lll Il Il Il

~ ' ~

Ij

,17! ,@l Pi ,Fl P! ,17! Fi 1i, lEl i, l, ,

I i, i, i !

5 79 E

9 i ,9 ,f9 i E 9

5 g

t', t', t', '

1l i'. ' i' T'I.

l.

i

. 'oI l 7! F!. FI. 9 i i i I* i i I I a ls! = =

2si = i ti 1

! l 5 5 E

!T t

!? ![

t -

Figure 3.2.1.2: Auxiliary Feedwater System Sheet 2 of 2 3-123 j I

. . n T F ! h Ya l

I!

tti 1

\, I -

i s .! . w r

$ l "Sll 4, n.F "I! !$

a' (l "I! t......... .J g,_ t U 7,'

l f da #:

s) -

$;- hj -

[u , *

! 70 8 0 L

5 pY Iha !1-w!

{ g .Y Ifbl 3 %

(E (3

e :

7G lFE@[ ($)<3!

- lFE@J l

( n t

-@- ['9-F,, I ,,

[i] ( ;I v

1 e

[8) bbb'ef li) hb'f

@$' ht$'

I l V !zi I

i I

? !l

?-

7

b ; e w 3 e 43! bj' h

y A 3 U 4! '

W i EI! %

l 1 s 1 j >

ET,! !21 yhl y

l141 la ! !!ggll m, o2 "l

,, j;, t Vl -

y

4) 1 t ylt 8 9u x e

, .4, y i . I'

. g* ,j .

0 C (1 3 31 3 __

A n n A A 1

/}[- !((

I!

1: I 18!

lI ilj l1 lll 11 l![

11 v

Figure 3.2.1.3: Residual Heat Removal System Sheet 1 of 1 3-124

-v r - m qw --- -

-W~

e lijl I!jl e

11l1 e

lill e

-H N N H-k t!G:f F.*! -l 1 I l i E l

-H H e G)

}-Q-- >_ gg' -,-Q--{;}

I 8 f f!! CG:l4

[0Ml. l re ta H H-H r 12 12 -

1Z[ tz 9

% . I I ag a I g a g 3 g)l my gg --+ g s --F +~ ,N I 5 + -- y VI r i

j ~ 9 'I

! k r- , s 1" t- -r' 5 g y 3 :

^

?

k OI}

(D/

A

k. s i

-f j . OI! j H 3 3

I ; i w

} 3

~

lx lx l ' ,

5

r. i_ r,_ . 1. ;

[ i i rm [

$ 'l- J' 8 l l 5

eg*I

! .Eh, Figure 3.2.1.4: Station Service Water System Sheet 1 of 1 1

3-125

P.

n Q

\ lpa

-DO8 j

-]

i LP !s e , ,, -

.> " I r.s l(.

i m

o; 1; 0 y

j 1:

a; e,4 tios v.*

c a

5 ',I

_ _ , :!i , 2 t

c' =;

r r4 I) l.;. l.

Ig ;5 c{

e, ' {<

r - ,.

e tal r ;

\ >w .- . >:0 imj;9cjQr> lHy+qf33 4 e i 4

- niL .i s

o-- r >

=

, lC .t

- N o , $., . l0

i at ,, .

.,i 1 ,

, g{ k fi I/_ ; { e ,,? t "A s l .;,i EI! pb; jei 46 sI,;

i EI! 1~; f.t,); sI,;

T' 4

j ,.

i

. 1

- . + ,

4 J, *

( b (l

u' )1 E

)f.

b l l k

i i i l

/\ / 9

! l !

, >v4 'A l 8

I l >! I g ! t aI(, i > =

sI; 1 _- l n-le 1aI Iu yr i

I gf i l i f9 1 i i

g l _.

f. ., _. l 1. p 1 .. 1 s t.: I I

}! }!

.ra .=

xt :s, a*:Y- as:.

Figure 3.2.1.5: Containment Spray System Sheet 1 of 1 3 126

,s e. - ,

.- ,,, . . , . , -- --r,

1\

9 I l 7 i !l 1 l 9 :i; 't: G)-Hj: iL i

n , ._ N 'M . _.a

/

yl.

y Ef EIl h,t la lI

-l a -,!

.s ".

i I , Ie

' Oj; lZ FIl 8%{ EIL r c t L _J f ' F ;

7 zl 15! 15l ll.f IEf

.&. 7: '

., l ..l lI gg izj izl iz[ izl l l .,j .

. , g.r..g .., :.,. >; ), . i.,1

, . .l

'J'

[]Vg []I, [])g [l{ g

) --)i

^

l W[llOI!OI!OM! t "i t

i,s F ,

,7

,r Y IZI 15 ,l 15 l 15 l b l' 5

r ~

t;l bel 15! 15l _ _ _

eel ik! lZl ;p; IZl , l e %lexj u e t I Z! Ll ljI ljI - ~hk , ~

LI .. -

,, ,f

g -5.g ogI gl*

Ik WIl Q v l t : i

+

h

!!= yl .

M

. 1 lM 4 H4 I

N Figure 3.2.1.6: Chemical and Volume Control System Sheet 1 of 1 3-127

\

. J r

r m

\

)

J _ _ :

LV L nl i f /J I U's

&'11 i

h p

_] w, ,

T: ^f s s

\;

_.k.m^

-.3 V I Il, r

i si

)3-

)L

/

4 1 di' M ')l Q. '

\s ,/ *

/

_3

.],j/ Sl-bl

...7.........

(jl [

j 4) 4) +

se:l cE [

ei chi. -

. l- . l'. 8 8 xl xl l

ne 6 1 Xl xl 9 5 Il ll t i h I.

Figurc 3.2.1.7: Reactor Coolant System Sheet I of 1 3 128

. - = = * . .

Il fi fi f5 fi I! In Es

l *} *$ 'E *E *l *} *}

! I i I

r4/.l h"l ll r/l

, c, Fc/I _

d~'71m1 7 ! ; 1.7l17!

c- l l_ _ 3, _ _ _ _

ll 3 V 2 .t tzl tz!

I tz{tf tzt. tzt. tz! f tz L

. r/

f c,I ! " v.." -,I A I e7 E t

.{ e , - ,

i f! ft f! fi ff f .k .

! . .k - k -

k ,.! - ! . .. k

__ql EI. . EE,;i.

_ _j EIl s

I.1 g s1 =

!!} {,0

- ?

y I

.[

j - i

9-t Y. , I 7 4 at

h. 7 w-e.hf,

g lc" .*

I

{f]

K}-

R t

[T}

1

@ ! I I !

,, r-H- f.(w::

j e 5 fw:

[j 1L ! gra i;

'I E! Aq s:, ; !!

l~?l_;

E32i bs Y Iy e1 b 6%*

t i

i t

[l9 E

6 Figure 3.2.1,81: Safety Injection System Sheet 1 of 1 3 129

11 gg i it 5 t

'I o I 'l il i ll I;'I ! I I

! l 8l. _ _ _!

I l 5 lc__,l 12lj!

8l__ _

l l, CIe df l l Cl c l Ag 31 il % /

9!

!r! j YL 91

/

i hIl \ ! %,$

-H '

~ i l l' N. . . ,

l

.J

d. di p .dL h.. .;

e.l dl. dl d.l,

. .k. v.l 7

jg I Igl dl 4l ll l h gh 4l k I ! ! (

!! ll !! lll Il sg i Il ;

)

'I h t 'l !! t i I l,l iL tz'.j I I U

I i !. . i ! l,l 8L ;

tz)j kj

!7 l I '2!$ldl l tzl q[ d{

(! YL 4 ! (! VI 91

& y h__/ v "kI

-H .!

, j!

J - ..

y X E!

X

Idi gl el el

'gi ! d gl el al

( ll

) ( 1

!I hl !! l{l Figure 3.2.1.8-2: Accumulator Injection System Sheet 1 of 1 3-130 1

. . - . - _ . - - _ _ . - _ - - .._ l

- --.._ _ - .. - = - _. . . -- ._ - . - . . _ _ . .

a b I

$N l l 11

<gg S .,,, r g ._

iJl }v i 44{vj i ,-}<4 e i l ; I lh }

MOl3he J.y Ji, d' l si ;dl

J, g*j t g*i n 12l l! ! j n 1 gj l

                             .r.s ew iT]j"l!4 II 1:,            .

g( ! !! [id (, 8l': ! .. !I !

l ll4 1 h ! tE'.' l i J444l # ~ J--9.ch

                     -egg-{ ~}-{~}-ch                            @Tj                   ,
                                                                                                ?;?F                   ,         ?IF '

t.l, 12, u : - I tt ut i ; , Nl dl ' j - l oVU (Fl I '

                                                      'l                                                                       T                    '

mIt BIi~ ~ oli ' %'(l RIl

EIl 4 l 7

                                                                                                !                       ^l lI . l lI 4

4 *I i la TrEd lly lly

                                                                                                       %                     iiii '? 'i;I-d,i            tLi        1

[ l Y cet

mj _

o<i< 1 g,I

                                                                                                                                             ,'4 h It                  '            l'f i
                                                                               ,                          't' li0lf,Xl                                                            l 4

t p i*i ; 6 l N s i QQ @ I~

                                                                      E6l           ESh,                 e ll              lh                      .

i I'. Eglf-l f,c; t; l ,,,,%a ,M> i y i 16 is 16 s l 1

                                                                                                         <jjH           H               H f

i

                              '     )I    '

i!P 6 P-4TH ., H FL_}-ch

                                   /                                 !                                     i 3

r. l; i

                                                                                                           !      ll              li                      i Figure 3.21.9- Condensate red FeAlwater System JL            di           J.5 Shcet 1 of 2
                                                                                      ?-131

i (- _ l Q .l _/ Q !" s n

--g

.,. ntgi o

o-- 7g n 1-1g

            !                             E                                  n nf,                              n                        ,
                                                      -                        ~                                       --                               --
            ,      n      ,                         s                                         ,
            .,.           .,                                    .,                 e                        .,               e               .                e v         - t                             u_t                                            - t                                 -

s a, _ , a

                                                      =                              ,_

u a g<o - g < n -"; q i. -"7 : < e ; o . . . 4 : =

a S

E Or ! Y hI O {ef O {ef O{ef I! u I! i I!e I!

                         , - y                                o                                               - p t                                  ,
                                                                      /et                              v t                      t
                                                                                                                                               -g
                                - Ee    ~

L$r ,.

                                                                                                                    !t      ,
                                                                                                                                                     ;e
                                                                                                                                                            ~

I ofe!,0l.!o]!.,oll/=j,o}!o=l,di e 7 a e e N g _g Mb _. _ g ._ _ g

                                  $                                        $                                        s                                s
                                  .                                        1                                        1                                1 7                                            .                                        .

I*I o 8 o f . ?

                                                                                                                  .L E    -                                !.

t

l /,,\ se-- 8ry ay l Figure 3.2.1.9. Condensate and Feedwater System Sheet 2 of 2 3 132

iI ii ii !! OO OC 11 II ii ii O O O-O

   .,   O       '.

O l 0 1

                                                              . O s   u             s                 .

u i

                                        ?
                                       .?

,i ,i ,i - i . .3 .3 .3 y! ,I

              },1                                        ~},i y              y_                       y                 y                              ,,

I l l l 5

                  "k                     0}l                 O}{

"fp " p. "Q "fp Figure 3.2,1,10: Main Steam System Sheet 1 of 2 3 13;

i I

l 1 I a r .: r r ,3 ,s t4 I, Bdi. Bd;. Edi. . 8dl. @ii. Old. 0} 0}, 0} 01- 0} 0{-}

                                                       ,3              -,                     ..,       e .g   eq ext              sji            eXi       sAi        edt    e4i, ,

1 l

l I a g 1 1

g . l 2

                                                                                                               .r ~ I Nh              kj              @l        SXl        SXl Bih 4!   4 G!:            4!:      41:        G!   2 d    $

4l eX'i 8d SXl 40 %I

                                                                                                                                     .I li,E i'

I It i i CH><)- 1

                                                                                                                                  = 1; e

I 3., ) 1 l? 19 il? JR # ud Jd Figure 3.2.1.10: Main Steam System Sheet 2 of 2 3-134

I k :TF oah-I L i 5 ) \ e I I ! i 7 h f k f l I ! r a HjC,} . t.J

 != b+                                     g s
            $                 a         -el-                                           .s i.

i Ie2 b+ _ I j o mTp _ / \

 ,          iH i-l i

I i i g ! '"[

   "b*I   '
            't'
          !                                           "M i i        M ,b i                          T- -
                                                                                             !:1 -e=na      l' l-eIs    e i

i '. i 1 6 J ml g a i i!tyl I I s i i 5 IIr- l l= ht 19 l _ll_. l l' ' ! l _l}! i-s l I yW a g_ i

 !                                      ~~

9 9I I i I .i i ! i;g in bt 3

I i it J

                           !ie F^,    i I

i J el

                                                       !                 9 4i ob! 1  1
               *I'                                     8 l                                  !  8 i

ji

9?

II _ Tr -- is ; _ \ / e I g.l.

t 941::

9T "jO 14 I^3 14 i g IT 9

                                                                                               }!       <GI
                                                                                           ,   u.         , u.

f.- !f i It it 9.4 g -t40 r Figure 3.2.1.11: Circthting Water ystem Sheet 1 of 1 ll 3-135 _ - _ _ _ _ i

1 1 4 i 58

E

\x~

NT _/s ' 4 e .e i h'5 3 1 S k $ !

                                   -t      u i         t   il 3       3

{1 3 3 I

,t I

i e E O C O- p O ;O i y

   ;2 3-4
                 =

C C 5,

                                                                                            - ag E

A _ , _ = ; S, 3SO *> -- A 7 , A W 3E0 p -- > E k- p O h 3 e. 8_ o . n n <

EB ;jB ;{3" E5 as e." :: et p*'

               =:n aus t.A 2:       :n
                                                                                  >3       p*'
           .     :=                                                                 c=     .

, Figure 3.2.1.12: Reactor Protection System . Sheet 1 of 2 3-136

S B SA A # R P R Y K K B B O B g1 . / 7 T L 3 S L O O R R ST T M T N E N E O TS y S C n n" g V U , O Y C G D S D - O O W . R R P A B PI R R I RR K T B T BK c

                          ,                        l.(s V                           V U                           U T                           T S                           S r

lg _~ D D R SA R PO L SA SB AA PO L A B S C SB C L OH l S O N MO L A MO L L I A OR RT R TR OR R R FNO RT FN O T O O C C y9a F".".C.. E2S b8gc <%y . B N o.,- N yC4

4 8 [ 't : Illelnss ig. ! i

, .-/-bs

                                                                ?
                                                                       /

ly ' 5 . I ,:{ e .

, : I i i a

                 !                                                                  ~$                                                            }lX 3                                      ,

t : 8 e-- l i qH l

                                                       -/
                                                                ,      /

/- !}/-

I' die 8 * *I I jjj . i i-

                                              -                                        (@f s

j i e q rO 1

                                                       -/ s /

v il: j

                                                                                                               ,    t I                                 i -

l l l i i !!! a I t ) l ; l_ y v i ij v i j l -lr @ / /-{i}-/- 8, .- jg/j.I I j i3 3iI j , hl - 25 i v : Xft

                                                                                                                             .                      SH)ig
                                                       -/6./                                                 !               is                          i i; I.

i ls !

                                                                                                             .             i el Ee           q!!* i -

35 1* -] j

                                              "                                                                            . mfg.
                                                                                   -/                        !,                                     4 F--= '

g . . sH i i is =

l, ~/ E / / :: /- l. ! . . I.: - ]E 5" th

                 !                            s                 i 8                   I                     i*
                                                                                                                         -t n!i              !

l-a v E@} l:, a u it

                                                                                                                                                                . r.

]

! ! -/@P , s , "j i i iii e i j.

               !                             g
                                                                                      /g 6a j
                                                                                                 /-        ,

IIst ! 3 V-~ 2_ ' . . . - - ..................................._...j }j, F- . <, gas i ee

                                                                                                           ,                ,3.

2

                                                                                                                               *i           -

j '@e ' M6, b I 3

                                                                                                    .      ,       A    -W

ta' 8 i I i -

i I !!! 3 : 1 15! s-g a

                                   ))            .

a - a a gE-}lf

li 8

                                                           ' 4":.-                      ' vy's 2:
                                                      ~~'r h ?* '                              !!.                            .

a i : ) 1*Ti .! 5! g-l l l! a 3 d!gg :

3. .:

                                                                                                  - l; igl,        -I "nsI!

t c g alg. s. t . J - iH}:,s a x 8 E-. ; .3

              .                                                                                                    a     3                  .

_ _ L. ......... ......................... ..........) I .3 I 5 Figure 3.2.1.13-1: Offsite Power Distribution System Sheet 1 of 1 3-138

l 4 s Ig .

                                                ?                                              3           8 l'E t

3. e
II I ii lI g. -

8f 1

                                      ?                                                                                         E0 g          ,                                                                @<                       al
                          } C.                           .

e E ll - i

                                                         .      .i             i.                []s!

E ll E- - l

                                              !B        i F1                                                                            -

1 - I- LJ /] O i,I i 1 at n a av i iC L__J t j E- E- ej i :ti

                                                                                            .                                 Si i                                                                                            I

- lI In ex la i I ! **

                                               !                                          *g 3,                                                                             ej
                                                                                                              ' _j                    i i

ll g ii i

                         .          ;                                                                                         ,1 I

p"- il

                                                       !:     !a             I=             -

e E--ll - i

                                                       .!     .!.             !.                []! ;

E ll E- -

!E =

                         ;          5                                                                  E-                     !!

al s : i a n v l ! LJ c T l I :5j i; Ih In Figure 3.2.1,13-2: AC Onsite Power Distribution Systtm ! Sheet 1 of 2 (Class IE) 3-139 \ l l

                                                                       - . . _ _ _ . - .,                            . . . . . .        .-   ~ . , , , _ . . _ . , .

i i fi

                                                               ,                                                                   L O,-

. . , o;

                   'I E                                   a        a
                                                                              ,           ,I E-           I i

' . u _

.{

lt y s e1- u 1 J J

                                                                                                                                                      .i I

e i

                      -            I i                                    e                                                                                                                   .

! ' ' ~E ! ! ! E hl l ; E ll E-43: I

li h

p 11

                                                                                            .l.
                                                                                            }'

t, 3 e'

' ig ,

p 4 5 - Lg_ : ili

                   ',;j! E'                                         .;      .
                                                                             ;          j                             E                  E-         II ll        E-                                                            .

ais-

O LJ g II Y*

] I I i. i 3 k i

                   ,l, r- I                                                                                                                =

LJ

                    .s '                                           .!       .!          A i,{s
                    .             i                                         ll        E~

f-e E E E-I ii l 2 i !:

e-l.

3 i i s . E i. E - 1:- E- ;n-

a vg is- 1 1

Figure 3.2.1.13-2: AC Onsite Power Distribution System Sheet 2 of 2 (Non-Class IE) 3-140 _ . . . . - . _ . . _ _. - . - . . _ . . _ - - - _ - ._.. . .. - - . . .. .~ .._.._ _

1 I I Il'

                            'l i _a l IILo'
                                                                                                   'l i _a l

La_

                                      ,_         _s_                                                          c_.         _s_

I " i

                                     ?                            '
                                    !i                                                                      !i 1

m m 4 .

l l I ,li , ,li ,

l ,li f, , li-mi Fo- -m LI Il-mi LI

      'l-mi I

Fu-tc_

                                               -m- _a_.
                                                                                           ?-m 7
                                                                                                                          ,Lc_

_a_m i s r-

                                                                               'l-mi 1

Fu- e r- -m-i

lI l !
lI l

 ,                                  li-
                                    .                                       .                              /,1                                .

I lIlllF W lllllF W e

            !                                                                      I 1

m-.i a-.l

                 .j                     m-i                                              ;                      m-.

ij- 3f e-'i $f e-I ig i 3t e-,1 - 3t a-,'1 m-i e-i m-si , a-ei l u I g e i

                          !!                                                                     gi I

d-8 I

                                                                                                                     'i ?

a L- e i i wc l w t j li la i e i e

                               -a                                   i                                 -m                                 i e-                   m-    s r-                m-    s a                       t                                               a

! 8 i 8

                                        !i                                                                      !$

l 11 ! 11

      !!-mi t                                  I     'g.r                     Ji-mi Fo-- -m                             I fj-mi 7

l-m-

                               -m
                                        ,r-                  m-     i li-mi Fa-4_m-i
                                                                                                                ,r-

a a I a a i yt i- gi el el M i M l lllllF W lIlll.F M-

          }              l' l             !             I        Y                               !

1 !! 'I Figure 3.2.1.13-3: 125V DC & 118V AC Onsite Power Distribution System Sheet 1 of 2 (Class IE) i 3-141

i l' Rf i ~ i

                          !      iIl h i

i d,, rge a p i - g,8

                               -.                                             fllllb Y                    :

t e s : 8

  !!-E-           bE-.-

16

i

                                                                                             ,           1}

3 4 8' s g"{ l.i-=H Ho-i n._3 f lllll b M $! er

                     .!.             3(
    !j-a-{        }-a-                ;                                          ,

2 i 5 lllllF M llblh :

a e i 1: - lj-Ed FM-I -g fj-Ed l-- E -- I i I lllllF M !I ( N lIlllF M , 8 a E s i i 8 5

                             -a L         L                                              i 8

' E I e

i 12 E li-mH Fo-L i: E [

     ,5;-a-        Fu-          v;      f     a                                           ;
                                      .h r

E l

                             -u L         L i                    .        :

, 8: i 6 12 b

                         ;-             u e
                                                                .                       3e es r

Figure 3.2.1.13-3 125V DC & 118V AC Onsite Power Distribution System Sheet 2 of 2 "on-Class IE) 3-142

                                                                                                ,    , ,      , r- g , , , -,

J s 4 11 t I e i XI' i -

ll}

E i 2 1 2 I e + t 4 *

   !!          I                     I
                                          !!          II                                         !!         !          h!            M!!
   ;iG                 DG               Div          :iG               DG                     D;i is          6                     1 is         is          LJ                                      Cl                DC-                  D

is .

                    !          !

i 4 4 4 i 6 l 3l IA , i4 e. .

E i I : I i I : . f . 20 D;! . is 9 ji - D;! . Jh,i !4,l 14]4I si 9

                                                                                                                                                   .I
                                                          <!(G i                                                  i
        <3(I ,D5i ""                                         "I Dij '"

D DIi! l;i ., lAu, .

                                                   !Aa, i                                                        ,

i p

p - 4 vi { ., {! {'i : C D!'I G D!! G Dl n Al lg 'E XI-k;l'E 5 1l .

                                                                             !.                                               xi            t          .

1 A, 4

                          =                                                  =                                                                         ,i Yi           54                                    }!            ;9         je> +l l
        !iA  O                   Di!                      !iL  O                                     -                 -
                              , .:.             :.                              .D:il                                -

i A t

                                                                                ! ,i a

x,i

                                                                                                             } J,.!                                    I v                      '                          v                          !                    -

t

                                                                                                                                                      'Il 3                                                                                                                     s                            4}

i j h i ! IM ~

                                 !8 i
                                                                                                                               .v!

i

                                                                      !             I*                             I,                           I

! ! i 4 l 1 -s 11 E i I E 1 3 il t

            .f Il
                                                                      ![If l     -                                                  -                -

e; gi l 3i r! l / xr! ((

                                                                                                                                      !=                gl 8

l 8 i i

     !              i            g                      I            i              j                 'A                  i        iA i
                                                                                                                                                    ,1
         !!!      !              E!-                       !!! !                    E!-                      !*           !               !o-            $.

5-s 5 :r { 4 4 9 i= 9 w gi !9 33 i Figure 3.2.1.14: Instrument Air System (*2 t'I Sheet 1 of 2 3-143

s 3 0 3 2 0 N ,-C - 1 C C C 1 I 3 2 0 , 1 0 2

                     -                        .                                                                     3 C                     O .                                                                        9 C                     T o                                                                        1 N C P 1
                                             ,C    c                                                                C R         0                                                                C U .       1                                                                T T s E

P o

                                              ,.-                                       X 7
                                              -                                           0 2

1 t - s C . R e C . 7 t 1 0 u No o 3 1 5 3

                                                                        $ bC                    C N0C C
          -                                                                   T t

C i C i e 1 w o 1 2 8 8 0 C d4 y -0

                                                               -    ,   !     l. I        l ;   I     I fV                                  O 0                              C                    R C                              A     _              E L

9 C t O C

                                                               -   _              O C

1 7 R 4 6 3

P C _ E T R E 6 L 4 i4 4 _ N I O 3 f 6 v _ O_ 7 T C t -_

   -                            -                                  _                                    S 1                                                                -                                    l 1                                                   R                     1

_ E , _ _ L A_ O O _. f 1 _ C _ O - , 0 L O _ O C , j L C A l I i ; l A S C 8 u l l C C I I I 1 P - _P 3 C C 0 N1 C C 1 4 0 4 4 6 5 6 3 3 4 b0 { C iN0 Y-C fL

                                                                          - C v

C C P 1 I 1 5 4 6 0 5 4 0 V C d1C [ P C

                   -                                                         T 1

0 . 0

2 x ,-

                                           ;C C

t s 0

0 0 P s C 0 C C r. m s m _ e m

                         % cN, u J . e ._ae&soUn                 ,          *3 ga o O'o t  t

. maab

. d

g r 1.r *i 5

      *l                                   5          !                         #l
                                           !          !                            l H          H                              .

p- ,,. .i.

                                                                          @3                              i, s$.                I!.!
                             ,y                                                        l
                                                                                       .                  E E,"
                          .1                                                                           O1 e:

v e: ,

                                                                                                    . - - )--_

i i~'_. l E . (h !ty e i (;% i !? HFh k Y 7 !.CF l 5-t 0 X 3 qi fl $ i ,l.

            ,     I.                                                                   g
                                                                                                 ~
            ; Elf-                        !          i                                 t S 55                          s          i                            "E M          M                                       E[.

8! EI{e! Ef 5 z!

   .i                                                                       .

I I n {k f( s El H i H i Xi Ui As t71 e e

.i.

A: a

:, t.

f.!

         -g               .e A
                                                                                 !. .5E
         =.            57
             .        Of ?                                                       s .g, .
         !:]?

a 'tr : 9'? l_#\s?

I f i i

4 /n T N :

                                         'M     N:            i E    M 8

i i i S 9 5 I -C)<3 - g X ,H X t 2 l25 i b I. 4 i

             -        G{'5 a2;           1a1 i*                   Figure 3.2.1.15: Safety Chilled Water System Sheet 1 of 1 3-145

3.2,2 System Analysis

We method used for determining a system unavailability in the IPE project is the Fault tree Analysis. For each system analyzed, a corresponding plant-specific system fault tree model was developxl. He computer program used for the fault tree evaluation was CAFTA (Ref. 5). ne equipment (standby and operating) unavailabilities incleding the unavailabilities caused by component failure (independent failure and dependent failure), human error, and component in test or maintenance were considered. The IPE Component Failure (independent failure) and Comn.on Cause Failure (dependent failure) data bases (Ref. 4) consist of component failure rates and demand probabilities for both standby and operating components. The data was stored as the IPE type code (TC) file in the CAFTA software for calculating the component unavailabilities. He equipment unavailabilities due to human errors including both latent and dynamic human errors were also considered (Ref.12), and incorporated into the system fault tree models. To quantify the component unavailabilities caused by test and maintenance (preventive nd co Tective), both the frequency and the duration of the test and maintenance are necessary. The test and preventive maintenance frequencies and durations for various components were obtained from the plant data base for scheduled maintenance called MMCP (Managed Maintenance Computer Program). For the unavailability caused by corrective maintenance, both operating and standby components were considered. He PLG gener' data base (Volume 3 of Ref.1) is the major data source used for determining the corrective maintenance frequencies and durations. Since maintenance durations appeared to depend much - more heavily on technical specifications than on component type, the data of maintenance durations in the PLG generic data base were categorized based on the technical specifications (i.e., allowable time out of service). The system analyst first examined th: plant technical specification for a component at certain plant operating condition, then determined the maintenance duration by using the data base. Due to the lack of plant-specific data for the CPSES Unit 1, the development of the IPE data base was heavily dependent on generic data. The generic data used for component failure rate, the corrective maintenance frequency and duration,'and the initiating event frequency follow. 3-146

Table 3.2,21: Generic Data FOr CPSES Unit 1 CornpOnent Failure Rates COMPONENT / FAILURE MODE FAILURE UNIT

DATA SOURCE CODE RATE ROTATING EQUIPMENT CillLLERS (CU) FAIL DURING OPERATION 9.44E-05 H PLD4500 VOL2 FAIL TO START 8.07E43 D PLO4500 VOL2 COMPRESSORS AIR FAIL DURING OPERATION 9.8 t E-05 H PLc4500 VOL2 (PA)

FAIL TO START 3.29E-03 D PLO4500 VOL2 DIESEL GENERATORS FAIL TO START 2.14E 02 D PLO-0500 VOL2 (DO) FAIL DURING FIRST HOUR 1.70E-02 II PLO4500 VOL.2 FAIL AFTER FIRST HOUR 2.5 t F-03 H PLO4500 VOL2 FAN, SMALL FAIL DURINO OPERATION 7.84E46 H PLO 0500 VOL.2 (VENTILATION)(FN) FAILTO START 4.84 E-04 D PLG-0500 VOL2 M.D PUMPS, FAIL DURINO OPERATION 3.36E45 H PLO4500 VOL.2 OPERATING (PO) FA't TO START 2.35 E43 D PLO-0500 VOL2 M D PUMPS, FAIL DURING OPERATION 3.42E-05 H PLG4500 VOL2 STANDBY (PM) FAIL TO START 3.29E 03 D PLD4500 VOL.2 PUMPS, TUR31N E- FAIL DURINO OPERATION 1.03E43 H PLO-0$00 VOL 2 DRE ;N(PT) ) FAIL TO START 3.31E-02 D PLO4500 VOL2 AIR COOLER (AC) FAIL DURING OPERATION 1.00E-05 H IDCOR IPEM 2.4-1 A FAIL TO START 2.93E-03 D IDCOR IPEM 2.4-1 A VALVES AND DAMPERS DAMPERS, M ANU AL lllANSFER OPEN/CLOSE 4.20E48 H PLO-0500 VOL2 (DX) DAMPERS, MOTOR. FAIL ON DEMAND 4.30E43 D PI44500 VOL 2 OPERATED (DM) TRANSFER OPENICLOSE 9.27E-08 H PLO4500 VOL2 DAMPERS, FAIL ON DEMAND I 52E 03 D PLO4500 VOL2 PNEUMATIC (DA) TRANSFER OPEN/CLOSE 2.67E47 H Pla-0500 VOL2 VALVES, AIR- FAIL ON DEMAND 1.52E43 D PLO4500 VOL2 OPERATED (VA) TRANSFER OPEN/CLOSE 2.67E-07 H PLO4500 VO' V ALVES, CllECK FAIL ON DEM AND 2.69E-04 D PLO4500 VOL.2 (OTHER THAN STOP VALVE.9) OROSS REVERSE LEAKAGE 5.36E47 H P!44500 VOL2 TRANSFER CLOSED /PLUO l .04 E-08 H PLU-0500 VOL2 , 3-147

Table 3.2.21: Generic Data For CPSES Unit 1 Component Failure Rates COMPONENT / FAILURE MODE FAILURE UNTT' DATA SOURCE CODE RATE VALVES CHECK FAIL ON DGIAND 9.13E 04 D Pt44500 VOL.2

~_

(STOP VALVES) (vr) CROSS REVERSE LEAKAGE 5.36 E-07 H PLO400 VOL2 TRANSFER CLDSED/ PLUG 1.04 E-08 H PLO4500 VOL2 VALVES. ELECIRv- FAIL ON DEM AND 1.52E43 D PLD400 VOL2 HYDRAULIC (EXCElrr - TURBINE STOP/ CONTROL TRANSFER OPEN/ CLOSED 2.67E-07 H PLO-0500 VOL .2 VALVES)(VID V ALVE3, M ANUAL TRANSFER OPEN/ CLOSED 4.20E 08 H PID400 VOL2 (VX) FAILTO REPOSITION 1.00E44 D IDCOR IPEM 2.4-1 A VALVES, MorTOR. FAIL ON DEMAND 4.30E-03 D P144500 VOL2 OPERATED (VMJ TRANSFER OPEN/CLOSE 9.27E48 H PLO4500 VOL2 VALVES, RELIEF (2 FAIL TO CLOSE 8.88E-03 D PLO4500 VOL2 STAGE TARGET ROCK) (VK) FAIL TO OPEN 9.03 E-03 D PLO4500 VOL2 V ALVES, RELIEF FAILTO OPEN 2.42E45 D PLO-0500 VOL2 (OTHER THAN PORY OR S AFETY VALVES) TRANSFER OPEN 6.06 E-06 11 PLO-0500 VOL2 VALVES, (PORV) (VP) FAIL TO CIDSE 2.50E-02 D PLO4500 VOL2 FAIL TO OPEN 4.27E-03 D PLO4500 VOL2 TRANSFER CLOSED /OPEN 2.67E-C7 H EXPERT OPINION SIMILAR TO AOV VALVES, SAFETY FAIL TO OPEN 3.28E-04 D PLO4500 VOL2 (VF) FAIL TO RESEAT AFTER 2.87E4 D PIA-0500 VOL2 STEAM RELIEF - FAILTO RESEAT AFTER 1.00E-01 D PLO4500 VOL2 WATER RELIEF FAIL TO RECLOSE I .00E D IDCOR IPEM 7 4 l A V ALVES, SOLENOID FAIL ON DEMAND 2.43E 3 D PLO-0500 V6.. (VS) TRANSFER OPEN/ CLOSED 1.27E-06 H PLO4500 VOL.2 VALVES, TURBINE FAIL ON DEMAND 1.25E44 D PLO@00 VOL2 STOP/ CONTROL (VU) TRANSFER CLOSED 2.88E-05 H PLD4500 VOL2 7RANSFER OPEN 1.24 E-05 H PLO4500 VOL2 3-148

Table 3.2.2-1: Generic Data For CPSES Unit 1 Component Failure Rates COMPONENT / FAILURE MODE FAILURE UNT!* DATA SOURCE CODE RATE PRESSURE VESSELS ACCUMULATORS, RUPTURE /LEAA 2.46E46 H PLO 0500 VOL.2 SCRAM HEAT EXCHANGERS RUFTURE/ LEAK 1.95 E-06 H PLO4500 VOL2 000 PIPES (GREATER RUITURE/ PLUG (PER SECTION) 8.60E-10 H Pt44500 VOL2 THAN 3-INCH DIAMETER) (PP) PIPES (LESS TilAN 3- RUPTURE / PLUG (PER SE LTION) 8.60E-09 H PLO4500 VOL.2 INCH DIAMETER)(PT) TANKS, STORAGE RUPTURE / LEAK 2.66E-Os H PLO-0500 VOL.2 (h*) EXPANSION JOINT RUPTURE 8.60E-09 H CRYSTAL RNER 3 (EJ) PRA FLOW ELEMENT (FE) PLUG / RUPTURE 3.00E 08 H CRYSTAL RNER 3,

                                                                                        ' PRA FLEXIBLE HOSE (F!t)    PLUGMUPTURE                     3.00E 07         H                CRYSTAL RIVER 3 PRA FLOW ORIFICE (OR)      PLUO/ RUPTURE                   3.00E48          H                IDCOR IPEM 2.4-t A NOZZLES, STRAINERS, SUMPS, AND FILTERS FILTERS, AIR           PLUG                            5.83E 06         H                PLG-0500 VOL.2     ,

FILTERS. PLUO 3.54E 05 H PLC-0500 VOL2 COMPRESSED AIR' FILTERS, OIL PLUG l.76E-05 H PLG-0500 VOL2 REMOVAL FILTERS, PLUC 1.07E46 H PLO-0500 VOL.2 VENTILATION (FV) ' NOZZLES, PLUG 7.06E48 H PLO4500 VOL2 CONTAINMENT BUILDING SPRAY / (ONE TRAIN)(NZ) STRAINERS, SERVICE PLUG 6.2 t E46 H PLo-0500 VOL2 WATER (FL) SUMPS, PLUG 1.00E-05 H Pic 0500 VOL.2 CONTAINME.VT (5U) TRAVELING SCREEN FAIL TO OPERATE 2.71E-05 H PLG4500 VOL2 (TS) 3 149-

Table 3.2.2-1: Generic Data FOr CPSES Unit 1 Component Failure Rates COMPONENT / FAILURE MODE FAILURE UNIT

DATA SOURCE CODE ,

RATE ELF 4TR] CAL EQUIPMENT BA1TERIES,125V DC FAIL ON DINAND 4.84E44 D PLD-0500 VOL2 (BT) FAIL DURING OPERATION 7.53 E-07 H PLO4500 VOL2 BA1TERY CH ARCERS FAIL DURING OPERATION 1.86E-05 H PLO4500 VOL2 (BC) BISTABLES (BI) FAIL ON DEMAND 3.89E-07 D PLO-0500 VOL2 SPURIOUS OPERATION 2.21 E46 H PLO-0500 VOL2 BUSES (BU) FAIL DURING OPERATION 4.98E-07 H PLGO500 VOL2 CABLES, cot (TROL FAIL OPEN OR SHORT 4.64E 06 H PLO-05r VOL2 (CA) CIRCUTT BREAKERS - FAIL TO CLDSE 1.6 t E-03 D PLO4500 VOL2 (> =480V AC)(BA) FAIL TO OPEN 6.49E-04 D PLO O500 VOL.2

                       ~RANSFER OPEN                  8.28E-07                      H      P144500 VOL2 CIRCUIT BREAKERS        FAIL TO CLOSE                 2.27E44                       D      PLO-0500 VOL2

(<480V AC)(BB) ~ FAIL TO OPEN 8.39 E-04 D PLG-0500 VOL2 TRANSFER OPEN 2.68E47 H PLO4500 VOL.2 FUSES (FU) FAIL OPEN 9.20E-07 H PLO-0500 VOL.2 INVERTERS (IV) FAIL DURING OPERATION 1.83E45 H PLO 0500 VOL2 MOTOR FAIL DURING OPERATION 3.59E-05 H PLO-0500 VOL2 GENERATORS (MG) POWER SUPPLIES FAIL DURING OPERATION 1.33 E-04 II PLA4500 VOL2 (+ 120V DC ESFAS) (PD) POWER SUPPLIES FAIL DURING OPERATION 5.33E 05 H PLO4500 VOL2 (+5V OR +25V DC ESFAS)(PS) REACrOR TRIP FAIL ON DEMAND 1.77E 03 D PLO4500 VOL2 BREAKERS (SB) SHUNT TRIP COILS FAIL ON DEMAND 1.40E44 D PLO-0500 VOL2 .(SY) UNDERVOLTAGE FAIL ON DEM AND 2.75 E-03 D PLO-0500 VOL2 COILS (UY) RELAYS (RM) FAIL ON DEMAND 2.41 E-04 D PLOA500 VOL2 FAIL DURING OPERATION 4.20E47 H PLO-0500 VOL.2 3 150

