ML20115B098

Site: Beaver Valley
Issue date: 10/01/1992
From: Kreslyon Fleming, Nass S, Richardson C, DETROIT EDISON CO.
Shared Package: ML20115B090
References: PRA-921001, NUDOCS 9210150275
Download: ML20115B098 (981)
BEAVER VALLEY UNIT 1
PROBABILISTIC RISK ASSESSMENT

PROJECT TEAM

Project Managers
  Stephen A. Nass (DLC)
  Karl N. Fleming (PLG)
  Carl O. Richardson (S&W)

Principal Investigators
  F. William Etzel (DLC)
  Sum T. Leung (DLC)

Senior Advisors
  (name illegible in source) (DLC)
  B. John Garrick (PLG)
  Richmond Gardner (S&W)

Other Key Contributors
  (one name illegible in source)
  Donald J. Wakefield
  James E. Metcalf
  Pak P. Seto
  James H. Moody
  Robert Matti
  Theresa A. Climak
  Grant A. Tinsley
  Phillip H. Spano
  R. Kenneth Deremer
  Ralph Surman (W)
  Wee Tee Loh
  Shobha B. Rao
Beaver Valley Power Station Unit 1, Revision 0
Probabilistic Risk Assessment

CHAPTER 1 EXECUTIVE SUMMARY
TABLE OF CONTENTS

Section  Title                                                                Page
1.1      Background and Objectives                                            1.1-1
1.2      Plant Familiarization                                                1.2-1
1.3      Overall Methodology                                                  1.3-1
1.4      Summary of Major Findings                                            1.4-1
1.4.1    Results of Core Damage Frequency                                     1.4-1
1.4.2    Contributors to Core Damage Frequency                                1.4-3
1.4.3    Results for Release Frequency                                        1.4-15
1.4.4    Contributors to Release Frequency                                    1.4-22
1.5      Important Operator Actions                                           1.5-1
1.6      Important Plant Hardware Characteristics for Core Damage Frequency   1.6-1
1.7      Important Plant Characteristics for Containment Performance          1.7-1
1.8      References                                                           1.8-1
CHAPTER 2 EXAMINATION DESCRIPTION
TABLE OF CONTENTS

Section  Title                                                                Page
2.1      Introduction                                                         2.1-1
2.2      Conformance with Generic Letter and Supporting Material              2.2-1
2.3      General Methodology                                                  2.3-1
2.3.1    Introduction                                                         2.3-1
2.3.2    Causes and Consequences of Failure                                   2.3-2
2.3.3    Methodology of Probability and Risk Assessment                       2.3-5
2.3.4    Summary                                                              2.3-14
2.4      Information Assembly                                                 2.4-1
2.4.1    Plant Layout and Containment Building Information                    2.4-1
2.4.2    Review of Other PRAs and Insights                                    2.4-1
2.4.3    Plant Documentation                                                  2.4-1
2.4.4    Walk-Through Activities                                              2.4-1
2.5      References                                                           2.5-1
CHAPTER 3 FRONT-END ANALYSIS
TABLE OF CONTENTS

Section  Title                                                                Page
3.1      Accident Sequence Delineation                                        3.1-1
3.1.1    Initiating Events                                                    3.1-5
3.1.2    Event Sequence Diagrams and Success Criteria                         3.1-16
3.1.3    Frontline Event Trees                                                3.1-54
3.1.4    Special Event Trees                                                  3.1-146
3.1.5    Support System Event Tree                                            3.1-155
3.1.6    Sequence Grouping and Back-End Interfaces (Plant Damage States)      3.1-165
3.2      System Analysis                                                      3.2-1
3.2.1    System Descriptions                                                  3.2-33
3.2.2    System Analysis                                                      3.2-128
3.2.3    System Dependencies                                                  3.2-149
3.3      Sequence Quantification                                              3.3-1
3.3.1    List of Generic Data                                                 3.3-1
3.3.2    Plant-Specific Data and Analysis                                     3.3-32
3.3.3    Human Failure Data                                                   3.3-91
3.3.4    Common Cause Failure Parameters                                      3.3-140
3.3.5    Quantification of Unavailability of Systems and Functions            3.3-161
3.3.6    Generation of Support System and Quantification of Their Probabilities  3.3-183
3.3.7    Quantification of Sequence Frequencies                               3.3-184
3.3.8    Internal Flooding Analysis                                           3.3-200
3.3.9    HVAC Dependent Failures                                              3.3-208
3.4      Results and Screening Process                                        3.4-1
3.4.0    Overview of Results and Contributors                                 3.4-1
3.4.1    Application of Generic Letter Screening Criteria                     3.4-5
3.4.2    Vulnerability Screening                                              3.4-36
3.4.3    Decay Heat Removal Evaluation                                        3.4-55
3.4.4    USI and GSI Screening                                                3.4-59
CHAPTER 4 BACK-END ANALYSIS
TABLE OF CONTENTS

Section  Title                                                                Page
4.1      Plant Data and Description                                           4.1-1
4.1.1    Comparison of Beaver Valley Unit 2 and Surry Unit 1                  4.1-1
4.1.2    Containment Walk-Through                                             4.1-2
4.1.3    Containment Systems Analyses                                         4.1-5
4.1.4    Equipment Survivability                                              4.1-6
4.2      Plant Models and Methods for Physical Processes                      4.2-1
4.2.1    Analogy to Surry                                                     4.2-1
4.2.2    Plant-Unique Analysis of Beaver Valley Unit 2                        4.2-1
4.2.3    Containment Response Issues                                          4.2-2
4.3      Bins and Plant Damage States                                         4.3-1
4.3.1    Selection of Plant Damage State Parameters                           4.3-1
4.3.2    Plant Damage State Definition                                        4.3-3
4.3.3    Comprehensive PDS Matrix for Beaver Valley Unit 1                    4.3-5
4.3.4    Condensed PDS Matrix for Beaver Valley Unit 1                        4.3-10
4.4      Containment Failure Characterization                                 4.4-1
4.4.1    Containment Design Comparison                                        4.4-1
4.4.2    Penetration Leakage                                                  4.4-2
4.4.3    RPV Support Failure                                                  4.4-3
4.4.4    Containment Failure Modes Associated with ATWS Events (Excessive LOCA)  4.4-3
4.5      Containment Event Tree                                               4.5-1
4.5.1    Containment Event Tree Logic                                         4.5-2
4.5.2    Description of CET Top Events                                        4.5-3
4.6      Accident Progression and CET Quantification                          4.6-1
4.6.1    Selection of Accident Sequences for Release Category Definition      4.6-1
4.6.2    Accident Progression Analysis                                        4.6-1
4.6.3    CET Quantification                                                   4.6-9
4.7      Radionuclide Release Categories                                      4.7-1
4.7.1    Release Category Definition                                          4.7-1
4.7.2    Release Category Source Terms                                        4.7-5
4.8      Back-End Results                                                     4.8-1
4.8.1    Release Category Group I (Large, Early Containment Failures and Bypasses)   4.8
4.8.2    Release Category Group II (Small, Early Containment Failures and Bypasses)  4.8
4.8.3    CET Split Fraction Importance                                        4.8-3
4.8.4    Sensitivity Study                                                    4.8-4
4.8.5    Release Category Group Uncertainties                                 4.8-6
CHAPTER 5 UTILITY PARTICIPATION AND INTERNAL REVIEW TEAM
TABLE OF CONTENTS

Section  Title                                                                Page
5.1      IPE Program Organization                                             5.1-1
5.2      Composition of Independent Review Team                               5.2-1
5.3      Areas of Review and Major Findings                                   5.3
5.4      Resolution of Comments                                               5.4-1
5.5      References                                                           5.5-1
CHAPTER 6 PLANT IMPROVEMENTS AND UNIQUE SAFETY FEATURES
TABLE OF CONTENTS

Section  Title                                                                Page
6.1      Introduction                                                         6.1-1
6.2      Beaver Valley Unit 1 Main Beneficial Features                        6.2-1
6.2.1    Beneficial Operator Actions                                          6.2-1
6.2.2    Beneficial Plant Hardware                                            6.2-1
6.2.3    Beneficial Containment Features                                      6.2-2
6.3      Beaver Valley 1 Vulnerabilities Identified and Potential Enhancement 6.3-1
6.3.1    Operator Actions                                                     6.3-1
6.3.2    Plant Hardware                                                       6.3-2
6.3.3    Containment                                                          6.3-3
6.4      Additional Operator Actions That Influence the Core Damage Frequency 6.4-1
6.4.1    Depressurize the Intact Steam Generators During a Steam Generator Tube Rupture
         Sequence or Small LOCA When, in Either Case, All High Head Safety Injection
         Is Failed                                                            6.4-1
6.4.2    Gag Closed a Failed-Open Steam Generator Safety Valve During a Steam Generator
         Tube Rupture Sequence                                                6.4-1
6.4.3    Manual Loading of Auxiliary River Water Pumps onto the Diesel Generators, Given
         Failure of Both River Water Pumps to Restart Following a Loss of Offsite Power  6.4-1
6.4.4    Terminate HHSI Prior to a Pressurizer PORV Challenge, Given an Inadvertent
         Safety Injection Signal                                              6.4-1
6.4.5    Realign HHSI Suction Flow Around Check Valve SI-27, Should It Fail To Open
         When HHSI Is Required to Pump Water from the RWST                    6.4-2
6.4.6    Open Cold Leg Alternate Injection Path for HHSI                      6.4-2
6.4.7    Manual Equipment Actuation, Given a LOCA with Failure of SI Actuation Relays  6.4-2
CHAPTER 7 SUMMARY AND CONCLUSIONS
TABLE OF CONTENTS

Section  Title                                                                Page
7        Summary and Conclusions                                              7-1
1 EXECUTIVE SUMMARY

1.1 BACKGROUND AND OBJECTIVES

A systematic safety assessment was performed for Beaver Valley Unit 1 using probabilistic risk assessment (PRA) technology. The purpose of the PRA was twofold: (1) to initiate a comprehensive risk management program, and (2) to satisfy the U.S. Nuclear Regulatory Commission (NRC) requirement for each plant in the U.S. to perform an individual plant examination (IPE). The PRA was performed by an integrated team of engineers and PRA specialists from Duquesne Light Company (DLC); Pickard, Lowe and Garrick, Inc. (PLG); and Stone & Webster Engineering Corporation (S&W). The overall objectives of the PRA program are to:

- Develop plant-specific Level 2 PRA models for Units 1 and 2 to support a comprehensive risk management program.
- Apply and develop generic and plant-specific PRA databases for initiating event frequencies, component failure rates, maintenance unavailabilities, common cause failure parameters, and human error rates.
- Develop point estimate and uncertainty distribution results for the frequency of core damage and a full spectrum of radioactive release categories for Units 1 and 2.
- Determine the underlying risk controlling factors and key sources of uncertainty in developing the risk estimates.
- Meet the NRC requirements for IPEs as set forth in NRC Generic Letter No. 88-20 (Reference 1-1) and NUREG-1335 (Reference 1-2).

The scope of the assessment is classified as a Level 2 PRA, in which the accident sequences are developed sufficiently to define a reasonably complete set of radioactive material release categories and a definition of the source terms for radioactive release. The scope of the initiating event coverage is currently limited to what are normally referred to as internal events and internal plant floods. However, the accident sequence models have been developed to facilitate future expansion to include a full treatment of external events. The purpose of this summary is to present the current results for the Level 2 PRA on Unit 1. These results include an estimate of the core damage frequency; a quantification of uncertainties in this estimate; and a delineation of the key plant states and release categories, as well as the sequences, systems, and sources of uncertainty that are driving the results. In addition, information is provided on the nature, timing, and magnitude of potential releases of radioactive material, based on the results of plant-specific analyses and NUREG-1150 results for Surry. The current results are based on plant-specific data collected and analyzed by DLC and reflect the plant configuration as of early 1988.
1.2 PLANT FAMILIARIZATION

DLC's lead systems analyst and PLG's principal investigator met at S&W offices and at the plant site early in the project. During this period, an intensive effort was made to collect plant information and documentation, and to interact with many engineers and operations personnel on questions and issues relating to plant behavior during abnormal conditions. The plant visits included a plant walk-through. Following these initial visits, several additional visits by PLG personnel were made to the plant to perform walk-throughs and inspections, and to describe PRA results and models. The major walk-throughs and plant visits included:

- A 2-day plant walk-through and inspection of DLC's detailed scale model facility in support of the internal flood analysis task. A Unit 1 operator and other DLC engineers participated.
- Two separate containment building walk-throughs (first Unit 2, and later Unit 1) in support of the back-end analysis.
- A 3-day meeting with DLC management, engineering, licensing, operations, and maintenance personnel to present qualitative evaluation results. This included preliminary initiating events, event sequence diagrams, system descriptions and success diagrams, and intersystem dependencies.
- Several multi-day meetings to discuss the draft of this report and to obtain input on the human reliability tasks from DLC operations and training personnel.

In addition to the above plant visits, several additional steps were taken to ensure adequate plant familiarization. Several PRA deliverables were reviewed by cognizant DLC/S&W engineering, licensing, operations, and training organizations to ensure that key assumptions about plant and system configurations, success criteria, procedural factors, and other plant-related factors were correct or reasonably justified. The DLC PRA team is located at the site and is very familiar with the plant. The PLG portion of the team has significant experience at similar plants, including Beaver Valley Unit 2, and participated in several walk-throughs.
1.3 OVERALL METHODOLOGY

The Beaver Valley Unit 1 PRA is founded on a scenario-based definition of risk. In this application, "risk" is defined as the answers to three basic questions:

1. What can go wrong?
2. What is the likelihood?
3. What are the consequences?

Question 1 is answered with a structured set of scenarios that is systematically developed to account for design and operating features specific to Beaver Valley. Question 2 is answered with a prediction or estimate of the frequency of occurrence of each scenario identified in the answer to question 1. Since there is uncertainty in that frequency, the full picture of likelihood is conveyed by a probability curve: a curve that conveys the state of knowledge, or confidence, about that frequency. The third question is answered in a Level 2 PRA with the key characteristics of radioactive material releases that could result from the scenarios identified. In a Level 3 analysis, offsite consequences such as public health effects and property damage are estimated for these releases. The results currently reported are for a Level 2 PRA.

A large fraction of the effort needed to complete a PRA is spent in the development of a model to define a reasonably complete set of accident sequences that is appropriate for the specific plant. An overview of the accident sequence model for Beaver Valley is presented in Figure 1-1. This model contains a very large number of different scenarios that are systematically developed from the point of initiation, on the left, to termination, on the right. A series of event trees is used to systematically identify the scenarios from the initiating events to the point of termination. The event trees are quantified by assigning event tree "split fractions" to each node in the trees. The split fractions quantify the relative frequency of success versus failure at each node of the tree, given that the scenario has progressed to that point in the tree. The split fractions are assigned probability values as well as names, to facilitate the quantification and the decomposition of the results. Given knowledge of the event tree structures, a specific accident sequence can be uniquely identified by specifying:

1. The initiating event.
2. The split fraction names for each event tree node that is postulated to fail along the accident sequence.
3. The end state of the accident sequence.

As noted in Figure 1-1, rather than using a single, large event tree that would be cumbersome to analyze and document, a series of linked event trees is used. The linking is accomplished within the RISKMAN Version 3 PC-based software system, which effectively constructs a single, large tree inside the computer. All scenarios with significant frequencies are linked together without the need for support states or impact vectors to accomplish the linking. The end states that are used to terminate the sequences are the plant damage states for the Level 1 part of the risk model and the release categories at the end of the Level 2 event trees. The Level 1 and Level 2 event trees have been fully integrated and linked together to provide a clear and complete definition of accident sequences.

The initiating events and the event tree split fractions are quantified using different types of models and data. The system failures that contribute to these events are analyzed with the use of fault trees that relate the initiating events and event tree split fractions to their underlying causes. These causes are quantified, in turn, by application of data on the respective probabilities of unavailability due to hardware failure, common cause failure, human error, and out-of-service for test and maintenance. Dependency matrices that are developed from a detailed examination of all of the plant systems help to account for important interdependencies and interactions that are highly plant specific. Event sequence diagrams are used to incorporate operator actions from their application of the plant-specific emergency operating procedures. To facilitate a clear definition of plant conditions in the scenarios, separate stages of event trees are provided for the response of the support systems (e.g., electric power, service water), the frontline systems (e.g., auxiliary feedwater, quench spray), operator recovery actions, and containment phenomena (e.g., containment overpressurization failure). The latter stage of event trees is only included in a Level 2 or Level 3 PRA. A detailed definition of plant damage states provides a clean interface between the Level 1 and Level 2 event trees.

The systematic, structured approach that was followed in constructing the accident scenario model provides assurance that plant-specific features will be identified and that a reasonable degree of completeness will be achieved. It also provides for the systematic, top-down development of engineering insights about the key risk controlling factors that drive the results. The current perspective of these results is provided in the next section.
Figure 1-1. Definition of Accident Sequences in the Beaver Valley Unit 1 PRA. [Figure graphic not reproduced in text.]
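The linked event tree construction and the three-part sequence identifier described in Section 1.3 can be made concrete in a short program. The Python below is an added illustration and is not part of this report or of RISKMAN. It uses a constructed two-stage model (a support-system tree for the two emergency AC trains, then a frontline tree for auxiliary feedwater and AC power recovery); the initiating event frequency, the split fraction names and values (AO2, AP2, AP6, AF1, AF2, AFF, RE1), and the plant damage state assignments are all hypothetical values chosen for the example. It shows how a split fraction's name and value depend on the boundary conditions along the path, how a dependency-driven failure (probability 1.0) removes the success branch, and how every sequence is identified by initiating event, failed split fraction names, and end state, then summed into plant damage states.

```python
"""Linked event trees with named split fractions: enumerate and quantify
accident sequences, and sum them into plant damage states (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# A split-fraction rule maps the boundary conditions (top events already failed
# along the path) to (split fraction name, conditional failure probability).
SplitFractionRule = Callable[[FrozenSet[str]], Tuple[str, float]]
TopEvent = Tuple[str, SplitFractionRule]

GUARANTEED = 1.0  # dependency-driven split fraction: failure is certain


@dataclass(frozen=True)
class AccidentSequence:
    initiating_event: str
    failed_split_fractions: Tuple[str, ...]  # names of the failed nodes, in order
    end_state: str                            # plant damage state, or "OK"
    frequency: float                          # events per reactor-year


def enumerate_sequences(initiating_event: str, ie_frequency: float,
                        trees: List[List[TopEvent]],
                        end_state_of: Callable[[FrozenSet[str]], str]) -> List[AccidentSequence]:
    """Walk the linked trees (support systems, frontline systems, recovery, ...)
    as if they were one large tree. A node with failure probability 1.0 has no
    success branch; a node with probability 0.0 is not questioned on that path."""
    nodes = [node for tree in trees for node in tree]  # linking = concatenation
    out: List[AccidentSequence] = []

    def walk(i: int, failed: FrozenSet[str], names: Tuple[str, ...], freq: float) -> None:
        if i == len(nodes):
            out.append(AccidentSequence(initiating_event, names, end_state_of(failed), freq))
            return
        event, rule = nodes[i]
        sf_name, p_fail = rule(failed)
        if p_fail < GUARANTEED:
            walk(i + 1, failed, names, freq * (1.0 - p_fail))
        if p_fail > 0.0:
            walk(i + 1, failed | {event}, names + (sf_name,), freq * p_fail)

    walk(0, frozenset(), (), ie_frequency)
    return out


def core_damage_frequency(seqs: List[AccidentSequence]) -> float:
    return sum(s.frequency for s in seqs if s.end_state != "OK")


def frequency_by_end_state(seqs: List[AccidentSequence]) -> Dict[str, float]:
    totals: Dict[str, float] = {}
    for s in seqs:
        totals[s.end_state] = totals.get(s.end_state, 0.0) + s.frequency
    return totals


# --- Constructed, hypothetical loss-of-offsite-power model (not the BV1 model) ---
def ac_orange(failed: FrozenSet[str]) -> Tuple[str, float]:
    return ("AO2", 0.05)  # emergency AC orange train fails after LOSP

def ac_purple(failed: FrozenSet[str]) -> Tuple[str, float]:
    # conditional probability is higher once the other train has failed (common cause)
    return ("AP6", 0.20) if "AO" in failed else ("AP2", 0.05)

def aux_feedwater(failed: FrozenSet[str]) -> Tuple[str, float]:
    if {"AO", "AP"} <= failed:
        return ("AFF", GUARANTEED)  # no emergency AC: motor-driven pumps cannot run
    if failed & {"AO", "AP"}:
        return ("AF2", 0.02)        # one AC train lost
    return ("AF1", 0.005)

def ac_recovery(failed: FrozenSet[str]) -> Tuple[str, float]:
    if {"AO", "AP"} <= failed:
        return ("RE1", 0.30)        # operators fail to restore AC power in time
    return ("RE0", 0.0)             # not a station blackout: recovery not questioned

def plant_damage_state(failed: FrozenSet[str]) -> str:
    blackout = {"AO", "AP"} <= failed
    if blackout and "RE" in failed:
        return "HINOHR"  # high RCS pressure, no containment heat removal
    if "AF" in failed and not blackout:
        return "HIWCHR"  # high RCS pressure, containment heat removal available
    return "OK"

SUPPORT_TREE: List[TopEvent] = [("AO", ac_orange), ("AP", ac_purple)]
FRONTLINE_TREE: List[TopEvent] = [("AF", aux_feedwater), ("RE", ac_recovery)]


def quantify_losp_example() -> List[AccidentSequence]:
    return enumerate_sequences("LOSP", 0.1, [SUPPORT_TREE, FRONTLINE_TREE], plant_damage_state)


if __name__ == "__main__":
    seqs = quantify_losp_example()
    for s in sorted(seqs, key=lambda s: -s.frequency):
        if s.end_state != "OK":
            print(f"{s.initiating_event} {' '.join(s.failed_split_fractions):20s} "
                  f"{s.end_state} {s.frequency:.3e}")
    print(f"CDF = {core_damage_frequency(seqs):.3e} per reactor-year")
```

A useful check on any quantification of this kind is that the frequencies of all sequences, including the "OK" end states, sum back to the initiating event frequency; the recursion above preserves that because each node partitions its incoming frequency between success and failure.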
1.4 SUMMARY OF MAJOR FINDINGS

1.4.1 Results of Core Damage Frequency

For the Beaver Valley Unit 1 PRA, core damage was assumed to occur when the loss of core heat removal progressed beyond the point of core uncovery and core exit temperatures exceeded 1,200°F. Although this assumption is less conservative than equating core damage with core uncovery, it is still conservative because actual core melting and release of radioactive material from the fuel would correspond with much higher core outlet temperatures. However, this is also a reasonable assumption because a large fraction of the time to core melt is consumed by the time to reach 1,200°F core exit temperatures for sequences of interest in the PRA. The frequencies of all of the scenarios that ended with these conditions were summed to provide the overall core damage frequency (CDF). To provide this information, it was only necessary to link together the stages of the Level 1 event trees that span the sequences from the initiating events to plant damage states.

The format for presenting the CDF is to express it as a probability distribution. This is known as the probability of frequency format, and is designed to communicate both the results and the analyst's confidence in the results. The probability distribution for CDF for Beaver Valley Unit 1 is presented in Figure 1-2.

Figure 1-2. Probability Distribution for Core Damage Frequency. [RISKMAN density plot for plant damage state CMELT, not reproduced in text. Mean: 2.14E-04; 5th percentile: 1.02E-04; 95th percentile: 3.56E-04 per reactor-year; median partly illegible. Frequency axis in units of 1.0E-5.]
There is considerable information in Figure 1-2. First, the probability curve tells us that we are 90% confident that the true CDF lies in the range of approximately 1 in 9,800 per year to approximately 1 in 2,800 per year, or within a range of a factor of about 3.5. It further tells us that the median frequency is just over 1 in 5,600 per year, and the mean is approximately 1 in 4,750 per year.

The above results are on the order of the corresponding results from PRAs on other pressurized water reactor plants that were derived from comparable methods, databases, and work scopes. This perspective is supported by the comparison of the results from recent full-scope PRAs that used PLG methods and plant-specific databases, as shown in Table 1-1. Also included in this table are NUREG-1150 (Reference 1-3) results developed by the NRC and its contractors for Surry. It should be noted that the Surry results were obtained using methods and databases different from the other PRAs listed. The Surry results are presented for two cases: with and without credit for Unit 1 to Unit 2 crossties that provide enhanced opportunities to recover failures in the auxiliary feedwater, high pressure injection, component cooling water, and refueling water storage tanks. These specific crossties are not present at Beaver Valley.

Table 1-1. Comparison of PRA Results for Internal Events

  Plant                                        Mean Core Damage Frequency from Internal Events*
  Three Mile Island (Reference 1-4)            4.4 x 10^-4
  Midland (Reference 1-5)                      2.9 x 10^-4
  Beaver Valley Unit 1 (this study)            2.1 x 10^-4
  Beaver Valley Unit 2 (Reference 1-11)        1.9 x 10^-4
  Seabrook Station (Reference 1-6)             1.7 x 10^-4
  South Texas Project (Reference 1-7)          1.7 x 10^-4
  Diablo Canyon (Reference 1-8)                1.3 x 10^-4
  Surry (without crossties) (Reference 1-3)    1.2 x 10^-4
  Surry (with crossties) (Reference 1-3)       0.4 x 10^-4

  * Events per reactor-year.

Thus, of the seven plants analyzed by similar methods and databases (i.e., all except Surry), four have core damage frequencies within a factor of less than 2 of the current results for Beaver Valley Unit 1. It is important to note that of these seven plants, all except Seabrook and Beaver Valley have incorporated into their results plant and procedural modifications to reduce core damage frequency that were guided by earlier PRA results. The results for Surry without credit for crossties between the ECCS systems at both units are slightly lower than the Beaver Valley Unit 1 results, although the Surry results were developed using different methods and databases. It is believed that this combination of different methods and databases, such as the inclusion of certain scenarios in the Beaver Valley Unit 1 PRA that were not included in the NUREG-1150 studies for Surry, is the primary reason why the Beaver Valley results are slightly higher. In addition, the Beaver Valley results include contributions from internal floods that were not included in the results for Surry. The Surry results also reflect plant and procedural changes that were incorporated since the original PRA was completed and were specifically intended to reduce core damage frequency. Factors that contribute to the nature of the results are summarized below.
- The accident sequences that were analyzed are limited to those initiated by internal events and internal floods, in accordance with current IPE requirements. Sequences initiated by internal fires, seismic events, and other external events have been found in some other PRAs to be important.
- The current results were obtained using plant-specific data for component failure rates, maintenance unavailability, and initiating event frequencies. The common cause parameters of the MGL model were used in this study and were first estimated with the benefit of a plant-specific screening of industry common cause event data in accordance with NUREG/CR-4780. Plant-specific data were then used to update the common cause failure data.
- The current results do not reflect any plant or procedural changes that DLC may decide to make to improve safety after the IPE submittal.
- The containment performance (back-end) analysis included in this study relies heavily on information developed in NUREG-1150 for Surry. It is believed that a plant-specific evaluation would tend to show that this treatment is conservative.

It is emphasized that any PRA result is a strong function of the scope, level of detail, and state of knowledge associated with the underlying models, data, and assumptions. As such, the results are expected to change in future updates.
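The probability of frequency format of Figure 1-2, and the way its 5th, 50th and 95th percentiles and mean are read off and quoted as "1 in N per year" above, can be reproduced on a small model. The Python below is an added illustration and is not part of this report or of RISKMAN. It assigns each initiating event frequency and split fraction an independent lognormal state-of-knowledge distribution given by a median and an error factor (95th percentile divided by median), propagates them by Monte Carlo through the sum-of-products form of the CDF, and reports the mean, the median, and the 90% interval together with the factor between its ends. The two sequences and all numerical values are constructed for the example and are not the Beaver Valley Unit 1 data. Because the resulting distribution is right-skewed, the mean exceeds the median, which is why the report quotes both.

```python
"""Probability-of-frequency presentation of core damage frequency: propagate
state-of-knowledge uncertainty on initiating event frequencies and split
fractions to a distribution on CDF (added example)."""
import math
import random
from typing import Dict, List, Tuple

Z95 = 1.6448536  # standard normal 95th percentile
Factor = Tuple[float, float]  # (median, error factor = 95th percentile / median)


def lognormal_from_median_ef(median: float, error_factor: float) -> Tuple[float, float]:
    """(mu, sigma) of a lognormal with the given median and error factor."""
    return math.log(median), math.log(error_factor) / Z95


def percentile(ascending: List[float], q: float) -> float:
    """Linearly interpolated q-quantile (0 <= q <= 1) of an ascending list."""
    pos = q * (len(ascending) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return ascending[lo] + (ascending[hi] - ascending[lo]) * (pos - lo)


def propagate(sequences: List[List[Factor]], n_samples: int = 20000,
              seed: int = 1992) -> Dict[str, float]:
    """Monte Carlo: each sequence frequency is the product of its factors and the CDF
    is the sum over sequences. Every factor is drawn from an independent lognormal;
    the returned statistics describe the resulting distribution on CDF."""
    rng = random.Random(seed)
    params = [[lognormal_from_median_ef(m, ef) for m, ef in seq] for seq in sequences]
    samples: List[float] = []
    for _ in range(n_samples):
        cdf = 0.0
        for seq in params:
            term = 1.0
            for mu, sigma in seq:
                term *= rng.lognormvariate(mu, sigma)
            cdf += term
        samples.append(cdf)
    samples.sort()
    return {"mean": sum(samples) / n_samples, "p05": percentile(samples, 0.05),
            "p50": percentile(samples, 0.50), "p95": percentile(samples, 0.95)}


def analytic_mean(sequences: List[List[Factor]]) -> float:
    """Exact mean of the same model: with independent factors the mean of a product is
    the product of the means, exp(mu + sigma^2 / 2) for each lognormal factor."""
    total = 0.0
    for seq in sequences:
        term = 1.0
        for median, ef in seq:
            mu, sigma = lognormal_from_median_ef(median, ef)
            term *= math.exp(mu + sigma * sigma / 2.0)
        total += term
    return total


def one_in_per_year(frequency: float) -> int:
    """Express a per-reactor-year frequency as '1 in N per year'."""
    return round(1.0 / frequency)


# Constructed, hypothetical sequences (not the Beaver Valley Unit 1 data): the first
# factor is the initiating event frequency, the rest are failed split fractions.
EXAMPLE_SEQUENCES: List[List[Factor]] = [
    [(0.1, 2.0), (0.05, 3.0), (0.20, 3.0), (0.30, 3.0)],  # LOSP, both AC trains, no recovery
    [(0.5, 2.0), (0.005, 5.0), (0.10, 3.0)],              # transient, AFW fails, bleed and feed fails
]

if __name__ == "__main__":
    st = propagate(EXAMPLE_SEQUENCES)
    print(f"mean   {st['mean']:.2e}  about 1 in {one_in_per_year(st['mean'])} per year")
    print(f"median {st['p50']:.2e}  about 1 in {one_in_per_year(st['p50'])} per year")
    print(f"90% interval {st['p05']:.2e} to {st['p95']:.2e}, "
          f"a factor of {st['p95'] / st['p05']:.1f}")
    print(f"analytic mean {analytic_mean(EXAMPLE_SEQUENCES):.2e}")
```

The analytic mean is included as a check on the sampling: the Monte Carlo mean should agree with it to within a few percent at this sample size, while the percentiles have no closed form for a sum of lognormal products and must come from the samples.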
1.4.2 Contributors to Core Damage Frequency

What separates the PRA approach to safety assessment from the more traditional deterministic analyses that have been performed in the Updated Final Safety Analysis Report is the emphasis placed on the quantification of risk factors such as core damage and accident sequence frequencies. Thus, the presentation of the results in the previous section began with the numerical results for core damage frequency. But simply knowing these numbers is not as important as understanding what is driving the results. By identifying the underlying contributors to core damage frequency, a better understanding of the importance of plant features and operator actions that contribute to plant safety can be developed. In this way, the soft spots in our state of knowledge regarding severe accidents can also be determined, and strategies to minimize their risk significance can be developed.

The numerical results developed in this study for Beaver Valley Unit 1 are based on a plant-specific risk model that was developed to meet two different kinds of specifications. The first kind is intended to ensure that the results will account for important plant-specific characteristics and will incorporate a reasonably complete set of accident sequences and dependencies. The second kind is aimed at supporting the systematic decomposition of the results from bottom-line numbers to engineering insights about safety. The capabilities of the risk model that are derived from this second set of specifications are exercised in this section.
The following analysis of the contributors to core damage frequency is performed in a top-down manner, working from the general to the specific. First, the results are broken down to examine general classes of accident sequences. Several different approaches are followed to define accident sequence classes by a common characteristic. These characteristics include initiating event, plant damage state, split fraction, and combinations of these. Once accident sequences have been classified in this manner, the importance of each group can be evaluated in terms of both percentage contribution and results sensitivity. Next, the results are examined as scenarios defined by the initiating events, the split fractions of failed event tree top events, and the end states of the Level 1 event trees. Finally, the causes of each event in the important scenarios are delineated to root out the fundamental contributors to risk.

1.4.2.1 Important Classes of Accident Sequences

The first approach to defining classes of accident sequences is to group the sequences by a common initiating event or initiating event category. The initiating events are the events that are postulated in the risk model to trigger a plant trip and a challenge of the plant systems to successfully cope with the initiating event. If the subsequent actions of the plant systems and operators are unfavorable, or if the initiating event challenge is beyond the capabilities of the plant equipment, an accident sequence with some degree of damage may result. Thus, the initiating events are fundamental building blocks of the risk model. The computation of their percentage contributions is a straightforward task. Forty-five initiating event categories were identified as the basis for structuring the scenario risk model of Beaver Valley Unit 1. The integrated plant risk model was quantified separately for each category summarized in Table 1-2.

Table 1-2. Summary of Initiating Events

  Major Class                              Number of Initiating Event Categories
  Loss of Coolant Inventory                 7
  General Transients                       15
  Common Cause Initiating Events:
    Loss of HVAC Systems                    1
    Other Support System Faults            13
    Internal Floods                         9
  Total                                    45

Figure 1-3 displays the contributions that result when accident sequences are grouped by initiating event. The percentage of the total core damage frequency associated with sequences in each of these exclusive groups provides one measure of the relative importance of the different initiating events. It should be noted that in most cases the initiating events do not directly result in core damage. Thus, the relative importance of initiating events that is identified with this method includes the frequency of the initiating events themselves as well as the unavailabilities and unreliabilities of the systems and operator actions designed to prevent core damage following these initiating events.
Figure 1-3. Contributions to CDF from Sequences Grouped by Initiating Event. Total core melt frequency = 2.14E-04 per reactor-year. [Pie chart not reproduced in text. Legible slice labels: Loss of Offsite Power (about 24%), Partial Loss of Main Feedwater (12.3%), Other (11.9%), Total Loss of River Water (11.2%), Nonisolable Small LOCA, Excessive Feedwater (3.9%), Loss of Emergency DC Power Train (3.5%), Steam Generator Tube Rupture (3.4%), Isolable Small LOCA, Loss of Emergency Switchgear Ventilation (2.2%); remaining labels illegible.]

As can be seen in this figure, loss of offsite power accounts for about 24% of the total CDF. This initiating event and the second-ranked contributor, loss of one emergency AC train, are important because of their roles in triggering sequences that involve a total loss of emergency AC power (also referred to as station blackout). Approximately 43% of the total CDF results from these two initiators. The remaining contributors include 12% from partial loss of feedwater, 11% from total loss of river water, 5.6% from nonisolable small LOCA, and the remainder from various transient initiators.

Another way to group accident sequences to gain important insights is to key on particular conditions of the plant along the accident sequence that depend not only on the initiating event but also on the response of one or more plant systems. The following results were obtained for accident sequence classes of general interest. Note that because each sequence can possess more than one of these conditions, the resulting sequence groups are not always mutually exclusive.
  Accident Category                            Percentage Contribution to CDF
  RCP Seal LOCA                                46.6
  Station Blackout                             30.4
  Containment Bypass / Isolation Failure       20.7
  Loss of Switchgear HVAC (BVX + BV = F)       15.5
  Transient without Scram                      20.1

Thus, a large fraction of the core damage frequency is associated with an RCP seal LOCA. A large fraction of these events are caused by a station blackout or by a loss of switchgear ventilation. The RCP seal LOCA results do not include sequences in which there is also a LOCA via a failed-open PORV. About one-fifth of the total CDF is attributed to sequences that involve containment bypass or isolation failure conditions.

The following table breaks down the total CDF to show the distribution of scenarios grouped by the pressure range of the RCS at the time of core damage.

  RCS Pressure Range                           Percentage Contribution to CDF
  Near System Pressure (>= 2000 psia)          17.6
  High (600 - 2000 psia)                       62.0
  Medium (200 - 600 psia)                       1.7
  Low (< 200 psia)                             18.7

Thus, 62% of the total CDF is associated with a high pressure condition, 17.6% with RCS near system pressure, 18.7% with low pressure, and 1.7% with medium pressure. The high pressure category includes transients and small LOCAs with no secondary (steam generator) cooling. The high pressure category is significant because of the potential for natural convection-induced heatup of various RCS components, such as the RCS hot legs, pressurizer surge line, and steam generator tubes, between the times of core uncovery and core melt penetration of the lower vessel head. If the RCS pressure remains high until lower head penetration, there is the additional concern of the possibility of high pressure melt ejection and increased containment pressure loads. These events are discussed further in Section 1.4.4 below.
An alternative way to define accident sequence groups is to key on the end states of the Level 1 event trees known as the plant damage states. The plant damage states define important conditions of the plant status, reactor coolant system conditions, and containment status at the time of reactor vessel failure. The Level 1 event trees contain 17 plant damage states. Each plant damage state is identified by a five-character code to define RCS pressure, availability of containment heat removal systems, and status of containment isolation or bypass at the time of reactor vessel failure after core damage, respectively. The results for the percentage contribution of sequences grouped by plant damage state are summarized in Table 1-3.

Table 1-3. Plant Damage State Annual Frequency and Percentage of CDF

Plant damage state columns: (a) containment isolated / not bypassed, with containment heat removal; (b) containment isolated / not bypassed, without containment heat removal; (c) containment not isolated (< 3 inch leak); (d) small containment bypass; (e) large containment bypass. Entries are annual frequency (percentage of CDF).

RCS near system pressure (>= 2000 psia), row total 3.77 x 10^-5 (17.6%):
  (a) SYWCHR 3.01 x 10^-7 (0.1%)   (b) SYNOHR 2.99 x 10^-6 (1.4%)   (c) SYNISO 3.40 x 10^-5 (15.9%)   (d) SYSBYP 4.01 x 10^-7 (0.2%)
RCS at high pressure (600 - 2000 psia), row total 1.32 x 10^-4 (62.0%):
  (a) HIWCHR 3.42 x 10^-5 (16.0%)  (b) HINOHR 9.02 x 10^-5 (42.3%)  (c) HINISO 7.44 x 10^-7 (0.4%)    (d) HISBYP 6.98 x 10^-6 (3.3%)
RCS at medium pressure (200 - 600 psia), row total 3.67 x 10^-6 (1.7%):
  (a) MDWCHR 3.41 x 10^-6 (1.6%)   (b) MDNOHR 2.38 x 10^-7 (0.1%)   (c) MDNISO 2.14 x 10^-8 (< 0.1%)  (d) MDSBYP 4.00 x 10^-9 (< 0.01%)
RCS at low pressure (< 200 psia), row total 3.99 x 10^-5 (18.7%):
  (a) LOWCHR 3.74 x 10^-5 (17.5%)  (b) LONOHR 3.99 x 10^-7 (0.2%)   (c) LONISO 6.90 x 10^-8 (< 0.1%)  (d) LOSBYP 1.00 x 10^-6 (0.5%)   (e) LOLBYP 1.09 x 10^-6 (0.5%)
Column totals: (a) 7.53 x 10^-5 (35.2%); (b) 9.38 x 10^-5 (44.0%); (c) 3.48 x 10^-5 (16.3%); (d) 8.42 x 10^-6 (4.0%); (e) 1.09 x 10^-6 (0.5%); all plant damage states 2.13 x 10^-4 (100%).
A final way to define meaningful accident sequence categories is to key on the importance of specific plant hardware and operator actions that are identified with specific event tree split fractions; i.e., the values of event tree top event frequencies evaluated under specific boundary conditions. The Beaver Valley PRA event trees contain two types of split fractions: one type whose failure probability is 1.0 because of its dependence on associated equipment or operator actions that failed earlier in the sequence; and another type for events with a finite, nonzero chance of success. In this discussion, only the nonguaranteed failure type split fractions are examined. Again, because each sequence may contain two or more failed split fractions, the resulting sequence categories are not exclusive. The results obtained for some of the relatively high importance split fractions are presented in Table 1-4.

Table 1-4. Split Fraction Importance Ranking for Core Damage Frequency

Name   Description                                Failure Frequency   Percentage Contribution to CDF
RT1    Reactor Trip                               9.0 x 10^-5         19.8
AO2    Failure of AC Orange Train - LOSP          1.1 x 10^-1         19.7
PL1    Power Level > 40% - ATWS                   6.6 x 10^-1         19.0
RE*    Failure to Recover AC Power                Various             15.0
BP6    Emergency AC Purple - LOSP and AO Fails    1.5 x 10^-1         13.7
PA1    RCS Pressure Relief - ATWS                 4.1 x 10^-1         10.9
WA2    River Water Train A - LOSP                 2.6 x 10^-2         9.0
WB2    River Water Train B - LOSP                 1.8 x 10^-2         8.5
RI1    Rod Insertion - ATWS                       2.0 x 10^-1         6.6

* Includes several different split fractions.

The results in Table 1-4 provide one way to set priorities for enhancements to plant equipment and emergency procedures to reduce CDF. It is important to note that split fractions AO2, RE, BP6, WA2 and WB2 are associated with sequences involving a station blackout, and split fractions RT1, PL1, PA1 and RI1 are all associated with ATWS events.
1.4.2.2 Important Accident Sequences

Experience has shown that a most valuable output of a risk assessment for purposes of risk management is a list of scenarios ordered according to their importance to risk. This turns out to be more valuable, for example, than the importance ranking of scenario classes and equipment that was examined in the previous section. The reason is that equipment importance is scenario dependent; that is, the importance of a piece of equipment depends on how it contributes to a scenario. In some accident scenarios, a given piece of equipment may require a support system such as auxiliary power or cooling, while in others, it may not. The point is that working at the scenario level helps to keep dependencies and system interactions in perspective.

Literally, many millions of scenarios are contained in the Beaver Valley Unit 1 PRA. The scenarios were developed and quantified in stages. Starting with a list of initiating events, event sequence diagrams (ESD) were developed that document how the plant actually responds to a progression of events. Consideration is given to equipment behavior and the impact of operator actions under a variety of operating conditions. A key element of the scenario-structuring process is the documentation of the events in the sequence and of the plant and operator response. The actual quantification of the scenarios comes about by converting the ESDs into event trees, and employing event tree, systems analysis, and database software in RISKMAN to carry out the calculations.

A key result of the Beaver Valley Unit 1 PRA is that no single scenario makes up a large fraction of the core damage frequency. The top-ranked sequence is initiated by a complete loss of river water. This sequence contributes about 10% of the total core damage frequency. A complete loss of river water leads to the following consequential events:

- Reactor plant component cooling is unavailable, which means that reactor coolant pump (RCP) cooling is unavailable.
- High head safety injection pumps are unavailable due to loss of river water cooling, which means that RCP seal injection is lost.
- Loss of both thermal barrier cooling and seal injection leads to a RCP seal LOCA resulting in core damage, as high pressure injection is unavailable.
- Loss of containment heat removal due to loss of river water. In this sequence the containment is isolated and the RPV is at high pressure at the time of core damage.

Aligning raw water to river water is not included in the present model, but will be considered in future analyses and updates.

It is necessary to examine a large number of sequences to account for a large proportion of the total core damage frequency. To account for 95% of the total CDF, it is necessary to examine the top 429 sequences. The distribution of the top-ranking core damage sequences over the frequency range is indicated in Table 1-5.

Table 1-5. Breakdown by Plant Model (Level 1) Event Sequence Frequency Range

Frequency Range (event per year)     Number of Sequences     Percentage of Total Core Damage Frequency
> 1.0 x 10^-5                        4                       29.9
1.0 x 10^-6 - 1.0 x 10^-5            28                      38.6
1.0 x 10^-7 - 1.0 x 10^-6            164                     18
< 1.0 x 10^-7                        Very Large Number       13.5

A discussion of the highest frequency sequences that result in core damage is provided below in terms of the initiating event and the response of mitigating systems. Their main characteristics are summarized in Table 1-6. This table includes the 10 top-ranking sequences to CDF that account for about 47% of the total CDF.
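The quantification machinery described in this section and the preceding one (split fractions whose value depends on what failed earlier, guaranteed-failure split fractions with probability 1.0, ranking of sequences with a cumulative cut-off, and non-exclusive split fraction importance groups) can be illustrated on a small constructed event tree. The following Python is an added example with invented initiator frequency and split fraction values; it is not the Beaver Valley PRA model or RISKMAN output, and the top event labels AO2, BP6 and RE1 are reused only as names.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed teaching example: the tree, frequencies and split fraction
# values are invented and are not the Beaver Valley PRA model or its data.

@dataclass(frozen=True)
class SplitFraction:
    """Conditional failure probability of a top event for given boundary
    conditions; p_fail == 1.0 is a guaranteed failure forced by upstream
    failures of equipment this top event depends on."""
    name: str
    p_fail: float

# A top event rule maps the split fractions already failed on this path to
# the split fraction that applies, or None if the event is not questioned.
TopEventRule = Callable[[frozenset], Optional[SplitFraction]]
INITIATOR = ("LOSP", 5.0e-2)   # constructed loss of offsite power, per year

def ac_orange(failed: frozenset) -> SplitFraction:
    return SplitFraction("AO2", 0.05)       # orange diesel fails to start/run

def ac_purple(failed: frozenset) -> SplitFraction:
    # Higher conditional failure once orange has failed (coupled trains).
    return SplitFraction("BP6", 0.15) if "AO2" in failed else SplitFraction("BP1", 0.05)

def ac_recovery(failed: frozenset) -> Optional[SplitFraction]:
    # Power recovery is questioned only in a station blackout.
    return SplitFraction("RE1", 0.3) if {"AO2", "BP6"} <= failed else None

def seal_cooling(failed: frozenset) -> SplitFraction:
    # No AC and no recovery: seal injection and thermal barrier cooling are
    # both lost, so this is a guaranteed failure rather than a new chance.
    return SplitFraction("SC_GF", 1.0) if "RE1" in failed else SplitFraction("SC1", 0.02)

def hhsi(failed: frozenset) -> Optional[SplitFraction]:
    # High head injection is questioned only after a seal LOCA and is a
    # guaranteed failure when there is no AC power to run the pumps.
    if "RE1" in failed:
        return SplitFraction("HH_GF", 1.0)
    return SplitFraction("HH1", 0.05) if "SC1" in failed else None

TOP_EVENTS: List[TopEventRule] = [ac_orange, ac_purple, ac_recovery, seal_cooling, hhsi]

def is_core_damage(failed: frozenset) -> bool:
    # End state rule: RCP seal LOCA with no high head safety injection.
    return bool({"SC1", "SC_GF"} & failed) and bool({"HH1", "HH_GF"} & failed)

def enumerate_sequences() -> List[Tuple[frozenset, float]]:
    """Walk every branch of the tree; return (failed split fractions, freq)."""
    out: List[Tuple[frozenset, float]] = []

    def walk(i: int, failed: frozenset, f: float) -> None:
        if f == 0.0:              # empty success branch of a guaranteed failure
            return
        if i == len(TOP_EVENTS):
            out.append((failed, f))
            return
        sf = TOP_EVENTS[i](failed)
        if sf is None:            # top event not questioned on this path
            walk(i + 1, failed, f)
            return
        walk(i + 1, failed | {sf.name}, f * sf.p_fail)    # failure branch
        walk(i + 1, failed, f * (1.0 - sf.p_fail))        # success branch

    walk(0, frozenset(), INITIATOR[1])
    return out

def core_damage_sequences() -> List[Tuple[float, frozenset]]:
    """Core damage sequences ranked by annual frequency, highest first."""
    cd = [(f, s) for s, f in enumerate_sequences() if is_core_damage(s)]
    return sorted(cd, key=lambda fs: fs[0], reverse=True)

def total_cdf() -> float:
    return sum(f for f, _ in core_damage_sequences())

def sequences_to_reach(fraction: float) -> int:
    """Top-ranked sequences needed to cover `fraction` of CDF (the text's
    'top 429 sequences for 95%' statistic)."""
    ranked, target, running = core_damage_sequences(), fraction * total_cdf(), 0.0
    for n, (f, _) in enumerate(ranked, start=1):
        running += f
        if running >= target:
            return n
    return len(ranked)

def split_fraction_importance() -> Dict[str, float]:
    """Percent of CDF from sequences in which each non-guaranteed split
    fraction failed; a sequence counts toward every split fraction it
    contains, so the groups overlap and the percentages sum above 100."""
    cdf, imp = total_cdf(), {}
    for f, failed in core_damage_sequences():
        for name in failed:
            if not name.endswith("_GF"):       # skip guaranteed failures
                imp[name] = imp.get(name, 0.0) + f
    return {k: 100.0 * v / cdf for k, v in imp.items()}
```

Calling `split_fraction_importance()` on this tree gives AO2, BP6 and RE1 importances near 70% each and a total well above 100%, the overlap the text warns about; `sequences_to_reach(0.95)` returns 2 here where the full model needs 429.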
The highest frequency sequence that was introduced in Table 1-6 is described above. The second ranking sequence is a station blackout sequence initiated by a loss of offsite power. A loss of offsite power results in a plant trip. Power from both the 138-kV and 345-kV switchyards is unavailable, resulting in a challenge to the onsite emergency power system. Both trains of the emergency power system fail. Failure of both diesel generators 2-1 and 2-2 to start, load and run until electric power is restored from offsite is the key cause of failure of the onsite emergency power system. In this sequence, the pressurizer PORVs successfully reseat, and auxiliary feedwater operates. However, the loss of emergency AC power leads to failure of both RCP seal injection and thermal barrier cooling, as with all station blackout sequences. Efforts to restore electric power from either onsite or offsite supplies are unsuccessful for several hours. An RCP seal LOCA develops that leads to core uncovery because of the unavailability of high head safety injection.

The third ranking sequence is initiated by a loss of emergency AC power train orange, which causes the failure of A train river water pumps. The B train river water supply then fails independently. A complete loss of all river water results in a total loss of component cooling, HHSI pumps, RCP seal injection and thermal barrier cooling. An RCP seal LOCA develops that leads to core uncovery because of the unavailability of high head safety injection. Containment radioactivity removal is provided by the B train quench spray system, but the recirculation spray coolers for containment heat removal are unavailable due to failure of river water. The containment isolates successfully.

The fourth sequence is initiated by a partial loss of main feedwater followed by a failure of automatic and manual reactor trip (ATWS). The reactor power was at full power before the event; the RCS pressure relief paths then failed independently. Inadequate heat removal and RCS pressure relief results in vessel failure which leads to an excessive LOCA. Containment radioactivity removal and heat removal are successfully provided by the quench spray and recirculation spray systems. The containment isolates successfully.
Table 1-6. Top-Ranking Sequences Contributing to Core Damage Frequency

Rank 1. Initiator: Loss of River Water
        Subsequent system failures / consequential effects: Reactor Plant Component Cooling; RCP Seal LOCA with failure of HHSI and RSS
        Annual frequency: 2.0 x 10^-5 (9.7% of CDF)

Rank 2. Initiator: Loss of Offsite Power
        Subsequent system failures / consequential effects: Emergency AC Orange; Emergency AC Purple; Electric Power Recovery; RCP Seal LOCA with failure of HHSI and RSS
        Annual frequency: 1.8 x 10^-5 (8.7% of CDF)

Rank 3. Initiator: Loss of Emergency AC Orange
        Subsequent system failures / consequential effects: Both River Water Headers; RCP Seal LOCA with failure of HHSI and RSS
        Annual frequency: 1.2 x 10^-5 (6.0% of CDF)

Rank 4. Initiator: Partial Loss of Main Feedwater
        Subsequent system failures / consequential effects: Reactor Trip; Power Level; Primary Pressure Relief; RPV Integrity (Excessive LOCA)
        Annual frequency: 1.1 x 10^-5 (5.5% of CDF)

Rank 5. Initiator: Loss of Offsite Power
        Subsequent system failures / consequential effects: Emergency AC Orange; Emergency Switchgear Ventilation; RCP Seal LOCA with failure of HHSI and RSS; Containment Isolation
        Annual frequency: 9.2 x 10^-6 (4.4% of CDF)

Rank 6. Initiator: Loss of Emergency AC Orange
        Subsequent system failures / consequential effects: Turbine Plant Component Cooling; Emergency Switchgear Ventilation; RCP Seal LOCA with failure of HHSI injection path and RSS; Containment Isolation
        Annual frequency: 7.8 x 10^-6 (3.8% of CDF)

Rank 7. Initiator: Loss of DC Purple
        Subsequent system failures / consequential effects: High Head Safety Injection; Reactor Plant Component Cooling; RCP Seal LOCA with failure of HHSI
        Annual frequency: 5.0 x 10^-6 (2.4% of CDF)

Rank 8. Initiator: Partial Loss of Main Feedwater
        Subsequent system failures / consequential effects: Reactor Trip; Power Level; Manual Rod Insertion; Primary Pressure Relief; RPV Integrity (Excessive LOCA)
        Annual frequency: 4.9 x 10^-6 (2.4% of CDF)

Rank 9. Initiator: Loss of Emergency AC Orange
        Subsequent system failures / consequential effects: DC Purple Train; Both River Water Headers; Reactor Plant Component Cooling; RCP Seal LOCA with failure of HHSI and RSS
        Annual frequency: 4.7 x 10^-6 (2.3% of CDF)

Rank 10. Initiator: Loss of Emergency Switchgear Ventilation
        Subsequent system failures / consequential effects: Loss of all Emergency AC Power; Loss of Vital Instrumentation; Containment Isolation; RCP Seal LOCA with failure of HHSI, LHSI, QSS and RSS
        Annual frequency: 4.5 x 10^-6 (2.2% of CDF)
For the fifth sequence, loss of offsite power followed by loss of emergency AC orange train puts a demand to start the standby emergency switchgear ventilation fans, since the normal ventilation has failed due to LOSP. Failure to start the standby emergency switchgear ventilation fans leads to a total loss of switchgear ventilation which, like a station blackout, results in the loss of all electric power. An RCP seal LOCA develops that leads to core uncovery because of the unavailability of high head safety injection. The containment isolation fails due to total loss of power and no credit for operators to manually isolate valves.

The sixth sequence is similar to sequence five. The difference is that loss of power is initiated by failure of the orange emergency AC power train instead of by LOSP. The turbine plant component cooling system then fails independently, which leads to loss of normal switchgear ventilation cooling. Failure to start the standby emergency switchgear ventilation fans results in total loss of ventilation and eventually a station blackout. See the preceding paragraph for a more complete description.

The seventh sequence is initiated by a loss of emergency 125V DC power purple train, which isolates the CCR supply for the RCP motor and thermal barrier cooling. The high head safety injection pumps then failed independently. An RCP seal LOCA develops without any high head safety injection. Containment radioactivity removal and heat removal are successfully provided by the quench spray and recirculation spray systems. The containment isolates successfully.

The eighth sequence is similar to sequence four, initiated by a partial loss of main feedwater ATWS. In addition, the manual rod insertion fails independently. As a result, an RCS vessel failure occurs which leads to an excessive LOCA. See sequence four for a more complete description.

The ninth sequence is also similar to sequence three. The difference is that the DC power purple train fails independently. This also leads to loss of both trains of river water, since the B train pump cannot start due to loss of DC power. A complete loss of river water results in an RCP seal LOCA without high head safety injection. See sequence three for a more complete description.

The tenth highest frequency sequence is initiated by a complete loss of emergency switchgear ventilation; i.e., failure of normal switchgear ventilation and a failure of both trains of emergency switchgear fans. Due to the loss of room cooling, there is a limited amount of time before the room temperatures exceed equipment limits without operator actions to recover the switchgear ventilation. Eventual failures of power at the 4 kV and 480V emergency buses, the vital instrument buses, and the DC batteries lead to a station blackout. The loss of all emergency AC power results in a plant trip followed by a loss of all RCP seal cooling without high head safety injection. The loss of all vital instrumentation eventually results in a loss of all secondary heat removal. Containment heat removal is not available. The containment isolation fails due to loss of emergency power and no credit for operators to manually isolate valves.
1.4.2.3 Underlying Causes of System Failure

The previous sections have broken down the contributors to CDF into scenario groups, specific scenarios, and the systems and operator actions postulated to fail along these sequences. The systems and operator actions were initially defined by the initiating events and event tree split fractions that comprise the basic building blocks of the accident sequence model. In this section, the underlying causes of the hardware and operator failures are examined in more detail.

The event tree split fractions that contribute the most to core damage frequency were analyzed in Table 1-4. The first and third most important split fractions result from initiating events followed by a failure to trip the reactor while at full power. An ATWS condition leads to a challenge of the vessel integrity and RCS heat removal capability. The second most important split fractions in Table 1-4 are associated with loss of both trains of emergency AC power following a loss of offsite power. This pair of split fractions (AO2*BP6), one for each train of the emergency AC power systems, is applicable to all station blackout sequences in which both diesel generators are challenged and fail due to internal causes. They were derived from a systems fault tree analysis, as were all of the event tree split fractions that are associated with system failures or unavailability. The results of the systems analyses are organized into "cause tables" to permit examination of the principal contributors to system unavailability or failure. The cause table for the loss of both AC power trains is presented in Table 1-7. Similar cause tables were developed for several hundred different event tree split fractions that were analyzed for the Beaver Valley Unit 1 risk model.

At this level, the results can be examined for the different initial alignments of the system, the minimal cutsets of the system, failure on demand versus failure to run, and independent failure versus common cause. Thus, in Table 1-7, it can be seen that the largest contributor to failure of both power trains is independent failure of both diesel generators (or generator output breaker) to start or run for the assumed 24 hour mission time. The common cause contribution is relatively small, in part due to relatively high failure rates for this component. A 24 hour mission time was assumed for the diesels. The time dependent recovery of offsite power at earlier times is fully accounted for in the electric power recovery analysis.
Table 1-7. Analysis of Contributors to Failure of Both AC Orange and AC Purple Electric Power Trains (Split Fraction AO2*BP6)

Contributors to Failure of All AC Power                                                          Percentage of Total Failure Frequency
Two Diesel Generator Trains Fail (Independent) (includes diesel generator fail to start,         52.9
  fail to run, and output breaker fail to close)
Common Cause Failures of HVAC Dampers                                                            11.5
One Diesel Generator Train Fails To Start or Run and HVAC Damper on Opposite Train Fails To Open 10.0
One Diesel Generator Train Fails To Start or Run and HVAC Fan on Opposite Train Fails To Start   7.5
  or Run
One Diesel Generator in Maintenance or Test Alignment and Opposite Train Fails To Start or Run   7.3
Two Diesel Generator Trains Fail To Start or Run due to Common Cause                             7.1
Other Causes                                                                                     3.7
Total Failure Frequency                                                                          1.6 x 10^-2

In cases in which the event trees contain two or more top events to represent separate trains or subsystems, any given accident sequence may contain two or more split fractions that collectively represent a single state of the system. In these cases, the split fraction importance is evaluated for the entire system state as well as for the individual subsystems. This is the case with electric power, as indicated in Table 1-4. As a group, the fourth most important split fraction was shown to be the nonrecovery frequency for AC power. These nonrecovery frequencies were evaluated with the use of a time dependent model that considers the timing of loss of AC power and the recovery possibilities for offsite power, onsite power, and the time available for recovery based on the competing effects of battery depletion, RCP seal LOCA development, RCS depressurization, and core uncovery.

1.4.3 Results for Release Frequency

The results presented in the previous section for core damage frequency are based on the Level 1 portion of the accident sequence model that is illustrated in Figure 1-1.
The purpose of this section is to present the results of the entire accident sequence model in the frequencies and magnitudes of the different types of releases. These results are derived from the integration of the Level 1, or "front end," model in which the responses of the plant systems and operator actions are modeled, and the Level 2, or "back end," model whose containment event tree resolves the outcome of the core damage scenarios in the timing and magnitude of radioactive material releases. To facilitate the proper treatment of intersystem dependencies that result in interaction between the systems involved in preventing core damage and the systems needed to ensure long-term, leak tight containment integrity, the Level 1 portion of the accident sequence model includes all of the reactor protection, core cooling, active containment, and plant support systems. All pertinent information on the status of the containment spray, heat removal, isolation systems, and containment bypass conditions is passed on to the Level 2 model by the definition of the plant damage states. In this way, the plant damage states serve as the "initiating event" for the containment event tree and the interface between the "front end" and the "back end" models. It was found to be convenient to quantify the Level 2 containment event tree by physically linking it to the Level 1 event tree and then quantifying the entire accident sequence frequencies from initiator to release category, thus eliminating the need for plant damage states.
In principle, there is a continuum of possible releases that could result from a core damage event. A reasonable treatment of this continuum is afforded by the use of a representative set of discrete "release categories" that span the full spectrum from relatively large, early releases to long term release from the containment of the radioactive material. The containment event trees described more fully in Section 4 are developed to resolve the end states in a total of 21 different release category sets, whose major characteristics are summarized in Table 1-8. To facilitate the interpretation of the results, these 21 release categories can be placed into 4 general release types that are defined in Table 1-9 below. Also provided in this table is the percentage of the total mean core damage frequency assigned to each release type. Treatment of Release Categories and Release Types in this study is the same as was used for Beaver Valley Unit 2 (Reference 1-1).

Table 1-9. Definition and Results for Release Types

Release Type   Description                                              Percentage of CDF
I              Large, Early Containment Failures and Bypasses           5.0
II             Small, Early Containment Failures and Bypasses           22.3
III            Late Containment Failures                                43.4
IV             Long Term Contained Releases (containment intact)        29.3

In the above scheme, containment failures include isolation failures and structural failures of various sizes. Containment bypasses include steam generator tube ruptures as initiating events, thermal creep rupture of steam generator tubes during high pressure core melt sequences, and interfacing system LOCAs. The term "bypasses" refers to the condition when a release path from the reactor coolant system bypasses the containment building atmosphere and instead releases into systems and buildings located outside the containment.
Small releases are classified as those whose equivalent single release path penetrating the containment is less than approximately 3 to 4 inches in diameter. Steam generator tube ruptures are classified as small when they are initiators and as large when thermally induced. Early releases include leaks, bypasses, and isolation failures that exist at the time of core damage and structural failures that occur at or shortly after reactor vessel failure. The remaining releases, including late hydrogen burns, basemat melt-through, and decay heat driven overpressurization, are classified as late.

The large, early releases represented in Type I are called out with special reporting requirements in NUREG-1335 (Reference 1-2). Experience with published Level 3 PRAs in which offsite consequences are estimated (References 1-3, 1-5, and 1-6) has shown that early fatality risk, however small, is dominated by Type I events, since these are the only scenarios that would result in potentially life threatening doses in the same time frame as needed to implement protective actions like sheltering or evacuation. Types II and III involve degraded containment performance, but generally have not contributed significantly to early health effect risk. Type IV, which in several respects resembles the Three Mile Island accident, results in successful containment of the release and no offsite health effects.

The large fraction of CDF assigned to Type III is the result of two factors found to be important for Beaver Valley Unit 1. One is the large contribution of station blackout sequences that are assumed to result in long term loss of containment heat removal. The other is the low probability assigned to large or small, early containment failure for these same sequences. The current model takes no credit for recovery of AC power and containment heat removal after the time of core damage. Such consideration, which is more appropriate during the accident management phase of the IPE, would result in a shifting from the Type III contribution to Type IV. The small fraction assigned to Type I reflects a high containment strength and a low potential for interfacing LOCAs and design features of subatmospheric containments that preclude large preexisting leaks and the need to isolate large penetrations associated with containment purging.

One perspective on the Level 2 results is supported by a comparison of the results for the status of the containment at two snapshots in time during the accident sequences. Such a comparison is made in Figure 1-4, which compares the total frequencies of accident sequences with different containment states at the time of the onset of core damage with the corresponding states at the conclusion of the accident when the ultimate fate of the containment is resolved. The results at the time of core damage reveal the causes of containment failure and bypass that are of a systemic nature, such as containment isolation failures, interfacing LOCAs and steam generator tube ruptures as initiating events. The results at the end of the accident incorporate the cumulative effects of the systemic causes as well as the results of the severe accident challenges. Eventually, when the PRA is extended to incorporate accident management, these effects will be incorporated as well; however, the current study does not take credit for human actions to manage the accident that could occur after the onset of core damage.

As noted in Figure 1-4, most of the core damage frequency at the start of core damage is accompanied by an intact containment, with small contributions associated with small and large containment bypasses and failures of a systemic nature. At the end of the accident, there is some redistribution of the core damage frequency that reflects the cumulative effects of various severe accident challenges to the containment integrity. The late failure category is associated with sequences in which there is a functional unavailability of the containment heat removal systems that are needed to help achieve refreezing and cooling of the molten core debris and removal of reactor decay heat. Most of what is redistributed from the intact category goes here. A smaller proportion is redistributed to small and large containment failures and bypasses that result from various severe accident mechanisms that were postulated to occur at some finite probability in the Level 2 analysis. There is seen to be about an order of magnitude increase in the frequency of the large release and bypass category, primarily due to the probability that containment failure could occur from severe accident loads from high pressure core damage sequences.
There is a range of possibilities for reactor coolant system pressure during a severe core damage accident, depending on the specific sequence that is followed and the physical progression of the plant during the accident. Non-LOCA sequences typically progress to core melt because of a loss of RCS heat removal. Depending on the response of the primary and secondary relief valves and the response of the operators, many of these sequences may remain at full system pressure until the core penetrates the bottom of the vessel. Variations in system pressure at the time of the onset of core uncovery and eventual damage can result from depressurization through primary system leaks and breaks, operator actions to reduce pressure, and operation of various equipment. From the time of core damage until the time of vessel breach, various phenomena can result in pressure changes, such as production of noncondensable gases from zircaloy oxidation, flashing of water to steam, and thermal failure of primary system components. As seen in Figure 1-5, a relatively large fraction of the core damage frequency is associated with RCS pressures greater than 600 psia at the time of core damage, about 80%. At the time of vessel breach, this fraction is reduced somewhat to less than 60%.
[Table 1-8. Beaver Valley Unit 1 Release Categories and Major Release Types: table body not legible in the scanned source.]
[Figure 1-4. Comparison of Containment Status at Different Times During Accident. Bar chart of annual frequency (log scale, 1.00E-03 to 1.00E-07) for the containment states Intact, Late Failure, Small Release/Bypass, and Large Release/Bypass, with one bar per state at core damage and one at end of accident; annotation: no late failures at time of core damage.]
[Figure 1-5. Comparison of RCS Pressure at Different Times During Accident. Pie charts: At Core Damage (SST 18%, High 62%, Medium 2%, Low 18%); At Vessel Breach (SST 16%; the remaining slice labels are only partly legible in the scan). Legend: SST (System Setpoint) > 2,000 psia; High 600-2,000 psia; Medium 200-600 psia; Low < 200 psia.]
Beaver Valley Power Station Unit 1 Revision 0 Probabilistic Risk Assessment

1.4.4 Contributors to Release Frequency

A comparison of the results for the four main release types between Beaver Valley Units 1 and 2 from this study and Surry from Reference 1-3 is presented in Table 1-10. This comparison is extended in Table 1-11, in which the major contributors to large, early release (Type I) are examined. As expected, the results for Beaver Valley Units 1 and 2 are quite consistent. Because the units are essentially identical from a physical standpoint, the severe accident treatment was the same for both units. Unit 1 has a somewhat greater frequency of a Type I release due to a higher frequency of interfacing system LOCAs; Unit 2 has greater redundancy in isolation valves in the Low Pressure Injection System than Unit 1 has. The remaining differences between the units stem from small differences in the Level 1 systems results that propagate through the containment event trees.

The Beaver Valley results exhibit some differences in comparison with the NRC results for Surry taken from NUREG-1150 that are partly due to plant differences and partly due to the use of different methods, assumptions and data bases. Although the authors of this report have not performed a detailed examination of the respective differences, there are several differences worth noting that help to explain some of the key results. The Surry results for core damage frequency are about a factor of 5 lower than for Beaver Valley. NUREG-1150 notes that the Surry results would be about a factor of 3 greater without taking credit for ECCS cross-ties that do not exist at Beaver Valley. A lower core damage frequency means a lower frequency of challenging the containment integrity from severe accident loads. In addition, NUREG-1150 makes note of the importance of a low frequency of high pressure core melts, which appears to be at variance with the results of this study as shown in Figure 1-5. On the basis of the high degree of similarity between the plant and containment designs at Surry and Beaver Valley, such differences in results for pressure are not expected. A final difference that contributes to the above noted differences is that Surry included in-vessel recovery actions that were not considered in the results for Beaver Valley. While such recoveries are believed to be likely, it was decided in this evaluation to postpone the inclusion of such post-core-damage actions until the accident management program at Beaver Valley is further developed.

The Beaver Valley Unit 1 and Surry results for RCS pressure at the time of vessel breach and in-vessel recovery are compared in Figure 1-6. As seen in this figure, only about 8% of the core damage frequency is assigned to high pressure or setpoint pressure at Surry, whereas about 28% of core damage frequency at Beaver Valley was found to be at these pressures. Even though the Beaver Valley results made use of information on severe accidents from Surry, this information was used on a selective basis, and the respective studies are based on substantially different mixes of accident sequences and some differences in the treatment of phenomena exhibiting large uncertainties. The major factors that could explain all or part of the differences in the results for RCS pressure include:
- Different mix of sequences from the Level 1 event sequence models
- No credit for in-vessel recovery actions for Beaver Valley
- Different assignments for RCS pressure probabilities following RCP seal LOCAs and induced PORV failures
- Different assumptions regarding operator induced depressurization actions and associated assignment of human error rates. Possibly, different interpretations of the emergency operating procedures were employed.
Hence, the overall differences in the RCS pressure treatment at Surry and Beaver Valley are partly plant specific and partly analytic. This difference and possible differences in the treatment of interfacing systems LOCAs are viewed as the most likely explanations for the differences obtained in the respective studies for the frequency of a large early release.

The importance of RCS pressure at the time of vessel breach in the Beaver Valley Unit 1 results is evident in Figure 1-7, in which the principal containment failure modes that contribute to large early (Type I) release frequency are compared. More than 80% of this frequency is due to containment failures at vessel breach caused by containment loads from a high pressure melt ejection event. To the extent that the contributions from high pressure sequences can be reduced, there would be a corresponding reduction in the likelihood of containment failure from high pressure melt ejections. In development of the accident management program at Beaver Valley, a high priority will be given to considerations of actions to assure RCS depressurization during a high pressure core damage event.

In Table 1-11 the results for contributors to large early release at Beaver Valley Units 1 and 2 are quite similar due to similar Level 1 results and identical treatment of severe accidents. Interfacing systems LOCAs are more likely at Unit 1 than at Unit 2. The actual differences are even greater than evident in the results because the Unit 1 analysis took credit for mitigation (makeup of the RWST) that was not credited in the Unit 2 analysis because of the very low frequencies already obtained without such credit.

Table 1-10. Comparison of Release Frequency Results

Mean annual frequency, with percentage of CDF in parentheses.

Release Type | Description | Beaver Valley Unit 1 (This Study) | Beaver Valley Unit 2 (Reference 1-11) | Surry, Internal Events (Reference 1-3)
I | Large Early Containment Failures and Bypasses | 1.06 x 10^-5 (5.0) | 8.44 x 10^-6 (4.5) | 2.1 x 10^-6 (5.0)
II | Small, Early Containment Failures and Bypasses | 4.71 x 10^-5 (22.3) | 4.87 x 10^-5 (25.7) | 1.8 x 10^-6 (4.5)
III | Late Containment Failures | 9.15 x 10^-5 (43.4) | 8.54 x 10^-5 (45.1) | 2.6 x 10^-6 (6.5)
IV | Long Term Contained Releases (Containment Intact) | 6.17 x 10^-5 (29.3) | 4.69 x 10^-5 (24.7) | 3.4 x 10^-5 (84.0)
Total Core Damage | | 2.1 x 10^-4 | 1.9 x 10^-4 | 4.0 x 10^-5
Table 1-11. Comparison of Major Contributors to Large, Early Release Frequency for Internal Events

Percentage contribution to large early release (Type I).

Scenario Class | Beaver Valley Unit 1 (This Study) | Beaver Valley Unit 2 (Reference 1-11) | Surry, Internal Events (Reference 1-3)
Early Overpressurization | 81.1 | 86.0 | 7
Interfacing System LOCA | 10.7 | 4.3 | 77
Reactor Vessel Steam Explosion (Alpha Mode) | 4.9 | 4.6 | 6
Induced Steam Generator Tube Rupture (ISGTR) | 3.2 | 5.1 | 10
Early Hydrogen Burn | <1 | <1 | <1
Rocket Mode | <0.01 | <0.01 | -

Table 1-12 lists several of the top-ranking sequences contributing to Type I (large, early release) frequency. These ten sequences comprise about 45% of the total frequency of Type I releases. These sequences are obtained by linking the plant (Level 1) event trees that produced the sequences analyzed in Section 1.4.2 to the containment event tree, to provide an integral perspective of scenarios with different release characteristics. The top ranking sequence in Table 1-12 is an interfacing system LOCA sequence that consists of the VSX initiating event and failure to provide long term makeup to the RWST. Such sequences are assumed to result in a core melt and a large containment bypass. The remaining sequences in the table are variations of high pressure melt ejection sequences, many of which involve a functional station blackout or total loss of service water. The causes of these sequences involve various combinations of loss of offsite power, loss of river water and onsite power failures. The tenth ranking sequence is an ATWS sequence in which the reactor vessel survives the high pressure challenge and results in another high pressure sequence.
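The decomposition in Tables 1-10 and 1-11 (each release type as a share of total core damage frequency, and each containment failure mode as a share of the Type I frequency) can be checked arithmetically, which is a useful habit when reading any risk roll-up. The following Python is an added example and is not part of the PRA report or its models: the numbers are the table values printed on the page; the function names, the comparison tolerance, and the treatment of the "<1" and "<0.01" cells as upper bounds are assumptions of this example. It recomputes the percentage-of-CDF column from the mean frequencies, compares it with the printed percentages, reproduces the "about a factor of 5" CDF ratio between Beaver Valley Unit 1 and Surry, and ranks the Unit 1 failure modes with their cumulative share, the same aggregation behind the statement that a small number of top-ranked contributors carries most of the Type I frequency.

```python
"""Arithmetic check of the release-frequency decomposition in Tables 1-10 and 1-11.

Added example, not part of the PRA report.  The numbers are copied from the
two tables on the page; the function names, the tolerance and the treatment
of "<1" / "<0.01" cells as upper bounds are assumptions of this example.
"""

# Table 1-10: mean annual frequency of each release type (per reactor-year).
RELEASE_FREQ = {
    "Beaver Valley Unit 1": {"I": 1.06e-5, "II": 4.71e-5, "III": 9.15e-5, "IV": 6.17e-5},
    "Beaver Valley Unit 2": {"I": 8.44e-6, "II": 4.87e-5, "III": 8.54e-5, "IV": 4.69e-5},
    "Surry (NUREG-1150)":   {"I": 2.1e-6,  "II": 1.8e-6,  "III": 2.6e-6,  "IV": 3.4e-5},
}

# Table 1-10: percentage of CDF printed next to each frequency.
STATED_PCT = {
    "Beaver Valley Unit 1": {"I": 5.0, "II": 22.3, "III": 43.4, "IV": 29.3},
    "Beaver Valley Unit 2": {"I": 4.5, "II": 25.7, "III": 45.1, "IV": 24.7},
    "Surry (NUREG-1150)":   {"I": 5.0, "II": 4.5,  "III": 6.5,  "IV": 84.0},
}

# Table 1-11, Unit 1 column: share of Type I frequency by containment failure mode.
# "<1" and "<0.01" are carried as their upper bounds (assumption of this example).
TYPE1_CONTRIB_PCT = {
    "Beaver Valley Unit 1": {
        "Early overpressurization (HPME)": 81.1,
        "Interfacing system LOCA": 10.7,
        "Reactor vessel steam explosion (alpha mode)": 4.9,
        "Induced steam generator tube rupture": 3.2,
        "Early hydrogen burn": 1.0,
        "Rocket mode": 0.01,
    },
}


def core_damage_frequency(freqs):
    """The four release types partition every core damage sequence, so their
    frequencies sum to the total core damage frequency (CDF)."""
    return sum(freqs.values())


def percent_of_cdf(freqs):
    """Recompute the parenthesised percentage column of Table 1-10."""
    cdf = core_damage_frequency(freqs)
    return {rtype: 100.0 * f / cdf for rtype, f in freqs.items()}


def max_deviation(computed, stated):
    """Largest gap, in percentage points, between recomputed and printed values."""
    return max(abs(computed[k] - stated[k]) for k in stated)


def cdf_ratio(plant_a, plant_b):
    """Ratio of total CDF between two plants (the text quotes 'about a factor of 5')."""
    return core_damage_frequency(RELEASE_FREQ[plant_a]) / core_damage_frequency(RELEASE_FREQ[plant_b])


def ranked_contributors(total_freq, pct_by_mode):
    """Sort failure modes by share; return (mode, absolute frequency, cumulative %)."""
    ordered = sorted(pct_by_mode.items(), key=lambda kv: kv[1], reverse=True)
    rows, cumulative = [], 0.0
    for mode, pct in ordered:
        cumulative += pct
        rows.append((mode, total_freq * pct / 100.0, cumulative))
    return rows


def modes_needed_for_share(pct_by_mode, target_pct):
    """Number of top-ranked modes whose cumulative share first reaches target_pct."""
    for n, (_, _, cumulative) in enumerate(ranked_contributors(1.0, pct_by_mode), start=1):
        if cumulative >= target_pct:
            return n
    return len(pct_by_mode)


if __name__ == "__main__":
    for plant, freqs in RELEASE_FREQ.items():
        gap = max_deviation(percent_of_cdf(freqs), STATED_PCT[plant])
        print(f"{plant}: CDF = {core_damage_frequency(freqs):.2e}/yr, "
              f"max deviation from Table 1-10 = {gap:.2f} points")
    print(f"CDF ratio BV1/Surry = {cdf_ratio('Beaver Valley Unit 1', 'Surry (NUREG-1150)'):.1f}")
    unit1_type1 = RELEASE_FREQ["Beaver Valley Unit 1"]["I"]
    for mode, freq, cum in ranked_contributors(unit1_type1, TYPE1_CONTRIB_PCT["Beaver Valley Unit 1"]):
        print(f"  {mode:45s} {freq:.2e}/yr  cumulative {cum:5.1f}%")
```

The recomputed percentages land within a quarter of a percentage point of the printed ones for all three plants, which is what you expect when the table was built from unrounded frequencies and then rounded; a larger gap would indicate a transcription error or a column whose categories are not mutually exclusive.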
[Table 1-12. Top-Ranking Sequences Contributing to Type I (Large, Early Release) Frequency. The table body is not legible in this copy.]
[Figure 1-6. Comparison of Beaver Valley Unit 1 and Surry Results for RCS Pressure at Vessel Breach. Two pie charts: Surry (NUREG-1150), which includes a "No Vessel Breach (50%)" segment, and Beaver Valley Unit 1; remaining segments are SST, High, Medium and Low. Legend: SST (system setpoint) >2,000 psia; High 600-2,000 psia; Medium 200-600 psia; Low <200 psia.]
[Figure 1-7. Contribution of Containment Failure Modes to Large Early Release Frequency. Pie chart; large early release frequency = 1.06E-05. Segments: Early (HPME) Overpressurization 81%, Interfacing Systems LOCA 11%, Reactor Vessel Steam Explosion 5%, Induced Steam Gen. Tube Rupture 3%, Other.]
1.5 IMPORTANT OPERATOR ACTIONS

The estimate of core damage frequency provided in the evaluation depends heavily on the credit given to the operating crews in performing actions before and during an accident. Those actions occurring during an accident are especially important. For Beaver Valley Unit 1, operator actions found to be important are discussed below.

- Critical actions to be taken in response to failures in the electric power systems include:
  - Losses of all emergency switchgear ventilation may lead to complete loss of all emergency AC power. The ability of the operators to promptly start the standby emergency switchgear ventilation exhaust fan when offsite power is lost, or to provide alternate room cooling to the switchgear areas when all fans fail, is important. Currently, alarm response procedures inform the operators to investigate the cause of trouble, but do not provide explicit guidance on how to establish sufficient alternate cooling in the event that both emergency switchgear ventilation fan trains fail. The alarm response procedures are being reviewed to see if they can be enhanced to cover these scenarios.
  - For station blackout sequences, both onsite and offsite recovery actions to reestablish power to the 4,160V emergency AC electrical buses are important. A cross-tie connecting the 4kV normal buses of BV-1 and BV-2 will be installed. This cross-tie will permit either of the emergency diesel generators of the non-blacked-out unit to be connected to either of the emergency buses of the blacked-out unit in the event of a station blackout. This modification is being implemented to provide an acceptable station blackout coping capability using the emergency diesel generators of the other unit as the alternate AC (AAC) source. DLC is committed to installing the necessary hardware, revising existing procedures, and providing training to effect this cross-tie capability.
  - For each plant trip, a fast transfer is made of the 4,160V buses from the unit station service transformers to the system station service transformers. Failure to successfully transfer may result in a loss of power to one or both 4,160V emergency buses if the associated diesel generator does not function properly. The operator action to locally align or replace the breakers from the emergency buses to the system station service transformers following a failure of the fast transfer is important because the frequency of such failures is predicted to be significant. Procedures will be prepared and training will be provided on how to promptly repair or change out the failed breakers.
  - For station blackout sequences, operator actions to manually isolate containment penetrations with motor operated isolation valves, as called for in the procedure, are important to ensure leak tight integrity of the containment and avoidance of potential containment bypasses.
  - For sequences involving station blackout and no steam generator cooling, current procedures (ECA-0.0) preclude RCS depressurization via the PORVs as would otherwise be directed for other sequences per FR-C.1. This contributes to a relatively high frequency of high pressure core melt events, which, in turn, contributes to early containment failure due to induced steam generator tube rupture and high pressure melt ejection-driven overpressurization. During the accident management phase of the IPE, consideration will be given to extending existing provisions for RCS depressurization to cover station blackout sequences.
- Actions that are important for the mitigation of LOCAs include:
  - In the event of a small LOCA, failure of the operators to properly monitor plant parameters, or perhaps misreading or otherwise interpreting the indications incorrectly, and prematurely securing the HHSI pumps would result in a reduction of RCS inventory and ultimate core damage. Therefore it is important that the operators be well trained to prevent this error of commission.
  - In the event of a LOCA with failure of recirculation flow from the containment sump to the RCS (due to the LHSI pumps failing at the time of switchover), procedures instruct operators to establish recirculation flow using one of the outside RS pumps or to provide makeup to the RWST from the spent fuel pool or via blending. These actions are important because, at some other plants, LOCAs with failure of recirculation were found to be relatively high frequency core damage sequences when no credit was taken for these actions.
- Key actions for other scenarios include:
  - ATWS scenarios are an important contributor to the total core damage frequency at Beaver Valley Unit 1. The operator action to manually insert control rods following ATWS events with main feedwater available, when both the automatic and manual reactor trip functions fail, is therefore important. Operator training is consequential for this action since it must be accomplished within one minute of the initiation of the transient to limit the overpressure spike.
  - Some important containment bypass sequences at Unit 1 are initiated by a steam generator tube rupture. The operator response to cool down and depressurize the RCS in order to facilitate isolation of the ruptured steam generator may therefore be important. However, substantial time is available for this action. That such sequences are among the highest frequency containment bypass scenarios is an indication of the protection afforded by the Beaver Valley Unit 1 design features concerning these sequences relative to other Westinghouse PWRs. It is desirable, however, to have the emergency procedures for steam generator tube rupture events more explicitly instruct the operators to perform the depressurization for sequences in which all high head safety injection is also failed. Procedures are being updated accordingly.
  - Also, for steam generator tube rupture events, the potential exists for a safety relief valve on the ruptured steam generator to stick open. Procedures and training are being improved to ensure that such a stuck-open valve would be locally gagged closed, thereby isolating the ruptured steam generator.
  - The reactor plant component cooling water system design is such that RCP thermal barrier cooling may be lost in a variety of sequences. The operator actions to trip the RCPs are important to prevent potential damage to the RCP seals in non-station blackout scenarios.
1.6 IMPORTANT PLANT HARDWARE CHARACTERISTICS FOR CDF

Characteristics of the Beaver Valley Unit 1 plant design and operation that have been found to be important in the analysis of core damage frequency include:

- The fact that RCP seal injection and thermal barrier cooling are not both dependent on component cooling water (CCP), as in some plants, is an important strength of the functional arrangement of Beaver Valley Unit 1.
- For station blackout sequences, both thermal barrier cooling and RCP seal injection are lost. The loss of all seal cooling could lead to seal failure and a potential LOCA. The addition of the cross-tie connecting the 4kV normal buses of BV-1 and BV-2 will provide an alternate AC (AAC) source. Additional modifications to further address RCP seal integrity for loss of all seal cooling are under review, and both new seal materials and alternate seal cooling systems will be considered. Any modifications will be implemented in accordance with the resolution to Generic Issue 23.
- In the event of a failure of automatic reactor trip, the operators can attempt to manually trip the reactor from the control room. However, this manual action does not remove power to the control rods. Removal of power must be accomplished by locally tripping the motor generator sets. In the event that both reactor trip breakers mechanically bind, it is unlikely that the operators could remove power locally prior to RCS pressure peaking during ATWS scenarios initiated by a total loss of main feedwater. Adding the capability for the operators to remove power from the control room would reduce the reactor trip failure frequency and is being considered.
- Beaver Valley Unit 1 has two emergency diesel generators with which to mitigate an extended loss of offsite power. A cross-tie connecting the 4kV normal buses of BV-1 and BV-2 will be installed. This cross-tie will permit either of the emergency diesel generators of the non-blacked-out unit to be connected to either of the emergency buses of the blacked-out unit in the event of a station blackout. This modification is being implemented to provide an acceptable station blackout coping capability using the emergency diesel generators of the other unit as the alternate AC (AAC) source. Credit for this enhancement has not been included in the current PRA results, and will be included by DLC in a future PRA update.
- In the event of a plant trip followed by a loss of all auxiliary feedwater, several design features at Beaver Valley Unit 1 make it less susceptible to loss of all secondary heat removal sequences than some other plants. The electric motor-driven main feedwater pumps make it less likely to lose, and easier to restore, main feedwater than at plants with steam driven main feedwater pumps. The pressurizer has three PORVs with which to perform bleed and feed or feed and bleed cooling, should all secondary heat removal be lost. Moreover, engineering calculations indicate that in the event of a loss of all secondary heat removal, the HHSI pumps have sufficient head capacity to successfully provide sufficient flow for bleed and feed cooling with the operators holding open just one of the pressurizer PORVs.
- Beaver Valley Unit 1 is designed to try and stay online following a load rejection accident. For a 100% load rejection accident, it is not expected that run back to house loads would be successful with a high degree of reliability. Consequently, the net effect of this design feature in a loss of offsite power event is just to delay the time of reactor trip. This delay is expected to result in a challenge to the pressurizer PORVs to lift, as occurred during a loss of load test at Beaver Valley Unit 2. In the event that the PORVs fail to reclose, the time available for electric power recovery from a station blackout event is significantly reduced. The option of eliminating the challenge by defeating the 100% load rejection capability is being considered.
- The emergency switchgear ventilation is provided by both the normal switchgear rooms HVAC system and the emergency switchgear ventilation fans. Complete losses of such systems have been known to occur in the past at other plants. The rooms served by emergency switchgear ventilation contain a number of heat loads. Current thermal-hydraulic analyses indicate that equipment design temperature limits may be exceeded in 30 minutes if all ventilation is lost. These rooms are also situated so that simply opening doors may not produce a chimney effect. Alarm response procedures are being reviewed to determine if they can provide more explicit guidance on how to establish sufficient alternate cooling in the event that both emergency switchgear ventilation fan trains fail.
- For ATWS scenarios where there is partial or complete loss of main feedwater, with the failure of the automatic and manual trip of the reactor, and the failure of AMSAC to initiate Auxiliary Feedwater flow, a pressure surge in the RCS occurs due to the inability of the secondary system to sufficiently remove reactor core heat. The normal system arrangement of the PORV block valves at the time of the PRA system model was one block valve open and two block valves closed. The current PRA models assume this alignment and do not give any credit for operator actions to open the closed block valves during ATWS events. As a result, with only one PORV and three safety relief valves available, there is insufficient RCS pressure relief capacity 70% of the time for the above mentioned scenarios (see Section 3.1.4). These scenarios directly lead to an RCS vessel rupture and high pressure early core melt. The options for reducing these ATWS sequences are under review.
1.7 IMPORTANT #LANT CHARACTERISTICS FOR CNMT, PERFORMANCE The following chsracteristics of the Beaver Valley Unit 1 containment structure and systems are important _to containment performance during severe accidents:
-
- Subatmospheric Containment Operation 1ho Beaver Valley Unit 1 contcinment is maintained at a subatmospheric pressure (9.0 to 10.5 psia) during normal operation.
Containment in-leakage is continually monitored. Because of this feature, the likelihood -l of large leaks in the containment existlnt s' the time of a severe accident is negligible, l and a potentially important contributor to the risk of early health effects is eliminated. !
- Containment Building Design. A detailed comparison of the Surry Unit i and Beaver I Vo!%y Units 1 and 2 containment designs indicates that.they are very similar. It was corcluded that the Surry 1 containment failure probability distribution would be somewhat conserowe foe the Beaver Valley Unit 1 containment. NUREG 1150 concluded that the Surry "contain,ilent vo:pmo and high failure pressure provide contriderable capacity for accommodation of severe acc'dnat pressure loads."
- Reactor Cavity and Instrument Tunnel Configurathn. The reactor vessel is supported by a cylindrical steel support skirt and is surrounded by an annular neutron shield. tank, which, in turn, is surrounded by the concrete primary shield wall.
The instrument tunnel and primary shield wall form a " key" shaped structure, appropriately referred to as the " keyway." The concrete rectangular section of the keyway is covered by steel decking, upon which some of the RHR equipment rests. The platform for most of the RHR equipment is adjacent to this decking; Access to the keyway is O through a steel hatch, which is hinged on one end ofihe hatch and positively latched to the steel decking on the opposite end of the hatch with a screw. The platform is locater, at Elevation 707'6", whereas the floor of the keyway is at Elevation 690'11". Thus, water in the containment proper would have to rise to a level of iW" above the floor-before _it would overflow into the keyway, The exception is the case of a LOCA involving leaking - instrument tubes that would directly wet the cavity. Convoisely, water that enters the reactor cavity from the refueling tank would be unavailable for recirculation until the reactor cavity and instrumentation tunnel filled to a . level 16'7" above the cavity floor before it reached the decking above the keyway.- Approximately 64,800 gallons are ; estimated to be required to fill the reactor cavity and instrumentation tunnel up to the RHR f platform elevation. Approximately 1,092,000. gallons of water are required to reach the 707'6" level in the containment (excluding the volume in the keyway). The RWST has a minimum capacity of 441,000 gallons. Another 78,500 gallons are available from the accumulators, chemical < addition tank, and reactor coolant system. As is the case for the Surry Unit 1 containment, the Beaver Valley Unit 2 reactor _ cavity _ does not communicato directly with the containment sump. A small sump nump (rated at - - 10 gpm) is located at the bottom of the instrument tunnel noar where the instrumentation tubes rise vertically toward the seal table. 
Since it is not possible (unless an outside source of makeup is provided) to flood the reactor cavity via "overflow" from the containment, the only significant source of water in the reactor cavity prior to vessel failure results from operation of the quench spray (QS) system. If both QS pumps operate, it is estimated that approximately 140 gpm of the spray will fall into the reactor cavity. At this rate, water level in the reactor cavity and instrumentation tunnel would rise approximately 0.03 feet/minute. Sustained makeup of 140 gpm would be adequate to cool core debris once decay heat level reached 0.75% of full power. The above features impact the ability to ensure that there is a means to cool the fuel melt debris bed after the core melts through the vessel bottom head. They also influence the capability to reduce radioactive release source terms via the cooling and scrubbing effects of introducing additional water to the containment.
- Containment Heat Removal. The Beaver Valley Unit 1 containment fan coolers (containment atmospheric recirculation system) are not designed to provide a safety function. Furthermore, the coolers are automatically tripped and isolated on a safety signal, and would flood out during accidents in which the RWST is injected into the containment. Therefore, only containment heat removal by the recirculation spray systems (RSS) is given credit (where appropriate) in the Beaver Valley Unit 1 PRA.
1.8 REFERENCES
1-1. U.S. Nuclear Regulatory Commission, Generic Letter No. 88-20, December 1988.

1-2. U.S. Nuclear Regulatory Commission, "Individual Plant Examination: Submittal Guidance," final report, NUREG-1335, August 1989.

1-3. U.S. Nuclear Regulatory Commission, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150 Summary Report, second draft for peer review, June 1989.

1-4. Pickard, Lowe and Garrick, Inc., "Three Mile Island Unit 1 Probabilistic Risk Assessment," prepared for GPU Nuclear Corporation, PLG-0525, November 1987.

1-5. Pickard, Lowe and Garrick, Inc., "Midland Probabilistic Risk Assessment," prepared for the Consumers Power Company, May 1984.

1-6. Pickard, Lowe and Garrick, Inc., "Seabrook Station Probabilistic Safety Assessment," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG-0300, December 1983.

1-7. Pickard, Lowe and Garrick, Inc., "South Texas Project Probabilistic Safety Assessment, Summary Report," prepared for Houston Lighting & Power Company, PLG-0700, April 1930.

1-8. Pickard, Lowe and Garrick, Inc., "Diablo Canyon Probabilistic Risk Assessment," prepared for Pacific Gas and Electric Company, PLG-0637, August 1988.

1-9. Fleming, K. N., "Recent Trends in Evaluation of Large Early Release Frequency in PWR Plants," Transactions of the American Nuclear Society, Winter Meeting, San Francisco, November 1989.

1-10. Pickard, Lowe and Garrick, Inc., "Risk Management Actions To Assure Containment Effectiveness at Seabrook Station," prepared for Public Service of New Hampshire, PLG-0550, July 1987.

1-11. Duquesne Light Company, "Beaver Valley Unit 2 Probabilistic Risk Assessment," Summary Report, Revision 0.
2 EXAMINATION DESCRIPTION
2.1 INTRODUCTION
The objectives described in Section 1.1 were accomplished by the completion of a Level 2 PRA on Beaver Valley Unit 1. Reference 2-1 defines the three levels of PRA work scopes as follows:
- Level 1 considers the performance of the plant systems to the extent needed to resolve scenarios to the point of success or core damage.
- Level 2 includes issues of core and containment phenomenology to the extent needed to resolve scenarios to the point of release of radioactive material.
- Level 3 includes an assessment of offsite consequences to public health and property.
The study described in this report represents a Level 2 analysis. It includes an assessment of the frequency of a spectrum of release categories, together with information to describe the timing and magnitude of source terms, that could be expanded into a Level 3 PRA at a later date, if desired. The scope of accident sequences that are included in the PRA is limited to those initiated by the so-called internal events and internal floods, in conformance with NUREG-1335. The PRA models and software will accommodate future extensions of this analysis to cover a full spectrum of internal and external plant hazards as needed. The technical scope of work that is necessary to perform a Level 2 PRA was organized into the following tasks:
- Task 1 - PRA Management Plan
- Task 2 - Unit 1 and Unit 2 Differences
- Task 3 - Plant Event Sequence Model
- Task 4 - Systems Analysis
- Task 5 - Data Analysis
- Task 6 - Human Actions Analysis
- Task 7 - Level 1 PRA Quantification
- Task 8 - Uncertainty Analysis
- Task 9 - Containment Performance Analysis
- Task 10 - Report
- Task 11 - Project Management
- Task 12 - Clerical Support and Publications
- Task 13 - Technology Transfer
- Task 14 - NRC Meetings and Support
- Task 15 - Accident Management
- Task 16 - Technical Review and Quality Assurance

The above technical and administrative tasks are interrelated and were integrated by the project team.
PLG provided PRA technology and project. S&W provided plant information, technical reviews, and analyses of severe accidents and effects of HVAC loss. DLC provided project management; DLC personnel from engineering and operations were directly involved in performing the analyses and providing independent in-house review. Additional discussions on the PRA organization and DLC's involvement are provided in Section 5. The technical quality of the project was ensured by a combination of approaches:
- The assignment of highly competent, experienced personnel to the project team.
- The use of the state-of-the-art methods and software to perform the analysis.
- The complete and systematic documentation of all models, input data, computer programs, and other aspects of the analysis.
- The involvement of DLC management, engineers, and operators who are familiar with the design and operation of Beaver Valley Unit 1 to ensure that the models accurately describe the plant, its operating environment, and implementation of plant procedures.
- The performance of independent technical reviews within PLG, S&W and DLC.
- The reviews and comments of the DLC Independent Review Team (see Section 5).
- The use of quality assurance (QA) procedures that are appropriate for PRA.
The QA procedures used for this project (Reference 2-2) cover a variety of activities, including procurement, document control, computer program verification and documentation, the performance of QA audits, and the performance of technical reviews. These procedures, which are based on Appendix B of 10CFR50, are believed to meet or exceed the requirements of NUREG-1335.
2.2 CONFORMANCE WITH GENERIC LETTER AND SUPPORTING MATERIAL

NRC Generic Letter No. 88-20, which was issued on November 23, 1988, requested that an IPE for severe accident vulnerabilities be performed and that the results of the examination be submitted to the U.S. Nuclear Regulatory Commission. Supplement No. 1 to Generic Letter 88-20 was issued August 19, 1989, announcing the availability of NUREG-1335, "Individual Plant Evaluation: Submittal Guidance," and requesting, in accordance with Generic Letter 88-20, a submittal, within 60 days, describing proposed programs for completing IPEs. The following discussion summarizes conformance with the generic letters and NUREG-1335:
- Summary. This PRA is written according to the NUREG-1335 format and content and provides a plant-specific, systematic examination of Beaver Valley Unit 1 for vulnerabilities. DLC is using the PRA to develop an appreciation of severe accidents, understand the most likely sequences, gain a more quantitative understanding of core damage and release probabilities, and, if necessary, reduce these probabilities. The Beaver Valley Unit 1 results are consistent with the NRC's Safety Goal Policy Statement.
- Examination Process. DLC personnel, who are familiar with the details of the design, controls, procedures, and system configurations, have been involved with the analysis and technical reviews, and are performing the Beaver Valley Unit 1 PRA. In addition, a DLC Independent Review Team is used to ensure accuracy of the documentation and to validate both the IPE process and its results.
- Internal Events. This PRA includes a full treatment of internal initiating events and internal floods. The preliminary screening for important flood scenarios ensures no significant vulnerabilities and introduces DLC to the potential importance of spatial dependencies that will be included later; e.g., those resulting from fires or earthquakes.
- Methods of Examination. This is a Level 2 PRA using current state-of-the-art methods consistent with NUREG/CR-2300 and severe accident phenomenological issues discussed in Appendix 1 of Generic Letter 88-20. The PRA is based on the plant design as of early 1988. The "back end" phenomenological models and analyses will support DLC plant-specific evaluations of any future NRC proposals concerning containment performance issues.
- Resolution of Unresolved Safety/Generic Issues (Relationship to USI A-45). Decay heat removal systems have been included in the models, and the results show no significant vulnerabilities.
- PRA Benefits. This study is a Level 2 PRA. DLC recognizes the potential benefits of a PRA, and plans to use and maintain it.
- Severe Accident Sequence Selection. The results of accident sequence screening are presented in Section 3.4.1, as described in NUREG-1335, Section 2.1.6, for systemic sequences.
- Use of IPE Results. DLC will ensure that 10CFR50.59 is met regarding changes as the result of improvements identified from the IPE.
- Accident Management. After completion of the PRAs on Beaver Valley Unit 1 and Beaver Valley Unit 2, DLC plans to have training programs that provide orientation on the use of PRA, important results, and conclusions. More detailed training is planned for those personnel who are directly involved in configuration management and plant change evaluations.
- Documentation of Examination Results. This summary report, with Appendices A through E, provides the current tier 2 documentation. The summary report alone satisfies the requirements for the IPE submittal per NUREG-1335.
- Licensee Response. A DLC letter, dated October 30, 1989 (Reference 2-3), documents the 60-day response. This letter committed to a Level 2 PRA method and approach, referred to several existing PRAs for a description of the method, and committed to submit the IPEs for both units by 1991. Another DLC letter, dated September 18, 1991, extended the Unit 1 submittal to September 1992.
2.3 GENERAL METHODOLOGY

The purpose of this section is to summarize the technical approach and methodology used in the development of a risk model for Beaver Valley Unit 1. More detailed descriptions of the methodology are included throughout the report. The overall PRA methodology closely follows the series of analytical tasks and methodologies that PLG has developed and implemented in performing more than 20 PRAs of nuclear power plants having various work scopes. Mathematical bases for the approach are given in Reference 2-4.

2.3.1 Introduction

The Beaver Valley Unit 1 PRA is founded on a scenario-based definition of risk. In this application, risk is defined as the answers to three basic questions:
1. What can go wrong?
2. What is the likelihood?
3. What are the consequences?
Question 1 is answered in the form of a structured set of scenarios that is systematically developed to account for design and operating features specific to Beaver Valley Unit 1. Question 2 is answered in terms of a prediction or estimate of the frequency of occurrence of each scenario identified in answer to question 1. Since there is uncertainty in that frequency, the full picture of likelihood will be conveyed by a probability curve (a curve that conveys the state of knowledge, or confidence, about that frequency). The third question is answered in a Level 2 PRA in terms of the key characteristics of radioactive material releases that could result from the scenarios identified. In a Level 3 analysis, offsite consequences such as public health effects and property damage are estimated for these releases. The results currently reported are for a Level 2 PRA, as defined in the IEEE/ANS "PRA Procedures Guide" (Reference 2-1).

A large fraction of the effort needed to complete a PRA is spent in the development of a model to define a reasonably complete set of accident sequences that is appropriate for the specific plant. An overview of the accident sequence model for Beaver Valley Unit 1 is presented in Figure 2.3-1. This model contains a very large number of different scenarios that are systematically developed from the point of initiation, on the left, to termination, on the right. A series of event trees is used to systematically identify the scenarios from the initiating events to the point of termination. Dependency matrices that are developed from a detailed examination of all of the plant systems help to account for important interdependencies and interactions that are highly plant specific. Event sequence diagrams are used to incorporate operator actions from application of the plant-specific emergency operating procedures into the scenario identification process.
To facilitate a clear definition of plant conditions in the scenarios, separate stages of event trees are provided for the response of the support systems (e.g., electric power, river water, etc.), the frontline systems (e.g., auxiliary feedwater, quench spray, etc.), operator recovery actions, and containment phenomena; e.g., containment overpressurization failure. A detailed definition of plant damage states provides a clean interface between the Level 1 and Level 2 event trees.
The systematic, structured approach that was followed in constructing the accident scenario model provides assurance that plant-specific features will be identified and that a reasonable degree of completeness will be achieved. It also provides for the systematic, top-down development of engineering insights about the key risk-controlling factors that drive the results.

The first step in risk analysis is to make a list of possible scenarios. As a matter of principle, we wish to make this list as long as possible; i.e., to think of and separately identify as many scenarios as we can. In the case of a nuclear plant, the list of scenarios can literally run into the billions. It is necessary therefore to develop methods for identifying scenarios, and for organizing and structuring the list so that it can be comprehended and its analysis made manageable.

We begin by following a deductive line of thought that leads to the identification of possible initiating events. The next step is to organize the possible ensuing event sequences into a "plant" model. The model building begins with the development of event sequence diagrams (ESDs) that are reviewed with operations personnel from the plant to ensure a proper integration of the plant emergency operating procedures. Each ESD is then converted into an event tree that follows the scenarios up to the point where, as suggested in Figure 2.3-2, a coalescence of scenarios, or "pinch point," occurs, in that, once a certain state, $y_i$, of plant damage has occurred, the remainder, or downstream portion, of the scenarios is the same regardless of how that state was arrived at.
When the PRA is extended to Level 2, the next portion of the scenarios is modeled by a "containment event tree" that follows the progress of the scenarios through the containment from the plant state to the occurrence or nonoccurrence of a release of radioactivity into the environment. Thus, the entry states to the containment event tree are the plant damage states; i.e., the exit states from the plant event tree.
The exit states from the containment are called "release categories," each of which specifies a "source term;" i.e., a certain quantity and mix of released radioisotopes together with information describing the timing and energy of release. At this point, another coalescence of sequences occurs in that the effects in the environment of a given category of release are the same regardless of the particular scenario that led to that release category. In a Level 3 PRA, the environmental effects are then studied by a "site model" that takes the release category source term as its input event, follows the movement of the radioactivity, and computes the final damage state, $x_i$, in terms of public health and property damage impact. The Beaver Valley Unit 1 PRA is a Level 2 (Reference 2-1) analysis, as it includes the initiating events, the plant model, plant damage states, and containment model; it stops at the release category (source term) level.

2.3.2 Causes and Consequences of Failure

Because reactors are protected by reliable, diverse, and redundant safety systems, it is necessary to postulate a series of multiple failures of systems, components, and humans before core damage can occur. The likelihood of a chain of independent failures leading to accidents has been shown to be extremely small. However, actual operating experience and more advanced modeling techniques demonstrate that, although their likelihoods are quite small, they are numerically higher than would be estimated solely from a postulated chain of independent failures. This is because physical and human interactions cause dependent failures that increase the probability of each successive failure in the chain. In fact, dependent failures tend to dominate the likelihood estimate. Thus, realistically estimating the likelihood of potential reactor accidents is determined principally by the ability to analyze dependent multiple failures (Reference 2-5).

The concept of dependence is important in both probability theory and probabilistic risk assessment. In fact, it is the modeling of the dependencies among various combinations of components in a nuclear power plant that makes the PRA job complicated. If every component failure or other situation could affect only a single component at a time, the reactor core would probably never be threatened because it would require the coincidence of several failures before a serious accident could develop. Such "independent" coincidences are truly rare. There would still be a need for logic modeling to be sure of the impact of a failure, of course, but such modeling would be relatively simple. In general, no single component failure can, by itself, result in core damage, except for very unlikely events such as rupture of the reactor vessel. Core damage can occur only if more than one failure occurs independently, or if one failure leads to another, or if one condition causes more than one failure.

A dependent event is a system action or physical condition whose likelihood is changed by the events that precede it or by the conditions that exist when the event occurs. (The term "condition" is used here in a broad sense to represent either environmental conditions, equipment conditions, or plant state.) In general, the likelihood of each event in a scenario is conditioned by all previous events in the scenario. As will be seen later, the impact of previous events is sometimes not significant; in other cases, such events are of great concern.
The joint likelihood of two or more events occurring simultaneously, but independently, is usually so small that it is not important to risk. For example, if two independent events each have a chance of 1 in 1,000 of occurring, the joint likelihood is 1 chance in 1,000,000. Therefore, the PRA focuses its attention on multiple events that result from each other or from the same cause. Examples of such causes include conditions in the plant, such as those resulting from initiating events, or the occurrence of the same maintenance error for different components having similar vulnerabilities. In the numerical example cited above, a dependent failure would exist if the likelihood of one event was dependent on whether the other event had occurred. If the degree of coupling (dependence) between the failures is strong, the joint likelihood of both events in that example could be closer to 1 chance in 1,000 than to 1 in 1,000,000.

Consideration of dependent events occurs at many places in a PRA. For example:
- Each initiating event is carefully examined to see which of the systems that must function to mitigate its consequences might also be made unavailable by the initiating event. Such dependence is modeled by grouping those initiating events that require similar mitigating systems, then defining the boundary conditions for each mitigating system to make them specific to those initiators.
- Each event in a scenario is examined to specify the correct boundary conditions for it, given the previous events in the scenario. In such cases, a branch may be eliminated under specific boundary conditions if it is not needed, certain to be successful, impossible, or already failed because of events that have occurred previously in the scenario. Previous events may also change the availability of a mitigating system without eliminating the corresponding branch. Such a situation is indicated in a boundary condition table by a numerical specification indicating the boundary condition to be used for that system in each case.
- Support systems whose failure would impact the operability of frontline systems are modeled explicitly in the support system model; that is, for example, an electric power system may have multiple states so that in the event trees there are more than two branches at the electric power system. In the fault tree diagrams for each other system, the state of electric power is used as a boundary condition in the top structure of the tree. Thus, in effect, a different fault tree is calculated for each system, assuming different states of electric power (availability of buses). From this fault tree, the split fractions are calculated for the appropriate branch point in the event tree. To implement this process, the impact of the support system state on each event in a scenario is shown in the boundary condition table for the corresponding event tree.
- Human actions that occur during event sequences and might affect more than one event in a scenario are best modeled in the event trees or added as recovery actions on a sequence-by-sequence basis. For such actions, great care must be exercised to account for all dependent effects such as competing demands on operators and the impact of previous actions.
Human actions that affect only one system (but might affect more than one component in that system) are modeled with the system. Examples include a single maintenance man making the same mistake on two redundant pumps, two operators influencing each other so that they both make the same mistake, or sequential testing by one operator who makes the same mistake in each test.
- Any initiating event that might affect more than one event in a scenario is modeled explicitly if its likelihood and potential consequences are judged to be significant. Examples of such initiating events include steam line breaks, loss of coolant accidents, and internal floods.
All dependencies identified during the course of a PRA are modeled explicitly with the following two exceptions. First, an implicit allowance for real but undefined dependencies is made by using parametric "common cause" terms in the support system and frontline system analyses. Secondly, certain dependencies acknowledged by the nuclear industry and specifically considered in the plant design are judged to be insignificant contributors to risk and are therefore not explicitly modeled. The following terms represent various types and aspects of dependence. They are defined for purposes of clarity.

- Common Cause Failure. A term used for dependent events that share a common cause. Operating history has shown that such failure mechanisms occur with a predictable frequency. When they may be significant contributors to risk, they will be modeled as dependent failures. The term "common cause failure" is used in this study to refer only to those dependencies that are either intentionally not modeled explicitly or cannot be explicitly modeled because their joint failure mechanisms are not understood. The treatment of common cause events in this PRA is explained in Section 3.3.1 and is consistent with the procedures defined in Reference 2-6.
- Intersystems Dependency. A term usually used to refer to adverse or unrecognized dependencies between events in a scenario. In its most general use, this term refers to all such dependencies regardless of whether they are significant contributors to risk.
Intersystems dependencies are generally divided into "functional" (Section 3.2.1), "spatial" (Section 3.3.6), and "human interactions" (Section 3.3.3). All three types of interactions can be explicitly modeled in a PRA if they are found to be significant contributors to risk.
- Environmental Effects. A term that refers to dependencies stemming from environmental conditions in the plant; e.g., a ventilation support system failure that causes more than one frontline system to fail. Such conditions are explicitly considered in a PRA.
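As an added illustration of the dependence ideas in this subsection (the 1-in-1,000 numeric example above, the parametric "common cause" allowance, and the support system state used as a boundary condition on a frontline system), the following Python code is not part of the report or of PLG's software. The beta-factor model, the 1-of-2 pump system with one electric bus per train, and every number in it are assumptions made for the example, not the treatment applied in Section 3.3.1.

```python
"""Dependent versus independent failures of redundant equipment, and the
support system state used as a boundary condition on a frontline system.

Added illustration: the pump system, its numbers, and the beta-factor
common cause model are assumptions of this example, not the report's.
"""


def independent_joint(q_a, q_b):
    """Joint probability of two independent events: the plain product, the
    "1 in 1,000 twice gives 1 in 1,000,000" case."""
    return q_a * q_b


def beta_factor_joint(q, beta):
    """Both of two identical redundant components fail when a fraction beta of
    each component's unavailability q is attributed to a shared cause.
    beta = 0 reproduces independence; beta = 1 is complete coupling."""
    q_shared = beta * q
    q_alone = (1.0 - beta) * q
    return q_shared + q_alone * q_alone


# Constructed boundary condition table for a 1-of-2 pump system in which pump A
# is fed from electric bus A and pump B from bus B. The support system (power)
# state selects which fault tree applies, as the text describes.
def pump_system_split_fraction(power_state, q=1.0e-3, beta=0.1):
    """Failure probability of the frontline pump system at its event tree
    branch point, given the electric power state reached earlier in the
    scenario."""
    if power_state == "both buses":
        return beta_factor_joint(q, beta)
    if power_state in ("bus A only", "bus B only"):
        return q      # one train lost by dependence; the other must fail alone
    if power_state == "no buses":
        return 1.0    # guaranteed failure: this branch can be eliminated
    raise ValueError(f"unknown power state {power_state!r}")


if __name__ == "__main__":
    q = 1.0e-3
    print("independent:", independent_joint(q, q))
    for beta in (0.0, 0.05, 0.1, 1.0):
        print(f"beta={beta}: both pumps fail {beta_factor_joint(q, beta):.3e}")
    for state in ("both buses", "bus A only", "no buses"):
        print(f"{state:12s}: split fraction {pump_system_split_fraction(state):.3e}")
```

With q = 1 in 1,000 and a beta of 0.1 the joint failure probability is about 1 in 10,000, two orders of magnitude above the independent product, which is the effect the text describes; the split fraction table shows why a separate fault tree result is needed for each support system state.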
2.3.3 Methodology of Probability and Risk Assessment

Core damage may be initiated either by internal events, such as a loss of coolant accident, or external events, such as fires, earthquakes, etc., with simultaneous, or nearly simultaneous, human errors contributing to either type of causal event. The tasks necessary to perform a Level 2 PRA include:
1. Definition of all potential initiating events and the resulting sequence-of-event scenarios.
2. Calculation of the frequency for each scenario (and because there is uncertainty, a probability distribution over frequency must be determined).
3. Reporting of the results, including quantification of the probable frequency of reactor core damage and a relative ordering of the specific scenarios (initiating events, system failures, human actions, etc.) leading to it.

The usefulness of a Level 2 PRA is not only as an assessment of risk, but also as a tool that plant operators and managers can use to identify, assess, and control specific risk. By using the results of the PRA to play "What if ...?" games and to perform cost-benefit analyses of potential equipment changes or other plant modifications, plant operators can (1) better understand the potential contributions of failures of various plant systems to core damage, and (2) mitigate potential occurrences and their consequences, thus reducing risk.
2.3.3.1 The Quantitative Definition of Risk

In analyzing risk, we are attempting to envision how the future will turn out if we undertake a certain course of action (or inaction). Fundamentally, therefore, a risk analysis consists of answers to the following three questions:
- What can happen; i.e., what can go wrong?
- How likely is it that this will happen?
- If it does happen, what are the consequences?
To answer these questions, we would make a list of outcomes, or "scenarios," as suggested in Table 2.3-1. The ith line in this table can be thought of as a triplet:
$\langle s_i, \phi_i, x_i \rangle$ (2.1)

where

$s_i$ = a scenario identification or description.

$\phi_i$ = the frequency of that scenario.

$x_i$ = the consequence or evaluation measure of that scenario; i.e., the measure of damage.

If this table contains all of the scenarios we can consider, we can then say that it (the table) is the answer to the questions and therefore is the risk. More formally, using braces, { }, to denote "set of," we can say that the risk, R, "is" the set of triplets,

$R = \{\langle s_i, \phi_i, x_i \rangle\}, \quad i = 1, 2, \ldots, N$ (2.2)

This definition of risk as a set of triplets is our first level definition; we shall refine and enlarge it later. For now, let us see how to give a pictorial representation of risk. Imagine, in Table 2.3-1, that the scenarios have been arranged in order of increasing severity of damage; that is, the damages, $x_i$, obey the ordering relationship:

$x_1 \le x_2 \le x_3 \le \cdots \le x_N$ (2.3)

Now add to the table a fourth column in which we write the cumulative frequency, adding from the bottom (Table 2.3-2). The cumulative frequency is represented by the upper case $\Phi$, as shown. If we now plot the points $\langle x_i, \Phi_i \rangle$, we obtain the staircase function shown as a dashed line in Figure 2.3-3.

Let us next note that what we called "scenarios" in Table 2.3-1 are really categories of scenarios. Thus, for example, the scenario "pipe break" actually includes a whole category of different kinds and sizes of breaks that might be envisioned, each resulting in a slightly different damage level, x. Thus, we can argue that the staircase function should be regarded as a discrete approximation to a continuous reality; i.e., if we draw in a smoothed curve through the staircase, we can regard that curve as representing the actual risk. Thus, we call it the "risk curve." When a risk curve is plotted on a log-log scale, it takes on the characteristic concave downward shape shown in Figure 2.3-4. Note, however, that we do not precisely know the frequency of each scenario.
The same is true therefore of the risk curve $\Phi(x)$; i.e., we have uncertainty about what it would be. The degree of uncertainty depends upon our total state of knowledge as of right now; upon all of the evidence, data, information, and experience with similar courses of action in the past. We seek therefore to express this uncertainty using, naturally, the language of probability. Since the thing we are uncertain about is a curve, $\Phi(x)$, we express the uncertainty by embedding this curve into a space of curves and erecting a probability distribution over this space. Pictorially, this is represented by a diagram of the form of Figure 2.3-5. This figure is what we call a "risk curve in probability of frequency format," or, alternatively, a "risk diagram." It consists of a family of curves, $\Phi_P(x)$, with the parameter P being the cumulative probability. To use this diagram, we could, for example, enter with a specific x value and choose, say, the curve P = 0.90. The ordinate of this curve, $\Phi_{0.90}(x)$, is then the 90th percentile frequency of x; that is, we are 90% confident that the frequency with which damage level x or greater occurs is not larger than $\Phi_{0.90}(x)$.
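The set of triplets of Equation (2.2), the cumulative frequencies of Table 2.3-2, and the percentile curves of the risk diagram can be worked through in code. The following Python is an added example, not from the report or from PLG's software; the four scenarios with their frequencies and damage measures, and the lognormal state-of-knowledge distribution with an error factor of 3 used to represent the uncertainty in each frequency, are constructed assumptions of this example.

```python
"""Risk as a set of triplets <s_i, phi_i, x_i>, the cumulative-frequency
staircase Phi_i, and the probability-of-frequency family Phi_P(x).

Added illustration; the scenarios below are constructed, not plant results.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str         # s_i: scenario identification
    frequency: float  # phi_i: point estimate of frequency, per reactor-year
    damage: float     # x_i: damage measure (arbitrary units)


# Constructed rows of a "Table 2.3-1"; the values are illustrative only.
SCENARIOS = [
    Scenario("pipe break, small", 1.0e-2, 1.0),
    Scenario("pipe break, large", 3.0e-3, 10.0),
    Scenario("loss of all feedwater", 5.0e-4, 100.0),
    Scenario("vessel rupture", 1.0e-5, 1000.0),
]


def risk_curve(scenarios):
    """Table 2.3-2: order rows by increasing damage (Equation 2.3) and cumulate
    frequency from the bottom. Returns [(x_i, Phi_i)] where Phi_i is the sum
    of phi_j over all rows whose damage is at least x_i."""
    ordered = sorted(scenarios, key=lambda s: s.damage)
    points = []
    running = 0.0
    for s in reversed(ordered):   # bottom of the table first
        running += s.frequency
        points.append((s.damage, running))
    points.reverse()
    return points


def exceedance_frequency(scenarios, x):
    """Phi(x): the staircase of risk_curve evaluated at damage level x, i.e.
    the frequency with which damage x or greater occurs."""
    return sum(s.frequency for s in scenarios if s.damage >= x)


def risk_diagram(scenarios, x_values, percentiles=(0.05, 0.50, 0.95),
                 error_factor=3.0, n_samples=2000, seed=1):
    """Figure 2.3-5 in numbers: Phi_P(x) for each cumulative probability P.

    The state of knowledge p_i(phi_i) is assumed (for this example) to be a
    lognormal whose median is the point estimate and whose 95th percentile is
    error_factor times the median. Each Monte Carlo draw gives one risk
    curve; Phi_P(x) is the P-th percentile of Phi(x) across the draws.
    """
    rng = random.Random(seed)
    sigma = math.log(error_factor) / 1.645   # 1.645 = z at the 95th percentile
    draws = []
    for _ in range(n_samples):
        sampled = [Scenario(s.name, s.frequency * rng.lognormvariate(0.0, sigma),
                            s.damage) for s in scenarios]
        draws.append([exceedance_frequency(sampled, x) for x in x_values])
    family = {}
    for p in percentiles:
        curve = []
        for k, x in enumerate(x_values):
            column = sorted(row[k] for row in draws)
            curve.append((x, column[min(int(p * n_samples), n_samples - 1)]))
        family[p] = curve
    return family


if __name__ == "__main__":
    for x, phi in risk_curve(SCENARIOS):
        print(f"damage >= {x:7.1f}: frequency {phi:.3e} per year")
    fam = risk_diagram(SCENARIOS, [1.0, 10.0, 100.0, 1000.0])
    for p, curve in fam.items():
        print(f"P={p:.2f}: " + ", ".join(f"{phi:.2e}" for _, phi in curve))
```

Reading the output the way the text reads Figure 2.3-5: for a chosen damage level x, the P = 0.95 entry is the frequency that, with 95% confidence, the frequency of damage x or greater does not exceed. Because each risk curve is non-increasing in x, every percentile curve is too.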
Returning to our set of triplets for a proposed course of action, suppose we now acknowledge that we do not know the frequency with which scenario category $s_i$ occurs. We would then express our state of knowledge about this frequency with a probability curve:

$p_i(\phi_i)$ = probability density function for the frequency, $\phi_i$, of the ith scenario.

Thus, we now have a set of triplets in the form

$R = \{\langle s_i, p_i(\phi_i), x_i \rangle\}$ (2.4)

which we could say is the risk including uncertainty in frequency. From the set in Equation (2.4), we can construct the risk family, Figure 2.3-5, by cumulating frequencies from the bottom in a manner entirely parallel to that used in Table 2.3-2. Similarly, if there is uncertainty in the damage also, we would have the set of triplets:

$R = \{\langle s_i, p_i(\phi_i), g_i(x_i) \rangle\}$ (2.5)

or, more generally,

$R = \{\langle s_i, p_i(\phi_i, x_i) \rangle\}$ (2.6)

using a joint distribution on $\phi_i, x_i$. In Equations (2.5) and (2.6), we can also construct the family of risk curves. It is conceptually and computationally much clearer, however, to stick with Equation (2.4), if possible. One way of doing this is to make the damage level part of the definition of the scenario. There is then no uncertainty in the $x_i$. All of the uncertainty is then in the functions $p_i(\phi_i)$.

2.3.3.2 Initiating Events, the Plant Model, and Risk Decomposition

A PRA is basically a listing and an analysis of scenarios, and a full-scope PRA can contain literally billions of scenarios, depending on how broadly they are described. Assembling a PRA of workable size therefore takes advantage of several "pinch points" that help limit the total number of scenarios requiring separate calculation. At a given pinch point, event sequences are coalesced into groups (states) that are indistinguishable in terms of future behavior; i.e., accident sequences emanating from a pinch point state depend only on that state and not on the path up to that point.
Major pinch points in the Level 2 PRA are initiating events, plant damage states, and release categories. As explained below, several intermediate pinch points between the initiating events and plant damage states are defined by the process of event tree modularization. In defining the scenarios and their consequences, there are two major steps, one deductive and one inductive. Each scenario consists of an initiator, or something that starts a sequence of events. This might be a system failing, a pipe breaking, a fire, or a human error; something that perturbs the reactor cooling system. The rest of the scenario consists of passive and active (automatic or manual) processes that determine the consequences of the scenario. These actions, or events, consist of systems, working or not; buildings and pipes remaining intact or not; etc. In the PRA models, all scenarios were identified by a combination of deductive and inductive thought processes. First, a set of all possible initiating events was deduced. Then, the events that occur in each scenario subsequent to the initiator were characterized inductively, using event trees.

2.3.3.2.1 Initiating Events. Three analytical methods are used to identify candidate initiating events:
- Master Logic Diagram
- Heat Balance Fault Tree
- Failure Modes and Effects Analysis

The master logic diagram is a deductive approach for directly addressing the question "How can a significant release of radioactivity to the environment occur?" The heat balance fault tree attacks the initiating event issue from a different direction. The top event for the heat balance fault tree method is "Initiating Event occurs." The fault tree logic development that ensues is based on the concept that any initiating event must involve an upset or imbalance in the thermal equilibrium that otherwise exists in the reactor core and its heat removal systems. This approach results in a finer structure for defining initiating event categories and enhancing completeness. Failure modes and effects analysis can be used to systematically identify support system failure modes that result in common cause initiating events. The FMEAs are not only used to generate additional initiating event categories but also to subdivide the original set in order to facilitate the treatment of dependence in event tree quantification. The application of these methods to Beaver Valley Unit 1 is discussed in Section 3.1.
2.3.3.2.2 The Plant Model. A great variety of possible scenarios must be enumerated in the plant model. To do this requires detailed modeling of the plant, its systems, its components, and their interdependencies. Physical and human interactions with the plant that can affect the frequency of occurrence of an accident scenario must also be included. Event frequencies and their associated uncertainties are quantified using historical evidence in both nuclear and nonnuclear experience, when applicable. The plant model contains the reliability aspects of all of the systems, including the engineered safety features of the containment. Once the initiating events are identified, the scenarios or accident sequences that could result are identified using a plant event tree. The plant event tree is actually a network of event tree modules. The top events of each event tree module are the various plant systems, so that each path through the tree represents an event sequence. In this way, the event tree embodies a truth table of all possible success and failure combinations of the plant systems. At the end of each sequence, the plant is either in a stable, recovered condition or has suffered some core damage. A set of plant states, $y_j$, is defined, and each path through the tree is assigned to one of these states. This point in the analysis is called a pinch point. Once a scenario has reached this point, its further development depends only on plant state $y_j$ and not on how that state was reached. Each plant state is carefully defined so that the further analysis is the same whether that state was reached because of a LOCA, a loss of offsite power, etc.

Figure 2.3-6 is a symbolic representation of an event tree diagram. Arrayed across the top are various systems or safety functions in the plant; e.g., the reactor protection system, the auxiliary cooling system, etc. At the left, we enter the tree with the initiating event and then ask, "Does system A work or not?" Thus, the tree branches at this point, with the upper branch representing "system A works" and the lower branch representing "system A fails." At system B, there is another branching, and so on. In this way, the event tree diagram is developed. Each path through the tree thus represents a "scenario," an envisioned sequence of events beginning with the specified initiating event and leading to a "plant damage state" represented by the symbol $y_j$. These plant damage states are defined in terms of the conditions in the reactor vessel, the type and degree of coherence of core melt, and the status of the containment safety/mitigation systems. These states are chosen and defined with sufficient specificity that once such a state has occurred, the subsequent events in the containment are the same regardless of the path by which that state was reached. As a result of this definition, a coalescence of scenarios occurs at this point that structures the scenario list and greatly simplifies the computational labor involved in the analysis. Also noted in Figure 2.3-6 is the fact that a given system need not be restricted to the two states: works or fails. In some cases, it is appropriate to use a multistate model of the system, thus representing various states of partial failure. Electric power, for example, is often treated this way. How many states should be used for a given system is a question of modeling detail or "degree of aggregation," as is the number of systems identified in the event tree in the first place.

The situation here is identical to that present whenever a symbolic model is made of a real world entity, whether it be a mathematical model, an engineering model, a computer model, or, indeed, a verbal model. The point is that the model is not the entity. It is only a symbolic representation of the entity. Modelers sometimes tend to forget that "the map is not the territory" and "the menu is not the meal."
The conceptual event tree of Figure 2.3-6 needs to account for a very large number of systems and system dependencies. At a minimum, the event tree needs to include a sufficient number of event tree top events to be able to unambiguously determine the end state, or the plant damage state bin to assign to the sequence. In addition, the event tree must be structured in a manner that facilitates the quantification of the scenario frequencies. This, in turn, requires that all important dependencies and interactions be accounted for. Two basic approaches are described in the PRA Procedures Guide (Reference 2-1) for accomplishing this. One involves direct modeling of these dependencies in sequence fault trees (fault tree linking). The other approach, the one followed in this PRA, involves direct modeling of the dependencies in the event trees. Rather than burdening the computer hardware and software resources with a single large event tree or fault tree, the approach followed here involves the use of modularized and linked event trees. The use of modularized event trees in constructing the Level 1 PRA accident sequence model for Beaver Valley Unit 1 is illustrated in Figure 2.3-1. Two event tree modules express the evolution of the accident sequences from initiating event to plant state: one that models the response of the support systems, and one that models the frontline safety systems. The event trees are constructed, quantified, and linked with special event tree analysis software that uses dependency matrices as input. Event sequence diagrams are used to develop physical plant scenarios and application of emergency operating procedures. Each scenario terminates in 1 of 18 different scenario end states. One of these is successful termination, and the remaining 17 involve core damage in a variety of different states of the reactor coolant system and active containment systems. This detailed definition of plant damage states is needed for a proper interface with the containment event trees. To provide perspective for the Level 1 results, these 17 plant damage states are grouped into 4 major categories according to the approximate potential of offsite health impact.

In PRAs conducted previously by PLG, the concept of support states was used to facilitate the quantification and linking of the modularized event trees. In that procedure, end states were assigned to a support system event tree to represent the different ways the support system states could impact the systems represented in the frontline event trees. The assignment and grouping of sequences into support system states and the binning together of similar support states were an integral step of the quantification process and also affected the presentation of results. This support state methodology was adopted in a simplified version of PLG's methodology that was adopted in the IDCOR IPEM. Because of enhanced capabilities of the PRA software that was used in this project, known as RISKMAN, there is no need for the introduction of support states. This is true because the software links together all of the sequences between the event tree modules, creating what amounts to a single, large event tree. The trees are input and reviewed by the analyst in modules only for human factor considerations.
- Determining Split Fractions for the Plant Trees. Let us turn now to the question of determining the split fractions for a typical branch point in the plant event trees. The basic process used here is to perform an analysis of the system to which that branch point relates; that is, we break the system down into its components and determine the relationship between the performance of the components and the performance of the system. From this relationship, and from the likelihood of various component failures and various combinations of component failures, the split fractions for the system are calculated. This process involves the following steps:
  - Qualitative Analysis. This step includes system familiarization and walkdown, definition of system functions and success criteria, definition of system and component boundaries, definition of all event tree top events and split fractions to be analyzed, collection and review of all relevant system documentation, and definition of common cause groups.
  - Logic Modeling Development. This step includes the development of a reliability block diagram, conversion of this diagram to a fault tree, incorporation of common cause basic events into the fault tree, and screening analyses to support logic model simplification.
  - System Failure Equation Development. For each system, top event, and split fraction, an algebraic equation is developed to compute the failure frequency and to serve as a model for uncertainty propagation. The equations are developed by
    - Incorporating boundary conditions for the split fraction into the system fault tree.
    - Incorporating initial system alignments into the fault tree.
    - Determining the fault tree minimal cutsets.
    - Applying the "rare event approximation" or basic probability combination laws, as appropriate.
    - Applying probability models for common cause failures, failures on demand, mission failures, and various contributions to system, subsystem, and component unavailability.
  - Database Development. For each equation parameter (e.g., failure rate, common cause failure parameter, maintenance or testing frequency, etc.), a probability distribution is developed that describes the state of knowledge or uncertainty associated with the parameter value. This includes plant specific screening for determination of common cause parameters in accordance with Reference 2-6.
  - Quantification and Analysis of Results. Results are then obtained by propagating point values (mean values) and uncertainty distributions of the database parameters through the system equations. Results are displayed in "cause tables" that show the contributors in terms of initial alignments, and major groups of cutsets and individual cutsets, as needed to make appropriate use of the results. The numerical output of this analysis becomes the input for the event tree quantification and for the final uncertainty analysis.
- Relating System Analyses and Event Trees. Figure 2.3-7 shows the relationship of the structuring ideas that we have been discussing. Thus, at the top (i.e., the plant level) is the event tree diagram. This level shows which combinations of system failures, together with which initiating events, could result in any given plant state. At the next level down, the system level, fault trees express the relationship of the system to its components. This level shows which combinations of component failures result in failure of the systems. Below that is the cause level, showing which causes could result in component failure and which combinations of causes could result in those combinations of component failures that cause system failure. Particular interest centers at this level on single causes that by themselves could fail more than one component or more than one system.
- Calculating Scenario Frequencies. Each scenario is then analyzed to determine its frequency of occurrence and the magnitude of the consequent damage, as measured by several damage indices. In calculating these frequencies and damage magnitudes, it is important to explicitly quantify the uncertainty, as any competent scientist does when presenting results. In the case of risk assessment, it is especially important to quantify uncertainty since we are dealing with rare events and with a skeptical audience of regulators, intervenors, and the general public. Therefore, we incorporate uncertainty into the PRA from the beginning, from each piece of input data up to the final results. The uncertainty in the risk comes from a lack of prior knowledge about exactly how frequently each scenario will occur and exactly which consequences it will produce. Both of these sources of uncertainty are carefully tracked throughout a PRA to specify, as accurately as possible, the risk from operating the plant.

A general framework for organizing a PRA, describing the uncertainties, and presenting the results was presented in Section 2.3.3.1. Once the possible scenarios have been qualitatively defined, the next step is to calculate the frequency with which they occur. Each path through an event tree is characterized by the particular entry state and by the failed systems in the path. Thus, for example, in the simplified plant event tree diagram of Figure 2.3-8, consider the scenario

$$S = I A \bar{B} C \bar{D} \qquad (2.7)$$

This is the scenario consisting of initiating event or entry state I followed by success of systems A and C, and failure of B and D. This scenario is represented by the darkened line in the diagram (the lower branch at each node represents failure of the corresponding system). The frequency of this scenario may be written

$$\phi(S) = \phi(I)\, f(A \mid I)\, f(\bar{B} \mid IA)\, f(C \mid IA\bar{B})\, f(\bar{D} \mid IA\bar{B}C) \qquad (2.8)$$
where

$\phi(S)$ = the frequency of scenario S.

$\phi(I)$ = the frequency of initiating event I.

$f(A \mid I)$ = the fraction of times system A succeeds given that I has occurred.

$f(\bar{B} \mid IA)$ = the fraction of times system B fails given that I has occurred and A has succeeded.

$f(C \mid IA\bar{B})$ = the fraction of times C succeeds given that I has occurred, A has succeeded, and B has failed.

$f(\bar{D} \mid IA\bar{B}C)$ = the fraction of times D fails given I, A, $\bar{B}$, and C.
The quantities $f(A \mid I)$, etc., are called the "split fractions" at the nodes of the tree. What this means exactly, for example, is that for an infinite population of hypothetical clones of our plant (all run for their full lifetimes), out of all of the sequences that reach node B1, the fraction $f(\bar{B} \mid IA)$ takes the lower branch at this point. With the split fractions established at each branch point, we may then calculate the frequency of each scenario path as the frequency of the initiating event times the appropriate split fraction at each branch on the path; i.e.,

$$\phi(S) = \phi(I)\; {}_1f_{j_1}\; {}_2f_{j_2} \cdots {}_nf_{j_n} \cdots \qquad (2.9)$$

where ${}_nf_{j_n}$ is the split fraction of the branch chosen by the path at node n.

Now note in Equation (2.9) that if we divide by $\phi(I)$, we obtain

$$\frac{\phi(S)}{\phi(I)} = {}_1f_{j_1}\; {}_2f_{j_2} \cdots {}_nf_{j_n} \cdots = f(S) \qquad (2.10)$$

Here, the term on the right hand side, the product of split fractions along a given path, thus has the interpretation of "conditional frequency" or the split fraction of that path; that is, out of all of the times initiating event I occurs in our thought experiment, f(S) is the fraction of times in which scenario S results.
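Equations (2.8) to (2.10) carried out in code, as an added example that is not part of the report: the four-top-event tree, every split fraction value, and the two dependencies (B degraded when A fails, D unable to work when C fails) are constructed for illustration and are not the Beaver Valley plant model.

```python
"""Scenario frequency from split fractions, Equations (2.8) to (2.10).

Added example, not code from the BVPRA report. The event tree, its top
events A, B, C, D and the split fraction values are constructed; the
dependencies (B degraded when A fails, D cannot work when C fails) are
illustrative assumptions, not the Beaver Valley plant model.
"""
import itertools

SYSTEMS = ["A", "B", "C", "D"]  # top events, left to right across the tree


def failure_fraction(system, upstream):
    """Conditional failure split fraction at node `system`, given the
    outcomes of the systems to its left (dict name -> True if it worked).
    Values are constructed; the conditioning is what makes Equation (2.8)
    read f(B-bar | I A) rather than an unconditional f(B-bar)."""
    if system == "A":
        return 1.0e-2
    if system == "B":
        return 5.0e-3 if upstream["A"] else 0.5   # degraded when A failed
    if system == "C":
        return 2.0e-2
    if system == "D":
        return 1.0e-3 if upstream["C"] else 1.0   # D depends on C
    raise KeyError(system)


def scenario_frequency(phi_i, outcomes):
    """Equations (2.8) and (2.9): phi(S) = phi(I) times the product over
    nodes of the split fraction of the branch the path takes.

    `outcomes` maps each system to True (works, upper branch) or False
    (fails, lower branch). Returns (phi(S), f(S)), where f(S) is the
    conditional frequency of Equation (2.10)."""
    f_s = 1.0
    upstream = {}
    for system in SYSTEMS:
        q = failure_fraction(system, upstream)
        f_s *= (1.0 - q) if outcomes[system] else q
        upstream[system] = outcomes[system]
    return phi_i * f_s, f_s


def parse_scenario(text):
    """Turn a scenario written as in Equation (2.7), e.g. 'I A B- C D-'
    (a trailing '-' marks the failed, overbarred system), into outcomes."""
    tokens = text.split()
    if not tokens or tokens[0] != "I":
        raise ValueError("scenario must start with the initiating event I")
    outcomes = {}
    for tok in tokens[1:]:
        name = tok.rstrip("-")
        if name not in SYSTEMS:
            raise ValueError(f"unknown top event {name!r}")
        outcomes[name] = not tok.endswith("-")
    if set(outcomes) != set(SYSTEMS):
        raise ValueError("every top event needs an outcome")
    return outcomes


def enumerate_tree(phi_i):
    """The truth table the event tree embodies: every success/failure
    combination of the top events, each with its phi(S) and f(S)."""
    rows = []
    for combo in itertools.product([True, False], repeat=len(SYSTEMS)):
        outcomes = dict(zip(SYSTEMS, combo))
        phi_s, f_s = scenario_frequency(phi_i, outcomes)
        rows.append((outcomes, phi_s, f_s))
    return rows


def total_conditional_frequency(phi_i):
    """Sum of f(S) over all paths. The branches at every node partition
    the sequences reaching it, so the total must come back to 1."""
    return sum(f_s for _, _, f_s in enumerate_tree(phi_i))


if __name__ == "__main__":
    PHI_I = 0.1  # constructed initiating event frequency, per year
    s = parse_scenario("I A B- C D-")  # Equation (2.7)
    phi_s, f_s = scenario_frequency(PHI_I, s)
    print(f"phi(S) = {phi_s:.3e} /yr, f(S) = {f_s:.3e}")
    print(f"sum of f(S) over all paths = {total_conditional_frequency(PHI_I):.6f}")
```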
- Quantifying Uncertainties. The event tree computations outlined above must account for a variety of sources of uncertainty that prevent the development of highly accurate estimates of accident sequence frequencies. These sources of uncertainty include the lack or sparsity of data from which to quantify the risk model input parameters (i.e., component failure rates, initiating event frequencies, etc.), plant-to-plant variability in the performance of similar equipment at other plants, modeling uncertainty, equipment behavior in harsh environments, uncertainty in classification of common cause event data, and many other sources. The basic approach to quantifying the effects of these uncertainties on the PRA results is to assign probability distributions across the range of possible values for each uncertain parameter. Those assignments are made with the use of data analysis software that uses Bayesian updating techniques for incorporating operating experience from other plants, expert opinion, and plant-specific data. Next, these probability distributions are propagated progressively through the systems models and event trees, using a Monte Carlo sampling procedure to develop uncertainty distributions for the core damage frequency and other risk factors.
The overall flow of data associated with this process is illustrated in Figure 2.3-9. This figure shows use of the four principal modules of the RISKMAN software program and identifies where point estimates and full distribution results are obtained. It is important to note that when the event trees are quantified and linked together in the Event Tree Analysis module, only point estimates are obtained because of the large number of sequences that are included. These point estimates approximate the mean values of the sequence frequencies because mean values of the split fraction, initiating event, and human error rate distributions are used from the preceding steps of the uncertainty propagation. Although the systems are quantified using point estimates for the purpose of reviewing and screening, these estimates frequently underestimate the means of the system level uncertainty distributions because of the use of the failure rate coupling assumption. Therefore, the event trees are quantified using the means of the system level Monte Carlo results rather than the point estimates. Past experience has shown this to be important for redundant systems. The important sequence model accepts a prioritized set of important sequences for predefined groups of accident sequences from the results of the event tree module. These groups include, for example, one for all core damage sequences, one for each plant damage state or plant damage state group, one for each release category or release category group, one for each initiating event, and others; for each sequence within a group, another Monte Carlo sampling step is used to propagate the split fraction uncertainties to obtain the uncertainties in the overall results.
- Decomposing Risk Contributors. Once all of the event trees have been quantified and the logic for linking the event trees has been implemented, a large database of risk information is provided to produce the necessary numerical results and, more importantly, the engineering insights needed to best manage the risk of the plant. When the PRA is extended to Level 2 or 3, there is a convenient matrix formalism to systematically diagnose the portions of the event sequence model that dominate the results (Reference 2-4). Some basic possibilities are illustrated in Figure 2.3-10. For a Level 1 PRA, a variety of approaches can analyze the results for these important insights. These approaches involve the examination of the risk contributors at four distinct levels of detail:
  - Accident sequences grouped by some common characteristics such as presence of core damage, particular initiating event or event type, particular plant damage state or plant damage state group, or presence of a particular system top event and/or split fraction. This facilitates the evaluation of the importance of specific plant hardware and operator actions in determining core damage frequency and other risk factors.
  - Individual accident sequences ranked according to core damage frequency or frequency of any of the above sequence groups.
  - Contributors to specific system failure modes that are identified with a particular event tree top event and split fraction. Contributors can be progressively decomposed into different initial alignments, groups of cutsets, individual minimal cutsets, and basic events.
  - When a particular database parameter is identified as important (e.g., beta factor or failure rate), the ultimate contributors to these parameters can be analyzed by determining the particular evidence that was incorporated into the database. In most cases, this evidence includes a listing of the events in the database that were classified in support of parameter estimation.
Application of these approaches to risk decomposition is illustrated in Section 3.4.

2.3.4 Summary

A summary of the specific methods employed in each major phase of the Beaver Valley Unit 1 PRA is provided in Table 2.3-3. More details are available in the appropriate report sections.
Table 2.3-1. Scenario List

| Scenario | Frequency | Consequence |
|---|---|---|
| $S_1$ | $\phi_1$ | $x_1$ |
| $S_2$ | $\phi_2$ | $x_2$ |
| ... | ... | ... |
| $S_N$ | $\phi_N$ | $x_N$ |

Table 2.3-2. Scenario List with Cumulative Probability

| Scenario | Frequency | Consequence | Cumulative Frequency |
|---|---|---|---|
| $S_1$ | $\phi_1$ | $x_1$ | $Q_1 = Q_2 + \phi_1$ |
| $S_2$ | $\phi_2$ | $x_2$ | $Q_2 = Q_3 + \phi_2$ |
| ... | ... | ... | ... |
| $S_i$ | $\phi_i$ | $x_i$ | $Q_i = Q_{i+1} + \phi_i$ |
| ... | ... | ... | ... |
| $S_{N-1}$ | $\phi_{N-1}$ | $x_{N-1}$ | $Q_{N-1} = Q_N + \phi_{N-1}$ |
| $S_N$ | $\phi_N$ | $x_N$ | $Q_N = \phi_N$ |
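The cumulation of Table 2.3-2 and the probability-of-frequency family of Figure 2.3-5, computed from the triplets of Equation (2.4), as an added example that is not part of the report: the scenario values are constructed, and the lognormal state-of-knowledge model with its error-factor convention (95th percentile over median) is an assumption rather than the report's own data treatment.

```python
"""Cumulative risk curve (Table 2.3-2) and the probability-of-frequency
family of curves (Figure 2.3-5) computed from a scenario list.

Added example, not code from the BVPRA report. Scenario values are
constructed; the lognormal state-of-knowledge model and the error-factor
convention (EF = 95th percentile / median) are assumptions.
"""
import math
import random

# Constructed scenario list in the form of Table 2.3-1, with the frequency
# phi_i replaced by a state-of-knowledge distribution p_i(phi_i) as in
# Equation (2.4): (scenario, median frequency per year, error factor,
# consequence level x_i). Damage is part of the scenario definition, so
# x_i carries no uncertainty.
SCENARIOS = [
    ("S1", 1.0e-2, 3.0, 1.0),
    ("S2", 3.0e-3, 5.0, 5.0),
    ("S3", 5.0e-4, 10.0, 10.0),
    ("S4", 1.0e-4, 10.0, 20.0),
]


def cumulative_frequency(scenarios):
    """Table 2.3-2: order scenarios by consequence and cumulate the
    frequencies from the bottom, Q_N = phi_N and Q_i = Q_{i+1} + phi_i.

    `scenarios` is a list of (name, phi, x) point-value triplets.
    Returns [(name, x, Q)] ordered by increasing x, where Q is the
    frequency of damage level x or greater (a step function in x).
    """
    ordered = sorted(scenarios, key=lambda s: s[2])
    q = 0.0
    rows = []
    for name, phi, x in reversed(ordered):
        q += phi
        rows.append((name, x, q))
    rows.reverse()
    return rows


def exceedance(scenarios, x):
    """Q(x): frequency with which damage level x or greater occurs,
    i.e. the sum of phi_i over scenarios whose consequence x_i >= x."""
    return sum(phi for _, phi, xi in scenarios if xi >= x)


def sample_frequency(median, error_factor, rng):
    """Draw one phi_i from a lognormal p_i(phi_i). Assumption: the error
    factor is the ratio of the 95th percentile to the median, so the
    log-standard deviation is ln(EF)/1.645."""
    sigma = math.log(error_factor) / 1.645
    return median * math.exp(sigma * rng.gauss(0.0, 1.0))


def risk_curve_family(scenarios, levels, probs, n_samples=2000, seed=1):
    """Figure 2.3-5: embed Q(x) in a space of curves and erect a
    probability distribution over it by Monte Carlo sampling of the phi_i.

    Returns {P: [Q_P(x) for x in levels]}. Q_P(x) is the curve with
    cumulative probability P: we are 100*P percent confident that the
    frequency of damage >= x is not larger than Q_P(x).
    """
    rng = random.Random(seed)
    samples = {x: [] for x in levels}
    for _ in range(n_samples):
        drawn = [(name, sample_frequency(med, ef, rng), x)
                 for name, med, ef, x in scenarios]
        for x in levels:
            samples[x].append(exceedance(drawn, x))
    family = {}
    for p in probs:
        curve = []
        for x in levels:
            ordered = sorted(samples[x])
            # Empirical P-quantile of the sampled Q(x) values.
            idx = min(len(ordered) - 1, int(p * len(ordered)))
            curve.append(ordered[idx])
        family[p] = curve
    return family


if __name__ == "__main__":
    point = [(n, med, x) for n, med, _, x in SCENARIOS]
    for name, x, q in cumulative_frequency(point):
        print(f"{name}: x = {x:5.1f}  Q = {q:.2e} /yr")
    levels = [s[3] for s in SCENARIOS]
    fam = risk_curve_family(SCENARIOS, levels, [0.10, 0.50, 0.90])
    for p, curve in fam.items():
        print(f"P = {p:.2f}: " + "  ".join(f"{q:.2e}" for q in curve))
```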
Table 2.3-3. Specific Methods Employed To Accomplish Major PRA Tasks

| PRA Task | Specific Methods Employed |
|---|---|
| Initiating Event Selection | Master Logic Diagram Method for Similar Plants* |
| | Heat Balance Fault Tree Method for Similar Plants* |
| | FMEA of Major Plant Systems |
| | Internal Flood Analysis |
| | Comparison with Previous PRAs and Generic Lists |
| Accident Sequence Definition | Systems Dependency Matrix Development |
| | Event Sequence Diagram Development |
| | Support Systems Event Tree Development |
| | Frontline Systems Event Tree Development |
| | Plant Damage State Definition and Grouping |
| | Recovery Action Incorporation |
| Systems Analysis and Quantification | System Reliability Block Diagram Development |
| | System Fault Tree Development |
| | System Quantification Model Development |
| | Common Cause Failure Analysis |
| | Database Development |
| | Systems Quantification |
| Accident Sequence Model Quantification | Event Tree Quantification and Linking |
| | Quantification of Operator Actions |
| | Dominant Accident Sequence Model Development |
| | Uncertainty Quantification and Propagation |
| | Sensitivity Analyses |
| | Determination of Principal Contributors to Risk |
| | Issue Resolution |

*These methods were incorporated via lists of initiating events from PRAs on other Westinghouse plants including Diablo Canyon, Seabrook Station, South Texas Project, Indian Point Units 2 and 3, and Zion.
Figure 2.3-1. Definition of Accident Sequences in the BVPRA (figure: Level 1 accident sequence model with initiating events, dependency matrices, support systems event tree, frontline systems event trees, recovery actions, event sequence diagrams and floods, leading to plant response scenarios and plant damage states; Level 2 accident sequence model with the containment event tree, containment response scenarios and release categories; results are accident frequencies and release characteristics).

Figure 2.3-2. Structuring of Scenarios - Relationship of Pinch Points (figure: initiating event, plant model, plant damage state, containment model, release category, site model, final damage).

Figure 2.3-3. Risk Curve (figure).

Figure 2.3-4. Risk Curve in Frequency Format (figure).

Figure 2.3-5. Risk Curve in Probability of Frequency Format (figure).

Figure 2.3-6. Structuring the Scenario List - The Plant Event Tree (figure: event tree diagram with initiating event IE and top events A, B, C, ..., each path ending in a plant damage state).

Figure 2.3-7. Relationship between Plant Event Trees and Systems Analysis (figure: integrated plant level with initiating events, systems and plant state; system/subsystem level (logic); component level (failure modes); cause level with the causes of S1, the causes of S2, and the causes common to S1 and S2; data level with experience on the frequency of causes, generic information E1, population data E2 and plant specific data E3, prior and posterior).

Figure 2.3-8. Simplified Plant Event Tree Diagram (figure: initiating event I and top events A, B, C, D; the darkened path is $S = I A \bar{B} C \bar{D}$ with $\phi(S) = \phi(I)\, f(A \mid I)\, f(\bar{B} \mid IA)\, f(C \mid IA\bar{B})\, f(\bar{D} \mid IA\bar{B}C)$).

Figure 2.3-9. PRA Quantification Flow Chart (figure: the data analysis, systems analysis, event tree analysis and important sequence model modules of RISKMAN; the legend distinguishes point estimates, mean values, and probability distributions used to quantify uncertainties).

Figure 2.3-10. Risk Decomposition (Anatomy of Risk) (figure: panels for event sequence, system unavailability, failure causes, and input data (initiating events, components, maintenance, human error, common cause); initiating event, type of plant damage, level of damage and type of release; core damage frequency by plant damage state; dominant sequences and dominant failure modes).
2.4 INFORMATION ASSEMBLY

2.4.1 Plant Layout and Containment Building Information

Plant layout information is found in the Updated Final Safety Analysis Report (UFSAR), Section 1.2. UFSAR Figures 1.2-1 and 1.2-2 show the site plan and station arrangement, respectively. Information on the containment building is found in the UFSAR and Section 4 of this report. Tables 4-1 and 4-2 of this report provide an extensive comparison of Surry Unit 1 and Beaver Valley 1 containment designs.

2.4.2 Review of Other PRAs and Insights

The PRA Team has reviewed the Surry PRA in NUREG-1150 (Reference 2-8) and supporting documents, as the Surry design is very similar to that of Beaver Valley. Other PRAs reviewed by the PRA Team include Zion, Indian Point, and Millstone. PLG has also performed about 30 major PRA projects, many of which are Westinghouse PWR plants with large, dry containments, and has reviewed numerous PRAs of different scopes. Insights derived from review of these PRAs have been applied to the Beaver Valley Unit 1 PRA. Insights include the use of plant specific failure rate data, methods, the addition of failure modes for various equipment, and determination of success criteria.

2.4.3 Plant Documentation

The PRA is based primarily on the plant-specific information that is contained in the documents identified in Table 2.4-1. Exceptions include generic issues such as RCP seal LOCA information and the PLG generic PRA database. Results are based on generic nuclear plant and component data collected and analyzed by PLG in a generic database (Reference 2-7) updated with Beaver Valley Unit 1 plant-specific data. Specific references to actual diagrams, calculations, procedures, etc., that have been used are found in the system analysis writeups and design basis documents. The Beaver Valley Configuration Management Program ensures that the PRA represents the as-built, as-operated plant.
Plant modifications and procedure changes were screened for incorporation in the model. Certain members of the PRA Team are also responsible for 10 CFR 50.59 safety evaluations, which keeps them abreast of changes.

2.4.4 Walk-Through Activities

The DLC PRA team is located at the plant and is involved with plant walk-throughs and inspections almost continuously. The following describes the PRA team walk-throughs on Unit 1, including scope and team makeup:

Walk-Through: November 1988 (1 day)
Scope: Plant Familiarization Tour
Team Makeup: DLC PRA Team Leader; DLC Operator (SRO); DLC PRA Team Engineer; PLG Principal Investigator; PLG Lead System Analyst; PLG System Analyst

Walk-Through: July 1989 (2 days)
Scope: Internal Flood Analysis Walk-Through
Team Makeup: DLC Operator (SRO); DLC PRA Team Leader; DLC PRA Team Engineer; PLG Principal Investigator; PLG Flood Task Leader

Walk-Through: August 1989 (1/2 day)
Scope: Internal Flood Analysis Follow-up
Team Makeup: DLC PRA Team Leader; PLG Flood Task Leader

Walk-Through: March 1989 (1/2 day)
Scope: Containment Walk-Through for Unit 2 Back-End Analysis
Team Makeup: DLC PRA Team Leader; DLC PRA Engineer (Plant Model); DLC PRA Engineer (Back-End); S&W Civil/Structural Engineer; PLG Level 2 Task Leader

Walk-Through: September 1989 (1/2 day)
Scope: Containment Walk-Through for Unit 1 Back-End Analysis
Team Makeup: DLC PRA Team Leader; DLC PRA Engineer (Plant Model); DLC PRA Engineer (Back-End); PLG Independent Reviewer for Level 2 Analysis on Unit 1
Table 2.4-1. Beaver Valley Unit 1 Specific Information Sources

Final Safety Analysis Report
Fire Hazards Analysis Report
Design Basis Documents
Piping and Instrumentation Diagrams
Electric One Line Diagrams
Logic Diagrams
Elementary Diagrams
Plant Operating Procedures
Plant Surveillance Procedures
Operating Manual
Emergency Operating Procedures
Off Normal Operating Procedures
Operating Crew Surveys
Equipment Qualification Reports
Plant Walk-Throughs
2.5 REFERENCES
2-1. American Nuclear Society and Institute of Electrical and Electronics Engineers, "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," sponsored by the U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, NUREG/CR-2300, April 1983.
2-2. Pickard, Lowe and Garrick, Inc., "Quality Assurance Program," PLG-0223, March 1985.
2-3. Reference to 60-Day Letter.
2-4. Kaplan, S., G. Apostolakis, B. J. Garrick, D. C. Bley, and K. Woodard, "Methodology for Probabilistic Risk Assessment of Nuclear Power Plants," PLG-0209, June 1981.
2-5. Fleming, K. N., A. Mosleh, and A. P. Kelley, Jr., "On the Analysis of Dependent Failures in Risk Assessment and Reliability Evaluation," Nuclear Safety, September-October 1983.
2-6. Mosleh, A., et al., "Procedures for Treating Common Cause Failure in Safety and Reliability Studies," prepared for the U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, Pickard, Lowe and Garrick, Inc., NUREG/CR-4780, EPRI NP-5613, October 1988.
2-7. Pickard, Lowe and Garrick, Inc., "Seabrook Station Probabilistic Safety Assessment," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG-0300, December 1983.
2-8. U.S. Nuclear Regulatory Commission, "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, Summary Report," second draft for peer review, NUREG-1150, June 1989.
3 FRONT END ANALYSIS

3.1 ACCIDENT SEQUENCE DELINEATION

This section describes the accident sequence models that were developed for the front end analysis. The accident sequence models are used to combine the results of the systems analysis in order to perform the front end sequence quantification, as described in Section 3.3. This section describes the selected initiating event categories, the response of each system needed to mitigate each initiator, and the assignment of end states to each accident sequence.

The purpose of the plant model is to define a set of potential accident scenarios that could result in core damage. Accident scenarios are defined by evaluating the plant response to an initiating event. An initiating event is any event that initiates a plant transient condition or otherwise perturbs the normal operation of the plant and which, together with the associated failures evaluated in the plant model, results in a sequence of events that may involve undesirable consequences such as the release of radioactive material. "Plant response" refers to the progression of a wide spectrum of possible event sequences based on the success or failure combinations of certain plant systems/equipment and human operator actions that could either prevent core damage or mitigate the accident consequences should core damage occur.

The plant model therefore consists of scenarios that begin with initiating events and end with either stable plant conditions or states of core damage. "Stable plant condition" means that the plant is in either a stable hot shutdown or a cold shutdown condition 24 hours after the initiating event has occurred, with core decay heat being safely rejected or removed.

The first objective of plant modeling is to construct a set of accident scenarios that begins with initiating events and ends with successful termination or with states of core damage categorized into plant damage states (PDS). The second key objective of the plant model is to quantify the likelihood and associated uncertainties of these accident scenarios. To accomplish these two objectives, it is first necessary to identify a sufficiently complete and well-defined set of initiating events to characterize the risk levels at Beaver Valley Unit 1. The identification of initiating events for the plant model is performed using two methods: review of initiating event lists from other studies, and a failure modes and effects analysis (FMEA) of plant systems and components. Section 3.1.1 describes in detail the process followed in the selection of initiating events for Beaver Valley Unit 1.

After the initiating events are determined, the next step is to identify the equipment items or systems that are required to operate and the operator actions that are necessary to successfully mitigate the event. It is essential to have an intimate understanding and detailed analysis of all plant systems and operator actions that influence the unfolding of accident sequences. The model for all possible event sequences after an initiating event is made up of two parts: the support systems model and the frontline systems model.
Support systems are those plant systems that do not directly perform the plant mitigating functions in response to a plant transient; instead, they provide the motive and control power, cooling water, and actuation signals needed for the frontline systems to perform the plant mitigating functions. An example of such a support system is the electric power system; the auxiliary feedwater system is an example of a frontline system. At the heart of these models are dependency tables that show how a failure of each support system (major electric power bus or vital instrument bus) affects equipment in other support systems, and how a failure of support system equipment affects frontline system trains or equipment. Information from the dependency tables is used to construct the support system model. Section 3.1.5 describes the process through which the support system model is constructed. The intersystem dependency tables are presented in Section 3.2.3.

The unfolding of event sequences involving the frontline systems after each initiating event is developed with the aid of event sequence diagrams (ESD). ESDs are logic diagrams that display the analysts' understanding and assumptions about the physical development of accident scenarios and the key interactions that ensue between system responses and operator actions. The ESDs are composed of various event and explanatory blocks, and are useful in describing the various sequence paths in a more general and easily understood manner than event trees. The ESDs for Beaver Valley Unit 1 are presented in Section 3.1.2. The events in the ESDs are keyed to the steps in the emergency operating procedures to facilitate review and to ensure proper consideration of the specified operator actions. Since they do not easily lend themselves to direct quantification, the ESDs are converted into equivalent event tree models for sequence quantification. Because more emphasis is placed on the ESDs in the development of the underlying accident sequence logic, the event trees themselves become less useful for this purpose and more of a computational tool. Sections 3.1.3 and 3.1.4 provide a detailed description of the frontline event sequence models for the initiating events considered in the plant model analysis.

A great number of possible scenarios must be specified in the plant model, each beginning with an initiating event and ending with a PDS. The PDSs define the categories of core damage sequences to be considered in the back end analysis; e.g., whether, in addition to core damage, the containment isolates successfully.
The PDSs defined for Beaver Valley Unit 1 are summarized in Section 3.1.6. Their development is discussed in Section 4.3. It is important to note that in this study, all active containment systems are included in the plant event trees and in the definition of plant damage states. This ensures proper treatment of mutual dependencies between core cooling, containment, and their support systems.

To quantify the frequency of each accident sequence defined by the plant model, system-specific logic models are developed for each mitigating system. The system model developments are presented in Section 3.2. The data used to quantify the system models are presented in Sections 3.3.1 through 3.3.4. The human failure analysis is provided in Section 3.3.3. The subsequent system quantifications are presented in Section 3.3.5. These system results are then used to quantify the plant event tree models. The proper assignment of system quantification results to each node in the support and frontline event tree models, as a function of initiating event, is performed first. Once the support system event tree model and the frontline system event tree model for each selected initiating event have been set up, RISKMAN (Reference 3.1-1) links the two models and performs the necessary calculations to give the frequency of each complete accident sequence. The assignment of system quantification results to each node in the support and frontline event tree models is presented in Section 3.3.7 and Appendix D.

Operator recovery actions that can be applied to a specific accident sequence or group of sequences are described in Section 3.3.3 and Appendix B. Recovery models were constructed based on the results of a preliminary quantification. These recovery models include a new event tree in which recovery actions were explicitly modeled, updating the system unavailabilities to incorporate operator actions into recovering a failed system(s), and updating the existing event tree structure to allow for the modeling of operator recovery actions.
Analysis of the Beaver Valley Unit 1 internal flooding potential and its impact on the plant model is presented in Section 3.3.8. HVAC system failure impacts are presented in Section 3.3.9. Finally, the results of the sequence quantification activity, including a comparison with the individual plant examination screening criteria, are provided in Section 3.4. Figure 3.1-1 shows the various modules involved in the plant model analysis. Only those accident sequences resulting in core damage are considered in the back end, or Level 2, analysis.

References

3.1-1. Pickard, Lowe and Garrick, Inc., "RISKMAN PRA Workstation Software, Overview," Release 3.06, 1992.
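The linking of a support system event tree to a frontline event tree through a dependency table, described above, is easiest to see on a small case. The following is an added worked example written for this edition; it is not code from the Beaver Valley PRA and not the RISKMAN software. The initiating event frequency, the support and train unavailabilities, the dependency table, and the two-function frontline tree are all constructed hypothetical values, and the plant damage states are reduced to "containment isolated" versus "not isolated". The example also evaluates the same frontline tree with the support state ignored, to show the size of the error the dependency table exists to prevent.

```python
"""Support/frontline event tree linking with a dependency table.

Added worked example; not code from the Beaver Valley PRA or RISKMAN.
Every frequency, unavailability and dependency below is a constructed,
hypothetical value chosen to make the arithmetic visible.
"""
from itertools import product

# Constructed initiating event frequency (per reactor-year): a loss of
# offsite power that leaves the plant on its two emergency AC trains.
INITIATOR_FREQ = 5.0e-2

# Support-system event tree top events and their failure probabilities.
SUPPORT_TOP_EVENTS = {"AC_ORANGE": 2.0e-2, "AC_PURPLE": 2.0e-2}

# Dependency table: the support systems each frontline train needs. A train
# whose support system has failed is unavailable with probability 1.
DEPENDENCY = {
    "AFW_A": ("AC_ORANGE",), "AFW_B": ("AC_PURPLE",),
    "HHSI_A": ("AC_ORANGE",), "HHSI_B": ("AC_PURPLE",),
    "CI": (),  # containment isolation, hypothetically independent of AC
}

# Random (hardware plus human) unavailability of each train given that its
# support systems are available.
TRAIN_UNAVAIL = {"AFW_A": 1e-2, "AFW_B": 1e-2,
                 "HHSI_A": 5e-3, "HHSI_B": 5e-3, "CI": 1e-3}

# Simplified frontline event tree: core damage requires every mitigating
# function to fail, and a function fails only if all of its trains fail.
MITIGATING_FUNCTIONS = {"AFW": ("AFW_A", "AFW_B"), "HHSI": ("HHSI_A", "HHSI_B")}


def train_unavailability(train, failed_supports):
    """Conditional unavailability of one train given the support-system state."""
    if any(s in failed_supports for s in DEPENDENCY[train]):
        return 1.0
    return TRAIN_UNAVAIL[train]


def function_failure(trains, failed_supports):
    """All trains of a function fail (independent given the support state)."""
    p = 1.0
    for t in trains:
        p *= train_unavailability(t, failed_supports)
    return p


def support_states():
    """Enumerate every support-system event tree end state with its probability."""
    names = list(SUPPORT_TOP_EVENTS)
    for outcome in product((False, True), repeat=len(names)):
        prob, failed = 1.0, set()
        for name, fails in zip(names, outcome):
            prob *= SUPPORT_TOP_EVENTS[name] if fails else 1.0 - SUPPORT_TOP_EVENTS[name]
            if fails:
                failed.add(name)
        yield frozenset(failed), prob


def quantify(link_support=True):
    """Link the support and frontline trees; return core damage frequency by PDS.

    link_support=False evaluates the frontline tree as if every train were
    independent of the support state, i.e. without the dependency table.
    """
    pds = {"CD_ISOLATED": 0.0, "CD_NOT_ISOLATED": 0.0}
    for failed, p_state in support_states():
        eff_failed = failed if link_support else frozenset()
        p_cd = 1.0
        for trains in MITIGATING_FUNCTIONS.values():
            p_cd *= function_failure(trains, eff_failed)
        q_ci = train_unavailability("CI", eff_failed)
        seq = INITIATOR_FREQ * p_state * p_cd
        pds["CD_ISOLATED"] += seq * (1.0 - q_ci)
        pds["CD_NOT_ISOLATED"] += seq * q_ci
    return pds


def core_damage_frequency(link_support=True):
    """Total core damage frequency summed over the plant damage states."""
    return sum(quantify(link_support).values())


if __name__ == "__main__":
    linked = core_damage_frequency()
    unlinked = core_damage_frequency(link_support=False)
    print(f"CDF with dependency table:        {linked:.3e} per year")
    print(f"CDF ignoring support dependencies: {unlinked:.3e} per year")
    print(f"underestimate factor: {linked / unlinked:.0f}")
```

With these constructed numbers almost the entire core damage frequency comes from the support state in which both AC trains fail, because that single state removes both trains of both mitigating functions at once; treating the trains as independent of their power supplies understates the result by roughly five orders of magnitude. That is the reason the page insists on building the dependency tables first and letting the support state condition every frontline split fraction.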
Figure 3.1-1. Beaver Valley Unit 1 Plant Event Tree Model [figure not reproduced; it shows the support systems event tree feeding the transient, small LOCA, medium LOCA, large LOCA, SGTR, ATWS and interfacing LOCA event trees, followed by the recovery event trees]
3.1.1 Initiating Events

This section presents the initiating event categories selected for quantification in the Beaver Valley Unit 1 Probabilistic Risk Assessment (PRA) model. The three main objectives of the selection of initiating events are as follows:

- To provide adequate completeness, so that all possible events are accounted for.
- To account for unique plant design and operational features.
- To provide a way to categorize the events in all of the unique ways that the event may impact the rest of the plant.
This process of grouping initiating events by similarity of plant response is common to all PRA models, and helps to limit the number of plant event sequence models to be developed. It is necessary and practical to analyze only those initiating events that make appreciable contributions to risk. Given knowledge of the approximate frequency of the initiating events and the relative impact of these events on plant systems, it is possible and desirable to group and screen initiating events to simplify the quantification of risk without introducing significant errors in the risk estimate.

The list of initiating event categories selected for consideration in the Beaver Valley Unit 1 PRA is presented in Table 3.1.1-1. Each initiating event category identified in this table should lead to a plant trip; i.e., either a reactor trip or a turbine trip condition. Events that lead only to a requirement for an orderly, controlled shutdown are not considered. This is because during a normal, controlled shutdown the plant is near equilibrium, shutdown proceeds at a controlled rate, and standby systems are started before they are needed. If such systems fail, most of the normal systems are available to maintain operation, the allowed response and recovery times are much greater, and, since the reactor is already tripped, the number of safety functions that must be performed to provide sufficient core cooling is reduced. Therefore, normal, controlled shutdown and startup are not considered as initiating events for quantification and are not believed to be significant contributors to risk.

Failure of the reactor to trip automatically [i.e., anticipated transient without scram (ATWS)] is considered in the PRA models in the course of developing plant response scenarios. Therefore, ATWS events are not defined as a separate initiating event category. So-called external events such as internal plant fires, earthquakes, and severe weather conditions are not included in the current list of initiating event categories. With the exception of internal floods, such events need not be analyzed for the initial IPE submittals.

The initiating event categories listed in Table 3.1.1-1 are identified using several approaches; i.e., a comparison with previous lists, a failure modes and effects analysis (FMEA) of plant systems, a review of Beaver Valley specific plant system and trip summaries, and a review of the Final Safety Analysis Report. A very effective approach in identifying initiating event categories and in ensuring completeness is to compare similar lists prepared for other Westinghouse reactors. Numerous lists are available and were considered during the preparation of the initiating event category list for Beaver Valley Unit 1. In particular, the lists included those prepared for the Beaver Valley Unit 2 PRA (Reference 3.1.1-1), the Diablo Canyon PRA (Reference 3.1.1-2), and the South Texas Project PRA (Reference 3.1.1-3), and the recent core damage frequency
analysis from internal events performed for Surry Unit 1; i.e., NUREG/CR-4550, Volume 3 (Reference 3.1.1-4). The Diablo Canyon and South Texas Project PRAs are of particular use since they include a formal application of the master logic diagram and heat balance fault tree techniques to search for key initiating events in a further attempt to ensure completeness. In addition, these lists of events were compared against other published sources, including the EPRI NP-2230 report (Reference 3.1.1-5), WASH-1400 (Reference 3.1.1-6), and NUREG/CR-4674 (Reference 3.1.1-7).

The initiating event categories selected for Beaver Valley Unit 1 and presented in Table 3.1.1-1 fall into three broad groups: losses of reactor coolant inventory, transients, and common cause initiating events. Internal floods are considered to be a subgroup of common cause initiating events. The list of transient initiating event categories prepared for Beaver Valley Unit 1 closely parallels the lists developed for Beaver Valley Unit 2, South Texas Project, and Diablo Canyon, in that the list of event categories is more detailed than the list prepared for the analysis of Surry Unit 1; i.e., the transient categories, with and without main feedwater (MFW) available, have been further subdivided for a more accurate treatment of the plant response to each subcategory. The loss of coolant inventory initiating event categories are the same as those quantified in earlier studies. Included in this group are the interfacing system loss of coolant accident (ISLOCA) events and steam generator tube rupture (SGTR) events, each of which may lead to release paths that bypass the containment. For the IPE program, therefore, these initiators receive special consideration.

The common cause initiating event group considers support system faults. The support system faults of interest were identified by an FMEA of all key plant support systems. This analysis is documented in Table 3.1.1-2. Heating, ventilating, and air conditioning (HVAC) systems are given special consideration in Section 3.3.9. The analysis makes use of information in the intersystem dependency tables presented in Section 3.2.3. Support system faults are of special interest for PRA quantification because they are very plant specific and because they not only cause a plant trip but also degrade the systems designed to mitigate such events. As such, they have often been found to be important risk contributors. The support system faults listed in Table 3.1.1-1 provide thorough coverage of electrical and other support system faults. Losses of single vital instrument buses have occurred at Beaver Valley in the past. However, since these failures, the Unit 1 system has been redesigned to provide a backup automatic switchover to a redundant power source. Therefore, these events are included based on historical precedent, but the frequency of such failures has been reduced to reflect the improved current system design.

Although the list of initiating event categories for Beaver Valley Unit 1 is more detailed than that developed for Surry in NUREG/CR-4550, two of the thirteen initiating event categories considered in the Surry analysis were not considered for Beaver Valley Unit 1. Because of the similarity in the nuclear steam supply system and containment design between Surry and Beaver Valley Unit 1, the reasons for these differences are summarized below.

Losses of charging pump cooling at Beaver Valley Unit 1 are much lower in frequency than those at Surry because charging pump cooling is supplied to all three charging pumps from both river water headers. No strainers, which might be susceptible to plugging as at Surry, are associated with the charging pump coolers at Beaver Valley Unit 1; instead, the strainers are associated with the river water system itself. Loss of both river water system headers is considered, however, as an initiating event for Beaver Valley Unit 1.

Finally, an initiating event category for very small loss of coolant accidents (i.e., less than 1/2-inch equivalent diameter) was considered for Surry but not for Beaver Valley Unit 1. Instead, such events are assumed to be within the makeup capacity of the normal charging system and therefore would not lead to an immediate plant trip. Such events that have in fact led to an automatic plant trip are conservatively included in the frequency of the isolable or nonisolable small LOCA initiating event categories, whose frequencies are computed directly from data.

Some of the initiators listed (AOX or BPX) do not, by themselves, cause a plant trip, but are modeled because together with other failures they may lead to a plant trip (e.g., if standby equipment must start in order to prevent a plant trip).

Initiating event frequencies were developed based on available data from other nuclear power plants and on plant specific analysis of unique Beaver Valley Unit 1 systems. The Beaver Valley Unit 1 plant specific initiating event frequency distributions are presented in Section 3.3.2.5.

References

3.1.1-1. Pickard, Lowe and Garrick, Inc., "Beaver Valley Unit 2 Probabilistic Risk Assessment, Summary Report," prepared for Duquesne Light Company, PLG-0730, Volume 1, October 1989.
3.1.1-2. Pacific Gas and Electric Company, "Documentation of Long Term Seismic Program Probabilistic Risk Assessment," DCL-88-260, October 28, 1988.
3.1.1-3. Pickard, Lowe and Garrick, Inc., "South Texas Project Probabilistic Safety Assessment, Summary Report," prepared for Houston Lighting & Power Company, PLG-0700, Volume 1, April 1989.
3.1.1-4. Bertucio, Robert C., et al., "Analysis of Core Damage Frequency from Internal Events: Surry, Unit 1," prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-4550, Volume 3, November 1986.
3.1.1-5. Electric Power Research Institute, Inc., "ATWS: A Reappraisal, Part III, Frequency of Anticipated Transients," EPRI NP-2230, 1982.
3.1.1-6. U.S. Nuclear Regulatory Commission, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Nuclear Power Plants," WASH-1400, NUREG-75/014, 1975.
3.1.1-7. Oak Ridge National Laboratory, "Precursors to Potential Severe Core Damage Accidents," 1984 and 1987 Status Reports, prepared for U.S. Nuclear Regulatory Commission, NUREG/CR-4674, ORNL/NOAC-232, Volumes 3, 4 (May 1987) and 7, 8 (July 1989).
Table 3.1.1-1. List of Initiating Event Categories Selected for Beaver Valley Unit 1

Group: Loss of Coolant Inventory
1. Excessive LOCA (reactor vessel failure, not coolable by ECCS)                    ELOCA
2. Large LOCA (>6-inch diameter up to design bases)                                 LLOCA
3. Medium LOCA (2 to 6-inch diameter)                                               MLOCA
4. Small LOCA, Nonisolable (1/2 to 2-inch diameter)                                 SLOCN
5. Small LOCA, Isolable (PORV train leakage) (1/2 to 2-inch diameter)               SLOCI
6. Interfacing System LOCA                                                          VSX
7. Steam Generator Tube Rupture                                                     SGTR

Group: Transients
8. Reactor Trip                                                                     RT
9. Turbine Trip                                                                     TT
10. Loss of Condenser Vacuum                                                        LCV
11. Closure of All Main Steam Isolation Valves (MSIV)                               AMSIV
12. Steam Line Break Upstream of MSIVs
    a. Steam Line Break in One Steam Generator                                      SLB1
    b. Main Steam Relief or Safety Valve Opening                                    MSV
    c. Steam Line Break in Common Residual Heat Removal (RHR) Valve Line            SLBC
13. Steam Line Break Downstream of MSIVs                                            SLBD
14. Inadvertent Safety Injection                                                    ISI
15. Miscellaneous Transients
    a. Total Main Feedwater or Condensate Loss (includes feedwater line break
       or condensate failure)                                                       TLMFW
    b. Partial Main Feedwater Loss (one loop)                                       PLMFW
    c. Excessive Feedwater                                                          EXFW
    d. Closure of One Main Steam Isolation Valve                                    1MSIV
    e. Core Power Excursion                                                         CPEXC
    f. Total Loss of Primary Flow (one or more loops)                               LPRF

Group: Common Cause Initiating Events, Support System Faults
16. Loss of Offsite Power                                                           LOSP
17. Loss of One 125V DC Emergency Bus
    a. 125V DC Bus 1-1, Orange                                                      DOX
    b. 125V DC Bus 1-2, Purple                                                      DPX
18. Loss of River Water and Auxiliary River Water Headers                           WCX
19. Total Loss of Reactor Plant Component Cooling Water                             CCX
20. Loss of One Vital Instrument Bus
    a. Loss of Red Vital Bus                                                        IRX
    b. Loss of White Vital Bus                                                      IWX
    c. Loss of Blue Vital Bus                                                       IBX
    d. Loss of Yellow Vital Bus                                                     IYX
21. Loss of One 4.16-kV Emergency Bus
    a. Loss of 4.16-kV 1AE, Orange Emergency Bus                                    AOX
    b. Loss of 4.16-kV 1DF, Purple Emergency Bus                                    BPX
22. Loss of Station Instrument Air                                                  IAX
23. Loss of Containment Instrument Air                                              ICX
24. Loss of Emergency Switchgear Ventilation System                                 BVX

Group: Internal Floods
25. Intake Structure Internal Flood                                                 ISFL
26. Turbine Building Internal Flood                                                 TBFL
27. Primary Auxiliary Building (PAB) Internal Floods
    a. PAB Elevation 735'                                                           PABF1
    b. PABF1 for 15 - 30 minutes                                                    PABF2
    c. PAB Elevation 722'                                                           PABF3
    d. PABF3 for 15 - 30 minutes                                                    PABF4
    e. PABF3 for 30 - 60 minutes                                                    PABF5
28. Control Room HVAC Equipment Room Internal Flood                                 CRFL
29. West Cable Vault Internal Flood                                                 CVFL
Table 3.1.1-2. Failure Modes and Effects Analysis of Beaver Valley Unit 1 Key Systems and Components

Columns: System/Subsystem | Impact on Safety System(s) or Key Plant Equipment | Initiating Event Designator | Comment

Offsite Grid, 345-kV Line | Turbine Trip; Reactor Coolant Pumps (RCP); Main Feedwater (MFW); Condensate; Turbine Plant Component Cooling Water | 9/TT | Results in a turbine/generator trip, but the equipment listed is repowered when fast transfer to the 138-kV line is completed.

Offsite Grid, 138-kV Line | None | N/A | Does not cause a plant trip.

Offsite Grid, Both 345-kV and 138-kV Lines | RCPs; MFW; Condensate; Turbine Plant Component Cooling Water | 16/LOSP | Results in a plant trip. Equipment listed is unavailable. Equipment normally operating and powered from emergency buses must restart.

Non-Emergency AC: Unit Station Service Transformers; 4.16-kV Buses 1A, 1B, 1C, or 1D; 480V Buses 1A, 1B, 1C, 1D, 1E, 1F, 1G, 1H, 1J, or 1K | Subset of equipment impacted by loss of both 345-kV and 138-kV lines | 16/LOSP | Loss of these electric power subsystems is bounded by the loss of offsite power event for both frequency of occurrence and impact.

Emergency AC: 4.16-kV Bus 1AE (O); 480V Bus 1N or 1N1 (O) | Numerous systems, including HHSI, LHSI, CCR, RSS, RHR, QSS, AFW, IAC, RWS | 21a/AOX | Loss of a single bus may require the opposite train of a normally operating system to start (e.g., CCR, charging) and is therefore conservatively modeled as an initiating event. Failure of either the 4.16-kV bus or the 480V bus of either emergency AC train is modeled as a failure of that train.

Emergency AC: 4.16-kV Bus 1DF (P); 480V Bus 1P or 1P1 (P) | Same as above | 21b/BPX | Same as above.

125V DC Emergency Bus 1-1 (O) | DC control power to orange loads: PORVs 455D and 456; MSIVs; Letdown; IAC; RCPs; MFW; Atmospheric Steam Dump Valve PCV-1MS-101A | 17a/DOX | Feedwater isolation (main feed regulating valves close).

125V DC Emergency Bus 1-2 (P) | DC control power to purple loads: MSIVs; PORV 455C; MFW; Letdown; IAC; RCPs; Atmospheric Steam Dump Valves PCV-1MS-101B and C | 17b/DPX | Loss of this bus is similar to that of orange.

125V DC Emergency Bus 1-3 (O) | Auxiliary Feedwater Pump FW-P-3A | N/A | Loss of bus will result in a failure to start the auxiliary feedwater pump. Potential for causing a plant trip is not identified.

125V DC Emergency Bus 1-4 (P) | Auxiliary Feedwater Pump FW-P-3B | N/A | Loss of bus is similar to 1-3.

120V Vital AC Bus, Red (I) | Residual Heat Release Valve; SSPS Train A; CCR; RWS; Atmospheric Dump Valves; Condenser Dump Valves; Letdown | 20a/IRX | A single failure of vital bus I (red) or II (white) will cause a demand on operators to manually control the plant, which is expected to result in a plant trip. Failure of both vital buses I and II will result in a reactor trip.

120V Vital AC Bus, White (II) | SSPS Train B; CCR; RWS; Condenser Dump Valves; Letdown; RHR | 20b/IWX | Loss of this bus is similar to that of red.

120V Vital AC Bus, Blue (III) | MFW; Condenser Dump Valves; Letdown; RHR | 20c/IBX | Plant trip caused by excessive MFW when control valves fail open.

120V Vital AC Bus, Yellow (IV) | MFW; Letdown; Condenser Dump Valves | 20d/IYX | Loss of this bus is similar to that of blue.

SSPS | HHSI; LHSI; QSS; Reactor Trip; Turbine Trip; Containment Isolation; RSS; AFW; and many others | 14/ISI (spurious actuation); N/A (loss of one train) | The spurious signal of most interest causes an inadvertent safety injection. Spurious actuation of individual systems is also possible. Loss of one train will lead to an orderly plant shutdown, as required by technical specifications.

Station Instrument Air | CCR; IAC; RCPs; Atmospheric Steam Dump Valves; MFW; MSIVs; Condenser Dump Valves; Containment Isolation | 22/IAX | MSIVs, MFW control, and condenser dump valves fail closed. Loss of backup to containment instrument air. Event impact similar to loss of both main feedwater and CCR.

Containment Instrument Air | CCR; Containment Isolation; RCPs; PORVs; Pressurizer Spray Valves | 23/ICX | CCR isolation valves for RCP thermal barrier and lube oil cooling fail closed. RCP seal injection is still available, but RCPs must be tripped. Event impact similar to loss of CCR but also affects the other listed equipment.

River Water, One Header | CCR; Diesel Generators; AFW; HHSI | N/A | Loss of one header will not cause a plant trip since all loads can be supplied by the other header during normal operation. Only one header is used as a backup supply of water for AFW.

River Water, Both Headers | Same as above | 18/WCX | Failure of both river water headers causes CCR failure, resulting in RCPs being tripped. Loss of both is less frequent but affects both trains of supported systems.

Reactor Plant Component Cooling Water | RCPs; RHR | 19/CCX | RCPs are tripped to prevent overheating. RCP seal injection is required to protect the seals. Loss of CCR flow to one header is conservatively modeled as loss of flow to both.

Reactor Trip Breakers | Turbine Trip; MFW | 8/RT | Spurious opening will result in a reactor trip.

ERF (Black) Diesel Generator | None | N/A | Only impacts supported systems if there is a concurrent loss of offsite power.

Turbine Plant Component Cooling Water | MFW; BAS; Condensate | 15a/TLMFW | MFW fails and station instrument air must be aligned to filtered water. Event impact similar to loss of main feedwater and of lower frequency.

Emergency Switchgear Ventilation | Emergency Switchgear | 24/BVX | Failure of emergency switchgear ventilation causes a station blackout.

Reactor Coolant Pumps, Loss of All RCPs | Pressurizer Spray | 15f/LPRF | Low RCS flow reactor trip signal. Normal pressurizer spray unavailable.

Reactor Coolant Pumps, Trip of One RCP | None | 8/RT | Causes a plant trip on low RCS flow. Pressurizer spray still available.
Table 3.1.1-2. Failure Modes and Effects Analysis of Beaver Valley Unit 1 Key Systems and Components (continued)

System/Subsystem | Category/Code Designator | Impact on Safety System(s) or Key Plant Equipment | Comment
---|---|---|---
Residual Heat Release Valve | 12/SLBC | - | Spurious opening or break in common steam line outside containment: small steam line break, which depressurizes all three steam generators.
Pressurizer Spray Valves | 8/RT | - | Spurious opening or closing: excessive or insufficient spray may lead to reactor trip on low or high pressurizer pressure.
Auxiliary Feedwater | N/A | - | Inadvertent startup discussed with SSPS.
High Head Safety Injection | N/A | - | Inadvertent safety injection discussed with SSPS.
Low Head Safety Injection | N/A | - | Potential for causing plant trip not identified.
Quench Spray | 8/RT | - | Spraying down of containment expected to result in reactor trip by operators, or electrical equipment failures.
Recirculation Spray | N/A | - | Potential for causing plant trip not identified.
Residual Heat Removal | N/A | - | Potential for causing plant trip not identified.
Containment Isolation | N/A | - | Potential for causing plant trip not identified. Spurious actuation is covered by SSPS and the systems that penetrate the containment.
High Head Safety Injection/Charging | N/A | - | Spurious operation considered with SSPS. Loss of charging flow would result in letdown isolation on low pressurizer level.
Letdown | 14/... | - | Break in letdown line outside containment. Letdown isolates on safety injection signal caused by low pressurizer pressure. Therefore, net result is a safety injection actuation without a LOCA.
Beaver Valley Power Station Unit 1 Revision 0 Probabilistic Risk Assessment

3.1.2 Event Sequence Diagrams and Success Criteria

Event sequence diagrams (ESD) are used to document the possible scenarios and courses of action that can be taken by the operators after a specified initiating event has occurred. Such actions include the plant hardware response and the steps taken by the operators. The ESDs document the probabilistic risk assessment (PRA) team's understanding of how the plant functions and how it is operated. Analysis of ESDs is the first step towards the development of event trees that will subsequently be used to quantify the frequency of all modeled accident sequences.

Although ESDs are easily understood and are useful tools for documenting required plant system and operator actions after an initiating event has occurred, they do not lend themselves directly to accident sequence quantification. A necessary next step therefore is to convert the ESD into an event tree for the purpose of quantification of event or accident sequences. The event tree represents the transformation of the qualitative details contained in the ESD into a functional logic framework for quantification. Specific actions identified in the ESD are grouped into top events for the corresponding event tree. For each top event, the system boundary, boundary conditions, and success criteria are defined for the system or operator actions associated with the top event. The event trees are described in Sections 3.1.3 through 3.1.5.

3.1.2.1 ESD Symbology

The symbols used in constructing ESDs are shown in Figure 3.1.2-1. The initiating event is identified by a "waving flag" block. This first event is drawn in the upper left hand corner of the diagram. Subsequent operator actions and system responses to the initiator are then presented throughout the remainder of the figure. The normal, or expected, sequence of events is drawn straight down the figure, beginning with the initiator.
These events are arranged, for the most part, in chronological order. This is not always strictly adhered to because sometimes it is easier to follow events if related actions, dependent on each other, are grouped together even though they may not be closely related in time.

Events whose occurrence or nonoccurrence influences the course of a scenario are represented by rectangles. Successful occurrence of the event described within the rectangle is represented by the arrow exiting the base of the rectangle; failure of the described event is represented by the arrow exiting the right side of the rectangle. These events are the only symbols in the ESDs having two exit paths. The path sequences leading into the events are shown by arrows entering from the left or from the top of the rectangle. These events are sometimes asked in multiple places in the ESD, even though they are along a single sequence path. This is because, like the emergency operating procedures (EOP), not all paths up to a specific point in the ESD are unique. While it may have been asked already along one path, it may not have been asked along another path to that point.

The oval symbol is used as a place for describing the status of key plant parameters or the phenomena that would likely occur as a result of an accident sequence described by the events up to that point in the ESD. Since the symbol is only a descriptive block, only one exit path is allowed. The exit path may be drawn from the bottom or the right side of the oval. The position of this exit path does not signify anything special, but is merely to facilitate the linking of the events. Several entry paths are permitted, however. The entry paths may enter from any direction.

Events representing an entire sequence may result in either successful mitigation of the initiating event or in core damage. Success or stable end states are symbolized by parallelogram shaped figures. Sequences resulting in core damage are shown ending in diamond shaped symbols. Descriptive information within the diamond shape details containment system conditions that help to define the resulting plant damage state. There are no exit paths from such symbols.

3.1-16    3.1 Accident Sequence Delineation

Two additional symbols are used to represent transfers to other places in the ESD logic that cannot be conveniently connected by continuous solid lines. The triangle transfer symbols connect two locations in the same ESD. These transfers are numbered to permit ease of identification. The large arrowhead symbol transfers the reader to a completely different ESD. The specific ESD transferred to is identified within the symbol. The arrowhead symbol is very sparingly used.

Some paths through the ESD are judged to have so small a likelihood of occurrence that no further modeling is performed. These paths may terminate in elongated hexagons that explicitly say, "Not developed further." The preceding stochastic event is then assumed to always result in the alternative outcome, which is developed further.

Throughout the ESD, reference is made to numbered steps in the Beaver Valley Unit 1 EOPs. These references indicate the places in the EOPs where the operators would be if the accident sequence had progressed to that point. The particular referenced step corresponds to the point in the procedures that instructs the operators to carry out or to verify the actions represented by the nearby event.

3.1.2.2 Beaver Valley Unit 1 Event Sequence Diagram

Table 3.1.2-1 identifies the emergency procedures modeled explicitly in the detailed ESD. These procedures cover the plant response to all transient events, such as reactor trips, turbine trips, losses of main feedwater (MFW), etc., and for a full spectrum of loss of coolant accident (LOCA) sizes.
Anticipated transients without scram (ATWS) conditions (EOP FR-S.1) and steam generator tube rupture (SGTR) events (EOP E-3) are transferred to other ESDs. The detailed ESD developed for Beaver Valley Unit 1 is presented in Figure 3.1.2-2. The SGTR ESD is presented in Figure 3.1.2-3. The ATWS ESD is presented in Figure 3.1.2-4.

Pressurized thermal shock (PTS) conditions (EOPs FR-P.1 and FR-P.2) are not considered. Beaver Valley Unit 1 meets the U.S. Nuclear Regulatory Commission (NRC) criteria for the reference temperature for PTS; i.e., less than 270°F at end of life (Reference 3.1.2-1). Unit 1's maximum temperature for PTS is 254°F; this realistically implies a degree of margin against such potential challenges to the reactor vessel. PTS considerations are not expected to be evaluated as part of the individual plant evaluation requirements. They have not been found to be important when realistically evaluated in other PRAs, and are therefore not included in the ESD or in the associated event trees.
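The conversion of an ESD into a quantifiable event tree, outlined at the start of Section 3.1.2, can be made concrete with a small constructed example. The Python code below is an added illustration, not part of the Beaver Valley PRA or its software: it encodes a toy ESD using the symbols of Section 3.1.2.1 (two-exit stochastic events, one-exit descriptive ovals, stable and core damage end states, a "Not developed further" hexagon), enumerates the developed sequences, and quantifies them as an event tree. The top event names, initiating event frequency and split fractions are hypothetical placeholders, not plant data.

```python
"""Added example (not from the Beaver Valley PRA): walking a small event
sequence diagram (ESD) and quantifying it as an event tree.

Node kinds mirror the ESD symbols of Section 3.1.2.1:
  event : rectangle, two exits (success = bottom, failure = right side)
  note  : oval, descriptive only, one exit
  ok    : parallelogram, stable end state
  cd    : diamond, core damage end state (text gives containment status)
  nd    : elongated hexagon, "Not developed further"
All top event names, frequencies and split fractions are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    kind: str
    text: str
    top_event: Optional[str] = None  # dashed-box designation (event nodes only)
    success: Optional[str] = None    # node reached via the bottom (success) exit
    failure: Optional[str] = None    # node reached via the right (failure) exit


# Constructed toy ESD for a reactor trip without safety injection (hypothetical).
ESD = {
    "IE":  Node("note", "Reactor trip (initiating event)", success="RT"),
    "RT":  Node("event", "Reactor trips on demand", "RT", "AF", "ND"),
    "ND":  Node("nd", "Not developed further (ATWS has its own ESD)"),
    "AF":  Node("event", "AFW establishes secondary heat sink", "AF", "HS", "BF"),
    "HS":  Node("note", "Plant stable at hot standby", success="OK1"),
    "OK1": Node("ok", "Stable: hot standby"),
    "BF":  Node("event", "Bleed and feed with one PORV train", "BF", "RC", "CI"),
    "RC":  Node("event", "Cold leg recirculation on low RWST level", "RC", "OK2", "CI"),
    "OK2": Node("ok", "Stable: cold shutdown"),
    "CI":  Node("event", "Containment isolated", "CI", "CD1", "CD2"),
    "CD1": Node("cd", "Core damage, containment isolated"),
    "CD2": Node("cd", "Core damage, containment not isolated"),
}


@dataclass
class Sequence:
    path: list[tuple[str, str]]  # (top event, "success" | "failure") in order asked
    end: str                     # "ok" or "cd"


def enumerate_sequences(esd, start="IE"):
    """Walk the ESD depth first (success exit before failure exit) and collect
    every developed path from the initiator to an end state.  A path reaching a
    "Not developed further" hexagon is dropped: per Section 3.1.2.1 the
    preceding stochastic event is then assumed to take the other outcome."""
    seqs = []

    def walk(node_id, path):
        node = esd[node_id]
        if node.kind in ("ok", "cd"):
            seqs.append(Sequence(list(path), node.kind))
        elif node.kind == "nd":
            return
        elif node.kind == "note":
            walk(node.success, path)
        else:  # stochastic event: both exits are followed
            walk(node.success, path + [(node.top_event, "success")])
            walk(node.failure, path + [(node.top_event, "failure")])

    walk(start, [])
    return seqs


def branch_points(esd):
    """Top events that actually branch in the event tree.  An event whose other
    exit is pruned ('nd') is not a branch point and gets probability 1."""
    return {n.top_event for n in esd.values()
            if n.kind == "event"
            and esd[n.success].kind != "nd" and esd[n.failure].kind != "nd"}


def quantify(esd, ie_frequency, split_fractions, start="IE"):
    """Event tree quantification: sequence frequency = initiating event
    frequency x product of split fractions along the path (failure probability
    on the failure branch, one minus it on the success branch).  Returns the
    list of (sequence, frequency) and the core damage frequency, i.e. the sum
    over sequences that end in a diamond."""
    branching = branch_points(esd)
    results, cdf = [], 0.0
    for seq in enumerate_sequences(esd, start):
        freq = ie_frequency
        for top, outcome in seq.path:
            if top not in branching:
                continue  # pruned alternative: this outcome is assumed certain
            p_fail = split_fractions[top]
            freq *= p_fail if outcome == "failure" else 1.0 - p_fail
        results.append((seq, freq))
        if seq.end == "cd":
            cdf += freq
    return results, cdf


# Hypothetical inputs: one reactor trip per year and per-demand failure split
# fractions for each branching top event (placeholders, not plant data).
IE_FREQUENCY = 1.0
SPLIT_FRACTIONS = {"AF": 1e-2, "BF": 1e-1, "RC": 5e-3, "CI": 2e-2}


if __name__ == "__main__":
    results, cdf = quantify(ESD, IE_FREQUENCY, SPLIT_FRACTIONS)
    for seq, freq in results:
        # Event tree style label: a top event is marked "*" when it failed.
        label = " ".join(t + ("*" if o == "failure" else "") for t, o in seq.path)
        print(f"{seq.end.upper():2}  {freq:9.3e}  {label}")
    print(f"core damage frequency = {cdf:.3e} per year")
```

With these placeholder values the six developed sequences sum to the initiating event frequency, and the four core damage sequences sum to a core damage frequency of 1.045e-3 per year.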
The purpose of these ESDs is to document in a fairly detailed way the possible plant response and the procedural guidance provided to the operators for a wide range of events. The intention is to identify plant conditions that may lead to core damage and to relate such conditions to the place where the operators may be in the procedures up to core damage so that the operator actions are properly accounted for. Once the core damage conditions are identified, the events that may affect the subsequent response of the containment and amount of radioactive release from the containment (e.g., containment isolation, heat removal, spray status) are questioned. The detailed ESD is said to be fairly detailed in that it portrays more events than are actually included in the final event sequence models (i.e., event trees) used in the quantification of the core damage frequency. This is true even though the diagrams represent a substantial simplification of the complete EOPs. The specific events portrayed in the event tree models are indicated on the ESDs as dashes surrounding one or more events. The Beaver Valley Unit 1 ESD consists of several sheets, each indicated by transfers from the first or subsequent sheets.

3.1.2.2.1 General Transient/LOCAs ESD. The logical structure of the Beaver Valley Unit 1 ESD is developed so that it can be specialized for plant response to many initiating events. It includes various success paths that satisfy the major core protection functions; i.e., core reactivity control, coolant inventory control, and core heat removal. The model also includes important features that can affect plant and containment response if core damage occurs; i.e., core debris cooling, containment heat removal, containment pressure control, fission product removal, and containment isolation. The specific plant response to each initiating event is modeled by adjusting the general event sequence framework to account for the unique impact of the event on each system, operator action, and function. Thus, the ESD can be viewed as the parent for the large family of detailed plant response event trees that are used for each specialized initiating event model.

The following paragraphs describe each sheet of the general transient/LOCAs ESD. The reasons for not modeling selected paths through the ESD as part of the event tree models are also provided. The particular events that appear in the ESD and are modeled in the associated event trees are enclosed by dashed boxes. In the upper right corner of the dashed box is a two-letter character designation. This designation is the abbreviated name of the event tree top event heading that models the enclosed events. Some dashed boxes are designated "IE," which stands for initiating event. Such events enclosed by these boxes are considered in the selection of initiating event categories. Individual causes for the occurrence of a safety injection condition as the cause of a plant trip are not modeled explicitly; instead, such causes are modeled implicitly by defining the initiating event categories appropriately to cover each situation. As is standard practice, the frequencies of these initiating event categories are then derived directly from industry experience and plant specific data.

The ESD is entered if the conditions exist for a reactor trip or safety injection signal. The expected sequence of actions is shown down the left side of the diagram. With everything successful and no safety injection signal or conditions present, the operators then continue to EOP ES-0.1; i.e., reactor trip response. The normal plant response following a reactor trip without a safety injection signal is for the MFW regulating valves to close when reactor coolant system (RCS) temperature is controlled to less than 554°F; i.e., a partial feedwater isolation occurs because the RCS temperature is reduced to 547°F. Auxiliary feedwater (AFW) then actuates automatically on low-low steam generator level, and becomes the first option for secondary heat removal. The multiplicity of steam relief paths for each steam generator is very large. Failure of all of these paths was therefore not considered as a significant failure mode for secondary-side heat removal. Operation of the steam generator power-operated relief valves for controlled depressurization of the secondary side is, however, considered. If there is no safety injection condition or signal, and secondary heat sink is established, transfer is made to transfer 1 of the ESD.

The events depicted cover the plant response when the reactor has tripped and a safety injection is not required. Consideration is given in this portion of the ESD to events that may lead to an induced small LOCA. Two situations are considered: a stuck open pressurizer power operated relief valve (PORV) train and a reactor coolant pump (RCP) seal LOCA. If the sequence of events leads to a small LOCA, transfer is made to transfer 4. If the sequence of events does not lead to a small LOCA, then the plant is assumed to be stable at hot standby. The actions to proceed to cold shutdown are then not necessary, and therefore are not modeled in the event trees. Long term manual action to ensure a continued water source for steam generator cooling may be necessary. This action is modeled in the event trees.

Transfer 2 is entered whenever a loss of secondary heat sink has occurred. If secondary heat sink is eventually recovered, then the operators are directed back to the procedure and the step in effect at the time that the secondary heat sink was lost. Since EOP FR-H.1 may be entered from the critical safety function status tree, it may be entered from any number of places in the procedures. For the purposes of this diagram, it is assumed that the loss of secondary heat sink procedure would be entered when feedwater status is first checked; i.e., EOP ES-0.1 or EOP E-0. The event tree models consider the primary actions to restore core cooling; i.e., recovering AFW, restoring MFW, and establishing bleed and feed cooling. The additional action to depressurize the steam generators sufficiently to permit feeding the steam generators with condensate is not modeled in the event trees. Because of the redundancy of main feedwater pumps (including the dedicated auxiliary feedwater pump), it is assumed that for cases in which MFW cannot be reestablished, neither can the condensate system alone. Bleed and feed cooling then becomes the last ditch core cooling mechanism considered.

The bleed and feed cooling option is considered in transfer 3. This transfer is entered when secondary heat sink cannot be recovered.
Only one of the three pressurizer PORV trains is needed for successful bleed and feed cooling (Appendix C). Successful bleed and feed cooling is then modeled as leading to an eventual requirement to go to cold leg recirculation when refueling water storage tank (RWST) inventory is low. This part of the ESD also indicates another place in the procedure (i.e., EOP FR-H.1) where consideration is given to depressurizing at least one steam generator to allow feeding with a low pressure water source. This backup core cooling mechanism is not modeled in the initial event tree models.

For sequences in which a safety injection signal is present or the conditions for one exist, transfer is made to transfer 4. As indicated by the dashed boxes, nearly all of the events shown in this part of the ESD are included in the event tree models. The only exception is, again, the omission of the events concerned with secondary side steam relief. The multiplicity of steam relief paths for each steam generator is judged to make such failures sufficiently low in frequency as to obviate their consideration in the event tree models.

If a safety injection signal is initially present, but the RCS is later determined to be intact, or at least leaking only at a slow rate, the ESD transfers to transfer 5. These actions then consider the termination of safety injection and the establishment of normal charging and letdown. If normal charging and letdown cannot be established, RCS inventory is, by procedure, controlled using the fill header, bypass header, excess letdown, or the reactor vessel head vents. All of the events indicated in this part of the ESD are at least implicitly modeled in the event trees. Failure to promptly terminate safety injection flow is modeled as leading to a challenge to the pressurizer PORVs for pressure relief. If safety injection, in the absence of a LOCA, is successfully terminated, the ESD transfers to transfer 6 on the same sheet as transfer 1. This transfer recognizes that the series of events following safety injection termination in EOP ES-1.1 are similar to those previously outlined for EOP ES-0.1; i.e., reactor trip with no safety injection.

Transfer 7 is for sequences in which safety injection conditions have been verified to have occurred, indicating that a LOCA or secondary side break within containment is in progress. If the safety injection termination criteria cannot be satisfied, a LOCA is in progress. Again, nearly all of the events shown in this transfer are modeled in the event trees. The one exception is the requirement for the operators to stop the low head safety injection (LHSI) pumps if RCS pressure remains above 250 psig and is either stable or increasing. At Beaver Valley Unit 1, the LHSI pumps recirculate back to the RWST. Therefore, the danger of overheating the pump by raising the temperature of the pumped fluid is minimized. Also, the LHSI pumps are capable of providing long-term recirculation from the containment sump following an accident. At low RWST level (less than 12 feet), the auto recirc signal will automatically open the containment sump suction valves (MOV-SI-860A and B) and close the RWST suction valves (MOV-SI-862A and B) to provide LHSI long term recirculation. The operator may have to manually restart the LHSI pumps if they are not already running. Success of the events associated with this transfer means that LHSI or high head safety injection (HHSI) is successful. If the LOCA is large, the next events of interest are the transfer to cold leg recirculation. If the LOCA is small or medium, the EOPs transfer to post-LOCA cooldown and depressurization; i.e., EOP ES-1.2.

Transfer 8 considers the actions in the post-LOCA cooldown and depressurization procedure. Success of the events in this procedure means that the RCS is cooled down and depressurized sufficiently to avoid the need to transfer to cold leg recirculation.
This is likely to be accomplished for only very small LOCAs in which some form of secondary heat sink is available. If the LOCA is not very small, the RWST will likely empty before RCS pressure can be reduced sufficiently to terminate the leak. Since it is difficult to distinguish occurrence frequencies for very small LOCAs versus small LOCAs, the event tree models treat very small LOCAs as small LOCAs that still require cold leg recirculation. Consequently, the post-LOCA actions to depressurize the RCS are modeled in the event tree to distinguish RCS pressure at vessel breach in the event recirculation fails.

Transfer 9 models the actions applicable when the RWST empties (i.e., is less than 19 feet), for LOCA sequences in which injection is successful. Successful completion of the actions in this part of the ESD leads to a stable plant configuration in cold shutdown. Most of the events shown are included in the event tree models. The action to align a redundant recirculation path given that both LHSI and HHSI pump trains are available is not modeled in the event trees. The event trees model success of the HHSI function for 24 hours. Therefore, success of HHSI in the event tree models also implies success of the injection flow path during recirculation. The operator action to stop the quench spray system (QS) pumps is not modeled in the event trees; i.e., EOP ES-1.3. Cavitation of the QS pumps should not occur as long as water is available in the RWST. Once the RWST is emptied, the QS pumps are no longer necessary to mitigate the accident. Therefore, this pump protection action is not modeled. Approximately 14 hours after cold leg recirculation is established, the procedures instruct the operators to alternately establish first hot leg and then cold leg recirculation to avoid boron precipitation concerns. This action is not modeled in the event trees.
There is ample time to establish such alternate injection flow paths, and even if the plant remained on cold leg recirculation, it is doubtful that boron precipitation would lead to fuel damage after the plant had already achieved such a stable state. Finally, one event in transfer 9 considers the response of the containment to LOCA sequences in which QS is not available. If containment atmospheric pressure exceeds the containment design pressure, there is a potential for containment failure. In the NUREG/CR-4550 analysis for Surry Unit 1, such an event was modeled. For Beaver Valley Unit 1 it is believed that the realistic containment failure pressure is sufficiently high that the containment will not fail during the blowdown if QS fails, even for large LOCAs. This assumption will be verified in later phases of the project, once the realistic containment failure pressure is established. If the containment did fail in such events, there is still only a small chance that the subsequent blowdown of the containment to the atmosphere would be sufficiently energetic to fail recirculation from the sump; in the Surry analysis, a 2% chance of consequential recirculation failure was assumed. Such a mechanism for failing recirculation is not modeled in the event trees.

If cold leg recirculation is required but cannot be established, the actions indicated on transfer 10 are of interest. These actions have the operators reduce the amount of safety injection flow to minimize the amount of RWST required. Makeup to the RWST is then provided to ensure continued injection. The success criteria as a function of break size and location are unclear at this time. The diagram assumes that if the operators establish the minimum safety injection flow required to remove decay heat, as specified by procedure, and if they provide even a slow rate of makeup to the RWST, then continued injection at a rate sufficient to cool the core may be sustained, and the RWST level would remain above 44 inches. The actions to cool down the RCS and to place the residual heat removal system (RHR) in service would affect the time available to accomplish such actions, but are not believed to be essential to maintain core cooling.
For the event tree models, in the event of a failure to establish cold leg recirculation, makeup to the RWST is required first from the spent fuel pool at a relatively high rate, and then via blending operations after several hours, at a lower, although sustained, rate.

In the presentation of transfer 7 actions (i.e., for loss of reactor or secondary coolant), failure of HHSI during a small LOCA or medium LOCA is mapped to transfer 11. Transfer 11 considers the actions to establish HHSI in order to provide RCS inventory control. These actions are described in EOPs FR-C.1 and FR-C.2. If the LOCA is small, the RCS must be depressurized sufficiently to permit LHSI pump injection. While this cooling option may be appropriate for a number of initial plant states and LOCA sizes, the PRA team is unaware of any thermal hydraulic analysis to support the contention that the operators could wait until the entry conditions for EOP FR-C.1 or FR-C.2 are satisfied before implementing these actions. The event tree structures will not model depressurization for LHSI as being a viable alternative to HHSI. Verification of this assumption will require that thermal hydraulic analysis be performed. In the quantification of the event trees, no credit is given for these actions.

Step 6 of EOP E-0 instructs the operators to verify that power is available to one of the 4.16-kV emergency buses. Loss of all emergency AC power transfers the operators to EOP ECA-0.0; i.e., loss of all AC power. The events in EOP ECA-0.0 are presented in transfer 12. The actions in this procedure are directed at restoring electrical power and taking the steps necessary to extend the time available for electric power recovery. For these sequences, the time-dependent RCP seal leak rate model becomes important.
Availability of vital bus instrumentation, as governed by the battery capacity and actions by the operators to shed loads from the batteries, is also important since without vital instrumentation it will be difficult to control secondary heat removal. Failure to eventually recover electric power from either offsite or onsite is modeled as core damage. The electric power recovery actions considered in this part of the ESD are modeled in the electric power recovery analysis, which is separate from the event tree models.

Transfer 13 is a transfer point within the first sheet of the ESD. The sequence of events is returned to this point if electric power is recovered while in EOP ECA-0.0, or if secondary heat sink is recovered while in EOP FR-H.1.

For all places in the previously described portions of the ESD that result in core damage, the diagram transfers to transfer 14. Transfer 14 considers the status of containment systems and other parameters important for considering the performance of the containment boundary during a core damage accident. The status of such systems is important input to the Level 2 analysis for determining the likelihood and magnitude of radioactivity release into the environment. The events shown for transfer 14 are actually a simplification of all the plant events of interest for Level 2. The definitions of the endpoints in transfer 14 are consistent with those identified in NUREG/CR-4550, Volume 3, for the Surry plant, except that the status of the containment is also questioned. The more complete definitions of plant damage states used for this study are described in Section 3.1.6. One simplification is the response of the operators after it is determined that a core damage event has occurred. These actions are not included in the initial frontline event trees. Such actions will be considered as sequence-specific recovery actions for sequences that are shown to be important. One such action indicated in transfer 14 is that of opening the pressurizer PORVs to depressurize the RCS. Analysis of core melt progression scenarios has shown that reducing the RCS pressure prior to reactor vessel melt-through helps to mitigate the impact on the containment.
Although not written for postmelt conditions, currently Functional Response Guideline FR C.1 does instruct the operators to open the pressurizer PORVs to lower RCS pressure. This action is not considered for specific sequences. 3.1.2.2.2 Steam Generator Tube Rupture (SGTR) ESD: In the event of an SGTR event, the EOPs transfer the operators to EOP E 3. This transfer to the SGTR procedures is shown in transfer 4, The operators detect the ruptured steam generator based on the level of secondary radiation and/or the level in the steam generators. For the purposes of presentation, the actions associated with mitigating SGTRs are covered in a separate ESD; i.e., Figu re 3.1.2-3. Most of the actions indicated on the first page of Figure 3.1.2-3 are also modeled in the SGTR event tree. The status of the RCPs is not tracked. It is assumed that the RCPs are available if needed, provided that the support systems required for them to function [i.e., nonemergancy pows and primary component cooling water (CCR)] are available. As a resO % GTR, RCk pressure is expected to fall initially; see, for example, Figure 14.2 3 of tu a w- Fina) Safety Analysis Report (UFSAR). Consequently, the events associated with - denges to the pressurizer PORVs, immediately following the plant trip are also not n% v in the event trees. All of the other events on the first page of the SGTR ESD are modeled in the event trees. Transfer 15 of Figure 3.1.2-3 considers the subsequent actions called for by procedures to initiate an RCS cooldown. In order to simplify the event tree model, no credit is given for the condenser steam iumps when considering the equipment required to initiate depressurizm9 6 :s intact steam generators. The event tree model does consider the steam gener@t ; cheric steam dumps. Numerous options are available to the operators for accomplishins m J depressurization. As a last resort, the procedures call for use of the RCS head vents to depressurize. 
This option is not considered in the event tree.
Three events at the end of transfer 15 in the SGTR ESD are not considered in the event tree. These actions affect the amount of radiation released into the environment assuming that core damage is prevented. However, the amount of radiation of concern is relatively small compared with core damage events; in keeping with the focus of this study, these events are not modeled in the event tree because they do not affect the frequency of SGTRs leading to core damage. Transfer 16 considers the final actions needed to mitigate SGTR events. These events consider the potential for a consequential small LOCA that would complicate the recovery. Such LOCAs may develop from RCP seal leakage or from failing to reseat a pressurizer PORV if it was opened earlier to depressurize the RCS. In the event that a small LOCA does develop, the need to transfer to cold leg recirculation would eventually result. The RHR system is needed only if a release path through the secondary side remains open, so that the RCS must be further depressurized to reduce the break flow to inconsequential levels, thereby minimizing the need for makeup from the RWST. Late in the procedures for mitigating an SGTR, the operators are instructed to check for adequate shutdown margin. The reactivity concern is due to the possibility of backflow of unborated water from the ruptured steam generator into the RCS while the operators attempt to achieve cold shutdown conditions. As long as high pressure injection is accomplished via the HHSI pumps, there should be no problem. For SGTR sequences in which the HHSI pumps are not available (i.e., no borated water makeup is available), there is a reactivity concern when the operators attempt to cool down. This potential problem is not modeled in the initial event trees. The scope of this concern is still under investigation.
If the reactor does go recritical, and if this would lead to continued loss of inventory through the ruptured steam generator and eventual core damage, it would mean that tube ruptures together with failure of all HHSI could result in core damage and a bypass of the containment. Such sequences are sufficiently frequent to be significant risk contributors. Currently, however, it is assumed that the post-trip buildup of xenon poison is sufficient to keep the reactor subcritical.

3.1.2.2.3 Anticipated Transient without Scram (ATWS) ESD: This section presents the ESD for the ATWS event. This ESD is entered from the general transient/LOCAs ESD on failure of the reactor to scram on demand. The EOP then leads the operator to EOP FR-S.1 to mitigate the ATWS event. Figure 3.1.2-4 shows the ESD derived for the steps listed in the EOP. For certain plant conditions, there is no chance of the reactor coolant system (RCS) pressure becoming sufficiently high to threaten the primary boundary. In these cases, the mitigation of the event is modeled the same as for normal shutdown after a general transient, and the ESD leads back to the general transient/LOCAs ESD through transfer 13. For all other plant conditions, the ESD reflects the steps outlined in EOP FR-S.1. In case of equipment or operator failures that lead to core melt, the general transient/LOCAs ESD transfers to the ESD that models containment cooling and containment isolation (transfer 14). At the end of the transient, when reactor shutdown has been achieved, the ATWS ESD also transfers back to the general transient/LOCAs ESD if the primary boundary was breached. Some of the steps in the EOP do not impact the transient and are not specifically modeled in the ATWS event tree as top events. These steps include repeated attempts to trip the reactor, sound alarms, verify AFW flow rate, and the like.
An SGTR coincident with the ATWS is considered extremely unlikely, and the steps to check for ruptures are also not modeled. The step requiring the isolation of all dilution paths to the RCS is also not modeled as a top event because these paths are open for a very small fraction of the time, and, if indeed they are open when the ATWS event occurs, the only effect would be to prolong the transient to the shutdown point.

3.1.2.3 Success Criteria

The system success criteria for each of the key safety functions, for a variety of initiating event categories, are provided in Tables 3.1.2-2 through 3.1.2-8. As the name implies, the general transient success criteria apply to a wide variety of initiating event categories. Accident sequence frequencies for many of the initiating event categories identified in Section 3.1.1 are quantified using the criteria in Table 3.1.2-2. The effects of different initiating event categories (e.g., loss of offsite power versus a simple turbine trip) are reflected in the unavailabilities of the mitigating systems. These differences are discussed in Sections 3.1.3 through 3.1.5. Separate system success criteria tables are provided for the different LOCA categories; i.e., Tables 3.1.2-3 through 3.1.2-7. The different size LOCAs impose different success criteria on the mitigating systems. These different criteria are also reflected in the event tree structures, as seen in Section 3.1.3.2. The success criteria for ATWS sequences are presented in Table 3.1.2-8. A separate event tree structure is also used to quantify the reactor trip failure sequences. The ATWS event tree is presented in Section 3.1.4. The success criteria presented in Tables 3.1.2-2 through 3.1.2-8 are basically consistent with those documented in NUREG/CR-4550, Volume 3 (Reference 3.1.2-2). A few exceptions are now noted. For bleed and feed cooling, one HHSI pump with three of three cold leg injection paths and one of the three pressurizer PORVs is adequate for heat removal (Reference Appendix C). The ATWS system success criteria are similar to those adopted in NUREG/CR-4550, Volume 3 (Reference 3.1.2-2). One difference is the criteria assigned for adequate pressure relief.
The criteria developed in WCAP-11993 (Reference 3.1.2-3) were also adopted for use here. These criteria are further described in Section 3.1.4. For steam generator tube rupture events, which were not developed in Reference 3.1.2-2, the criteria are easily extrapolated from those for small LOCAs. One complication is the control of leakage through the ruptured steam generator. It is assumed that if the ruptured steam generator is not isolated, successful RCS inventory control can still be achieved without HHSI by successfully cooling down and going on RHR to stop the leak. The potential for the reactor to go recritical under these conditions is still under investigation, but is assumed not to be a problem.

3.1.2.4 References

3.1.2-1. Ray, N. K., et al., "Response to USNRC Generic Letter 88-11 for the Beaver Valley Unit 1 Reactor Vessel," Westinghouse Electric Corporation, prepared for Duquesne Light Company, November 1988, RAT-SMART-209(88).

3.1.2-2. Sandia National Laboratories, "Analysis of Core Damage Frequency from Internal Events: Surry, Unit 1," prepared for the USNRC, NUREG/CR-4550, Volume 3, November 1986.
3.1.2-3. Westinghouse Electric Company, "Joint Westinghouse Owners Group/Westinghouse Program: Assessment of Compliance with ATWS Rule Basis for Westinghouse PWRs," WCAP-11993, December 1988, proprietary.
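The success criteria in Section 3.1.2.3 and in the tables that follow (Tables 3.1.2-2 through 3.1.2-8) are all of the form "m of n trains" combined by "and" (one success path needing several systems) and "or" (alternative success paths). The following Python is an added illustration of how such criteria are evaluated against a plant state and how the single points of failure of a satisfied function are found; it is not code from this PRA or from Duquesne Light, PLG or Stone & Webster. The component identifiers and the plant states are constructed. The bleed-and-feed criterion is the one stated in the text (one HHSI pump, three of three cold leg injection paths, one of three pressurizer PORVs); the "1 of 3 AFW pumps" alternative is an assumption read from Table 3.1.2-2.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Plant state: component identifier -> True when the component is available.
State = Dict[str, bool]


@dataclass(frozen=True)
class AtLeast:
    """k-of-n criterion; "1/3 AFW pumps" is AtLeast(1, <three pump ids>)."""
    k: int
    components: Tuple[str, ...]

    def holds(self, state: State) -> bool:
        return sum(1 for c in self.components if state.get(c, False)) >= self.k


@dataclass(frozen=True)
class AllOf:
    """Every part must hold: one success path that needs several systems."""
    parts: Tuple[object, ...]

    def holds(self, state: State) -> bool:
        return all(p.holds(state) for p in self.parts)


@dataclass(frozen=True)
class AnyOf:
    """Alternative success paths for one safety function."""
    parts: Tuple[object, ...]

    def holds(self, state: State) -> bool:
        return any(p.holds(state) for p in self.parts)


# Constructed placeholder identifiers, not plant equipment tags.
AFW_PUMPS = ("AFWP-1", "AFWP-2", "AFWP-3")
HHSI_PUMPS = ("HHSI-A", "HHSI-B", "HHSI-C")
COLD_LEG_PATHS = ("CL-A", "CL-B", "CL-C")
PORVS = ("PORV-1", "PORV-2", "PORV-3")

# Secondary heat sink path: 1 of 3 AFW pumps (assumed from Table 3.1.2-2).
AFW_COOLING = AtLeast(1, AFW_PUMPS)

# Bleed and feed as stated in Section 3.1.2.3: one HHSI pump with three of
# three cold leg injection paths and one of the three pressurizer PORVs.
BLEED_AND_FEED = AllOf((AtLeast(1, HHSI_PUMPS),
                        AtLeast(3, COLD_LEG_PATHS),
                        AtLeast(1, PORVS)))

# Core heat removal, early: either path satisfies the safety function.
CORE_HEAT_REMOVAL_EARLY = AnyOf((AFW_COOLING, BLEED_AND_FEED))


def single_point_failures(criterion, state: State) -> List[str]:
    """Components whose loss alone would defeat a currently satisfied criterion.

    An empty list means either the criterion already fails, or every available
    component has a spare behind it."""
    if not criterion.holds(state):
        return []
    return sorted(c for c, ok in state.items()
                  if ok and not criterion.holds({**state, c: False}))


def all_available() -> State:
    return {c: True for c in AFW_PUMPS + HHSI_PUMPS + COLD_LEG_PATHS + PORVS}


def afw_lost() -> State:
    """Constructed scenario: all AFW pumps lost, one HHSI pump and two PORVs left."""
    s = all_available()
    s.update({p: False for p in AFW_PUMPS})
    s.update({"HHSI-B": False, "HHSI-C": False, "PORV-3": False})
    return s


if __name__ == "__main__":
    for name, st in (("all available", all_available()), ("AFW lost", afw_lost())):
        print(name, CORE_HEAT_REMOVAL_EARLY.holds(st),
              single_point_failures(CORE_HEAT_REMOVAL_EARLY, st))
```

With all equipment available no single component defeats early core heat removal, because the AFW path still has two spare pumps. Once the AFW pumps are lost the function rests on bleed and feed, and the 3-of-3 cold leg requirement makes every cold leg path, as well as the last HHSI pump, a single point of failure; the two remaining PORVs are not, since only one of three is required.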
Table 3.1.2-1. Relationship of EOPs to Beaver Valley Unit 1 ESD

| Procedure | Number | ESD (Transfer Number) |
|---|---|---|
| Reactor Trip or Safety Injection | E-0 | GT/LOCAs (0,4,7) |
| Rediagnosis | ES-0.0 | N/A |
| Reactor Trip Response | ES-0.1 | GT/LOCAs (0,1) |
| Natural Circulation Cooldown | ES-0.2 | GT/LOCAs (1) |
| Natural Circulation Cooldown with Steam Void in Vessel (with RVLIS) | ES-0.3 | N/A |
| Natural Circulation Cooldown with Steam Void in Vessel (without RVLIS) | ES-0.4 | N/A |
| Loss of Reactor or Secondary Coolant | E-1 | GT/LOCAs (4,5,7,9) |
| Safety Injection Termination | ES-1.1 | GT/LOCAs (1,5) |
| Post LOCA Cooldown and Depressurization | ES-1.2 | GT/LOCAs (8) |
| Transfer to Cold Leg Recirculation | ES-1.3 | GT/LOCAs (9) |
| Transfer to Hot Leg Recirculation | ES-1.4 | GT/LOCAs (9) |
| Transfer from Hot Leg to Cold Leg Recirculation | ES-1.5 | N/A |
| Faulted Steam Generator Isolation | E-2 | GT/LOCAs (4) and SGTR (0) |
| Steam Generator Tube Rupture | E-3 | SGTR (0,15,16) |
| Post SGTR Cooldown Using Backfill | ES-3.1 | SGTR (16) |
| Post SGTR Cooldown Using Blowdown | ES-3.2 | SGTR (16) |
| Post SGTR Cooldown Using Steam Dump | ES-3.3 | SGTR (16) |
| Loss of All AC Power | ECA-0.0 | GT/LOCAs (12) |
| Loss of All AC Power Recovery without Safety Injection Required | ECA-0.1 | GT/LOCAs (12) |
| Loss of All AC Power Recovery with Safety Injection Required | ECA-0.2 | GT/LOCAs (12) |
| Loss of Emergency Coolant Recirculation | ECA-1.1 | GT/LOCAs (10) |
| LOCA Outside Containment | ECA-1.2 | GT/LOCAs (7) |
| Uncontrolled Depressurization of All Steam Generators | ECA-2.1 | N/A |
| SGTR with Loss of Reactor Coolant - Subcooled Recovery Desired | ECA-3.1 | SGTR (0,15,16) |
| SGTR with Loss of Reactor Coolant - Saturated Recovery Desired | ECA-3.2 | SGTR (15,16) |
| SGTR without Pressurizer Pressure Control | ECA-3.3 | SGTR (15,16) |
| Critical Safety Function Status Trees: Subcriticality | F-0.1 | N/A |
| Core Cooling | F-0.2 | N/A |
| Heat Sink | F-0.3 | N/A |
| Integrity | F-0.4 | N/A |
| Containment | F-0.5 | N/A |
| Inventory | F-0.6 | N/A |
| Response to Nuclear Power Generation/ATWS | FR-S.1 | ATWS (0) |
| Response to Loss of Core Shutdown | FR-S.2 | N/A |
| Response to Inadequate Core Cooling | FR-C.1 | GT/LOCAs (11,14) |
| Response to Degraded Core Cooling | FR-C.2 | GT/LOCAs (11) |
| Response to Saturated Core Cooling | FR-C.3 | N/A |
| Response to Loss of Secondary Heat Sink | FR-H.1 | GT/LOCAs (2,3) |
| Response to Steam Generator Overpressure | FR-H.2 | N/A |
| Response to Steam Generator High Level | FR-H.3 | N/A |
| Response to Loss of Normal Steam Release Capabilities | FR-H.4 | N/A |
| Response to Steam Generator Low Level | FR-H.5 | N/A |
| Response to Imminent Pressurized Thermal Shock Condition | FR-P.1 | N/A |
| Response to Anticipated Pressurized Thermal Shock Condition | FR-P.2 | N/A |
| Response to High Containment Pressure | FR-Z.1 | GT/LOCAs (14) |
| Response to Containment Flooding | FR-Z.2 | N/A |
| Response to High Containment Radiation Level | FR-Z.3 | N/A |
| Response to High Pressurizer Level | FR-I.1 | N/A |
| Response to Low Pressurizer Level | FR-I.2 | N/A |
| Response to Voids in Reactor Vessel | FR-I.3 | N/A |

Key: GT/LOCAs - General Transient/LOCAs ESD; SGTR - Steam Generator Tube Rupture ESD; ATWS - Anticipated Transients without Scram ESD; N/A - Not Applicable, Not Explicitly Identified in the ESDs.
Note: Transfer number (0) is the first page of the ESD.
Table 3.1.2-2. General Transient Success Criteria Summary Information
(columns: Reactor Subcriticality; Core Heat Removal, Early; RCS Integrity; Containment Pressure Suppression; Core Heat Removal, Late; Containment Atmospheric Heat Removal; Comments. The cell entries are not legible in this copy; the legible comments follow.)
3. Core heat removal, late, and containment atmospheric heat removal are required only when feed and bleed is commenced or RCS integrity is lost.
4. Secondary steam relief assumed available.
5. AFW to one steam generator sufficient.
Table 3.1.2-3. Small LOCA Success Criteria Summary Information
(columns: Reactor Subcriticality; Core Heat Removal, Early; RCS Integrity; Containment Pressure Suppression; Core Heat Removal, Late; Containment Atmospheric Heat Removal; Comments. The cell entries are not legible in this copy; the legible comment follows.)
1. Failure of RPS and manual reactor trip transfers to ATWS tree.
Table 3.1.2-4. Medium LOCA Success Criteria Summary Information
(columns: Reactor Subcriticality; Core Heat Removal, Early; RCS Integrity; Containment Pressure Suppression; Core Heat Removal, Late; Containment Atmospheric Heat Removal; Comments. The cell entries are not legible in this copy; the legible comments follow.)
1. 1/3 injection lines adequate for LHSI.
2. 2/3 injection lines adequate for HHSI.
3. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
4. RCS integrity is lost as a result of the initiator.
Table 3.1.2-5. Large LOCA Success Criteria Summary Information
(columns: Reactor Subcriticality; Core Heat Removal, Early; RCS Integrity; Containment Pressure Suppression; Core Heat Removal, Late; Containment Atmospheric Heat Removal; Comments. The cell entries are not legible in this copy; the legible comments follow.)
1. Injection of LHSI into one RCS loop was considered sufficient.
2. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
3. RCS integrity is lost as a result of the initiator.
Table 3.1.2-6. Steam Generator Tube Rupture Success Criteria Summary Information
(columns: Reactor Subcriticality; Core Heat Removal, Early; RCS Integrity; Control of Leakage through Ruptured Steam Generator; Containment Pressure Suppression; Core Heat Removal, Late; Containment Atmospheric Heat Removal; Comments. The cell entries are not legible in this copy; the legible comment follows.)
3. Core heat removal, late, and containment atmospheric heat removal are required only when feed and bleed is demanded, or if RCP seals fail, or a pressurizer PORV sticks open.
Table 3.1.2-7. Excessive LOCA Success Criteria Summary Information
(columns: Reactor Subcriticality; Core Heat Removal, Early; RCS Integrity; Containment Pressure Suppression; Core Heat Removal, Late; Containment Atmospheric Heat Removal; Comments. The cell entries are not legible in this copy; the legible comments follow.)
1. RCS integrity is lost as a result of the initiator.
2. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
Table 3.1.2-8. ATWS Success Criteria Summary Information

| Reactor Subcriticality | Core Heat Removal, Early | RCS Integrity | RCS Pressure Relief |
|---|---|---|---|
| Manual insertion of control rods by operator, or emergency boration using one charging pump taking suction from the boric acid tank or the RWST, discharging through the normal charging line or the safety injection path, and remaining at elevated temperature to maintain subcriticality | MFW, or 2 MDP, or 1 TDP (see comments) | All SRVs and PORVs reclose when pressure relief is required | Turbine trip and n SRVs and m PORVs (see comments) |

Comments:
1. Entry into the ATWS tree assumes the reactor protection system failed.
2. AFW must be supplied to three of three steam generators.*
3. If moderator temperature coefficient (MTC) < -20 pcm/°F, no pressure relief required.
4. If MTC > -7 pcm/°F, pressure relief assumed not possible.
5. Turbine trip not required for low power initiators, or if MTC is very low.
6. MTC criteria apply to high power only.
7. The number of SRVs and PORVs required varies with time of cycle and other conditions. See top event descriptions for the ATWS event tree.
*Except when MFW is available.
Figure 3.1.2-1. Event Sequence Diagram Symbology

Symbols (diagram not reproduced; legend text recovered):
- Initiating event: entry to ESD
- Descriptive notes for sequence segment
- Event block with two outcomes
- Not developed further
- Transfer of sequence segment to another part of sequence
- Plant damage state ending sequence development
- Shutdown or stable state ending sequence development
- Transfer of sequence segment to another event sequence diagram
Figure 3.1.2-2 (Parts 1 through 14 of 14). Event Sequence Diagram for Beaver Valley Unit 1 (diagram only; no text content is recoverable from this copy)
Figure 3.1.2-3 (Parts 1 through 3 of 3). SGTR Event Sequence Diagram (diagram only; no text content is recoverable from this copy)
Figure 3.1.2-4. ATWS Event Sequence Diagram (diagram only; no text content is recoverable from this copy)
3.1.3 Frontline Event Trees

The Beaver Valley Unit 1 event sequence diagrams (ESD) were described in the previous section. The events enclosed by dashed boxes in the ESD are modeled as top events in the frontline and support system event trees. This section presents the frontline event tree top events for the general transient/small LOCA event tree, the medium LOCA event tree, the large LOCA event tree, the excessive LOCA event tree, and the steam generator tube rupture (SGTR) event tree. The ATWS event tree top events are described in Section 3.1.4, Special Event Trees. The support system event tree top events are described in Section 3.1.5. The general transient/small LOCA event tree is used to quantify all the initiating events in Table 3.1.1-1 that are not otherwise addressed by an event-specific tree. The process of tailoring the general transient/small LOCA event tree for quantification of each of the initiating events is discussed in Section 3.3.7. The event trees referenced in this and following sections are all drawn in the same format. Branches that go straight across signify that the top events along that path are successful. Down branches signify that the top event under which the down branch is drawn is failed. This is referred to as the "wind-swept" approach to event tree drawing. The dotted line shown under Top Event SE at sequence 7 in Figure 3.1.3-1 signifies a transfer to another portion of the drawing. This sequence transfers to substructure X2, which is shown along sequence 1, also under Top Event SE. Use of transfers allows the analyst to depict large event trees in a compact form, which takes advantage of repeated substructures that appear in the drawing. The 34 branches shown in Figure 3.1.3-1 actually represent 2058 sequences when fully expanded.
The dotted lines signify that a transfer is to take place, and the transfer name is listed just to the right of the reduced sequence number.

3.1.3.1 General Transient/Small LOCA Event Trees

Tables 3.1.2-2 and 3.1.2-3 summarize the system success criteria needed to ensure each of the key safety functions for the general transient and small LOCA initiators, respectively. More details concerning the system success criteria are provided in the top event descriptions that follow. To simplify the model preparation, the general transient/small LOCA event tree has been divided into two parts; i.e., the GENTRANS and GTRECIRC event trees. Both the GENTRANS and GTRECIRC frontline event trees are used to quantify each initiating event category that uses the general transient/small LOCA system success criteria. The GENTRANS event tree structure is shown in Figure 3.1.3-1. The GTRECIRC event tree structure is shown in Figure 3.1.3-2. For convenient reference, Tables 3.1.3-1 and 3.1.3-2 summarize the top events that appear in the general transient/small LOCA event tree models. The following top events make up the GENTRANS event tree.

- Top Event OT - Operator Action To Manually Trip the Reactor. This event models only the operator action to manually trip the reactor from the control room. The equipment needed to actuate in order to trip the reactor is modeled in Top Event RT. This particular operator action is separated to enhance visibility.
- Top Event RT - Automatic and Manual Reactor Trip. This top event considers the automatic reactor trip system function and the backup operator actions to manually trip the reactor. The backup manual actions are accounted for by evaluating Top Event RT conditionally on the status of Top Event OT. Success of this event requires that at least 1 of 2 reactor trip breakers open (or the initiator is a loss of offsite power), and that 47 of 48 control rod clusters are inserted into the reactor core. This assumption is conservative because, for many times during the operating cycle, depending on the particular accident sequence of interest and on the particular arrangement of control rod clusters that fail to insert, many more than one such cluster may fail to insert and yet the reactor may remain subcritical. Major equipment modeled in this top event includes the undervoltage coils, shunt trip coils, reactor trip breakers, and the control rods. Successful operation of at least one train of SSPS, manual operator action to initiate reactor trip, or a loss of offsite power is required for success of Top Event RT. Failures of Top Event RT are considered further in the ATWS event tree (Section 3.1.4).
- Top Event TT - Turbine Trip. This event models the likelihood of the turbine to trip following an initiating event. Success requires that two steam stop valves or two governor valves must close on both steam supply chests. The signal to close comes from the auxiliary contacts on the reactor trip breakers, which goes through SSPS. An additional turbine trip signal is provided by AMSAC, which does not go through SSPS. No credit is given for the AMSAC signal except in the ATWS event tree (Section 3.1.4), where reactor trip fails.
- Top Event MS - Main Steam Isolation. This event models the successful isolation of at least two of three main steam lines. This event is of interest for steam line breaks inside or outside containment. For steam line breaks downstream of the non-return valves, two of three main steam trip valves must close. For steam line breaks upstream of the non-return valves, either the non-return valve in the broken line must close or the other two trip valves must close for success. Failure to isolate implies that two or three steam generator inventories blow down to the atmosphere or turbine building given a main steam line break outside containment, and into the containment if the break is inside containment. Failure to isolate at least two main steam lines is assumed to lead to failure of the turbine-driven AFW pump, due to loss of steam pressure; i.e., failure of two or three main steam lines to isolate is conservatively modeled as if all three failed to isolate. For steam line breaks outside containment, MFW is conservatively assumed failed regardless of whether the main steam lines isolate. For initiators other than steam line breaks, the status of main steam isolation is only of interest if the turbine fails to trip; i.e., it is assumed not to have an impact on subsequent events. Failure of both Top Events TT and MS (i.e., two of three main steam trip valves must close for success) leads to failure of the turbine-driven AFW pump. Inadvertent main steam trip valve closures are not considered here but, rather, in the definition and frequency quantification of initiating events that involve such events.

For large steam line breaks and for turbine trip failures, failure to close two of three main steam lines may potentially result in recriticality, as the RCS is quickly cooled down. This concern is not modeled in the event trees. The frequency of such sequences is low, and the impact of going recritical is not expected to alter the success criteria for the mitigating systems. Similarly, for a steam line break inside containment with successful main steam line closure, but with failure of all HHSI, concerns about recriticality were not modeled in the event trees for the same reasons.

- Top Event AF - Auxiliary Feedwater System (AFW) Provides Flow from One Pump to at Least One Steam Generator. For success of Top Event AF, at least one pump is required to supply one steam generator for 24 hours. Each of the two AFW motor-driven pumps and the one turbine-driven pump is headered to provide flow to any of the three steam generators. This top event includes the required valve position changes, pump starts, and pump operation to provide flow to the steam generator by taking suction from the primary plant demineralized water storage tank (PPDWST) WT-TK-10. Since the PPDWST capacity will last approximately 9 hours, long term makeup is required for success. Top Event MA includes the equipment and operator actions associated with long term makeup to the AFW pumps. Success of Top Event MA is required with AF success for secondary cooling. Failure of either requires the operators to supply a steam generator with main feedwater or the dedicated auxiliary feedwater pump (Top Events MF, DF, and OF). The AFW is demanded by a safety injection signal, loss of MFW, or low-low steam generator level signal. A safety injection signal will demand the motor-driven pumps. Loss of power to at least two RCP buses will demand the turbine-driven AFW pump. Following an initiating event which involves loss of MFW, the motor-driven AFW pumps are actuated upon the trip of all running MFW pumps via hardwiring through a relay. The solid state protection system (SSPS) is not required for this to occur. In the current PRA model for general transient/small LOCAs, credit is only given for those signals that go through SSPS. The turbine-driven pump may subsequently initiate from low-low steam generator level, but this signal was not modeled. After reactor trip with MFW available, MFW regulating valves will close on low Tavg, and feedwater continues into the steam generators through bypass valves, which are only 10% open. This flow through the bypass valves is insufficient to prevent an automatic start of the AFW if the operators have not already manually started AFW. Thus, AFW is modeled as auto-starting on low-low steam generator level following a plant trip. Given that the main steam trip valves are closed (i.e., so that the condenser steam dumps are not available), decay heat may be removed by AFW using one of the following sets of valves:
- Steam Generator Atmospheric Steam Dumps (1 of 3) (nominally set at 1,040 psig)
- Residual Heat Release Valve (manually controlled)
- Steam Generator Safety Valves (setpoints range from 1,075 to 1,125 psig) (1 of 15)
Historical data and previous analyses for other plants indicate that the failure-to-open frequency of these valves is sufficiently small so that modeling the failure to open of all of these sets of valves is not required in this study. Failure to achieve at least one steam relief path for decay heat removal will not be a dominant risk contributor. Therefore, to simplify the model, such failures are neglected. This assumption is even more valid if the main steam trip valves are open, and if flow through the condenser steam dumps is possible. For steam line break sequences or for turbine trip failure sequences, the analysis considers the unavailability of the affected steam generator's ability to supply steam to the turbine-driven AFW pump. If the main steam lines are not isolated (i.e., Top Event MS fails), the turbine-driven AFW pump is assumed unavailable due to the loss of a steam supply. Failure of this event (i.e., Top Event AF) is modeled as placing a demand on the condensate, MFW pumps and valves, or dedicated auxiliary feed pump and valves to provide steam generator feed flow. This modeling is consistent with the sequence of EOPs ES-0.1 and FR-H.1 for loss of AFW sequences.
- Top Event PR - Pressurizer PORVs Are Challenged and, if Challenged, Pressure Relief is Isolated after Challenge. This event models the RCS pressure relief function. Top Event PR is guaranteed to fail if the initiating event is a small LOCA. This is how small LOCA initiating events are modeled using the GENTRANS event tree. Otherwise, one pressurizer PORV must open to relieve RCS pressure, if a challenge occurs. This PORV must then either reclose or be isolated. The other two PORVs have their block valves closed per OM 1.6, Section 2. If the PORV is challenged and fails to open, success of this top event conservatively requires that at least one safety valve must open to prevent overpressure. Operator action to close the PORV block valve to isolate a PORV that fails to reseat is modeled. The analysis includes the successful reclosing of the PORV and/or safety valves after the challenge, or alternately, the successful manual closure of the block valves to isolate the pressurizer PORV relief line.

This event includes the conditional probability that the pressurizer PORV is challenged during the sequence. Four situations are considered separately: simple reactor trips, events involving loss of normal pressurizer spray, loss of all feedwater, and inadvertent safety injection signals. For simple reactor trips, a small fraction of the sequences may lead to the need for pressure relief. The conditions in which simple reactor trips lead to RCS pressure relief challenges are not well understood. Others have tried to use historical data to infer a challenge fraction. For this model a simplifying assumption was made. Sequences without a safety injection signal and in which normal pressurizer spray is available (i.e., the RCPs are running) are assumed to not require pressure relief. Sequences without normal pressurizer spray (e.g., losses of offsite power, loss of reactor plant component cooling water, and the loss of all primary flow initiating event category) are assumed to require pressure relief. It is assumed, for simplicity, that any plant trip followed by failure of all feedwater (i.e., both AFW and MFW) will eventually cause a demand on the PORV, which, due to repeated cycling, is assumed to fail open. Non-LOCAs involving a safety injection signal are not assumed to pose an initial challenge to the pressurizer PORVs. The operator action to control charging following an inadvertent safety injection signal (per EOP ES-1.1, it should take less than about 4 minutes) or following a safety injection response to an excessive cooldown to prevent subsequent PORV challenge is analyzed in this top event. Failure of the operator to terminate the safety injection before the pressurizer fills is assumed to lead to a pressure relief challenge in which the PORV must pass water. In the event that either instrument air or containment instrument air is lost, which prevents the establishment of normal letdown but requires continued charging for RCP seal injection cooling, the operators will follow OM 1.34.4.AAC for loss of station air and control RCS inventory using excess letdown. The operators could use the reactor head vent and/or the fill header as alternatives for maintaining pressurizer level, although this is not in the procedure. There is no need to consider a challenge to the PORV. The opening of the head vents for long-term RCS inventory control is assumed successful for such low frequency situations. Failure of this top event is treated in the remainder of the model as a small LOCA; that is, it is assumed that failure to isolate will occur in only one pressurizer relief path.
- Top Event MA - Long Term Makeup to AFW. Given that Top Event AF is successful, MA questions whether long term makeup is provided to the PPDWST (WT-TK-10) or to the AFW pumps directly from river water.

Normal makeup to the PPDWST is automatic using a modulating supply valve (LCV-WT-104A) that passes up to 200 gpm flow from either one of two 350-gpm capacity demineralized water transfer pumps (WT-P-33A and B) from the demineralized water storage tank (DWST) (WT-TK-26). This event models the above automatic makeup and the operator actions to supply makeup to the PPDWST if the automatic supply fails (EOP Attachment 2-H). Makeup can be provided by the demineralizer pumps (WT-P-4A and B) or from the condensate pumps (CN-P-1A and 1B). The equipment associated with the manual makeup is not included in the model. Operator error is assumed to dominate. The above makeup capabilities all depend on normal AC power, including the automatic makeup. Makeup is possible from a cross-tie to Unit 2 demineralized water distribution pumps (2WTD-P-23A and B) that are powered by the ERF diesel. The model presently does not model this capability because it is not proceduralized and there are other makeup sources. In addition, this event models the operator and valves associated with supplying river water directly to the AFW pumps if normal makeup is unavailable (EOP Attachment 2-H). Supplying river water is considered to be the last choice for makeup, and the operators would try to reestablish main feedwater in Top Events OF and MF, or use the dedicated auxiliary feed pump (EOP Attachment 2-K) modeled in Top Events OF and DF.
- Top Event MF - Condensate/Main Feed. This event includes the ability of the main condenser and the condensate system to provide sufficient flow and net positive suction head (NPSH) to a MFW pump and the ability of MFW pumps to provide flow to a steam generator. Failure of condensate precludes main feed flow to the steam generators. The condensate system is not available if normal (nonemergency) power is lost. As the individual causes of events included in the loss of MFW initiating event category are not easily identified, the analysis conservatively takes no credit for recovery of MFW for total or partial loss of MFW initiators.

The condenser hotwell maintains a water volume of about 71,000 gallons by virtue of a gravity feed line from the turbine plant demineralized water storage tank (TPDWST; WT-TK-11), assuming condenser vacuum is maintained. The TPDWST contains 200,000 gallons. To achieve a continuous supply of steam generator feed at 350 gpm for 24 hours, either the main steam trip valves and condenser steam dump valves must be open, or a makeup supply to the TPDWST must be provided. The TPDWST is filled from the demineralized water makeup system. Upon low level indication, the fill line level control valve is actuated, the level in the TPDWST is indicated, and the low/high level alarm is experienced. For simplicity, this model assumes one of four success paths:

- Makeup to the TPDWST is provided from the DWST.
- Makeup from the DWST is supplied directly to the condenser hotwell.
- Main steam trip valves and condenser steam dump valves are opened before depletion of the TPDWST.
- Feedwater flow is successfully controlled to match decay heat so that for 24 hours, even without makeup, sufficient water is available for condensate pump suction.

This top event is asked when Top Event AF or MA fails, and includes only the failure modes involving the equipment mentioned. The operator actions to realign MFW and open feedwater isolation and/or regulating valves after trip are modeled in Top Event OF. The equipment response modeled includes success of the condensate system and that one MFW pump starts (DC control power supplied from a nonemergency bus) and runs. Failure of Top Event MF puts a demand on the dedicated AFW pump (Top Event DF).
- Top Event DF - Dedicated AFW Pump. This event includes the ability of the dedicated auxiliary feedwater pump to provide flow to a steam generator for 24 hours. The equipment response modeled includes the pump (FW-P-4) discharge valve (MOV-160) opening and the pump starting and running. The operator actions to align the dedicated pump supply and open feedwater isolation and/or regulating valves are modeled in Top Event OF. The dedicated AFW pump water normally is supplied by the turbine plant demineralized water storage tank (TPDWST, WT-TK-11), which contains 200,000 gallons, but can also be supplied by the DWST (WT-TK-26) by opening a manual valve. The pump and discharge MOV power supplies are powered by the ERF diesel when offsite AC is lost. This top event is asked when Top Event MF is asked and fails. Failure of Top Event DF is treated as a requirement to establish cooling via feed and bleed. Therefore, the operator actions to restore adequate FW flow must be accomplished prior to the time when feed and bleed is to be initiated; i.e., < 8% wide range level in at least two steam generators. The model assumes that the RCPs are tripped in accordance with EOP FR-H.1, if Top Events AF, DF, and MF are unavailable.
- Top Event OF - Actions to Reestablish Secondary Heat Sink. This event models operator actions associated with opening the main feed bypass flow control valves and main feed containment isolation valves, and starting the dedicated auxiliary feedwater pump or a main feedwater pump to supply a steam generator. The equipment associated with the dedicated auxiliary feedwater pump and main feedwater is modeled in Top Events DF and MF. The bypass valves and containment isolation valves are included in this top event model because they are common to both Top Events DF and MF, as are the operator actions. However, the equipment failures are not explicitly modeled since their contribution is insignificant.

The specific operator actions depend on the initiating event, support systems available, and whether auxiliary feedwater is successful. These operator actions and dependencies are summarized below:

- The time available for the operator actions described for this top event depends on whether auxiliary feedwater (Top Event AF) is successful. If Top Event AF is successful and long term makeup (Top Event MA) has failed, then 9 hours are available for operator actions. If AF has failed, it is assumed the operators have 1 hour to recover secondary cooling.
- The operators must open one of three bypass flow control valves. This action is always required because the valves are normally not fully open and may have been initially closed by the operators or an SI signal. If an SI occurred, it must first be reset. If instrument air (IA) is unavailable, the valves have to be opened locally (hand wheel) on the top floor of the Service Building.
- The operators must open the main feed containment isolation valve on the same line where the bypass valve is open. This action is only required when an SI has occurred and after the SI signal has been reset. These valves are powered by emergency AC orange (Top Event AO) and fail as-is. If an SI occurs and AO fails after the valves close, then the valve must be opened locally in the main steam valve area.
- Starting and running a main feed pump is performed in the control room if offsite power is available (OG success). SI is reset first if it occurs. Given Top Event OF success, this equipment is modeled in Top Event MF.
- Starting and running the dedicated auxiliary feed pump is performed locally in the turbine building per EOP Attachment 2-K. Given Top Event OF success, this equipment is modeled in Top Event DF.
If AFW is insufficient, the operators look to the MFW equipment to provide flow to at least one steam generator through either the feedwater control and regulating valves, or the feedwater bypass valves.

Should the AFW fail to provide sufficient water and MFW pumps are still operating, then EOP ES-0.1 provides for supplementing flow from the MFW pumps by opening the feedwater bypass valves. If MFW pumps are not operating, the operator can still align the dedicated AFW pump to feed the steam generators. If all secondary feedwater is failed, then EOP FR-H.1 is entered.

Following a safety injection signal, the reactor would trip, and a feedwater isolation signal would cause a turbine trip, close feedwater isolation valves, control valves, regulating valves, and the bypass valves, and would shut off the MFW pumps. The turbine would trip, and the AFW pumps would actuate from the safety injection signal. If pressure in the containment rises above 3 psig, the main steam trip valves would close, isolating the steam lines. EOP E-0 instructs the operator to verify and close all feedwater control and bypass valves, and to stop the main feed pumps as required, following a safety injection signal. These equipment responses are assumed to be successful because they lead to a requirement for subsequent manual intervention in order to reestablish MFW or the dedicated AFW.

If AFW fails, and if MFW pumps are operating (i.e., no safety injection condition), the modeling of this top event evaluates the operator actions noted in EOP ES-0.1. The operators would trip one of the running MFW pumps if AFW is insufficient. Both MFW pumps running on recirc would eventually cause both pumps to trip due to low suction pressure. This action is assumed to be successful, so that when evaluating Top Event MF, only one pump is initially operating.

If MFW pumps are not operating and the dedicated AFW pump fails to start, then this event models the operator actions noted in EOP FR-H.1. Functional response EOP FR-H.1 provides the steps to recover from an initial loss of flow to the steam generators, given that AC power is available. The procedure calls for restoration of secondary heat sink in the following order:

- AFW
- Establish alternate AFW flow using the dedicated AFW pump (FW-P-4) in accordance with EOP Attachment 2-K
- One MFW pump or condensate system into a depressurized steam generator
- Bleed and feed

If a safety injection signal has occurred, the operators must reset safety injection and the feedwater isolation signal in order to reopen the feedwater isolation valves. These isolation valves and the feedwater bypass valves must be opened to allow the dedicated AFW pump, MFW pumps, or the condensate system to feed the steam generators. As a simplifying approximation, the model conservatively neglects the potential of achieving flow from the condensate system through a depressurized steam generator; i.e., given that both the MFW pumps and the dedicated AFW pump are unavailable.
- Top Event OB - Bleed and Feed Cooling. This event is queried if no other source of secondary heat sink is available; i.e., Top Events AF, DF, and MF failed. The case where AF is successful but long term makeup (Top Event MA) fails is conservatively modeled as allowing 1 hour for OB success. The operator actions considered in this event are in EOP FR-H.1. In particular, the operators initiate safety injection, open the PORVs, open the PORV block valves, ensure that at least one pressurizer relief line flow path remains open, and verify HHSI pump operation. If the PORV block valves were initially closed due to PORV leakage prior to the initiating event, then power must be restored to these valves in order to open them. To extend the time available to initiate feed and bleed cooling, the operators must have stopped the RCPs earlier, in accordance with EOP FR-H.1. Hand calculations based on pump capacities, decay heat levels, and pressurizer PORV relief capacity have been performed to investigate the success criteria for feed and bleed cooling at Beaver Valley Unit 1. These calculations are documented in Appendix C. It was concluded that for Beaver Valley Unit 1, one HHSI pump with relief via one PORV train would provide adequate core cooling. Furthermore, it was concluded that one cold leg injection path is required to provide sufficient flow. Failure of this event is treated as a complete loss of reactor cooling without the possibility of depressurization for LHSI prior to core damage. In addition to the operator actions, the equipment that must function to provide at least one pressurizer relief path (i.e., the PORVs and associated block valves) is modeled. The cold leg injection paths are modeled in Top Event HC. The HHSI pumps are modeled in Top Event HH.
- Top Event HH - High Head Safety Injection Pumps. This top event models the two HHSI trains with pumps CH-P-1A and CH-P-1B. Success requires one pump train to be operable. The third pump, CH-P-1C, may be electrically aligned to either orange or purple emergency power, if either of the other two pumps fails. Only two pumps at a time, however, receive an automatic start signal. Pump CH-P-1C is included in the model as a backup to either pump CH-P-1A or CH-P-1B, with the associated operator actions to align it. If both pumps CH-P-1A and CH-P-1B have failed, but the required support systems are available to each train, the operator is modeled as aligning pump CH-P-1C to train A.

These pump trains share a common dependence on the single suction line from the RWST, which is modeled in Top Event VL of the support tree. The RWST itself is modeled in Top Event RW of the support tree. EOP E-0 asks the operators to recognize if the RCS is intact. If they decide that the RCS is intact following an SI, they are then instructed to go to EOP ES-1.1 for "Safety Injection Termination." There is a danger, as occurred at Three Mile Island (TMI), that the HHSI will be temporarily stopped. EOP ES-1.1, however, provides for a recheck of safety injection termination and an escape back to EOP E-1. Nevertheless, this potential error of commission is included in the system model for this top event. This top event includes consideration of the failure modes of the relevant pipes, valves (except MOV-CH-115B and MOV-CH-115D, modeled in Top Event VL), and the HHSI pumps needed to model availability of the HHSI. Failure of this event implies that HHSI and charging flow for RCP seal injection are unavailable. Success of Top Event HH means that these two functions are possible. HHSI further requires the availability of water in the RWST (i.e., Top Event RW), and of a flow path from the RWST to one of the three cold leg injection line entry points in the RCS; i.e., as modeled in Top Events VL and HC. Success of RCP seal injection does not require flow from the RWST, provided the volume control tank (VCT) remains available as a source of water for HHSI pump suction.

Successful RCP seal injection flow also requires that flow paths from the discharge of the operable HHSI pump to each of the RCP seals be available. These RCP seal injection flow paths are modeled in Top Event SE.

- Top Event HC - HHSI Cold Leg Injection Path. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of three cold legs is sufficient for either HHSI or LHSI. If Top Event HH is successful (i.e., HHSI is available), then the three cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows:

- To cold leg 1, SI-100 and SI-23 must open.
- To cold leg 2, SI-101 and SI-24 must open.
- To cold leg 3, SI-[illegible in source] and SI-25 must open.

Top Event HC includes the redundant MOVs (i.e., 867A, 867B, 867C, and 867D) at the pump discharge and the common check valve (SI-94) on the flow path from the redundant MOVs to the cold legs. In addition, operator action to open the alternate injection path (EOP E-0 Step 9) through MOV-SI-836 is modeled. This action bypasses failure of the BIT path due to MOV failures or the common check valve. Flow diversion failures through the BIT recirculation system or spurious opening of relief valve RV-SI-857 are modeled to fail HC.
- Top Event SE - RCP Seal injec%." Trmal Barrier Cooling. The charging system provides RCP seal injection. Nor al.'y. N 7r Ant component cooling water system (CCR) provides RCP thermal barri
- cuoSeat; ' W ,oling, and motor cooling. Either thermal barrier cooling provided g L(i < < <cai it.jaction provided by the charging system is sufficient to prevent a seal Luca are RCPs are not running.
Top Event SE models RCP seal cooling rom both thermal barrier cooling and seal injection. RCP seal injection is modeled as a success path if one of the HHSI (char 0ing) pumps (l c., in Top Event HH) is successful, and either flow from the RWST is available or there has not been an automatic switchover to the RWST and flow from the VCT remains available. Switchover of HHSI pump suction from the VCT to the RWST occurs on a safety injection signal. Switchover to the RWST also is necessary on low VCT 'evel. On low level, the switchover may occur automatically or be initiated manually. isolation of letdown alone is assumed to not require switchover because normal charging should automatically run back to minimum flow. However, loss of vital instrument bus I,11, or 111 (i.e., red, white, or blue) could lead to failure of pressurizer level control, depending on how the system is aligned. If vital instrument channel i fails, there is also a loss of automatic makeup to the VCT. Loss of pressurizer level control results in full flow from normal charging. Operator action is then required to return pressurizer level control before switchover occurs. The flow path from the common charging header to all three RCP seals is also bcluded in the Top Event SE model. All three charging purrps are headered so that any one pump can provide seal injection to all three RCPs. The valves in the seal injection flow path from the discharge of the HHSI pumps are either motor operated and normally open, or they are manual valves and normally open. A common hydraulic control valve (HCV-CH 186) falls open. if CCR flow to the RCPs is initially unavailable, but the RCPs continue to run, then success of Top Event SE requires that the operators quickly trip the RCPs, in accordanca with the RCP seal trouble alarm procedure, before any seal damage occurs due to pump vibration, whether one mode or both modes of seal cooling are available later. 
Thermal barrier cooling for the RCP seals is modeled in support system Top Event TB. If Top Event TB is successful, RCP seal injection is not required. Top Event SE is queried following non-LOCA initiating events with a successful isolation of the pressurizer; i.e., no RCS leakage. This event is considered irrelevant if a LOCA has already occurred. Failure of Top Event SE is assumed to lead to a small LOCA by virtue of RCP seal leakage.
- Top Event CD - Cooldown of RCS and Depressurization of Secondary Side. This event models the operator action and equipment needed to cool down the primary and depressurize the secondary. Some form of steam generator cooling (i.e., from either AFW, dedicated AFW, or MFW) is required. This action covers ES-1.2 or ECA-0.0. Failure of this event implies that the steam generators are not used for active plant cooldown in order to reduce RCS pressure.
One of the three steam generators' atmospheric dump valves is assumed to be required for success of this event. To simplify the model, use of the condenser steam dumps and the condenser is conservatively neglected; instead, the cooldown and depressurization is accomplished by the operators lowering the pressure setpoint or locally opening one of the steam generator atmospheric dump valves. Success of Top Events CD and OC, given a small LOCA followed by a failure of recirculation, is assumed to result in low RCS pressure at the time of vessel melt-through. For sequences involving loss of all emergency AC power, success of Top Event CD implies that the RCS is cooled down and depressurized to limit the leakage rate from the RCS through the RCP seals.
- Top Event OD - Depressurization of the RCS to RHR Entry Conditions. This event models the successful depressurization of the RCS to RHR entry conditions (i.e., RCS temperature less than 325°F and RCS pressure less than 360 psig), given that the operators have already successfully cooled down the RCS and depressurized the steam generators; i.e., success of Top Event CD. The RCS depressurization is accomplished using normal pressurizer spray, auxiliary pressurizer spray, or the pressurizer PORVs in accordance with ES-1.2. Credit for using the RCS head vents alone, which may not be a viable approach, is conservatively neglected. Normal pressurizer spray requires successful operation of RCP A or C. RCP A or C is assumed to be available if both offsite power and reactor plant component cooling water are successful. Auxiliary pressurizer spray requires that at least one of the three HHSI pumps be available to supply charging and that letdown is maintained. For successful depressurization using the pressurizer PORVs, the operators must open the pressurizer PORV and its block valve if necessary.
Once depressurized, reclosure of the pressurizer PORV trains is modeled in Top Event PI. Failure of Top Event OD implies that RCS pressure remains high. For LOCAs, this can affect the leak rate from the RCS. If steam generator cooling is not available, this top event is not queried. Instead, RCS depressurization is modeled in Top Event OB for feed and bleed cooling.
- Top Event PI - Pressurizer PORVs Are Isolated after RCS Depressurization. In the event that pressurizer spray is unavailable, the RCS depressurization pressurizer PORV is assumed to be opened whenever Top Event OD is successful. The RCPs are assumed unavailable for normal pressurizer spray if offsite power or CCR (support system Top Event OG or CC), needed for RCP operation, has failed.
The analysis of Top Event PI models the successful reclosing of the affected PORV(s) after the challenge or, alternatively, the successful manual closure of the block valves to isolate the pressurizer PORV relief line(s). Failure of this top event is treated in the remainder of the model as a small LOCA; that is, it is assumed that failure to isolate will occur in only one pressurizer relief path.
- Top Event RR - Residual Heat Removal. Top Event RR evaluates the availability of the RHR system to provide core decay heat removal, and the operator actions to initiate RHR once the RCS has been cooled down and depressurized sufficiently to allow RHR to be placed in service (ES-1.2). To place RHR in service, RCS temperature must be less than 325°F and RCS pressure must be less than 360 psig.
This event is only asked if the RCS must be cooled to cold shutdown conditions to limit RCS leakage. Success of this event implies that cooldown to cold shutdown conditions is completed so that RCS leakage can be minimized, thereby avoiding the need for switchover to recirculation (Top Event NR is successful in the GTRECIRC event tree). Failure of this event indicates that RHR was not successfully established, so that RCS leakage into the containment must be remedied some other way. For small LOCAs, the PRA model assumes that a CIB signal is reached that would trip the AC power (stub buses) to the RHR pumps. In addition, these pumps, located inside containment, are not qualified for accident conditions. This event may be of more interest later, should plant trips involving very small LOCAs be of interest.

The GTRECIRC event tree makes up the second part of the general transient/small LOCA event tree sequence model. The top events in the GTRECIRC tree are summarized in Table 3.1.3-2 and described below.
- Top Event NR - Recirculation from Sump Not Required. This top event acts as a switch to assure that sequences in the GENTRANS event tree are correctly connected to the remainder of the sequence model in GTRECIRC. If Top Event NR is successful, this implies that the plant is in a stable configuration with recirculation from the containment sump not required, steam generator cooling successful, and no LOCA condition. Failure of Top Event NR implies that the status of containment systems is of interest for recirculation from the sump.
- Top Event NM - No Melt Condition from Injection Phase. This top event is also a switch. It is asked only if Top Event NR is failed. Success of Top Event NM implies that during the early or injection phase of the accident, plant systems responded correctly but that recirculation from the containment sump is required to prevent core damage. Failure of Top Event NM implies that during the early or injection phase of the accident, core damage occurred. The status of containment systems is then queried to define the likely release paths from containment.
- Top Events QA and QB - Quench Spray Train A & Train B. A high containment pressure of 8 psig initiates a CIB signal that starts both QS pumps. The motor-operated valves in the suction, MOV-QS-100A and MOV-QS-100B, and the discharge valves MOV-QS-103A and MOV-QS-103B are normally open. Discharge valves MOV-QS-101A and MOV-QS-101B are normally shut and receive a CIB signal to open. Check valves in the discharge piping would be required to open, if not already open.
Since the quench spray pumps divert some of their flow directly to the containment sump, it is currently believed that if one quench spray train fails, the associated RS pumps would not have sufficient NPSH at the time they automatically start. Operators would then have to take manual actions to stop the pumps in order to protect them. This operator action is modeled in Top Event OP. A QS cutback feature is provided for when the RWST level falls to 11 feet, to minimize subatmospheric peak pressure. This reduction to approximately 1100 gpm per train is accomplished by closing discharge valves MOV-QS-103A and MOV-QS-103B and redirecting flow through an orifice in each train. Procedures exist both for QS cutback verification and for containment spray termination if the containment pressure is less than 8.9 psia. Success of the cutback also extends the time available for switchover to recirculation. For PRA purposes, the recirculation switchover timing only affects the backup operator action to perform the recirculation manually, since keeping the containment subatmospheric is not a concern, and therefore does not appear to be of great significance. For now, however, cutback will be included when computing time to switchover. QS operation influences the time to depletion of the RWST, and knowledge of its availability is required for containment analysis. In the plant sequence model, a containment pressure of 8 psig is assumed to be reached for all LOCA sizes, steam line breaks, feed and bleed cooling scenarios, and any scenario resulting in core damage.
- Top Events LA and LB - Low Head Safety Injection Pump Trains A & B. These top events query the availability of the LHSI pump trains providing flow from the RWST suction valves (manual valve SI 30, check valve SI 5, and motor-operated valves MOV-SI-862A and MOV-SI-862B) through the pumps SI-P-1A and SI-P-1B to the discharge check valves SI 6 and SI 7, up to the point where recirculation spray flow joins the lines. For small LOCAs in which HHSI is available and RCS pressure is greater than 250 psig, the LHSI pumps are turned off per EOP ES-1.2, Post-LOCA Cooldown and Depressurization. For LOCAs in which HHSI is not available, RCS pressure would not be stable or increasing, so LHSI would remain operating to transfer RWST water to the containment once RCS pressure dropped sufficiently.
The LHSI pumps for Unit 1 have associated containment sump valves MOV-SI-860A and MOV-SI-860B for recirculation mode core cooling. These valves are modeled in Top Events VA and VB. For small LOCAs, success of this top event requires that the miniflow valves (MOV-SI-885A, B, C, & D) remain open, since they are needed to protect the pumps against dead-heading. Failure to close these valves during the recirculation phase of SI is modeled in Top Event OR. During small LOCAs the operators are required by EOP E-1, Step 10, to stop the LHSI pumps and then restart them, if required, during the recirculation phase. These operator actions are modeled in. The automatic and manual actions to align for cold leg recirculation from the sump are modeled in Top Event OR. The equipment needed to model the crosstie between high and low head pumps for recirculation is modeled in Top Event HR. For the purpose of containment status, success of either HHSI or LHSI is treated as a successful transfer of RWST inventory into the reactor vessel. Transients and LOCAs characterized by high pressure core meltdowns (e.g., failure of Top Event HH during a small LOCA, or complete loss of heat sink during a non-LOCA transient), in which the pressure stays above about 120 psig, do not provide the opportunity for LHSI prior to core meltdown. The actions identified in EOP FR-C.1 are assumed not to be sufficient to lower RCS pressure to permit LHSI prior to core damage. After vessel failure, however, the head against which the low pressure pumps must operate may fall below their shutoff head, and injection of the RWST inventory may then be achieved. The status of RWST inventory in the containment, particularly in the sump and reactor cavity, is required for containment analysis, should the accident progress to core damage.
- Top Event LC - LHSI Cold Leg Injection Paths. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of the three cold legs is sufficient for either HHSI or LHSI. If both trains of HHSI are not available during a small LOCA (i.e., Top Event HH fails), then the operators would attempt to use LHSI; i.e., Top Events LA and LB. In this case, the cold leg injection paths of interest involve six check valves that are modeled in Top Event LC as follows:
- To cold leg 1: SI 12 and SI 23 must open.
- To cold leg 2: SI 11 and SI 24 must open.
- To cold leg 3: SI 10 and SI 25 must open.
Top Event LC also considers the motor-operated valves (i.e., MOV-SI-864A, MOV-SI-864B, and MOV-SI-890C) in the LHSI flow path downstream of the points where recirculation spray joins, but before the injection path header, from which flow then splits three ways into each cold leg.
- Top Event SM - Containment Sump. This event models the unavailability of the containment sump (e.g., due to plugging with containment debris) and common cause unavailability of all four recirculation spray trains due to their river water supply check valves.
If Top Event SM fails, then all recirculation spray pumps are ineffective and the LHSI sump recirculation valves modeled in Top Events VA and VB cannot supply the LHSI pumps; consequently, neither recirculation spray nor recirculation mode core cooling is available. The assessment of sump unavailability in this top event assumes that the scenario has not yet progressed to a core damage condition. Postmelt containment environment effects (i.e., sump plugging) are deferred for consideration in the Level 2 analysis.
- Top Event OP - Operator Protects RS Pumps. This event models the operators' ability to stop the recirculation spray pumps when the containment sump level is too low. The inside and outside recirculation spray pumps RS-P-1A and RS-P-2A, respectively, have a pump start delay time of 210 seconds after a CIB signal is initiated. The inside and outside recirculation spray pumps RS-P-1B and RS-P-2B, respectively, have a pump start delay time of 225 seconds after a CIB signal is initiated. Small LOCAs that reach 8 psig in the containment and cause initiation of a CIB may not provide sufficient water in the containment sump to meet the minimum recirculation spray pump suction requirements within the delay time if the associated QS pump does not operate. The procedures do not specifically instruct operators to stop the recirculation spray pumps if the associated QS pump fails to start/run; however, this could be an important action and will be modeled at this time.
- Top Event RS - Inside RS Train A or Train B. The four recirculation spray pumps are automatically started following a 210 second delay for the A pumps and a 225 second delay for the B pumps after a CIB. This is to give the quench spray pumps sufficient time to fill the containment sump to provide the required NPSH for the recirculation spray pumps.
This delay time, however, may not be sufficient (i.e., depending on the RCS leak rate) to allow ample water to collect in the containment sump if the associated QS pump does not operate. The recirculation spray pumps must sometimes be manually turned off to prevent them from cavitating and then turned back on when NPSH is sufficient. Operator actions to first turn off and then turn on the pumps are modeled in Top Events OP and OR. Pumps 1A and 1B are dedicated to providing recirculation spray. Pumps 2A and 2B can be realigned following a recirculation mode signal, during LOCA scenarios, to provide both recirculation spray and in-vessel core cooling if Top Events LA, LB, VA, and VB fail. Top Event RS includes the start and run of either recirculation spray pump 1A or 1B (or both) with the associated piping, valve operation, and spray header. Knowledge of success or failure of RS is required only for containment analysis; i.e., it does not impact the calculation of the core damage frequency. Given successful operation of the outside recirculation spray trains, but failure of the inside recirculation spray trains, the 2A and 2B pumps would be aligned to provide only the recirculation spray function when either LHSI pump is providing recirculation core cooling. If neither LHSI pump can provide recirculation core cooling, then pump 2A or 2B must be aligned to provide the recirculation spray and cooling function while the other pump provides core injection.
- Top Events RA and RB - Outside RS Pump/Spray Trains A & B. These events model the availability of recirculation spray pump trains A and B, and the valves needed for recirculation spray or to establish cold leg recirculation through the LHSI lines. The cross-connect valves to the discharge of the LHSI pumps are modeled in Top Event OR for low pressure recirculation, and the cross-connect valves to the suction of the HHSI pumps are modeled in Top Event HR for high pressure recirculation. Recirculation spray train A is aligned to recirculation spray and core cooling train A, and recirculation spray train B is aligned to recirculation spray and core cooling train B.
The following equipment actions are modeled herein:
- Start and run of RS-P-2A and RS-P-2B following a CIB, or a manual start if a CIB does not occur. For purposes of this analysis, a CIB condition is assumed. (The operator actions are modeled in Top Event OR.)
- Opening of the river water header for the coolers RS-E-1C and RS-E-1D. Only the recirculation spray water goes through the coolers; flow going to the core is not cooled.
- Proper positioning of suction and discharge valves MOV-RS-155A and MOV-RS-156A for the A pump, and MOV-RS-155B and MOV-RS-156B for the B pump. MOVs 155A and 155B are normally open and must remain open. MOVs 156A and 156B are normally closed and must open. The recirculation spray header check valves must also open.
- Top Events VA and VB - Containment Sump Valve for LHSI Pump A and Pump B. The LHSI pumps can take suction from either the RWST during the injection phase or the containment sump during the recirculation phase. These top events model the valves which are necessary to provide a suction path from the containment sump to the LHSI pumps. Motor-operated valve MOV-SI-860A and check valve SI 1 are for LHSI pump A. Motor-operated valve MOV-SI-860B and check valve SI 2 are for LHSI pump B. MOV-SI-860A and B are normally closed and must open when the SI recirculation phase signal is initiated. This automatic action is modeled in Top Event OR. Presently, the failure of VA during the recirculation mode is assumed to fail Low Head Safety Injection Pump Train A. Failure of VB is assumed to fail Low Head Safety Injection Pump Train B. A cross-connect from VA to train B or VB to train A does exist by opening the RWST suction valves MOV-SI-862A and B; however, this action will not be modeled at this time.
- Top Event OR - Automatic/Manual Actions for Cold Leg Recirculation. This event models the automatic signal to transfer to recirculation and the operator actions considered in realigning the plant from the injection mode to the recirculation mode for LOCA sequences when the automatic signal has failed, or the low pressure injection pumps or valves have failed and the operator must align one of the outside RS pumps to the core injection mode. Realignment for both high pressure and low pressure recirculation is considered. Proper calibration of the RWST level sensors is considered in the model. When the RWST level drops below 20 feet, the operators are instructed to enter EOP ES-1.3, verify that the system is properly aligned, and, if not, manually align for cold leg recirculation. (Actions to reset the safety injection signal, such as in EOP E-1, do not reset the recirculation mode signal.) The recirculation mode signal, however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculation switchover if the pumps had been stopped previously to avoid cavitation caused by insufficient NPSH. This action to restart the pumps is modeled in this top event. In the event that a CIB signal did not occur, the operators need not stop the RS pumps, but must start them for the first time to go to recirculation if the LHSI pumps are not available. For steam line breaks inside containment sufficiently large to lead to a CIB signal, EOP E-1 permits the operators to stop the QS pumps once containment pressure is reduced to less than 1.0 psig. This action preserves RWST inventory in case it is needed later; i.e., for subsequent, induced small LOCAs following the steam line break initiating event. Success or failure of this action can affect the required timing for switchover to recirculation from the injection mode. For the current model, the QS pumps are assumed to be stopped, which extends the time available for successful switchover to recirculation. Also considered in this top event, for all initiating events, is the isolation of the two recirculation paths from the LHSI lines to the RWST, and the two paths from the HHSI suction lines.

This is to ensure that water from the containment sump is not inadvertently pumped back into the RWST and thus is unavailable for recirculation. The four lines considered are the two flow paths through the LHSI pumps and MOVs SI 885 A & D and B & C, and reverse flow through the two HHSI suction valves (MOVs SI 115B and D). Failure of the redundant valves on the HHSI lines, or failure of both valves in series for the LHSI lines, to reseat or reclose is assumed to result in failure of Top Event OR.
Establishment of separate recirculation flow paths by isolating the redundant lines from each other is not considered necessary for success. The model, however, conservatively assumes that the trains are isolated. Isolation of the lines, in this case, can actually reduce system availability because, once separated, operator action is then required to establish crossover paths to recover from certain combinations of failures that involve two trains. These failure combinations are believed to be more likely than the single pipe breaks from which separation of the two trains was meant to protect. This event includes operator actions to control river water flow to the RS coolers to control containment pressure, and to restart the RS pumps (if they were stopped in Top Event OP), as well as verification and establishment of correct valve alignment for recirculation. The valve hardware failure modes themselves are modeled in Top Events RA and RB. Top Event OR will be conservatively modeled such that, for any low pressure recirculation realignment after core melt (i.e., MLOCA, LLOCA, etc.) and failure of the sump suction valves, the outside RS train A pump (Top Event RA) can only be crosstied if the Low Head Safety Injection train A pump (Top Event LA) is available/successful. This is due to the possibility of failing the common cold leg low pressure discharge valve MOV-SI-864A, which is modeled in Top Event LA. The same is true for the train B pumps (Top Events RB and LB) due to the failure of MOV-SI-864B. For any high pressure recirculation realignment, either outside RS pump can be used, since Top Events RA and RB are not dependent on Top Events LA and LB; the common cold leg high pressure discharge valves MOV-SI-863A and B are modeled in Top Event HR (Low Head to High Head Flow Path for Recirculation Core Cooling). Failure of this event is treated as failure of the cold leg recirculation mode of the emergency core cooling system (ECCS). The long term transfer to hot leg recirculation 14 hours after the LOCA starts (i.e., following EOP ES-1.4) is not modeled; it is assumed that in the long period available before boron precipitation could become a problem, the operating staff will find a way to transfer to hot leg recirculation, even if initially unsuccessful.
- Top Event HR - Low Head to High Head Flow Path for Recirculation Core Cooling. Establishment of high head recirculation, given that low head recirculation is available, depends on the availability of the charging pumps and the opening of valves MOV-SI-863A and MOV-SI-863B. These valves receive an automatic command following a recirculation mode signal. Success of the recirculation mode signal requires proper operation and calibration of the RWST level sensors. The recirculation mode signal is considered in the Top Event OR analysis along with the backup manual actions to establish recirculation. As the alternate cold leg injection path, MOV-SI-836 has no power and is called out by procedure as an alternate flow path for HHSI once the transfer to the recirculation phase is complete; however, this flow path is not modeled at this time. Success of Top Event HR requires that MOV-SI-863A opens to permit flow from either SI-P-1A or RS-P-2A, and MOV-SI-863B opens to permit flow from either SI-P-1B or RS-P-2B, which must be operable (i.e., as modeled by Top Events LA, LB, RA, and RB), to the suction of all three HHSI pumps.
- Top Event MU - Makeup to RWST. This event models the operator action and equipment necessary to supply borated water makeup to the RWST during a LOCA with failure of emergency recirculation. The makeup actions are called for by procedure; i.e., EOP ECA-1.1 when RWST level is low and cold leg recirculation is unavailable, which refers operators to OM 1.7.4.Q, RWST Makeup procedures.
Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST. Makeup from the coolant recovery tanks will not be modeled since it requires that a temporary hose connection be made. The spent fuel pool is normally filled to a level 20 inches above the technical specification limit. The technical specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emergency makeup from the river water system into the spent fuel pool is also possible but requires that a locked shut manual valve (RW-124) be opened. Since use of this system connection is not proceduralized, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rating of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours with one pump running, or half that time if both pumps are running. The required makeup rate to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, as indicated by Attachment E-G of EOP ECA-1.1, is less than 200 gpm for times greater than 100 minutes after plant trip. Therefore, this volume of borated water is sufficient to last at least 9 hours after makeup begins. At least 120 gpm of makeup can be provided from the boric acid blender. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after plant trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would be insufficient. Therefore, makeup from the spent fuel pool is assumed to be required initially; then, to continue providing makeup for 24 hours, manual blending operations using the boric acid tanks are also required. Makeup from the spent fuel pool requires one of the two fuel pool purification pumps (i.e., FC-P-4A and FC-P-4B) to start and run, and manual valves at the discharge of the pumps to the RWST must be opened. The spent fuel pool inventory should already be borated to 2,000 ppm. For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operations, the makeup alignment is more complex. Clean water from the primary water storage tanks (i.e., 1BR-TK-6A and 1BR-TK-6B) is blended with boric acid from the boric acid tanks (i.e., CH-TK-1A and CH-TK-1B). Manual intervention is required to assure the proper blend of boric acid and clean water to achieve a mixed concentration of roughly 2,000 ppm boron. Both boric acid tanks, but only one primary water storage tank, are needed to supply sufficient makeup for the remainder of the 24 hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of the two primary water supply pumps (i.e., 1BR-P-10A and 1BR-P-10B) and either of the boric acid transfer pumps (i.e., CH-P-2A and CH-P-2B) are required for success, since the boric acid transfer pumps can be crosstied. Success of Top Event MU means that continued HHSI injection can be performed for RCS inventory control at full RCS pressure despite continuing RCS leakage. For sequences in which RHR cannot be placed in service, because either the initial cooldown and depressurization could not achieve RHR entry conditions (i.e., less than 325°F and less than 360 psig) or the RHR system is unavailable, success of Top Event MU can be very important. Failure of Top Event MU means that inventory control is not available, and eventual core damage results.
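The mission-time reasoning behind Top Event MU, written out as an added worked example (not part of the PRA model or its documentation): it uses only the volumes and rates quoted above and treats the 200 gpm demand as the bounding rate, so the pool duration is a lower bound and the blending hours an upper bound (matching the 15 hour end of the 10 to 15 hour range).

```python
"""Timing checks for borated-water makeup to the RWST (Top Event MU).

Added illustration built from the figures quoted in the text; it is not part
of the Beaver Valley PRA model itself.
"""
from dataclasses import dataclass

MINUTES_PER_HOUR = 60.0


@dataclass(frozen=True)
class MakeupSource:
    """A borated-water inventory and the pumps that move it to the RWST."""
    name: str
    inventory_gal: float      # water available for rapid makeup
    pump_rate_gpm: float      # design rating of one pump
    max_pumps: int            # pumps that can run in parallel

    def delivery_gpm(self, pumps_running: int) -> float:
        if not 1 <= pumps_running <= self.max_pumps:
            raise ValueError(f"{self.name}: {pumps_running} pumps not available")
        return self.pump_rate_gpm * pumps_running

    def transfer_hours(self, pumps_running: int) -> float:
        """Hours to move the whole inventory into the RWST."""
        return self.inventory_gal / (self.delivery_gpm(pumps_running) * MINUTES_PER_HOUR)


def hours_sustained(inventory_gal: float, demand_gpm: float) -> float:
    """How long a fixed inventory sustains a given injection makeup demand."""
    if demand_gpm <= 0:
        raise ValueError("demand must be positive")
    return inventory_gal / (demand_gpm * MINUTES_PER_HOUR)


def keeps_up(supply_gpm: float, demand_gpm: float) -> bool:
    """A continuously fed source (the blender) sustains injection only if it
    can deliver at least the demand rate; otherwise the RWST keeps draining."""
    return supply_gpm >= demand_gpm


def plan_rwst_makeup(pool: MakeupSource, blender_gpm: float,
                     demand_gpm: float, mission_hours: float) -> dict:
    """Mission-time check: pool first, then blending for the remainder.

    demand_gpm is an upper bound (the text says "less than 200 gpm"), so
    pool_sustains_hours is a lower bound and blending_hours_needed an upper
    bound on what the boric acid blending must cover.
    """
    pool_hours = hours_sustained(pool.inventory_gal, demand_gpm)
    return {
        "transfer_hours_one_pump": pool.transfer_hours(1),
        "transfer_hours_two_pumps": pool.transfer_hours(pool.max_pumps),
        "pool_sustains_hours": pool_hours,
        "blender_alone_sufficient": keeps_up(blender_gpm, demand_gpm),
        "blending_hours_needed": max(0.0, mission_hours - pool_hours),
        # If the pool can be emptied faster than the demand consumes it,
        # inventory rather than pump capacity bounds how long it carries the load.
        "pump_capacity_limiting": pool.transfer_hours(1) > pool_hours,
    }


# Figures from the text: 108,000 gal excess pool inventory, two 400 gpm
# purification pumps, less than 200 gpm required makeup, at least 120 gpm
# from the boric acid blender, and a 24 hour mission time.
SPENT_FUEL_POOL = MakeupSource("spent fuel pool", 108_000.0, 400.0, 2)


def beaver_valley_case() -> dict:
    return plan_rwst_makeup(SPENT_FUEL_POOL, blender_gpm=120.0,
                            demand_gpm=200.0, mission_hours=24.0)


if __name__ == "__main__":
    for key, value in beaver_valley_case().items():
        print(f"{key:28s} {value}")
```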
- Top Event CI - Containment Isolation. This top event questions the failure to create and maintain an isolated containment following safety injection and CIA and CIB signals. The containment penetrations explicitly modeled are:

- Containment major vents and drains; e.g., sump pump discharge
- Connections to RCS; e.g., RCP seal water return
- Connections to containment atmosphere; e.g., containment vacuum line

This model also includes operator actions to ensure that the isolation valves remain closed (e.g., in EOP ES-1.1) after the resetting of the CIA and CIB signals. The safety injection, CIA, and CIB signals are reset in accordance with procedures by the operators in a number of situations. Examples of such situations include post-LOCA cooldown and depressurization (i.e., EOP ES-1.2), transfer to cold leg recirculation (i.e., EOP ES-1.3), the response to loss of emergency coolant recirculation (i.e., EOP ECA-1.1), and safety injection termination (i.e., EOP ES-1.1). Manual isolation of the RCP seal return line during a loss of all vital AC (i.e., EOP ECA-0.0) is also modeled in this top event. The status of containment isolation is needed for the containment analysis.
Two other potential failure modes have been postulated for loss of containment integrity. For small LOCAs, the CIA and CIB signals would not be generated immediately. If the containment vacuum line or sump pump discharge line is open at the start of the LOCA, a portion of the containment air would be swept out of the containment and replaced by steam prior to successful containment isolation. If a CIB signal then actuates the QS and RS pumps, containment pressure should quickly fall to subatmospheric. If the operators fail to terminate the QS pumps or RS pumps, there is the potential for containment pressure to fall below design limits; i.e., less than 9 psia. However, a realistic containment failure mode for such sequences has not been identified. This potential containment failure mode is not unique to Beaver Valley Unit 1. Because the penetrations at Beaver Valley Unit 1 (which may be open while at power) are relatively small, it is difficult to purge much containment air prior to isolation. Therefore, this failure mode is not quantified in the PRA model. A second potential failure mode is associated with steam line breaks within containment. If feedwater fails to isolate, two or more steam generators blow down inside containment, or the operators fail to control AFW flow to the faulted steam generator, containment pressure may exceed design limits. In the current model, it is assumed that the realistic containment failure pressure would still not be exceeded, so that containment integrity is maintained. Consequently, this postulated containment failure mode was also not quantified.

3.1.3.2 Medium LOCA Event Tree

Medium LOCAs are quantified using a separate event tree from that of the general transient/small LOCA event trees. This was found to be convenient to reflect the different system success criteria to mitigate medium LOCAs. For example, both HHSI and LHSI are required for success to cover the full range of medium LOCAs. Table 3.1.2-4 summarizes the system success criteria needed to ensure that each of the key safety functions is performed. More details concerning the system success criteria are provided in the top event descriptions that follow. For convenient reference, Table 3.1.3-3 summarizes the top events that appear in the medium LOCA event tree models. The medium LOCA event tree structure is shown in Figure 3.1.3-3.
- Top Event HH - High Head Safety Injection Pumps. This top event models the two HHSI trains with pumps 1CH-P-1A and 1CH-P-1B. Success requires one pump train to be operable. The third pump, 1CH-P-1C, may be electrically aligned to either orange or purple emergency power if either of the other two pumps fails. Only two pumps at a time, however, receive an automatic start signal. Pump 1CH-P-1C is included in the model as a backup to either pump 1CH-P-1A or 1CH-P-1B, with the associated operator actions to align it. If both pumps 1CH-P-1A and 1CH-P-1B have failed, but the required support systems are available to each train, the operator is modeled as aligning pump 1CH-P-1C to train A. These pump trains share a common dependence on the single suction line from the RWST, which is modeled in Top Event VL of the support tree. The RWST itself is modeled in Top Event RW of the support tree.

EOP E-0 asks the operators to recognize whether the RCS is intact. If they decide that the RCS is intact following a safety injection, they are then instructed to go to EOP ES-1.1, "Safety Injection Termination". There is a danger, as occurred at TMI, that HHSI will be temporarily stopped. EOP ES-1.1, however, provides for a recheck of safety injection termination and an escape back to EOP E-1. Nevertheless, this potential error of commission is included in the system model.

This top event includes consideration of the failure modes of the relevant pipes, valves, and the HHSI pumps needed to model the availability of HHSI. Failure of this event implies that HHSI and charging flow for RCP seal injection are unavailable. Success of Top Event HH means that these two functions are possible. HHSI further requires the availability of water in the RWST (i.e., Top Event RW) and a flow path from the RWST to two of the three cold leg injection line entry points in the RCS, as modeled in Top Events VL and HM.
- Top Event HM - HHSI Cold Leg Injection Paths. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into two of three cold legs is sufficient for HHSI. If Top Event HH is successful (i.e., HHSI is available), then the three cold leg injection paths of interest include six check valves that are modeled in Top Event HM as follows:
- To cold leg 1, SI-100 and SI-23 must open.
- To cold leg 2, SI-101 and SI-24 must open.
- To cold leg 3, SI-102 and SI-25 must open.
Top Event HM also includes the redundant MOVs (i.e., 867A, 867B, 867C, and 867D) at the pumps' discharge and the common check valve (SI-94) on the flow path from the pumps through the redundant MOVs to the cold legs.
- Top Event AM - Two of Three Accumulators Discharge. Current success criteria for medium LOCAs require adequate accumulator discharge to avoid core melt. Top Event AM requires that the water from two accumulators enter the vessel. It is traditionally assumed that the water from one accumulator is lost out of the break during a large LOCA because certain cold leg break locations will cause this to occur. This conservative assumption is not made for a medium LOCA. Accordingly, Top Event AM is successful if two of three accumulators and the associated valves operate properly.
The equipment included in this top event is as follows:
- The accumulator tanks at the specified 600 psia overpressure.
- MOVs SI-865A, SI-865B, and SI-865C on the discharge lines. These valves are normally open with power removed during Modes 1 and 2. In addition, they are given a safety injection signal to open.
- Two normally closed check valves in each accumulator discharge line must open.
Top Event AM is not questioned in the event tree if Top Event HH or HM fails, since core damage is already assumed to have occurred.
Failure of Top Event AM implies that, as a result of the LOCA, the core uncovers and fuel damage occurs before RCS pressure drops sufficiently to allow adequate injection. Success of Top Event AM means that sufficient water is injected to keep the fuel cooled until RCS pressure falls to allow adequate injection via the LHSI pumps.
- Top Event AF - Auxiliary Feedwater System Provides Flow from One Pump to at Least One Steam Generator. For success of Top Event AF, at least one pump is required to supply at least one steam generator for 24 hours when normal offsite power is available. When normal AC power is unavailable (i.e., LOSP initiator), the mission time is 9 hours (normal makeup is unavailable and the PPDWST is depleted), after which the dedicated AFW pump must be aligned (Top Events DF and OF), or offsite power recovered, or river water aligned to AFW suction. Both of these last two recovery actions are considered in Top Event RE. Each of the two AFW motor-driven pumps and the one turbine-driven pump is headered to provide flow to any of the three steam generators. This top event includes the required valve position changes, pump starts, and pump operation to provide flow to the steam generators by taking suction from the primary plant demineralized water storage tank (PPDWST), WT-TK-10. It also includes the equipment and operator actions needed to provide long-term makeup from the demineralized water storage tank (DWST) to the PPDWST (EOP Attachment 2-H). The principal mode of makeup to the PPDWST is automatic, using a modulating supply valve (LCV-WT-104A) that passes up to 200 gpm from either one of two 350-gpm-capacity demineralized water pumps, WT-P-33A or WT-P-33B. There are additional manual makeup sources from the demineralizer pumps (WT-P-4A and 4B) or from the condensate pumps (CN-P-1A and 1B). All of the above makeup sources to the PPDWST depend on normal AC power. On loss of normal AC (LOSP or Top Event OG failure), makeup is possible from a cross-tie to the Unit 2 demineralized water distribution pumps (2WTD-P23A and B). However, this is presently not modeled because it is not proceduralized. On loss of offsite AC power, either river water must be supplied to the AFW pumps or the dedicated auxiliary feed pump must be aligned, as discussed above. When offsite AC is available, the automatic makeup source and the operator action to align other sources if the automatic source fails are modeled.

As can be seen from the medium LOCA success criteria summary provided in Table 3.1.2-4, the status of AFW has no direct bearing on the frequency of core damage from medium LOCAs in the current model. Top Event AF is included in the event tree for two reasons. One reason is to distinguish sequences in which the operators must follow EOP FR-H.1 from those in which they do not. A second reason is that AFW provides another means of removing heat from the containment in the event that the RS pumps operate but without river water to the RS heat exchangers. This heat removal path is not considered in the current analysis, but may be of interest in future model versions. In the initial PRA model for medium LOCAs, credit is only given for those AFW actuation signals that go through SSPS.

Given that the main steam trip valves are closed (i.e., so that the condenser steam dumps are not available), decay heat may be removed by AFW using one of the following sets of valves:
- Steam Generator Atmospheric Steam Dumps (nominally set at 1,040 psig)
- Residual Heat Release Valve (manually controlled)
- Steam Generator Safety Valves (setpoints range from 1,075 to 1,124 psig)
Historical data and previous analyses for other plants indicate that the failure-to-open frequency of these valves is sufficiently small that modeling the failure to open of all of these sets of valves is not required in this study. Failure to achieve at least one steam relief path for decay heat removal will not be a dominant risk contributor. Therefore, to simplify the model, such failures are neglected.
- Top Events QA/QB - Quench Spray Train A and Train B. Since the quench spray pumps divert some of their flow directly to the containment sump, it is currently believed that if one quench spray train fails, the associated RS pumps would not have sufficient NPSH at the time they automatically start. Operators would then have to take manual actions to stop the pumps in order to protect them. This operator action is modeled in Top Event OP. A QS cutback feature is provided for when the RWST level falls to 11 feet, to minimize the subatmospheric peak pressure. This reduction to approximately 1,100 gpm per train is accomplished by closing discharge valves MOV-QS-103A and MOV-QS-103B and redirecting flow through an orifice in each train. Procedures exist for both QS cutback verification and for containment spray termination if the containment pressure is less than 8.9 psia. Success of the cutback also extends the time available for switchover to recirculation. Since the recirculation switchover timing only affects the backup operator action to perform the recirculation manually, it does not appear to be of great significance. For now, however, the cutback will be modeled as necessary for the success of the associated QS train.
- Top Events LA and LB - Low Head Safety Injection Pump Train A and Train B. Following a medium LOCA, these top events query the availability of the LHSI pump trains providing flow from the RWST suction valves (manual valve SI-30, check valve SI-5, and motor-operated valves MOV-SI-862A and MOV-SI-862B) through the pumps SI-P-1A and SI-P-1B to the discharge check valves SI-6 and SI-7, up to the point where recirculation spray flow joins the lines. Failure of both trains is treated as leading to core damage.

The LHSI pumps for Unit 1 have associated containment sump valves MOV-SI-860A and MOV-SI-860B for recirculation mode core cooling. These valves are modeled in Top Events VA and VB. Because of the recirculation, the analysis must take care to model the proper operator actions to protect the pumps at various RCS pressures. The automatic and manual actions to align for cold leg recirculation from the sump are modeled in Top Event OR; the equipment needed to model the cross-tie between the high and low head pumps for recirculation is modeled in Top Event HR. For the purpose of containment status, success of either HHSI or LHSI is treated as transfer of the RWST inventory into the reactor vessel. LOCAs characterized by medium pressure core meltdown (e.g., failure of Top Event HH during a medium LOCA in which the pressure stays above about 120 psig) do not provide the opportunity for LHSI; in these cases, the RWST water may not have been injected before core meltdown. The actions identified in EOP FR-C.1 are assumed not to be sufficient to lower RCS pressure to permit LHSI prior to core damage. After vessel failure, however, the head against which the low pressure pumps must operate may fall below their shutoff head, and injection of the RWST inventory may then be achieved. This top event is then queried to determine the potential for postmelt core cooling. In any case, the status of the RWST inventory in the containment, particularly in the sump and reactor cavity, is required for the containment analysis should the accident progress to core damage.
- Top Event LM - LHSI Cold Leg Injection Paths. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of three cold legs is sufficient for LHSI. In this case the cold leg injection paths of interest involve six check valves that are modeled in Top Event LM as follows:
- To cold leg 1, SI-12 and SI-23 must open.
- To cold leg 2, SI-11 and SI-24 must open.
- To cold leg 3, SI-10 and SI-25 must open.
Top Event LM also considers the motor-operated valves (i.e., MOV-SI-864A, MOV-SI-864B, and MOV-SI-890C) on the LHSI flow path downstream of the points where recirculation spray joins, but before the injection path header, which then splits three ways for flow into each cold leg.
- Top Event SM - Containment Sump. This event models the unavailability of the containment sump (e.g., due to plugging with containment debris). If Top Event SM fails, then all recirculation spray pumps are ineffective, and the LHSI sump recirculation valves modeled in Top Events VA and VB cannot supply the LHSI pumps; consequently, neither recirculation spray nor recirculation mode core cooling is available. The assessment of sump unavailability in this top event assumes that the scenario has not yet progressed to a core damage condition. Postmelt containment environment effects (e.g., sump plugging) are deferred for consideration in the Level 2 analysis.
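To make the top event logic above concrete, the following is an added worked example written for this page; it is not code from the Beaver Valley PRA or its authors. It encodes the medium LOCA success criteria described for Top Events HH, HM, AM, LA/LB, LM, SM, VA/VB and OR as Boolean functions over a constructed set of failed components, walks the tree in the order the text describes (so AM is never questioned once HH or HM has failed, and VA/VB fail their associated LHSI train in recirculation), and then asks which single component failures alone end in core damage. Component names follow the text where it gives them; the accumulator check valve names (ACC-n-CV1/CV2), the sump name SUMP, the operator-action names align-1C and OR, the assignment of MOV-SI-862A/SI-6 to train A and MOV-SI-862B/SI-7 to train B, the treatment of MOVs 867A-D as fully redundant, and the omission of the LM header MOVs are assumptions of this example. The backup alignment of an outside RS pump to core injection is not modeled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PlantState:
    """Constructed input: the names of failed components and operator actions."""
    failed: frozenset

    def ok(self, *names):
        return all(n not in self.failed for n in names)


# Top Event HH: one of 1CH-P-1A/1B, or 1CH-P-1C aligned to train A by the
# operator.  The RWST (Top Event RW) and the single suction line (Top Event VL)
# are common to all HHSI pumps.
def top_hh(s):
    if not s.ok("RWST", "VL"):
        return False
    return s.ok("1CH-P-1A") or s.ok("1CH-P-1B") or s.ok("1CH-P-1C", "align-1C")


# Check valve pairs per cold leg, as listed in the text for HM and LM.
HM_LEGS = (("SI-100", "SI-23"), ("SI-101", "SI-24"), ("SI-102", "SI-25"))
LM_LEGS = (("SI-12", "SI-23"), ("SI-11", "SI-24"), ("SI-10", "SI-25"))


def open_legs(s, legs):
    """A cold leg path carries flow only if both of its check valves open."""
    return sum(1 for leg in legs if s.ok(*leg))


# Top Event HM: 2 of 3 legs, the common check valve SI-94, and the redundant
# MOVs 867A-D (assumed here to be lost only if all four fail).
def top_hm(s):
    movs = any(s.ok(v) for v in ("867A", "867B", "867C", "867D"))
    return movs and s.ok("SI-94") and open_legs(s, HM_LEGS) >= 2


# Top Event AM: 2 of 3 accumulators, each needing its tank, MOV SI-865x and
# two check valves (named ACC-n-CV1/CV2 here; the text does not name them).
def top_am(s):
    tanks = (("ACC-1", "SI-865A"), ("ACC-2", "SI-865B"), ("ACC-3", "SI-865C"))
    good = sum(1 for t, mov in tanks if s.ok(t, mov, t + "-CV1", t + "-CV2"))
    return good >= 2


# Top Events LA/LB: common RWST suction (SI-30, SI-5), then MOV-SI-862x, pump
# SI-P-1x and the discharge check valve.  Train membership is an assumption.
LHSI_TRAINS = {"A": ("MOV-SI-862A", "SI-P-1A", "SI-6"),
               "B": ("MOV-SI-862B", "SI-P-1B", "SI-7")}


def top_lhsi(s, train):
    return s.ok("RWST", "SI-30", "SI-5") and s.ok(*LHSI_TRAINS[train])


# Top Event LM: 1 of 3 legs (the MOVs on the LHSI header are not modeled here).
def top_lm(s):
    return open_legs(s, LM_LEGS) >= 1


# Top Events VA/VB: sump suction MOV-SI-860x plus check valve SI-1 / SI-2.
def top_v(s, train):
    return s.ok("MOV-SI-860" + train, {"A": "SI-1", "B": "SI-2"}[train])


def medium_loca_sequence(s):
    """Walk the top events in the order the text gives and return
    (end state, list of (top event, result) actually questioned)."""
    asked = []

    def ask(name, result):
        asked.append((name, result))
        return result

    # Injection phase.  AM is not questioned once HH or HM has failed.
    if not ask("HH", top_hh(s)) or not ask("HM", top_hm(s)):
        return "core damage (injection)", asked
    if not ask("AM", top_am(s)):
        return "core damage (accumulators)", asked
    la = ask("LA", top_lhsi(s, "A"))
    lb = ask("LB", top_lhsi(s, "B"))
    if not (la or lb) or not ask("LM", top_lm(s)):
        return "core damage (LHSI)", asked
    # Recirculation phase.  A plugged sump (SM) defeats everything; VA failure
    # fails LA and VB failure fails LB, as the text states.
    if not ask("SM", s.ok("SUMP")):
        return "core damage (recirculation)", asked
    ra = la and ask("VA", top_v(s, "A"))
    rb = lb and ask("VB", top_v(s, "B"))
    if not (ra or rb) or not ask("OR", s.ok("OR")):
        return "core damage (recirculation)", asked
    return "success", asked


ALL_COMPONENTS = (
    "RWST", "VL", "1CH-P-1A", "1CH-P-1B", "1CH-P-1C", "align-1C",
    "867A", "867B", "867C", "867D", "SI-94",
    "SI-100", "SI-101", "SI-102", "SI-23", "SI-24", "SI-25",
    "ACC-1", "ACC-2", "ACC-3", "SI-865A", "SI-865B", "SI-865C",
    "ACC-1-CV1", "ACC-1-CV2", "ACC-2-CV1", "ACC-2-CV2", "ACC-3-CV1", "ACC-3-CV2",
    "SI-30", "SI-5", "MOV-SI-862A", "MOV-SI-862B", "SI-P-1A", "SI-P-1B",
    "SI-6", "SI-7", "SI-12", "SI-11", "SI-10",
    "SUMP", "MOV-SI-860A", "MOV-SI-860B", "SI-1", "SI-2", "OR",
)


def single_point_failures(components=ALL_COMPONENTS):
    """Components whose failure alone, with everything else good, ends in core damage."""
    return sorted(c for c in components
                  if medium_loca_sequence(PlantState(frozenset({c})))[0] != "success")


if __name__ == "__main__":
    print(medium_loca_sequence(PlantState(frozenset({"1CH-P-1A", "1CH-P-1B", "align-1C"}))))
    print(single_point_failures())
```

Under these assumptions the single-point list is exactly the shared dependencies the text calls out: the RWST and its single suction line (VL), the common check valve SI-94, the common LHSI suction valves SI-30 and SI-5, the sump, and the OR realignment; no individual cold leg check valve, pump or accumulator appears, because each is covered by the k-of-n criteria.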
- Top Event OP - Operator Protects RS Pumps. This event models the operators' ability to stop the recirculation spray pumps when the containment sump level is too low. The inside and outside recirculation spray pumps RS-P-1A and RS-P-2A, respectively, have a pump start delay time of 210 seconds after a CIB signal is initiated. The inside and outside recirculation spray pumps RS-P-1B and RS-P-2B, respectively, have a pump start delay time of 225 seconds after a CIB signal is initiated. Small LOCAs that reach 8 psig in the containment and cause initiation of a CIB may not provide sufficient water in the containment sump to meet the minimum recirculation spray pump suction requirements within the delay time if the associated QS pump does not operate. The procedures do not specifically instruct operators to stop the recirculation spray pumps if the associated QS pump fails to start or run; however, this could be an important action and will be modeled at this time.
- Top Event RS - Inside RS Train A or Train B. The four recirculation spray pumps are automatically started following a 210-second delay for the A pumps and a 225-second delay for the B pumps after a CIB. This is to give the QS pumps sufficient time to fill the containment sump to provide the required NPSH for the recirculation spray pumps. This delay time, however, may not be sufficient to allow ample water to collect in the containment sump if the associated QS pumps fail. The recirculation spray pumps must sometimes be manually turned off to prevent them from cavitating and then turned back on when NPSH is sufficient. Operator actions to first turn off and then turn on the pumps are modeled in Top Events OP and OR.

Pumps 1A and 1B are dedicated to providing recirculation spray. Pumps 2A and 2B can be realigned following a recirculation mode signal, during LOCA scenarios, to provide both recirculation spray and in-vessel core cooling if Top Events LA, LB, VA, and VB fail. Top Event RS includes the start and run of either recirculation spray train 1A or 1B (or both) with the associated piping, valve operation, and spray header. Knowledge of success or failure of Top Event RS is required only for the containment analysis; i.e., it does not impact the calculation of the core damage frequency. Given successful operation of the outside recirculation spray trains but failure of the inside recirculation spray trains, the 2A and 2B pumps will be aligned to provide only the recirculation spray function when either LHSI pump is providing recirculation core cooling. If neither LHSI pump can provide recirculation core cooling, then pump 2A or 2B must be aligned to provide the recirculation spray and cooling function while the other pump provides core injection.
- Top Events RA and RB - Outside RS Pump/Spray Train A and Train B. These events model the availability of recirculation spray pump trains A and B, and the valves needed for recirculation spray or to establish cold leg recirculation through the LHSI lines. The cross-connect valves to the discharge of the LHSI pumps are modeled in Top Event OR. Recirculation spray train A is aligned to recirculation spray and core cooling train A, and recirculation spray train B is aligned to recirculation spray and core cooling train B. The following equipment actions are modeled herein:
- Start and run of RS-P-2A and RS-P-2B following a CIB, or a manual start if a CIB does not occur. For purposes of this analysis, a CIB condition is assumed. (The operator actions are modeled in Top Event OR.)
- Opening of the river water header for the coolers RS-E-1C and RS-E-1D. Only the recirculation spray water goes through the coolers; flow going to the core is not cooled.
- Proper positioning of suction and discharge valves MOV-RS-155A and MOV-RS-156A for the A pump and MOV-RS-155B and MOV-RS-156B for the B pump. MOVs 155A and 155B are normally open and must remain open. MOVs 156A and 156B are normally closed and must open. The recirculation spray header check valves must also open.
- Top Events VA and VB - LHSI Recirculation Suction Valves. The LHSI pumps can take suction from either the RWST during the injection phase or the containment sump during the recirculation phase. These top events model the valves which are necessary to provide a suction path from the containment sump to the LHSI pumps. Motor-operated valve MOV-SI-860A and check valve SI-1 are for LHSI pump A. Motor-operated valve MOV-SI-860B and check valve SI-2 are for LHSI pump B. MOV-SI-860A and B are normally closed and must open when the SI recirculation phase signal is initiated. This automatic action is modeled in Top Event OR.

Presently, the failure of VA during the recirculation mode is assumed to fail Top Event LA. Failure of VB is assumed to fail LB. A cross-connect from VA to LB or VB to LA does exist, by using the RWST suction valves MOV-SI-862A and B; however, this action will not be modeled at this time.
- Top Event OR - Automatic/Manual Actions for Cold Leg Recirculation. This event models the automatic signal to transfer to recirculation and the operator actions considered in realigning the plant from the injection mode to the recirculation mode for LOCA sequences where the automatic signal has failed, or where low pressure injection pumps or valves have failed and the operator must align one of the outside RSS pumps to the core injection mode. Realignment for both high pressure and low pressure recirculation is considered. Proper calibration of the RWST level sensors is considered in the model. When the RWST level drops below 20 feet, the operators are instructed to enter EOP ES-1.3, verify that the system is properly aligned, and, if not, manually align for cold leg recirculation. (Actions to reset the safety injection signal, such as in EOP E-1, do not reset the recirculation mode signal.) The recirculation mode signal, however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculation switchover if the pumps had been stopped previously to avoid cavitation caused by insufficient NPSH. This action to restart the pumps is modeled in this top event. In the event that a CIB signal did not occur, the operators need not stop the RS pumps, but must start them for the first time to go to recirculation if the LHSI pumps are not available.

For steam line breaks inside containment sufficiently large to lead to a CIB signal, EOP E-1 permits the operators to stop the QS pumps once containment pressure is reduced to less than 1.0 psig. This action preserves RWST inventory in case it is needed later; i.e., for subsequent, induced small LOCAs following the steam line break initiating event. Success or failure of this action can affect the required timing for switchover to recirculation from the injection mode. For the current model, the QS pumps are assumed to be stopped, which extends the time available for successful switchover to recirculation.

Also considered in this top event, for all initiating events, is the isolation of the two recirculation paths from the LHSI lines to the RWST, and the two paths from the HHSI suction lines. This is to ensure that water from the containment sump is not inadvertently pumped back into the RWST and thus made unavailable for recirculation. The four lines considered are the two flow paths through the LHSI pumps and MOVs SI-885A and D and SI-885B and C, and reverse flow through the two HHSI suction valves (MOVs SI-115B and D). Failure of the redundant valves on the HHSI lines, or failure of both valves in series on the LHSI lines, to reseat or reclose is assumed to result in failure of Top Event OR.

Establishment of separate recirculation flow paths by isolating the redundant lines from each other is not considered necessary for success. The model, however, conservatively assumes that the trains are isolated. Isolation of the lines, in this case, can actually reduce system availability because, once separated, operator action is then required to establish crossover paths to recover from certain combinations of failures that involve two trains. These failure combinations are believed to be more likely than the single pipe breaks from which separation of the two trains was meant to protect. This event includes operator actions to control river water flow to the RS coolers to control containment pressure, and to restart the RSS pumps (if they were stopped in Top Event OP), as well as verification and establishment of correct valve alignment for recirculation. The valve hardware failure modes themselves are modeled in Top Events RA and RB. Failure of this event is treated as failure of the cold leg recirculation mode of the emergency core cooling system (ECCS). The long-term transfer to hot leg recirculation 14 hours after the LOCA starts (i.e., following EOP ES-1.4) is not modeled. It is assumed that in the long period available before boron precipitation could become a problem, the operating staff will find a way to transfer to hot leg recirculation, even if initially unsuccessful.
- Top Event MU - Makeup to RWST. This event models the operator action and equipment necessary to supply borated water makeup to the RWST. The makeup actions are called for by procedure; i.e., EOP ECA-1.1, when RWST level is low and cold leg recirculation is unavailable, refers operators to the OM 1.7.4.0 RWST makeup procedures.

Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST. Makeup from the coolant recovery tanks will not be modeled since it requires that a temporary hose connection be made. The spent fuel pool is normally filled to a level 20 inches above the technical specification limit. The technical specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons.

Emergency makeup from the river water system into the spent fuel pool is also possible but requires that a manual locked-shut valve (RW-124) be opened. Since use of this system connection is not proceduralized, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rating of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours with one pump running, or half that time if both pumps are running. The required makeup rate to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, as indicated by Attachment E-G of EOP ECA-1.1, is less than 200 gpm for times greater than 100 minutes after plant trip. Therefore, this volume of borated water is sufficient to last at least 9 hours after makeup begins. Makeup from the boric acid tanks can only be provided at if0 gpm. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after plant trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would be insufficient. Therefore, makeup from the spent fuel pool is assumed to be required initially; then, to continue providing makeup through 24 hours, manual blending operations using the boric acid tanks are also required. Makeup from the spent fuel pool requires one of the two fuel pool purification pumps (i.e., FC-P-4A and FC-P-4B) to start and run, and the manual valves at the discharge of the pumps to the RWST must be opened. The spent fuel pool inventory should already be borated to 2,000 ppm.

For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operations, the makeup alignment is more complex. Clean water from the primary water storage tanks (i.e., 1BR-TK-6A and 1BR-TK-6B) is blended with boric acid from the boric acid tanks (i.e., CH-TK-1A and CH-TK-1B). Manual intervention is required to assure the proper blend of boric acid and clean water to achieve a mixed concentration of roughly 2,000 ppm boron. Both boric acid tanks but only one primary water storage tank are needed to supply sufficient makeup for the remainder of the 24-hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of the two primary water supply pumps (i.e., 1BR-P-10A and 1BR-P-10B) and either of the boric acid transfer pumps (i.e., CH-P-2A and CH-P-2B) are required for success, since the boric acid transfer pumps can be cross-tied. Success of Top Event MU means that continued HHSI injection can be performed for RCS inventory control at full RCS pressure despite continuing RCS leakage. For sequences in which RHR cannot be placed in service, because either the initial cooldown and depressurization could not achieve RHR entry conditions (i.e., less than 325°F and less than 360 psig) or the RHR system is unavailable, success of Top Event MU can be very important. Failure of Top Event MU means that inventory control is not available, and eventual core damage results.
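The inventory argument behind Top Event MU (spent fuel pool excess first, then blended boric acid for the rest of the 24-hour mission) can be checked with the following added example, written for this page rather than taken from the Beaver Valley PRA. It steps through the mission minute by minute, delivering the spent fuel pool excess at the purification pump rate until it is exhausted and then only the blended source, against a constant injection demand; makeup delivered faster than it is injected accumulates in the RWST and is drawn down later. The 200 gpm demand is the bounding figure from the text applied as a constant, the boric acid blending rate is a parameter with no default claimed for the plant, and the assumption that the two sources are used one after the other rather than together follows the text.

```python
def makeup_coverage_hours(demand_gpm=200, sfp_gal=108_000, pump_gpm=400,
                          n_pumps=1, blend_gpm=0, mission_h=24.0):
    """Hours of continued HHSI injection that RWST makeup can support,
    counted from the start of makeup and capped at the mission time.

    The spent fuel pool excess (sfp_gal) is transferred first at the
    purification pump rate (n_pumps * pump_gpm); once exhausted, only the
    blended boric acid source (blend_gpm, an assumed constant) remains.
    demand_gpm is the constant bounding injection rate.
    """
    rwst_surplus = 0          # makeup delivered but not yet injected
    sfp_left = sfp_gal
    for minute in range(int(mission_h * 60)):
        if sfp_left > 0:
            delivered = min(n_pumps * pump_gpm, sfp_left)
            sfp_left -= delivered
        else:
            delivered = blend_gpm
        rwst_surplus += delivered - demand_gpm
        if rwst_surplus < 0:
            return minute / 60   # injection can no longer be sustained
    return mission_h


def sfp_transfer_hours(sfp_gal=108_000, pump_gpm=400, n_pumps=1):
    """Time needed to move the spent fuel pool excess into the RWST."""
    return sfp_gal / (n_pumps * pump_gpm) / 60


if __name__ == "__main__":
    print("transfer, one pump (h):", sfp_transfer_hours())
    print("transfer, two pumps (h):", sfp_transfer_hours(n_pumps=2))
    print("coverage, SFP only (h):", makeup_coverage_hours())
    print("coverage, SFP then 200 gpm blend (h):", makeup_coverage_hours(blend_gpm=200))
    print("coverage, blend only below demand (h):",
          makeup_coverage_hours(sfp_gal=0, blend_gpm=150))
```

Two things the text states fall out directly: the 108,000 gallons cover 9 hours of 200 gpm demand whether one or two purification pumps run (a second pump only shortens the transfer from 4.5 to 2.25 hours; it does not add inventory), and a blending source slower than the demand cannot start the makeup on its own, which is why the model requires the spent fuel pool first and the boric acid tanks only for the remaining hours.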
- Top Event CI - Containment Isolation. This top event questions the failure to create and maintain an isolated containment following safety injection, CIA, and CIB signals. The containment penetrations explicitly modeled are:
- Containment major vents and drains; e.g., sump pump discharge
- Connections to the RCS; e.g., RCP seal water return
- Connections to the containment atmosphere; e.g., containment vacuum line
This model also includes operator actions to ensure that the isolation valves remain closed (e.g., in EOP ES-1.1) after the resetting of the CIA and CIB signals. The safety injection, CIA, and CIB signals are reset in accordance with procedures by the operators in a number of situations. Examples of such situations include post-LOCA cooldown and depressurization (i.e., EOP ES-1.2), transfer to cold leg recirculation (i.e., EOP ES-1.3), the response to loss of emergency coolant recirculation (i.e., EOP ECA-1.1), and safety injection termination (i.e., EOP ES-1.1). Manual isolation of the RCP seal return line during a loss of all vital AC power (i.e., EOP ECA-0.0) is also modeled in this top event. The status of containment isolation is needed for the containment analysis.
3.1.3.3 Large LOCA Event Tree

Large LOCAs are quantified using a separate event tree from that of the general transient/small LOCA event trees and the medium LOCA event tree. This was found to be convenient to reflect the different system success criteria to mitigate large LOCAs; for example, only LHSI is required in the injection phase for core heat removal. Table 3.1.2-5 summarizes the system success criteria needed to ensure that each of the key safety functions is performed. More details concerning the system success criteria are provided in the top event descriptions that follow. For convenient reference, Table 3.1.3-4 summarizes the top events that appear in the large LOCA event tree model. The large LOCA event tree is shown in Figure 3.1.3-4.
- Top Event HH - High Head Safety Injection Pumps. This top event models the two HHSI trains with pumps CH-P-1A and CH-P-1B. Success requires one pump train to be operable. The third pump, CH-P-1C, may be electrically aligned to either orange or purple emergency power if either of the other two pumps fails. Only two pumps at a time, however, receive an automatic start signal. Pump CH-P-1C is included in the model as a backup to either pump CH-P-1A or CH-P-1B, with the associated operator actions to align it. If both pumps CH-P-1A and CH-P-1B have failed, but the required support systems are available to each train, the operator is modeled as aligning pump CH-P-1C to train A. These pump trains share a common dependence on the single suction line from the RWST, which is modeled in Top Event VL of the support tree. The RWST itself is modeled in Top Event RW of the support tree. This top event includes consideration of the failure modes of the relevant pipes, valves, and the HHSI pumps needed to model the availability of HHSI. Failure of this event implies that HHSI is unavailable. Success of Top Event HH means that this function is possible and that the RWST inventory will be transferred to the RCS and eventually to the containment. HHSI further requires the availability of water in the RWST (i.e., Top Event RW) and of a flow path from the RWST to one of the three cold leg injection line entry points in the RCS, as modeled in Top Events VL and HC. HHSI for a large LOCA is only modeled to track whether water from the RWST is injected inside containment. This information is used in the Level 2 analysis to determine the containment response to postmelt conditions. It is not used to determine the core melt frequency.
- Top Event HC - HHSI Cold Leg Injection Paths. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of three cold legs is sufficient for HHSI. If Top Event HH is successful (i.e., HHSI is available), then the three cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows:
- To cold leg 1, SI-97 and SI-23 must open.
- To cold leg 2, SI-98 and SI-24 must open.
- To cold leg 3, SI-99 and SI-25 must open.
Top Event HC also includes the redundant MOVs (i.e., 867A, 867B, 867C, and 867D) at the pumps' discharge and the common check valve (SI-94) on the flow path from the BIT to the cold leg injection paths. Success of both Top Events HH and HC assumes that the RWST inventory will be transferred to the RCS and eventually to the containment via the break.

- Top Event AL - Two of Two Accumulators Discharge. Current success criteria for large LOCAs require adequate accumulator discharge to avoid core melt. Top Event AL requires the water from two accumulators to enter the vessel. It is traditionally assumed that the water from one accumulator is lost out of the break during a large LOCA because certain cold leg break locations will cause this to occur. Accordingly, Top Event AL is assumed to be successful if two of the two remaining accumulators and their associated valves operate properly. The equipment included in this top event is as follows:
- The accumulator tanks at the specified 605 to 661 psig overpressure.
- MOVs SI-865A, SI-865B, and SI-865C on the discharge lines. These valves are normally open with power removed during Modes 1 and 2. In addition, they are given a safety injection signal to open.
- Two normally closed check valves in each accumulator discharge line must open.
Failure of Top Event AL implies that, as a result of the LOCA, the core uncovers and fuel damage occurs before RCS pressure drops sufficiently to allow adequate injection. Success of Top Event AL means that sufficient water is injected to keep the fuel cooled until RCS pressure falls to allow adequate injection via the LHSI pumps.
- Top Events QA and QB - Quench Spray Train A & Train B. A high containment pressure of 8 psig initiates a CIB signal that starts both QS pumps. The motor-operated valves in the suction, MOV-QS-100A and MOV-QS-100B, and the discharge valves MOV-QS-103A and MOV-QS-103B are normally open. Discharge valves MOV-QS-101A and MOV-QS-101B are normally shut and receive a CIB signal to open. Check valves in the discharge piping would be required to open, if not already open.
Since the quench spray pumps divert some of their flow directly to the containment sump, it is currently believed that if one quench spray train fails, the associated RS pumps would not have sufficient NPSH at the time they automatically start. Operators would then have to take manual actions to stop the pumps in order to protect them. This operator action is modeled in Top Event OP. A QS cutback feature is provided for when the RWST level falls to 11 feet to minimize subatmospheric peak pressure. This reduction to approximately 1,100 gpm per train is accomplished by closing discharge valves MOV-QS-103A and MOV-QS-103B and redirecting flow through an orifice in each train. Procedures exist for both QS cutback verification and for containment spray termination if the containment pressure is less than 0.9 psia. Success of the cutback also extends the time available for switchover to recirculation. For PRA purposes, the recirculation switchover timing only affects the backup operator action to perform the recirculation manually, since keeping the containment subatmospheric is not a concern, and therefore does not appear to be of great significance. For now, however, cutback will be included when computing time to switchover. QS operation influences the time to depletion of the RWST, and knowledge of its availability is required for containment analysis. In the plant sequence model, a containment pressure of 8 psig is assumed to be reached for all LOCA sizes, steam line breaks, feed and bleed cooling scenarios, and for any scenario resulting in core damage.
- Top Events LA and LB - Low Head Safety Injection Pumps Train A & Train B. This top event queries the availability of the LHSI pump trains providing flow from the RWST suction valves (manual valve SI 30, check valve SI 5, and MOVs SI-862A and B) through the pumps SI-P-1A and SI-P-1B to the discharge check valves SI 6 and SI 7 and up to the point where recirculation spray flow joins the lines. Failure of both trains is treated as leading to core damage.
For the purpose of containment status, success of LHSI is treated as transfer of the RWST inventory into the reactor vessel. The status of RWST inventory in the containment, particularly in the sump and reactor cavity, is required for containment analysis, should the accident progress to core damage.
- Top Event LL - Low Head Cold Leg Injection Path and Valves MOV SI 864A, MOV SI 864B, and MOV SI 890C. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of two cold legs is sufficient for LHSI. The third cold leg injection loop is assumed not to be available because of the break. For LHSI, as required for large LOCAs, the cold leg injection paths of interest involve six check valves that are modeled in Top Event LL as follows:
- To cold leg 1, SI 12 and SI 23 must open.
- To cold leg 2, SI 11 and SI 24 must open.
- To cold leg 3, SI 10 and SI 25 must open.
Failure of Top Event LL is conservatively treated as precluding all injection. One of these cold legs must provide a flow path. Top Event LL also includes the LHSI train flow paths downstream of the recirculation line connections; that is, MOV SI 890C and one of two of the following valves must be open:
- MOV SI-864A
- MOV SI-864B
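As an added example (not code from the Beaver Valley PRA), the following Python encodes the flow-path success criteria stated above for Top Events HC and LL as small fault-tree gates and computes each top event's failure probability, assuming independent components. The per-valve failure probabilities and the treatment of MOVs 867A-D as "any one of four suffices" are constructed placeholders, not values from the study.

```python
"""Fault-tree style evaluation of the cold leg injection top events HC and LL.

Added example, not part of the Beaver Valley PRA. Structure taken from the
text: HC needs one of three cold legs (two check valves in series each), the
common BIT check valve SI 94, and the redundant discharge MOVs 867A-D; LL
needs one of the two remaining cold legs, MOV SI 890C, and one of MOV SI 864A
or SI 864B. Failure probabilities are constructed placeholders, and all
components are assumed to fail independently.
"""
from itertools import product
from math import prod

# Constructed per-demand failure-to-open probabilities (placeholders).
P_CHECK_VALVE = 1.0e-4   # check valve fails to open on demand
P_MOV = 3.0e-3           # motor-operated valve fails to open / stay open


def series_fail(ps):
    """Failure probability when every component in `ps` must work (OR gate)."""
    return 1.0 - prod(1.0 - p for p in ps)


def k_of_n_fail(k, ps):
    """Failure probability when at least k of the n components must work.

    Exact enumeration of all success/failure states; fine for small n.
    """
    n = len(ps)
    total = 0.0
    for failed in product((False, True), repeat=n):
        if n - sum(failed) < k:          # fewer than k components still working
            total += prod(p if f else 1.0 - p for p, f in zip(ps, failed))
    return total


def cold_leg_path_fail(n_valves=2, p=P_CHECK_VALVE):
    """One cold leg injection line: its two check valves in series must both open."""
    return series_fail([p] * n_valves)


def top_event_hc():
    """Top Event HC (HHSI cold leg paths): returns (P(fail), breakdown)."""
    legs = k_of_n_fail(1, [cold_leg_path_fail()] * 3)   # one of three cold legs
    movs = k_of_n_fail(1, [P_MOV] * 4)                   # assumption: any one of 867A-D
    si94 = P_CHECK_VALVE                                 # common check valve SI 94
    parts = {"cold_legs": legs, "movs_867": movs, "si94": si94}
    return series_fail(list(parts.values())), parts


def top_event_ll():
    """Top Event LL (LHSI cold leg paths, third leg lost to the break)."""
    legs = k_of_n_fail(1, [cold_leg_path_fail()] * 2)   # one of two remaining legs
    si890c = P_MOV                                       # MOV SI 890C must be open
    movs864 = k_of_n_fail(1, [P_MOV] * 2)                # one of SI 864A / SI 864B
    parts = {"cold_legs": legs, "si890c": si890c, "movs_864": movs864}
    return series_fail(list(parts.values())), parts


def dominant_contributor(parts):
    """Name the contributor with the largest failure probability."""
    return max(parts, key=parts.get)


if __name__ == "__main__":
    for name, fn in (("HC", top_event_hc), ("LL", top_event_ll)):
        p_fail, parts = fn()
        print(f"Top Event {name}: P(fail) = {p_fail:.3e}, "
              f"dominant contributor = {dominant_contributor(parts)}")
        for label, value in parts.items():
            print(f"    {label:10s} {value:.3e}")
```

With these placeholder values the single common valves (SI 94 for HC, SI 890C for LL) dominate, which is why the text singles them out while the redundant legs and MOVs contribute little.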
- Top Evont SM - Containment Sump. This event models the unavailability of the containment sump (e.g., due to plugging with containment debris) and common cause unavailability of all four recirculation spray trains due to their river water supply check valves.
If Top Event SM fails, then all recirculation spray pumps are ineffective and the LHSI sump recirculation valves modeled in Top Events VA and VB cannot supply the LHSI pumps; consequently, neither recirculation spray nor recirculation mode core cooling is available. The assessment of sump unavailability in this top event assumes that the scenario has not yet progressed to a core damage condition. Postmelt containment environment effects (i.e., sump plugging) are deferred for consideration in the Level 2 analysis.
- Top Event OP - Operator Protects RS Pumps. This event models the operators' ability to stop the recirculation spray pumps when the containment sump level is too low. The inside and outside recirculation spray pumps RS-P-1A and RS-P-2A, respectively, have a pump start delay time of 210 seconds after a CIB signal is initiated. The inside and outside recirculation spray pumps RS-P-1B and RS-P-2B, respectively, have a pump start delay time of 225 seconds after a CIB signal is initiated. Small LOCAs that reach 8 psig in the containment and cause initiation of a CIB may not provide sufficient water in the containment sump to meet the minimum recirculation spray pump suction requirements within the delay time, if the associated QS pump does not operate. The procedures do not specifically instruct operators to stop the recirculation spray pumps if the associated QS pump fails to start/run; however, this could be an important action and will be modeled at this time.
- Top Event RS - Inside RS Train A or Train B. The four recirculation spray pumps are automatically started following a 210-second delay for the A pumps and a 225-second delay for the B pumps after a CIB. This is to give the quench spray pumps sufficient time to fill the containment sump to provide the required NPSH for the recirculation spray pumps. This delay time, however, may not be sufficient (i.e., depending on the RCS leak rate) to allow ample water to collect in the containment sump if the associated QS pump does not operate. The recirculation spray pumps must sometimes be manually turned off to prevent them from cavitating and then turned back on when NPSH is sufficient.
Operator actions to first turn off and then to turn on the pumps are modeled in Top Events OP and OR. Pumps 1A and 1B are dedicated to providing recirculation spray. Pumps 2A and 2B can be realigned following a recirculation mode signal, during LOCA scenarios, to provide both recirculation spray and in-vessel core cooling if Top Events LA, LB, VA, and VB fail. Top Event RS includes the start and run of either recirculation spray train 1A or 1B (or both) with the associated piping, valve operation, and spray header. Knowledge of success or failure of RS is required only for containment analysis; i.e., it does not impact the calculation of the core damage frequency. Given successful operation of the outside recirculation spray trains, but failure of the inside recirculation spray trains, the 2A and 2B pumps would be aligned to provide only the recirculation spray function when either LHSI pump is providing recirculation core cooling. If neither LHSI pump can provide recirculation core cooling, then pump 2A or 2B must be aligned to provide the recirculation spray and cooling function while the other pump provides core injection.
- Top Events RA and RB - Outside RS Pump/Spray Train A & Train B. These events model the availability of recirculation spray pump trains A and B, and the valves needed for recirculation spray or to establish cold leg recirculation through the LHSI lines. The cross-connect valves to the discharge of the LHSI pumps are modeled in Top Event OR for low pressure recirculation. Recirculation spray train A is aligned to recirculation spray and core cooling train A, and recirculation spray train B is aligned to recirculation spray and core cooling train B.
The following equipment actions are modeled herein:
- Start and run of RS-P-2A and RS-P-2B following a CIB, or a manual start if a CIB does not occur. For purposes of this analysis, a CIB condition is assumed. (The operator actions are modeled in Top Event OR.)
- Opening of the river water header for the coolers RS-E-1C and RS-E-1D. Only the recirculation spray water goes through the coolers; flow going to the core is not cooled.
- Proper positioning of suction and discharge valves MOV-RS-155A and MOV-RS-156A for the A pump, and MOV-RS-155B and MOV-RS-156B for the B pump. MOVs 155A and 155B are normally open and must remain open. MOVs 156A and 156B are normally closed and must open. The recirculation spray header check valves must also open.
- Top Events VA and VB - Containment Sump Valve for LHSI Pump A and Pump B. The LHSI pumps can take suction from either the RWST during the injection phase or the containment sump during the recirculation phase. These top events model the valves which are necessary to provide a suction path from the containment sump to the LHSI pumps. Motor-operated valve MOV-SI-860A and check valve SI 1 are for LHSI pump A. Motor-operated valve MOV-SI-860B and check valve SI 2 are for LHSI pump B. MOV-SI-860A and B are normally closed and must open when the SI recirculation phase signal is initiated. This automatic action is modeled in Top Event OR. Presently, the failure of VA during the recirculation mode is assumed to fail Top Event LA (Low Head Safety Injection Pump Train A). Failure of VB is assumed to fail LB (Low Head Safety Injection Pump Train B). A cross-connect from VA to LB or VB to LA does exist by opening the RWST suction valves MOV-SI-862A and B; however, this action will not be modeled at this time.
- Top Event OR - Automatic/Manual Actions for Cold Leg Recirculation. This event models the automatic signal to transfer to recirculation, and the operator actions considered in realigning the plant from the injection mode to the low pressure recirculation mode for LOCA sequences when the automatic signal has failed, or the low pressure injection pumps or valves have failed and the operator must align one of the outside RS pumps to the core injection mode. Proper calibration of the RWST level sensors is considered in the model. When the RWST level drops below 20 feet, the operators are instructed to enter EOP ES-1.3, verify that the system is properly aligned, and, if not, manually align for cold leg recirculation. (Actions to reset the safety injection signal, such as in EOP E-1, do not reset the recirculation mode signal.) The recirculation mode signal, however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculation switchover, if the pumps had been stopped previously to avoid cavitation caused by insufficient NPSH. For large LOCAs, the RS pumps need only be stopped to avoid pump cavitation if the associated QS pumps fail. Also considered in this top event is the isolation of the two recirculation paths from the LHSI lines to the RWST, and the two paths from the HHSI suction lines. This is to ensure that water from the containment sump is not inadvertently pumped back into the RWST and thus is unavailable for recirculation. The four lines considered are the two flow paths through the LHSI pumps and MOVs SI 885A & D and B & C, and reverse flow through the two HHSI suction valves (MOVs SI 115B and D). Failure of the redundant valves on the HHSI lines or failure of both valves in series for the LHSI lines to reseat or reclose is assumed to result in failure of Top Event OR. Establishment of separate recirculation flow paths by isolating the redundant lines from each other is not considered necessary for success. The model, however, conservatively assumes that the trains are isolated. Isolation of the lines in this case can actually reduce system availability because once separated, it then requires operator action to establish crossover paths to recover from certain combinations of failures that involve two trains.

These failure combinations are believed to be more likely than single pipe breaks, which is the reason that the operators are instructed to isolate the trains. This event includes operator actions to control river water flow to the RS coolers to control containment pressure, and verification and establishment of correct valve alignment for recirculation. The valve hardware failure modes themselves are modeled in Top Events RA and RB. Failure of this event is treated as failure of the cold leg recirculation mode of ECCS. The long term transfer to hot leg recirculation 14 hours after the LOCA starts (i.e., following EOP ES-1.4) is not modeled. It is assumed that in the long period available before boron precipitation could become a problem, the operating staff will find a way to transfer to hot leg recirculation, even if initially unsuccessful.
- Top Event MU - Makeup to RWST. This event models the operator action and equipment necessary to supply borated water makeup to the RWST during a LOCA with failure of emergency recirculation. The makeup actions are called for by procedure; i.e., EOP ECA-1.1 when RWST level is low and cold leg recirculation is unavailable, and refer operators to OM 1.7.4.Q RWST Makeup procedures.
Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST. Makeup from the coolant recovery tanks will not be modeled since it requires that a temporary hose connection be made. The spent fuel pool is normally filled to a level 20 inches above the technical specification limit. The technical specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emergency makeup from the river water system into the spent fuel pool is also possible but requires that a locked shut manual valve (RW 124) be opened. Since use of this system connection is not proceduralized, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rating of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours for one pump running, or half that time if both pumps are running. The required makeup rate to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, as indicated by Attachment E G of EOP ECA-1.1, is less than 200 gpm for times greater than 100 minutes after plant trip. Therefore, this volume of borated water is sufficient to last at least 9 hours after makeup begins. At least 120 gpm of makeup can be provided from the boric acid blender. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after plant trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would be insufficient. Therefore, makeup from the spent fuel pool is assumed required initially, and then, to continue providing makeup for 24 hours, manual blending operations using the boric acid tanks are also required. Makeup from the spent fuel pool requires one of the two fuel pool purification pumps (i.e., FC-P-4A and FC-P-4B) to start and run, and manual valves at the discharge of the pumps to the RWST must be opened. The spent fuel pool inventory should already be borated to 2,000 ppm. For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operations, the makeup alignment is more complex. Clean water from the primary water storage tanks (i.e., 1BR-TK-6A and 1BR-TK-6B) is blended with boric acid from the boric acid tanks (i.e., CH-TK-1A and CH-TK-1B).

Manual intervention is required to assure the proper blend of boric acid and clean water to achieve a mixed concentration of roughly 2,000 ppm boron. Both boric acid tanks but only one primary water storage tank are needed to supply sufficient makeup for the remainder of the 24-hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of the two primary water supply pumps (i.e., 1BR-P-10A and 1BR-P-10B) and either of the boric acid transfer pumps (i.e., CH-P-2A and CH-P-2B) are required for success, since the boric acid transfer pumps can be crosstied. Success of Top Event MU means that continued HHSI injection can be performed for RCS inventory control at full RCS pressure despite continuing RCS leakage. For sequences in which RHR cannot be placed in service, because either the initial cooldown and depressurization could not achieve RHR entry conditions (i.e., less than 325°F and less than 360 psig) or the RHR system is unavailable, success of Top Event MU can be very important. Failure of Top Event MU means that inventory control is not available, and eventual core damage results.
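The makeup time budget argued in the two paragraphs above, worked through in Python as an added example (not code from the Beaver Valley PRA): the spent fuel pool volume, pump rating, makeup demand, blender rate and 24-hour mission time are the figures quoted in the text, while the hour at which makeup must begin is a scenario input and is a constructed assumption here.

```python
"""Time budget for borated makeup to the RWST (Top Event MU).

Added example, not part of the Beaver Valley PRA. Inputs are the values the
text quotes: ~108,000 gallons of spent fuel pool (SFP) inventory above the
technical specification level, 400 gpm fuel pool purification pumps, a
required HHSI makeup rate under 200 gpm after 100 minutes, a 120 gpm boric
acid blender, and a 24-hour mission time. The makeup start hour depends on
the scenario and is an assumed input.
"""
from dataclasses import dataclass

SFP_EXCESS_GALLONS = 108_000    # SFP inventory available for rapid makeup
PURIFICATION_PUMP_GPM = 400     # design rating of one fuel pool purification pump
REQUIRED_MAKEUP_GPM = 200       # upper bound on HHSI makeup demand (t > 100 min)
BLENDER_GPM = 120               # manual boric acid blender capability
MISSION_HOURS = 24


@dataclass
class MakeupBudget:
    transfer_hours: float          # time to pump the SFP inventory into the RWST
    sfp_supply_hours: float        # hours the SFP inventory sustains the demand
    blender_alone_sufficient: bool  # can blending alone meet the demand rate?
    blender_hours_needed: float    # hours of manual blending to finish the mission


def hours_for(gallons, gpm):
    """Convert a volume and a flow rate in gpm into hours."""
    return gallons / gpm / 60.0


def makeup_budget(makeup_start_hour, pumps_running=1, demand_gpm=REQUIRED_MAKEUP_GPM):
    """Evaluate whether SFP transfer plus blending cover the remaining mission."""
    if not 0 <= makeup_start_hour <= MISSION_HOURS:
        raise ValueError("makeup must start within the mission window")
    if pumps_running not in (1, 2):
        raise ValueError("only two fuel pool purification pumps exist")
    transfer = hours_for(SFP_EXCESS_GALLONS, PURIFICATION_PUMP_GPM * pumps_running)
    supply = hours_for(SFP_EXCESS_GALLONS, demand_gpm)
    remaining = MISSION_HOURS - makeup_start_hour
    # Whatever the SFP inventory cannot cover must come from blender operations.
    blender_needed = max(0.0, remaining - supply)
    return MakeupBudget(transfer, supply, BLENDER_GPM >= demand_gpm, blender_needed)


if __name__ == "__main__":
    for start in (0, 5, 8):           # assumed makeup start hours after plant trip
        b = makeup_budget(start)
        print(f"makeup from hour {start}: transfer {b.transfer_hours:.1f} h, "
              f"SFP lasts {b.sfp_supply_hours:.1f} h, blender alone ok: "
              f"{b.blender_alone_sufficient}, blending needed {b.blender_hours_needed:.1f} h")
```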
- Top Event CI - Containment Isolation. This top event questions the failure to create and maintain an isolated containment following safety injection, CIA, and CIB signals. The containment penetrations explicitly modeled are:
- Containment Major Vents and Drains; e.g., sump pump discharge
- Connections to RCS; e.g., RCP seal water return
- Connections to Containment Atmosphere; e.g., containment vacuum line

This model also includes operator actions to ensure that the isolation valves remain closed (e.g., in EOP ES-1.1) after the resetting of the CIA and CIB signals. The safety injection, CIA, and CIB signals are reset in accordance with procedures by the operators in a number of situations. Examples of such situations include: post-LOCA cooldown and depressurization (i.e., EOP ES-1.2), transfer to cold leg recirculation (i.e., EOP ES-1.3), the response to loss of emergency coolant recirculation (i.e., EOP ECA-1.1), and safety injection termination (i.e., EOP ES-1.1). To simplify the model, when evaluating Top Event CI, it is conservatively assumed that resetting CIA and CIB was always performed so that this potential failure mode is always included. Manual isolation of the RCP seal return line during a loss of all vital AC power (i.e., EOP ECA-0.0) is also modeled in this top event. The status of containment isolation is needed for the containment analysis.

3.1.3.4 Steam Generator Tube Rupture Event Trees

SGTR initiating events are quantified using two event trees; i.e., SGTR and SGTRRECIRC. Table 3.146 summarizes the system success criteria needed to ensure that each of the key safety functions is performed. More details concerning the system success criteria are provided in the top event descriptions that follow. For convenient reference, Tables 3.1.3-5 and 3.1.3-6 summarize the top events that appear in the SGTR event tree models. The SGTR event tree structures are displayed in Figures 3.1.3-5 and 3.1.3-6. Steam generator tube rupture events that result from other initiating events (e.g., steam line breaks) are not modeled. It has been postulated that in a steam line break accident with limited AFW flow, the affected steam generator may experience one or more drying and rewetting transients, which would be very hard on the tubes. Such consequential steam generator tube failures are not modeled. The SGTR event considered herein is for a single tube offset rupture. Multiple tube rupture events would be more severe, but also much less frequent. Previous PRA studies (e.g., for Indian Point, Seabrook, and Diablo Canyon) have argued that such initiators are less risk significant than the modeled single tube offset. This is assumed to be true for Beaver Valley Unit 1. No plant-specific features have been identified that make Beaver Valley Unit 1 more susceptible.
The following top events make up the SGTR event tree.
- Top Event OT - Operator Action to Manually Trip Reactor. This event models only the operator action to manually trip the reactor from the control room. The equipment needed to actuate in order to trip the reactor is modeled in Top Event RT.
- Top Event RT - Automatic and Manual Reactor Trip. This top event considers the automatic reactor trip system function and the backup operator actions to manually trip the reactor. The backup manual actions are accounted for by evaluating Top Event RT conditionally on the status of Top Event OT. Success of this event requires that at least 1 of 2 reactor trip breakers open (or the initiator is a loss of offsite power), and that 47 of 48 control rod clusters are inserted into the reactor core. This assumption is conservative because, for many times during the operating cycle, depending on the particular accident sequence of interest and on the particular arrangement of control rod clusters that fail to insert, many more than one such cluster may fail to insert and yet the reactor may remain subcritical. Major equipment modeled in this top event includes the undervoltage coils, shunt trip coils, reactor trip breakers, and the control rods. Successful operation of at least one train of SSPS, manual operator action to initiate reactor trip, or a loss of offsite power is required for success of Top Event RT. Failures of Top Event RT are only considered further in the ATWS event tree; i.e., Section 3.1.4.
- Top Event TT - Turbine Trip. This event models the likelihood of the turbine to trip following an initiating event. Success requires that both stop valves or both governor valves close on both supplies. The signal to close comes from the auxiliary contacts on the reactor trip breakers, which goes through SSPS. An additional turbine trip signal is provided by AMSAC, which does not go through SSPS. No credit is given for the AMSAC signal except in the ATWS tree (Section 3.1.4), where reactor trip fails.
- Top Event MS - Main Steam Isolation. This event models the successful isolation of the main steam lines by closure of at least two of three main steam isolation valves (MSIVs).
For steam generator tube rupture initiators, the status of main steam isolation is only of interest if the turbine fails to trip; i.e., it is otherwise assumed not to have an impact on subsequent events. Failure of both Top Events TT and MS leads to failure of the turbine-driven AFW pump; i.e., failure of two or three MSIVs to close is conservatively modeled as if all three failed to isolate. Consideration of MSIV closure for the purpose of isolating the ruptured steam generator is modeled in Top Event SL.
- Top Event AF - Auxiliary Feedwater System Provides Flow from One Pump to at Least One Steam Generator. For success of Top Event AF, at least one pump is required to supply at least one of two steam generators for 24 hours. Each of the two motor-driven pumps and the one turbine-driven pump is headered to provide flow to any of the three steam generators. However, steam flow from the ruptured steam generator is assumed unavailable; i.e., successfully isolated.
The AFW is demanded by a safety injection signal. For the initial PRA model, credit is only given for those signals that go through SSPS. This top event includes the required valve position changes, pump starts, and pump operation to provide flow to the steam generator by taking suction from the primary demineralized water storage tank (PDWST) (WT-TK-10) or the river water system. It also includes the equipment and operator actions needed to provide long-term makeup from the demineralized water storage tank (DWST) (WT-TK-26) to the PDWST (EOP Attachment 2-H). The principal mode of makeup to the PDWST is automatic, using a modulating supply valve (LCV-WT-104A) that passes up to 200 gpm flow from either one of two 350-gpm-capacity demineralized water transfer pumps, WT-P-33A or WT-P-33B. There are additional manual makeup sources from demineralizer pumps (WT-P-4A & 4B) or from the condensate pumps (CN-P-1A & 1B). All the above makeup sources to the PDWST depend on normal AC power. On loss of normal AC (LOSP or Top Event OG failure), makeup is possible from a cross-tie to the Unit 2 demineralized water distribution pumps (2WTD-P23A & B). However, this is presently not modeled because it is not proceduralized. On loss of offsite AC power, either river water must be supplied to the AFW pumps or the dedicated auxiliary feed pump must be aligned. The dedicated AFW pump is modeled in Top Event MF. The PDWST will be depleted in approximately 6 to 9 hours without makeup. River water would be used only if no other source of water is available and PDWST level has decreased to less than 3.97 feet. Given that the Main Steam Trip Valves are closed (i.e., so that the condenser steam dumps are not available), decay heat may still be removed by AFWS using one of the following sets of valves:
- Steam Generator Atmospheric Steam Dumps (nominally set at 1,040 psig) (only two available)
- Residual Heat Release Valve (manually controlled, but not used for SGTR)
- Steam Generator Safety Valves (setpoints range from 1,075 to 1,125 psig)
Historical data and previous analyses for other plants indicate that the failure-to-open frequency of these valves is sufficiently small that modeling the failure to open of at least one of these sets of valves is not required in this study. Failure to achieve at least one steam relief path for DHR would not be a dominant risk contributor. Therefore, to simplify the model, such failures are neglected. This assumption is even more valid if the Main Steam Trip Valves are open and flow through the condenser steam dumps is possible. Failure of this event is modeled as placing a demand on the condensate, MFW pumps and valves, or dedicated auxiliary feed pump and valves to provide steam generator feed flow. This modeling is consistent with the sequence of EOPs found in ES-0.1 and FR-H.1 for loss of AFW sequences.
- Top Event OF - Manual Actions to Reestablish MFW. This event models the operator actions to reestablish MFW following a safety injection signal due to the SGTR event that resulted in a full feedwater isolation.
If AFW is insufficient, the operators look to the MFW equipment to provide flow to at least one steam generator through either the feedwater control and regulating valves or the feedwater bypass valves. Should the AFW system fail to provide sufficient water and the MFW pumps are not operating, then EOP FR-H.1 is entered. Following a safety injection signal, the reactor would trip; a feedwater isolation signal would close the feedwater isolation valves, the control and regulating valves, and the bypass valves; and it would shut off the MFW pumps. The AFW pumps would actuate from the safety injection signal. If pressure in the containment rises above 3 psig, the MSIVs would close, isolating the steam lines. EOP E-0 instructs the operator to verify and close all feedwater control and bypass valves, and to stop main feed pumps as required, following a safety injection signal. These equipment responses are assumed to be successful because they lead to a requirement for subsequent manual intervention in order to reestablish MFW, if AFW fails. Since the MFW pumps are tripped off, this event models the operator actions noted in EOP FR-H.1. Functional response EOP FR-H.1 provides the steps to recover from an initial loss of flow to the steam generators, given that AC power is available. The procedure calls for restoration of the secondary heat sink in the following order:
- AFW
- Establish alternate AFW flow using the dedicated AFW pump (FW-P-4) in accordance with EOP Attachment 2-K
- One MFW pump or the Condensate System into a depressurized steam generator
- Bleed and Feed

The operators must reset the safety injection and the feedwater isolation signal in order to reopen the feedwater isolation valves. These isolation valves and the feedwater bypass valves must be opened to allow the dedicated AFW pump, MFW pumps, or the condensate system to feed the steam generators. As a simplifying approximation, the model conservatively neglects the potential of achieving flow from the condensate system through a depressurized steam generator; i.e., given that both the MFW pumps and the dedicated AFW pump are unavailable.
- Top Event MF - Condensate/Main Feed/Dedicated AFW. This event includes the ability of the main condenser and the condensate system to provide sufficient flow and NPSH to a MFW pump, and the ability of the main feed or dedicated AFW pumps to provide flow to a steam generator. Failure of the condensate system precludes main feed flow to the steam generators. The condensate system is not available if normal (non-emergency) power is lost. The dedicated AFW pump is supplied from the ERF diesel.
The condenser hotwell maintains a water volume of about 71,000 gallons by virtue of a gravity feed line from the TPDWST (WT-TK-11), assuming condenser vacuum is maintained. The TPDWST contains 200,000 gallons. To achieve a continuous supply of steam generator feed at 350 gpm for 24 hours, either the MSIVs and condenser steam dump valves must open, or a makeup supply to the TPDWST must be provided. The TPDWST is filled from the demineralized makeup system. Upon low level indication, the fill line level control valve is actuated, the level in the TPDWST is indicated, and the low/high level is experienced. For simplicity, this model assumes one of four success paths: (1) makeup to the TPDWST is provided from the DWST (WT-TK-26), or (2) makeup from the DWST is supplied directly to the condenser hotwell, or (3) the MSIVs and condenser steam dump valves are opened before depletion of the TPDWST, or (4) feedwater flow is successfully controlled to less than 350 gpm to match decay heat so that for 24 hours, even without makeup, sufficient water is available for condensate pump suction. The analysis of this top event includes only the failure modes involving the equipment mentioned. The operator actions are modeled in Top Event OF. The equipment response modeled includes the following: the feedwater isolation and regulating valves are opened, dedicated AFW pump discharge valve MOV 160 opens, one MFW pump starts (DC control power supplied from a non-emergency bus) and runs, and the dedicated AFW pump starts and runs. Failure of Top Events MF and AF is treated as a requirement to establish cooling via feed and bleed. Therefore, the operator actions to restore adequate MFW flow must be accomplished prior to the time when feed and bleed is to be initiated; i.e., less than 8% wide range level in at least two steam generators.
The model assumes that the RCPs are tripped in accordance with EOP FR-H.1 if both Top Events AF and MF are unavailable.
- Top Event OB - Bleed and Feed Cooling. This event is queried if no other source of secondary heat sink is available; i.e., Top Events AF and MF failed. The operator actions considered in this event are in EOP FR-H.1; in particular, the operators initiate safety injection, open the PORVs, open the PORV block valves as needed, ensure that at least one pressurizer relief line flow path remains open, and verify HHSI pump operation. If the PORV block valves were initially closed prior to the initiating event, power must then be restored to these valves in order to open them. To extend the time available to initiate feed and bleed cooling, the operators must have stopped the RCPs earlier, in accordance with EOP FR-H.1.
Hand calculations based on pump capacities, decay heat levels, and pressurizer PORV relief capacity have been performed to investigate the success criteria for feed and bleed cooling at Beaver Valley Unit 1. These calculations are documented in Appendix C. It was concluded that for Beaver Valley Unit 1, one HHSI pump with one of three cold leg injection paths and relief via one PORV train would provide adequate core cooling.
Failure of this event is treated as a complete loss of reactor cooling without possibility of depressurization for LHSI prior to core damage. In addition to the operator actions, the equipment that must function to provide at least one pressurizer relief path (i.e., the PORVs and associated block valves) and three cold leg injection paths is also modeled in this top event. The HHSI pumps are modeled in Top Event HH.
- Top Event HH - High Head Safety Injection Pumps. This top event models the two HHSI trains with pumps CH-P-1A and CH-P-1B. Success requires one pump train to be operable. The third pump, CH-P-1C, may be electrically aligned to either orange or purple emergency power if either of the other two pumps fails. Only two pumps at a time, however, can receive an automatic start signal. Pump CH-P-1C is included in the model as a backup to either pump CH-P-1A or CH-P-1B, with the associated operator actions to align it. If both pumps CH-P-1A and CH-P-1B have failed, but the required support systems are available to each train, the operator is modeled as aligning pump CH-P-1C to train A.
These pump trains share a common dependence on the single suction line from the RWST, which is modeled in Top Event VL of the support tree. The RWST itself is modeled in support system Top Event RW. EOP E-0 asks the operators to recognize whether the RCS is intact. If they decide that the RCS is intact following a LOCA, they are then instructed to go to EOP ES-1.1, "Safety Injection Termination". There is a danger, as occurred at TMI, that the HHSI will be temporarily stopped. EOP ES-1.1, however, provides for a recheck of safety injection termination and an escape back to EOP E-1. Nevertheless, this potential error of commission is included in the system model for this top event.

This top event includes consideration of the failure modes of the relevant pipes, valves (except MOV-CH-115B and MOV-CH-115D, modeled in Top Event VL), and the HHSI pumps needed to model availability of the HHSI. Failure of this event implies that HHSI and charging flow for RCP seal injection are unavailable. Success of Top Event HH means that these two functions are possible. HHSI further requires the availability of water in the RWST (i.e., Top Event RW), and of a flow path from the RWST to one of the three cold leg injection line entry points in the RCS; i.e., as modeled in Top Events VL and HC. Success of RCP seal injection does not require flow from the RWST, provided that the VCT remains available as a source of water for HHSI pump suction. Successful RCP seal injection flow also requires that flow paths from the discharge of the operable HHSI pump to each of the RCP seals be available. These RCP seal injection flow paths are modeled in Top Event SE.
- Top Event HC - HHSI Cold Leg Injection Paths. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of three cold legs is sufficient for either HHSI or LHSI. If Top Event HH is successful (i.e., HHSI is available), then the three high head cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows:
- To cold leg 1, SI-100 and SI-23 must open.
- To cold leg 2, SI-101 and SI-24 must open.
- To cold leg 3, SI-102 and SI-25 must open.
Top Event HC also includes the redundant MOVs (i.e., 867A, 867B, 867C, and 867D) at the pump discharge and the common check valve (SI-94) on the flow path from the redundant MOVs.
- Top Event SE - RCP Seal Injection / Thermal Barrier Cooling. The charging system provides RCP seal injection. Normally, the CCR system provides RCP thermal barrier cooling, bearing cooling, and motor cooling. Either thermal barrier cooling provided by CCR or seal injection provided by the charging system is sufficient to prevent a seal LOCA if the RCPs are not running.
Top Event SE models RCP seal cooling from both thermal barrier cooling and seal injection. RCP seal injection is modeled as a success path if one of the HHSI (charging) pumps is successful, and either flow from the RWST is available or there has not been an automatic switchover to the RWST and flow from the VCT remains available. Switchover of HHSI pump suction from the VCT to the RWST occurs on a safety injection signal. Switchover to the RWST is also necessary on low VCT level. On low level, the switchover may occur automatically or be initiated manually. Isolation of letdown alone is assumed not to require switchover because normal charging should automatically run back to minimum flow. However, loss of vital instrument bus I, II, or III (i.e., red, white, or blue) could lead to failure of pressurizer level control, depending on how the system is aligned. If the failure involves vital instrument channel I, there is also a loss of automatic makeup to the VCT. Loss of pressurizer level control results in full flow from normal charging. Operator action is then required to restore pressurizer level control before switchover occurs.

The discharge flow paths from the charging pumps are headered so that any one pump can provide seal injection to all three RCPs. The valves in the seal injection flow path are either motor-operated and normally open, or manual and normally open. A common hydraulic control valve (HCV-CH-106) fails open. If CCR flow to the RCPs is unavailable but the RCPs continue to run, then success of Top Event SE requires that the operators trip the RCPs before any seal damage occurs due to pump vibration, whether one mode or both modes of seal cooling are available. Thermal barrier cooling for the RCP seals is modeled in support system Top Event TB. If Top Event TB is successful, RCP seal injection is not required.
Top Event SE is queried following steam generator tube rupture initiating events with successful isolation of the pressurizer PORVs; i.e., no RCS leakage through the relief paths. This event is considered irrelevant if a LOCA caused by a stuck open pressurizer PORV has already occurred. Failure of Top Event SE is assumed to lead to a small LOCA by virtue of RCP seal leakage.
- Top Event SL - Secondary Leakage to the Environment. This event models the operator actions and equipment needed to isolate the ruptured steam generator from the environment. The analysis of actions to isolate the ruptured steam generator is simplified by assuming that the corresponding Main Steam Trip Valves and all steam valves upstream must close. The operators must identify and manually isolate these valves, if open, in accordance with EOP E-3. The valves that must close are, in addition to the Main Steam Trip Valves, the five safety relief valves, the steam generator atmospheric relief valve, the residual heat release valve, the steam generator blowdown valves, and the steam supply from the ruptured steam generator to the turbine-driven AFW pump. In requiring each of these valves to close, it is conservatively assumed that the steam generator atmospheric steam dump, the five safety valves, and the residual heat release valve have all opened sometime during the sequence.
In addition to identifying and isolating the ruptured steam generator to prevent it from leaking, the operators must also control feedwater level to ensure that it does not overfill the ruptured steam generator (i.e., EOP E-3) and stop unnecessary HHSI pumps (i.e., EOP E-3, EOP ECA-3.1, EOP ECA-3.2, and EOP ECA-3.3) to allow RCS pressure to be reduced. Failure of the operators to limit these later challenges to the same steam valves on the ruptured steam generator is assumed to lead to a failure of Top Event SL. A second operator action is also included to consider locally isolating one of the ruptured steam generator valves should it stick open following the initial challenge. Except for the Main Steam Trip Valves and the steam generator safety valves, the EOPs (i.e., EOP E-3 and EOP E-2) instruct the operator to isolate the steam generator steam valves locally if they cannot be closed remotely. A similar operator action to locally gag a stuck open safety valve is also believed credible, though not explicitly specified by procedures. Two operator actions are included in the model for Top Event SL to consider these local valve isolations as a backup. While failure of the ruptured steam generator Main Steam Trip Valves to close could be mitigated by isolating all three secondary steam lines downstream of this valve, this success path is conservatively neglected in the Top Event SL model. This alternative path to secondary isolation may be considered in the future on a sequence-specific basis. Success of Top Event SL means that the ruptured steam generator is initially isolated. Failure of Top Event SL means that a release path from the RCS to the environment is available; consequently, to preserve RCS inventory, the RCS pressure must be reduced and maintained below the ruptured steam generator pressure, or a long-term source of RCS makeup must be provided. Normally, the operators would be required to place RHS in service in order to proceed to cold shutdown, effectively stopping the leak.

If RCS inventory control cannot be established (i.e., either by continued makeup or by stopping the leak), eventual core damage is assumed, with containment bypass through the ruptured steam generator.
- Top Event CD - Cooldown of RCS and Depressurization of Secondary Side. This event models the operator action and equipment needed to cool down the primary and depressurize the secondary in order to subcool or saturate the RCS relative to the ruptured steam generator pressure. Some form of steam generator cooling (i.e., on either AFW or MFW) is required. This action covers steps in EOP E-3, EOP ECA-3.1, EOP ECA-3.2, and/or EOP ECA-3.3. Failure of this event implies that the steam generators are not used for active plant cooldown to stop leakage from the RCS to the ruptured steam generator. Failure of this event is assumed to result in an eventual filling of the ruptured steam generator and, subsequently, continued leakage from the ruptured steam generator into the environment.
One of the two intact steam generators' atmospheric dump valves is assumed to be required for success of this event. The ruptured steam generator is isolated on the steam side in accordance with the EOPs (i.e., EOP E-3); consequently, its atmospheric dump valve and the residual heat release valve are assumed unavailable for the cooldown. To simplify the model, use of the condenser steam dumps and the condenser is conservatively neglected. Instead, the cooldown and depressurization is accomplished by the operators lowering the pressure setpoint or locally opening one of the steam generator PORVs.
- Top Event OD - Depressurization of the RCS to RHR Entry Conditions. This event models the successful depressurization of the RCS to RHR entry conditions (i.e., RCS temperature less than 325°F, and RCS pressure less than 360 psig) given that the operators have already successfully cooled down the RCS and depressurized the intact steam generators; i.e., success of Top Event CD. The RCS depressurization is accomplished using normal pressurizer spray, auxiliary pressurizer spray, or the pressurizer PORVs in accordance with EOP E-3, EOP ECA-3.1, EOP ECA-3.2, or EOP ECA-3.3. Credit for using the RCS head vents alone, which may not be a viable approach, is conservatively neglected. Normal pressurizer spray requires successful operation of RCP A or C. RCP A or C is assumed to be available if both offsite power and reactor plant component cooling water are successful. Auxiliary pressurizer spray requires that at least one of the three HHSI pumps be available to supply charging and that letdown is maintained. For successful depressurization using the pressurizer PORVs, the operators must open the pressurizer PORV and its block valve if necessary. Once depressurized, reclosure of the pressurizer PORV trains is modeled in Top Event PI. Failure of Top Event OD, even if Top Event CD is successful, is assumed to imply that RCS pressure remains above the steam generator safety valve setpoints, so that reactor coolant is lost to the environment through the ruptured steam generator. If steam generator cooling is not available, this top event is not queried; instead, RCS depressurization is modeled in Top Event OB for feed and bleed cooling.
- Top Event PI - Pressurizer PORV Isolation Given RCS Depressurization. For SGTR sequences, RCS pressure initially falls to the low pressure safety injection setpoint. Consequently, an initial PORV demand for RCS pressure control is not assumed. However, during such sequences, the operator may open the PORVs for feed and bleed cooling or, in the event that pressurizer spray is unavailable, for RCS depressurization. A pressurizer PORV is assumed to be open whenever Top Event OD is successful but the RCPs are not available for normal pressurizer spray; i.e., offsite power or CCR (support system Top Event OG or CC), needed for RCP operation, has failed. The analysis of Top Event PI models the successful reclosing of the affected PORV(s) after the challenge or, alternately, the successful manual closure of the block valves to isolate the pressurizer PORV relief line(s). Failure of this top event is treated in the remainder of the model as a small LOCA; that is, it is assumed that failure to isolate will occur in only one pressurizer relief path.
- Top Event RR - Residual Heat Removal. Top Event RR evaluates the availability of the RHR to provide core decay heat removal, and the operator actions to initiate RHR once the RCS has been cooled down and depressurized sufficiently to allow RHR to be placed in service. To place RHR in service, RCS temperature must be less than 325°F, and RCS pressure must be less than 360 psig.
This event is of particular interest if there is a failure to isolate the ruptured steam generator (i.e., Top Event SL fails), so that the RCS must be cooled to cold shutdown conditions in order to stop the RCS leakage into the environment. Success of this event implies that cooldown to cold shutdown conditions is completed so that RCS leakage to the environment can be minimized. Failure of this event indicates that RHR was not successfully established, so that RCS leakage into the environment must be remedied some other way.
- Top Event WM - Makeup to RWST Given Leakage through Secondary. This event models the operator action and equipment necessary to supply borated water makeup to the RWST for SGTR sequences. The makeup actions are called for by procedure; i.e., EOP ECA-3.2 and OM-1.7.4.0. EOP ECA-3.2 is entered from EOP ECA-3.1 when RWST level is low without a corresponding increase in containment sump level, or when the ruptured steam generator level is high. These are both indications that the ruptured steam generator may not be isolated, allowing RCS leakage into the environment. If the secondary side is leaking, makeup to the RWST is important if the RHR is not placed in service to cool down the RCS to cold shutdown conditions in order to stop the leakage. Makeup to the RWST is then necessary for continued HHSI pump injection to maintain RCS inventory. Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST. The spent fuel pool is normally filled to a level 20 inches above the technical specification limit. The plant technical specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emergency makeup from the service water system into the spent fuel pool is also possible, but a spool piece must be installed. Since use of this system connection is not proceduralized, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rating of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours. The required makeup rate in order to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, as indicated by EOP ECA-1.1 and EOP Attachment 5-G, is less than 200 gpm for times greater than 100 minutes after plant trip. Therefore, this volume of borated water is enough to last at least 9 hours after makeup begins. Makeup from the boric acid tanks can only be provided at 120 gpm. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after plant trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would be insufficient. Therefore, makeup from the spent fuel pool is assumed to be required initially, and manual blending operations using the boric acid tanks are also required to continue providing makeup for 24 hours.
Makeup from the spent fuel pool requires one of the two fuel pool purification pumps (i.e., 1FC-P-4A and 1FC-P-4B) to start and run, and manual valves at the discharge of the pumps to the RWST must be opened. The spent fuel pool inventory should already be borated to 2,000 ppm. For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operations, the makeup alignment is more complex. Clean water from the primary water storage tanks (i.e., 1BR-TK-6A and 1BR-TK-6B) is blended with boric acid from the boric acid tanks (i.e., 1CH-TK-1A and 1CH-TK-1B). Manual intervention is required to assure the proper blend of boric acid and clean water to achieve a mixed concentration of roughly 2,000 ppm boron. Both boric acid tanks, but only one primary water storage tank, are needed to supply sufficient makeup for the remainder of the 24-hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of the two primary water supply pumps (i.e., 1BR-P-10A and 1BR-P-10B) and either of the boric acid transfer pumps (i.e., 1CH-P-2A and 1CH-P-2B) are required for success, since they can be cross-connected. Success of Top Event WM means that continued HHSI injection can be performed for RCS inventory control at full RCS pressure despite leakage through the ruptured steam generator. For sequences in which RHR cannot be placed in service, because either the initial cooldown and depressurization could not achieve RHR entry conditions (i.e., less than 325°F and less than 360 psig) or the RHR system is unavailable, success of Top Event WM can be very important. Failure of Top Event WM means that inventory control is unavailable, and eventual core damage results. Top Event WM is also asked if all steam generator cooling is lost. For bleed and feed scenarios, there would be continued leakage through the ruptured steam generator.
Eventual makeup to the RWST would then be required. The required RWST makeup rate for bleed and feed scenarios should be greater than for SGTR events with AFW available. The PRA model conservatively assumes that the makeup rate for continued bleed and feed is also necessary for scenarios with steam generator cooling.

The SGTRRECIRC event tree makes up the second part of the steam generator tube rupture event tree sequence model. The top events in the SGTRRECIRC tree are summarized in Table 3.1.3-6 and described below.
- Top Event NR - Recirculation from Sump Not Required. This top event acts as a switch to assure that sequences in the SGTR event tree are correctly connected to the remainder of the sequence model in SGTRRECIRC. If Top Event NR is successful, this implies that the plant is in a stable configuration with recirculation from the containment sump not required, steam generator cooling successful, and no LOCA condition. Failure of Top Event NR implies that the status of containment systems is of interest for recirculation from the sump.
- Top Event NM - No Melt Condition from Injection Phase. This top event is also a switch. It is asked only if Top Event NR is failed. Success of Top Event NM implies that during the early or injection phase of the accident, plant systems responded correctly but that recirculation from the containment sump is required to prevent core damage. Failure of Top Event NM implies that during the early or injection phase of the accident, core damage occurred. The status of containment systems is then queried to define the likely release paths from containment.
- Top Events QA and QB - Quench Spray Train A & Train B. A high containment pressure of 8 psig initiates a CIB signal that starts both QS pumps. The motor-operated valves in the suction (MOV-QS-100A and MOV-QS-100B), the discharge valves MOV-QS-103A and MOV-QS-103B, and the discharge valves MOV-QS-101A and MOV-QS-101B are normally shut and receive a CIB signal to open. Check valves in the discharge piping would be required to open, if not already open.
Since the quench spray pumps divert some of their flow directly to the containment sump, it is currently believed that if one quench spray train fails, the associated RS pumps would not have sufficient NPSH at the time they automatically start. Operators would then have to take manual actions to stop the pumps in order to protect them. This operator action is modeled in Top Event OP. A QS cutback feature is provided for when the RWST level falls to 11 feet, to minimize the subatmospheric peak pressure. This reduction to approximately 1,100 gpm per train is accomplished by closing discharge valves MOV-QS-103A and MOV-QS-103B and redirecting flow through an orifice in each train. Procedures exist both for QS cutback verification and for containment spray termination if the containment pressure is less than 8.9 psia. Success of the cutback also extends the time available for switchover to recirculation. For PRA purposes, the recirculation switchover timing only affects the backup operator action to perform the recirculation manually, since keeping the containment subatmospheric is not a concern, and therefore does not appear to be of great significance. For now, however, cutback will be included when computing time to switchover. QS operation influences the time to depletion of the RWST, and knowledge of its availability is required for containment analysis. In the plant sequence model, a containment pressure of 8 psig is assumed to be reached for all LOCA sizes, steam line breaks, feed and bleed cooling scenarios, and for any scenario resulting in core damage.
- Top Events LA and LB - Low Head Safety Injection Pumps Train A & Train B. These top events query the availability of the LHSI pump trains providing flow from the RWST suction valves (manual valve SI-30, check valve SI-5, and motor-operated valves MOV-SI-862A and MOV-SI-862B) through the pumps SI-P-1A and SI-P-1B to the discharge check valves SI-6 and SI-7, up to the point where recirculation spray flow joins the lines. For small LOCAs in which HHSI is available and RCS pressure is greater than 250 psig, the LHSI pumps are turned off per EOP ES-1.2, Post-LOCA Cooldown and Depressurization. For LOCAs in which HHSI is not available, RCS pressure would not be stable or increasing, so LHSI would remain operating to transfer RWST water to the containment once RCS pressure dropped sufficiently. The LHSI pumps for Unit 1 have associated containment sump valves MOV-SI-860A and MOV-SI-860B for recirculation mode core cooling. These valves are modeled in Top Events VA and VB. For small LOCAs, success of this top event requires that the miniflow valves (MOV-SI-885A, B, C, and D) remain open, since they are needed to protect the pumps against dead-heading. Failure to close these valves during the recirculation phase of SI is modeled in Top Event OR. During small LOCAs, the operators are required by EOP E-1, Step 10, to stop the LHSI pumps and then restart them, if required, during the recirculation phase. These operator actions are modeled in. The automatic and manual actions to align for cold leg recirculation from the sump are modeled in Top Event OR. The equipment needed to model the cross-tie between high and low head pumps for recirculation is modeled in Top Event HR. For the purpose of containment status, success of either HHSI or LHSI is treated as a successful transfer of RWST inventory into the reactor vessel.

Transients and LOCAs characterized by high pressure core meltdowns (e.g., failure of Top Event HH during a small LOCA, or complete loss of heat sink during a non-LOCA transient), in which the pressure stays above about 120 psig, do not provide the opportunity for LHSI prior to core meltdown. The actions identified in EOP FR-C.1 are assumed not to be sufficient to lower RCS pressure to permit LHSI prior to core damage. After vessel failure, however, the head against which the low pressure pumps must operate may fall below their shutoff head, and injection of the RWST inventory may then be achieved. The status of RWST inventory in the containment, particularly in the sump and reactor cavity, is required for containment analysis, should the accident progress to core damage.
- Top Event LC - LHSI Cold Leg Injection Paths. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of three cold legs is sufficient for either HHSI or LHSI.
If both trains of HHSI are not available during a small LOCA (i.e., Top Event HH fails), then the operators would attempt to use LHSI; i.e., Top Events LA and LB. In this case, the cold leg injection paths of interest involve six check valves that are modeled in Top Event LC as follows:
- To cold leg 1, SI-12 and SI-23 must open.
- To cold leg 2, SI-11 and SI-24 must open.
- To cold leg 3, SI-10 and SI-25 must open.
Top Event LC also considers the motor-operated valves (i.e., MOV-SI-864A, MOV-SI-864B, and MOV-SI-890C) in the LHSI flow path downstream of the points where recirculation spray joins, but before the injection path header, where flow then splits three ways into each cold leg.
- Top Event SM - Containment Sump. This event models the unavailability of the containment sump (e.g., due to plugging with containment debris) and common cause unavailability of all four recirculation spray trains due to their river water supply check valves. If Top Event SM fails, then all recirculation spray pumps are ineffective and the LHSI sump recirculation valves modeled in Top Events VA and VB cannot supply the LHSI pumps; consequently, neither recirculation spray nor recirculation mode core cooling is available. The assessment of sump unavailability in this top event assumes that the scenario has not yet progressed to a core damage condition. Postmelt containment environment effects (i.e., sump plugging) are deferred for consideration in the Level 2 analysis.
- Top Event OP - Operator Protects RS Pumps. This event models the operators' ability to stop the recirculation spray pumps when the containment sump level is too low. The inside and outside recirculation spray pumps RS-P-1A and RS-P-2A, respectively, have a pump start delay time of 210 seconds after a CIB signal is initiated. The inside and outside recirculation spray pumps RS-P-1B and RS-P-2B, respectively, have a pump start delay time of 225 seconds after a CIB signal is initiated. Small LOCAs that reach 8 psig in the containment and cause initiation of a CIB may not provide sufficient water in the containment sump to meet the minimum recirculation spray pump suction requirements within the delay time if the associated QS pump does not operate. The procedures do not specifically instruct operators to stop the recirculation spray pumps if the associated QS pump fails to start/run; however, this could be an important action and will be modeled at this time.
- Top Event RS - Inside RS Train A or Train B. The four recirculation spray pumps are automatically started following a 210-second delay for the A pumps and a 225-second delay for the B pumps after a CIB. This is to give the quench spray pumps sufficient time to fill the containment sump to provide the required NPSH for the recirculation spray pumps. This delay time, however, may not be sufficient (i.e., depending on the RCS leak rate) to allow ample water to collect in the containment sump if the associated QS pump does not operate. The recirculation spray pumps must sometimes be manually turned off to prevent them from cavitating and then turned back on when NPSH is sufficient.
Operator actions to first turn off and then to turn on the pumps are modeled in Top Events OP and OR. Pumps 1A and 1B are dedicated to providing recirculation spray. Pumps 2A and 2B can be realigned following a recirculation mode signal, during LOCA scenarios, to provide both recirculation spray and in-vessel core cooling if Top Events LA, LB, VA, and VB fail. Top Event RS includes the start and run of either recirculation spray train 1A or 1B (or both) with the associated piping, valve operation, and spray header. Knowledge of success or failure of RS is required only for containment analysis; i.e., it does not impact the calculation of the core damage frequency. Given successful operation of the outside recirculation spray trains, but failure of the inside recirculation spray trains, the 2A and 2B pumps would be aligned to provide only the recirculation spray function when either LHSI pump is providing recirculation core cooling. If neither LHSI pump can provide recirculation core cooling, then one of pumps 2A and 2B must be aligned to provide the recirculation spray and cooling function while the other pump provides core injection.
- Top Events RA and RB - Outside RS Pump / Spray Train A & Train B. These events model the availability of recirculation spray pump trains A and B, and the valves needed for recirculation spray or to establish cold leg recirculation through the LHSI lines. The cross-connect valves to the discharge of the LHSI pumps are modeled in Top Event OR for low pressure recirculation, and the cross-connect valves to the suction of the HHSI pumps are modeled in Top Event HR for high pressure recirculation. Recirculation spray train A is aligned to recirculation spray and core cooling train A, and recirculation spray train B is aligned to recirculation spray and core cooling train B. The following equipment actions are modeled herein:
- Start and run of RS-P-2A and RS-P-2B following a CIB, or a manual start if a CIB does not occur. For purposes of this analysis, a CIB condition is assumed. (The operator actions are modeled in Top Event OR.)
- Opening of the river water header for the coolers RS-E-1C and RS-E-1D. Only the recirculation spray water goes through the coolers; flow going to the core is not cooled.
- Proper positioning of suction and discharge valves MOV-RS-155A and MOV-RS-156A for the A pump, and MOV-RS-155B and MOV-RS-156B for the B pump. MOVs 155A and 155B are normally open and must remain open. MOVs 156A and 156B are normally closed and must open. The recirculation spray header check valves must also open.
- Top Events VA and VB - Containment Sump Valve for LHSI Pump A and Pump B. The LHSI pumps can take suction from either the RWST during the injection phase or the containment sump during the recirculation phase. These top events model the valves which are necessary to provide a suction path from the containment sump to the LHSI pumps. Motor-operated valve MOV-SI-860A and check valve SI-1 are for LHSI pump A; motor-operated valve MOV-SI-860B and check valve SI-2 are for LHSI pump B.
MOV-SI-860A and B are normally closed and must open when the SI recirculation phase signal is initiated. This automatic action is modeled in Top Event OR.
Presently the failure of VA during the recirculation mode is assumed to fail Top Event LA (Low Head Safety Injection Pump Train A). Failure of VB is assumed to fail LB (Low Head Safety Injection Pump Train B). A cross-connect from VA to LB or VB to LA does exist by opening the RWST suction valves MOV-SI-862A and B; however, this action will not be modeled at this time.
- Top Event OR - Automatic / Manual Actions for Cold Leg Recirculation. This event models the automatic signal to transfer to recirculation and the operator actions considered in realigning the plant from the injection mode to the recirculation mode for LOCA sequences when the automatic signal has failed, or the low pressure injection pumps or valves have failed and the operator must align one of the outside RSS pumps to the core injection mode. Realignment for both high pressure and low pressure recirculation is considered. Proper calibration of the RWST level sensors is considered in the model.
When the RWST level drops below 20 feet, the operators are instructed to enter EOP ES-1.3, verify that the system is properly aligned and, if not, manually align for cold leg recirculation. (Actions to reset the safety injection signal, such as in EOP E-1, do not reset the recirculation mode signal.) The recirculation mode signal, however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculation switchover, if the pumps had been stopped previously to avoid cavitation caused by insufficient NPSH. This action to restart the pumps is modeled in this Top Event. In the event that a CIB signal did not occur, the operators need not stop the RSS pumps, but must start them for the first time to go to recirculation if the LHSI pumps are not available. For steam line breaks inside containment sufficiently large to lead to a CIB signal, EOP E-1 permits the operators to stop the QSS pumps once containment pressure is reduced to less than -1.0 psig. This action preserves RWST inventory in case it is needed later; i.e., for subsequent, induced small LOCAs following the steam line break initiating event. Success or failure of this action can affect the required timing for switchover to recirculation from the injection mode. For the current model, the QSS pumps are assumed to be stopped, which extends the time available for successful switchover to recirculation. Also considered in this top event, for all initiating events, is the isolation of the two recirculation paths from the LHSI lines to the RWST, and the two paths from the HHSI suction lines. This is to ensure that water from the containment sump is not inadvertently pumped back into the RWST and thus is unavailable for recirculation. The four lines considered are the two flow paths through the LHSI pumps and MOVs SI-885 A & D and B & C, and reverse flow through the two HHSI suction valves (MOVs SI-115B and D). Failure of the redundant valves on the HHSI lines or failure of both valves in series for the LHSI lines to reseat or reclose is assumed to result in failure of Top Event OR.
Establishment of separate recirculation flow paths by isolating the redundant lines from each other is not considered necessary for success. The model, however, conservatively assumes that the trains are isolated. Isolation of the lines, in this case, can actually reduce system availability because, once separated, it then requires operator action to establish crossover paths to recover from certain combinations of failures that involve two trains. These failure combinations are believed to be more likely than single pipe breaks, from which separation of the two trains was meant to protect. This event includes operator actions to control river water flow to the RSS coolers to control containment pressure, and to restart the RSS pumps (if they were stopped in Top Event OP), as well as verification and establishment of correct valve alignment for recirculation. The valve hardware failure modes themselves are modeled in Top Events RA and RB. Top Event OR will be conservatively modeled such that, for any low pressure recirculation realignment after core melt (i.e., MLOCA, LLOCA, etc.) and failure of the sump suction valves, the outside RSS Train A pump (Top Event RA) can only be crosstied if the Low Head Safety Injection Train A pump (Top Event LA) is available/successful. This is due to the possibility of failing the common cold leg low pressure discharge valve MOV-SI-864A, which is modeled in Top Event LA. The same is true for the Train B pumps (Top Events RB and LB) due to the failure of MOV-SI-864B. For any high pressure recirculation realignment, either outside RSS pump can be used since Top Events RA and RB are not dependent on Top Events LA and LB, since the common cold leg high pressure discharge valves MOV-SI-863A and B are modeled in Top Event HR (Low Head to High Head Flow Path for Recirculation Core Cooling). Failure of this event is treated as failure of the cold leg recirculation mode of the emergency core cooling system (ECCS).
The long-term transfer to hot leg recirculation 14 hours after the LOCA starts (i.e., following EOP ES-1.4) is not modeled. It is assumed that in the long period available before boron precipitation could become a problem, the operating staff will find a way to transfer to hot leg recirculation, even if initially unsuccessful.
- Top Event HR - Low Head to High Head Flow Path for Recirculation Core Cooling.
Establishment of high head recirculation, given that low head recirculation is available, depends on the availability of the charging pumps and the opening of valves MOV-SI-863A and MOV-SI-863B. These valves receive an automatic command following a recirculation mode signal. Success of the recirculation mode signal requires proper operation and calibration of the RWST level sensors. The recirculation mode signal is considered in the Top Event OR event analysis along with the backup manual actions to establish recirculation. As the alternate cold leg injection path, MOV-SI-836 has power and is called out by procedure as an alternate flow path for HHSI once the transfer to recirculation phase is complete; however, this flow path is not modeled at this time. Success of Top Event HR requires that MOV-SI-863A opens to permit flow from either SI-P-1A or RS-P-2A, and MOV-SI-863B opens to permit flow from either SI-P-1B or RS-P-2B, which must be operable (i.e., as modeled by Top Events LA, LB, RA, and RB), to the suction of all three HHSI pumps.
- Top Event MU - Makeup to RWST. This event models the operator action and equipment necessary to supply borated water makeup to the RWST during a LOCA with failure of emergency recirculation. The makeup actions are called for by procedure; i.e., EOP ECA-1.1 when RWST level is low and cold leg recirculation is unavailable, and refer operators to OM 1.7.4.0 RWST Makeup procedures.
Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST. Makeup from the coolant recovery tanks will not be modeled since it requires that a temporary hose connection be made. The spent fuel pool is normally filled to a level 20 inches above the technical specification limit. The technical specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emergency makeup from the river water system into the spent fuel pool is also possible but requires that a locked shut manual valve (RW-124) be opened. Since use of this system connection is not proceduralized, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rating of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours for one pump running, or half that time if both pumps are running. The required makeup rate to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, as indicated by Attachment E-G of EOP ECA-1.1, is less than 200 gpm for times greater than 100 minutes after plant trip. Therefore, this volume of borated water is sufficient to last at least 9 hours after makeup begins. At least 120 gpm of makeup can be provided from the boric acid blender. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after plant trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would be insufficient. Therefore, makeup from the spent fuel pool is assumed to be required initially, and then, to continue providing makeup for 24 hours, manual blending operations using the boric acid tanks are also required. For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operations, the makeup alignment is more complex.
Clean water from the primary water storage tanks (i.e., 1BR-TK-6A and 1BR-TK-6B) is blended with boric acid from the boric acid tanks (i.e., CH-TK-1A and CH-TK-1B). Manual intervention is required to assure the proper blend of boric acid and clean water to achieve a mixed concentration of roughly 2,000 ppm boron. Both boric acid tanks but only one primary water storage tank are needed to supply sufficient makeup for the remainder of the 24-hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of two of the primary water supply pumps (i.e., 1BR-P-10A and 1BR-P-10B) and either of the boric acid transfer pumps (i.e., CH-P-2A and CH-P-2B) are required for success since the boric acid transfer pumps can be crosstied. Success of Top Event MU means that continued HHSI injection can be performed for RCS inventory control at full RCS pressure despite continuing RCS leakage. For sequences in which RHR cannot be placed in service, because either the initial cooldown and depressurization could not achieve RHR entry conditions (i.e., less than 325°F and less than 360 psig) or the RHR system is unavailable, success of Top Event MU can be very important. Failure of Top Event MU means that inventory control is not available, and eventual core damage results.
- Top Event CI - Containment Isolation. This top event questions the failure to create and maintain an isolated containment following safety injection, and CIA and CIB signals. The containment penetrations explicitly modeled are
- Containment Major Vents and Drains; e.g., sump pump discharge
- Connections to RCS; e.g., RCP seal water return
- Connections to Containment Atmosphere; e.g., containment vacuum line
This model also includes operator actions to ensure that the isolation valves remain closed (e.g., in EOP ES-1.1), after the resetting of the CIA and CIB signals. The safety injection, CIA and CIB signals are reset in accordance with procedures by the operators in a number of situations. Examples of such situations include: post-LOCA cooldown and depressurization (i.e., EOP ES-1.2), transfer to cold-leg recirculation (i.e., EOP ES-1.3), the response to loss of emergency coolant recirculation (i.e., EOP ECA-1.1) and safety injection termination (i.e., EOP ES-1.1). Manual isolation of the RCP seal return line during a loss of vital AC (i.e., EOP ECA-0.0) is also modeled in this top event. The status of containment isolation is needed for the containment analysis. Two other potential failure modes have been postulated for loss of containment integrity. For small LOCAs, the CIA and CIB signals would not be generated immediately. If the containment vacuum line or sump pump discharge line is open at the start of the LOCA, a portion of the containment air would be swept out of the containment and replaced by steam prior to successful containment isolation. If a CIB signal then actuates the QSS and RSS pumps, containment pressure should quickly fall to subatmospheric. If the operators fail to terminate the QSS pumps or RSS pumps, there is the potential for containment pressure to fall below design limits; i.e., less than 9 psia. However, a realistic containment failure mode for such sequences has not been identified. This potential containment failure mode is not unique to Beaver Valley Unit 1. Because the penetrations at Beaver Valley Unit 1 (which may be open while at power) are relatively small, it is difficult to purge much containment air prior to isolation. Therefore, this failure mode is not quantified in the PRA model. A second potential failure mode is associated with steam line breaks within containment. If feedwater fails to isolate, two or more steam generators blow down inside containment, or if the operators fail to control AFW flow to the faulted steam generator, containment pressure may exceed design limits.
In the current model, it is assumed that the realistic containment failure pressure would still not be exceeded, so that containment integrity is maintained. Consequently, this postulated containment failure mode was also not quantified.
3.1.3.5 Excessive LOCA Event Tree
Excessive LOCA events (i.e., too large to be mitigated by the ECCS) are quantified using a separate event tree; i.e., excessive LOCA. Table 3.1.2-7 summarizes the system success criteria needed to ensure that each of the key safety functions is performed. Table 3.1.3-7 summarizes the top events that appear in the excessive LOCA event tree. The excessive LOCA event tree structure is displayed in Figure 3.1.3-7. By definition, excessive LOCA events all result in core damage. The event tree structure is only to determine the status of containment systems. Therefore, the event descriptions are nearly the same as those for large LOCAs. The reader is referred to the large LOCA top event descriptions for complete descriptions. There are three top event differences between the excessive LOCA and large LOCA event trees. Top Events AL (Accumulators) and MU (Makeup to the RWST Given Recirculation Failed) are not asked in the excessive LOCA event tree, because these events only prevent core damage, but by definition of the initiating event core damage is known to occur. The third difference involves Top Event LC. Again, since core damage is assumed, the more stringent success criteria for low pressure cold leg injection paths defined for large LOCAs are not required. Only one flow path is needed for cold leg injection after core melt. This relaxed success criterion is consistent with Top Event LC, described in the discussion of the GTRECIRC event tree.
3.1.3.6 Containment Bypass LOCA Events
3.1.3.6.1 Introduction. A containment bypass loss of coolant accident (LOCA) is a leak in the reactor coolant system (RCS) pressure boundary at the interface with systems that communicate with the RCS through a series of check valves and/or isolation valves.
Since some of these interfacing systems are low pressure systems and since they are partially located outside the containment, the potential exists for leaks or ruptures of valves at this interface to result in a containment bypass. Because of the role of these valves at the system interface, containment bypass LOCAs are also called interfacing systems LOCAs. Such a leak can lead to a loss of high pressure reactor coolant and can disable all or part of the emergency core cooling system (ECCS). If core melt occurs in a containment bypass LOCA event, a direct path from the RCS to the outside atmosphere may exist for the release of radioactive materials.
3.1.3.6.2 Containment Bypass Paths Review: In this analysis, a review of the BV1 piping systems that may have the potential of initiating a containment bypass LOCA was first conducted. These include piping belonging to the residual heat removal (RHR) system, the accumulators, the low head safety injection (LHSI) system, the high head safety injection (HHSI) system, and the charging system. Previous PRAs on PWR plants have indicated that the most significant contributors to a containment bypass LOCA are those piping systems that meet the following criteria:
- Connect directly to the RCS; i.e., RCS loop piping or pressurizer.
- Consist of high pressure piping inside containment (i.e., same design pressure as RCS design pressure) and sufficiently low pressure piping outside containment, including flanges and seals that would be susceptible to rupture if exposed to RCS pressure. High pressure systems outside usually provide a closed system (another containment barrier).
- Sufficiently large to cause an initiating event (> normal makeup).
- Cause damage to LOCA mitigation systems such as HHSI and LHSI.
- Contain less than three pressure barriers between RCS and low pressure design. The initiating frequency of a containment bypass LOCA is very small when three barriers exist.
The results of the evaluation of all of the piping systems that are connected to the RCS are presented in Table 3.1.3-8. The reasons for screening out some of the piping systems from further bypass LOCA analysis are also provided in Table 3.1.3-8. The evaluation reveals that the most likely piping or line to initiate a containment bypass LOCA is a line from the LHSI system, through Penetration No. 61, to the RCS cold legs. Although not connected directly to the RCS, the component cooling water (CCR) system piping has the potential for overpressurization, resulting from failure of a component cooling water tube within an RCP thermal barrier heat exchanger. If the safety-related check valve (upstream of the ruptured thermal barrier heat exchanger) or the downstream safety-related isolation valve, which serves the CCR side of the heat exchanger, fails with the RCP thermal barrier heat exchanger tube rupture, fluid from the RCS (2,485 psig at 650°F) will enter the CCR system piping and challenge the integrity of the containment isolation valves (designed for 150 psig at 500°F) at the CCR supply header and CCR return header. Failure of the containment isolation valves would allow RCS fluid to escape outside the containment. This concern has been addressed by Beaver Valley Unit 1, with the installation of sufficiently sized relief valves between the safety-related check valves (upstream of the ruptured heat exchanger) and the containment isolation valves at the CCR supply header, and between the safety-related isolation valves (downstream of the ruptured heat exchanger) and the containment isolation valves at the CCR return header. This will maintain the CCR system pressure at less than 150 psig in the event of thermal barrier tube rupture with failure of the safety-related upstream check valve or the safety-related downstream isolation valves (see Reference 3.1.3.6-1). The relief valves will divert the flow from the RCS into the containment.
3.1.3.6.3 Configuration of the LHSI System Piping: The LHSI to RCS cold legs line consists of one 6-inch header that penetrates containment at Penetration No. 61. Inside containment, the line branches into three 6-inch injection lines that go to each of three RCS cold legs. The isolation valve arrangement for the subject line is shown in Figure 3.1.3-8. High pressure to low pressure boundary isolation capability is provided by two series check valves (located inside containment in each of the three injection branch lines) and by one motor-operated containment isolation valve (MOV-SI-890C) located outside containment in the common 10-inch header. During normal power operation, pressure boundary isolation is only provided by the two check valves in each injection branch line since containment isolation valve MOV-SI-890C is in the normally open position, which is the required engineered safety feature (ESF) position. The piping from the RCS connection to outside containment isolation valve MOV-SI-890C (including the valve) is designed as Class 1502 piping to withstand RCS pressure. The piping upstream of outside containment isolation valve MOV-SI-890C is designed as Class 153 piping. This Class 153 piping is protected from overpressure due to check valve leakage by a small-capacity (50 gpm at 220 psig) relief valve (RV-SI-845B) upstream of MOV-SI-890C. Ten-inch discharge lines from both LHSI pumps connect to the six-inch cold leg injection header upstream of MOV-SI-890C. Isolation capability provided for each LHSI discharge line consists of one normally open motor-operated isolation valve [MOV-SI-864A(B)] and one check valve [SI-6(7)]. Upstream of each motor-operated isolation valve is an additional, small capacity relief valve that provides overpressure protection for the individual LHSI discharge lines. Thus, the LHSI pump flanges and seals that may be somewhat less robust than the piping and pump casing are protected by three check valves during normal power operation.
3.1.3.6.4 Initiating Event Analysis
3.1.3.6.4.1 Plant Response: The initial plant response to a containment bypass LOCA at the LHSI system will be dependent on the leakage rate of reactor coolant past the LHSI system injection line's check valves. Coolant leaking through the LHSI system injection line check valves would be discharged through the relief valves RV-SI-845A, RV-SI-845B, and RV-SI-845C. These valves are in 3/4-inch piping that tees off the 10-inch LHSI piping, and each relief valve has a capacity of 50 gpm at the set pressure of 220 psig. However, when the upstream fluid of these valves is saturated water at 540°F (saturation pressure is about 1,000 psig), the relieving capacity of the valves will be reduced because of the choked flow flashing. It was estimated that the relief capacity reduces to about 35 gpm (see Reference 3.1.3.6-2) if the water is saturated at 540°F. If the reactor coolant leakage is less than 105 gpm, the leakage can be accommodated by the relief valves, and loss of coolant can be made up by the normal charging system. The first indication of loss of reactor coolant will be the actuation of the pressurizer low-level alarms. Normal charging pump flow from the volume control tank (VCT) will increase in an effort to maintain pressurizer level. If the level in the VCT decreases below the low-low level setpoint, a signal is provided to isolate the charging pumps from the VCT and to switch pump suction to the 440,000 gallons of water in the refueling water storage tank (RWST). Even if the leakage remained at 105 gpm, it would take approximately 63 hours to exhaust the contents of the RWST.
Plant shutdown can be accomplished with the normally operating charging and cooling systems and, thus, LHSI system injection line check valve leakage less than 105 gpm would not be considered a bypass LOCA in this analysis. Should the leakage of reactor coolant exceed the relief capacity of the three relief valves (RV-SI-845A, RV-SI-845B, and RV-SI-845C; i.e., > 105 gpm), the integrity of the Class 153 LHSI piping system would be challenged. If the integrity of the piping system is maintained and if the check valve [SI-6(7)] in the discharge of each LHSI pump functions properly, the loss of reactor coolant will be restricted to the relief valve(s) discharge capacity, and plant shutdown may be accomplished with normal operating systems. However, if the LHSI pump discharge check valves fail or do not function properly, the LHSI pumps will be subjected to pressures greater than their design, and reactor coolant will leak to the RWST via the normally open LHSI pump miniflow lines. If the integrity of the Class 153 piping system is not maintained, reactor coolant could be lost through broken flanges, seals, or piping. The magnitude of coolant loss would be dependent on the magnitude of leakage past the failed pressure boundary check valves and the size of the rupture in the Class 153 piping system. The continued loss of RCS inventory will lead to a reactor trip signal and a safety injection signal generated by low pressurizer pressure (about 1,845 psig). The safety injection signal performs the following functions:
- Emergency Diesel Generator Start
- Reactor Trip
- Containment Isolation Phase A
- Feedwater Isolation
- High Head Safety Injection Pump Start (Two of Three Pumps)
- LHSI Pump Start
- River Water Pump Start (Two of Three Pumps)
- Auxiliary Feedwater Pump Start (Motor-Driven Pumps)
- Turbine Trip
As plant pressure decreases, the RWST continues to supply borated water through the charging/HHSI pumps to the RCS at an increasing flow rate. When the RCS pressure falls below that of the accumulators (600 psig), their contents are also discharged into the RCS.
The LHSI pumps start upon receipt of the safety injection signal but will not provide low pressure injection until RCS pressure falls below their shutoff head (110 psi). Prior to reaching this pressure, flow from the LHSI pumps is recirculated back to the RWST through the miniflow lines of the LHSI pumps to prevent pump overheating. If the RCS pressure remains over 250 psig and is either stable or increasing, the operator is required to stop the LHSt pumps. The LHSI function is expected to be seriously degraded or negated entirely for the postulated containment bypass LOCA event. After initiation of reactor trip or safety injection signals, the operators are trained tc implement Emergency Procedure E 0. After verifying that ESFs are functioning as required, that the main steam lines need not be isolated, and that the steam generator pressure boundary is intact, the operator is instructed to check if the RCS is intact (Procedure E-0). If containment radiation, pressure, or containment sump level is greater than normal, the operator is instructed to go to Emergency Procedure E-1, Loss of Reactor or Secondary Coolant. Procedure E-0 requires the operator to check for radiation in the auxiliary building and to transfer to Emergency Procedure EC A-1.2, LOCA Outside Containment, if above normal radiation is detected. 3.1.3.6A.2 initiating Event Frequency 3.1.3.6 A.2.1 Initiating Event Frequency Equation: In general, the frequency of failure of two normally closed check valves, V1 and V2, in series can be expressed as LP = LV1*P(V2lV1) + LV2*P(VilV2) (3.1.3,6.1) where LP = the frequency of failure of both series valves in a path, LV1. = the frequency of a random, independent failure of valve V1. P(V2lV1) = the conditional probability that V2 fails, given Vi has failed. LV2 = the frequency of a random, independent failure of valve V2. 
P(VilV2) = the conditional probability that Vi falls, given V2 has failed, in some cases, the random, independent failure frequencies and conditional probabilities for the two valves will be approximately equal, but, in other cases, they will not. For example, if Vi leaks slightly (V1 being nearest the RCS) but V2 does not, V2 would be exposed to differential pressure loading to which V1 is normally exposed. In this situation, V1 would have RCS pressure on both sides of the disc and would be expected to have a lower failure than V2, which is exposed to a greater differential pressure. Although this may be true, the distinction cannot be made practically; therefore, it is conservatively assumed that LV1 = LV2 and P(VilV2) = P(V2lV1) where 3.1-104 31 Acciaent semence Denneaoon.
B::v:r Vclisy Pcwcr St:ti:n Unit 1 Rcvisi:n 0 Pr:babilistic Risk Ass:sument LV1 = the frequency of random, independent failure of valve V1 with full
, differential pressure loading.
k P(V2lV1) = the conditional probability that V2 falls, given Vi has failed. Therefore, the system failure frequency (Equation 3.1.3.6.1) becomes LP = 2'LV2'P(V2lV1) (3.1.3.6.2) Given that V1 has failed independently, V2 could fall on demand (due to sudden pressure challengo), or it may fail randomly in time after failure of V1. This latter failure mode may be evaluated by the standby redundant system model. Consider the reliability block diagram presented as Figure 3.1.3-9. From this figure, we see that both vavies must fail to cause the initiating event. If valve 1 is closest to the RCS system, then valve 2 is effectively in standby. The reliability expression for the system of two identical, independent check valves operated sequentially during time T with perfect switching is r (3.1.3.6.3) RS(T) = R,(T) + 1,(t)Rg (T - t)dt
*0 where R (T) 3 = reliability of check valve 1 for time T.
( f (t) 3
= failure probability density of check valve 1.
R2 (T - () = reliability of check valve 2, after check valve 1 failed at time t. If LV = LV1 = LV2 = failure rate of the series check valves comprising the system, and assuming that the check valve failures are random (thus, the exponential distribution is used to model the reliability of the check valve), we will have R 1(t) = exp - (LV't) (3.1.3.6.4) e f t(t) = LV*[exp - (LV't)] (3.1.3.6.5) and R r(T - t) = exp - [LV'(T - t)] (3.1.3.6,6) The reliability of the system becomes
$$RS(T) = e^{-LV\,T} + \int_{0}^{T} LV\,e^{-LV\,t}\;e^{-LV\,(T-t)}\,dt \qquad (3.1.3.6.7)$$

Solving this, we have

$$RS(T) = e^{-LV\,T}\,(1 + LV\,T) \qquad (3.1.3.6.8)$$

By defining LE as the effective failure rate for the two series valves, we have

$$RS(T) = e^{-LE\,T} \qquad (3.1.3.6.9)$$

Taking the derivative of RS with respect to T gives

$$\frac{dRS}{dT} = -LE\,e^{-LE\,T} = -LE\,RS \qquad (3.1.3.6.10)$$

Solving for LE yields

$$LE = -\frac{1}{RS}\,\frac{dRS}{dT} \qquad (3.1.3.6.11)$$

Substituting Equation (3.1.3.6.8) into (3.1.3.6.11) and simplifying,

$$LE = \frac{LV}{1 + \dfrac{1}{LV\,T}} = \frac{LV^{2}\,T}{1 + LV\,T} \qquad (3.1.3.6.12)$$

Every 18 months the plant is expected to go to cold shutdown, at which time these valves are tested for leakage per Procedure OST 1.11.16 and repaired if necessary. The average failure rate over this period of time is given by

$$\langle LE \rangle_{18\ \mathrm{months}} = \frac{1}{T_{sd}} \int_{0}^{T_{sd}} \frac{LV}{1 + \dfrac{1}{LV\,T}}\,dT = \frac{1}{T_{sd}}\left[LV\,T_{sd} - \ln(1 + LV\,T_{sd})\right] \qquad (3.1.3.6.13)$$

For LV Tsd << 1, this result may be approximated by expanding the logarithm in series and neglecting the third and higher order terms in LV Tsd, which gives

$$\langle LE \rangle_{18\ \mathrm{months}} \approx \tfrac{1}{2}\,LV^{2}\,T_{sd} \qquad (3.1.3.6.14)$$

This result is derived for failure of one check valve given that the other check valve has already failed. Since there are two such combinations (either valve may be the one that fails first), LP = 2 LE and the result becomes

$$\langle LP \rangle_{18\ \mathrm{months}} = LV^{2}\,T_{sd} \qquad (3.1.3.6.15)$$

In addition to the random failure frequency LV, there is also a demand failure frequency LD that applies when one valve fails and exposes the remaining valve to a sudden pressurization. Two such combinations lead to system failure: valve 1 failing randomly and valve 2 failing on demand, or valve 2 failing randomly and valve 1 failing on demand (in each case the leaking valve pressurizes the other). Counting two combinations here is actually conservative because, even though either valve can fail randomly, only one initiating valve failure will impose a sudden pressure load on the other valve; the particular valve failure sequence that creates this condition depends on whether the inboard valve is initially leaking. Retaining this small conservatism, the path failure rate per year is

$$\langle LP \rangle_{18\ \mathrm{months}} = LV^{2}\,T_{sd} + 2\,LV\,LD = LV\,(LV\,T_{sd} + 2\,LD) \qquad (3.1.3.6.16)$$
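The derivation above can be checked numerically. The following Python script is an added example (not part of the PRA and not the STADIC code): it evaluates Equation (3.1.3.6.7) by quadrature and compares it with the closed form (3.1.3.6.8), computes the effective rate LE of (3.1.3.6.12), compares the exact 18-month average (3.1.3.6.13) with its series approximation (3.1.3.6.14), and returns the per-line frequency of (3.1.3.6.16). Function names are the editor's own; the input values (LV = 2.5 x 10^-5 per year, LD = 2.2 x 10^-5 per demand, Tsd = 1.5 years) are the medians quoted later in this section.

```python
import math

# Symbols follow the PRA text: LV is the random leak-failure rate of one check
# valve (per year), T the time since the last leak test (years), Tsd the test
# interval (18 months = 1.5 years) and LD the demand failure probability of the
# second valve once the first has leaked. Values below are the section's medians.


def rs_two_series_valves(lv: float, t: float) -> float:
    """Equation (3.1.3.6.8): probability that the pressure boundary formed by
    two series check valves is still intact at time t."""
    return math.exp(-lv * t) * (1.0 + lv * t)


def rs_by_integration(lv: float, t: float, steps: int = 20000) -> float:
    """Equation (3.1.3.6.7) evaluated numerically (midpoint rule): survival of
    valve 1, plus valve 1 failing at time u while valve 2 survives from u to t."""
    h = t / steps
    acc = 0.0
    for i in range(steps):
        u = (i + 0.5) * h
        acc += lv * math.exp(-lv * u) * math.exp(-lv * (t - u))
    return math.exp(-lv * t) + acc * h


def le_effective(lv: float, t: float) -> float:
    """Equation (3.1.3.6.12): effective hazard rate of the pair at time t,
    LE = -(1/RS) dRS/dT = LV / (1 + 1/(LV*T)) = LV^2 T / (1 + LV T)."""
    return lv * lv * t / (1.0 + lv * t)


def le_average_exact(lv: float, tsd: float) -> float:
    """Equation (3.1.3.6.13): LE averaged over one test interval Tsd."""
    x = lv * tsd
    return (x - math.log1p(x)) / tsd   # log1p keeps precision for x << 1


def le_average_approx(lv: float, tsd: float) -> float:
    """Equation (3.1.3.6.14): second-order series approximation, LV^2 Tsd / 2."""
    return 0.5 * lv * lv * tsd


def path_frequency(lv: float, tsd: float, ld: float) -> float:
    """Equation (3.1.3.6.16) for one injection line: two orderings of random
    failures (2 * LE) plus two orderings of a random failure followed by demand
    failure of the remaining valve (2 * LV * LD)."""
    return lv * (lv * tsd + 2.0 * ld)


if __name__ == "__main__":
    lv, tsd, ld = 2.5e-5, 1.5, 2.2e-5   # medians from the PRA text
    print("RS closed form  :", rs_two_series_valves(lv, tsd))
    print("RS by quadrature:", rs_by_integration(lv, tsd))
    print("LE at Tsd       :", le_effective(lv, tsd))
    print("LE after 1e6 yr :", le_effective(lv, 1e6), "(approaches LV)")
    print("<LE> exact      :", le_average_exact(lv, tsd))
    print("<LE> approx     :", le_average_approx(lv, tsd))
    print("<LP> per line   :", path_frequency(lv, tsd, ld))
```

Running it shows why the test interval drives the result: for T much longer than 1/LV the effective rate LE tends to LV, because the first valve has almost certainly leaked and the second is then the only barrier, while over an 18-month interval LE stays four orders of magnitude below LV.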
Equation (3.1.3.6.16) represents the initiating event frequency for one of the three LHSI injection lines.

3.1.3.6.4.2.2 Valve Failure Rate

The failure modes of interest are (1) disc rupture or gross leakage of a seated check valve on the pressure boundary and (2) failure of the check valve downstream of the first check valve to hold, given the failure of the first check valve. The parameter associated with the first failure mode is a rate of failure per hour, but for the second mode a frequency of failure on demand is required.

The failure rate for the first failure mode used in this analysis is estimated from the results of the valve failure data analysis of Reference 3.1.3.6-3. That analysis addressed check valve failure events in U.S. light water reactors (LWR), as reported in Nuclear Power Experience (Reference 3.1.3.6-4) from 1972 through 1984. For this study, however, the leakage rate range associated with each check valve failure event was normalized to a pressure differential across the check valve of 2,230 psi, to adjust the leakage rate to the conditions to which the check valve in the LHSI line nearest the RCS in BV1 is subjected. The leakage events of Reference 3.1.3.6-3 and the adjusted/corrected leakage rates used in developing the failure frequency are presented in Table 3.1.3-9. Table 3.1.3-10 lists the number of events in various leak-rate categories, together with the estimated frequency per hour of check valve leakage events for each leak-rate category. A total exposure time of about 32 x 10^n check valve-hours was used (Reference 3.1.3.6-3; the exponent is not legible in the source copy). The data points in Table 3.1.3-10 (frequency of exceedance) were plotted against leak rate, and a best straight-line fit was obtained; this line is shown in Figure 3.1.3-10. To account for the uncertainty stemming from estimation of leak rates in Reference 3.1.3.6-3 for the check valve failure events, the uncertainty range was subjectively increased to a factor of 10. The bounds were then used as the 5th and 95th percentiles of a lognormal distribution representing the overall uncertainty.

Based on Figure 3.1.3-10, the median frequency of a single check valve failure resulting in leakage that exceeds the relief capacity of the LHSI pump relief valves (i.e., 105 gpm) is approximately 2.9 x 10^-9 per hour. Assuming a lognormal distribution for this frequency and a range factor of 10 to account for uncertainty stemming from estimation of leak rates, this yields:

    Parameter         Frequency (events per reactor-year)
    Mean              6.8 x 10^-5
    5th Percentile    2.4 x 10^-6
    95th Percentile   2.5 x 10^-4
    Median            2.5 x 10^-5

For the second failure mode, the generic frequency of failure to reseat on demand for check valves was used in the analysis. The distribution of this frequency has the following characteristics (see Reference 3.1.3.6-4):
    Parameter         Frequency (events per demand)
    Mean              8.4 x 10^-4
    5th Percentile    1.6 x 10^-5
    95th Percentile   2.4 x 10^-3
    Median            2.2 x 10^-4

However, this frequency is very conservative when applied to the second failure mode (that is, failure of a check valve to hold when subjected to normal RCS pressure). To reduce the conservatism, the frequency is judgmentally divided by a factor of 10 when it is applied to failure of a check valve to hold under normal RCS pressure. The distribution of the resulting frequency has the following characteristics:

    Parameter         Frequency (events per demand)
    Mean              8.4 x 10^-5
    5th Percentile    1.6 x 10^-6
    95th Percentile   2.4 x 10^-4
    Median            2.2 x 10^-5

3.1.3.6.4.2.3 Initiating Event Frequency Calculation

There are three LHSI injection lines to the RCS cold legs, each with two series check valves. The initiating event frequency associated with the LHSI injection line check valves is (from Equation 3.1.3.6.16)

$$VI = 3\,LV\,(LV\,T_{sd} + 2\,LD) \qquad (3.1.3.6.17)$$

where

    LV  = frequency (per year) of a check valve leaking at a rate of at least 105 gpm,
    Tsd = time interval between refueling shutdowns when the valves are tested,
    LD  = check valve demand failure rate.

Using the distributions for LV and LD derived in the previous section, and assuming that Tsd is 1-1/2 years, the distribution of the initiating event frequency (i.e., leakage of at least 105 gpm from the RCS through the LHSI injection line check valves) was obtained using the STADIC computer code (Reference 3.1.3.6-5). This code calculates the distribution using a Monte Carlo simulation technique. The resulting distribution has the following characteristics (events per reactor-year):

    Mean              1.61 x 10^-5
    5th Percentile    2.56 x 10^-8
    50th Percentile   1.36 x 10^-6
    95th Percentile   3.71 x 10^-5

3.1.3.6.4.3 Containment Bypass LOCA Scenarios
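The following Python script is an added example, not the STADIC code, showing how a lognormal input is parametrised from a median and a range factor (as the LV distribution above is) and how a Monte Carlo propagation through Equation (3.1.3.6.17) produces a distribution for VI. It assumes a range factor of 10 for LD as well as for LV (the text gives LD only as a percentile table), treats LV and LD as independent, and uses the Python standard library's lognormal sampler with a fixed seed; function names and the seed are the editor's choices.

```python
import math
import random

Z95 = 1.6449  # standard normal 95th percentile; a range factor spans the 5th-95th band


def lognormal_from_median_rf(median: float, rf: float) -> tuple:
    """(mu, sigma) of ln X ~ N(mu, sigma^2) such that the 5th and 95th
    percentiles are median/rf and median*rf (the range-factor convention)."""
    return math.log(median), math.log(rf) / Z95


def lognormal_summary(mu: float, sigma: float) -> dict:
    """Closed-form mean and 5th/50th/95th percentiles of the lognormal."""
    return {
        "mean": math.exp(mu + 0.5 * sigma * sigma),
        "p05": math.exp(mu - Z95 * sigma),
        "p50": math.exp(mu),
        "p95": math.exp(mu + Z95 * sigma),
    }


def line_initiating_frequency(lv: float, tsd: float, ld: float, lines: int = 3) -> float:
    """Equation (3.1.3.6.17): VI = 3 * LV * (LV * Tsd + 2 * LD)."""
    return lines * lv * (lv * tsd + 2.0 * ld)


def analytic_mean_vi(lv_mu, lv_sigma, ld_mu, ld_sigma, tsd, lines=3):
    """E[VI] for independent lognormal LV and LD, using
    E[LV^2] = exp(2 mu + 2 sigma^2) and E[X] = exp(mu + sigma^2 / 2)."""
    e_lv2 = math.exp(2.0 * lv_mu + 2.0 * lv_sigma ** 2)
    e_lv = math.exp(lv_mu + 0.5 * lv_sigma ** 2)
    e_ld = math.exp(ld_mu + 0.5 * ld_sigma ** 2)
    return lines * (e_lv2 * tsd + 2.0 * e_lv * e_ld)


def _percentile(sorted_xs, p):
    return sorted_xs[min(len(sorted_xs) - 1, int(p * len(sorted_xs)))]


def monte_carlo_vi(lv_median, lv_rf, ld_median, ld_rf, tsd, n=200_000, seed=1) -> dict:
    """Sample LV and LD independently (assumption) and push each pair through VI."""
    rng = random.Random(seed)
    lv_mu, lv_sig = lognormal_from_median_rf(lv_median, lv_rf)
    ld_mu, ld_sig = lognormal_from_median_rf(ld_median, ld_rf)
    samples = sorted(
        line_initiating_frequency(rng.lognormvariate(lv_mu, lv_sig), tsd,
                                  rng.lognormvariate(ld_mu, ld_sig))
        for _ in range(n)
    )
    return {
        "mean": sum(samples) / n,
        "p05": _percentile(samples, 0.05),
        "p50": _percentile(samples, 0.50),
        "p95": _percentile(samples, 0.95),
    }


if __name__ == "__main__":
    lv_mu, lv_sig = lognormal_from_median_rf(2.5e-5, 10.0)   # LV median, RF 10 (from the text)
    ld_mu, ld_sig = lognormal_from_median_rf(2.2e-5, 10.0)   # LD median from the text, RF 10 assumed
    print("LV summary          :", lognormal_summary(lv_mu, lv_sig))
    print("E[VI] closed form   :", analytic_mean_vi(lv_mu, lv_sig, ld_mu, ld_sig, 1.5))
    print("VI Monte Carlo      :", monte_carlo_vi(2.5e-5, 10.0, 2.2e-5, 10.0, 1.5))
```

The mean of a lognormal with range factor 10 is about 2.66 times its median, which is why the mean in the LV table above sits well above the median; the sampled VI distribution is strongly skewed for the same reason, and its mean converges slowly, so the sample size matters more than it would for a symmetric input.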
Leakage from the RCS through the LHSI system injection line check valves to the LHSI low pressure piping will be relieved through the LHSI pump discharge piping relief valves (RV-SI-845A, RV-SI-845B, and RV-SI-845C); each relief valve is rated at 50 gpm flow at 220 psig. Since the volume of fluid in the LHSI system piping from the LHSI pump discharge check valves (1SI6 and 1SI7) to the LHSI system injection line check valves (SI-10, SI-11, and SI-12) is estimated to be approximately 250 gallons, the water in this piping will be heated to the operational RCS cold leg temperature of about 540°F in a very short time for leak rates greater than 105 gpm. The corresponding saturation pressure for water at 540°F is about 1,000 psi. It was estimated that, under these conditions, the relieving capacity of the LHSI pump discharge piping relief valves will be reduced to about 35 gpm each because of choked flow and flashing (see Reference 3.1.3.6-2). Thus, the total relief capacity of the three LHSI pump discharge piping relief valves will be 105 gpm.

If the leakage of reactor coolant exceeds the relief capacity of the relief valves (i.e., > 105 gpm), the integrity of the low pressure LHSI system piping would be challenged. Since the mean bursting pressure, in particular for the 10-inch diameter piping in the LHSI system, was estimated to be 1,100 psi (see Figure 3.1.3-11, taken from Reference 3.1.3.6-6), it is very likely that the piping will fail when the leakage of reactor coolant exceeds 105 gpm and the LHSI piping is pressurized. This would lead to a containment bypass LOCA. If the leakage of reactor coolant is less than 105 gpm, the low pressure piping will still be pressurized, but to a lower value than in the case of leakage exceeding 105 gpm; there is still a likelihood that the piping will fail under this condition. For the purpose of this analysis, it was assumed that for a reactor coolant leakage rate of about 105 gpm the low pressure piping in the LHSI system will fail. Since the capacity of normal charging is 105 gpm, the loss of coolant through the LHSI line check valves at a rate of 105 gpm or less can be made up by the normal charging system with suction aligned to the RWST. Since it takes several hours to deplete the RWST, the operators have sufficient time to depressurize the RCS (thus reducing the leakage rate through the LHSI line check valves) and bring the plant to stable, cold shutdown conditions. Studies in NUREG-1150 assumed that for a very small LOCA, operators are able to cool down and depressurize the RCS via the RHR system; the upper limit for the size of this small LOCA is the loss of coolant from a 1/2-inch diameter pipe break. The leakage rate (for choked flow) of saturated water at 2,230 psia from a 1/2-inch diameter pipe break is about 108 gpm (see Reference 3.1.3.6-1). Therefore, a leakage rate of less than 105 gpm is not considered a bypass LOCA in this analysis.

To mitigate the accident caused by a reactor coolant leakage rate greater than 105 gpm and leading to a containment bypass LOCA, the operators must diagnose the containment bypass LOCA event and terminate the loss of coolant through the failed LHSI piping by closing the normally open isolation valve MOV-SI-890C. If the operators fail to terminate the containment bypass LOCA, they must provide borated water makeup to the RWST for continuing RCS inventory control at full RCS pressure. Failure to provide RCS inventory control will lead to core melt.

A simple event tree model was developed to quantify the frequency of containment bypass LOCA scenarios leading to core damage. This model, which considers a reactor coolant leakage rate greater than 105 gpm, is shown in Figure 3.1.3-12. The top events in the event tree question the availability of the high head safety injection pumps (Top Event HH), whether the high pressure injection path is available (Top Event HC), and whether makeup to the RWST is available for continuing RCS inventory control if the LOCA is not isolated (Top Event MU). A detailed description of each of the top events is given below.
- Top Event HH - High Head Safety Injection Pumps. This top event models the two HHSI trains with pumps CH-P-1A and CH-P-1B. Success requires one pump train to be operable. The third pump, CH-P-1C, may be electrically aligned to either orange or purple emergency power if either of the other two pumps fails; only two pumps at a time, however, receive an automatic start signal. Pump CH-P-1C is included in the model as a backup to either pump CH-P-1A or CH-P-1B, with the associated operator actions to align it. If both pumps CH-P-1A and CH-P-1B have failed but the required support systems are available to each train, the operator is modeled as aligning pump CH-P-1C to train A. These pump trains share a common dependence on the single suction line from the RWST, which is modeled in Top Event VL of the support tree. The RWST itself is modeled in Top Event RW of the support tree.

EOP E-0 asks the operators to recognize whether the RCS is intact. If they decide that the RCS is intact following a LOCA, they are then instructed to go to EOP ES-1.1, "Safety Injection Termination." There is a danger, as occurred at Three Mile Island (TMI), that the HPSI will be temporarily stopped. EOP ES-1.1, however, provides for a recheck of safety injection termination and an escape back to EOP E-1. Nevertheless, this potential error of commission is included in the system model for this top event.

This top event includes consideration of the failure modes of the relevant pipes, valves (including LCV-CH-115B and LCV-CH-115D), and the HHSI pumps needed to model availability of HHSI. Failure of this event implies that HHSI for RCS inventory makeup is unavailable; success of Top Event HH means that it is possible. HHSI further requires the availability of water in the RWST (Top Event RW) and of a flow path from the RWST to one of the three cold leg injection line entry points in the RCS, as modeled in Top Events VL and HC.
- Top Event HC - HHSI Cold Leg Injection Path Available. HHSI provides flow to the RCS through the three cold leg lines; injection into one of the three cold legs is sufficient for HHSI. If Top Event HH is successful (i.e., HHSI is available), then the three cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows:

  - To cold leg 1, SI-23 and SI-100 must open.
  - To cold leg 2, SI-24 and SI-101 must open.
  - To cold leg 3, SI-25 and SI-102 must open.

Top Event HC also includes the redundant MOVs (MOV-SI-867A, MOV-SI-867B, MOV-SI-867C, and MOV-SI-867D) at the pump discharge and the common check valve 1SI94 on the flow path from the pumps to the redundant MOVs.
- Top Event MU - Makeup to RWST, Given Failure To Terminate Containment Bypass LOCA. This event models the operator action and equipment necessary to supply borated water makeup to the RWST. The makeup actions are called for by procedure (EOP ECA-1.1) when RWST level is low and the LOCA is not isolated.

Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST. The spent fuel pool is normally filled to a level 20 inches above the technical specification limit; the technical specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emergency makeup from the service water system into the spent fuel pool is also possible but requires that a spool piece be installed; since use of this system connection is not proceduralized, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rate of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours. The required makeup rate to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, as indicated by Attachment A-4.7 of EOP ECA-1.1, is less than 200 gpm for times greater than 100 minutes after plant trip. Therefore, this volume of borated water is sufficient to last at least 9 hours after makeup begins. Makeup from the boric acid tanks can only be provided at 120 gpm. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after plant trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would be insufficient. Therefore, makeup from the spent fuel pool is assumed to be required initially; to continue providing makeup for 24 hours, manual blending operations using the boric acid tanks are also required.

Makeup from the spent fuel pool requires one of the two fuel pool purification pumps to start and run, and manual valves at the discharge of the pumps to the RWST must be opened. The spent fuel pool inventory should already be borated to 2,000 ppm. For makeup from the boric acid tanks and the primary grade water storage tanks, using manual blender operations, the makeup alignment is more complex. Clean water from the primary water storage tanks (1BR-TK-6A and 1BR-TK-6B) is blended with boric acid from the boric acid tanks (CH-TK-1A and CH-TK-1B). Manual intervention is required to ensure the proper blend of boric acid and clean water to achieve a mixed concentration of approximately 2,000 ppm boron. Both boric acid tanks but only one primary water storage tank are needed to supply sufficient makeup for the remainder of the 24-hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of the two primary water supply pumps (1BR-P-10A and 1BR-P-10B) and either of the boric acid transfer pumps (CH-P-2A and CH-P-2B) are required for success, since the boric acid transfer pumps can be cross-tied.

Success of Top Event MU means that continued HHSI injection can be performed for RCS inventory control at full RCS pressure despite continuing RCS leakage. For sequences in which RHR cannot be placed in service, because either the initial cooldown and depressurization could not achieve RHR entry conditions (i.e., less than 325°F and less than 360 psig) or the RHR system is unavailable, success of Top Event MU can be very important. Failure of Top Event MU means that inventory control is not available, and eventual core damage results.

3.1.3.6.4.4 Summary of Results

The interfacing LOCA, via the LHSI injection line, event frequency for Beaver Valley Unit 1 has a mean value of 1.6 x 10^-5 per reactor-year.
The results of the quantification of core damage frequency for event sequences initiated by an interfacing LOCA are presented in Section 3.4. The operator error rate for failure to diagnose a containment bypass LOCA event and to isolate the LOCA, and the operator error rate for failure to align borated water source(s) to the RWST for continuing RCS inventory control, depend on the amount of time available to the operator between the onset of the accident and the uncovering of the core resulting in core damage. This duration is a function of the leakage rate of reactor coolant passing through the LHSI injection line check valves. The greater the reactor coolant leakage rate, the less time is available to the operator to mitigate the accident, and the higher the human error rate is therefore expected to be. The initiating event frequency, however, decreases with increasing reactor coolant leakage rate. Table 3.1.3-11 shows the initiating event frequencies at different reactor coolant leakage rates through the LHSI injection line check valves and the corresponding time available to the operators for accident mitigation. The times calculated are conservative since they were based on the time for depletion of the contents of the RWST. Even for the worst scenario (i.e., a leakage rate of 9,000 gpm), there are at least 44 minutes available to the operators for accident mitigation.

The LHSI piping that is most likely to fail when overpressurized is the 10-inch piping located near the floor of the safeguards areas at Elevation 732'6" (Reference 3.1.3.6-6). The areas are enclosed, and water from the pipe break would flow into the valve pit at Elevation 686'5".
Preliminary calculations (Reference 3.1.3.6-7) estimated that it would take about 31,000 gallons of water to fill the valve pit and then the safety injection safeguard areas up to the elevation of the 10-inch LHSI piping of concern. It would take another 28,000 gallons of water to cover the 10-inch piping in the safeguard areas to a depth of about 3 feet. Since the content of the RWST is much more than the amount of water required to flood the 10-inch LHSI piping, it is likely that, in interfacing LOCA initiated core melt scenarios in which RCS coolant is lost through the LHSI piping, the piping would be submerged in water. This would create a mechanism for fission product "scrubbing" prior to any release into the auxiliary building atmosphere.

3.1.3.6.5 References

3.1.3.6-1. Memo from Leung, S. T. (Duquesne Light Company), to K. N. Fleming (PLG), on "Component Cooling Water System Piping Overpressure Concern," SWEC-1257-DOC-162, dated May 14, 1990.

3.1.3.6-2. Memo from Buttemer, D. R., to D. J. Wakefield, on "Relieving Capacity of Beaver Valley Low Head SI Pump Relief Valves at Predicted Failure Pressures," dated June 1, 1990.

3.1.3.6-3. Fleming, K. N., et al., "Seabrook Station Risk Management and Emergency Planning Study," PLG-0432, December 1985.

3.1.3.6-4. "Database for Probabilistic Risk Assessment of Light Water Nuclear Power Plants," PLG-0500, Volume 2, Revision 0, July 1989.

3.1.3.6-5. Wakefield, D. J., and K. N. Fleming, "STADIC Computer Code User Manual," PLG-0689, October 1990.

3.1.3.6-6. Letter from Carl O. Richardson, Jr., to Mr. K. E. Halliday, on "Beaver Valley Power Station, Unit 1 - Evaluation of V Sequence Event," SWEC-1257-DOC-177, June 28, 1990.

3.1.3.6-7. Moody, James H., "Preliminary Calculations on the Flooding of the Valve Pit and Safeguard Areas due to Break of the 10" LHSI Piping," SWEC-1257-DOC-202, October 8, 1990.
Table 3.1.3-1. Top Event Names for the GENTRANS Event Tree

    Top Event   Description
    OT          Operator Manually Trip Reactor
    RT          Automatic/Manual Reactor Trip
    TT          Turbine Trip
    MS          Main Steam Isolation
    AF          Auxiliary Feedwater
    PR          Pressurizer Relief and Reclosure
    MA          Long Term AFW Makeup
    MF          Condensate/Main Feedwater
    DF          Dedicated AFW Pump
    OF          Manual Action To Reestablish MFW
    OB          Bleed and Feed Cooling
    HH          High Head Safety Injection Pumps
    HC          HHSI Cold Leg Injection Paths
    SE          RCP Seal Injection/Thermal Barrier Cooling
    CD          Cooldown RCS and Depressurize Secondary
    OD          Depressurization of RCS for RHR Entry
    PI          Pzr PORV Isolation Given RCS Depressurization
    RR          Residual Heat Removal

Table 3.1.3-2. Top Event Names for the GTRECIRC Event Tree

    Top Event   Description
    NR          Recirculation From Sump Not Required
    NM          No Melt Condition From Injection Phase
    QA          Quench Spray Train A
    QB          Quench Spray Train B
    LA          Low Head Safety Injection Pump Train A
    LB          Low Head Safety Injection Pump Train B
    LC          LHSI Cold Leg Injection Paths
    SM          Containment Sump Plugging
    OP          Operator Protects RS Pumps
    RS          Inside RS Train A or B
    RA          Outside RS Pump/Spray Train A
    RB          Outside RS Pump/Spray Train B
    VA          Containment Sump Valve For LHSI Pump A
    VB          Containment Sump Valve For LHSI Pump B
    OR          Auto/Manual Actions For Cold Leg Recirc
    HR          LH to HH Cross Tie For Recirc Core Cooling
    MU          Makeup to RWST Given Recirc Failure
    CI          Containment Isolation

Table 3.1.3-3. Top Event Names for the Medium LOCA Event Tree

    Top Event   Description
    HH          High Head Safety Injection Pumps
    HM          HHSI Cold Leg Injection Paths (two of three)
    AM          Two of Three Accumulators Discharge
    AF          Auxiliary Feedwater
    QA          Quench Spray Train A
    QB          Quench Spray Train B
    LA          Low Head Safety Injection Pump Train A
    LB          Low Head Safety Injection Pump Train B
    LC          LHSI Cold Leg Injection Paths
    SM          Containment Sump Plugging
    OP          Operator Protects RS Pumps
    RS          Inside RS Train A or B
    RA          Outside RS Pump/Spray Train A
    RB          Outside RS Pump/Spray Train B
    VA          Containment Sump Valve For LHSI Pump A
    VB          Containment Sump Valve For LHSI Pump B
    OR          Auto/Manual Actions for Cold Leg Recirc
    HR          LH to HH Cross-Tie For Recirc Core Cooling
    MU          Makeup to RWST Given Recirc Fails
    CI          Containment Isolation

Table 3.1.3-4. Top Event Names for the Large LOCA Event Tree

    Top Event   Description
    HH          High Head Safety Injection Pumps
    HC          HHSI Cold Leg Injection Paths (one of two)
    AL          Two of Two Accumulators Discharge
    QA          Quench Spray Train A
    QB          Quench Spray Train B
    LA          Low Head Safety Injection Pump Train A
    LB          Low Head Safety Injection Pump Train B
    LL          LHSI Cold Leg Injection Paths (large LOCA)
    SM          Containment Sump Plugging
    OP          Operator Protects RS Pumps
    RS          Inside RS Train A or B
    RA          Outside RS Pump/Spray Train A
    RB          Outside RS Pump/Spray Train B
    VA          Containment Sump Valve For LHSI Pump A
    VB          Containment Sump Valve For LHSI Pump B
    OR          Auto/Manual Actions For Cold Leg Recirc
    MU          Makeup to RWST Given Recirc Failure
    CI          Containment Isolation

Table 3.1.3-5. Top Event Names for the SGTR Event Tree

    Top Event   Description
    OT          Operator Manually Trip Reactor
    RT          Automatic/Manual Reactor Trip
    TT          Turbine Trip
    MS          Main Steam Isolation
    AF          Auxiliary Feedwater
    OF          Manual Action to Reestablish MFW
    DF          Dedicated AFW Pump
    MF          Condensate/Main Feedwater
    OB          Bleed and Feed Cooling
    HH          High Head Safety Injection Pumps
    HC          HHSI Cold Leg Injection Paths
    SE          RCP Seal Injection/Thermal Barrier Cooling
    SL          Secondary Leakage to Atmosphere
    CD          Cooldown RCS and Depressurize Secondary
    OD          Depressurization of RCS for RHR Entry
    PI          Pzr PORV Isolation Given RCS Depressurization
    RR          Residual Heat Removal
    WM          Makeup to the RWST Given Leakage thru Secondary

Table 3.1.3-6. Top Event Names for the SGTRRECIRC Event Tree

    Top Event   Description
    NR          Recirculation From Sump Not Required
    NM          No Melt Condition From Injection Phase
    QA          Quench Spray Train A
    QB          Quench Spray Train B
    LA          Low Head Safety Injection Pump Train A
    LB          Low Head Safety Injection Pump Train B
    LC          LHSI Cold Leg Injection Paths
    SM          Containment Sump Plugging
    OP          Operator Protects RS Pumps
    RS          Inside RS Train A or B
    RA          Outside RS Pump/Spray Train A
    RB          Outside RS Pump/Spray Train B
    VA          Containment Sump Valve For LHSI Pump A
    VB          Containment Sump Valve For LHSI Pump B
    OR          Auto/Manual Actions For Cold Leg Recirc
    HR          LH To HH Cross Tie For Recirc Core Cooling
    MU          Makeup to RWST Given Recirc Failure
    CI          Containment Isolation

Table 3.1.3-7. Top Event Names for the Excessive LOCA Event Tree

    Top Event   Description
    HH          High Head Safety Injection Pumps
    HC          HHSI Cold Leg Injection Paths (one of three)
    AL          Two of Two Accumulators Discharge
    QA          Quench Spray Train A
    QB          Quench Spray Train B
    LA          Low Head Safety Injection Pump Train A
    LB          Low Head Safety Injection Pump Train B
    LC          LHSI Cold Leg Injection Paths
    SM          Containment Sump Plugging
    OP          Operator Protects RS Pumps
    RS          Inside RS Train A or B
    RA          Outside RS Pump/Spray Train A
    RB          Outside RS Pump/Spray Train B
    VA          Containment Sump Valve For LHSI Pump A
    VB          Containment Sump Valve For LHSI Pump B
    OR          Auto/Manual Actions For Cold Leg Recirc
    CI          Containment Isolation
Table 3.1.3-8. Bypass LOCA

Each entry gives the penetration number and line diameter (inches), the line description, and for each valve in the path its identifier, normal position, actuation signal and failed position, followed by the screening basis and whether the path is carried into the model. The (I) and (O) designations are those of the original table.

Pen 7 (3 in.) - HHSI to Hot Leg Injection Lines (to RCS)
    (I) CV-1SI-20       Closed          None                As is
    (I) CV-1SI-21       Closed          None                As is
    (I) CV-1SI-22       Closed          None                As is
    (I) CV-1SI-83       Closed          None                As is
    (O) MOV-SI-869A     Closed          None                As is
    Screening: Two Check Valves; Administratively Isolated; High Pressure Design.   Model: No

Pen 15 (3 in.) - Charging (to RCS)
    (I) CV-CH32         Open            None                As is
    (I) MOV-CH-310      Open            Safety Injection    As is
    (I) CV-CH31         Open            None                As is
    (O) MOV-CH-289      Open            Safety Injection    As is
    (O) FCV-CH-122      Open            None                Open
    Screening: Two Check Valves; High Pressure Design.   Model: No

Pen 15 (cont.) - Charging (to RCS Pressurizer Spray)
    (I) CV-CH222        Closed          None                As is
    (I) MOV-CH-311      Closed          None                As is
    (I) CV-CH31         Open            None                As is
    (O) MOV-CH-289      Open            Safety Injection    As is
    (O) FCV-CH-122      Open            None                Open
    Screening: Two Check Valves; High Pressure Design.   Model: No

Pen 19 (3 in.) - Seal Water from RCPs (from RCS)
    (I) MOV-CH-307      Open            None                As is
    (I) MOV-CH-378      Open            CIA                 As is
    (I) MOV-CH-381      Open            CIA                 As is
    Screening: Note 1.   Model: No

Pen 19 (3 in.) - Excess Letdown (from RCS)
    (I) MOV-1RC-557A    Possibly Open   None                As is
    (I) MOV-1RC-557B    Possibly Open   None                As is
    (I) MOV-1RC-557C    Possibly Open   None                As is
    (I) MOV-1CH-201     Possibly Open   None                As is
    (I) MOV-1CH-137     Possibly Open   None                As is
    (I) MOV-1CH-378     Open            CIA                 As is
    (O) MOV-CH-381      Open            CIA                 As is
    Screening: Note 1.   Model: No

Pen 20 (1 in.) - Makeup to Safety Injection Accumulators (to RCS)
    (I) CV-SI51         Closed          None                As is
    (I) CV-SI52         Closed          None                As is
    (I) CV-SI53         Closed          None                As is
    (I) CV-SI48         Closed          None                As is
    (I) CV-SI49         Closed          None                As is
    (I) CV-SI50         Closed          None                As is
    (I) MOV-SI-865A     Open            None                As is
    (I) MOV-SI-865B     Open            None                As is
    (I) MOV-SI-865C     Open            None                As is
    (I) MOV-SI-851A     Closed          None                As is
    (I) MOV-SI-851B     Closed          None                As is
    (I) MOV-SI-851C     Closed          None                As is
    (I) CV-SI42         Closed          None                As is
    (O) MV-SI41         Closed          None                As is
    Screening: Three Check Valves.   Model: No

Pen 24 (6 in.) - RHS to RWST (from RCS via RHS return lines)
    (I) CV-SI52         Closed          None                As is
    (I) CV-SI53         Closed          None                As is
    (I) MOV-RH720A      Closed          RCS Pressure        As is
    (I) MOV-RH720B      Closed          RCS Pressure        As is
    (I) MV-RH14         Closed          None                As is
    (O) MV-RH15         Closed          None                As is
    Screening: Administratively Isolated.   Model: No

Pen 24 (cont.) - RHS to RWST (from RCS via RHS suction lines)
    (I) MOV-RH700       Closed          RCS Pressure        As is
    (I) MOV-RH701       Closed          RCS Pressure        As is
    (I) MV-RH14         Closed          None                As is
    (O) MV-RH15         Closed          None                As is
    Screening: Administratively Isolated.   Model: No

Pen 28 (2 in.) - RCS Letdown
    (I) LCV-CH460A      Open            PRZR Low Level      Closed
    (I) LCV-CH460B      Open            PRZR Low Level      Closed
    (I) TV-1CH-200A     Open            CIA                 Closed
    (I) TV-1CH-200B     Open            CIA                 Closed
    (I) TV-1CH-200C     Open            CIA                 Closed
    (O) TV-1CH-204      Open            CIA                 Closed
    Screening: Note 2.   Model: No

Pen 28 (cont.) - RCS Letdown (via RHR suction)
    (I) MOV-RH700       Closed          RCS Pressure        As is
    (I) MOV-RH701       Closed          RCS Pressure        As is
    (I) MOV-1CH-142     Closed          None                As is
    (O) TV-1CH-204      Open            CIA                 Closed
    Screening: Administratively Isolated by Three MOVs.   Model: No

Pen 28 (cont.) - RCS Letdown (via RHR discharge)
    (I) CV-SI52         Closed          None                As is
    (I) CV-SI53         Closed          None                As is
    (I) MOV-RH720A      Closed          RCS Pressure        As is
    (I) MOV-RH720B      Closed          RCS Pressure        As is
    (I) MOV-1CH-142     Closed          None                As is
    (O) TV-1CH-204      Open            CIA                 Closed
    Screening: Administratively Isolated by Two MOVs; One Check Valve.   Model: No

Pen 27 (2 in.) - Primary Drain Transfer Pump Discharge (from RCS)
    (I) TV-1DG-108A     Open/Closed     CIA                 Closed
    (O) TV-1DG-108B     Open/Closed     CIA                 Closed
    Screening: Note 3.   Model: No

Pen 33 (3 in.) - HHSI to RCS Hot Leg Injection Lines
    (I) CV-SI20         Closed          None                As is
    (I) CV-SI21         Closed          None                As is
    (I) CV-SI22         Closed          None                As is
    (I) CV-SI54         Closed          None                As is
    (O) MOV-1SI-869B    Closed          None                As is
    Screening: Two Check Valves; Administratively Isolated.   Model: No

Pen 35 (2 in.) - Seal Injection to RCP1A
    (I) CV-CH188        Open            None                As is
    (I) CV-CH181        Open            None                As is
    (O) MOV-1CH-308A    Open            None                As is
    Screening: Two Check Valves; High Pressure Design.   Model: No

Pen 36 (2 in.) - Seal Injection to RCP1B
    (I) CV-CH189        Open            None                As is
    (I) CV-CH182        Open            None                As is
    (O) MOV-CH308B      Open            None                As is
    Screening: Two Check Valves; High Pressure Design.   Model: No

Pen 37 (2 in.) - Seal Injection to RCP1C
    (I) CV-CH190        Open            None                As is
    (I) CV-CH183        Open            None                As is
    (O) MOV-CH308C      Open            None                As is
    Screening: Two Check Valves; High Pressure Design.   Model: No

Pen 45 (3 in.) - Primary Grade Water to PRT
    (I) MOV-1RC-516     Closed          None                As is
    (I) CV-1RC-72       Closed          None                As is
    (O) TV-RC519        Closed          CIA                 Closed
    Screening: Three Normally Closed Valves (Note 4).   Model: No

Pen 46 (2 in.) - Charging Fill Header to RCS
    (I) MOV-RC556A      Closed          None                As is
    (I) MOV-RC556B      Closed          None                As is
    (I) MOV-RC556C      Closed          None                As is
    (I) CV-CH170        Closed          None                As is
    Screening: High Pressure Design; Three Normally Closed Valves.   Model: No

Pen 48 (1-1/2 in.) - Primary Vent Header (from RCS)
    (I) TV-1DG-109A2    Open            CIA                 Closed
    (O) TV-1DG-109A1    Open            CIA                 Closed
    Screening: Note 5.   Model: No

Pen 49 (3/4 in.) - N2 Supply to PRT
    (I) MV-RC69         Closed          None                As is
    (I) CV-RC68         Closed          None                As is
    (O) TV-RC101        Closed