Table 3.2.2-1: Generic Data FOr CPSES Unit I Component FalluTe Rates COMPONENTI FAILURE MODE FAILURE UNTT* DATA SOURCE CODE RATE SWTTCHES, FAIL ON DEMAND 2.40E45 D PLO4500 VOt. 2 PUsilBUTTON TRANSFORMERS FAIL DURING OPERATION 1.56E-06 H P!44500 VOL.2 (> = 4.16KV)(TR) TRANSFORMERS FAIL DURING OPERATION 6.87E-07 H Pt44500 VOL.2 ( < 4.16KV. > = 480V) (TM) TRANSFORMERS, FAIL DURING OPERATION 1.55E46 H PLO-0500 VOL.2 INSTRUMENT (< 480V, > =120V) (TD AUTOMATIC FAIL TO TRANSFER 2.30E46 H SHEARON HARRIS TRANSFER UNTT (AT) RELAY COffTACT F AIL TO OPEN/CLOSE 3.00E44 D IDCOR IPEM 2.4-1 A SPURIOUSLY OPEN/CLOSE 2.40E-07 H OCONEE PRA TABLE B-1 TIME DELAY RELAY FA1TO TRANSFER 3.00EC4 D IDCOR IPEM 2.4-I A (RT) TRANSFER PREMATURELY 6.00E H IDCOR IPEM 2.4.l A RELAY COILS (RY) FAIL TO 3.00E46 D IDCOR IPEM 2.4-1 A DEENERG12ERNERGIZE SPURIOUSLY DEENERG1ZE 3.00E-06 H IDCOR IPEM 2.4.l A TERMINAL BOARD SHORT/OPEN CIRCUTT 3.00E-07 H IDCOR IPEM 2.4-I A (TR) ELECTRONIC EQUIPMENT SIGNAL MCDIFIERS FAIL DURING OPERATION 2.94E-06 H PLO4500 VOL.2 (MS) TRIP LOGIC FAIL ON DEMAND 8.52E45 - D PLO4500 VOL.2 MODULES (SS) FAIL DURING OPERATION 2.70E.06 H PLO4500 VOL 2 INSTRUMENTATIOM 5%TTCHES, FAIL ON DEM AND 2.69E44 D PLO 0500 VOL.2 PRESSURE (SP) OPERATE SPURIOUSLY 3.40E.07 H OCONEE PRA TABLE B-1 TEMPERATURE NO OLTTPtTT 3.4 t E46 H PLO4500 VOL.2 MONITOR LOOPS TRANSMTTTERS, FAIL DURING OPDtATION 6.25 E-06 H PLO4500 VOL.2 FLOW (TF) 3-151 _ _ _ _ _ _ I

4 s Table 3.2.2-1: Generic Data For CPSES Unit ! Component Failure Rates COMPONENT / FAILURE MODE FAILURE UNTT* DATA SOURCF. CODE RATE . TRAN sMITTERS, FAIL DURINO OPERATION 1.57E-05 H PLc4500 VOL2 5 LEVE'., (TL) TRAb SMTITERS, FAIL DURINO OPERATION 7.60Eu H PLO4500 VOL.2 PRE & .URE (TP) LIMTT SwTTCH (SI) FAIL TO OPERATE I .00E-04 D IDCOR IPEM 2.41 A OPERATE SPURIOUSLY 4.70E4 H OCONEE PRA TABLE B-1 J LEVEL SWTTCH FAIL TO OPERATE 2.40E-04 D OCONEE PRA TABLE (SL) BI OPERATE SPURIOUSLY 1.57E4 H SHEARON ilARR15 1-MANU AL 3%TTCH FAIL TO OPERATI 3.00E-05 D IDCOR IPEM 2.4-1 A (sM) OPERATE SPURIOUt'.Y 1.30E4 H OCONEE PRA TABLE B1 TORQUE SWTTCH FAIL TO OPERATE I .00 Eel D IDCOR IPEM 2.4-1 A (Sq) OPERATE SPURIOUSLY 3.40E-07 H OCONEE PRA TABLE .: B-l 9 TDtPERATURE FAIL TO OPERATE I .00E44 D IDCOR IPEM 2.4-1 A SWTTCH (ST) OPERATE SPURIOUSLY 3.40E.07 H OCONEE PRA TABLE B-1 TEMPERATURE FAIL HIOH/ LOW RESPOND 3.00F 06 H IDCOR IPEM 2.4 I A TRANSMTTTER (TI) SCRAM RODS - SINGLE SCRAM ROD FAIL ON DEM AND 3.20E45 D PLO4500 VOL2 (PWR) (SC) a 4 3-152

              ,         -.                         ,     ~            .-
                                                                          .n   ..n.                 .-,-.m-. ,

Table 3.2.2-2: Generic Data For CpseS Unit 1 Maintenance Frequencies and Durations NO. COMIONENT TECHNICAL MAINTENANCE MAINITNANCE SPECIP. CATIONS rREQUENCY DUkATION (HOURS) (EVENTS / HOUR) 1 CHILLERS NONE 1.3819E 04 469.7 5 24 HRS l.3319E-04 6.3 48 OR 72 HR$ l.3819E44 13.1 168 OR 336 HR$ 1.3819E-04 37.2 2 COMPRESSORS NONE 2.93 tlE44 38.5 s 24 HRS 2.93 t lE-04 6.3 48 OR 72 HR$ 2.9311E44 13.1 168 OR 336 HRS 2,9311E44 37.2 3 LARGE FANS NONE 1.4727E44 38,5 s 24 HRS 1.4727E44 6.3 48 OR 72 HR$ 1.4727E44 13.1 168 OR 336 HRS 1.4727E 04 37.2 4 SMALL FANS NONE 2.0897E44 38.5 5 24 HR$ 2.0897E44 6.3 48 OR 72 HR$ 2.0897E44 13.1 168 OR 336 HRS 2.0897E-04 37.2 5 DIESEL GENERATORS NONE I.0270E43 38,5 5 24 HR$ l .0270E-03 6.3 48 OR 72 HR$ 1.0270E43 11.1 168 OR 336 HR$ 1.0270E43 37.2 6 HEAT EXCH ANGERS NONE 4.1453E45 583.1 5 24 HRS i 4.1453E45 6J 48 OR 72 HRS 4.1453 E-05 13.1 168 OR 336 HRS 4.1453E-05 37.2 7 OPERATINO SERVICE NONE 3.3459E44 266.3 WATER PUMPS 5 24 HRS 3.3459E44 7J } 72 IIR$ 3.3459E-04 11.1 168IIRS 3 J459E-04 28.7 8 OTHER OPERATING NONE 1.5790E-04 266.3 PUMPS 5 24 HRS 1.5790E44 7.5 72 HRS 1.5790E-04 11.1 168 HRS 1.5790E-04 28.7 9 STANDBY MOTOR- NONE 1.1670E-04 2663 DRIVEN PUMPS s 24 HRS 1.1670E44 7.5 72 HRS l.1670E-04 11.1 168 HRS 1.1670E44 28.7 10 STANDBY TURBINE- NONE 4.1928E44 2663 DRIVEN PUMPS S 24 HRS 4.1928E-04 7.5 72 HRS 4.1928E44 11.1 168 HRS 4.1928E44 28.7 11 POSrTIVE NONE 6.3703Een 266.3 DISPLACEMENT s 24 HR$ 6.3703E46 7.5 PUMPJ 72 HRS 6 J703E-04 11.1 168 HRS 63703E44 28.7 3-153

 . - . . . - - - - . . - . . -- .                  -   -          ..         - - _..                          . . . - - - - - . - ~ .                                                 . - -        ..

i-Table 3.2.2-2: Generic Data For CPSES Unit 1 Maintenance Frequencies and DuratlOns (continued) NO. COMPONENT TECHNICAL - MAINrENANCE MAINTENANCE - SPECIFICATIONS FREQUENCY . DURATION (HOURS) (EVENTS / HOUR) 1 CHILLIRS NONE 1.3819E44 469.7 s 24 HRS 3.3819E44 6.3 48 OR 72 HR$ l.3519E-04 13,1 165 OR 336 HRS l.3819E44 37.2 i' 12 VALVES NONE i 1382E-05 132.3 s 24 HR$ 2.7382E45 4.1 72 OR 168 HRS 2.7382E.05 18.9 13 BATTERIES, RATTERY NONE 2.4948E45 38.5 CHARGERS. AND s 24 HRS 2.4948E 05 6.3 INVERTERS. 48 OR 72 HRS 2.4948E-05 ' 13,1 168 OR 336 HRS 2.4948E 05 37.2 14 BUSES NONE 2.6586E-06 38.5-5 24 HR$ 2.6586E46 61 48 OR 72 HRS 2.6586E46. 13..

                                                             ' 168 OR 336 HR$                        ' 2.6586E46                                 37.2 15    TRANSFORMERS          NONE                                     4.4037E-06                               38.5 s 24 HR$                              . - 4.4037E 06                               6.3 48 OR 72 HRS                             4.4037E.06                                13.1 168 OR 336 HR$                           4.4037E-06                               37.2 16    371 TAINERS           NONE                                     9.2738E-05                               38.5 s 24 HRS                                 9.2738E45 .                               6.3

, 48 OR 72 HRS . , 9.2738E-05 13,i 168 OR 336 HR$ 9.2738E 05 37.2 17 OAS TURBINES NONE 1.9213E44 - 38.5 5 24 HRS - 1.9213E-04 6.3 48 OR 72 HRS - 1.9213E44 13.1 168 OR 336 HRS ' l .9213 E 04 - 37.2 3-154

I Generic Data Used for the Initiating Event Categories:

1. Excessive LOCA (> > 6").

d Freq. = 2.66E-07 yr 8 (Volume 6, Ref,1).

2. Large Break LOCA (> 6").

Freq. = 2.03E-04 yr8 (Volume 6, Ref.1).

3. Medium Break LOCA (> 4" and < = 6").

Freq. = 4.65E-04 yr (Volume 6, Ref.1). 4 Small Break LOCA (> 2" and < = 4"). Freq. = 5.83E43 yr8 (Volume 6, Ref.1).

5. Vary Small Break LOCA (< = 2").

Freq. = 1.26E-02 yr8 (Volume 6, Ref.1).

6. Loss of Condenser Vacuum.

, Freq. = 1.18E-01 yr8 (Volume 6, Ref.1).

7. Steam Generator Tube Rupture.

Freq. = 1,18E-01 yr5 (Volume 6 Ref.1),

8. General Plant Transients. Including:

Reactor Trip. Turbine Trip. Excessive Feedwater Flow. Closure of One MSIV. Inadvertent Closure of All MSIVs. Core Power Excursion. Loss of Primary Flow. Freq. = 1.90E-00 yr8 (Volume 6, Ref.1). 3-155

                                        -                  - v r-- -. , , , , ~~,,-    -.v-

, 9. Inadvertent Safety Injection Signal. Freq. = .E 79E 02 yr' (Volume 6, Ref.1).

10. Main Steam Line Break. Including:

Steam Line Break Outsue Containment. I - Steam Line Break Inside Containment. 4 Inadvertent Opening of Main Steam Relief Valves. Freq. = 1.07E-02 yr5 (Volume 6, Ref.1). i

11. Loss of Main Feedwater. Inc.udmg:

] - Total Loss of Main Feedwater. Partial Loss of Main Feedwater. Freq. = 1.29E-00 yr8 (Volume 6, Ref.1).

12. Loss of a DC bus.

Freq. = 3.35E-02 yr8 (Volume 6, Ref.1). 4

13. Loss of Off-Site Power.

Freq. = 3.50E-02 yr' (NSAC/166, Ref. I1).

14. Loss of Non-Vital AC Bus.

Freq. = 8.23E-02 yr (Volume 6, Ref.1). A

15. Loss of Safeguards Bus.

Freq. = 8.36E-02 yr5 (Volume 6, Ref.1). 4

16. Loss ofInstrument Air.

]. Freq. = 2.02E-03 yr' (Volume 6, Ref.1). 3-156 4

                                              -r                    -

rw - + c

3.2.3 System Dependencies This section discusses the functional interdependencies among the various systems. A depenhncy matrix showing the functional interdependencies fer all front line and support systems is presented in Table 3.2.31. His section also includes a discussion of the dependencies caused by systems that are shared between the units. All systems dependencies were explicitly modeled in the analysis. Each system notebook contains a section that lists all system dependencies and interfaces and indicates the segment in whi.h these are modeled. Table 3,2,3-1: CPSES System Dependency Matrix FRONTLINE SYSTEMS SUPPORT SYSTEMS ac cs s1 RH CT AP IV M3 sw CC CH & D C1 CW 8* 1 1 1 6 _ 4 1 CC 1,4 1,4 3 1 1 4 2- 2 1 U P m 2 2 2 2 2 2 2 P O u 3 3 3 3 3 3 3 3 3 3 3 3 3 3 R . T u 5 5 5 5 5 5 5 5 5 5 5 _ 5 S Y a 3 3 3 3 3 3 3 - 3 S T E I'4 4 - M -I S m 3 3 _ 1 = Equipment cooling 2 = Room cooling 3 = Motive power 4 u Heat removal 5 = Signal 6 = Alternate water supply 3-157 l

COMPONENT COOLING WATER SYSTEM (CC): ; System Dependencies ne CC system receives motive power from the Electric Power System (Class lE 6.9kV). ! The CC room cooler units are powered from Class IE 480V MCCs and are cooled by CH. He CC system receives control signals from ES and the SW system,

The CC system interfaces with the following systems

CT - C'l pump seal cooling and CT heat exchanger . RH - RH pump seal cooler and RH heat exchanger i CH - CH chiller unit condenser UPS - UPS air conditioning condenser CS - Positive Displacement Pump buring oil cooler RC - RCP bearing oil, motor air and thermal barrier coolers C1 - Instrument Air Compressor Package Cooling ES - Control Room A/C units The CC Heat Exchangers are cooled by Station Service Water. Shared System Denendencies (includinc Unit to Unit) Piping connections are provided at the discharge of each pump and at the discharge of each heat exchanger that allow the Unit I and Unit 2 systems to be cross-tied. In addition, a third cross-tie line i allows the Unit 1 Train B pump suction and the Unit 2 Train A pump suction to be cross-ties. AUXILIARY FEEDWATER SYSTEM (AF): System Denendencies The MDAFW Pumps receive electric power from the luectric Power System (Class IE 6.9kV). The rmm cooler unit are powered by 480V Class IE power and cooled by CH.

The TDAFW Pump receives motive power (steam) from the MS system. The AF system ceceives control signals from ES and FW. The AF system flow control and isolation valves receive motive power (air) from the Ci system. 3-158

j. Shared Systems A portion of the main fealwater bypass system piping connected to the steam generator auxiliary nozzle is shared with the / ;ystem. RESIDUAL HEAT REMOVAL (RH):

System Denendencies The RH pumps receive motive power f n the Electric Power System (Class IE 6.9kV). The room cooler units are powered by Class IE 480V and cooled by the CH system.

The RH Heat Exchangers are cooled by CC. He RH system receives control signals from ES. The CI system provides motive power to RH system componenc. Shnred Systems The RII system shares the Refueling Water Storage Tank (RWST) with the SI, CS and CT systems. De RH systcm shares the RWST Isolation Valve ISI-047 with the SI and CT systems. The RH and SI systems share the downstrer.m check valve in each cold leg injection line and the downsts:am check valve in each hot leg injection line. The RH and CT systems share the two containment sumps, but have individual flowpaths from the sumps. He RCS pressure relief tank is used t,y valves 8708A and B. STATION SERVICE WATER SYSTEM (SW) Svstem Denendencies The SW pumps receive motive power from the Electric Power System (Class 1E 6.9kV). SWIS cooling. is provided by Class IE 480V exhaust fans. The SW pumps are actuated by signals from the ES and train-related CC system. The SW system provides cooling water to the following systems. CC - CC heat exchangers 1

             -CS         -

CC pump lube oil coolers l l 3-159 i I I'

    ,                        .,             ,.       .      .,  . - - , . , . - - . . , . . -         m,,,... - - - , _ - ,_ . , . . . ..- .. -

SI .- SI pump lube oil coolers CT - CT pump bearing coolers EP - Diesel Generator Jacket w?er cooler AF - Emergency AF Water Supply ne CW system provides makeup water to the SWIS. Unit to Unit Shared System Dependencies Both Unit Service Water systems share the Service Water Intake Structure located on the Safe Shutdown impoundment. Both Unit systems share a common screen wash system with multiple suction and discharge cross-ties. Cross tie connections in each unit system enable either train in one unit to be connected to either train in the other unit. CONTAINMENT SPRAY SYSTEM (CT): System D,fptndencies and Interfaces ne CT pumps receive motive power from the Electric Power System (class lE 6,9 kV) The CT pump seals are cooled by the CC system. The CT pump bearings are cooled by the SW system. The CT pump room cooler units are powered by Class IE 480V and cooling supplied by the CH system, The CT system receives control signals from the ES system l Shared System Dependencies He CT system shares the RWST with the SI, RH and CS systems. The CT system shares RWST Isolation Valve 1S1047 with the SI and RH systems, i The CT and RH systems share the containment sumps, i l l l 3 160 L

5. . .__ _ - .

( ~ CHEMICAL AND VOLUME CONTROL SYSTEM (CS): e System Denendencies and Interfacts De Centrifugal Charging Pumps (CCPs) (Class IE 6.9kV) and the Positive Displacement Pump (PDP) (Class IE 480V) receive motive power from the Electric Power System. The CS system provides seal water to the Reactor Coot nt Pumps. The seal water flow control valve receives air from the CI system. The PDP bearings are cooled by the CC system. He CCP bearings are cooled by the SW system. The CCP room cooler units are powered from Class IE 480V and cooling water is supplied by the CH system. The PDP room cooler unit is powered from non IE 480V and cooling water is supplied by ventilation chilled water. The pumps receive control signals from ES. l The CS system maintains RC system level during normal operation. The CCPs provide high head flow to the RC system on an "S" signal, ne Boric Acid Transfer systems, a sub system of the CS, provides emergency boration of the RC system. Shared System Denendenchs ne CS system shares the RWST with the RH, Si and CT systems. RLACTOR COOLANT SYSTEM (RC): System Denendencies and interfaces f he RCPs, (Non Class IE 6.9kV) the PORY black valves (Class IE 480V) and the pressurizer heaters (Class IE 480V) receive power from the Electric Power System. The PORVs receive motive power from the Nitrogen Gas System. He CC System provides cooling the RCP motor air toolers, upper and lower bearing lube oil coolers, and the thermal barrier. The CS system provides seal injection to the RCP seals. 3-161

       .___-__ _-.           --                                                                          a

The pressurizer spray valves reed-e motive power from the instrument air system, 1 The RCS interfaces with the ECCS system, the main sten system and main and auxiliary feedwater.

4 S AFETY INJECTION SYSTEM (SI): System Dependentie?. At)d interfaces - The SI pumps receive motive power from the Electtic Power System (Ciass IE 6.9kV). The SI pump room coolers are powered by Class IE 480V supplied by CH. The SI pump bearingsce cooled by the SW System. The pumps receive control signals from ES. The Si pump provide intermaliate lead injection and recirculation Pow to the RC system. The class IE 125 VDC system provides control power to the Si system. 9 Shared System D,gpfndttdt6 : The SI system sharez the RWST with the RH, CS, and CT system. ; The Si system sharcs RWST Isolation Valves IS140 with the RH and CT systemt The SI system shares the downstream check valve in each cold leg injecticc line with the RH system. The SI systam shares downstream check valves in hot legs 2 and 3 with the RH system. CONDENSATE AND FEEDWATER SYSTEM (CF): SJEtrLQ:tp.fdfl1 CUM De Conder.nate Pumps receive motive power from the Electric Power System. (Non Class IE 6.9kV)

        ' Thniain Feed Pump Turbines receive motive power (Steam) from the Main Steam System.

The condensate putnp bearings are cooled by the Turbine Plant Cooling Water system (TPCW). Each MFP turbine is supported by AC aiv.i DC lube oil pumps and its lube oil cooler is cooled by TPCW.

        - The MFP seal lujecdon is provided by the Coudensate System.

He FW system receivcs control signals frem ES, The FW control valves teceive motive power from the Cl system. 3-162 y .

                                                 ^(                'g-g             -k--   --[.- y\ O         . --u    -

1 l l i MAIN STEAM SYSTEM (MS)- System Dependencies.gnd Interfaces ne main steam system provides steam to the TDAFW pumps via connectiota to main steamlines 1 and 4. The ARVs receive motive power from the Ci system and dedicated accumulators. The S: cam Dump System receives rnodulation signals from the RC system T,,, and motive power from the Cl system. De turbine stop and control valves receive closure signals from ES. The Steam Dum; 'ystem uses the CW system as a support system for condenser av.llability. The class IE 125 VDC system provides control powet to system valves. CIRCULATING WATEP SYSTEM (CW): Symm Denendencies and Interfaen The CW pump motors and associated screen wash receive motive power from the Electric Power System I (Non Class IE 6.9 kV and non class IE 480V MCC respectivdy). The Circulating Water system provides cooling water to the main condensers and the auxiliary condensers . associated with the main feed pump turbines. He CW system provides cooling the Condenser Exhausting Vacuum Pump Heat Exchanges, ne non lE 125 VDC rjstem provides control power to the CW system. Sham, . tem Denendencies, The CW e,ystems of the two units share the CWIS. De Unit 1 CW system can be cw . ,onnected to the Unit 2 system through various smaller branch lines. l L 3 163

REACTOR PROTECTION SYSTEh! (ES): System Dependencies and Interfaces ne ES system is powered by the Electric Power System, for functions that require power. Most ES functions are fall safe (power independent). He ES system provides the Safety injection signal that

actuates ECCS (CCPs, SIPS, Ril Pumps and associated valves)
Muates the ECCS support systems (SW, CC, Cll)
starts the MDAFWPs
starts the Diesel Generators
starts the CT pumps The ES system initiates phase A and B Containment isolation, ne ES system isolates Malt Steam and hiain Feedwater Systems.

The ES system provides a confirmation start signal to the CT pumps and opens the CT spray header isolation valves upon high containment pressure, ne ES system closes the main turbine stop and control valves and trips the FW pump turbines. The ES system opens the containment sump to Rif pump suction valves upon low level in the RWST. 1 I The ES system provides a Blackout Signal (DOS) that actuates the following equipment. Centrifugal Chrrging pumps in CS systern SW, CC and Cil pumps AF pumps

Cl compressors
6.9 kV switchgear room coolers
Dattery Room Exhaust Fans ne ES system initiates contalnment Ventilation isolation.

He ES system initiates Control Room Emergency Recircu'ation. ELECTRIC POWER SYSTEM (EP): t System Dependencies and Interfaces ne 138kV and 345kV switchyards provide preferred and alternate power to EP. 3 164 1 l

i i The CII system provides cooling to the 6.9kV and 480V switchgear rooms. j The ES system provides load shedding and re energiring of various electrical loads. , UPS toom cooling is provided by the CC system. The Diesel Generator Jacket water is cooled by Station Service Water. .i Shared System Deriendencies ] Automatic transfer units (ATU; crovide automatic powering of shared electrical buses by either unit. 1 i i i INSTRUMENT AIR (Cl) SYSTEM: I System Denendencies and Interfgts The Instrument Air compressors are powered by the Electrical System. (Class IE 480V). The spare compressors are powered by Non Class IE 480V. The air compressors are cooled by CC. l The cooling supply to the spare compressors is provided by the TPCW system. The Unit compressors are tripped by an *S* signal. They are loaded into their respective buses after a

                              'llOS" .

4

                             *the Ci system provides air to the following components pertinent to the IPE study:

Pressurizer Spray Valves

RCP Seal Water Pressure Control Valve AF Control Valves

ARVs
TDAFWP Steam Admission Valves j
R11R lix Flow Control Valves
Steam Dump valves.

Cil System chiller unit water regulating valves.

FW Control valves, d

3 165 P

                                                  -..v. , . ,g-      -,            ,----.r,..       , , ew,-    -  -nw. . - . . . . , , -- - - - - . . ,, ~ ---m,--.. -- e. -

u -e-. e

SAFETY CillLLED WATER (Cil) SYSTEM: System Denendencies and Interfasts The Cil pumps are powered from the (Class IE 480V) Electric Power System. The Cil Chiller units reject heat to their respective safeguards loop of the CC system. Instmment air provides motive power to the valves that control of CC through the Condenser units. Makeup water to the Chilled Water system is from the Reactor Makeup Water System or the Deminerallel V a.tw 'vstem. He Cil Pump. < W control signals from the ES system on start of the respective CC pump. 3.3. Siguence Ouantification His section provides an overview of the quantification process that was used in the analysis. A discussion of the development of the various data bases that were used in the quantincation is provided. Important in this regard are the discussions related to the use of generic data and the development of human failure and common-cause failure data for the quantification. In addition, a discussion of the methods used to quantify the unavailabl..tles of systems and functions and the core damage frequencies is provided. Finally, a discussion of the internal flooding analysis is provided. 3.3.1 List of Generic Data The basis of all results obtained in the Comanche Peak Individual Plant Examination (IPE) project is the IPE Generic Data Base. His data was used in the quantification of both system fault trees and plant event trees and therefore, it ultimately determined the results of the IPE prQ. ,t. The types of data used for this quantincation include i

Component Failure Date.
Maintenance Unavailability Data,
Common Cause Failure Data, e initiating Events Data,
Internal Flood Data, and 3-166 o

i

            =       11uman Reliability Data.

Comnonent Failure Data ne component failure data required for the IPE project consists of component failure rates and demand probabilities. His failure data was collected and used to calculate component and system unavailabilities (i.e., the probability that the component or system is unavailable) in the CAFTA (Ref. 5) software utilized in the systems analysis portion of the IPE project. He primary source of component failure dats

! used in the IPE project is the PLO data base (Ref.1). The IPE data needs that could not be met with the PLG data base were satisfied by selecting data from the available in-house data sources: the IDCOR/IPEM data base (Ref. 6); the Oconee PRA (Ref. 7); the Shearon liarris Generic Data Base (Ref. 8); and, WASil 1400 (Ref. 9). A detailed description and explanation of the data sources selected is given in Ref. 4. He IPE Generic Data Base valaes for component failures are exhibited in tabular form (Table 3.3.1.1) at the end of this section. Th% amponent failure data bsse contains the information of component type, failure mode, failure rate (failures per hour or failures per demand), and the correstonding data source. The data is also stored as the IPE type code (TC) file in the CAITA software.

I

Maintenance Unavailability Data l De PLG data base (Volume 3. of Ref.1) was used as the main data source fcr developing the !

maintenance data base for the IPE project. The applicability of the PLG maintenance data base is restricted to operating and/or hot shut down conditions. Cold shut down unavailabihty information was [ not used in estimating the maintenance distribution. The maintenance frequencies of all components listed in this data base were derived as the number of outages per component hour. Camponent hours are defined as the time in hours that a component existed in standby or in the operating made during plant i power operation. The data of maintenance durations was categorized based primarily en the technical specifications (allowed outage times fot systems or equipment). For pumps and valves, sufficient data points were available to allow these two types of components to be treated separately, with a reasonable amount of data in each duration category. For other types of components, however, this was not true. Since maintenance durations depends much more heavily on technical specifications outage ime than on component type, all components other than pumps and valves were treated together and then categorized according to the technical specification. The only exceptions to this were in the category of components (other than pumps and valves) with no technical specification. Withiriihls category, the heat exchangers and chillers had maintenance durations so far outside the range of the other components that they were 3 167 __ . _._. ~ . _ _ - _ . _ _

treated as separate categories. (Heat exchangers and chillers that did have technical specifications were included in the same categories as other components with the similar technical specifications.) Table 3.3.1.2 at the end of this section lists the estimated values of the maintenance frequencies and durations for various types of compnents and associated technical specifications. For each component type, the mean value of the maintenance frequency is fixed. Ilowever, as discussed earlier, the mean value of the maintenance duration is dependent on the corresponding component technical specification. Common Cause Failure Data De common cause failure analysis and the data base development are described in Section 3.3.4. Initiatine Events Data The PLG data base (Volume 6 of Ref.1) was used as the main data source for generating the initiating events data base in support of the IpE project. The initiating events were divided into three general groups: loss of coolant inventory, general transients, and common cause initiating events support system faults. Each group has several initialing event categories, and each category contains one or more specific initiating events that result in the same general plant response. The initiating event frequency for the event of loss of offsite power was estimated based on the data issued in NSAC/166 (Ref,10). He frequencies of initiating events for loss of safety chilled water, loss of component cooling water, and loss of station service water were quantliied based on individual system fault tree analysis (Ref. I1). The initiating events data base for the IPE project is given in Section 3.1.1. IDiernal Flood Data ne Generic Internal Flood Data Base was developed based on the PLG generic data base (Volume 9 of Ref.1). He flood data was categorized according to the plant operation mode and flood location. The internal flood data base for the IPE project i given in Table 3.3.1.3, which lists the flood frequencies according to the flood categories (operating mode and flood loca' ion). Human Reliability Data The description of the human reliability data base development is given in Section 3.3.3. 3-168 J

Table 3.3.1.1: CPSES Unit 1. Component Failure Data Ba$e COMIONENTI FAILURE MODE FAILURE UNTT* DATA $OURCE CODE RATE ROTATING I4UIPMENT CHILLERS (CU) FAIL DURING OPfAATION 9.44E45 H P144500 VOL2 FAIL TO START 4.07E43 D PL44500 VOL.2 COMPRE$$0R$ AIR F AIL DURING OPERATION 9.81 E45 H P144500 VOL2 (PA) FAIL TO START 3.29E43 D PLO4500 VOL2 1 DIESEL GENERATORS FAIL TO START 2.14E42 D P144500 VOL2 A F AIL DURING flR3T llOUR I .70E42 H PL44500 VOL2 FAIL AFTER FIRST HOUR 2.51E43 11 PLO4500 VOL2 FAN, $M A! L FAIL DURING OPERATION 7.8tE46 11 P144500 VOL2 (VENTILATION)(FN) FAIL TO START 4.84E44 D PLO4500 VOL2 M.D PUMPS, FAIL DURING OPERATION 3.36E45 - 11 P14-0500 VOL.2 OPERATING (lo) FAIL TO START 2.25E43 D Pt4-0500 VOL2 M.D PUMPS, FAIL DURING OPEllATION 3.42E45 H P144500 VOL2 STANDBY (PM) FAIL TO START 3.29E43 D Pt44500 VOL.2 PUMP 3, TURBINE- FAIL DURING OPERATION 1.03E43 11 PL44500 VOL2 DRIVEN (I'r) FAIL TO START 3.3lE42 D PLA-0500 VOL2 AIR COOLER (AC) FAIL DURING OPERATION 1.00E45 H IDCOR IPEM 2.41 A F AIL TO START 2.93 E43 D IDCOR IPEM 2.4-1 A VALVES AND DAMPFAS DAMPER $, M ANU AL TRANSFER OPEN/CLOSE 4.20E48 H PLO4500 VOL2 (DX) D AM PERS. MOTOR- FAIL ON DEMAND 4.30043 D PLO4500 VOL 2 OPERATED (DM) TRANSFIR OPEN/C145E 9.27E-08 H PLO4500 VOL2 D AM PERS. FAIL ON DEM AND 1.52E43 D PL44500 VOL2 PNEUMATIC (DA) TRANSFER OPEN!CLOSE 2.67E47 H PLO-0500 VOL.2 VALVE 3, AIR- FAIL ON DEM AND 1.52E43 D PLO4500 VOL2 OPERATED (VA) TRANSFIR OPENICLOSE 2.67E47 H PLO4500 VOL2 VALVES. CllECK FAIL ON DEM AND 2.69E44 D PLO4500 VOL2 (OTHER TH AN STOP VALVES) OROSS REVERSE LEAKAGE 5.36E47 II PLO4500 VOL2 TRANSFER CLOSED / PLUG 1.04E48 H PLO4500 VOL.2 3-169

I Table 3.3.1.1: CPSES Unit 1, Component Failure Data 11ase (continued) COMPONENT / FAILURE MODE FAILURE UNIT

DATA SOURCE COGE RATE VALVES. CHECK FAIL ON DFM AND 9.13 E44 D P1D4500 YOL

($ TOP VALY(J) (yT) OROSS REVER$E LEAKAGE 5.36E47 H PLO4500 VOL2 TRANSF12 CLOSED / PLUG l 04E48 H PID4500 VOL2 VALVES. EllcrRO- FAIL ON DIMAND 1.52E43 D PLO4500 VOL2 HYDRAULIC (EXCEPT TURBINE STOP/CORTROL TRANSFER OPEN/CID$ED 2.67E47 H PLo4500 VOL2 VALVES)(V)t) VALVES. M ANUAL TRAN$fT.R OPEN/CLD$ED 4.20E44 H PLO4500 VOL2 (VX) FAILTO REPO$fTION 1.00044 D IDCOR IPDt 2.41 A VALVES MOTOR. FAIL ON DEMAND 4.30E43 D PLD4500 VOL.2 OPERATED (VM) 11 TAN $FER OPEN/CLOSE 9.27E45 H PLO4500 VOL2 VALVES RELIEF (2 FAIL TO CLOSE 8.88E43 D PLO4500 VOL2

       $TAGE TAROET ROCK) (VK)              FAIL TO OPEN                9.03 E43         D              PLO4500 VOL2 VALVES RELIEF           F AIL TO OPEN               2.42E45          D              PLO4500 VOL2 (OTHER THAN PORY                                           ,

OR S AFETY VALVES) TRAN1FER OPEN 6.06E-06 3 PLG4500 VOL2 VALVES, (IORV) (VP) FAIL TO CLO$E 2.50E42 D PLO4500 VOL.2 FAIL TO OPEN 4.27E43 D PLD4500 VOL2 TRANSIT.R CLOSED /OPEN 2.67E47 It EXPERT OPLNION

     -,                                                                                    SIMILAR TO AOV VALVES. SAFETY          FAIL TO OPEN                3.2RE44          D              PLO4500 VOL2 (VF)

FAILTO RESEAT AFTER 2.87E43 D PLO4500 VOL2

                               $ TEAM RELIEF                                                                    '

FAILTO RESEAT AITER I .00E-01 D PLO4500 VOL2 WATER RELIEF FAllTO RECLOSE 1RE42 D IDCOR IPEM 2,4-1 A VALVES. SOLENOID FAIL ON DEM AND 2.43E 3 D PLO4500 VOL2 (V3) TRANSFER OPEN/ CLOSED 1.27E46 11 PLO4500 VOL2 VALVES. TURBINE F AIL ON DEM AND - 1.25044 D PLD4500 VOL.2 STOP/COPrrgOL (VU) TRANSFER CLOSED 2.$8E45 H PLG4500 VOL2 TRANSFER OPEN l .24E45 H PLO4500 VOL2 3-170

f Table 3.3.1.1: CPSES Unit 1, Component Failure Data lla$e (continued) l COMPONENT / FAILURE MODE FAILURE UNTI* DATA SOURCE 4 CODr RATE i

i PRESSURE VESSE13 ACCUMULATORS, RUPTURE / LEAK 2.46E4 H PLI34500 VOL.2

,                  SCRAM I

HEAT EXCH ANGERS RUPTURE / LEAK l.95E 4 H PLil4500 VOL.2 i GM j PIPES (OREATER RUPTURE / PLUG (PER SECTION) 8.60E 10 H PLA34500 VOL.2 i THAN 3. INCH i DIAMLTER) (PP) j PIPES (LESS TH AN 3- RUPTURE / PLUG (PER SECTION) 8.60049 ll IM4500 VOL.2

INCH DIAMETER)(Pt>

TANKS, STORAGE RUPTURE / LEAK 2.66E48 il I'LO4500 VOL.2 i (TK) EXPANSION JOINT RUPTURE 8.60E49 H CRYSTAL RIVER 3, l (EJ) PRA i '

IWW ELEMENT (II) PLUO/ RUPTURE 3.00E4S H CRYSTAL RIVER 3, 4

FI.EX1 tile llOSE (Tif) PLUG /RUITURE 3.00E47 H CRYSTAL RIVER 3 PRA FLOW ORIrlCE (OR) PLUO/ RUPTURE 3.00E-0$ H IDCOR IPEM 2.4 I A 1 NOZZLES. STR AINERS, SUMPS. AND FILTERS TILTERS, AIR PLUG 3.R3E-06 H PLO 0500 VOL.2 FILTERS. PLUG 3.54E-05 H PLc4500 VOL.2 COMPRESSED AIR FILTERS, Olt PLUG l .76E-05 li f%-0500 VOL 2 REMOVAL FILTERS. PLUG 1.07E46 H PLO-0500 VOL.2 VENT!LATION (TV) NOZZLES, PL'10 1.06E.05 H PIX 14500 VOL.2 CORTAINMENT J BUILDING SPRAY (ONE TRAtN)(NZ) STR AINERS, SERVICE PLUG 6.21Em 11 PLO4500 VOL.2 WATER (TL) SUMPS, PLUG 1.00E45 H PL41-0500 VOL 2 CONTAINMENT (SU) TRAVELING SCREEN FAIL TO OPERATE 2.71E 05 H PLO 0500 VOL.2 (TS) 3 171

   .    -        - , - - -                    . - ~ . - . . -                 .       -  ._. . - - -              _

Table 3.3.1.1: CPSES Unit 1, Component Failure Data Base (continued) i w COMPONENT / FAILURE MODE FAILURE UNTr* D ATA $OURCE CODE RATE 4 ELICTRICAL F4UD' MENT BATTERIES 125V DC FAIL ON DUI AND 4.84E44 D l'144500 VOL.2 (BT) FAIL DURING opt 3tA110N 7.53E47 11 P144500 VOL2

B ATTERY Cll ARGERS F AIL DURING OPIAATION 1.86E-05 Il PI44500 VOL.2 (BC)

B15 TABLES (BI) FAIL ON DEMAND 3.89047 D P144500 VOL.2 SPURIOUS opt 3tATION 2.21E 06 11 PLO4500 VOL2

,           OUSES (BU)                      FAIL DURING OPERATION             4.98E47          11        PLD4500 VOL.2 CABLE 3, CONTROL                FAIL OPEN OR SIIORT               4.64E46          Il        P144500 VOL2 (CA)

CIRCUTT BREAlIRS FAIL TO CLOSE 1.6 t E-03 D P144500 VOL2 (> = 480V AC) (BA) FAIL TO OPEN 6.49E44 D PLD4500 VOL2 TRANSFER OPEN 8.28E47 ll Pt44500 VOL2 CIRCUTT BREAKER $ FAIL TO CLOSE 2.27E44 D PID 0500 VOL.2 (<4kOV AC)(BB) FAIL TO OPEN B.39E44 D PLO4500 VOL2 TRANSFER OPEN 2.68E-07 il PLO 0500 VOL2 FV10$ (FU) FAIL OPEN 9.20E-07 il PLO.0500 VOL2 INVERTERS (IV) FAIL DURING OPERATION 1.83FA)5 ll P14 0500 VOL2 MOTOR FAIL DURING OPERATION 3.59E45 11 PLO4500 VOL2 0ENFJLATORS (MO) IOWER SUPPLIE5 FAIL DURING OPER ATION 1.33 E44 11 PLG4500 VOL.2 (+ 120V DC E$FAS) i (PD) POWER SUPPLIES FAIL DURING OPERATION 5.33E45 11 PLO 0500 VOL2 (+5V OR +25V DC ESFAS)(PS) REACTOR 1 RIP FAIL ON DutAND 1.77E 03 D PLO4500 VOL2 BREAKERS ($B) SIIURT TRIP COIM FAIL ON DDI AND 1,40E44 D PLO4500 VOL2 (5Y) UNDERVOLTAGE l- AIL ON DEMAND 2.75E-03 D PLO 0500 VOL2 Colu (UY) RELAYS (RM) FAIL ON DEMAND ' 2.41E44 D PLO4500 VOL2

          !                                 FAIL DURING OPERATION             4.20E47          11        PLO45(4 VOL2 3-172
     ,.                    - , ~         .-                    .-         - .                        . -                  . . -    . . - . _ _ , - .

r f Table 3.3.1.1: CPSES Unit 1, Component Failure Data Base (continued) COMK)NEfTI FAILURE MODE FAILURE UNrr* DATA $OURCE CODE RATE $ 5%TTCHE3, FAIL ON DEMAND 2.400-05 D PLO4500 VOL.2 q PUsilBUTTON

;         TRANSFORMERS             FA!L DURING OPFAATIOrd                    1.56046                H              l'LO4400 VOL.2 i         ( > = 4.16KV) (rR)

TRANSFORMERS FAIL DURING OPTRATION 6.87047 ll P!44500 VOL.2 j ( < 4.16KY, > = 480V)

UM) i TRANSFORMER 3, FAIL DURINO OFFAATION l.55 E46 H Ft04500 VOL.2 l INSTRUMrRT

- (< 480V, > = 120V) (Th AUTOMATIC FA!L TO TRANSITA 2,30046 11 $HEARON linRRIS TRAN1FTA UNfT (AT) RELAY COffrACT FAllTO OPE.N/CLO1E 3.00E44 D IDCOR IPI112.41 A (CN)

                                   $PURIOU$LY OPEN/CLOSE                     2.40E-07               H              OCONEE FRA TAllLE 4                                                                                                                   B-1 TIME DELAY RELAY         rAllTO TRANSTER                           3.00r 04               D              IDCOR IPLM 2.4-1 A (RT)

TRAN$rTR PRD(ATURELY 6.00E46 H KXX)R IPDt 2,41 A RELAY COILB (RY) FAIL TO 3.00E46 D IDCOR IPGt 2.4-1 A DEEN!2Gl2 FANER0!ZE

                                   $PURIOUSLY DEENER0 LIE                    3.00E46                11             IDCOR IPEM 2.4-1 A TTAMIN AL BOARD          silORT/OPEN CIRCUTT                       3.00E47                11             IDCOR IPIAI 2.4-1 A (Tiu ELECIVONIC 'IQUIPMENT i          $1GNAL MODirtERS         FAIL DURING OPERATION                     2.94E46                H              PLG4500 VOL.2 4

(MS) TRIP LOGIC FAIL ON DEM AND 5.52E-05 D PLO.0500 VOL.2 MODULES ($5) FAIL DURING OPERATION 2.70E46 11 PLO4500 VOL.2 INSTRUMEffTATION SWTTCitt3, Fall ON DDt AND 2.69E44 D PLO4500 VOL.2 --' PRES $URE (5P) OPEAATE SPURIOU5LY 3.40E-07 11 OCONEE PRA TABLE B-l TGtPERATURE NO OUTPUT 3.4 t E46 11 PLO4500 VOL.2 MONTIOR IDOPS TRANSMrrTERS, FA!L DURING OPER ATION 6.25 E-06 H PLO4500 VOL.2 FLOW (TF) 3 173

   ,_ _ -        . . _ .        ,   ,_,         _ .   . . _ . _ .    . . _ _        _ . - ~ . _ _ .              _                -    _..

i i t 4 9 Table 3.3.1.1: CPSES Unit 1, Coutponent Failure Data Base (continued) ! i 1 i i COMPONENT / FAILURE MODE FAILURE UNIT

DATA $0VRCd i CODE RATE i TRANSMrITER3, FAIL DURING OPI7ATION l.$7E45 H Pla4300 VOL.2 s

LEVEL (TL) i TRANSMITITAS. FAIL DURING OPERATION 7.60E46 H PLO4500 VOL2 PR13$URE frP) j i LIMrr SwTTCH ($1) FAIL TO OPERATI 1.00E44 D IDCOR IPt:M 2.4-I A i. OPERATE $PURIOU$LY 4.70046 H OCONEE PRA TABLE FI i LEVEL $wTTCH FAIL TO OPERATE 2.40E44 D OCONEE PRA TABLE ($L) . B-l t OPERATE SPURIOU$LY 1.57E-06 H SHEARON H ARRtt } 1 ] MANUAL $WTTCH FAIL TO OPIAATE 3.00E43 D IDCOR iPEM 2.4-I A , ($M) OPERATE SPURIOU$LY 1.30E46 H OCONEE MLA TABLE kl TORQUE $%TICH FAIL TO OPERATE 1.00E-04 D IDCOR !PEM 2.4-1 A 4

                                                                                                                                ---~

(5Q) OPERATE $PURIOUSLY 3.40E-07 H- OCONEE PRA TABLE - El COMPONENTI FAILURE MODE FAILURE UNff' DATA $OURCE j CODE RATE OPERATE SPURIOU$LY 3,40FA7 H OCONEE PRA TABLE El i TEMPERATURE F AIL TO OPERATE l.00FA D IDCOR IPEM 2.4-1 A

                                $WTTCH (ST)

TEMPERA 111RE - FAIL HIGH/ LOW RESPOND 3.00E4 H IDCOR IPEM 2,4-l A < titan $MrITER (IT) SCRAM RODS l FAIL ON DEMAND $1NOLE SCRAM ROD 3.20E 05 D PIIl4500 VOL.2 (PWR) (SC) !

                                                                                                                                                                                                               -t 3 174 L

t

     ,s t._ - , ,,.m---  ,, ,. y-  ,,,,r-,   gy,... , - . yy-y-e fy-%.gg- - ,  m,e, c    y~  w r r e  , ,wy w e, n   -,..,. ,%+       ,y,.,-ww w ,       ,r ,--e--ww+e          s -e- w .v....-ver.4 evs+ ,-

Table 3.3.1.2: Generic Maintenance Data DaSe NO. COMPONE.NT TECilNICAL MAINIT. NANCE MAINTE. NANCE

                                            $l'ECII1CATlONS     l'REQUENCY           DURATION (11OURS)

(EVEKr$'llOUA) 1 CillLLERS NONU 1.3819E44 469.7 5 24 IIRS 1.3819E W 6.3 48 OR 72 HR$ 1.38190 44 13.1 168 OR 336 IIRS 1.3819E-04 37.2 2 COMPRES$0ks NONE 2.9311E44 38.5 5 24 HR$ 2.9311E44 6.3 48 OR 72 HRS 2.938 t E44 13.1 168 OR 336 HR$ 2.931iE44 37.2 3 LARGE FANS NONE l.4727E44 38.5 5 24IIRS 1.4727E44 6.3 48 OR 72 IIR's 1.4727E44 13.1 168 OR 336 liRS l.4727E44 37.2 4 SM ALL FANS NONE 2.0897E44 38.5 s 24IIRS 2.0897E44 6.3 48 OR 72 IIRS 2.0897E44 13.1 168 OR 336 llR$ 2.0897E44 37.2 1 DIESF10LNERATORS NONE l.0270E43 38.5 s 24 HR$ 1.0270E43 6.3 48 OR 72 HRS 1.0270E-03 13.1 168 OR 336 llR$ l.0270003 37.2 6 IIEAT EXCll ANGERS NONE 4.1433E-05 383.1 s 24 HR$ 4.1453 E45 6.3 48 OR 72 HR$ 4.14 $3E-05 .' 3.1 168 OR 336 IIRS 4.1433E45 37.2 7 OPERA 71NO SERVICE NONE 3.3459E44 266.3 WATER PUMPS 5 24 HRS 3.3459E44 1.5 72 HR5 3.3459E44 II I 168 HR3 3.3459E-04 28.7 8 OTilER OPERATING NONE 1.5790E44 266.3 PUMPS 5 24IIRS 1.5790E44 7.3 72 HRS 1.5790E44 11.1 168IIR$ l .5790E44 28.7 9 STANDRY MOTOR- NONE l.1670E44 266.3 DRIVEN PUMPS 5 24IIRS l.1670E4e 7.$ 72IIRS l.1670E-04 11.1 168 HRS l .1670E44 28.7 10 STANDRY TUP.BINE- NONE 4.1928E44 266.3 DRIVEN PUMPS E 24 HRS 4.1928E44 7.3 72 HR$ 4.1928E44 Il.1 168IIRS 4.1928E-04 28.7 11 FOSf!7VE NONE- 6.3703E44 266.3 DISPLACEMEKr 5 24 HRS 6.3703E44 7.5 PUMPS 72 HR$ 6.3703E44 Il.1 16f HR$ 6.3703E-04 28.1 t 3 175

.j

Table 1.2.1.2: Generic Maintenance Data Base (continued) NO. COMPONENT TT.CilNICAL MAIRTENANCE MAlvrENANCE SPECITICATIONS MLEQUENCY DURATION OIOURS) (EVENTS /llOUR) i Cit!LLERS NONE IJS19E44 469.7 5 24 IIRS IJB19E44 6.3 48 OR 72 IIRS l.1819E44 13.1 168 OR 336 IIR$ l.3819E44 37.2 12 val.VES NONE 2.7382243 132.3 5 24 IIRS 2.7382E 05 4.1 72 OR 168 IIRS 2.7382E45 18.9 14 B ATTERIES. ItATTERY NONE 2.4944t45 38.5

       + CHARODts, AND                        s 24IIR$                                                 2.494tE45                  6.3 INVERTERS.                           48 OR 72 IIRS                                            2.4948045                 13.1 168 OR 336 IIR$                                          2.4948 E45                37.2 14    BUSES                                NONE                                                     2.63860-06                38.$

s 24 IIRS 2.6346E44 6.3 45 OR 72 IIRS 2.65860 06 13.1 168 OR 336 IIRS 2.6386E.06 37.2 l$ TRANSFORhlERS NONE 4.4037E46 38.5 s 24l(RS 4.4037E46 6.3 48 OR 72 IIR$ 4.4037E4M 13.1 168 OR 336 llRS 4.4037E44 37.2 16 STRAINER $ NONE 9.273RE45 38.5 s 24 IIRS 9.2738E45 6.3 48 OR 72 lik3 9.2738E 03 13.1 168 OR 336 IIRt 9.2738E-05 37,2 17 OAS TURillNES NONE 1.9213E44 38.$ 5 24IIRS l.9213E44 6.3 48 OR 72 IIRS 1.9213E44 13.1 168 OR 336 IIRS 1.9213E44 37.2 3 176

                                                                                                                                      .-__1

I Table 3.3.1.3: Generic Internal Flood Data Base i j l I tDCATioN 71,OoD fitf4ULNCY DURING NORM AL oPIRATloN 1 (EVINTs/ REACTOR YEAR) AUXILtARY BUILDING

3.02E42 TURit!NE 2.19E-02 BUILDING'
AUXILIARY BUILDING; INCLUDING AUXILIARY, S ATT.0VARD AND ELtrrRICAL CONTROL BUILDINGS.

3

TURBINE BUILDIN0; INCLUDING CIRCULATING WATER AND SERVICE WATIR SYSTEMS.

i- t l 4 3.3.2 Elant Speelde Data and Analvils CPSES Unit I staned commercial operation in April of 1990 and Unit 2 is still under construction. Consequently, sufficient plant-specine operating data for CPSES is not available for use in the IPE study. Therefore, a generic data base was utilized as th. ...aln source of data and no statistical analysis, ach as Bayesian update, was required for updating plant specine data. 3.3.3 Human Failure Data in general, a modined version of the process outlined in SilARPl (Reference 16) was used as the systematic procedure to incorporata iluman Interactions into the plant logic. Figure 3.3.31, which was-taken from Reference 16, shows the interfaces between the human reliability analysis (HRA) and the major Probabilistic Risk Analysis tasks. 3 177 m - w -,y,y-w,y, y --v. , - . , - - * - ~ - - - . y ,y-v. -. ,..wp-_...,y-,rm,.w-, , _ - , .e_,,m...- ,p-3 ,, p , , --.. ,,v,.y,-., ,~e...-%v4 ,-w a

Figure 3.3.31: Interfaces of IIRA with Major PRA Tasks 10"4 ."S. WAJet PRA tasks

    ~;ca    _
                 .t"l:'.l",   .     .a=u= _             u":lr".                -                                  ;  h"4Y"'                         -.- J== o=
    = a.           --                          --o                                 "'.".M.n em    u
                                 ,                                                                                  c    -o                                 = 'a

................... L............ .....: ............. ............. .....- ......d--...........: ..... 4,p:== y C. .w- hDj ::::D

-J<

stACrs Of SHARP Z

                                                                                                  \~r_

I Iluman interactions (111s) were identified during the development of the system models and accident sequences. A screening methodology was developed after reviewing existing methods. These ills were then assigned a screening value based on the screening methodology, and the quantified lits were incorporated into the logic trees. The impact on the sequences was then evaluated under stage 2 of SilARPl. If it was found that these lits were significantly important in terms of their contribution to core damage frequency, these lits were requantified using an expert judgement approach. For selected lits that were time limited, time reliability correlations were used (Reference 17). These requantified lits were re-entered into the logic trees and the results were obtained. The final stage of sequence quantification included comideration of recovery actions in the plant logic. This was accomplished in stage 4 of Sl{ARPl. The human interactions consist of several different interactions. The general industry standard is to group them into three grom. These types are type A, Latent; type B, Initiating; and type C, Dynamic, 3 178

Type A are associated with maintenance and test operations; type B are associated with initiating events (often the direct cause of tre initiating event); and type C are associated with the actions of station personnel responding to the initiating events. He latent or type A actions are errors that may occur during or after maintenance (preventive or corrective), testing, or operational alignment such that the componenta are leh unavailable, nese actions were evaluated in the Latent lluman Errors (Type A) section. According to the general practice in pRAs, type B actions are not evaluated, but are effectively included in the initiating event frequencies. De general practice was followed for these actions. In practice the type C actions are often the most important in preventing core damage. He type C actions are divided into two sub groups: C,, which are the immediate responses to accident initiators and are covered by procedures and C., which are recovery actions, and may or may not be covered by procedures. The analysis of recovery actiora (type C.) is covered under stage 3 of SilARPl. An important group of latent errors are those that occur because of miscalibration errors occurring simultanmusly in multiple safety channels. Rese are common cause calibration errors. These were evaluated in the Common Cause Calibration Errors section. Most of the dynamic actions are included in the Functional Fault Trees, nese actions include tasks such as controlling AF flow, or restoring main feedwater aher failure of AF. Each task requires the operator to evaluate a situation, and take action to tern. hate or mitigate the accident. Some dynamic human errors were incorporated into the system logic models (i.e. fault trees) because of their logical retailonship to systemic events. Only those actions that are more appropriate in the system models were placed there. An important stage in the IPE is the internal review process covered under stage 4 of the SHARPI procedure. This was accomplished by reviewing the various products of the liuman Reliability Analysis at various stages from the initial llRA procedure development, to development and application of IIRA methods, to interviews of plant personnel, to final documentation review, in addition, an outside group of experts reviewed the IPE as a whole, including the 11RA portion. 3 179 l __---_-..--2-.---------- - - - - - - - -

    ._ _    _      m.      _       __        .. _ _ _ _ _ _ _ . _ _ _ . _ _ _ _ _ _ _ _ _                                   _. _

t r Screenine Evaluation De screening methodology used at CPSES is a melding of several previously published methodologies. he framework and mechanics are original, ne backbone of this methodology is an event or decision tree that is based on a series of structured questions that leM an evaluator to a iluman Error Probability (llEP) screening value. He decision tree has the C/antage of showing tiie i tic influence or t performance shaping factors and their relative importance to the llEP. He sc

of the trec also I indicates the dependencies between factors. Generic and local issues are factt.a n,co the trees by considering the distribution of end states. He generic issues are tackled in the order of headings and the dependencies between branches. Local effects are accounted for by the overall scale of the values and by the distribution of probabilities.

         %ree different trees were developed to cover Dynamic Actions, L* tent Error following Testing
          / Maintenance, and Latent Error following Calibration. Each tree consists of questions formulated about the task. A particular performance shaping factor is applied to each question, though each factor is fairly granular.

To ensure that human error probabilities were properly accounted for in the core damage frequency, basic events that nxxleled human errors were strategically placed in the functional fault tree and the system fault tree models during the constniction of the trees. His placement considered the scope of the actions described in the event and the influencing factors associated with the fault tree. Each task was defined at the time of placement. Als definition covered such things as the time limits, success criteria, cues, etc. He cognitive ponion of the human failure rate was modeled separately, if the cognitive act is tied to multiple operator actions. Similarly, the system fault tree models incorporate latent and some dynamic human errors. For ev. ample, it is possible for a component / system to be disabled following test or maintenance by an operator mitaligning a valve. His latent action was included as a basic event in the system model. Additionally, some system specific dynamic actions were included in the system fault treu. His was done only in the cases where it was inappropriate to place it in the functional fault trees. l 3 180 L

i 4 l ACCIDENT SEOUENCE DYNAMIC llUMAN ERROR METilOROLOGY i Several methodologies for assessing the nonsuccess probability of dynamic humart actions are described in several EPRI and NUREO reports. After reviewing several of these methodologies (see References

17 22), the methodology that is described below was chosen.

l l Assessment of the failure probability of human actions that are required to mitigate an event requires i several steps. nese steps are described below. Identification The human actions that are required to mitigate an accident came from the Accident Sequence, Ref. 36. 1 Each acth) was modeled as consisting of a single cognitive task and one or more tasks involving actions. The quantification of thesc sequences included the failure probability contribut;an attributed to these human actions. Screenine Each item was assigned a screening value using the procedure described previously in the screening evaluation section. His approach takes into account the dynamic fils, C,. De chart used for this type of human interaction is shown in Figure 3.3.3 2. 3-181 _- ~ . - - - _, - _ ._ _ _ _ _ _ _ . _ . -

Figure 3.3.3 2: Dynamic Action Screening Value Decision Tree

             "#8@~ W57, Ije4                                 EO'            ES(,h"[IS      "Ohh   E#a.,

H 34AN pdft1 TACT 99pOC /79t Ak4 TAtw CTM. MUCTWET TW

                                                                                         '"       K.02 M1htk
                                                                                         **f      c ot 1                                 P he f LW       t oQ1 QMIT 25.r'    w oi U?_n     n o, j Q 1.1.C4NKT NI

' X -Ot 1MfMd AltT7tMT P tst f t *w

g. 4, prtT wr_T AMi M Qt K-Ci spa *L f

                                                                                                                'i M@       7t =01 NDT P M f LM 44%

enstra fen SMf gg Dynamic Errors Screenine Chart

   . The evaluation chart, figure 3.3.3 2, for dynamic errors consists of four questions leading the analyst to the screening value.

i The first question in the chart is "ARE THERE PROCEDURES AND/OR TRAINING FOR Tills TASK 7" This question is considered the most important, and therefore was asked first. If procedures l are provided, the probability for success is higher, in addition, training on a task increases the i probability for success. 3-182 l

l I

De second question 'IS Tile TASK COMPLICATED 7' is used to range the task based on difficulty.

This is a binary evaluation by an analyst with operational background, and is only considued for those l tasks that have neither procedures nor training associated with them. The next question 'IS TilERE RELUCTANCE BY TIIE OPERATORS TO PERFORM Tills STEP 7'

,         is used to try to assess the failure probability due to 1.esitation by the operator. For example, establishrreat of bleed and feed is a rather easy, practiced task, he operators may hesitate, however, considering the fact that the Pressurizer Relief Tank rupture disk will most assuredly rupture, leading to contamination of significant portions of containment.

The last question 'IS T11E TIME ALLOWED FOR Tile TASK LONO OR SliORT7' is another binary subjective estimation of the work stress level due to time. The evaluation, again, was based on the opinion of an analyst w!$ an operational background. His takes into account the relationship of the + expected task time to the allowable task time. After answering each of the questions listed above, the analyst is led to an 11EP screening value between IandSE-02. Srcondary Evaluation Those events that contributed significantly to the accident sequence, or those that reduced significantly the probability of the cutset were re-evaluated using an expert interview technique. The experts were from the Operations Training Group of the Nuclear Training Department. He individuals interviewed had a significant amount of training and/or operations experience. Therefore, they were able to provide a good estimate the likelihood of the operators succeeding (or failing) in a particular task. i l SYSTEM HASED LATENT llUMAN ERROR METHODOLOGY , Assessment of the errors due to system-based latent human errors was performed using the following methodology. Als corresponds to the overall approach mentioned earlier.

j. 3-183 .

i m- ,nvmc .--~. ,, , r---- - - -r -- r e ~ w-

Identifiention Each system analyst identified and described each latent human error that coul' '

                                                                                                        .c       ..e .t unavallebility during the accident sequences. %is description included enough info            s.
                                                                                                             + ne llRA analyst could then perform a screening using the inform tion provided.

Screening Each item was assigned a screening value using a procedure similar to that described in the screening section, taking into account the maintenance, test and calibration envltorenents. Each HI was first binned to the proper evaluation chart, either for periodic test and maintenance and repair and retest or for calibration. These charts are r,hown as Figures 3.3.3 3 and 3.3.3 4. Figure 3.3.3 3: Testing / Maintenance Latent Human Error Screening Value Decision Tree

'50 %";r         * **
    ----           . T"*'i '." v4f.  .
                                             .'.T1
                                             .J::  ,
                                                     ,J. 1 710.
                                                     . 4m _ _,
                                                                    . *24'??r,
                                                                        ** "         .M "
                                                                                   "'s PS" t.4-              F~*'"

m,mm , u.,em., ,m f., . , = m. f*43 mt ar r< men arn m MN gg arsreten g.g an er namen tria. m men g4 namusew W4 m erwat e MN g amman g, E-03 MT Mfw.m.nu murn TIII M M M MN g KitBTtB K-of me ermannrn

                                                                                   >                          Mag
                                                                                    "~

h K=N asi erwet M MN g E*0% . 3-184'

Periodic Test /Malntengage Screenine Chart ne evaluation chart for testing and maintenance, Figure 3.3.3 3, is compriscd of five questions leading the analyst to a ' rcec,ing value. He first question is "!S Tile ANALYSIS FOR A COMPONENT OR TRAIN 7' In some systems, it was judged to be more reasonable to lump the latent human error contribution at the train level. His question is used to range the evaluation based on this need. For those systems in which the latent human error was not lumped at the train level, it was included at the component level, ne second question "lS TH ERE TRAINING / PROCEDURES FOR Tile TEST /M AINTENANCE7' asks k procedures or training are provided. If this is the c.ase, the probability of success is much higher. Als question is considered the most important in terms of its affect on failure probability. The next question *lS THE SYSTEM FUNCTIONALLY TESTED FOLLOWING TESTING / MAINTENANCE 7" leads the analyst to check for retests. A retest is designed to ensure that the system functions properly after maintenance, however overall it decreases the probability of latent human error following tnalntenance. Errors committed during the maintenance are more likely to be detected if a retest is performed. !!ence, the overall probability will be significantly reduced, ne question 'IS Tile SYSTEM RECONFIGURED FOR Tile TEST?" leads the analyst to check to see if the system is reconfigured for the test. If it is, this reconfiguration introduces the possibility of more errors, nerefore, it will increase the HE. He last question "lS THERE AN INDEPENDElfl' CHECK AFTER TEST / MAINTENANCE IS COMPLETE 7' leads the analyst to check for an independent check. An independent check consists of verification of the component by someone other than the perton who performed the original alignment, The presence of an independent check reduces the probability of error. Preferably, the person performing the check should be someone other than a person on the same team undertaking the task. Self-checking also reduces the probability of errors. However, this factor is assumed to be included inherently and no specific credit is taken for it. 3-1115

Firse 3.3.3-4: Calibration Latent lluman Error Screening Value Decision Tree i T!!o'J" calibrotkm f O 7, E%*d'.TD the CWtrot ke I.Mo*QiJ" colit>rotice is

                                                                                                    '*d*,.*Ec% 1" indepdently ch.ck.67 Uc...

Probotellit y ayetom co w t. took? eorry>le t e ? ; CALORATCtJ Erdt. TRAJJ/ PROC TEST 90. CHCCK in cFrm M-03 I TEtTTD to en c>rer t-02 EITtCM _en circK 2E-02 tof it1TfD Itc te e>rce g.o, a C ALDR AYorJ CPft

en c> rex: r. o1 3

TrtitD l to en ctrek 2C-of trtT6cR 1 en cirev 2_o, tot trittn to en cirex t+oo i 4 0 I Calibration Screenine Chart J The evaluation chart, Figure 3.3.3-4, for calibration is comprised of three questions leading the analyst to a screening value. The first question is 'IS THERE TRAINING OR PROCEDURES FOR THE CALIBRAT!ON TASK 7" A procedure is inherently designed to reduce the number of errors. Training provides a reasontble substitute, but the combination is preferred. 3 186 _ . - - - ._ _. . _ . . . . . _ . _ _ , - ~ _

l ] i l The second question 'ARE Tile SYSTEM TESTED AITER CALIBRATION 7' tests for the presence i ' of a test following calibration. A test should catch most of the errors that may have occurred during the calibration. The final question "15 THE CALIBRATION AND RESTORATION INDEPENDENTLY CilECKED7" I tests for independent verification of the procedural steps. This provides an additional mechanism for

reduction of human error.

j Exnert Interview in order to increase the level of confidence in the probabilitics chosen for the screening values, an {

Interview with experts was performed. De experts chosen were two instnietors frorn the Nuclear Training Department. Specific latent human errors were not discussed, but the general types of ettors 1 i that were modeled in the IPE were discussed. The discussion centered on two topics.1)What type of
errors have been seen at CPSES, and when do they occur? 2)What programs or features are in place to ,

limit errors? He results of this discussion are documented in the Human Reliability Analysis calculation, Ref.12. i COMMON CAUSE ESFAS CAUBRATION ERRORS During the evaluation of the human events associated with the Emeagency Safeguards Actuation System (ESFAS) model, it was concluded that significant human ermrs could be due to the common cause error in calibration of channels within ESFAS. These errors could lead to the unavailability of an actuation logic channel. To begin evaluating calibration errors, an assessment was inade of the base calibration error rate of a single channel and those factors that are common when Jc' ibrating ESFAS channels. This starting point l was assessed using the calibration error tree. . All calloration tasks are performed using procedures that l the technicians are trained on, and the steps are checked independently, his leads to a non success - j probability of SE-03 using Figure 3.3.3 4. i 3-187 y rwe ,- r. 3,-, - - , ,- y y,-* , - , ,--, #y . -v-... _.

                                                                                               #     4.--, .
                                                                                                             ,, _.,.. . , s.,,,_y.~.w, ,r----.

De base calibration error rate non-success probability was then adjusted by applying two modifying factors that account for the common factors. He first common factor is related to the procedures. Because individual procedures aan used to calibrate each charmel, the common factor was determined to % be 0.05 ne second common factor is related to the calibration frequency. The cyclic nature of the calibration schedule and the frequency with which channel to channel comparisons are made results in a common factor for this step of 0.01, ne product of the base calibration error rate and the two modifying factors above yields a value of 2.5E-06. Enigninitrvlew in order to increase the level of confidence in the probabilities chosen for the screening values, im interview with experts was performed. De experts chosen were three Nuclear Training I&C instructors. The content of the interview is listed in the liuman P.eliability Analysis calculation. He result of the interview confirm that the above number is realistic. SYSTEM BASED DYNAMIC HUMAN ERROR VIITilODOLQQY,; Assessment of the errors attributable to dynamic system-based human errors were performed using the following methodology, similar to that outlined above. Identification Each system analyst was responsible for identifying each dynamic error that could lead to equipment unavailability during the accident sequences. A description was provided and included enough information suct' that the 11RA analyst could perform a screening tudng only the information provided. - Screenine A screening value was assignal to each item by the lira analyst using the method described in the Accident Sequences Dynamic Ituman Error section. The chart detailing that methodology is Figure 3.3.3-2. 3 188 l

                                                                                      .-... _....._- - - - - - -_- ..__-A

      $cspadary Evaluniell Dose events that contributed significantly to the probability of a dominant cut set, or overall core damage during preliminary quantification, received a secondary evaluation using an expert interview method.

Dese experts were two Nucles Training Department instructors. A summary of this interview is listed in the lluman Reliability Analysis :alculation Ref.12. RECOVERY MTIONS Recovery actions were considered by the analyst to reduce the contribution of a given sequence to core damage frequency. He possibility of recovery actions was only considered for those sequences that made significant contribution to core damage frequency. The approach that was used follows the general approach covered in the EPRI recovery analysis (Ref. 22). Recovery actions, as defined in this document, are all actions that can be taken to recover from a particular set of equipment and human failures. C,QNVOLUTION ANALYSIS FOR l_OSS OF OFFSITE POWER De method used to perform the quantification of the Off-Site Power Non-Recovery (OSPNR) events for the Comanche Peak Steam Electric Station (CPSES)is the Convolution Analysis Methodology. A detailed description of the Convolution Analysis Methodology is given in Ref. 24. He methodology was applied as described below.

Re dominant Loss of Off-Site Power (LOOP) cutsets were identified, and the comp (ment failures in each cutset were categorized into two types; a) mission time independent failures and b) mission time dependent failures.

The off-site power non recovery (OSPNR) probability distribution in this analysis was assumed to be a two-parameter Weibull distribution, and was determined bued on the generic data given in NUFCG/CR 5032 (Ref. 25).

                                                                              -3 189
                                              . . . . . . . ..             ..   . _  _ - _ _                                      l

  . _ _ _ _ _ _ _                         __._ _ .                    .._ .__.-_._m                               .._     ._- _ _ _. .                    . .

i l'

The probabit3t y density functium (pdf) for the componenti with mission time dependent failures 1

4 were esumed to be exponential distributions. o la order to rc< luce the calculational effort of evaluating a convolution integral for each cutset, } ! reptuscatative cutsets that have the same convolution integral were identified, i

The probability dernity functions of the time dependent comporient failurss in the representative cutsets were then convoluted with the OSl: Nit probability distribution.

f Eight representatlw cutsets wera identified in this study. In order to determine the c4mvohition integral intervals for each representative cutset, an event tree was created for the LOOP recovery analysis. A detailed description of the analysis aid the final results for erh representative cutset is given in Ref, 26. l IDENTIFICATION OF RECOVERY ACTIONS l

l As stated above, recovery actions wers app!Ied to dominant cutsets where it was expec'ed that recovery i actions would be taken by the plant personnel. Each recovery action was examined for its feasibility, in line with the requirements of Reference 22, i

During the preliminary quantification, corresponding to SilARP1 stage 3, several impcrtant recovery act' ors were identified. De methodology used for the quantification of these recovery actions consisted of an interview of an expert with the results interpreted by decision trees. Tv;o decision trees from SH ARPI were used in the rt:covery analysis. Rese were one for detection and diagnosis (P) and one for auxiliary operator action (P ). The interviewee was a member of the Operations staff with ten years of on site experience. The details of this interview, aloog wi h t the conclusions, are given in the Human , Reliability Analysis calculation, Ref,12. After final quantification, additional recovery actions were identified, nese actions were assessed by researching the available procedures and reviewing the applicable drawings. Yhe time critical events were , Newd using the assessor's experience to estimate the likelihood of failure. 3 190 -

                        .--r        -.-.y          .,-__,,--._r. ~y-.,-         , _ , , - , - , .
                                                                                                            ,#,,-      %           <   -c,  . _-- - - - w     --

De analysis of the additional reuvery actions was similar to that outlined above. For some recoveries, data from " Faulted System Recovery Experience" (Ref. 23) was used to estimate the failure prcbability to recover equipment. LATENT ERRORS MODELED j The latent errors that were modeled in the system models are listed below. In general, a single latent error was applied to a train of components, if the latent error of any component in that train disabled the train. If there was L. single component that led to multiple function failures, then a latent error was

applied to that event. An example of this is the latent disabling of train A Motor Driven AF pump. This train can be disabled 5 lisPI' nment of a valve in the train. improper control switch positioning, or incorrect reassembly ot de ptmp. The event AFAPMPMD01FX, with a probability of 2E-02, models the possibility of any of these events.

LATENT ERRORS Basic Event Enh, Regription AFAPHPMCD1FX 2E-02 MDAFWP 01 TRAIN UNAVAILABLE DUE TO LATENT NUMAN ERROR AFBPMPMD02FX 2E 02 MDAFWP 02 TRAIN UNAVAILABLE DUE TO LATENT NUMAN ERROR AfCPTPTD01FX 2E 02 TDAFWP TRAIN UNAVAILABLE DUE TO LATENT HUMAN ERROR AFCTDAFWPNX 1E*04 BOTN TDAFWP STEAM ADMIS$10N LINES UNAVAILABLE DUE TO LATENT NUMAN ERROR AFCVA24521NX 1E-03 TDAFWP STEAM SUPPLY LINE FROM SG 1 INADVERTENTLT DISABLED I AFCVA24522NX 1E-03 TDAFWP STU3 SUPPLY LINE rROM SG-4 INADVERTENTLY DISABLED AFXPMPM000FX 2E 04 ALL AF SG JNLET FLOWPATHS UNAVAILABLE DUE TO LATENT HUMAN ERROR AFXvXAF007FX 1E-03 MANUAL VALVE 1AF-007 MISALIGNED CLOSED AFXVXCl331FX 1E-03 MANUAL VALVE 1C1-331 MI; ALIGNED CtOSED S CCAPOPCC01NX 1E 02 CCV TRAIN A UNAVAILABLE DUE TO LATENT HUMAN ERROR i CCAVHV4514FX 5E 03 PATN FROM CCW TRAIN 1A TO NON SAFECUARDS LOOP MISALIGNED CLOSED CHAPMPCP05NX 1E-02 SAFETY CHILLED WATER i.M d "A" IWADVERTENTLY DISABLED C1f'AACn01NX 1E-02 AIR CCMPRESSOR TRAIN 01 INADVERTENTLY DISABLED-ClarnAC001NX 1E-02 AIR COMPRESSOR CPX CICACO 01 INADVERTENTLY DISABLED ClxPAAC002NX 1E-02 AIR COMPRESSOR CPX CICACO-02 INADVERTENTLY DISABLED CSAPMPBA01NX 2E-02 BAT PUMP TRAIN "A" UNAVAILASLE DUE TO LATENT ERROR CSAPMPCHOINX 2E-02 CCP TRAIN "A" UNAYAILABLE DUE TO LATENT ERROR CSBPMP8A02NX 2E 02 BAT PUMP TRAIN "B" UNAVAILABLE DUE TO LATENT HUMAN ERROR C5BPMPCH02NX 2E 02 CC7 TRAIN "B" UNAVAILABLE DUE TO LATENT NUMAN ERROR CSXVX18341NX 1[-03 MANUAL VALVI 1-8341 MISALIGNED CLOSED 3-191

] CSXVX&810FX 2E 04 CCF 07 MANUAL VALVES MISALIGNED CLOSED (1-8810A,B,C,0) CSXVX$104ENX 1E 03 MANUAL VALVE 1 Sl*D48 MISALIGhED CLOSED CTAPMPCSDINX 2E 02 TAAIN A EDUIPMENT INADVERTENTLY DISABLED CTBPMPCS02NX 2E 02 TRAIN 8 EDUIPMENT INADVERTENTLY DISABLED CTXVX15147FX 1E 03 MANUAL VALVE 15147 MISALIGNED CLOSED CW&cCFLS2915 1E 03 COMMON CAUSE MISCAllBRAtl0W OF LEVEL SWITCHES 2915A AND B CW1TRVSCR 1E 02 INADVERTENT DISABLING OF 3 DR MORE TRAVELLIke SCREENS CWASL2915AWX 1E 02 LEVEL SWITCM 1-LS 2915A MISCALIBRATED (FAILS TO OPERATE) CWSPMPLWO2NX 1E 01 PUMP, MOTOR DRIVEN, STANDBY CP. CWAPLW-02 INADVERTENTLY DISABLED CW6SL2915BNX 1E 02 LEVEL SWITCM 1-LS 2915B MISCALIBRATED (FAILS TO DPERATE) CVCPAPhC02NX 1E 01 AIR COMPRESSOR CP1 CVVPMC 02 INADVERTENTLY DISABLED CVCPAPMC03NX 1E 01 CONDENSER VACUUM PUMP CP1 CVVPMC 03 INADVERTENTLY DISABLED CVCPMPSC01NX 1E 01 PUMP, MOTOR DRIVEN, STANDBY CP1 CWAPSC 01 INADVERTENTLY DISABLED CWCPMPSCO2NX 1E 01 PUMP, MOTOR DRIVEN, STANDBY CP1 CWAPSC-02 INADVERTENTLY DISABLED CWCPOPCWO4NX 1E*02 PUMPS, MOTOR DRIVEN, NORMALLY OPERATING CP1 CWAPCV 04 INAT.EhTENTLY DISABLED FWCVAV2915NX 2E-03 PNEUMATIC VALVE 1 HV 2915 INADVERTENTLY DISABLED DDBPD*WT02NX 1E 02 PUMPS, MOTOR DRIVEN, NORMALLY OPERATING CPX DDAPWT 02 INADVERTENTLY DISABLED EPADGGEE01NX 1E 02 DIESEL GENERATOR CP1 MEDGEE 01 INADVERTENTLY DISABLED EPEDGGEE02NX 1E 02 DIESEL GENERATOR CP1 MEDGEE-02 INADVEttENTLY DISABLED EPXBAiEAX2NX 2E-D4 CCF 0F BOTW ALTERNATE SUPPLY BREAKERS DUE TO LATkNT NUMAN ERROR EPXDGGEEDONX 1E 03 CCF OF BOTM DIESEL CENERATORS DUE TO LATENT HUMAN ERROR ESCCFMISCAL 1E 04 FAILURE OF INSTRUMENT CHANNEL DOE TO CCF MISCALIBRAfl0N RWST LEVEL ESCCFMISCAL1 1E 04 FAILURC OF INSTRUMENT CHANNEL DUE TO CCF MISCAllBRATION CNTMT PRESS. ESCCFMISCAL2 1E-04 FAILURE OF INSTRUNENT CHANNEL DUE TO CCF MISCALIBRATION STM. PRESS. ESCCFMISCAL3 1E 04 FAILURE OF INSTRUMENT CHANNEL DUE TO CCF MISCALIBRATION S/G LEVEL ESCCFMISCAL4 1E-04 FAILURE OF INSTRUMENT CHANNEL DUE TO CCF MISCAllBRATION PR2. PRESS. ESCCFMISCAL5 1E D4 FAILURE OF INSTRUMENT CHANNEL DUE TO CCF MISCALIBRATION RCS TEMP. ESCCFMISCAL6 1E 04 FAILURE OF INSTRUMENT CHANNEL DUE TO CCF MISCALIBRATION RX. TRIP StG. #1 ESCCFMISCAL7 1E 04 FAILURE OF INSTRUMENT CHANNEL DUE 10 CCF MISCAllBRATION RX. TRIP SIG. #2 ESXTLLT517TX 5E 03 LEVEL TRANSMITTER 1 LT-517 MISCALIBRATED ESXTLLT518tX SE 03 LEVEL TRAhSMITTER 1-LT 518 MISCAllBRATED ESXTLLT519TX SE 03 LEVEL TRANSMITTER 1 LT 519 MISCAllBRATED ESXTLLT52TTX 5E 03 LEVEL TRANSMITTER 1-LT 527 MISCALIBRATED ESXTLLT528TX 5E 03 LEVEL TRANSMITTER 1 LT 528 MISCALIBRATED ESXTLLT5291X 5E-03 LEVEL TRANSMITTER 1 LT 529 MISCALIBRATED ESXTLLT537TX 5E-03 LEVEL TRANSMITTER 1 LT 537 MISCALIBRATED ESXTLLT538tX 5f 03 LEVEL TRANSMITTER 1-LT 538 MISCAL!BRATED ESXTLLT539fX SE 03 LEVEL TRANSMITTER 1 LT-539 MISCAllBRATED ESXTLLT547TX 5E 03 LEVEL TRAN: !TER 1 LT 547 MISCALIBRATED ESXTLLT548TX SE-03 LEVEL TRANSMITTER 1 LT 548 Mitr4LIBRATED ESXTLLT549TX 5E-03 LEVEL TRANSNITTER 1 LT-549 MisLAllBRATED ESXTLLT551TX $E-03 LEVEL TRANSMITTER 1 LT 551 MISCALIBRATED ESXTLLT552TX 5E 03 LEVEL TRANSMITTER 1-LT-552 MISCALIBRATED ESXTLLT553TX 5E 03 LEVEL TRANSMITTER 1 LT-553 MISCAllBRATED ESXTLLT554TX 5E-03 LEVEL TRANSMITTER 1 LT 554 MISCAllBRATED ES4TLTE33ETX 5E-03 LEVEL TRANSMITTER 1 LT 833E MISCALIBRATED 3-192

ESXTLT930ETx 5E 03 LEVEL TRANSMITTER 1 LT 930E MISCALIBRATED ESXTLT931ETx 5E 03 LEVEL TRANSMITTER 1 LT 931E MISCAllBRATED EsxTLT932ETx SE-03 LEVEL TRANSMITTER 1 LT 932E M!$CAllBRA1ED ESxTLTRAN1TX SE 03 LEVEL TRANSMITTER TRAN1 MISCAllBRATED EtXTLTRAN2TK 5E 03 LEVEL TRANSMITTER TRAW2 MISCALIBRATED E1XTLTRAN3fx 5E-03 LEVEL TRANSMITTER TRAN3 MISCALIBRATED ESMTPPT455fx 5E 03 PRESSURE TRANSMITTER PT 455 MISCAllBRATED EtXTPPT456TX SE 03 PRESSURE TRANSMITTER 5T 456 MistALIBRATED ESKTPPT457Tx 5E 03 PRESSURE TRANSMITTER PT 457 MISCALIBRATED EsxTPPT458TX 5E 03 PRE $$URE TRANSMITTER PT 458 Ml$tAllBRATED ESXTPPT514TX SE 03 rii$$URE TRANSMITTER PT 514 MISCALIBRATED E$XTPPT)15fx 5E 03 PRESSURE TRANSMITTER PT-515 MISCAllBRATED E*KTPPT516TX SE-03 PRESSURE TRANSMITTER PT 516 MISCALIBRATED {' EsxTPPT524Tx $E 03 PRESSURE TRANSMITTER PT 524 MisCAllBRATED E$XTPPT525fx 5E 03 PRESSURE TRANSMITTER PT 525 M!stALIBRATED ESXTPPT526TX SE-03 PRESSURE TRANSMITTER PT 526 MI5 CALIBRATED ESXTPPT534TX 5E 03 PRESSURE TRANSMITTER PT 534 MISCALIBRATED ESXTPPT535fx 5E-03 PRESSURE TRANSMITTER PT 5a3 M!$ CALIBRATED

  **XTPPT536Tx      5E 03 PRESSURE TRANSMITTER PT 536 MISCALIBRATED
   'I    'oT544Tx   5E-03 PRESSURE TRANSMITTER PT-544 M11 CALIBRATED a- '545f t    5E 03 PRESSURE TRANSMITTER PT 545 MISCALIBRATED

/ *- 4546Tx 5E 03 PRESSURE TRANSMITTER PT 546 M13CAlllRATED f934TX SE 0! PRESSURE TRANSMITTER PT 934 MISCAllBRATED

          -l935fx   $E 03 PRESSU8E TRANSMITTER PT 935 MisCALIBRATED
           >T936TX  SE 03 PRESSURE TRANSMITTER PT 936 MISCAllBRATED

4. PPT 93TTX SE 03 PRESSURE TRANSMITTER PT 937 MISCAllBRATED ESXTTTE411TX 5E 03 TEMPERATURE TRANSMITTER TE-411 B MISCAllBRATED ESXTTTE421TX 5E 03 TEMPERATURE TRANSMITTER TE 421 B MISCAllBRATED ESXTTTE431TX 5E 03 TEMPERATURE TRANSMITTER TE-431 B MISCAllBRATED EsxTTTE441TX 5E 03 TEMPERATURE TRANSMITTER TE-441 B MISCALIBRATED MSXYPARv00NX 2E D4 ALL ARVs UNAVAILABLE DUE TO LATENT HUMAN ERROR MSZVXCIT55Fx 5E 03 MANUAL VALVE 1CI 0755 MISALIGNED CLOSED RC&CCF5558 $E-D4 COMMON CAUSE MISCALIBRATION OF PT 455 AFD 458 RC&CCF55678 SE 05 COMMON CAUSE M.!SCAllBRATION OF PT 455,6,7,8 RC&CCF5657 5E 04 COMMON CAUSE WISCALIBRATION OF PT 456 AND 437 RC&CCF5kVS 5E D4 CCF MISCALIBRATION OF 2 DR MORE SRVS RCAVM3000AFx SE 03 MOTOR-OPERATED VALVE 18000A INADVERTENTLT DISABLED RCAVMS000BFx 5E 03 MOTOR OPERATED VALVE 1 80008 INADVERTENTLY DISABLED RCAVPCV456NX $E 03 PORY 1-PCV 456 INADVERTENTLT DISABLED RCAVPV455ANX SE 03 PORV 1 PCV 455A INADVERTENTLY DISABLED RCBVAV455BNX 1E 03 PNEUMATIC VALVE 1 PCV 455B INADVERTENTLT DISABLED RCSVAV455CNX 1E 03 PNEUMATIC VALVE 1 PCV-455C INADVERTENTLY DISABLED RHAPMAPRMINX 1E 02 RHR TRAIN 1A iMAVAILABLE DUE TO LATENT HUMAN ERROR RHAVM8701ANx SE 03 MOTOR-OPERATED VALVE 1 8701A INADVERTENTLY DISABLED RHAVM8702ANx 5E 03 MOTOR OPERATED VALVE 1 8702A INADVERTENTLY DISABLED RNAVHS811 ANK 5E-03 MOTOR OPERATED VALVI 1-B811A INADVERTENTLY DISABLED 3-193 l

RHAVM8812AFx 1E 03 MOTOR OPERATED VALVE 18812A INADVERTENTLY DISABLED RMBPMAPRK2NX 1E 02 thR TRAIN it UNAValLABLE DUE TO LATENT HUMAN ERROR RNBvM8701BNX 5E 03 MOTOR OPERATED VALVE 1 87018 INADVERTENTLY DISABLED RHBVM8702BNX SE 03 MOTOR OPERATED VALVE i 8702B INADVERTENTLY DISABLED RMBVM8811BNX SE 03 MOTOR OPERATED VALVE 1 88118 INADVERTENTLY DISABLED RNBVM8812BFX 1E 03 MOTOR OPERATED VALVE 1 88128 INADVERTENTLY DISABLED RMXTLLT930TX SE 03 LEVEL TRANSMITTER 1 LT 930 FAILS DUE TO MISCAllBRATION - RHXTLLI931TX SE*D3 LEVEL TRANSMITTER 1 LT 931 FAILS DUE TO MISCAllBRAil0N kHXTLLT932TX SE 03 LEVEL TRANSMITTER i LT 932 FAILS DUE TO MISCAllBRAil0N RNXTLLT933fx 5E*03 LEVEL TRANSMITTER 1 LT 933 FAILS DUE TO MISCALIBRATION RNxvM18840MX 5E 03 MOTOR OPERATED VALVE 18840 INADVERTENTLY DISABLED RMxVX8717XNX SE 05 MANUAL VALVE 18717 MISALIGNED OPEN $1APMPS101NX 5E 02 St PUMP TRAIN A UNAVAILABLE DUE TO HUMAN ERROR SIATU T" 3TX 5E 03 LEVEL TRANSMITTER 1 LT 950 MISCAllBRATED SIATLLTL .iX SE-03 LEVEL TRANSMITTER 1 LT 951 MISCAllBRATED SIATPPT960TX SE 03 PRES $URE TRANSMITTER 1-PT 960 MISCALIBRATED SIATPPT961TX SE 03 PRESSURE TRANSMITTER 1 PT 961 MISCAllBRATED SIAVM8923AFX SE 03 MOTOR OPERATED VALVd 1-8923A INADVERTENTLY DISABLED (misaligned closed) SIBPMPS102MX SE 02 St PUMP TRAIN B UNAVAILABLE DUE TO MuttAN ERROR SIBTLL1952TX 5E 03 LEVEL TRANSMITTER 1 LT 952 MISCALIBRATED SISTLLT953fX 5E 03 LEVEL TRANSMITTER 1 LT 953 MISCALIBRATED StBTPPT962TX SE t 3 PRESSURE TRANSMITTER 1 PT 962 MISCALIBRATED

$1BTPPT963TX    5E 03 PRESSURE TRANSMITTER i PT 963 MISCAllBRATED.

SIBVM8923BFX 5E 03 Motoa OPERATED VALVE 1 89238 INADVERTENTLY DISABLED (misaligned closed) SICCFMISCAL 2.5E 06 FAILURE OF INSTRUMENT CHANNEL DUE TO CCF Ml3CAllBRAT10M

$1CTLLT954TX    5E 03 LEVEL TRANSMITTER 1 LT 954 MISCAtlBRATED SICTLLT955TX    SE 03 LEVEL 1RANSMITTER 1 LT 955 MISCALIBRATED SICTPPT964TX    5E 03 PRES $uRE TRANSMITTER 1 PT 964 MISCAllBRATED SICTPP1965TX    SE*03 PRESSUI.E TRANSMITTER 1 PT 965 MISCALIBRATED SIDTLLT956TX    5E 03 LEVEL TRANSMITTER 1 LT 956 MISCAllBRATED SIDTLLT957TX    SE 03 LEVEL TRANSMITTER 1 LT 957 MISCALIBRATED SIDTPPT966TX    5E 03 PRESSURE TRANSMITTER 1 PT 966 MISCALIBRATED
$1DTPPT967TX    5E 03 PRESSURE TRANSMITTER 1 PT 967 MISCAllBRATED
$1XVM18806FX    1E-03 MOTOR-OPLRATED VALVE 1 8806 MISALIGNED CLOSED SIXvM18813FX    1E 03 MOTOR OPERATED VALVE 1-8813 MISALIGNED CLOSED
$1XVH18835FX    1E 03 MOTOR OPERATED VALVE 1-8835 MISALIGNED CLOSED SIXVM18924FX    5E-03 MOTOR OPERATED VALVE 1 8924 INADVERTENTLY DISABLED SIXVM8804BNW    SE 03 MOTON-OPErnTED VALVE 1 88048 INADVERTENTLY DISABLED
$1XVX8816FX     2E 04 MANUAL VALVES 1SI 8816A, B, C, & D MISAllGNED CLOSED DUE TO COMMON CAUSE SIXVX8822FX     2E-04 MANUAL VALVES 1SI 8822A, B, C, & D MISALIGNED CLOSED DUE TO COMMON CAUSE SWXFNNWO6NX '    1E-02 SSW TRAIN "A" VENTILAfl0N INADVERTENTLY DISABLED SWXFNWW38NX      1E 02 $$W TRAIN "B" VENTILATION INADVERTENTLT DISABLED SWXPMPT'.01NX  -1E 02 SCREEN WASH TRAIN 01 UNAVAILABLE DUE TO LATENT HUMAN ERROR SWXPi*' TS02NX   1E 02 SCREEN WASH TRAIN 02 UNAVAILABLE DUE TO LATENT HUMAN ERROR 3-194

_ _ _ _ _ - _ - _ - _ _ - - _ . _ _ _A

l TWEPOPTP01NX 1E 02 PUMPS, MOTOR DRIVEN, NORMALLY OPERATING CPX TWAPTP 01 INADVERTENTLY DISABLEC VAACUCCR03NX 1E 02 CHILLER CPX VAACCR 01 INADVERTENTLY 015ABLED DYNAMIC ACTIONS MODElf;R Re following dynamic actions were modeled in the accident sequence logic, or in the system models if appropriate. Basic Event h Descriotion LAFSCTR $E-02 OPERATOR FAILS 10 ISOLATE TDAFWP $ TEAM $UPPLY FOLLOWING SGTR Upon a SGTR, the operators sust isolate the steam stoply to the Turbine Driven AF pwp f rom the rwtured steam generator. If 5e f alls, the overfilling of this generator will f all the turbine. He must conplete this task prior to overfill, at appron 30 minutes. 18FXXINITNT 1E 03 OPERATOR FAILS 10 INITIATE FEED AND SLEED Upon loss of all AF and main feedwater, the operators sust initiate bleed and feed within 15 minutes to mainteln core cooling.

  &CHSTART     1E 02 OPERATOR FAIL 5 TO MANUALLY ACTUATE STANDBY CH PUMP Upon autostart of the motor driven AF pumps, the operators must start the stan&y chilled water pu:ps to ensure roca c,oling is available to the AF punp train in which chilled water was in stanty. Due to the slow room bestup, they have several hours to perform this task.
  &CMTHROTTLE  3E 01 OPERATOR FAILS TO THROTTLE WRV FOLLOWING LOSS OF AIR Upon a loss of instrument air, the operators must locally manually throttle the CC flow through the safety chiller condenser to prevert it f rom tripping on low suction pressure. Although they have approximately one hour, the location of the control valve relative to the indlcation la unfavorable.
  &CRACSNT 5E 02 OPERATOR FAILS TO MANUALLY TRIP ESFAS UPON EXCEEDING CTRL ROOM EQ. TEMPS Upon a loss of HVAC to the control room, the operators must assure that the ESFAS signals are processed prior to ESFAS equipment f ailure in the control room. The operators have several hours, based on the slow heatup rate of the control room.
  &LTS          1E 02 CPERATOR FAILS TO INITIATE EMERGENCY BORATION Af ter en ATVS with successful establishment of secondary heat removal, the operators must initiate emergency boration to ensure that the reactor is eventually shutdown. Since the RCS is being cooled, the operators have at least e i hour to acconplish this.

LMRI 2E 02 OPERATOR FAILS TO INSERT ROOS MANUALLY AFTER ATWS Upon an ATWS, the operators must manually drive the control rods in, if they cannot be tripped, in order to be successful, they must begin within the first few minutes of the event. 3-195

   -_ _               .      _ _ _         . _ _      ~__ - .-                _.            ._ _ _             _       _

L 4 4

          &RCXXD1        2E 03 OPERATOR FAILS TO REALIGN CCPS, SIPS, AND RHPS TO RECIRC. (NOT OR COLD)

Af ter a LOCA and coupletion of the injection phase, the operators must realign the suction of the CCPs and SIPS to the discharge of the RH pumps. This task is {nitiated when the RWST reaches 40%. The Switchover aust be conpleted prior to att peps tripping on low suction pressure, s a. l &R$lxENOSINT 2E 02 OPERATOR FAILS TO TERMINATE ECCS BEFORE FlLLING PRESSURIZER l On a LOCA, or spurious $ signal, where the injection capacity exceeds break flow, ti.e operators aust termNte the ECCW injection flow prior to overfilling the pressurf ter. . If they f ait, the opening o. the relief valves may lead to their f ailure :o reclose. This would induce a LOCA l through the relief valve. In cases In which there is no break flow, the operators will have-i approx. 10 minutes to secure the unnecessary puppa, t

          &RTEx01A2      it 02 OPERATOR FAILS TO TRIP RE 4 TOR AFTER AUTO TRIP FAILURE On en ATWS, the operators must attengt to trip the reactor from the control room. This will only he successful if the failure was not We to the reactor trip breakers. They sust make this attempt within the first minute of an ATWS.

i &SCLxAFWXNY 1E 02 OPERATOR FAILS TO CONTROL AF FLOW TO 4 S/Gs The flow from the AF punps to the steam generators is controtted by remote manual valves. Following an autostart of the AF, the operators aust throttle the flow within 45 minutes to prevent overflLL of the steam generators. L. S$GTR01 1E 06 OPERATOR FAILS TO ISOLATE BREAK FLOW ON SGTR AFTER 2 HOURS I. Af ter a steam generator tube rtpture with successful establishment of ECCS injection andg i secondary heat removal, the operators must terminate break flow prior to deptetton of the RWST.

This is accomplished by depressurtaing the non ruptured generators to cool the primary, then depressurizing the primary. They have approx. 18 hours to perform this task.

SSGTR02 1E 02 OPERATOR FAILS TO TERMINATE BREAK FLOW ON SGTR AFTER ECCS FAllVRE I Af ter a ateam generator tube rupture w'ith successful secondary heat removal but f alture of ECCS,

j. the operators can prevent core u1covery by terminating break flow. This is accomplished by.-

depressurtains the non ruptured generators to cool the primary, then depr'essurlaing the primary. ] l They have approximstely 1 hour to perform this task. 4

           &SGTR03        1E 02 OPERATOR FAILS TO ENTER CLOSE LOOP COOLING AFTER SGTR

. Af ter a steam generator ttbe rupture, with successiut ECCS inpction and secondary heat removat, but f ailure to terminate break flow We .to equl'pment unavaltability, they can prevent core-uicovery due to ECCS f atture at RWST depletion by allowing the RCS to depressurize low enough to align RH to closed loop cooling. This sust be acconplished prior to RWST depletion at approx. 18 hours.

           &TURBTRIP      IE 02 CPERATOR FAILS TO TRIP TPS TURBINE FROM THE CONTROL Ro0M AFTER ATWS l
                        - Upon an ATWS, the operators must trip the turbine if_. it was not tripped by AMSAC. This will limit the amount of feedwater taken off by the turbine, and delay steam generator dryout. . This -

_ must be accomplished within the first minute to be considered successful. i 3l% 4 1 4

                                                 -       . - _ -      . . ~ .    .. _ _       __                _ . _         .

I ETUMANUAL 1E 01 OPERATOR FAILS TO OPEN XTW 0027 FOLLOWING Lapte0N PUMP AUTO START Upon f ailure of the running Turbine Plant Cooling Water Pup, the stardy pusp will auto start. However,.its discharge valve is nearly closed. ' An Auxillery Operator must locally open this manual valve to ensure that TPCW la maintained. The valve is normatty closed to prevent a water hammer from damnging the system on pump start @. Given that the valve is partially open, and the slow heat @ rate of the system, the operators have appron.15 minutes to futty open this valve. AFMANSIART 5E 02 OPERATOR FAILS TO MANUALLT START AF PUMPS ON AUTO START FAILURE Af ter a transient, the AF ptmps are auto started to mainteln steam generator Jevel. If they have not received a signal to start dJe tb ESFAS equipment f atture, the operators aust manually start the pumps. They sust start the pumps prior to the point in which level is now enough to significantly reduce the heat reaevel capacity of the secondary system at approx.~ 15 minutes. AFTDMAN 1E 02 OPERATOR T AILS TO LOCALLT THROTTLE TDAFW FLOW ' ;S AFTER LOSS OF SUPPORTS Upon a loss of support systems, either instrument - .r DC power, the control valves for the turbine driven AF pump f all open. With full flow adattted to the steam generators, they will overftll and fall the turbine. The operators nust locally manually throttle the flott prior to-overfill at approx. 90 minutes after failure of the support system. CF&MFWRES1 5E 02 OPERATOR FAILS TO REESTABLISH MAIN FEEDWATER AFTER LOSS OF ALL AF Upon a tosa of att Auxiliary Feedwater, the operators must restore main feedwater flod to the steam generators. This is acconplished by resetting isolation signals and opening the valves, all from the control room. The operators must perform this prior to steam generator dryout at approx. 15 minutes. CF&MFWRESTS 1E 01 OPERATOR FAILS TO REESTABLISH MAIN FEEDWATER AFTER AN $ SIGNAL Upon a tons of att Auxillary Feedwater, the operators nust reatore main feedwater to the steam generators. if a 3 signet is present, they sust reset the isolation signets, including the S signal, restart a main feedpung, and allen a flowpeth to the steam generator. This must be perforsed prior to steam generator dryout at approx.- 15 minutes. CIBRESETSINY 1E 03 OPERATOR FAILS TO RE ESTABLISN INSTRUMENT AIR FOLLOWING #S" SIGNAL Upon receipt of an S signal, the instrument air compressors powered from the 1E busses are tripped, as they are not 1E classified. After the event is stabilized, the operators sust restart these cargressors in order to maintain instrument att for control of air operated valves. Given that att valves that must be operated have a 30 minute air accumulator, the operators must complete this task within 30 minutes. - CISTARTX -5E 02 OPERATOR FAILS TO STAtt EITHER COMMON COMPRESSOR TRAIN If the normat instrument air compressors are unavailable, the operators may start a consnon s compressor. This event models the cognitive f ailure to attaapt to t tart either compressor. This must be acconplished prior to the accunutators deplet'ng at 30 rn*nutes. 3-197

i CISTARTX01 1E 01 OPERATOR FAILS START COMPRESSOR X 01 AND OPEN 1 HV 3476 If the normal instrunent air compressors are movellable, then the operators may start consson compressor X 01. This must be acconplished within 30 minutes of losing instrument air CISTARTF02 it 01 OPERATOR FAILS 70 START COMPRESSOR X 02 AND OPEN 1 HV 3464 If the normat instrument air conpressors are unavaltable, and comon conpressor X-02 f aits., the operators may start comon ccripressor X 02. This must be acconptished prior to acewulator depletion at 30 minutes. CSGCCPRECOV 1E 02 OPEPATOR 8 AILS 10 MANUALLY ACTUATE THE CCPs if the Positive Olsplacement Pwp becomes mavailable, the operators must start a Centrifugal Charging Pw p to maintain seat injection. This nust be performed prior to the postulated seal failure time of 45 minutes. CSaSSWRECOV 1E 02 OPERATOR FAILS TO PROVIDE MANUAL ACTIONS REQUIRED FOR ALTERNATE SW COOLING If station service water la Lost to a Centrifugal Charging Pupp, the operators sust align fire protectlen or demineralized water to the tube oil cooler to prevent the punp from f alling. Because of the large site of the sep, the operators have approximately one hour to perform this task. CSHCV182 5E 02 OPERATOR Falls TO MANUALLY CONTROL HCV 182 AFTER LOSS OF SuoPORT SYSTEMS Seal injection to the RCPs is diverted from normal charging by 1 HCV 182, which faits open on loss of support systems. If this occurs, an auxiliary operator must locally throttle it, or its isolation valve, to divert flow to the RCP seats. This must be accorplished prior to the postulated seat failure time of 45 minutes. CWS1239 1E 01 OPERATOR FAILS TO ACTIVATE CP1 CWAPCW 04 WHEN NEEDED Upon f atture of a Circulating Water Pwp, the operators must start the stan&y CWP. This will ensure the availability of the condenser for steam dwps and for the main feedwater purps. CWECES1030 1E 01 OPERATOR FAILS TO START PUMo 03 AFTER FAILURE OF 01 AND 02 Upon f atture of two condenser vacuun pwps, the operator must start the standby purp. This will ensure that condenser vacuun is maintained and that the steam dwps and main feedwater peps are available. CWN0ZZLE 5E 02 OPERATOR FAILS TO ISOLATE ONE HALF OF THE N0ZZLES WNEN A SCR WP IS IN MAINT. If one circulating water screenwash pung is unavailable, the operators nust throttle one half of the screenwash flow nozztes to attain enough discharge pressure to clean the travelling screens. This must be acconplished pejor to tripping of the circulating water pupps on low suction pressure. This is expected not to occur for many hours, ECA 1.1 1E 01 OPERATORS Fall TO USE ECA 1.1 ON LOSS OF RECIRC. CAPABILITY Upon loss of recirculation capability, the operators must reduce ECCS injection flows and align a source of make w water to the Refueling Water Storage Tank. This will ensure that the core remains cooled mtil equipment can be repaired, and recirculation can be acconplished. They will 3-198

  . ~ .- . -.- . .            -          . . ~ . -- - -.                  - -         - - -    -.                 -           . . - - - . . - - - .

d be aware of the loss of capability many hwes before recirculation is required, as the procedure directs them to verify the capability.

EP1PC10P 1E 02 OPERATORS FA!L'TD SWAP TO UNREGULATED POWER ON Loss 0F POWER TO 1PC1 Upon loss of the instrument inverter to 1PC1, the operators sust elign_mregulated AC power to the protection chamel. This will ensure continued controllability of selected systems. This must be accesplished within 45 minutes to prevent a seal LOCA, or steam generator overfill.

EPIPC2DP 1E 02 OPERATORS Fall TO SWAP TO UNREGULATED INSTRUMENT POWER . Upon loss of the instrunent inverter to 1PC2, the operators must allen mregststed AC power to the protection channel. This will ensure continued controllability of selected systems. This g must be accomplished within 45 minutes to prevent a sesl LOCA, or steam generator overfill, EP1PC30P 1E 02 OPERATOR FAILS TO SWAP TO UNREGULATED POWER f Upon toss of the instrument inverter to 1PC3, the operators must align mregulated AC power to the protection channet. This will ensure continued controllability of selected systems. This

sust be accomplished within 45 minutes to prevent a seat LOCA, or steam generator overfill.

1 i EP1PC40P 1E 02 OPERATOR FAILS TO SWAP TO UNREGULATED POWER j; Upon loss of the Instrunent inverter to 1PC4, the operators must align mregulated AC power to the protection channel. This will ensure continued controllability of selected systems. This

must be accomplished within 45 minutes to prevent a seat LOCA, or steam generator overfilt.

3 EPACMANST 1E 02 OPERATOR FAILS TO START SAFETY CHILLER Upon loss of normal cooling to the 1E electrical bus rooms, the operators must start the safety I chitted f an coolers. This will ensure that equipment f ailures due to high room tenperature do not occur. Based on room heat up rates, the operators have at least 12 hours to perform this task. ESSMAN 5E 03 OPERATOR FAILS TO START LOADS AFTER SEQUENCER FAILURE j Upon f ailure of the ESFAS Sequencer to load the reqtitred conponents, the operators must manually start the equipment. This action in dictated by the Emergency Operating Procedures, and is regJired to be memorized by the operators. This must be accomplished within the first few minutes to be considered successful.

                   -RC&8000A    1E 01 OPERATOR FAILS TO OPEN BLOCK VALVE WHEN MANUALLY OPENING PORV Upon initiation of bleed and feeds the operators must open the PORV block volve when opening a l                                PORV, if the block valve had been closed due to excessive leakage.

RC&80008- 1E 01 OPERATOR FAILS TO OPEN BLOCK VALVE WHEN MANUALLY OPENING PORV Upon initiatim of bleed and feed, the operators nust open the PORV block valve when opening a PORV, if the block valve had been closed due to excessive leakage, l.

4 6 )' 3-199

    ~ .-                                                  ..m.  , . . ,,w     . , - .   .    ,    .--e, . , ew,,,   , ,-m,..+~                     ,,--v.,,--.., ~ ,,w.~,

RCAVM8000 AFT 2E 03 OPERATOR FAILS TO ClosE Mov 1 8000A Upon the f ailure of PORY A to close, the operator sust close the block valve to isolate the break. This nust be 6ccorplished prior to core meovery et approx.110 minutes, given that ECCS is not evaltable. RCAVM80008FT 2E 03 OPERATOR FAILS TO CLOSE MOV 1 80008 Upon the f ailure of PORV B to close, the operator sust close the block valve to isolate the break. This must be acconplished prior to core uncovery at approx.110 minutes, given that ECCS is not available. RCXTKN2$UPTT 5E 02 OPERATOR FAILS TO RECHARLE ACCUMULATOR If the Pressuriger PORV is required to cycle more than 100 tinies, the operators nust redwin the nitrogen accunutator that provides motive power to the valves. This task eust be accomplished prior to f atture of the bleed and feed function, which may take Lp to one hour, given that the PORV has cycled 100 times. . 4 RHMANSWAP 1E-01 OPEkATORS Fall TO MANUALLT REALIGN RH RIMP SUCTION TO SUMPS If the RM system f alls to automatically swap its suction to the containment sunp Lpon reaching 40% levet in the RWST cbe to a signal f alture, the operators must reation the valves manually. This aust be done prior to f ailure of the pupa on low suction pressure. The window of time between rece'pt of the 40% levet alarm and tripping of the punp is expected to exceed 20 mir Jtes. RTaSCMANNX 1E 01 OPERATOR FAILS To MANUALLT TRIP THE REACTOR AT THE TRIP BREAKER On an electrical ATWS, if the operators are unable to trip the reactor from the controt room, an Auxiliary Operator must trip the reactor at the reactor trip breakers. Since the secondary plant is required to be renoving the heat of the core, the time window for success is relatively long. Hocever, they must couplete the task within 10 minutes to be considered successful. SWSCREENST 5E 02 OPERATOR FAILS TO RESTART SCREENWASM PUMPS AFTER S, ON CLOGCED SCREENS Upon receipt of an S signal, the Station Service Water travelling screens and screenwash purps are tripped. Af ter the plant has stabilized the operators are instructed by the procedures to reload this equipent. This must be acconplished prior to the point at which the service water puvs trip on low suction pressure. This time is expected to be very targe, greater than 20 hours. VASHVACSTART 1E 02 OPERATOR FAILS TO START CR HVAC Upon f ailure of the running control room HVAC unit, the operators must start the stancby unit. This must be perfossed prior to falture of the equipnent in the control roce. Based on the heettp rate in the control room, this is expected to take more than 10 minutes to occur. 3-200

RECOVERY ACTIONS APPLIEQ l

         'Ihe following recovery actions were added to cutsets, if appropriate, after examining the elements and             i determining their applicability to the sequence.

B Basic Event r Erph heerfetion AFARECOV 4.5E 01 OPERATOR FAILS TO RECOVER THE FAULTED TRAIN A MDAFWP Based on review of the data in Ref. 23, the f raction of pmp f at tures that cannot be recovered within 2 hour s is 0.45. AFSRECOV 4.5E 01 OPERATCA FAILS TO RECOVER THE FAULTED TRAIN 8 MDAFWP Based on review of the data in Ref. 23, the f raction of pugs f attures that cannot be recovered within 2 hours is 0.45. AFCRECOV 6.5E 01 OPERATOR FAILS TO RECOVER THE FAULTED TDAFWP Based on review of the data in Ref. 23, the fraction of purp f ailures that cannot be recovered within 2 hours is 0.45, i AFISOLRECV 1E 02 OPERATOR FAILi, TO REOPEN LATENTLT MISALIGNED AF ISOLATION VALVES If the AF flow paths to the r. team generators had all buen latently misaligned, the operators must open these valves upon diagnosis of the probtem. Since the controls and indications are all located on the control board, and flowrotes must be verified upon auto start of the purps, the operators will perform this step very early on. This must be conpleted prior to dryout of the steam generators at approx. 15 mi mtes. AFRECOVX01 1E 01 OPERATOR FAILS TO RECOVER INADVERTENTLY MISALIGNED 1AF 007 If the svetion valve to the AF punps was latently misaligned, the operators must open this valve prior to the steam generators drying out at approx. 15 minutes. CCxTIE 1E 02 OPERATOR FAILO 10 CROSS TIE TO UNIT 2 CC AFTER LOSS OF ALL UNIT 1 CC If all Unit 1 CC is unavailable, the operators must restore CC tr/ cross-connecting it to a Unit 2 CC train. This will not prevent a seal LOCA, but will enable the ECCS system to be aligned to recirculation by making heat removal from the RH heat exchanger available. Assuning that a large seal LOCA was induced, the operators have t.t least 18 hours to perform this task. EP0GRUN1 2.5E-01 OPERATOR FAILS TO RECOVER A O!ESEL GENERATOR THAT HAS FAILED To RUN If a single dieset generator has f alted during its mission time, it must be recovered by the operators. Based on review cf the timited data in Ref. 23, a conservative f atture probability of 0.25 was chosen as the probability that operators cannot recover this generator prior. to core uncovery, which takes at least 110 minutes to occur. EPOCRUN2 1E 01 OPERATOR FAILS TO RECOVER A DIESEL GENERATOR WHEN BOTH HAVE FAILED TO RUN If both c:lesels have failed during their mission time, the probability of not recovering both diesels is higher th.in the independent fatture squared. This event models that probability. 3-201 1 j

  . . - _ . - . ~ .            -. --           . .- .- .              .  . . - -,              . - ~ ~ _ . .           -               - ~

l l 1 EPDGSTA*T1 2.5E 01 OPERATOR FAILS TO RECOVER A DIESEL GLNERATOR THAT HAS FAILED TO UTART If a alngle diesel generator has f at ted to start, it aust be recovered by the operators. Based i on review of the limited data in Ref. 23, a conservativr failure probability of 0.25 was chosen 4 as the probability that operators cemet recover this generator prior to core mcovey, which takes at least 110 minutes to occur. 4-EPDGSTART2 1E*01 OPERATOR FAILS TO RECOVER A CIESEL WHEN BOTH HAVE FAILED TO START If both diesels have failed to start, the probability of not recovering both diesels is higher than the independent falture sguared. This event models that probability. l LATERECIRC 1E 01 OPERATORS AND PLANT STAFF Fall TO REAllGN TO RECIRC. ON LATE REclRC EVENTS On events in which recirculation is entered into very late, chas to the small break flows and large RWST volume, the probability of not entering recirc. Is overty coruservative. Therefore, this correction f actor can be added to the cutss;s to adjust the probability of that event.

PUMPRUN1 5E-01 OPERATOst FAILS TO RECOVER PUMP WHEN ONLT ONE PUMP NAS FAILED TO RUN

) If a service water pump f allt during its alssion time, the operators saast restore the pump to ereure continued Lest removat trem the equipment. Based on review of the data in Ref. 23, the 2- probability that they not ouccessfully restore the puip within 2 hours is 0.5. l ^ PUMPRUW2 5E 01 OPERATOR FAILS TO RECOVER A PUMP WHEN TWO OR MORE HAVE FAILED To RUN if both service water puips fait in their mission time, the proba,bility of f alling to recover a pump is greater than the independent recovery f alture squared, due to redistribution of the manpower. This event models that possibility. S.lXTIE 1E 02 OPERATOR FAILS TO CROSS CONNECT TO THE UNIT 2 SV SYSTEM ON LOSS OF ALL SW If att Unit 1 SW is mavailable, the operators must restore SW by crossconnecting it to a Unit 2 SW puip. This wlLL not prevent a seal LOCA, but will enable the ECCS system to be aligned to recirculation by making heat removal from the RH heat exchanger avaltable. Assuming that a large 1 seat LOCA was induced, the operators have approx. 110 minutes perform this task, prior to core uncovery. TDPUMPRUN 6E 01 OPERATOR FAILS TO RECOVER THE TDAFWP WHEN IT HAS FAILED TO RUN

                                       !* the Turbine Driven AF puip f alls during its mission time, .the operators must recover it.

Based on the data avaltable in Ref. 23, the operators will be unable to restore the puip 60% of the time. TDPUMPST 4E 01 OPERATOR FAILS TO START THE TDAFWP WHEN IT HAS FAILED TO START

                                     -If the Turbine Driven AF pump f alls to shrt, the operators nn.st start it. Based on the data in Ref. 23, the operators will be unable to successfully start it 40% of the time.

X1 RECOVER 2E 01 OPERATOR FAILS TO RECOVER 125 VDC BUS 1ED) IN 2 HOURS If 1E DC bus 1ED1 f aults, the operators must repelr and re energize it within 2 hours to make the equipment powered by this bus avaltable. Based on the data in Ref. 23, they will be unable' to do this 20% of the time. 3-202 t

X2 RECOVER 7.7101 OPERATOR FAILS 10 RECOVER THE FAULTED $4FETY CHILLED blATER $T$IEM If both trains of safety chilled water fall, as the initiating event, then the operater must restore one train prior to equipment failures. This recovery event was generated by enemining the specific f alture evente and adding event specific recoveries to the initiating event model. The recovery events consisted of recovering the f aulted ewipnent. 26RECOVEE 6.5E 03 OPERATOR FAIL? 10 RECOVER CC VITHlW 2 HOUR $ If both trains of ccr@onent cooling water f all, as the initiating event, then the operator sust restore one train prior to entering the recirculation phase. This recovery event was generated by examining the specific f alture events and addinC event specific recoveries to the initiating event model. The recovery events consisted of recovering the f aulted equipnent, or. cross tieing to a Unit 2 train. M7 RECOVER 5E 03 OPERATOR FAILS 10 RECOVER $W IW 2 HOUR $ If both trains of station service water felt, as the initisting event, then the operator must restore one train prior to core uncovery. This recovery event was generated by examining the specific f ailure events and adding event afecific recovertes to the initiating event model. The recovery events consisted of recovering the f aulted ewipwnt, or cross-tising to a Unit 2 train. IMPORTANT HUM AN INTERACTIONS At the end of the final quantification, the Fussel/Vessely importance factors were derived for all His that appeared in the cutsets that had a probability of IE-09 or greater. The His with an importance value of IE-02 or greater are: Table 3.3.3-1: Important Human Interactions Human Interaction Probability F/V Value

                         &RCXX01                     2.00E-03                           1.1IE-01 LATERECIRC                   1.00E-01                         8.91E-02 EPDGSTART!                   2.50E41                           8.25E-02 EPBDGGEE02NX                 1.00E-02                          6.64E-02
                         &SGTROI                      1.00E44 -                         6.45E-02 AFCPTPTD01FX                 2.00E-02                          6.34E-02 EPADGGEE0lNX                 1.00E-02                           5.00E-02 ECA 1.1                      1.00E-02                           4.16E-02 EPDGRUN1                     2.50E                         3.30E-02 X1 RECOVER -                 2.00E-01                            3.24E-02 3-203

_ .. J

Table 3.3.3-1: Important Human Interactions (continued) Human Interaction Probability F/V Value CS@SSWRECOV 1.005 02 3.01E-02 PUMPRUN1 5.00E-01 2.97E 02 TDPUMPST 4.00E-01 2.41E 02 TDPUMPRUN 6.00E-01 2.32E-02

                         &SGLXAFWXNY                1.00E-02            2.20E-02 EPXDGGEE00NX              2.00E-04             2.06E-02 X6 RECOVER                4.50E-03             2.05E-02 AFTDMAN                    1.00E-02            1.72E-02 15X2 RECOVER             7.70E-01             1.72E-02 EPDGSTART2                1.00E-01            1.50E42 X7 RECOVER                5.00E-03             1.36E-02 3.3.4 Common Cause Failure Data The common cause failure (CCF) database for the IPE project was develop. I based on the meth; 'agy developed by Pickard, Lowe anJ Garrick, Inc. (PLG) (Ref.1). The Multiple Greek Letter (MGL) model (Ref,2) was used to quantify the effect of common cause events, i

The Multiple Greek Letter (MGL) model is the one used most frequently in the International Common Cause Failure Reliability Benchmark Exercise (Ref.11). The primary objective of the MGL model is to calculate the probability of multiple :omponent failure due to a common cause. For such a calculation for a system of m components, the component failure probability Q and the m-1 different parameters pi (i = 2,...m) are defined below: Q,: Total failure probability of a component due to both independent and common cause events. 3-204

i p,: Conditional probability that the cause of a component failure will be shared by one or more additional components, given that 11 specific components have failed, where p, = S, p3 = 6, p4 = 7.... Q,, the probability of k specific component failures due to a common cause, can be expressed in terms of Q, and the MGL parameters, as shown by the following equation: f ~ 1A Q,-1/ "_ g ([f.i{ p,)(1-p,,i)Q, (k- 1,..m) 3.3.4.1 i where pi = 1. 92 = 4. 93 = 7. P. = 6. .., p. . = 0. The simple point estimators for the MGL parameters p, are: N Eh

a p,=] (i-2,3,..m) 3.3.4.2 E a, A i+1 where n, is defined as the number of events involving the failures of exactly k components. Theoretically, the values of the MGL parameters for an m-component system can be estimated by knowing the values of an . In other words, the MGL parameter is a function of nu . It is important to note that the application of the MGL model is not as simple as just applying the basic equations. The difficulties of estimating the MGL parameters are normally caused by the lack of actual CCF data, including both plant-specific and generic industry data. In order to obtain a reasonable result of the MGL parameter estimation when data sources are limited, a methodology based on Bayes' theorem has been developed by PLG. 3-205

Mathematically, Bayes' theorem is written as P(XlE E.) = K L(ElX,Eo) P(XlEo) 3.3.4.3 where P(XlE,E ): posterior distribution, probability of X being the true value of an unknown quantity in light of the new evidence, E, and the prior body of knowledge, Eo. L(ElX,Eo): likelihood of the new evidence, E, assuming that the true value of the unknown quantity is X. ? P(XlEo): probability of X being the true value of the unknown quantity based on the state of knowledge, Eo, prior to receiving the evidence E, and K is a normalizing factor which is defined as K = f L(ElX,Eo) P(XlEo) dX eB a in the context of the MGL parameter estimation, the term X in equation 3.3.4.3 is the parameter, Eo is the engineering judgement of the parameter, and E is the actual generic CCF data from other similar olants. The key issue of applying Bayes' theorem in this context is to combine the engineering rnowledge and the actual data of common cause failure, in order to maximally use the available information. The prior distributions for the MGL parameters, such as 4, y and 6, were developed for various types of components and failure modes by a team of PLG experts. These distributions reflect the experts' estimates of the likely range of variation of the MGL parameters, and supplement the data base of generic common cause evenes. The mean values of the MGL parameters #, y and 6 of the prior distributions for various types of components and failure modes are listed in Table 3.3.4.1 at the end of this section. 'Ihe constant coefficients A., Bo, Co, Do, Eo, and Fo in the table will be used for further estimations of the mean values of the corresponding posterior distributions. 3-206 1

Since a plant-specific commoa cause database for CPSES Unit I was not developed, industry generic data sources were used to make statistical inferences about the frequencies of common cause events at CPSES. However, due to the variability among plants, especially with regard to coupling mechanisms and defenses against common cause events, generic industry experience may not be directly applicable to the specific plant being analyzed. Differences need to be identified and adjustments made accordingly. In general, the differences between the system in which the data originated and the system being analyzed arise in two ways: first, there are physical differences in system design, component type, operating conditions, environment, etc.; second, there can be a difference in system size. The method of applying the generic industry CCF data for the CPSES IPE can be summarized as follows: Screen out the com.non cause events that are not applicable for the IPE common cause failure analysis. Adjusting the component group sizes between the original system and the system being , analyzed. Data Screenine For each event in the generic CCF database, a determination of it's applicability was made based on an engineering analysis of the system design, operating conditions, common cause defenses, environment, etc, The following rules for CCF data screening were used:

*-      Component-caused functional unavailabilities were screened out since this kind of dependency is normally modeled explicitly.

If a specific defense exists that clearly precludes a class of events, all specific events belonging to that class were screened out. If the cause of the reported event was related to a train interconnection that does not exist at CPSES, the event was considered as an independent failure of one train. 3-207

Events related to inapplicable plant conditions (e.g., preoperations testing, etc.) were screened out unless they revealed general causal mechanisms that could occur during power operation.
If the event occurred during shutdown and would typically be restored before resuming power operation because of preservice testing (or if it cannot occur during power operation) the event was screened out.
Events involving incipient failure modes (e.g., packing leak, etc.) that clearly do not violate component success criteria were screened out.
If a second failure in a common cause event happened after the restoration of the first failure, both failures were considered independent failures.

Only events involving the failure modes of interest were taken into consideration; events involving failure modes that are irrelevant to the system logic model were screened out. If the event is only applicable to a specific component design that is not similar to the components being studied, the event was screened out. If the cause of the reported event was related to a configuration tnat does not exist at CPSES, the event was screened out. Events caused by human errors that are mode'<<1 independently or that are not :pplicable to were screened out. External events such as fire, earthquake, etc. , , were modeled independently. Adiustment for System Size A method of mapping was used for adjustment in an impact assessment based on system size differences. The mapping rules are presented fer the following cases: 3-208

                                                        ~A   e M                                               --.

Mapping Down: ne case in which the component group size in the original system is larger than in the system being analyzed.

Mapping Up: De case in which the component group size in the original system is smaller than in the system being analyzed, in order to reduce the uncertainty inherent in mapping of impact vectors, all events were classified into one of the following three categories:

Lethal Shocks: Causal events that always fail all the component., in the system. Independent Events: Causal events that act on components singly and independently. Non-lethal Shocks: Causal events that act on the system as a whole with some chance that any , number of components within the system can fail. - Alternatively, nonlethal shocks can occur when a causal event acts on a subset of the components in the system. He impact vectors for a case of lethal shoer were mapped directly as P$i = P,* 3.3.4.4 where 1 is tne size of the system being analyzed, and j is the size of the system being mapped. I t l De number ofindependent events in the generic data base was assumed to be proportional to the number of components in the system being analyzed. It can be shown that the number of independent events in systems with size I and k are related by the following equation: Ni = (1/k)N, 3.3.4.5 It is important to distinguish between the independent failure and the single failure due to a common cause. Equation 3.3.4.5 can be applied only for the independent events. 3-209

__ . . . ~_ The formulas for mapping up and mapping down the impact vectors for the nonlethal shock event category are different. It can be seen that mapping down is deterministic; however, mapping up is not deterministic. Formulas for mapping down data from a system having four, three, or two components to any identical system havin3 fewer components are presented in Table 3.3.4.2. In this table, PJ* represents the 1:-th element of the average impact vector in a system (or component group) of size m. Table 3.3.4.3 includes formulas to cover all of the upward mapping possibilities with system sizes up to four. The parameter p in the table is a conditional probability (p = 0.5 in this study) of each component failure given a shock. 4 3-210

Table 3.3.4.2: Formulas For Mapping Down Event Impact Vectors TO*

3 2 1 P.* = 114 P,* + P.* P.* = 1/2P,* + 1/6Pi
P/"= 3/4P."'+ 1/2P/* + 1/4P/"

P,* = 3/4P/* + 1/2 Pa* P,*= 1/2P/*+ 2/3Pa* + 1/2P/* P/8'= 1/4P/* + 1/2Pa *+ 3/4P,* + P.* 4 Pa* = 1/2P,* + 3/4 P

P " = 1/6P "+ 1/2P,"'+ P.*

J P/* = 1/4P,* + P.* P.* = P." + 1/3 P

P/"=P/* +1/3P/*+ 1/3 Pa*

P * = 2/3 P,* + 2/3 P," P/"= 1/3P/* + 2/3 Pa * + P

3 P." = l/3 P/* + P/*

FROM* P/"= P.*+ 1/2P

P/"a l/2P,* + P,*

2

SIZE OF SYSTEM M APPING FROM.

              ** SIZE OF SYSTEM M APPING TO.

Table 3.3.4.3: Formulas For Upward Mapping of Events Classified as Nonlethal Shocks TO'* 2 3 4 P."= 2(1 0)P/" P,*=3(1 p)'P/" P "'= 4(1 p)'P/" , , P,* =pP/" P/*=3p(1 p)P/" P/* = 6p(1-p)'P/"

;                                                        P/* = p'P."'              P." = 4p'(1 -p)P/"

P/*=p'P/" P/* = 3/2(1-p)P,* P,* = 2(1 p)'P,* 2 P/* = p P " + (1 -p)P," Pa*= 5/20(1-p)P *+(10)'Pa* P/* = ppa

P,"=p'P,* t 2p(I psp "

P."' = p'P," P/* = 4/3(I-p)P

3 P/* = p?,* + (1 -p)P/*

P,* = pP/* + (1 -p)Pl* P/*=pP/*

SIZE OF SYSTDel MAPPING FROM

                      ** SIZE OF SYSTEM M APPING TO.
                      *** p = 0.5, is Tile CONDITIONAL PROr,ABILTTY OF EACH COMPONENT FAILURE, O!VEN ASHOCK.

Once the impact vectors of all the events in the generic htabase were assessed for the system being analyzed, the number of events in each impact category we. calculated by adding the impact vectors l l I l 1 3-211 . l 1 a - ~

I! ( ) a ni ={ P i(O-N fel a n,={ P,(0 k>l 3.3.4.6 del where ni = total number of events involving failuie of one component due to both independent and common cause failures, and N= number of events due to independent failure. ng = total number of events involving failure of k (k > 1) similar components due to common cause failures. Pa* = the k-th element of the 1-th impact vector. Once the values of ni and n were calculated (Equation 3.3.4.6), the prior distributions were updated to yield posterior distributions for the MGL parameters. For an m-component system, it fchws that (Volume 4 of Ref.1) 3-212

for # - factor, A =Ao +[ in, i=3 B=Bo+ng 0-Al(A+B) for y - fac it, C=C o +[in, i=S D = Do + 2n, y =CI(C+D) etc. . . 3.3.4.7 i where A., Bo, Co, and D are the constant coefficients estimated from th( -*ior distributions, and the values of these coefficients were obtained from Table 3.3.4.1, The mean values of the MGL parameters obtained from Equation 3.3.4.7 were estimated based on the system sizes of the prior distributions, and were then mappa.d again to the sizes of the systems being analyzed. Since the system sizes of the prior data base were assumed to be four in most cases, the formulas used to convert the MGL parameters for the four-component system into the corresponding MGL parameters for the three-component and two-component systems were developed. The formulas described below are developed based on the mapping rules from Table 3.3.4.2 and Equation 3.3.4.2, for a three-component system:

 /P = (1/3)(2b + 3c + 12)/(a + b + c + 4) y* = (c + 12)/(2b + 3c + 12) for a two-component system:

3-213 i

J

                                                                                                                          'l
    #* = (1/3)(b + 2c + 12)/(a + b + c + 4) where a = (4/y*8'*)(1 - $ (*)/#*

b = (4/6'*)(1.- Y*)/y '* c = 4 (1 - 6"')/6'* 3.3.4.8 The general procedures for estimating the MGL parameters are summarized as follows: a) ne Prior MGL Parameter Database Development De generic prior distributions of the MGL parameters, such as 4, y, and 6, for varioas types of components and failure modes were developed by a team of PLG experts (Ref.1). In most cases, the system sizes were assumed to be four.t I is important to note that the value of the MGL , . parameter is dependent on the size c'the s.jstem. Table 3.3.4.1 lists the mean values of the MGL parameters and the constant coefficients A., Bo, Co, Do, E , and F .

b)_ Data Classification and Screening f,

ne data source for the generic event descriptions was the PLG generic common cause database . i (Volume 4 of Ref.1). The determination of whether an event was applicable depended on the - engineering analysis based on the rules described earl., c) System Size Adjustment ne procedure used for the system size adjustment is described by the following two steps: 3-214

sma Since the prior MGL parameters were estimated based on the assumption of certain system size, the impact vector for each applicable event was mapped to adjust the difftmces between the , system sizes in the generle database and in the prior MGL parameter eta base. The formulas listed in Table 3.3.4.2, Table 3.3.4.3 and Equatba 3.3.4.4 were applied for capping down/up the impact vectors. Equation 3.3.4.5 was used for mapping the indepetident events. ne values of g were calculated by substituting the values of P? and N into Equation 3.3.4.6, and the values of MGL parameters were then be calculated by substituting the values of f( and the constant coefficients A.,4 C, Dn, 4, and F, listed in Table 3.3.4.1 into Equation 3.3.4.7. Step 2 The mean values of the MGL parameters obtained from step I were then mapped again to the sizes of the system being analyzed by using Equation 3.3.4.8. 'Ihe types of common cause failures considered in this analysis were determined based on the following assumptions: The components that or which failed due to a comrnon cause wert assumed to be in one system. Common cause failures which cross systems were not considered in this analysis. The components which failed due to a common cause in a conunon cause component group were assumed to be of the same component type. Far an m-component (m .13) common cause group, if any three components in the group failed due to a common cause, all the components in the group were assumed to fail. Based on the above assumptions, on!y the probabilities of two or all specific component failures due to a common cause were considered.. The following equations were used to calculate the probability of multiple component failures due to . common cause, for a two-component common cause group: 3-215 l __________m_ _ . _ _ - ..___---_ - __ -- __- --

Qi = (1-#*)Q, = Q, Q: = #*Q, = C (failures 2 per demand)

                        = F 2(failures per hour)                  3.3.4.9 for an m-component (m h 3) common cause group:

Qi = (1-#*)Q, = Q, Q = 1/(m-1)#*(1- y*)Q, = 1/(m-1)C (failures 3 per demand)

                                             = 1/(m-1)F3 (failures per hour)

Q, , #*y

Q i = C (failures 4 per demand)

                                = F 4(failures per hour)                      3.3.4.10 where Q, (t= 1,2,all) is the probability of k specific component failures due to a common cause, and Q is the failure probability of the component due to both independent and common cause events. The value of Q, was obtained from the component failure data base. The calculated values of C    2 , C 3 , F2 , F3, Cx, F4, and Q, for each common cause group are listed in Table 3.3.4,4, and are also included in the IPE type code (TC) file. The system analysts determined the size of the common cause group in the system being analyzed.

In some cases, a common cause group contained several segments, and each seginent contained a certain i-number of components. Since the failure of any one component in a segment will fail thc segment, the distribution of a common cause failure which only falls components in a single segment can be negligible. However, the common cause failure contribution for two segment failures was considered, and was calculated as Qc = ning(m 1)#*(1-y*)Q, = n n:/(m i 1)C (failures 3 per demand)

                                       = ning(m-1)F3(failures per hour)-                     3.3.4.11 where ni, n : the number of components in segment 1 and segment 2, m: the total number of the components in the common cause group.

3-216 l

A detailed description of the data screening and system size adjustment for each component and failure mode is given in Ref. 4. He prior MGL parameters (Table 3.3.4.1) and the posterior MGL parameters together with the common cause failure probabilities (Table 3.3,4,4) for various types of components and failure modes are listed in the following tables. 3-217 1;

Table 3,3,4,1: The Prior MGL Parameter (CCF Data Base) COMPONENT FAILURE MODE MGL PARAMETIRS A, a, o, r. I y C, D, . w F, a, { MUTOR. F AE.TO OPEN 1.58, 21.0, 7.0E-2 3.8, 23.3, 1.461 1.8, 8.31, 1.8E-1 OPERATED VALVES 1,58, 21.0, 7.0E-2 23.3, 1.461 FAIL TO CLO3". 3.8 1.6 8.31, 1.8E-1 (VM) AIROPf3tATED FAIL TO OPEN 1.58, 21.0, 7.0E-2 3.8 23.3, 1.4E-l 1.8, 8.31, 1.8E-1 VALVES (VA) F AIL TO CLOSE 1.58, 21.0, 7.0E-2 3.8, 23.3, 1.4 6 1 1.5, 831, 1.8L1 ELJcrRO- F AIL TO OPEN 1.58, 21.0, 7.062 3.8, 23.3, 1.4 L1 1.8, 8.31, 1.8E-1 HYDRAUL3C VALV FAIL TO CLOSE I.58, 21.0, 7.0E 2 3.8 23.3, 1.4 E-1 1.8, 8.31, 1.861 SOLENOID F AIL TO OPERATE 1.58, 21.0, .7,0E-2 1.58, 21.0, 7.0L2 3.3, 9.58, 2.8E-1 VALVES ON DEMAND (VM MECilANICAL FAIL TO 1.58, 11.0, 7.0E-2 1.58, 21.0, 7.0L2 3.8 9.58, 2.8E 1 RELAYS ACTUATE (RM) DISTABLES FAIL TO 1.58, 21.0, 7.0L2 1.58, 21.0, 7.0L2 3.8, 9.58, 2.861 (BD ACTUATE 8%7TCHES FAIL TO 1.58, 21.0, 7.0L2 1.58, 21.0, 7.0E-2 3 .8, 9.58, 2.BE-1 (SM, $P) ACTUATE CIRCUTT I ATLTO OPEN 1.58, 21.0, 7.0E-2 3.8 23.3, 1,4L1 1.8, 8.31, 1.8E-1 BREAKERS (BA BB) FAIL TO CLOSE 1.58, 21.0, 7.0E-2 3.8, 23.3, I.4E 1 1.8, 8.31, 1.8E-1 AllWlOTOR FAIL TO OPEN 1.58, 21.0, 7.0E-2 3.8, 23.3, I 4E-l 1.8, 8.31, 1.851 OPERATED

         ^                         FAIL TO CIDSE      1.58, 21.0, 7.0E-2    3.8   23.3, 1.461                1.8,  8.31, 1.8 E-l D

3' OPERATING FAILTO RUN 0.84 839.0, 1.053 1.58, 21.0, 7.002 1.8, 8.31, 1.851 PUMPS (10) FAIL TO 1.58, 156.4, 1.062 3.8 23.3, 1.4 E-l - 1.8, 8.31, 1.8E-1 START /RFSTART . STANDBY FAIL TO RUN 1.58, 156.4, 1.062 3.8, 23.3, 1.4L1 3.8, 9.58, 2.8E-1 PUHPS (PhD FAILTO START 1.58, 21.0, 7.0E.2 3.8, 23.3, 1.4E.1 3.8, 9.58, 2,851 7 URBING. FAIL TO RUN 1.58, 156.4, 1.002 F/A N/A DRIVEN PUMPS (PT) FAIL TO START 1.58, 21.0, 7.002 N/A N/A PostTIVE FAILTO RUN 1.58, 156.4, 1.0E-2 N/A N/A DISPLACE. PUMPS FAIL TO 1,58, 21.0, 7.002 N/A - N/A START / RESTART 3-218

Table 3,3,4.1: The Prior MGL Parameter (CCF Data Base) COMIONERF FAILURE MODE MGL PARAMETER 8 A. B, a. C, tr ,, E, r, a, OPERA 71NO F AIL TO RUN 0.84, 839.0, 1.003 1.58, 21.0, 7.0L2 1.5, 8.31, 1.8 L1 FANS (TN) FAIL TO 1.58, 156.4, 1.002 3.8 13.3. l.4Ll 1.8, 8.31, 1.808 START / RESTART STANDBY FAIL TO RUN 1.58, 1564, 1.002 3.8 13.3, l.4LI 3 t, 9.58, 2 . 8 11- 1 FANS (AC) F All TO START l.58, 21.0, 7.052 3.8, 23.3, 1.4L i 3.8, 9.58, 2.8E.1 DIESEL FAILTO RUN 0.246, 21.2, 1.lL2 N/A N/A OENERA10R$ (DO) F Alt TO 8 TART 0.192, 7.12, 2 'G2 N/A N/A LOGIC'111P FAIL TO 0.44, 839.0, 1.003 1.58, 21.0, 7.002 3.8, 9.58, 2.8L1 MODULES ACTUATE (18) MCrtPR FAIL TO RUN 0.84, 839,0, 1.003 1.58, 21.0, 7.002 1.8, 8.31, 1.8 E.1 , OENER4 TOR ' I F AIL TO LESTART 1.58, 156 4,1.0L2 3.8, 23 *,1.4Li 1.8, 8.33, 1.801 I MECilANICAL FAIL TO OPEN l.58, 156.4, 1.002 1.58, 21.0, 7.0E-2 1.4, 8.31, 1.8 E.1 RELIEF VALVE 5 FAllTO RESEAT l.58, 1564 l.002 4.44, 13.18, 2.5 E.1 3.8, 9.58, 2SLt PREMATUP.E 1.58, 156.4, 1.0E-2 4,44, 13.18, 2.5 L1 3.8 9.58, 2.8L1 OPENING CHICK FAllTO l.58, 156.4, l.0E2 3.8 23.3, 1.4 LI 18, 9.58, 2.801 VALVE 5 OPENTEOPEN

                                                                                   -s FAtt 10 RESEAT       l.56, 156.4, 1.0E-2     3.8   23.3,1.(LI . 3.8, 9.58, 2.8E-l REACTOR TRIP   FAIL TO OPERATE       1.58, 21.0, 7.0E-2             N/A                      N/A BREAKERS (SB; UNDER     t' AIL TO 9PERATE      I.58, 21.0, 7.0E-2            N/A                      N/A VOLTAGE Li (L (UY)

MECHANICAL FAILTO l.58, 21.0, 7.0L2 1.58, 21.0, 7.0E-2 3,8. 9.58, 2.8L1 1 RELAY (RM) ' ACTUATE l Silt.fr TD" FAllTO OPERATE I.58, 21.0, 7.00-2 N/A N/A tc W.o 5AFETY FAIL TO RUN l.58, 156.4, 1.0E-2 N/A N/A ClitLLER (CU) FAIL TO START 1.58, 156.4, 1.0E-2 , N/A N/A unenn ?' 3-219

Tchle 3.3.4.4: CPSES Unit 1, Common Cause Failure Data Base

Conp. Fall. CCF Prior Olbribution Posterior Olstribution failure Probebility Type Mode Pop. Bete 0 Cama 0 Bete Omaste et C3/ft C3/73 CA/FA AC 0 2 0.02752 0.01747 2.93t 03 5.12t 05 At 0 3 f 04;93 0.10206 0.03168 0.10273 2.93t 03 8.33t 05 9.54t 06 AC 0 2 0.00393 0.01720 1.00t 05 1. Tit 07 AC 0 3 0.00713 0.10206 0.03056 0.12578 1.00t 03 2 67t 07 3.84t 08 BA 0 2 0.02719 0.02719 6.49t 04 1.76t 05 BA 0 3 0.04993 0.08897 0.04993 0.08897 6.49t 04 2.95t 05 2.88t 06 BA 0 2 0.02719 0.02719 8.2M 07 2.25t 08 BA 0 3 0.04993 0.08897 0.04993 2.08897 8.28L 07 3.T7t 08 3.684 09 e8 0 2 0.02719 0.02719 8.39E 04 2.2M 05 tt 0 3 0.04993 0.08897 0.04993 0.08897 8.391 04 3.82t 05 3.73t 06 , et 0 2 0.02719 0.02719 2.68t 07 7.29t 09 80 0 3 0.04993 0.08397 0.04993 0.08897 2.68t 07 '.22t 08 1.19t 09 BI O 2 0.02542 0.02542 3.89t 07 9.89t 09 31 0 3 0.04830 0.05275 0.04830 0.05275 3.89t 07 1.78t 08 9.91t 10 tl 0 2 0.02542 0.02542 2.21t 06 5.62t 08 31 0 3 0.04830 0.05275 0.04810 0.05275 2.21t 06 1.018 07 5.63t 09 CU 0 2 0.01000 0.00937 8.07t 03 7.56E 05 CU 0 -2 0.01000 0.02058 9.44t 05 1.94t 06 DA 0 2 0.02719 0.02719 1.52t 03 4.13t 05 DA 0 3 0.04953 0.08897 0.04993 0.08897 1.52t*03 6.91t 05 6.75C 06 DG 0 2 0.02500 ti.01342 3.84E 02 5.15E 04

 . DG    0       2 0.01100            0.01458                             2.51t 03 3.M E 05 OM    0       2 0.02719            0.02719                             4.30E 03 1.17t 04 DN    0       3 0.04993 0.08897    0.04993 0.08897                     4.30t 03                   1.96t 04 1.91t 05 7N    O       2 0.00388            0.00359                             4.84E 04 1.74E 06 FW    D       3 0.00713 0.08897    0.00659 0.0f.885                    4.84t 04                   2.91t 06 2.84t 07 FW    0       2 0.00036             0.00318                            7.89t 06 2.51t 08 3 220

Table 3.3.4.4: CPSES Unit 1, Common Cause Failure Data Dasc . Conp. felt, sti Prior Olstri PoJterior Oletrit=stion felture Protsebility 1 type Mode Pop. sete0 Gaaes seto Cams Ot C3/f2 C3/F3 CA/FA )i Fu 0 3 0.00069 0.04599 0.00588 0.082.30 7.89f 06 4.26E 08 3.82t*09 ! 1 MX 0 2 0.003&8 0.00388 0 0.00t+00 j 1 Nx 0 3 0.00713 0.08897 0.00713 0.08897 0 0.00t+00 0.00E+00 Mt 0 2 0.00036 0.00036 0 0.00t + 00 ) NX 0 3 0.00069 0.> 199 0.00069 0.04$99 0 0.00t+00 0.00f +00 f PM 0 2 0.02752 0.03585 3.296 03 1.181 04 PN D 3 0.04993 0.10206 0.05$30 0.29656 3.29t 03 1.'JBC 04 5,40t 05 PN 0 2 0.00393 0.00177 3.42t 05 6.05t 08 l PN 0 3 0.00713 0.10206 0.00321 0.10271 3.42t 01 9.85t 08 1.13t 08

)                      P0     0          2 0.00388                   0.00273                              2.358 03 6.41t 06 '                                   -

1 PC D 3 0.00713 8.08897 0.00501 0.08885 2.35E 03 1.07t 0A 1.05t 06 . P0 O 2 0.00036 0.00209 3.36E 05 1'.03t 08 3 0.00069 0.0'.59c PC O .0.00391 0.07049 3.36f 05 1.22f. 2i ? 26f*29 i PT C 2 0.07000 0.07000 3.318 02 2.32t 03 PT o 2 0.01000 0.01000 1.03t 03 1.03t 05 RM 0 2 0.02542 0.02542 2.41t M 6.13t 06 RM D 3 0.04L4 0.05275 0,04830 0.05275 2.41t 04 1.10E 05 6.14t 07 8N 0 2 0.02542 0.025 2 4.2t 07 1.07E 08 RM 0 3 0.04830 0.f.5275 0.04830 0.05275 4.21 07 1.928 08 1.07E 09 i

,                      S8     0          2 0.07000                   0.04974                              1.77t 03 8.80E 05 1
                       $N     O          2 0.02542                   0.02542                              3.00E 05 7.63t 07
!                      SM     0          3 0.M830 0.05275            0.04830 0.05275                      3.00E 05               - 1.37t 06 7.64t 08 i                      SP     0           2 0.02542                  0.02542                              2.69t-M 6.84E 06

) EP 0 3 0.04830 0.05275 0.04530 0.05275 2.69E M 1.23t 05 6.85t 07 4 SS 0 2 0.00036 0.00036 8.52t 05 3.09t 08

                       $$     0           3 0.00069 0.05275          0.00069 0.05275                      8.52t 05                 5.57t 08 3.10E 09 SS      0          2 0.00036                  0.00036                              2.70E 06 9.80E 10
                       $$      0         3 0.0006f 0.05275           0.00069 0.05275                      2.70E 06                 1.76t 09 9.83t 11 5Y     0           2 0.07000                  0.06070                              1.40E M 8.50E 06 UY      0          2 0.07000                  0.15262                              2.75t 03 4.20E M 3-221 4
   -v.3r--      c. r-       ,   .m---          4           e    v ,                  -r--   v      - +..     - . ,     *=     2            ---v     , y v-m. r

Table 3.3.4.4: CPSES Unit 1, Common Cause Failure D8ta liase Com. Fall. CCF Prior Olstritution Posterior Olstritution Falture Protability type mode Pop. Set >0 Gemc0 Sete Coma et C2/F2 C3/F3 CA/FA V4 0 2 0.02719 0.02719 1.528 03 4.13t 05 VA 0 3 P.04993 0.08897 0.04993 0.08897 1.52t*03 6.91t 05 6.75E 06 VC D 2 0.00393 0.00374 2.69t 04 1.01t 06 VC D 3 0.00713 0.10206 0.006 ' O.10273 2.69t 04 1.64t 06 1.8St 07 VM 0 2 0.02719 0.02719 1.525 03 4.132 05 VM 0 3 0.04993 0.or897 0.04993 0.08d97 1.52t 03 6.91t 05 6.75t 06 VM 0 2 0.02719 0.05628 4.30t 03 2.428 04 VM 0 3 0.04993 0.08897 0.09316 0.20818 4.30t 03 3.17t 04 8.34t*05 VR 0 2 0.00361 0.00361 2.42t 05 8.74E 08 vt 0 3 0.00690 0.04599 0.00690 0.04599 2.42t 05 -1.59E 07 7.11t 09 VR 0 2 0.00440 0.00440 6.06t 06 2.67t-08 VR 0 3 0.00750 0.17333 0.00750 0.17333 6.06t 06 3.76t 08 7.88E 09 Vs 0 2 0.02542 0.02542 2.43t 03 6.18t

05 vs 0 3 0.04830 0.05275 0.04830 0.05275 2.43F 03 1.11t 04 6.19t 06 where Comp. Type: Component code.

Fall. Mode: "D" - fal! on demand. ' "O" - fail during operation. i i The number of components that are believed to have been exposed to the common cause events in the system being analyzed. I Beta 0. Gamma 0: MGL parameters (prior distributions). D ta. Gamma: MGL parameters (posterior distributions). Q,: I-l 3-222

Failure probability / rate of a component due to independent and common cause events. C2/F : Constant coefficient, used to calculate the failure probability / rate of falling two components in a two-component system, due to a common cause event. C,/F,: Constant coefilclent, used to calculate the failure probability / rate of falling two components in an m-component system (m > 2), due to a common cause event. CA/Fg Failure probability / rate of falling all components in an m-component system (m > 2), due to a common cause failure, ne common cause failure dica is included in the IPE type code (TC) file. 3.3.5 Ountification of Unavailability of Systems and Functions ne PRA method used at CPSES is the Smali Event Tree, Large Fault Tree. De computer program used was CAFTA. CAFTA is a micro-computer based fault tree analysis program developed by Science Applications International Corporation (SAIC) for EPRI. The system fault trecs were developed employing modularl7ation of components. These modules were developed using an on-site developed dBase program, his program managed the components, their selected failure modes, the fault exporure times, and the testing and maintenance unavailability. De system models also included latent human errors and common cause failures. These models were quantified assuming all support systems were available to test the logic and to determine the system unavailabilities due to its own fault. 3 223

i j 3.3.6 Generation of Supnort System States and Ouaritification of neir Probabilities t i j This section dcs not apply to the fault tree linking methodology adopted for the CPSES IPE study. i 1 3.3.7 Ouantification of Sequence Frequgnghs

         %e functional sequences were quantified by following several steps. First, the logic from the accident sequences and the systemic logic were merged into a master single fault tree Also, the bas)c event and gate descriptions were merged. The circular logic was broken by replicating selected sections oflogic, l         renaming the gates, and redirecting the supports. This method assures that support system failure properly lead to failures of the systems it supports, and preven'.s the systems from being circular in their

logic. At this point, the system models were again quantified, with their supports intact, to test the integthy of the logic.

l The functional sequences were quantified using this fault tree by setting the flags as appropriate for the sequence, and then generating the cutsets. De resulting cutsets were post-processed to remove dual initiator cutsets, cutsets with mutually exclusive events, and cutsets that contained falk:res of a system required to be successful, if the sequence contained a success path. The resulting cutsets were examined, and recovery actions added where appropriate. Table 3.3.71 shows the computer programs used during quantification, and the ftmetions performed by each program. i Table 3.3.7-1: Sequence Quantification Programs ! Program Purpose 1 CAFTA Fault Tree Editor Merged all system and accident sequence logic into a single master tree NOCIRC

Identified and broke all circular logic CHGATENM
Used to generate replicated logic, for sequences that contained events with different flagging requirements.

3-224

  . - _ _~.                  -        _     . -    _ - - _ - _ - - - . .                        - - - . _ - - _ - - _ - - _ . - - -

i E Program Purpose i CAFTA - Fault Tree Editor Generated FTAP input deck , CAFTA Cutset Generator Generated minimal cutsets CAFTA Cutset Editor Generated cutset files, deleted mutually exclusive events I CLASSCUT

Classified the cutsets based on PDS bin, containment spray status and containment isolation status, in support l of the back-end analysis

MERGCUT " Merged all sequence cutsets into a single file used to calculate total core damage frequency

Programs written at TU Electric

                     " Utility program written by SAIC Interfacing system LOCAs (ISLOCAs) were analyzed by taking the master fault tree, faulting the equipment faulted by the ISLOCA (e.g., both trains of Ril), faulting tae recirculation flow path (there would be no water in the containment recirculation sumps), and then generating the cutsets for the                                  j appropriate sized LOCA.

For the Internal Flooding Analysis, the master fault tree was pared down by redefining all initiators to be false except the General Plant Transient. De remaining logic was used to generate cutsets from loss of heat removal sequences, ATWS sequences and induced LOCA sequences his tree was quantified for each flooding scenarlo by first redefining all equipment to be in a failed status due to the flood as failed. De list of failed equipment was generated using dats bases containing information about the location of PRA equipraent and the cables and junction boxes powering that equipment. Finally, a recovery anaiysis was performed on the resulting cutsets to obtain the final internal flooding cutsets leading to core damage. 3-225-

l 3.3.8 Internal Floodina Analysis , 1 The objective of the internal flood analysis project was to quantify the impact of internal flooding on CPSES core damage frequency. To accomplish this, the internal finod analysis team identified locations that are susceptible to internal flooding and contain equipment included in the IPE models. Then, based

)     on the locations of flood hazard sources, the ikxx! pr pagation paths, and the equipment vulnerable to j      flooding, the team defined specific flood scenarios and assessed their contribution to the total core damage i      frequency.

l !. T u d in order for internal floods to lead to core damage, all of the following conditions must occur:

An unexpected, uncontrolled release of water or other liquid in the plant that affects IPE equipment operation.
A reactor trip that presents a potential challenge to the integrity of the reactor Core.
A failure of IPE equipment due to floo< ling or other causes that reduces the plant's capability to reach a safe r,hutdown condition following a flooding event.

l Analysis of the internal flooding impact on overall plant core damage frequency included the following general tasks:

Preliminary flood scenario development

                *       ' Plant walkdown

Initial flood scenario frequency screening
Refinement of analysis bases and assumptions
Final flood scenario frequency screening and detailed analysis l 3-226 i

i l __ _ - _ _ _ .. ._. _ ~ , .

l l Information from the system walk-downs performed in the systems analysis task was combined with i information obtained during a plant walk-down by the intanal flood analysis tearn to provide a basis for l deveJoping flood scenario tables. He direct impact of each flood scenario was defined by listing the IPE equipment affected on each flood scenario table. Flood huard sources were also listed on each flood I scenario table, ne flood scenario initiating event frequencies for each zone were determined using generic internal flooding data from Reference 1 and zone specific weighting factors to account for zone volume and flood source density. De scope of th!s analysis included flood huards from all plant liquid (primarily water) sources that could affect IPE equipment. Internal flood hazard sources included all Installed, fixed liquid systems and temporary (e.g., hose or tubing) liquid systems that are generically used on a repetitive, routine basis at U.S. nuclear power plants. Temporary hose or tubing systems that could potentially be used for one-time maintenance or repair applications were outside the scope of this analysis. Damage associated with internal flood hazards included only short term (less than 24 hours) liquid inundation effects on IPE equipment. Other hazards such as pipe whip, steam impingement, and specific liquid jet or spray patterns were outside the scope of this analysis. j in the inillal screening analysis, any source of water (including liquid Jets and sprays) was assumed to fail all IPE equipment located in the associated flood initiation zone. His is a conservative assumption. Consideration of IPE equipment cable terminal points (e.g., junction boxes) was included in this analysis I to the maximum extent possible using previously developed equipment cable routing and junction box locatic is recorded in the plant's automated cable and raceway data bases. l De final two steps above were performed iteratively until each scenario was determined to be below the established screening frequency or until the scenario frequency was determined to reflect actual plant response using the screening methods of this study. Each iterative step refined a layer of conservatism from the analysis. For example, the first screen assumed only an infinite source, while the second screen separated finite frorn infinite sources. He second screen also included those 'Ex-control room" actions not affected by the flood. A third screen credited 'Ex-control room" actions following flood miilgation. I i 3-227 1 l l ._ - . _. ._._._ _. _ ~. _ __. -

l l 1 Analysis Summgy I For the CPSES internal flood analysis, an initial set of til flood scenarios that were potentially j significant to core damage frequency were evaluated. Each of these scenarios is defined in Reference 44. i Following this initial screening analysis,101 of these 111 scenarios were determined to be significant enough to require a more refined analysis, ne results of the analysis for all flood scenarios are l summarized in Table 3.3.81. Details of the flood scenario screening analysis methodology and screening j criteria development are presented in Sections 4.0 and 5.0 of Reference 44. Flooding in each of these l 101 flood zones propagates to other flood zones where it can affect additional plant equipment. Of these i 101 scenarios 11 were further sub divided based on the potential source of the flood, and the zone's initiating frequency was divided and assigned to these scenarios based on the ratio of potential flood l i source piping systems and components under consideration. A detailed presentation of the impact of each l } flood scenario is provided in Reference 44. Using refined screening bases and assumptions, the initial core damage frequency was calculated for each of tha remaining scenarios that exceeded the 1.0E-6 core damage events per year screening value. Here were 32 scenarios remaining that exceeded the 1.0E-06 core damage events per year screening value nese 32 scenarios required further detailed analysis of 4 their cutsets to yield a final estimate of core damage frequency. De detailed analysis included consideration of specific human actions associated with mitigation and/or termination of the flood, more realistic propagation assumptions, and more realistic flood impact for selected equipment Table 3.3.8-2 provides a summary of the flood propagation paths associated with the significant flood scenarios that required detailed analysis. De final revised core damage frequencies, based on detailed analysis, were calculated to be below 1.0E-6 per year core damage frequency for 31 of the 32 scenarios. 3 Conclusions ne calculation of all core damage frequencies in this study still contain some conservatism. Specifically, the core damage cutsets that are below the 1.0E-06 per year screen have conservative flood initiating event frequencies and contain conservative flood induced component failure assumptions, maximum estimated flood heights, plant models and human action failure assumptions. Derefore, knowing that the detailed evaluation of the scenarios can provide, at a minimum, an order of magnitude reduction in 4 the estimate of core damage frequencies, only the scenarios that required detailed evaluation were summed to reflect the total contribution of internal flooding to core damage frequency. 4 3 228

ne total core damage frequency due to internal flooding was estimated to be 1.29E45 per reactor year. Here was only one internal flood scenario that had a core damage frequency exceeding the reporting criteria of 1.0E-06. 'this scenario edibits a Cat profile with its top cutset probability of 2.39E47. This specific scenallo and the other scenarios that contributed significantly to internal Gooding all follow a similar sequence of events. Ilowever, each scenario may have a different initiating event frequency and may impact the IPE-related equipment differently. De two dominant scenarios are described below:

He initiating Oc. i assumed to lead to a reactor trip. In the dominant scenarios, the flood water faults the safety chilled water system (Cil) equipment. His leads to the loss of the motor driven AF and the ECCS pumps due tc the failure of room cooiing. Additionally, the propagating Good faults instrument alt compressors and electrical equipment cabinets located in its path. The cutsets then vary based on the various failure modes of the turbine driven AF pump or its support systems.
A flood in the Service Water Intake Structure (SWIS) faulta a single train of the Service Water System. He sprays or flood flow from the break fault the MCCs that provide power to the SWIS ventillation fans and screen-wash pumps and screens. His results in a total loss of the service water system that eventually leads to core damage.

De internal Gooding analysis indicates that there are no significant vulnerahilities for CFSES from internal flooding. Based on the results this analysis no hardware or procedure changes were deemed to be required, i I I 3-229 l

l i Table 3.3.8-1: Summary of CPSES Flood Scenzia Results Flood Sullding flood Floor Flood initlet Finet Core Desese Frequency ;edJction Factors Scenerlo Zone Elev. Scenario scenerlo Scenerlo i Number Initletion Core Damage Core Fw Frm Damage

                                                                                                                                                'Originet      Revied W "I               W "*'I       I' "

Originnt Revised sevised new Flood aumen Ntsen Flood Maximum Epi;samt Wetsted

                                                                                                                    "'# I Actions not         actions     Propsgetion               Flocxf      Felture      Nissen

! affected ty revised Peth* eight" node secovery

the Flood for the e

Ispect Action (s) flood

AA021A Auxitlery AA0214 790 4.50E-03" 4.50E-03 5.98E-07 x x x x
sti t Isry i

AA021A1 AA021A1 790 8.30E-04* 8.30E-04" 4.36E-07 x x x x AAC21A2 A.mittiary AA021A2 790 1.06E-03* 1.06E-03" 4.47E-06 x x x x } AA021A3 Auxiliary AA021A3 ' 790 8.30E-04" 8.30E-04" 3.20E-07 x x x x x AA021s Aumittery AA0218 810 2.83E-03* 2.83E-03 8.68E-07 x x x x AAC2151 'unitlary AA02181 810 2.47E-04" 2.47E-04" 5.81E-07 x x x x AA02153 Auxitlery JJt021s 810 : 2.47E-04" 2.47E-04" 7.00E-07 .I x x x x AA021C Auxillary AA021C 822 9.91E-05 9.91E-05 1.14E-08 x x . AA021D Aunitiery AA0210 832 1.09E-03 1.09E-03 3.38E-08 x X* x , AA021E Auxiliary AA021E 842 3.80E-04 3.80E-04 6.94E-08 x x I

AA021F Auxiliary AA021F 854 1.06E-03 1.06E-03 7.67E-08 x x" x x Aunit lary . 7.84E-06 i

AA021G AA021G 86Z -7.84E-06 9.88E-08 x x j AA021M Aunitlery AA021N 841 8.40E-06 8.40E-06 1.07E-07 x x AA022 Auxillery AA022 790 5.15E-04 5.15E-04 1.04E-07 m x t j_ A4023 Auntifery AA023 810 2.31E-05" 2.31E-05 3.45E-07 x x

                  .AA0231'           Auxiliary     AA0231        810      5.78E-06"              5.78E-06   2.57E-07                                      x                                 x*                                     ,

4

i AA025 Auxillery AA025 810 4.37E-05 4.37E-05 <1.00E-09 x x I

3-230 i i l

Table 3.3.8-1 (continued) Ftood Ftood F1oor F1 cod Finol Core Deange Frequency Reedetion Foctors Bul1 dins Initie1 Scenerlo Zone Elev. Scenario semerlo scenerlo er Initiation Core Desage Core ,

                                            #N           'W              ""*      Originot  Originot     .Bewfoed      Revloed       Revised   Itew Flood (per p r)   (per yeer)    Frewenty        ,u,,n . IPJean       F, cod      Maalaus     E pipment     Reteted W # #I       Actions not  actions    Propagetton     Flood        Felture      Musen effected by  .erised       Pe h*
                                                                                                               ,         Keight"        seode     Recovery the 7tcod   for the                                 Ispect    Action (s) f(ood**

Auxitlery AA026 810 E.06E-05 8.06E-05 <1.00E-09 x x AA026 810 8.23E-05 8.23E-05 2.65E-07 x x

     'AA027  Auxillery     AA027 AA028  Auxillery    AA028     810      4.47E-05     4.47E-05    <1.00E-09                        x            xl                                      j Auxillery    AA030     810      2.31E-05     2.31E-05    <1.00E-09                        x            x AA030 Am0301  Auxillery   AA0301     810      5.78E-06     5.7BE-06     2.66E-GT                        x            x          X" 832      5.76E-06    5.76E-06      8.59E-07        x                            x AA034  Auxitlery,   AA034 Auxillery    AA035     832      5.44E-06    5.44E-06      8.13E-07        x                            x AA035 Auxillery    A4036     832      5.81E-06    5.81E-06      8.40E-07        x                            x AA03o Aunitiery    AA037     832      5.44E-06    5.81E-06      7.79E-07        x                            x AA037 Auxitlery    AA038     873      1.37E-03     1.33T-03     4.06E-08                        x            x AA038 Auxillery    AA039     8 73    2.74E-04     2.74E-04     <1.00E-09                        x            x AA039 Auxillery l  AA040     886     2.71E-04     2.71E-04      7.49E-07                        x            x AA040 Aunillery   "AA098     790     2.91E-03     2.91E-03      1.47E-08                        x            x AA098 AA153     778      1.07E-06    1.07E-04    <1.00E-09                         x            x
 , AA153     Auxillery Aunitiery    AA134     778     4.28E-04     4.28E-04      9.43E-07        x                            x AA154 Aunittery    As024   '810      2.50E-05     2.5c5-05    <1.00E-7                          1            x As024 AB0241  Aunillery   A80241    810      8.33E-06     8.33E-06    <1.lf,                            x            x          x*

3-231

TaNe 3.3.8-1 (continued) Flood 4 Flood Finst Core Osseee Frepency Redxtion Factors Flood Building Floor initlet scenerlJ Zaw Elev. Scenario scenario scenerlo Ntater Initiation Core Osmage Core Originnt Originot Revised Revised gedoed Pew Flood W "I #I mwen manen Flood Maximass Equissemt Retsted g 3 Actione not octiens Peopogstion Ftood Feiture manen effected by revised Path

Meight" mode Recovery the Flood for the Ispect Action (s)

I flo # 3 2.41E-05 1.32E-09 N N Ac02v AuxitterY ACO29 810 2.4*E-05 Auxellary ACO291 810 8.04E-06 8.04E-06 <1.00E-09 M K x* ACO291 3.33E-04 3.33E-04 9.05E-07 x r AD031A Auxit8ery AD031A 310 8 3.33E-04 1.19E-09 N N A30315 Auxillery ADO 31b 832 3.33F-04 1.06E-04 1.06E-04 <1.00E-C9 K x AE032 Auxiliary AE032 810 l 810 1.06E-04 1.06E-04 2.69E-07 Y x AF033 Auxiliary AF033 778 2.78E-03 2.78E-03 1.65E-08 x r EA043 Auxitlery EA043 _ 778 4.06E-05 4.06E-05 8.065-08 x x EA044 Auxillery EA044 778 5.59E-05 5.59E-05 1.22E-07 x x EA047 Auxiliary EA047 1.26E-05 1.26E-05 1.30E-08 I x EA054 Auxiliary E A054. 792 792 1.26E -f'~s 1.26E-05 1.30E-08 x x EA057 Auxiliary EA057 1.86E-04 5.13E-07 K r EA073 Auxi t s ery EA0T3 852 1.86E-01 EA074 .".un t ilery EA074 852 1.86E-04 1.86E-G4 5.13E-07 t x x Auxiliary EA075 852 1.17E-04 1.17E-04 3.62E-07 r I EA075 807 2.3SE-04 2.38E-04 8.96E-07 x x Em063 Auxitiery Em063 2.38E-04 2.38E-04 9.62E-07 x x Em064 Auxit*ery EWO64 807 4.12E-04 4.12E-04 5.47E-07 x x E0065 Auxitlery E0065 830 3-237

I TaNe 3.3.8-1 (continued) Flood Building Flood Floor Flood initial Finat Core Damege Fregemcy kedxtion Factors scenario Zone Elev. Scenario scenario scenerlo Ntrber Initiation Core Dc.sege Core _ rwy Fwy hge 0:-igino t Origirst Revised Revised Revised New Flood (per year) (per year) Freq;ency p en N en Flood Memleen Equigume rt Retet*d W Fear) Actions not actions Propegation Flood Talture Nteen affected by revised Fath* Meight" Mode Recovery

                                                                                                                    . the Ftood      for the                                 Iwipoct   Actlon(s) f 4ood" E0066 Auxillery     E0066    830   7.32E-06               7.32E-06      5.16E-07            x                              x E0068 Auxiliary     E0068    830   2.31E-06               2.31E-06      2.00E -07           x                              x E0069 Aunitfory     E0069    830   8.19E-06               8.16E-06      5.76E-07 '          x                              x E0070 Auxiliary     E0070    840   1.68E-05               1.68E-05      2.34E-08            x                              x 1

E0071 Aux illery E0071 840 1.23E-05 1.23E-05 8.84E-07 x x E0072 Auxiliary E0072 840 1.09E-05 1.09E-05 7.82E-07 x x E0140 Auxiliary E0140 840 6.39E-06 6.39E-06 4.44E-07 x x E0141 Auxiliary E0141 840 7.61E-06 7.61E-06 5.53E-07 x k E0162 Auxiliary E0162 830 1.15E-05 1.15E-05 8.27E-07 x x E0163 Auxiliary E0163 830 6.52E-06 6.52E-06 4.58E-07 x x EQ149 Auxiliary Ec149 778 1.75E-05 1.75E-05 2.44E-08 x x ER150 Ausillery ER150 779 1.75E-05 1.75E-05 2. 4E-08 x x 54001A Safeguard SA001A 773 2.45E-04 2.45E-04 6.48E -07 x x SA001A1 Safeguard SA00141 773 2.72E-05 2.72E-05 5.99E-OS X x x" SA0018 Safeguard SA0018 785 4.24E-05 4.24E-05 6.43E -07 x x SA001C Safeguard SA001C 790 2.66E-04 2.66E-04 7.11E-07 x x SA001D Safeguard SA0010 800 5.04E-06 5.04E-06 6.77E-07 x x 3-233

_-- - - - ~ - - - . . . _ - - - . . . , I L j i, Table 3.3.8-1 (continued) l I , f Flood- Dullding Floq4 Floor Flooo Initiet Finet Core Dessye Frogsmcy Eedaction Factors F '~ scenario Zone, Elev. Scenerlo - Scenerlo scenario- f I assiber initiation Core Deense Core

;                                                      F                   rw               Dw            Originnt              .Originot                  Revised        Revised                  sevloed               new Flood
                                                          # M 'I                 #        '

numan maman Flood .Nalass Eosipment metetod i g 3 Actions not actions Propogetion Flood Felture itseen ! ef fected try revised Peth" Neight" stede Recovery [ ! the Flood for the lepect Actlan(s) i fIcod" ""

t. m l i ..

x x x j- w142 safeguerd SA142 810 3.50E-04 3.50E-04 3.59E-08 ! se002A safeguerd se002A 773 1.94E-04 1.94E-04 5.09E-07 x x l .i 58002A1 safeguerd s3002A1 773 2.93E-05 2.93E-05 6.55E-06 x x M* t i ss002s safeguerd se002s 785 4.30E-05 4.30E-05 6.70E-07 x x 58002C safeguard s0002C 790 1.56E-04 1.56E-04 4.07E-07 x x sS002D safeguard 50002D 8C0 1.00E-05 1.00E-05 1.36E-07 x x

            ss002E  safeguard   se002E          810    4.06E-05            4.04E-3        6.40E-07                                                  x            x s

i j .- ss0020 safeguerd $8002G 832 2.44E-05 2.44E-05 3.07E-08 x x x x I ss002M safeguard 380024 841 2.45E-06 2.45E-06 3.87E-07 x x ; } L 1.63E-03 1.63E-03 8.83E-07 x x x i 50004 safeguard ss004 790 f f 580061 safeguard se0041 790 1.81E-04 1.81E-04 6.06E-07 x x x" ____m x x e I !' 58005 safeguard 58005 790 1.01E-04 1.01E-04 2.58E-07 A I L . I S0006 safeguerd 58006 790 9.34E-05 9.34E-05 2.90E-07 x x se006 safeguard se006 810 6.86E-04 6.86E-04 1.26E-07 x x x j j t 3 j- 5e0081 safeguard 500081 810 6.79E-05 6.79E-05 ~1.98E-07 x x x" i f S8014 saferasrd se0144 832 7.74E-06 7.74E-06 1.07E-07 x x j 58015 safeguard s0015 832 9.54E-0'. 9.54E-04 1.87E-07 m x x f I' j > 3-234-l 1 i

t I :

i. i

? Table 3.3.8-1 (ContinueJ) [ I Ftood . Sul1 ding Ftood Floor__* l F1 cod Initie1 Finnt Core Deenge Frogsency RedactIce Factors scenecio Zone- Elev. Scenerlo Scenario scenerie Number Inf tietfor. Core Damage Care - Origlwt Originot Revised Revised Revised new Flood [

                                                                                   "*O                "*                               stamen      Numan          Flood     peelmse     Equisment           teleted               i 3

ActIcris set actiens Propegetion F1ood FeIture uween effected ty revised Path * #eight" pode Recovery I the Ftood for the Ispect Actien(e) ! f1aod* t i i Ss143 Safegua-d 53143 810 1.76E-04 1.76E-04 4.94E-09 x x x x ; Ss1432 Safeguard SS1432 810 1.76E-04 1.76E-04 6.77E-07 x x x i S8144 Safeguard $5144 832 4.65E-04 4.65E-04 1.07E-08 x x x x !

Sa155 Sefeguard 58155 832 f.08E-05 1.0 % C5 1.53E-08 M x x x: i. SC007 Safeguard SC007 790 1.26E-04 1.26E-04 3.49E-07 ' x *

4 !

SC009 Safeouard SC009 810 1.96E-04 1.96E-04 7.00E-07 x x i-j SE016 Sefeguard SE016 832 1.63E-04 1.63E-04 2.03E-07 x x { SE018 Safeguerd SE018 852 3.2et-04 3.28E-04 9.16E-08 x X" g SF019- Sefeguard SF019 873 2.48E-05 2.48E-05 3.65E-07 x X" - SG010A Safeguard SG0104 810 3.72E-04 2.T?E-04 1.44E-08 x x SG0108 Safeguard SG0105 844 4.60E-05 4.60E-05 <1.00E-09 x x Snott Sefeguard Spott 844 1.09E-05 ' 1.09E-05 <1.00E-09 x X i I Safeguard 1.44E-08 x SIO12A $1012A 810 2.72E-04 2.72E-04 x t

           $10125                      Safeguard  $10125           844       4.60E-05           4.60E-05            <1.00E-09            x                                x t

'. SJ013 Safeguard SJ013 844 1.09E-05 1.09E-05 <1.00E-07 x x { x"

SK017A Sefeguard SK017A 852 6.48E-05 ,6.48E-04 <1.00E-09 x x SETTA Safeguard SE17A 852 5.52E-04 5.52E-04 1.75E-07 x x* x 3-235 4 , ! I i ( ;

                                   -w-  ,          e          5                              .yv-          y e . - < - -      --           -,.

_

v + - * , . -e-. . ,_- _. ,w

F l i i t i Table 3.3.8-1 (continued) ! i l Flood Building Flood Ficor Flood Inittet Final Core Denepe Fretpaency sekstion Factors l Scenerlo Zone Elev. Scenerlo scenario scenerlo

kuuber Initletion Core Demoge Core I Y ""'" Originnt Origiret Revised ' #evises Revised ooit Flood j

(per year) (per yeer) Frequeticy , , g

                                                                                                                         # #3   Actions not       actions         Propog4 tion            Flood                     failure                           Musen

effected by revised Fath" #eight" Mode Reccvery l Actier-(s) 4 the Flood for the twt fIcod" [

f l i SE0173 safeguard SE0178 8 73 2.72E-05 2.72E-05 3.99E-07 x x j SK017C safeguard sr017C 880 5.22E-04 5.22F-04 4.82E-08 x x i SM157 safeguard SM157 810 1.26E-06 1.26E-06 5.02E-06 l u x t ', 50003 si ".uerd S0003 773 3.38E-05 3.38E-05 5.04E-07 N I -

         *31054       Turbine            Ts105A                 773           7.48E-05                 7.482-05      1.23E-09         x                                              x i

i T31058 Turbine Te1055 758 9.26E-04 9.26E-M 2.48E-08 x x ; f i Ts105C Turbine Ts105C 158 4.11E-04 1.60E-07 1.60E-37 h 181050 Turbine Ts1050 ' 778l 9.82E-03 9.82E-03 1.15E-08 x x Ts105E Turbine TB105E F3 9.55E-03 5.08E-06 3.42E-07 x x ; Te105/ Tsbir e Ta105F 8 'O + 3.84E-04 9.49E-06 9.49E 95 ; L

T8107 Tr bine Te107 778 1.21.E-04 [ 4.2EE-08 4.281E-C8 T8109 . Turbine ~ TS109 803 2.20E-04 5.21E-C8 5.2tE-08 , t TB110 b Turbire - TR110 810 1.46E-04 3.11E-08 3.11E-05 . .- I

          ^sitt
          ,           Turbine           -75111                  810           1.39E-04                 3.70E-04      8.04E-07         x                                              x i          T8112       Turbine             T3112                 810           5.14E-05                 1.36E-04      2.72E-07         x                                              x
                                                                                                     <1.00E-09     <1.00E-09                                                                                                                                   !

a TB113 Turbine Ts113 778 4.30E-07 i' ,

                                                                                                   -<1.00E-09      <1.30E-09                                                                                                                                   ;

3 73148 Turbine TB$48 810 2.23E-06 1 ! 3-236 !,

}.

4 1

               .    +

Table 3.3.8-I (continued) Flood Sulldint Flood Floor Flow inittet Finet' Core Demoge Frequency Redetion Factors scenerlo Zone Elev. scentrio scenstio scenerlo Ikaber Initiation Core Dessee Core - F rw Dw Or!sinet Originnt Revised RevirW Revloed sew Flood (per yeer) (per yeer) FrMW thaman Muuan Flood nealanse Ewipment Reteted j

                                                                                   #   "*# '   Actione not  actioris      *ropeestian   fload        Feiture        sewsmn effected by  revised          Path"     Weight"         Isode      Recovery the Flood   for the                                   Ispect     Actlante) ft d                                                             l j                                                                                                                                                                              !

T8186 Turbine TS186 778 1.90E-05 <1.00E-09 <1.00E-09 ! Ts197 Turbine TS187 778 2.62E-05 <1.00E-09 <1.00E-09 Turbine TB201 830 5.05E-06 5.05E-06 <1.00E-09 x x T5101 1.34E-04 1.34E-06 <1.00E-09 X X X

        -WA103          suts        m103       796 i                                                                                                                                                 e' 5.29E-05      4.21E-07                         M                         I             N Ws104A          suis       We104A      810      1.44-02 8.44E-07                         x                         I             y WB1048 -        Swis      951045       796      1.4M-03        1.46E 'D                                                                                            -

(1)' snitiatire Event Frequency shown has been muodified bleed on Zone's ficod source essteptions Ref. 44. (3) Pr w tlon path rewfalen includes definirq infinite end non-infinite sources. (3)- peodification to propogetion path other then flood source are detailed in Ref. 44 (O- Actions are adjusted to eccetm for flood break termination by operators. (5) This cotsman reflects changes in muinas floems heights free the meninse cateuteted flood heights, reached by either en infinite source flood or e finite source flood es defined in Ref. 44. (6) These scenerlos are infinite source scewfos that are treeted es finite sources besed on pipe sire / flow rate. 3-237

 --                                                                                                                                                                        .s

    -. - -                  -.       ..         - . - - - .                       .    - -        .   ..   ._ -           .-         =.       - -.

4

Table 3.3.8-2: Summary of CpSES Significant Flood Scenario propagation i Flood initiation Core Flood Flood Propagation Dccription Zone Damage Slze' Frequency j

AA021 A $.98E-07 i For this group of scenarios, the flood initiates in one of the various rooms located in the Auxiliary building on elevation 790' This zone contains various plant ancillary equipment including,the CC heat ] exSh angers, the CT and Ril system heat exchangers CC valves, ne boric acid transfer pumps and IPE related electric.d control cabinets. AA021A1 4.36E 07 3 He flood propagates to adjacent zones through normally open doors. Rese zones are: 1) the Safeguards building 790' corridor and the chiller equipment area elevation 778'. He chiller equipment area contains CH system chillers and pumps, in addition to IPE related cable junction boxes. De flood continues its propagation out of this zone via AA021A2 4.47E-06 2 cight 6" diameter floor c :eck valves into the air compressor room. His area contains equipment associated with the Ci system including the Cl air compressors. 2) ne second pathway is to the Safeguards i bullding corridor, which also contains IPE related electrical cabinets and provides a path to the AF system motor driven and turbine drive pump rooms which located on this elevation. Access to both trains of AA021 A3 3.20E-07 4 ECCS pumps is provided from this corridor, ne pump rooms are physically separated and are accessed from different stairwell and are located on elevation 773' These areas contain the RH. Si and CT pumps. AA021B 8,68E 07 1 For this group of scenarios, the flood initiates in one of the rooms contained in this zone which is located in the Auxiliary building at elevation 810'. %ls zone includes all of the hallways at this elevation, the CS system valve room as well as several rooms containing waste and resin processing erWpment. It also contains severa! CS and CC AA021B1 5.81E-07 3 system flow control valves, ne flood propagates from this zone into adjacent zones at this building elevation. These adjacent zones contain the CC system and the CS system pump rooms. He flood water then propagates either to the Safeguards building elevation 810' or via fic AA021B3 7.00E-07 4 grates to the Auxiliary building 790' and follows the propagation paths previously defined. Propagation into the Safeguards building elevation 810' leads to the piping penetration and one of the electrical equipment area rooms. 3-238-l

s-Flood initiation Core Flood Flmd l'ropagation Description Zone Damage Size

Frequency SB004 8.83E47 2 For this group of scenarios, the flood initiates in one of the corridors located in the Safeguards building at eleation 790'. This zone contains Rii system incrumentation and suction isolation valves. The rene also I

contains various cable junction boxes and electri:al equipment cab'r.ets associated with the CT, Si and RH systems. He flood propagates to ; adjacent zones throagh normally open doora into ti.e Auxiliary building l 790' corridor and then into the chiller equipment area elevation 778'. The chiller equipment area contains CH systems chillers and punsps, in addition to IPE related cable julialon boxes. The flood continues its SB0041 6.06E-07 4 propagation out of this chiller area via eight,6' diameter floor check valves into the air compressor room. This area conts.as equipment associated with the Ci system .ncluding the C1 air compre<, sors. The flood initiati. pone (Safeguards building corridor) also pros ides a path ! to the AF system motor driven and turbine drive pump rooms located l en this elevation. Access to both trains af ECCS pamps is provided i from this corridor. The pump rooms are physically separated :.nd are l accessed from different stairwell and are located on elevation 773'. These areas contain the Ril, Si and CT pumps. SBl43 4.94E-09 1 nis flood initiates in one of two piping penetration rooms. These rooms contr. ins MOVs associated with the RH, SI, CS and CT systems. i They also contains severa' junction boxes associated with sdditional equipment belonging to these systems. (Note, Zone SB143 contains

single failure valves associated with the Si cold leg and RH hot injecti n lines, contributing to this zone., higher contribution to CDF)

SD1432 6.77E 07 2 The flood propagates from these areas to adjacent zones on this building elevation. The adjacent zones include, the other piping

penetration room and the building's 810' elevation corridors. Flood
water propagation continues into either the Auxiliary building elevation 810' or into the stairwell leading to the lower levels of the Safeguaids SA142 3.59E-08 2 building. De Auxiliary buildings 810' elevation zcnes include the
hallways on elevation 810', the CC system and the CS system pump rooms. The flood water may then propagate via floor gr?.tes to the l Auxiliary building elevation 790' and follow the propaFition paths previously defined.: 1) Flood size based on non-infinite source with flow rates that limits accumulation to less than l'.; 2) Flood size based on non infinite source with flow rates that limits accumulation to maximum calculated height.; 3) Flood size based on infinite source flow for time period that limits flood water accumulation (o 1 foot.; 4) Flood size based on infinite source flow for time period that limits flood water accurrulation to non-infinite source maximum calculated height.

I 3 239

 - - - - ,     w ,          -
                                              ,en,,v<-my,,,-g-             ,  w ,n
                                                                                    +-- ,     e-  , ,m- - - , - - ,,n---,.an ------p,----~ , w pe-,,- r --- w,n.\

3.4 Results and Screenine Process his section provides a discussion of the results of the front-end analysis. An evaluation of the results according to the specified screening criteria is provided. In addition, a thorough discussion of the evaluation of the decay heat removal function is prosided. l 3.4.1 Apclication of G fneric Letter Sct.cmjDe Criteria ne sequences reported are those functional sequences that contribute IE-05 or more per reactor year to l core damage. the functional sequences tlat contributs 5% or more to the total reported Core Damage Frequency, and any ftmettonal requence that contributes to a ccutainment bypass frequency in excess of IE-07 per reactor year. 3.4.2 Vulnerability Screening The total estimated Core Damage Frequency for CPSES Unit 1 is 5.72E45 per reactor year. His is the surn of all non minimal cutsets quantified to a truncation limit of IE 09. He sequences that contribute IE-06 or more per reactor year or 5% of the CDF are discussed below. Deso sequences contribute 84% of the overall Core Damage Frequency. Note that the sequences may generate cutsets that are not minimal with respect to each other. Therefore, the percentages cited are the sequence probability divided by the linear st'm of the sequences, 6.16E45, which includes sequences below the IE 09 limit (due to recoveries applied). i If there were cutsets that dominated the sequence, they are listed below the sequence description. 4 Otherwise, the top 5 cutsets in the sequence are listed. t 1 3 240

l. #1SCM2X3. Loss of Offsite Power with 0.6-T InduCeG LOCA, and Failure of injection [1.2E-05, 20 %)

In this sequence, the initiating event is a Loss of Offsite Power. In most Cutsets, a combination of equipment failures leads to a Station Bhtkout (SbO). Due to a loss of cooling to the Reactor Coolant Pump Seals, a Seal LOCA ensues, Also, AF is successful in keeping the RCS cooled. This keeps the RCS at 'ilgh temperature and pressula longer, and results in a Large Seal LOCA. As no power is available, the Emergency Core Cooling System (ECCS) is unavailabie. Additionally, operators are unable to restore any power source, including ufsite power, prior to core uncovery. The top 5 Cutsets that make up this sequence are:

1) h3 Lost OF ALL OFF$ lit POWtt Ikl11ATING (VtW1 FREQUENCY 3.$0t*02 6.2BE 07

     $$FLARGt1        PROBAtlll1T TkA1 INDUCED LOCA 18 LARGE AFitR $UCCESSFUL SECONDARY      7.60E 01 EPKDGGtt00NR CCF of 901N Dit$tt GENtRA10R$ DUE 10 LAf TNT hJMAN ERROR                   2.00E 04<

x3RFt170 0FFSITE POWtt CN Rttovtti FACTOR 1.181 01 Af ter a lof J of of felte power, both diesels fell to stort due to latent hwan error, a large seal LOCA 16 trduced, and the operators cannot recover of fsite power prior to core uncovery at 170 minutes.

2) h3 Lost OF ALL OFFilft POWER INiilA11No tVENT FRtoutNCY 3.$0E 02 $.01E 07 SSFLARGtt PR08Allll1T THAT INDUCfD LOCA 18 LARGE AFitR SUCCtllFUL $1CONDARY 7.60E 01 (PSDGGEt02NX DittiL LthtRATOR cpi MEDGtt 02 INADvttitNTLY DitABLED 1.00E 02 SW$1GA11N $W PUMP 1 RAIN A VNAVAILABLE DUE 10 ft51/MAINithANCE 1.60E 02 K3&Ft170 0F F$11E POWER Nt. RECOVERT F AC10R 1.18E 01 Af ter a tone of of felte power, train 8 D/G f alls to start because it 18 Inadvertently disabled, trein A 0/G is unevellable because its cooling source, service water pnp A, is mavellable. A large nest LOCA is Irduced and the cperators cannot recover of f ette power prior to core uncovery at 170 airutes, c

3) u3 LOS$ OF ALL OFF$ lit POWER Ikl11 AllNG EVENT FREQUENCY . 3.$0E 02 4.92E 07 StFLARGE1 PR08Abill1Y THAT INDUCED LCCA Il LARGE Af fit SUCCE$$FUL SECONDARV 7.60E 01 EPCCF1 CCF OF SEA 1 AND itA2 AFitR SM 1.4BE 03 13RFF170 0FFSl1E POWER NON RLC0Vttf F ACTOR 1.25t 02 Af ter a lose of offsite power, both safegueros busses are feutted de to comon cause f ailures. A

, large seel LOCA is induced and the operatore cannot recover of f site power prior to core uncovery at 170 minutes.

4) D3 Loss 0F ALL OFF$ lit POWER ! Nill A11NG EVENT FRt00tNCY 3.$0E 02 4.67t 07

     $$FLARGtt           PROSABilltf IMAT INDUCED LOCA 15 LARGE AFTER $UCCit$FUL ttCONDARY 7.60E 01 EPADOGE101NX       OltstL GENERATOR CP1 MEDGtt 01 INADWRitN1LY DISABLED                 1.00f 02 EPStG8031M         DIEEEL itC2 UNAVAILABLE DUE 10 list /MAINitNANCE                     1.49t 02 x3RFt170           of Fslit POWER NON RECOVERY FAC100                                   1.18E 01 train b dieset is out fmr intenance. A Loss of offsite power occurs, and frein A diesel is unavailable due to Latac* %sn error. A large seat LOCA la induced. The operators are unable to restore rower prior to cor. uncovery.

3-241

_ - _ ~ .. - _ - .. . __ - - _ _ _ _ _.-.~. - - - ._--.- -_.--_-- i > l } i !

5) EK3 Lost 0F ALL OFFSITE POWER INITIATING CVthi FRt0UthCV 3.50E 02 4.67E 07 !

) S$FLARGft P908AllLITY THAT INDucr0 LOCA 18 LARGE AFTER SUCCE$$FUL SECONDART 7.60E 01. 4 EPSDGGtt02NX OltstL GENERATOR CP1 MEDGF.f *02 thADVER1tN' FLY DIS.ABLED 1.00E 02

EPt4GA03fM . Olt$tL ttG) UNAVAILAILE DUE 10 ft$T/NAINTENAkJE 1.49E 02 4 2

K3RFt170 CFFSITE POWER NON RECOVERY FACTOR 1.1M 01 j frein A dieset is out for esintenance. A loss of of*alte power occurs, ervi Train 8 diesel is , mavellab'.e chs to totent hunen error. A large seat LOCA th trduced. The operatort are moble to - restore power peloe to core mcovery. , i j 2. AA021 A27Internal Flood from an RWST 2ource in the 790' elevation of the Auxiliary Building j [4.47E-05, 8 %) a 4 A flood is induced from a pipe taking $uction from the RWST. The flood waters propagate j throughout the 790' elevation of the Auxillary and Safeguards Buildir.g, faulting equipment

located .in these areas, it also propagates into the Safety Chiller room, fontting both trains of

{ Safety Chilled Water (CH), and propagates into the instrument Air room, faulting the compressors located there. . Additionally, it propagates into both trains of the ECCS pump rooms a

located in lower elevations of the Safegurds building-e I e

                 'Ihe following five cutsets contain additional equipment that must fall or events that must happn, given

} 4 that the equipment failed by the flood has already failed, in order to cause core damage. 1

1) AA021A2 FLom INITIAftt IN AA021A, RWST $UPPLit3 1.0M 03 2.39107 AFCPTPTD01FW TDAFWP TRAIN UNAVAILABLE DOE 10 LATENT HUMAN ERROR 2.00E 02 '

i AFkMCLRAlWN PROSABILITY TNAT TRAIN A MDAFWP FAILS ON LOS$ OF Rotet COOLING 2.95F 01 AFRMCLRBINN PR08481LITY THAT TRAIN B ICAFWP FAILS CM LOS$ 0F CDON COOLING 3.56t 01 1 CllfG8K2 AIR DATER TRAIN X 01 FAILS . 1.07t 01

Af ter the flood, the TbAFWP is movellable 4Je la latent error, and both MDAFWPs felt on Loss of room cooling. Mein Feedwater is uneveltable due to e Loss of Instrument air. Blood eral feed is unevellable dae to the fact that the ECC$ pwupe are feutted. ,

2) AA021A2 rLos INITI Af tS IN AA021A, RWST FTPLIED 1.0:sf M 2.39t 07 AFRMCLRAINN PRosA81LITY THAT TRAIN A @AFWP FAILS ON LOSS OF Rocal C00 LING' 2.95t*01 AFRMCLRBINN PROSABILITT ThAT TRAIN 3 WAFWP FAILS ON LOSS OF ROON C00LlWC 3.56t 01 AFTOMAN OPERATOR $ FAIL TO LOCALLT THROTTLE T0AFW FLOW VAf.vtl AFTER L0b$ of SUP 2.00E 02t J

Cl$tGBX2 AIR DRYER TRAIN X-01 FAILS 1.07E4 01 ' FL*"Cl30Mika INSTRUMENT AIR WOT REST 0tt0 WITHIN 30 MINuits - . . . . 1.001+00 Af ter the flocl. Instrunent air to the TDAFWP is moveitobte and the operetors fall to tocetty control the flow, leading to overflit of the Steam Generaters and failure 9f the TDAFWP. Both MDAFWPs fell on loss of room cooling. Meln feedwater !s movellable due to e loss of fostrument tir. Bleed and feed is moveltable chas to the f act that the (CCS ptseps are feusted.

3) AA021A2 FLOOD INITIAftt IN AA021A, RWST S W t!E0 . 1.06t 03 AFRMCLRAINN PROSABILITY THAT TRAIN A MDAFWP FAILS ON LO15 0F R00P COOLING '2.95E 01 ~ 2.22E 07 AFRMCLR$1NN PROSAplLITY TNAT TRAlu 8 MDAFWP FAILS ON Lost 0F ROOM COOLING . 3.56E 01 AFTDMAN OPERATORS Fall TO LOCALLY THROTTLE TDAFW FLOW VALVES AFTER LO3$ OF SUP 2.00E 02<

Cl5 TARTS 02 OPERATOR FAILS TO $ FART COMPRE$$0R X 02 AND OPLN 1 HV 3464 1.00E 01< FL aCl30 MIN

INSTRUMENT AIR NOT RES?0 RED WITNik 30 MINUTil 1.00t+00 Af ter the flood, instrument air to the TDAFWP la mavellable ervt the operators fell to locally control the flow, tesding to overfitt of the steam Generators and f ailure of the TDAFWP. Both i 3 242 q

_ ~. _ , . _ _ _ . . . ._ . . . . . _ , _ _ _ _ . . - , . _ . _ . . . . _ . -

    ._.- -..- -_.~. .~ - ..-._ .. _ . _ . - _ _ -..- -                                                                .- .___ _ _ - -- - - . - .-

4 l l i l i j I NOAFWPs fait t.n toss of rous cooling. Main Feeawater is wvellable dae to e loss of instrument j eir. Bleed and feed la movellable due to the f act that the ECCS paaps are fsuited. ] b i 4) AA021A2 FLOW) INIT!Afts IN AA021A, AWST $UPPLitD 1.06E 03 2.22E 07 AFCPTPTD01FX T0AFWP 1 RAIN UNAVAILABLt DUE TO LATENT HLMAN ERROR 2.00E 02 i AFRMCLRAINN PROSA81Liff TNAT TRAIN A NAFWP FAILS ON Lost 0F RouM COOLING 2.95E 01 1 AFkMPLR$1NN PROSA81Liff iMAT 1 RAIN 8 EAFWP f AILS ON LOS$ OF Rom COOLING 3.56&*01 4 CitfARfXO2 OPERATOR FAllt TO START COMP 81$30R Xa02 AND OPEN 1*HV 3464 1.00C=C1s . Af ter the flood, the TDAFWP le movellebte che to latent error and both WAFWPs fell on loss of ! ! rows cooling. Main Feedwater is movellable due to a toss of Instrument air, steed and feed la movellebte dae to the f act that the rCC8 pumpe are feutted.

3) AA021A2 FLOOD INIflATES IN AA021A, RWST SUPPLIED 1.06E 03 1.77E 07 ,

1 AFCPIPfD01FN TURBINE DRlyEN PUMP cpi +AFAPID 01 FAILS DURING OPERATION 2.47E 02 i AFRMCLRAINN PROBASILiff TMAT TRAIN A eAFWP FAILS ON LOSS OF ROOM COOLING 2.95E 01 ( j AFRMCLRt!NN P908A81LifY THAT TRAIN 8 2AFWP f AILS ON LOS$ OF Rom COOLING 3.56E 01 [

Cl$tG812 AIR DRVER TRAIN x 01 FAILS 1.07E 01 i

i TDPLMPRUN OPERATOR FAILS 10 RESTORE INE TDAFWP AFTER FAILURE 10 PUN 6.00E*01 After the flood, the TDAFWP falls during operatifm, yd the operatore tennot restore it. Both MDAFWPs felt due to a toes of room cooling. Meln Feedwater is unevellebte dos to e loss of

inattvmant alt. Bleed and f eed 19 movellebte dae to the feet that the ECC$ pm are feutted. .

i h a ,

3. #SCMI - Small Break LOCA with failure at Recirculation [4.8E-06, 8%) !

Y , l After a small breat LOCA with suceeasful establishment of ECCS injection, the operators fall to, or are unable to, realign the plant for recirculation. [ The cutset that dominates this sequence is: I t 1

1) ILS $ MALL BREAK LOCA IN!!. CVENT FRED. $.83E*C3 1.17E 06 !

}

                                          &RCXx01                 OPERATOR FAILS 70 RfAll0N CCPS, SIPS. AND Rits f0 REClkt. (NOT OR 2.00E-02 LATERECIRC              OPERATORS AND PLANT STAFF FAIL TO REAllGN 10 RECIRC. ON LATE RECIR 1.00E*01                          ,

Af ter a emen t break LOCA, the operators and the plant staf f imit to restian ECCS to reclFeulation. ' j the RW$1 depletes, ICCS f alls, eM the core is mcovered. 4 L j 4. #RCMI - Steam Generator Tuho Rupture with Failure to Terminate Break Flow. p.4E-06,6%] q j After the initiating event, an SGTR, the ECCS system is successful at establishing makeup, the { AF system maintains level in the Steam Generators, but the operators either fail, or are unable - { to terminate break flow due to equipment unavailability. Additionally, if th'e equipment was 1 unavailable, the operators were unsuccessful at depressurizing the RCS to the polut at which the-Residual Heat _ Removal system could be aligned for closed loop cooling, and they could not - rnateup to the RWST to continue the injection phase. ]

- o 3 243 4

5 L l

i 1 ne cutset that dominates this sequence is: i

1) 1A $1 TAM CENttAfor. TUDE RUPTUaE lhlTIAllNG EVtNT 2.84t*02 2.84E 06 ASGTR01 oPLRATOR$ F All 10 ISOLATE &RfAK fLCW oW $GTR AFitt 2 NCORS 1.00E 04 Af ter a steam generator with successful establishment of LCCS injection ard secondary best remrsval, l the operators fell to terminate break flow. The RWST depletes ECCS falls, and the core is 1

mcovered. . 5. #VSCMI - Very Small Ilreak LOCA with Failure at Recirculation 13.3E@,5%) After a Very Small Break LOCA with successful injection and successful establishment of AF, the operators do not successfully realign the systems to recirculation, or the systtnu are s unavailable. ! ne cutset that dominates this sequence is:

1) %VS VERT EMALL BREAK LOCA INiilAflNG EVENT 1.26E*02 2.52E 06

         &RCry01              OPtnA10a FAILS TO REAllCN CCPS, SIPS, AND RHP510 RICIRC. (HOT OR 2.00t+03 LATERECIRC          OPERATOR $ AND PLAhi STAFF FAIL TO REALIGN 10 REClRC. ON LATE RECIR 1.00t 0 Af ter a VSSLOCA, the operators ard the plant staf f f all to reelign the ICC$ to recirculation. The RW1T depletes, ECCS f alls, and the core 16 uncovered.

, 6. #1SCM2TR - Transient or Loss of Sepport Systam Leads to 0.6-2* LOCA and failure of ECCS at injection [3.3EW, $ %) In this sequence, the initiator and subsequent equipment failures lead to a 0.6-2* LOCA, and the ECCS systems are unavailable to provide makeup to the RCS. These sequences are dominated by induced RCP seal LOCAs. Additionally, it is important to note that the same system failures that lead to the induced LOCA are unavailable to mitigate the LOCA. 3 244

!                                                                                                                        1 J

l j < l De top four cutsets that make up this sequence are: I l 1 l

1) 1.K7 LDst OF SVAfl04 SERVict VAftR INiilAllWC (vet 1 ME0Vf4Cf 4.79E 03 1.02E Of

      $$FLARGfi          PR06 ABILITY THAT INDUCED LOCA is LARGE Aritt SUCCtstFUL SECONDARY 7.60E 01 ClassWRECOV        0F ERATOR FAILt 10 PROVIDE MANUAL AC110Ns Rt00lRED F0w ALitRhAlt $$ h00E 02 CSLUBEFAll         CS PUMP F AILURE PR06ABILiff GIVEN A Loll 0F LUBE Olt CCOLING             1.00t+00 SILUBICOOL         St MMP FAILURE PROBABILITY Glvtu A LO510F LUBt CIL COOLING                1.00t+00 XTRICWtt           OPERATORS FAIL TO REL.0Vit SW 14 2 MOURS                                  $.00E 03 Upon a toss of att Unit 1 station Service Jeter, Corporent Cooling uter is lost and theref ore the positive displacement charging pwp tripe, 6nd thernet barrier cooling la also movellebte. The cperatore are unable to provide alternate cooling to the Centrifuget Chorging pmpe. A Lerge seal LOCA is Irwised. The CCPs ord the $1Pe felt che to loss of ide oil cooling. With to high head (CCS pwps evettable, the core uncovere cA>e to the LOCA. Atilitionally, the operators are meble to restore service wter pelor to ecpipsent f all        r.

2) 1.Xl LOS$ OF DC BUS 1[D1 3.35E 02 1,TN 07 StFLARGE1 PR08 ABILITY THAT INDUCED LOCA 18 LARGE AFTER $UCCtllFUL $ECONDARY 7.60E 01 171tGB0$in 808 1EA2 UNAVAILABLE DUE TO 1 Ell /MAlWitWANCE 3.48t 05 X1 REC 0Vtt OPERAfDel Fall 10 REC 0Vit 12$ VDC BUS 1[D1 IN 2 N WR$ 2,000 01 The Initiating event is e lose of it DC tus 1E01. Train A equipsent cannot start tecause DC power is unevellable, f rsin 8 eo %t hee no power because tua itA2 is out for corrective reintenance.

A seat LOCA ensues, and no .JC5 le erottable. The operators are moble to restore DC power to atpipment prior to core mcovery.

3) til GENERAL PLANT TRANsitNT 2.90t+00 1.42E 07

      $$FLARGft          PROCABILITY ikAT INDUCED LOCA IG LAtGC AFTER $UCCtl$FUL SECouDARY 7.60E 01 C1915WEECOV        OPERAfDs FAILS TO PROVIDE MANUAL ACTIONS Ft0UIRED FOR ALTERNATE $$ 1.00E 02 CtLUBEFAIL         CS PUMP FAILURE PR06Atillff GIVEN A LOCS OF LULE Olt COOLING              1.00E*00
      $1LU8tC00L         $1 PUMP F AILURE PR06AllLiff GIVtX A LD5h H8 Ltti 91L COOLING             1.00t+00 SwitGA1TM          SW PUMP TRAIN A UNAVA]LABLE OUE 10 TE5?/MAINTENitCI'                      1.60E 02
      $V$tGS1            SW PUMP TRAlu 8 FAILS                                                    8.09E 04 PUMPRUN1           OPERATORS Fall TO WECOVER PUMP th4T FAIL 4 TRING OPb'Atl0N               5.00E 01 Train A Stetton Service Water 16 out for eelntenente. A pl$nt trvalent leads *o a reactor trip.

The rewining service water pw p trips. The operators are moble to recover this pwp, or provide alternate cooling to the CCPs. With rio seat injection or thermet barrier cooting, a seal LOCA le in Weed. The CCPS and the $lPs fell due to loss of tube oil cooling. With e emell LOCA and no ECC$, the core is mcovered.

4) %11 GtNERA6 Pl. ANT TRANt!ENY 2.901+00 1.07E-07 SSTLARGE1 PRotABIL!TY 1".AT INDUCED LOCA 15 LARGE AFTER $UCCESSFUL SECONDARY 7.60E 01 CSSSSWRECOV OPtkATOR FAILS 10 PROVif MANUAL ACil0NS REQUIRED FC I ALTERNATE $$ 1.00E 02 CSLUBEFAIL CS PUMP FAILURE PROBABILITY GIVEN A LO$$ OF LUBC Oil COOLING 1.00E*00

      $1LUBEC00(         $1 PLMP FAILURE PR08ABIL11Y GivtN A LOSS OF LUBE Oil C00LlWG             1.00E *00 SW5tGAliN          $W PUMP TRAIN A UNAVAILABLE DUE TO TEST / MAINTENANCE                    1.60E 02
      $W$1082            SW PUMP B STRAINER 1 RAIN FAILS                                         3.03E 04 Train A $tation Service Water 14 out for maintenance. A plant tran31ent tends to a reactor trip.

The remelning service bieter f alle due to e clogged Strainer. The operators are unable to provide alternate cooling to the CCPt. With no seat injection or thermal berrier cooling, a seal LOCA is induced. The CCPe and the $1Ps felt due to loss of Idee oil cooling. With a snell LOCA and no ECC5, the core is i.ricovered. 1 1 3-245 1 1 i

i

7. #ATCM6 - Transient with Mechanical Rod Binding ATWS, Successful Turbine Trip, Failure of Main Feedwater, and Failure of Any AF Pump. [2.bE 06, $%)

i in this sequence, the inillating event leads to or requires a reactor trip. 'Ihe reactor fails to trip i due to mechani al rod binding, but the turbine does trip. Main feedwater is unavailable, most i likely due to the initiator, and any one AF pump fails to start or run. 'Ihis wquence is dominated by a loss of Main Fealwater.

                 *The top 5 cutsets that make up this sequence are:

il 116 LOSS OF MFW

NO MFW AVAILABLE INITI Af!NG EVENT FREQUtWCY 1.00E+00< 3.31E 07 AFCPTPt00iNW TutBINE* DRIVEN PUMP CP1 AFAPTD 01 Ulls to START 3.31E 02 kPX$CRODRPDF FAILURE OF SCRAM SYSTEM (MECMAWlCAL
R00$) 1.00Ea05 Upon a loss of main feedwater, a sufficient ru ter of control rod 6 fall to insert auch that the reactor is not shutdowm. The turbine driven AF ptsip falls to starr and the ensulno pressure eacursion exceeds 3200 pela.

2) 1X1 Lost OF DC BUS 1r01 3.15E 02 3.35E 07 i RPx1CRODRPFF FAILURE OF SC8 AM SY$ FEM (MECHANirAL

RODS) 1.00E-05 i d

upon a lose of train A 1E DC power, a suf ficient tueer of control rods felt to insert such that the reactor is not shutdown. Main feedweter is lost due to the DC power, and train A motor driven AF

planp f alls to start for the same reason. The ensulag pressure excursion exceeds 3200 psia.: 3) 176 LO$$ OF MFW

NO MFW AVAILABLE INITIAflNG EVENT FREQUENCY 1.00E+00< 2.47E 07 AftP1P1001FN TUR8INE* DRIVEN PUMP cpi AFAPID 01 FAILS DURING OPERATIDW 0.47E 0 RPX5CR00RPFF FAILUSE OF SCRAM SYSTEM (MECHANICAL
RODS) 1.00E 05 Upon a loss of main feedwater, a suf ficient ruter of control rods felt to insert such that the reactor is not shutdown. The turbine driven i ptep f alls to rm, aM the ensula pressure excurslm esceeds 3200 pela.

1

4) %16 Lost OF MFW = WO MFW AVAILABLE IN!TI A11NG EVENT FREQUENCY 1.00E+00< 2.45E 07 AF5EG82 MDAFuP TRAIN 8 FAILS 2.45E 02 RPRSCRCORPFF FAILURE OF SCRAM SYSTEM (MECMANICAL RODS) 1.00E 05 Upon a loss of main feedwater, w suf ficient ruter of control rods fall to insert such that the 3 reactor is not shutdown. Motor driven AF ptep B f alls to start or run, and the ensuing pressure enursion exceeds 3200 pele.

5) 176 Loss of MFW NO MFW AVAILABLE INITI ATING EVENT FREQUENCY 1.00E+CH 2.45E 07 AFSEGA2 MDAFWP TRAIN A FAILS 2.45E 02 RPXSCRODQPFF FAILURE OF SCRAM SYSTEM (MECMANICAL RCCS) 1.00E 05 Upon a less of main feedwater, a suf ficient ruter of control rods fall to insert such that the reactor is not shutdown. Motor driven AF ptep A f alls ce start or rm, and the ensuing pressure excursim exceeds 3200 psia.

8. #X3CM2 - Loss of Offsite Power with Failure of AF and Failure of Bleed and Feed Cooling

[2.6E45, 4%) Upon a loss of all offsite power, combinations of equipment failures lead to a total loss of AC power (SDO). Additionally, the Turbine Driven AF pump, which is AC independent, is-i 3-246

unavailable. he operators are unable to enter Bleed and Feed cooling due to equipment unavailability. Additionally, they could not recover any clectrical power, including offsite power, prior to core uncovery. 4 The top 5 cutsets in this sequence are:

1) 23 Lohl 0F ALL OFFSITE POWER INFTIATING EVENT f REQUENCY 3.50E 02 1.65E-09 AFCPTPTD01NN TURBINE-DRIVEN PUMP cpi AFAPTD-01 FAILS TO 4 TART 3.31E-02 EPADGGEE01FN DIESEL GENERATOR CP1 NEDGEE 01 FAILS AFTER FIRST HOUR OF OPERAfloW 5.77E 02 EPSDGCEE02FN DIESEL GENERATOR cpl *MEDGEE-02 FAILS AFTEf( FIRST HOUR OF OP[ RATION 5.77E-02 13RFA110 0FFSITE POWER NON RECOVERf FACTOR 4.28E 03 EPDGRUN2 CPERATORS FAIL TO RECOVER A DIESEL CENEPA!OR WHEN BOTN MAVE FAILED 1.00E-01 Af ter a loss of of fsite power, both diesels f all to r.m and the TDAFWP fbits to start. The i verstors are mable to recover either diesel and off site power. Without any AF or power, the RCS

' inventory eventually bolts of f and the core is uncovered.

2) 23 Lost 0F ALL OFFSITE POWER INITIATING EVLNT FmEQUENCY 3.50E-02 3.41E 07 AFCPTPTD01NN TURSIL. DRIVEN PUMP CP1 AFAPYD*01 FAILS TO START 3.31E 02 EPCCFT CCF 07 1EA1 AND 1EA2 AFTER BOS 1.4BE 03 13RFE110 0FFSITE POWER NON RECOVERY FACTOR 1.99E 01

! Af ter a loss of of f site power, both 1E busses are ur.available due to como1 cause f ailures. The TDAFWP falls to start. Drerefore are maMe to FOcover of fsite power prior to rore uncovery.

3) 23 LOSS OF ALL CFFSITF POWER IW! Tit. TING EVENT FREQUENCY 3.50E-02 3.39E-08 AFCPTPTD01NW TURRINE DRIVEN PUMP CP1 AFAPTD-01 F#1LS TO START 3.31E 02 EPADGGEE01M DIESEL GENERATOR CP1 MEDGEE 01 FAIL'J TO START 3.84E 02 EPBDGGEE02NW DIESEL GENERATOR cpi MEDGEE-02 Falls To START 3.84E-02 h3RFE110 0FFSITE POWER NON RECOVERY FACTOR 1.99E 01

[PDGSTART2 OPERATORS Fall TO RECOVER A DIESEL WHEN BOTH HAVE FAILED Jo START 1.00E 01 After a loss of offsite power, both diesels fall to start and the TDAFWP falls to strrt. The operators are unable to start either diesel, or recover offsite power prior to core uncovery.

4) 23 LOSS OF ALL OFFSITE POWER INITIAftkG EVENT FREQUENCY 3.50E-02 5.56E 09 AFCPTPTD01FN TURBINE DRIVEN PUMP CPI AFAPTD41 FAILS DURING OPERATION 2.47E 02 EPCCFT CCF OF 1EA1 AND 1EA2 AFTER BOS 1.48E-03 x3RFG110 0FFSITE POWER NON RECOVERY FACTOR 4.34E 03 After e loss of offsite powe , both 1E busses are unavailable due to cumeen cause failures. The TDAFWP f alls to rm. Operators are unable to recover of fsite power prior to core mcovery.

5) 23 LOSS OF ALL OFFSITE POWER INITIATING EVENT FREQUENCY 3.50E 02 2.40E 39 AFCPTPTD01FN TURB1WE DRIVEN PUMP CP1 AFAPID-01 FAILS DURING OPERATION 2.47E-02 EPADGGEE01NN DIESEL GENERATOR CP1 MELGEE 01 FAILS TO START 3.84E-02 EPSDGCEE02NN DIESEL GENERATOR CP1 MEDGEE 02 FAILS TO START 3.84E 02 x3RFH110 0FFSITE POWER NCN+ RECOVERY FACTOR 1.BSE-02 EPDGSTART2 OPERATORS Fall TO RECOVER A DIESEL WHEN BOTH HAVE FAILED TO TTART 1.00E-01 Af ter a loss of offsit< power, both diesels f all to start, ard the TDAFWP f alls to run. The operators cannot start either diesel, or recover offsite power prior to core mcovery.

9. #TICM2 - General Plant Transient with Failure of AF and Failure of Bleed and Feed Cooling

[2.2E 6, 3%] After a reactor trip, tla A1 2system is unavailable due primarily to loss of room cooling to the motor driven AF pumps, combined with unavailability of the TDAFWP The same support l systems lead to the uu.vailability of the equipment associated with bleed and feed. 3-247

ne top five cutsets that make up this sequence are;

1) 111 GENERAL PLANT TRANSIENT 2.90E+00 8.33E 08 AFCPTFTD01FX TDAFWP TRAIN UNAVAILABLE DUE TO LATENT auMAN ERROR 2.00E 02 AFRMCLRAINN PROBABILITY ThAT TRAIN A DOAFWP FAILS ON LOST 0F ROOM C00LlWG 2.95E 01 AFRMCLRBINN PROBASILITY THAT TRAIN B POAFWP FAILS ON LOSb 0F ROOM COOLING 3.56E 01 l CCSEG81 CC PUMP TRAIN 8 FAILS 8.59E 04

) EPBATTDEPL TAG JNDICATING DEPLETION OF BATTEtlES AT 4 HOLAS 1.00E + 00 ? EPUPSMVACFAI FLAG INDICATING FAILURE OF UPS HVAC 1.00E +00 SWSEGA1TM SW PLMP TRAIN A UNAVAILABLE DJE 10 TEST / MAINTENANCE 1.60E 02 Service water pwp train A is mavailable due to maintenance. A generet plant transient leads to a reactor trip. The TDAFWP is unavallable due to latent errur. During its mission time, the train B CC pap falls. This leads to a loss of safety chilled water, and a loss of room cooling. Both motor criven AF pe ps fell due to loss of room cooling. The battery chargers falted on loss of room cooling, and when the batteries deplete, the ECCS equipnent cannot be started, therefore bleed and feed is mavaltable.

2) %T) GENERAL PLAET TRANSIENT 2.9 N ?.21E 08 AFCPTPTD01FX ipAFWP TRAIN UNAVAILABLE DUE To LATENT HUMAN ERROR 2.00E 02 ArRMCLRAINN PR08 ABILITY THAT TRAIN A MDAFWP FAILS ON LOSS OF ROOM COOLING 2.95E-01 AFRMCLR61NN PROGABILITY THAT TRAIN B MDAFWP FAILS ON LOSS OF ROOM COOLING 3.36E-01 CCSEGA1 CC PUMP TRAIN A FAllt 1.38E 02 CCSEG81 CC PUMP TRAIN s FAILS 8.59E 04 EPSATTDEPL TAG INDICATING DEPLETION OF BATTERIES AT 4 HOURS 1.00E+00 E/UPSHVACFAI FLAG INDICATING FAILURE OF UPR HVaC 1.00E+00 A generet plant '6cansient leads to a reactor trir W .c tFWP is movellable due to latent error.

During its mission time, the train A ord B CC pve W This leads to e loss of sa.ety chllled water, and a toss of room cooling, et,th motor e le ,. pmpa fall due to loss of room cooling. The battery chargers Siled ~ loss of room - Airm, and when the batteries deplete, the ECCS equipment cannot be st. .t thersfore bleeo and feed is unavailable.

3) %T1 GENCRAL PLANT TRANSIENT 2.90E+00 6.18E 08 AFCPTPTD01FW TURelWE-DRIVEN PUMP CP1 AFAPTD 01 FAILS DURING OPERAflou 2.47E-02 AFRMCLRAINN PRO 8 ABILITY TNAT TRAIN A DOAFWP FAILS ON LOSS OF Ro0M COOLING 2.95E-01 AFRMCLRBlWN PROBASILITY THAT TRAIN 8 MDAFWP FAILS OR LOSS S ROOM COOLING 3.56E + 131 CCSEG81 CC PUMP TRAIN B FAILS 8.59E-04 FPSAfTDEPL TAG INDICATING DEPLETION OF BATTERIES AT 4 HOURS 1.00E+00 EPUPSdVACFAI FLAG INDICATING FAILURE OF UPS HVAC 1.00E+00 DISEGA1TM SW PUMP TRAIN A UNAVAILA8LE DUE TO TEST / MAINTENANCE 1.60E 02 T!*UMPRUM OPERATORS FAIL 10 RECOVER THE TDAFWP WWEN IT HAS FAILED TO RUN 6.00E-01 A generet plant transient leads to a raector trip. The TDAFWP is mavallette due to latent error.

During its mission time, the trein A and B CC pwps felt. This leads to a loss of safety chilled water, and a loss of room ccoling. Both motor driven At peps f ait due to toss of room cooling. The battery chargers f ailed or. Loss of room cooling, and when the betterles deplete, the ECCS equfyct carvnt be storied, therefore bleed and feed is unavailable.

4) 1T1 GENERAL PLANT TRANSIENT 2.90E+00 5.77E 08 AFRMCLRAINM ?ROBASILITT THAT TRAlu A MDAFWP FAILS ON LOS$ OF ROOM COOLING 2.95E-01 AFRMCLRelWM PROBABILITY THAT TRAIN S MDAFWP FAILS ON LOSS OF ROOM COOLING - 3.56E 01 CCSEG81 CC PUMP MAIN B FAILS 8.59E 04 EPBATTDEPL TAG INDICATING DEPLETION OF BATTERIES AT 4 HOURS 1.00E+00 EPUPSHVACFAI FLAG INDICATING FAILURE OF UPS HVAC 1.00E+00 MSSEGX29 STEAM DUMP STSTEM FAILS TO MAINTAIN MAIN STEAM SYSTEM INTEGRITY 1.38E-02 SVSEGAITM SW PUMP TRAIN A UNAVAILABLE DUE TO TEST / MAINTENANCE 1.60E 02 Service water pupp train A is unavailable due to maintenance. A general ri mt transient tends to a re**?or trip. The TLAFWP la unavaltebte che to latent error. During its M 2sion time, the train B CC e p falls. This leads to a loss of safety chilled water, arJ e loss of room cooling. Both motor driven AF pu ms fait due to loss of room cooling. The battery re gers fatted on loss of room cooling, ard when the batteries deplete, the ECCS equipnent cannot be ted, therefore bleed and feed is unavaltable.

3-248 ?

     -. -- _                  - . ..                 . - ~ -     .        -            -                        - - .~                  -           ., .~

i i "

5) 111 GENERAL PLANT TRANSIENT 2.90E+00 5.52E 08 AFCPTPTD01NN TUREINE DRIVEN PUMP CP1 AFAPTD 01 RAILS 10 START 3.31E 02

(> AFRMCLRAINN PROSA81LITY THAT TILAlN A MDAFWP FAILS ON LOS$ OF ROOM COOLING 2.95E-01 AFRMCLRBINN PROSA81LITT THAT TRAlW B MDAFt# FAILS ON LO$$ OF ROOM COOLING. 3.56E 01 i CCSEGB1 CC PtMP TRAIN B FAILS 8.59E 04 l EPSATTDEPL TAG INDICATING DEPLEil0N OF BATTERIES AT 4 HOURS 1.00E+00 1 EPUPSHVACFAI FLAG INDICATING FAILURE OF UPS HVAC 1.00E+00

                - SWSEGAITM           SW PUMP TRAIN A UNAVAILABLE DUE TO TEST /MAINTEN*NCE                              1.60E*02 i                 'TDPUMP$T           OPERATOR $ FAIL TO START THE TDAFWP WHEN IT MAS FAILED TO START                    4.00E 01 j                        $ervice water pw p tr61n A is (navailable due to maintenance. A general plant translant Leeds to a reactor trip. The TDAFWP falls to start. During its alssion time, the train 3 CC pop f alls. This 4

toads to a loss of safety chitted water, and a loss of roan cooling, toth motor driven AF pu ma felt the to toss of room cooling. The battery chargers f atted on loss of room cooling, and when the j batteries deplete, the ECCS equipment cannot be started, therefore bleed and feed is unavailable. I d

;.            10.       #ACMI - Large Break LOCA with Successful Injection and Failure at Recirculation [2.0E-06, i

3%) i s d in this sequence, a Large Break LOCA occurs, ECCS is successful at injection, but fails during either hot or cold leg rec!rculation. The top three cutsets that make up this sequence are:

1) 1A LARGE BREAK iOCA INITIATING EVENT FREQUENCY 2.03E 04 9.00E 07 [

i RMSEGX6 RCS NOT LEG aNJECTION VALVE 1 8840 UNAVAILABLE 4.43E 03 l Af ter a LSLOCA, and successfut cold tog injection and recirculation, the enerators are unable to establish hot leg recirculation che to the f ailure of b8840. The Localized volding and flow j channet blockages due to boron precipitation lead to core damage. 1

;             2) %A                   LARGE SREAK LOCA INITIATING EVENT FREQUENCY                                       2.03E 04   1.47E 07 i                   RMCCFMLR            F AILURE OF HOT LEG RECIRC. DUE TO MOV COMMON CAUSE, UN!QUE To HLR 7.24E 04

! Af ter a LBLOCA, and successful cold leg injection and recirculation, the operators are unable to j establish hot leg recirculation dut to csunon cause f ailure of hot .tes recirc. valves. The locallred volding and flow channel blockages due to boron precipitation toad to core damage. l -3) %A LARGE BREAK LOCA INITIATING EVENT FREQUENCY -2.03E 04' 1.05E-07 RMSEGX6TM RH SEGMENT X6 UNAVAILABLE DUE TO MAINTENANCE 5.1TE 04 - . -After a LBLOCA, and successful cold leg injection and recirculation, the operators are unable to . establish hot les recirculation due to 1 8840 being in maintenance. The localized voiding and flow

- channet blockages che to boron precipitation toad to core damage.

I i- 11. #IVSCM4 - Induced Small Seal LOCA with failure of ECCS, and successful AF [1.7E-06,3%] In this sequence, an initiating event and a combination of equipment failures lead to a small seal LOCA. ECCS equipment is not available, primarily due to the same failures that induced the

- LOCA. ' The availability of AF delays core damage to a late PDS bin.

i 3-249 4 +

                                         --     - ..            , . .~. _           -.   . .  . . , , - . . ,_.            .        ...   - . _ . , . - - _ . , , , -

1 5 ne top four cutsets in this Sequence are: a

1) %X3 LOSS OF ALL OFFSITE POWER !NITIATING EVENT FREQUENCY 3.50E 02 2.07E 07

             $$FSMALL1            PROBABILITY THAT INDUCED LOCA l$ SMALL AFTER SUCCESSFUL SECONDARY 2.40E 01 EPCCFT               CCF OF 1EA1 AND 1EA2 AFTER BOS                                        1.48E 03 X3RFE470             0FFSITE POWER NON RECOVERY FACTOR                       .

_ 1.67E 02 Af ter a loss of offsite power, both safeguarck busses are mavaltable due to common cause. The TDAFWP la successful at maintaining secondary heat removal. A small seal LOCA is inchaced. The operstors are mable to recover offsite power prior to core meovery.

2) %X7 LOSS OF STAfl0N SERVICE WATER INITIATING EVENT FREQUENCY 4.79E 03 5.75E 08 SSFSMALL1 PROSABILITY THAT INDUCED LOCA IS SMALL AFTER SUCCESSFUL SECONDARY 2.40E 01
CSSSSWRECOV OPERATOR FAILS TO PROVIDE KANUAL ACTIONS REQUIRED FOR ALTERNATE $51.00E C2 LsLUBEFAIL CS PUMP FAILURE PROSA81LITY GIVEN A LOSS OF LUBE 01L COOLING 1.00E+00 SILUBEC00L St PUMP FAILURE PROSARILITY GIVEN A LOSS OF LUBE all COOLING 1.00E+00 2 X7 RECOVER OPERATORS FAIL 70 RECOVER SW IN 2 HOURS 5.00E 03

Unit 1 experiences a total loss of SW. The AF system maintains secondary heat removal. The operators fait to provide alternate cooling to the CCPs and a smatt seal LOCA is *nduced. The operators are mable to recover Station service water prior to ogJipment f altures. The SIPS fall .

a due to toss of Lube oft cooling. With a smalt LOCA and no ECCS, the core eventually mcovers. i' 3) %X1 LOSS OF DC BUS 1EDI . 3.35E 02 5.605 00 S$FSMALL1 PR08 ABILITY THAT INDUCED LOCA IS SMALL AFTER SUCCESSFUL SECONDARY 2.40E 01

            .EPSEGS05fM           sul 1EA2 UNAVAILABLE DUE To TEST / MAINTENANCE                        3.48E 05 X1 RECOVER           OPERATORS FAIL 70 RECOVER 125 VDC BUS 1ED1.IN 2 HOURS                 2.00E 01 A loss of 1E DC bus 1ED1 toads to a plant trip. Train B is unavailable chae to maintenance on the i                     bus. With no train A DC power, the equipment falls to start. A small seat LOCA la induced. The

operatore are mable to recover the DC bus prior- to core uncGary.: 4) %T1 GENERAL PLANT TRANSIENT . 2.90E+00 4.49E-08 S$FSMALL1 PROSABILITY THAT INDUCED LOCA 15 SMALL AFTER SUCCESSFUL SECONDARY 2.40E 01 CSaSSWRECOV OPERATOR FAILS TO PROVIDE MANUAL ACTIONS REQUIRED FOR ALTERNATE $$ 1.00E 02 CSLUBE FAIL - CS PUMP FAILURE PROSABILITY GtVEN A LOSS OF LUBE OIL COOLING 1.C0E+00 SILUBECOOL St PUMP FAILURE PR08 ABILITY GIVEN A LOSS OF LUBE CIL COOLING 1.00E+00

, SVSEGA1TM SW PUMP TRAIN A UNAVAILABLE DUE TO TEST /MAINTFNANCE 1.60E 02 SWSEG81 SW PUMP TRAIN B FAILS 8.09E 04 PUMPRUN1 OPERATORS FAIL 70 RECOVER PUMP inAT FAILED DURING OPERATION 5.00E 01 Train A Service w ter 14 in maintenance. A general plant transient occurs. SW pump 8 f alls in its mission tiana. The operators f all to provide alternate cooling for M c CCP, and it f alls due to loss of Lee all cooling. A small seat LOCA is induced. The SIPS fall ch;e to toss of itbe oil cooling. The operators are mable to recover the tripped SW puip prior to core unt.wvery.

12. #1VSCMS - Induced Small Seal LOCA with failure of ECCS, and Failure of AF to provide flow for at least 4 hours [1.6E-06, 3%]

In this sequence, an initiating event and a combination of equipment failures lead to a small seal LOCA. ECCS equipment is unavailable, primarily due to the same failures that induced the 4 LOCA.- Additiom.lly, AF fails prior to 4 hours, which directs the sequence into PDS bin 3SBO. 3-250

ne top five cutsets to this sequence are:

1) u3 LOSS OF ALL OFFSIT! POWER INIT!ATING EVENT FREQUENCY 3.50E-02 2.43E 08 SSFSMALL2 PROBABILITY THAT LOCA l$ SMALL AFTER FAILURE OF SECONDARY HEAT REM 7.60E-01 AFCPTPTD01FX TDAFWP TRAlu UNAVAILASLE DUE 10 LATENT HUMAN ERROR 2.00E 02 EPPDCCEE02FN DIESEL GENERATOR CP1 MEDGEE 02 FAILS AFTER FIRST HOUR OF OPERATION 5.77E 02 SWSEGA1TM SW PUMP TRAIN A UNAVAILABLE DUE TO TEST /MAlWTENANCE 1.60E-02 X3RFB110 0FFSITE POWER kON RECOVERY FACTOR 1.09E 01 EP0GRUN1 OPERATOR FAILS TO RECOVER A DIESEL GENERATOR THAT HAS ? AILED 10 RU 2.50E 01 Train A service water pmp is out for maintenance, disabling train B diesel. A loss of offsite power occurs. Train A diesel f aits to rm. The TDAFWP is mavailable cbe to latent error.

2) 23 LOS$ OF ALL OFFSITE POWER INITIATING EVENT FREQUENCY 3.50E 02 2.42E 08

   $$FSMALL2           PROBABILITY THAT LOCA 18 SMALL AFTER FAILopf 0F SECONDARY HEAT REM 7.60E 01 AFCPTPTD01NN        TURBINE-DRIVEN PUMP cpi AFAPTD 01 FAILS To START                        3.31E 02 EPADGGEE01NN        DIESEL GENERATOR CP1 MEDGEE 01 FAILS 70 START                           3.84E 02 EPBDCGEE02FN        DIESEL GENERATOR CP1 MEDGEE-02 FAILS AFTER FIRST HOUR OF OPERATION 5.77E-02 13RFB110            0FFSITE POWER NON RECOVERY FACTOR                                       1.99E 01 EPDGRUW1            OPERATOR FAILS TO RECOVER A DIESEL CENERATOR THAT HAS FAILED TO RU 2.50E 01 EPDGSTART1          OPERATORS Fall TO RECOVER A DIEkl GENERATOR THAT MAS FAILED To ST 2.50E 01 After a toss of offsite power, train A diesel falls to sts*t ae' train B faits to run. The TN FWP fails to start. A small seat LOCA is bduced. The operators are unable to restore offsite power or either diesel generator. With a small LOCA and no ECCS, the core is eventually uncovered.

3) u3 LOS$ OF ALL OFFSITE POWLR INITIATING EVENT FREQUENCY 3.50E 02 2.42E-08 SSFSMALL2 PR06 ABILITY ThAT LOCA 15 SMALL AFTER FAILURE OF SECONDARY HEAT REM 7.60E 01 AFCPTPTD01NN TURBINE

DRIVEN PUMP CP1+AFAPTD 01 FAILS To START 3.31E 02 EPADGGEE01h. DIESEL GENERATOR CP1 MEDGEE 01 FAILS AFTER FIRST HOUR OF CPERATION 5.77E 02 EP80GGEE02NN DIESEL GENERATOR CP1 MEDGEE 02 FAILS To START 3.84E 02 X3RFB110 3FFSITE POWER kON RECOVERY FACTOR 1.99E-01 EPDGRUN1 0F'ERATOR FAILS TO RECOVER A DIESEL GENERATOR THAT HAS FAILED TO RU 2.50E 01 EP0GSTART1 OPERATORS FA!L TO RECOVER A DIESEL CENERATOR THAT HAS FAILED To ST 2.50E 01 Af ter a loss of of fsite power, train 8 diesel f alls to start and train A f alls to rm. The TDAFWP faits to start. A small seal LOCA is induced. The operators are unable to restore offsite power nr either dieset generator. With a small LOCA and no ECCS, the core la eventuelty uncovered.

4) %x3 LOSS OF ALL OFFSITE POWER INITIATING EVENT FREQUENCY 3.50E 02 2.27E-03 SSFSMALLE PR08 ABILITY THAT LOCA IS SMALL AFTER FAILURE of SECONDARY HEAT REM 7.60E 01 AFCPTPTD01FX TDAFWP TRAIN UNAVAILABLE DUE To LATENT HUMAN ERROR 2.00E 02 EPB0GGEE02FM DIESEL GENERsTOR CP1 MEDGEE-02 FAILS AFTER FIRST HOUR OF OPERATION 5.77E 02 EPSEGA03fM nlESEL 1EG1 JNAVAILABLE DUE TO TEST / MAINTENANCE 1.49E 02 X3RFB110 0FFSITE POWER WON Rl:COVERY FACTOR 1.99E 01 EP0GRUN1 OPERATOR FAILS TO RECOVER A DIESEL GENERATOR THAT HAS f\llED TO RU 2.50E 01 Train A diesel generator is out for maintenance. A Loss of offsite power occurs and train B diesel f alls to rm. The TDAFWP is mavailable due to latent error. A small seal LOCA is induced. The operators are unable to recover offsite power or train B diesel. With a smelt LOCA and no ECCS, the core is eventustly uncovered.

5) M3 LOSS OF ALL OFFF1TE POWER INITIATING EVEdf FREQUENCY 3.50E 02 2.27E 08 S$FSMALL2 PROBABILITY THA) LOCA 15 SMALL AFTER FAILUkE OF SECONDARY HEAT REM ".60E 01 AFCPTPTD01FX TDAFWP TRAIN UNAVAILABLE CUE TO LATENT HlMAN ERROR 200E 02 EPADGGEE01FW DIESEL GENERATOR CP1 MEDGE! 01 FAILS AFTER FIRST HOUR OF OPERATION 5.77E 02 EPSEG803fM DIESEL 1EG2 UNAVAILABLE DUE TO TEST / MAINTENANCE 1.49E-02 X3RFB110 0FFSITE POWER NON RECOVERY FACTOR 1.99E 01 EP0GRUN1 OPERATOR FAILS TO RECOVER A DIESEL GENE. ATOR THAT MAS FAILED To RU 2.50E 01 Train B dieset generator is out for maintenance. A Loss of of fsite p)wer occurs and train A dieset f alls to rm. The TDAFWP la unuallable che to latent error. A smatt seat LOCA is induced. The operators are unable to recover offsite power ce train B diesei. With a small LOCA and no ECCS, the core is eventually uncovered.

3-251 i

13. #ATCM3 - Transient with Electrical ATWS, Successful Turbine Trip, Failure of Remote Manual g Trip, Failure of Main Feedwater, and Failure Due to MRI, AF, PORV, or Time in Life Combination [1.4E-06, 2 %)

4 la this sequence, an initiating event that requires a resctor trip occurs, but the reactor does not trip due to electrical failures of the trip system. The turbine does trip. The operators either fail, or are unable to trip the reactor from the control room. Main feedwater is unavailable. The combination of failure in Manual Rod Insertion (MRI), failure of Auxiliary Feedwater (AF), failure of the pressurizer Power Operated Relief Valves (PORVs), or time in core life (which dictates Moderator Temperature Coefficient) leads to RCS overpressurization, and assumed core damage.

1) 21 LOSS OF DC BUS 1ED1 3.35E 02 1.0BE 07 ESS$8CCF01C2 CCF of REACTOR TRIP BREAKER 8.80E 05 UET5 CORE LIFE UNFAVORABLE WITH HAFW, MRI,1 PORV 3.66E 02 A Loss of 1E DC bus 1ED1 Leeds to a trenthnt requiring a trip, and disables Train A PORV and MDAFWP A. The reactor trip breakers f all to open due 40 common cause. The time in core Life is unfavorable and the RCS pressure excursion exceeds 3200 psia.

2) 21 LOSS OF DC BUS 1ED1 3.35E 02 9.76E-08 AFCPTPTD01NN TURBlWE DRIVEN PUMP CP1 AFAPTD 01 FAILS TO START 3.31E 02 ES$$8CCF01C2 CCF of REACTOR TRIP BREAKER 8.80E-05 A toss of 1E DC bus 1[D1 teads to a transient requiring a trip, and disables Train A PORY and MDAFWI A. The reactor trip breakers f all to open owe to comon cause and the TDAFWa falls to start. The RCS pressure excursion exceeds 3200 pale,

3) 21 LOSS OF DC BUS 1ED1 3.35E 02 7.29E 08 AFCPTP1001FN TURBlNE DRIVEN PUMP CP1 AFAPTD 01 FAILS DURING OPFRATION 2.478*02 ES$$8CCF01C2 CCF of REACTOR TRIP BREAKER 8.80E-05 A loss of 1E DC bus 1ED1 leads to a transient requiring a trip, and disables Train A PORV and MDAFWP A. The reactor trip breakers f all to open due to comon cause and the TDAFWP fr 'ts to rm. The RCS pressure excursion exceeds 3200 psia.

4) %T6 LOSS OF MFW NO MFW AVAIL. INIT. EVENT FREQUENCT 1.00E+00< 7.13E 08 AFCPTPTD01NN TURBINE DRIVEN PUMP CP1 AFAPTD 01 FAILS TO START 3.31E 02 AFSEGB2 MDAFWP TRAIN 8 FAILS 2.45E-02 ESSSBCCF01C2 CCF of REACTOR TRIP BREAKER 8.80E 05 A loss of main feedwater requires a reactor trip. The trip breakers f all to open due to comon cause. The turbine driven AF ptrp f alls to start, and the train B motor driven AF purp f alls to start or rm. The RCS presrure excursion exceeds 3200 psia.

5) %T6 LOIS OF MFW NO MFW AVAIL. INIT. EVENT FREc'a n t 1.00E+00< 7.13E 08 AFCPYP1001NN TURBINE DRIVEN PUMP CP1 AFAPTD 01 FAILS TO START 3.31E-02 AFSECA2 MDAFWP TRAIN A FAILS 2.45E 02 ESSSBCCF01C2 CCF of REACTOR TRIP BREAKER 8.80E 05 A Loss of main feerNeter requires a reactor trip. The trip breakers f ait to open due tu comnuan cause. The turbine, driven AF purg f alle to start, and the train B motor driven AF purp def ts to start or rm. The RCS pressure excursion exceeds 3200 psia.

14. #IMCM2 - Transient leads to Opening of Pressurizer SRV with failure to Reclose, and ECCS failure on injection [1.2E-06, 2%)

3-252

After a transient induces a pressure excursion in the RCS. He PORVs fail to open and the SRVs must mitigate the pressure excursion. They fail to reclose, leading to a > 2" LOCA. He ECCS system fails at injection. He cutset which dominates this sequence is: ,

1) %X3 LOSS OF Att OFFSITE POWER INIT!AT14G E%ENT FREQUENCY 3,s0E-02 3.06E 07 EPCCFT CCF OF 1EA1 AND 1EA2 AFTER BOS 1.48E-03 4 EPUNIT2 ALT UNIT 2 ALTERNATE POWER SOURCE UNAVAILABLE 1.00E+00 EPUPSNVACFAI FLAG INDICATING FAILURE OF UPS NVAC 1.00E+00

. RCSECC4 ANY SRV FAILS 10 RECLOSE AFTER ALL HAVE OPENED TO RELIFYF. PRES $URE 2.97E 02 K3RFE110 LOSS OF OFFSITE POWER kON RECOVERY FACTOR 1.99E 01 Af ter a ions of of fsite power, both trains of electric pcwer are unavailable due to cann on cause. This loss of power leads to the unavailability of the PORVs. The RCS pressure excursion leads to

opening of one or more SRVs. One falls to close leading to a LOCA. The operators are unable to

recover offsite power prior to core mcovery.: 15. fr6CM2 - Loss of Main Feedwater, Failure of AF, and Failure of Bleed and Feed Cooling

[1.1E-06, 2 %] After a Loss of Main Feedwater, the AF system is unavailable due primarily to loss of room i cooling to the motor driven AF pumps, combined with unavailability of the TDAFWP. He same support systems lead to the unavailability of the equipment associated with bleed and feed. he three dominant cutsets in this sequence are: 1

1) %T6 .0$$ OF MFW No MFW AVAILABLE INITIATING EVENT FREQUENCY 1.29E+00 3.71E 08 AFCPTPTD01FX idAFWP TRAIN UNAVAILABLE DUE TO LATENT NUMAN ERROR 2.00E 02 AFRMCLRAlWM PROBABILITY THAT TRAIN A PCAFWP FAILS ON LOSS OF ROOM COOLING 2.95E 01 AFRMCLRSINN PR06Ai!LITT THAT TRAIN B MDAFWP FAILS ON LOSS OF ROOM C00 LING 3.56E 01 CCSEGB1 CC PUMP filAIN 8 FAILS 8.59E 04 EPBATTDEPL TAG INDICATING DEPLETION OF BATTERIES At 4 HOURS 1.00F+09
EPUPS: lVACFAI FLAG INDICATING FAILURE OF UPS MVAC 1.00E+00 SWSECA1TM SW PUMP TRAIN A UNAVAILABLE DUE TO TEST / MAINTENANCE 1.60E 02 A loss of main feedwater leads to a plant trip. The TDAFWP is unavailable Cbe to latent error.

Train A service water was out for maintenance and train B CC pum f ailed. This leads to a loss of room cwling for both motor driven AF pups, and they f all. Additionally, loss of UPS HVAC Leads to i f ailure of the battery chargers. The batteries deplete and the ECCS pums cannot be started. Therefore Bleed and feed is unavailable. The RCS inventory eventually bolts off, and the core mcovers. 1 1 3-253

                                                                -                             gw -        y           .

           =   . -._            ..           --        , .          -           -
                                                                                        - -               ~        .,              - .-.         -       ~

l 1

2) IT6 10$$ OF MFW No hfW AVAILABLE INITIATING EVENT FREQUENCY 1.29E+00 3.2iE 08-1 ~ AFCPTPTD01FX TDAFWP TRAIN UNAVAILABLE DUE TO LATENT HUMAN ERROR 2.00E 02 AFRMCLRAINN PR08 ABILITY THAT TRAIN A MD/.FWP FAILS ON *.0$$ OF ROOM COOLING 2.95E-01 l AFRMCLRBlWH PROSABILITT THAT TRAIN.B W AFWP FAILS ON LOSS OF ROOM COOLING 3.56E 01 j CCSEGA1 CC PUMP TRAlW A FAILS- 1.38E 02 CCSEG81 CC PUMP TRAIN I FAILS 8.59E 04 EPSATTDEPL TAG INDICATIMG DEPLETION OF SATTERIES AT 4 HOURS .1.00E+00

,        EPUPSHtACFAI         FU.J INDICATING FAILURE OF UPS NVAC                                        1.00E+00 i                 A loss of mein feedwater Leeds to a plant trip. The TDAFWP is unavailable dJe to latent err 9r.

Train B Cc ptmp f alted, and Train A CC ptap f ailed to start or run. This leads to a loss of room cooline for both aiotor driven AF ptmps, and they fall. Additionally, loss of UPS HVAC leads to failure of the battery chargers. The betterles deplete and the ECCS pumps cannot be started. Therefore Bleed ard Feed is unavailable. The RCS Inventory eventually bolts of f, and the care uncovers. 4

3) %T6 LDSS OF MFW - NO MFW AVAILABLE INITIATING EVENT FREQUENCY 1.29E+00 2.75E 08 AFCPTPTD01FW TURBINE DRIVEN PUMP CP1-AFAPTD 01 FAILS DURING OPERAfl0N 2.47E 02 1 AFRMCLRAINN PR08 ABILITY THAT TRAIN A pcAFWP FAILS C* LOSS OF ROOM COOLING 2.95E 01 AFRMCLRSINN PROSABILITT INAT TRAlu B pcAFWP FAILS ON LoS3 0F ROOM COOLING 3.56E 01

2. CCSECB1 CC PUMP TRAIN B FAILS .

8.59E 04 4 EPSATTDEPL TAG INDICATING DEPLETt0N OF SATTERIES AT 4 NOURS 1.00E+00 EPUPSWVACFAI FLAG INDICATING rAILUWE OF UPS NVAC 1.00E+00 SWSEGA1TM - SW Pump TRAIN A UNAVAILABLE DUE TO TEST / MAINTENANCE 1.60E 02 3 TDPUMPRUN OPERATORS Fall TO RECOVER THE TDAFWP WHEN IT MAS FAILED TO RUN 6.00E 01 l A tot.s of main feedwater leads to a plant trip. The TDAFWP falls to run, and the operators are mable to restart it. Train A service water was out for maintenance and train I CC pump f alted. This leads to a toss of room cooling for both motor delven AF pumps, ard they f all. Additionally, , loss of UPS HVAC teads to failure of the battery chargers. The batterles deplete and the ECCS puups cannot be started. Therefore Bleed and Feed is mavailable. The RCS inventory eventually bolts of f, and the core tricovers. l 3.4.3 Decay Heat Remova! Evaluation The purpose of this section of the report is to provide a discussion of the results of the evaluation of the ]

de:ay heat removal (DHR) function for CPSES. The NRC staff resolved USI A 45 by subsuming it into the IPE (Ref. 28 and 29). This action requested that all llCensees identify any vulnerabilities in DHR systems. NRC report NUREG-1289 (Ref. 27) states that the program objectives are to:

Evaluate the adequacy of DHR systems.

o Determine the benefit of providirig alternative means of DHR. I o Assess the cost and benefit of alternative measures. l This evaluation was completed for CPSES as discussed below. The evaluation demonstrates that there are no plant specific vulnerabilities to loss of the decay heat removal function for CPSES. 4 4 3-254 a 4 i 4

                                                 - -         e ,-.e     , - , -    --e   .-e, .w.,.e ,n     ..wp,-    , - + , - , n      e , , ,,,.,p+ c

The reporting criteria for DliR vuinerabilities are based on:

The set of accident initiators and sequences applicable to D11R risk as specified in NUREG-1289 and the case studies (Ref. 30 and 31).
The core damage frequency reporting criteria specified in NUREG-1335 for functional accident sequeners.

Section 4.2.2.1 of NUREG-1289 states in part:

        "...for purposes of the resolution of USl A-45, a limited-scope PRA is defined as one that considers at least the following initiating events:

Small LOCAs,
Loss-of-offsite-power transients,
Transients caused by loss of the Power Conversion system,
Transients with offsite power and power conversion systems initially available,
Transients caused by the loss of an AC or OC bus.

The following initiating events are not includec in the limited-scop PRA as defined here:

Large and Medium LOCAs
Reactor Vessel Ruptures
Interfacing System LOCAs
Anticipated Transients Without SCRAM
Steam Generator Tube Ruptures
Special Emergencies [ External Events]."

In addition, NUREG-1289 indicated that the pressurized thermal shock issue is to be excluded. NUREG/CR-4458 was also reviewed to determine what size pipe-break LOCAs and transient-induced LOCAs from PORV and SRV openings were to be included in the analysis.' NUREG/CR-4458 was selected mainly because CPSES is a Westinghouse PWR and is similar in design and accident initiators to Point Beach. In that report, a small LOCA was defined as a break less than 2 inches in diameter. 3-255

nerefore, it was logical to conchde that the DHR vulnerability study need only consider small LOCAs of two inches or less in diameter. On the other hand, the CPSES IPE study included transient-induced LOCAs involving stuck-open PORVs and SRW in the Small Break and Medium Break LOCA categories. Consequently, despite the fact that CPSES IPE analysis binned diese scenarios with LOCAs greater than two-inches diameter, they were all included in the DHR evaluations. In other words, Very Small Break LOCAs and the prtions of Small Break LOCAs ar.d Medium Break LOCAs that were caused by a transient-induced stuck-open PORVs or SRVs were considered in the CPSES DHR analysis. The folicwing initiating events wns included in the DHR evaluation for CPSES:

Reactor Trip
RCS Overpressurization J
Inadvertent Safety injection Signal Actuation
Main Steam Line Break Loss of Main Feedwater - Main Feedwater tJnavailable
Loss of a 125VDC Safeguards Bus
Loss of HVAC
Loss of All Offsite Power
Loss of a Non-Vital Bus
Loss of the Protection Channel IPCI
Loss of Component Cooling Water
Loss of Station Service Water
Loss ofinstrument Air
Very Small Break LOCA
Loss of Condenser Vacuum Induced LOCA (portion caused by PORVs and SRVs only)

Small Break LOCA (portion caused by PO9Vs only) Medium Break LOCA (portion caused by SRV only) The following initi; ting events were not included in the DHR evaluation for CPSES:

Large Break LOCA 3-256

i

Medium Break LOCA (except incloded portion caused by SRV)
Small Bresk LOCA (except included portion caused by PORV)
Steam Generator Tube Rupture
Anticipated Transient Without Scram (ATWS) i In the NUREG/CR-4458 study, the Reactor Coolant Pump (RCP) seal LOCAs were not modeled.

Therefore, RCP seal LOCAs were excluded from the CPSES DHR analysis. The IPE results were reviewed for decay heat vulnerabilities. Each sequence with a frequency of IE4 or greater (after removing excluded initiators) was reviewed individurdly. De results are as follow:

   *       #VSCM1 - 3.33E4 - VSBLOCA with successful establishment of ECCS ud AF, but failure to establish recirculation.

This sequence is dominated by the dynamic error in realigning the suction of the ECCS pumps from the RWST to the containment sump.

rrlCM2 - 2.19E4 - General Transient with failure of AF, successful establishment of Bleal and Feed Cooling, bat failure to establish recirculation.

4 This sequence is comprised of many low probability combinations of equipment failures that lead to loss of the support systems. He top cutset has a probability of 8.33EG.

    *      #X3CM2 - 2.13E Loss of offsite power with failure of AF and failure to establish Bleed and Feed Cooling.

This sequence is dominated by station blackouts, with failures of the Turbine Driven Auxiliary Feedwater Pump. 3-257

EQ.41 - 1.53EE - SBLOCA with successful establishment of ECCS, but failure to establish recirculation.

       -        His sequence is dominated by the dynamic error in iealigning the suction of the ECCS pumps from the RWST ta the containment surnp.

#ISCM2X3 - 1.47Ef4 - Loss of offsite power induces a LOCA through a stuck open PORV, ECCS faib u. .ajecion.

This sequence is dominated by a station blackout. The sum of these cutsets is 1.58E-05. Excluding the dynamic action to realign to recirculation yields a frequency of JR-05 A review of the cutsets and the above results indicates that ;here is no specific vulnerability to a loss of DHR capability at CPSES. 3.4.4 ILSI and GSI Screening Unresolved Safety Issue (USI) USI A-45 entitled " Shutdown Decay Heat Removal Requirements" is the only USI that was specifically addre' sed in the CFSES IPE study. Based on the IPE results and a sensitivity analysis performed to examine the CPSES decay heat removal capability, it was concluded that no decay heat removal vulnerabilities exist at CPSES. In general, it was cc.icluded that no vulnerabilities exist at CPSES. This could imply that no vulnerabilities associated with any other outstanding Sresolved Safety Issues or Generic Safety Issues exist at CPSES. 3-258

4 BACK-END ANALYSIS - he back-end analysis is an evaluation of the containment performance in light of the results from the front-end, or systems, analysis. This analysis is nearing completion and will be reported separately by no later than October 31,1992. 4-1

i

5. UTILITY PARTICIPATION AND INTERNAL REVIEW TEAM This section provides a discussion of the makeup of the IPE team and the independent review teams that participated in the study. A discussion of the scope of the internal and external reviews is provided. The major areas of review and the major comments resultlog from the various reviews are discussed as well their resolution.

 ,- 5.1      IPE Procram Orcanization i

The IPE effort was in!t ated in early 1989. The first objective was to form a strong in-house IPE team in order to maximize the benefits gained from IPE insights, and to utilize them toward future safety - enhancement of CPSES Units I and 2. With that in mind, the IPE team members were select.d based on the individual's knowledge of PRA techniques, familiarity with the Comanche Peak plant and system design and, finally, knowledge of plant operating behavior under normal and accident conditions. The 'I1) Electric IPE team consisted of a project manager and five analysts. Each team member has unique technical expertise which provides the knowledge required for implementing all phases of IPE. Their qualification are summarized below. Hossein Hamzehee has over eleven years of experience in PRA, reliability / availability

             -improvement, systems analysis anr1 plant operation. As a consultant, he was previously involved in tne development of three other full-scope PRAs. He holds an M.S. and D.S degree in Mechanica: Engineering. He is also a registered professional engineer in the State of Texas.

Hossein was responsible for overall project management. Chris Cragg is a certified SRO and has over six years of experience in plant operation and PRA. He holds a B.S. degree in Nuclear Engineering. Chris was responsible for accident sequence analysis and quantification, human reliability analysis, and development of select system models. Hugo DaSilva has 16 years of experience in nuclear enginaring thermal-hydraulic and severe accidents analysis. He is the company representative for the MAAP users group. He was also 5-1 h .. . . .. .

                                                                                               . . . . .   .    . . _3

1 one of the founders of the MAAP Users group. Ile holds a Ph.D in Nuclear Engineering, an

M.S. and a B.S. degree in Mechanical Engineering. Dr. DaSilva was responsible for the entire back-end analysis t

Reid Lettie has over 10 years of experience in design engineering, start-up engineering and systems engineering He holds a D.S. degree in Electrical Engineering and is a registered professional engineer in the State of Texas. Reid was responsible for n'odeling all of the electric

power systems.

Yu Shen has 5 years of experience in reliability analysis, statistical modeling and data base

j. development for nuclear power plants and space launch vehicles. He has a Ph.D degree in Applied Science. Dr. Snen was responsible for data analysis, and for select system modeling.

}

Dan Tirsun has 12 ye:rs of experience in design engineering, systems engineering and PRA. He holds a B.S. degree in Nuclear Engineering and is a registered professional engineer in the State of Texas. Dan was responsible for development of select system raodels, internal flooding analysis, and the interfacing system LOCA analyis.

W After the formation of the IPE team, a detailed program elan was developed by the IPE project manager. The program plan was then independently reviewed by consultants. .Following the completion of the h lependent review, the IPE program plan was reviewed and clearly understocJ by each IPE team member. The implementation efforts were then initiated. As mertioned earlier, the TU Electric staff was fully involved in all aspects of the IPE study. Over 90% of the total implementation and analysis

work was done by the in-house staff. Consultants were used primarily for highly specialized areas such as human reliability analysis, internal flooding analysis, back-end analysis and independer.t review where 4

the outside support would be most effective and helpful. It should be pointed out that even those highly specialized tasks were performed by the in-house staff but, under the direction and guidance of the consultants. 4 5-2 4

                                     ,w                              ,                   n ,.   ,                      . . . , , , . . -

5.2 Camposition of Indeoendent Review Team To ensure a high-quality product and to provide quality control to the IPE process, TU Electric selected two types of independent review, an internal independent review and an external independent review. Both reviews were applied to the entire examination process except when it was not pos;ible due to the availability of resources or required skills and expertise. In those few cases, as a minimum, each task went through either internal or external independent review. Each review process is described below. 4 Internal Review 4 Generally, every IPE-related analysis was reviewed by one of the IPE ter.m members other thr.n the original analyst. In addition, depending on the type of the analysis, the analysis was also reviewed by a plant staff member not invcived in the development of the IPE. For instance, each system analysis notebook was reviewed by an independent IPE team member. In addition, selected Sa,ctions of that system notebook (e.g., system information, system flow diagrams, system operations, bound.ry conditiens and modeling assumptions, maintenaace and surveilluce tasks, operator interfaces) were then independently reviewed by the system engineer fiom Plant Engineering. The accident sequence analysis 3 notebook was also independently reviewed. In addition, selected segments of the notebook, sudi as the event tree logic and modeling assumptions, were discussed with SROs from Operations. Funhermore, TU Electric management was kept fully informed of the interim results of the, examination. This was accomplished by periodic meetings called "lPE Management Review Meetings" which were held when najor progress was made or preliminary results were obtained. Typically, the following organizations assigned a representative manager to attend each of these meetings:

Operations
Design Engineering-
Plant Engineering l
Reactor Engineermg
Licensing
T raining 5-3

5 These meetings also served u a vehicie to rev!ew the results and to identify any possible improvements that could potentially reduce total core damage frequency. Exterra Review Exteraal reviews, herein, refer to those independent reviews that were performed by consultants. De overallIPE program plan was independently reviewed by Westinghouse. After the completion of each task and internal review, it was thoroughly r".:ewed by Science Applications International Company (SAIC), except the human reliability analysis ..v1 internal flooding analysis tasks. Accident Prevention Group (APG) was selected as the consultant to provide technical guidance and to review the human reliaollity analysis task. Since this task required more skFis and expertite, TU Electric utilized APG in the development and analysis actbities in addition to the review efforts. he internal flooding analysis 7 task was independently teviewed by ERIN Engineering. In addition, ERIN provided technical guidance on the internal flooding analysis. The final independent review was performed after the IPE study was completed and final quan*ification results were obtainul. A team of PRA experts was selected to iridependently rrziew the entite IPE study i and its supporting analyses. He independent review team consisted oE , embers of die followinF organizations:

PLG, Inc.
ERIN Engineering
FRH, Inc.
Baltimore Gas and Electric

The review team spent about one week at the TU Electric office- mhere documents, procedures and all i

the required supporting analyses were available for use. Overall, the review team concluded that the IPE study was very comprehensive, well documented and technically sound. Their major comments are discussed in the following section. i 1 5-4 1 1 1

                                                                                                                    'l
                                                                    ._                    m   y      ..-,     , -,.

5.3 Areas Of Review and Maior Comments All of the review comments provided by internal and external reviewers were documented and kept with the corresponding, nc.ebooks. The responses to the comments were also documented in the review

comment sheets.

System Models The IPE system nxxlels received two levels of internal review, one by an IPE team member and one by a plant system engineer, and two levels of external review, he internal review by an IPE team member was the initial review upon completion of the system study by the analyst. His review was a line-by-line check of each section of the notebook to ensure that the ; t technicai eg- 4 he :;iudy were correct. Items such as system ftmetions, succen criteria, component information, operator interface and fault tree logic were reviewed. Since this was the first review 6 a notebooks, most of the commer.ts called for. adding, deleting or correcting information. No major comments were noted. After the initial review by the IPE team members, the system medels were reviewed by a consultant. The same review criteria were uced as with the internal review, although this review was at a higher level and somewhat more independent. A number of comments were made during this review that improved the quality and credibility of the system models. The following is a list that summarizes some of the more significant comments: Many of the comments dealt with the need to clarify assumptions or to add assumptions to the system models. These comments had an overall impact of incrcasing the quality of the documentation of the finished product. A number of comments dealt with common cause failure analysis, such as, how more than two components were treated, or how to identify individual components within a common cause failure segment. 5-5 k Mn. - - _ _ _ _ _ - - . _ _ _ _ - . _ - - - _ _ . . . _ - - - - . - . - _ . - - _ - - - .-

A comment was made to include the non-class 1E power supplies in the models. Originally the non-lE power supplies had not been modeled.
In some cases, the comments were directe.d r. removing excess conservatism from the models.

For example, latent human error was removed from the fault trees in cases where multiple tank level alarms are available in the control room. ]

In other cases, comments resulted in adding equipment to the system models. As an example, in the electric power system, the protective relaying for the slow transfer of the 6.9kv safeguards busses was added to the model.

Some comments resulted in time savings in the overall IPE process. For example, in the containment spray model, the fault tree was originally constructed with recirculation and injection modes in one fault tree. The comment was made to break up the fault tree into two fault trees, one for injection and one br recirculation mode. This was done during the systems analysis phase. As a result of these external comments and additional analysis, inhibit gates were added to the models for room cooling for electric power and the safeguards pump rooms. Inhibit gates were also added to the lube oil coolers for the safety injection and CS pumps. This allows for the fact that this equipment will survive for some time without room cooling and keeps these systenu from having an artificially high contribution to core damage. 4 The internal review by the plant system engineers was conducted to ensure that the system configuration, assumptions and component information used in the model were correct. The system engineers are exposed to the day today operation of systems and have extensive knowledge of preventive maintenance activities and the as-buiit configuration. Many of their comments resulted in changes to the system models that improved the accuracy of the models but had insignificant impact on the results. The following is a list which summarizes some of the more significant comments given by the system engineers: 54 l 1

               . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - - -                                                         U

The system engineers commented that corrective maintenance durations appear to be low and that their experience shows that corrective maintenance could take longer in some cases. It was explained that the analysis is based on generic data because of the limited operating data for CPSES. This generic data takes into account all corrective maintenance durations, some being extremely long and others short.
RCP seals are planned to be upgraded with cartridge assemblies and high temperature o-rings. This will reduce the frequency of induced-LOCAs due to seal failures.
Equipment survivability is greater than shown in the system models. For example, the service water pumps can operate for a short time without bearing cooling because the first stage in-leakage will provide some cooling.
The systems engineers for the circulating water and the service water systems stated that the designs of the intake structures are such that it is unlikely for the screened intakes to clog.

In general, the overall camments by the system engineers provide confidence that the system models are complete and technically correct and that they represent the actual plant design and system configurations. After the study was completed, as a fimal check of the methodology and quality of the CPSES IPE, a week long independent review was performed by a team of consultants who are specialist in the field of PRA. This one week review covered all of the documentation generated for the IPE study including te. systems models, his was a general review of the systems analyses to determine if they would meet the requirements of the IPE submittal. The majority of comments by the consultants dealt with accident sequence quantification, flooding analysis and hum:m interaction. In summary, it can be concluded from these reviews that systems, functions and operator actions were well modeled, and that the IPE team understands the models and has properly documented them. 5-7 l l l l l , L. .. - _

.a

Human Reliability Analysis GIRA) The Human Reliability Analysis received two levels of external review, De first was a detailed review by a consultant working with the HRA analyst, and the second was an overall review conducted during the one week independent IPE review. The following is a summary of the first level of review of the 3 HRA analysis:

Overall the screening values appeared to be less conservative than desired. A comparison was performed of the range and distribution of the Human Interaction (HI) against diaributions from several EPR: sources. It was recommended that the di:tribution be adjusted.
Although each individual train had HI values associated with it, common cause contributions in the case of multiple, redundant trains were not considered. It was

recommended that these contributions be considered in the study.

i Accident Seauence Analysis and Ouantification Two levels of signature review were performed for the accident sequences. De normal internal review was performed by a reviewer who was knowledgeable in 6 is area and the notebcok was reviewed and-signed by a second reviewer. A number of comments made by these reviewers pointed out inconsistencies in the naming of events between the event tree and the combined event top logic. None of the comments by themselves was considered major. The accident sequences and quantification results were also reviewed by the independent review team during the one week revi;w. Listed below is a summary of the major comments: The truncation limit for quantification should be reduced to assure that all important cutset types are considered and to improve the accuracy of the determination of core damage frequency. 5-8 j l i 1

          <       Re. SGTR event tree should be modified to include a " falls to depressurke" ten event.

This is included in other PRAs.

A justification for assured cooldown for the Very Small LOCA event tree shou ld be provided.
A more detailed support system matrix should be provided with the report.
TL $br' :ated set of scenarios should be supplemented with information regarding those scenarios that are "normally" considered but that do not appear explicitly in the model.

The small event tree model needs event sequence diagrams that record each scenario and what happened to it to assist the reviewer in understanding the overall modeling. I Initiating Event Analysis The initiating events analysis received an internal signature review from a member of the IPE team and and external review during the one-week independent IPE review. No major comments were noted from i the internal review. . During the one-week review, the independent reviewers did not identify any errors (i.e., wrong modeling,

wrong data, omitted events), This indicates that the models are mature and well understood by the CPSES IPE team.

t 5.4 Resolution of Comments As discussed in section 5.3, a multi-level review was conducted to ensure the quality and technical accuracy of the dacumentation and results of the CPSES IPE study.' All of the review comments were addressed and documented. Responses to some of the more significant comments that were discussed in the previous section are described below. 5-9 l

Systems Analysis The miscellaneous comments provided by the internal reviewers (e.g., clarification, assumptions, conservatism, documentation, etc.) were evaluated and incorporated where appropriate in the system notebooks. Comments that were not incorporated were concurred with the reviewers. A separate section for common cause failure analysis was added to each system notebook to address questions that were raised by the reviewers. ne non-class IE power supplies were modeled and added to the electric power system model. The protective relaying for the slow transfer of the 6.9kV safeguard busses was also added to the electric power model. The fault tree model for the containment spray system was expanded to include the injection and recirculation modes separately, This facilitated the back-end analysis. The IPE study was performed based on the original design of the RCP Seals. However, a sensitivity analysis was done to roughly estimate the effect of the new, upgraded seals that may be installed in the near future. It was decided not to modify the system models to address the comments of the plant system engir.eers regarding the equipment survivability. The current system models are more conservative and consistent with the available information. The clogging of the screened intakes in circulating water and service water systems were assumed to be potential failure modes and no action was taken to exclude them. The current models are more conservative and consistent with other published PRAs. 5-10 t ,. . _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ . _ _ . _ _ _ _ _ _ _ _ - -]

Human Reliability Analysis GIRA)

The screening values associated with latent and dynamic human errors were increased in order to be more conservative.
He common cause contributions to human error probabilities disabling multiple redundant trains were considered in the analysis.

Accident Seauence Analysis & Ouanti6 cation ne miscellaneous comments provided by the internal reviewers were evaluated and incorporated where appropriate, Comments that were not incorporated were concurred with the reviewers, The comments provided by the external reviewers during their one-week review were incorporated, as judged necessary. The IPE models were modined accordingly and accident sequences were requantified to estimate the new accident sequence frequencies as well as total core damage frequency. 1 5-11

            .                                    ..    ,y., , m6 r--       - . - - -

6. PLANT IMPROVEMENTS AND UNIOUE S AFETY FEATURES -

ne perpose of this section of the repott is to provide a discussion of the plant improvements resulting from insights gained from the IPE, and to provide a discussion of any safety features unique to Comanche Peak Steam Electric Station. As part of the IPE, plant procedures were reviewed and evaluated to assure that appropriate plant specific operator responses wre ~msidered in the system models and recovery actions, in order to assure a high probability of success, several plant procedures were modified based on the IPE insights. These procedural modifications are summarized below: On loss of a support system to the Turbine Driven AF pump (TDAFWP), the valves fail open, and the pump goes to full flow, leading to steam generator overfill. This overfill leads to failure of the TDAFWP's turbine. Under Station Blackout conditions, the operators were explicitly instructed to locally manually throttle the flow control valves to the steam generators. However, they were not instructed to do this onder any other conditions. Since there were other cutsets that contained failure of the TDAFWP due to its support system failures, without a station blackout, the procedures were revised to provide explicit instructions to the operators to manually control the flow to the steam generators to prevent overfill. After a loss of CC, the ECCS system will successfully inject flow to the RCS on a LOCA, but is not capable of entering the recirculation phase if the RH heat exchanger is not available. The verification of recirculation capabil ty a the Emergency Response Guidelines did not explicitly instruct the operator to verify the availability of CC. The procedure has been revised to include - the verification of CC availability when checking for recirculation capability. Re seal injection flow to the RCP seals is attained by throttling down the normal injection flowpath to the RCS. This valve fails open on a loss of its support systems. This failure will starve a'l flow to the seals, sending it to the normal RCS charging flowpath. This procedure has been revised to instruct the operator to locally manually throttle the flow to normal charging in order to divert flow to the seals. 6-1

                                                                   - _ _ _ _ _                                i

r A

One safety chilled water train is normally in service, and one is in standby. Upon an auto-stut l of the Motor Driven Auxiliary Feedwater Pt.mps (MDAFWPs), the blower for the associated fan cooler starts. The procedures did not instruct the operators to -tart the standb> chiller, This leads to motor failure due to overheating. The procedure has been revised such that the operators are now instructed to start the non-running safety chilled water train upon auto-start of the auxiliary feedwater pumps.
Upon a loss of auxiliary feedwater, the operators are instructed to rectablish main feedwater.

The suggested flowpath contained manual valves that are closed at power. Therefore, an auxillary operator was to be dispatched to locally open these valves. If this flowpath was subseguntly found to be unavailable, the operators were to use a second flowpath tht could be aligned from the control room. A human reliability analysis was perfor.ned on the existing procedure and on a proposed modification to the procedure that consisted of reversing the order of flowpath restoration. The modified procedure was found to be more reliable and the procedure has since been revised to incorporate this change. 2 . The IPE results identified two additional areas for improvement in the area of plant design. As a result,

    .nges were recommended based on the IPE insights:                                                           )

There are two trains of CC per unit at CPSES. The units can be cross connected per design, via

normally locked closed valves. This feature had been removed and the piping was blank flanged during Unit 2 construction and was being considered for a permanent design change. After an ,

initial quantification, it was found that the availability of the cross connect was important to the reliability of the CC system, and the IPE staff recommended that the feature be retained. TU Electric plans to replace the RCP seals originally installed at CPSES with seals of a new design that will function in a high fluid temperature environment. Presently, two of the four Unit

;          I RCP seals have been modified, and the other two are scheduled to be inspected and evaluated in the 1992 or 1993 refueling outages. All four of the seals in Unit 2 are scheduled to be upgraded prior to initial startup. The IPE models are based on the characteristics of the original seals. Seal LOCAs contribute approximately 29% to the total core damage frequency, which is expected to decrease with the upgraded seals.

6-2 J

I Uniaue Plant Safety Features CPSES is a 4-Loop PWR with support systems designs similar to other Westinghouse Plants. However, five of the safety systems are unique and provide an additional safety margin. Hey are: Re Station Service Water system at Comanche Peak consists of two independent safety-related trains in each unit (a total of four trains). All of these trains are normally operating (for chemistry reasons). Additionally, the trains can be cross-con ected such that any pump can be aligned to either train in either unit. This provides high reliability of Station Service Water. Le Component Cooling Water (CC) system consists of two independent safety-related trains in each unit (a total of four trains). The trains in a unit are normally cross-connected, with one train operating and one in standby. The operating train provides heat removal for all operating CC cooled equipment. The trains can be cross-connected such that Unit 2 CC can provide cooling to Unit 1, and vice versa. This provides high reliability of Component Cooling Water. The electric power offsite Interface is made at two switchyards (138 and 345 kV). Th- 345 kV yard consists of two busses interfacing with the offsite transmission network via four transmission lines. Three of these lines transmit power in or out, but one is an outgoing feeder only. The 138 kV yard consists of avo busses interfacing with the offsite transmissic . network via two transmission lines. Any transmission line (except the outgoing feeder) in either yard can provide power to the safeguard busses. This level of redundancy provides for a highly reliable offsite power source. The auxiliary feedwater system consists of two independent motor-driven pumps and one turbine driven pump. Any one of these pumps can provide enough flow to remove decay heat. His redundancy and diversity makn the auxiliary feedwater system very reliable.

            - At CPSES, ECCS injection can be obtained from either the CCPs or SIPS. Both of these pumps have a high enough discharge head such that either is capable of injecting into the RCS while it is pressurized.- These pumps are physically separated (different buildings and elevatiens) which 6-3

1

                                                                                                                              'l F

is bene.ficial from a spatial interaction perspective. This redundancy and diversity provides for highly reliable high pressure safety injection. 4 4 f k ? 4 i I~ i k n h i i l N

7.

SUMMARY

AND CONCLUSIONS ne estimated total Core Damage Frequency (CDF) due to internd events for CPSES Unit 1 is 5.72E-05 events ;> wtor year, including Interr al : looding, ne IPE results demonstrate that there is no plant-specific w;actability at CPSES. The CDP profile by initiating event is relatively fiat. That is, the coro damage frequency is distributcd uniformly among initiating events and different sequence types. Therefore, no single plant improvement could be identified that would have a significant impact on the results. The CDF contribution by initiating event leading to core damage is shown in Table 71, and presented graphically in Figure 71. A discussion of the first six initiating events leading to core damage is provided below, ne CDF contribution by initiator type is shown in Figure 7 2. Station Blackout (SDO) [1.59E 05] is the anost significant contributor to the CDF, as expected. This is primarily due to the reliance of the RCP seals on cooling water, which requires electric oower, This postulated induced LOCA wou:d be caused by the unavailability of the same equipment t' sed in mitigation of the LOCA. induced Lx! LOCAs, from all initiators, contribute to 1.66E-05 events per year to the CDF. For Internal Flooding [1.29E 05), the most significant scenario is tne postulated flooding of the auxiliary building that is assumed to lead to failure of the safety chilled water system. His failure could lead to failure of the ECCS pumps and the motor driven AF pumps. The most significant sequences resulting from a Loss of Main Feedwatu [5.03E4] are from ATWS. He high generic initiating event frequency (1.29 events / year) and the fact that 1.oss of Main Feedwater is the initiating event lesd to a high rellaace on Auxiliary Feedwater. ( A General Transient '4.56E-06] could lead to core damag when combined with support system equipment failures. Rese poculated events could lead to failure of AF and concurrent f.'ure of bleed and feed. 71

                                                                                                      . . .. J

i l

ne Very Small Dreah LOCA [3.76E 06]' contributes to the CDF due to its stringer.t success a criteria, ne break size in the postu'ated scenario is sm!!! enough such that ECCS injection alone

!          does not provide sufficient heat removal, but large enough to eventually decouple the RCS from the steam generators, leading to a loss of secondary heat removal. Herefore, both are required for success.

Re Steam Generator Tube Rupture [3.54E4] contributes to the CDF because breakflow must

} be terminated by the c,.erators to consider the event to be stabillzed. Although this is r.ot a j difficult action, failure in this task is conservatively assumed to lead to core damage. 4 i 4 A comparison study of the bnit I and 2 differences and their bnpe on the IPE was comrieted. The differences le plant design and operation were reviewed and found to have insignifiwllmpact on the IPE models or it's resu!ts. l i Based on the IPE results and examination of CPSES decay heat removal capabilities, it.was concluded 4 that no decay heat removal vulnerabilities exist at CPSES Uma 1 and 2. Herefore, USI A 45 entitled

   " Shutdown Decay 11 eat Remm al Requirements" should be considered resolved for CPSES.

i i i i 72 i l t - __ ___

     . _ . _ . . _ _ _ _ _ _ _ . . _ _ _ _                             . _ _ . . . _ - . _ . . . = . . . _ _ _ . . _               _ . _ . _ . . _ _ . . _ _ . _ _ _ . _ _ _ _ _

I 4 i 1 l Table 71: CDF Contribution by initiator Initiating Event CDF Percent initiator Type Contribution Contribution i i LOOP 1.59L 05 27.9 LOOP

l i internal Flooding 1.29E-05 22.7 Internal Flood ,

LOMFW 5.03E 06 8.8 Transient 1 i Gen. Trans. 4.56E-06 8.0 Transient I VSBLOCA 3.76E-06 6.6 LOCA SGTR 3.54E 06 6.2 SGTR j LDLOCA 2.85E 06 5.0 LOCA

Loss of IEDI 2.17E-06 3.9 Transient I

i SBLOCA 1.65E 06 3.0 LOCA l 1 - MDLOCA 1.02E46 1.8 LOCA j 4 i Loss of CC 9.03E-07 1.6 Loss of Sup. Sys. ! Loss of CH 7.553-07 1.3 Loss of Sup. Sys. , Loss of SW 6.04E-07 1.1 Loss of Sup. Sys. 1 Loss of Cond. Vac. 5.84E-07 1.0 Transient l Excessive LOCA 2.66E-07 0.6 LOCA l ISLOCA 1.56E-07 0.3 - LOCA 4~ Loss of l Al 7.60E-08 0.13 Transient Inad. SI 5.96E4 0.09 Transient MSLB _ 5.48E-08 0.09 Transient Loss of IEC1 4.86E-08 0.08' Transient i .l [ 4 i 4 73 A

1 Figure 71: Core Damage Frequency by Initiating Event

                                                                                                                                                  )      10!! 01
                                                                                                                                           .      ?.*
                                                                                                                                         \               M N        s-N        /      E Tru; s                 s-r N                 s LTI 71 p                     r.-
                                                                                                                            \                     $ TXT3
                                                               ,                                                                                   s-j%
                                                                                                                         \                        /      WATuos01 l
                                                                                                                          \                       /.-

i N $ um i 'C g 1-7

                                                                                                                      \                           I BM s

N / MM s s-N N I ME x-l

                                                                                                                                                  /      MG s    -

i .s l- / ICI1 7) 1 e1 <- N / EM l N g' <-

                                                                    ,                N                                                             /     M BA i               s--                                                            ,.; .

_\ *fttJ1 W3 1-

                                                                                                                                             =~
                                                                                                                                                   !      Nh
                                                                            ;\                                                                      c l      \,                                                                       )    Pooli lu]

C c-k N, y , , , ( dXTl

                                                                        ~r     w                                              n                      en 4                              f W      W                                     W        $                     W 9

o. 9 9 9 7-4 l . . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _

Figure 7 2: Core Damage Frequency by Initiator Type a

a u J3 i. g, , w-F

                                           - ( ;,

h i- , n , i

                              'I.. --
                                                          ' j.

a\

          \     ,

e 5

               \a 7
                                                                 +%

a 7-5

1 i 8. EEFERENCES I

1. Pickard, Lowe, & Garrick, Inc.,

Database for Probabilistic Srfety Assessment of Light Water Nuclear Power Plants,' PLG4500, July 1989.

2. Fleming K. N., and A. M. Kalinowsik, "An Estesion of the Beta Factor Method to Systems

, with liigh Levels of Redundancy,' Pickard, Lowe and Garrick, Inc., PLG-0289, June 1983. l 3. Poucet, A., A. Amendola, and P. C. Cacciabue,

Summary of the Common Cause Failure Reliability Benchmark Exercise," Joint Research Centre Report, PER 1133/86,ispra, Italy, April j 1986.

4. TU Electric "IPE Generic Data Base,' RXE SY cpl!!430. Rev. 2.

a

5. Electric Power Research Institute, *CAFTA, Version 1.7,* prepared by Science Applications International Corporation,1987.

6. Westinghouse Electric Corporation, " Individual Plant Evaluation Methodology For Pressurized Water Reactors," IDCOR Technical Report 86.3A1, April 1987.

i 7. Nuclear Safety Analysis Center of the Electric Power Research Institute and Duke Power j Company, 'Oconee PRA: A Probat.llistic Risk Assessment of Oconee Unit 3,* NSAC 60, June . 1984.

8. Science ApplicationsInternational Corporation, 'Shearon liarris Generic Data Base,* Draft 1987.

9. U.S. Nuclear Regulatorv Commission, " Reactor Safety Study: An Assessment of Accident Risks in U.S. Nuclear Power Plants," WASH 1400, NUREG 75/014, October 1975.

10. " Losses of Off Site Power at U.S. Nuclear Power Plants Through 1990,* NSAC/166, April 1991,

11. TU Electric ' Support System initiators," RXE-SY-cpl /1024, Rey,1.

12. TU Electric 'liuman Reliability Analysis," RXE-SY-cpl /1-020, Rev. O.

13. TU Electric " Initiating Events Analysis," RXE-SY-cpl /1-003, Rev.1.

14. TU Electric ' Success Criteria Calculations & Interfaces," RXE SY-cpl /1-033, Rev. O.

15. TU Electric ' Response to T-il Questions from the IPE Accidut Sequence Model Development,'

RXE-TA cpl /0-023, Rev. O. 3

16. EPRI RP 320641, ' Systematic Human Action Reliability Procedure (SHARP) Enhancement

, Project, SHARPI Methodology Report," draft report, March 1992. 81

17. EPRI NP 6560 L, *A Iluman Reliability Analysis Approach Using Measurements for Individual Plant Examination,' 1984.

18. NUREG/CR 4772, " Accident Sequence Evaluation Program, Human Reliability Analysis Procedure," 1989,

19. NUS 4531,

Human Cognitive Reliability Model for PRA Analysis,
December 1984.

20. NUREG/CR 1278, ' Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," 1983.

21. NUREG/CR-4639, " Nuclear Computerized .abrary for Assessing Reactor Reliability (NUCLARR)."

22. EPRI RP 3206-0], 'Modeling of Recovery Actions in PRA's," Draft Report, January 1992.

23. EPRI NSAC 161, " Faulted Systems Recovery Experience," May 1992.

24. Richard Anoba, Mahmoud Helba, 'Off Site Power Non-Recovery Events Work Package," Project Document: 0649 60-01, Rev. O SAIC, January 1992.

25. NUREG/CR-5032, 'Modeling Time to Recovery and initiating Event Frequency for 1.oss of Off-site Power lucidents at Nuclear Power Plant ,* January 1988.

26. TU Electric,

Probability Analysis for Off Site Power Non Recovery Events,' RXE-SY-CP!/1-030, Rev. O.

27.

Regulatory and Backfit Analysis: Unresolved Safety Issue A 45, Shutdown Decay Heat Removal Requirements," U.S. Nuclear Regulatory Commission, NUREG 1289, November 1989. ,

28. Individual Plant Examination for Severe Accident Vulnerabilities: 10CFR50.54(f), U.S. Nuclear Regulatory Commission.

29. Individual Plant Examination: Submittal Guidance, Final Report, U.S. Nuclear Regulatory Commission, NUREG 1335, August 1989.

30. W. R. Crammond, D. M. Ericson and G. A. Sanders, " Shutdown Decay Heat Removal Analysis of a Westinghouse 2 Loop- Pressurized Water Reactor - Case Study," Sandia National Laboratories, NUREGICR-4458, March 1987.

31. W. R. Crammond, D. M. Ericson, Jr. and G.A. Sanders, " Shutdown Decay Heat Removal

Analysis of a Westinghouse 3-Loop Pressurized Water Reactor - Case Study,' Sandia National Laboratories, NUREG/CR-4762, March 1987.

32. TU Electric, 'CPSES Interfacing Systems LOCA Analysis," RXE-SY-cpl /1-026, Rev. O.

33. ' Individual Plant Examination for Severe Accident Vulnerabilities," NRC Generic Letter 88-20, November 23,1988.

8-2 l (; . _ _ _ . _ _ _ _ _ __. - , - - . - - -

I

34. TU Electric 'CPSES Unit 1 Fire Protection Report," Rev. 4 Fe ruary 15, 1991.

35. TU Electric

Fire Safe Shutdown Report for CPSES,* EPM-P257152-004, Rev.,4.

36. TU Electric, " Accident Sequence Analysis," RXE SY-cpl /013, Rev.1.

37. " Database For Probabilistic Risk Assessment Of Light Water Nuclear Power Plants," Pickard, Lowe and Garrick, Inc., PLG-0500, March 1990.

38. TU Electric ' Accident Sequence Quantification," RXE-SY cpl /022, Rev. O.

39. ' Individual Plant Examination: Submittal Guidance," NUREG 1335, Final Report, August 1989.

40. " International Flood Hazard Model," M. Kazarians and K.N. Fleming, ANS Transactions, Volume 45, p. 385,1983.

41. " Spatial Interaction Analysis in Probabilistic Risk Assessment," M. Kazarians and N. O. Slu, presented at the Intemstional ANS/ ENS Topical Meeting on Thermal Reactor Safety, San Diego, CA, February 2-6, 1986.

42. TU Electric, " Auxiliary Building - Flooding Analysis," CPE SI CA-0000453, Rev. 3. Appendix A.

43. TU Electric, " Safeguard #1 Building - Flooding Analysis," CPE-SI-CA400-662, Rev. 3, Appendix A.

l 44 TU Electric, " Internal Flooding Analysis," RXE SY-cpl /1-021, Rev. O. l 45. TU Electric, " Electrical and Control Building - Flooding Analysis,' Rev. 2, 8-3 ( _)}}

ML20114C610

Text

SUMMARY

3.4.2 Vuln6

SUMMARY

System Description

System Description

System Description

System Description

System Description

System Description

System Description

SUMMARY

Navigation menu

Search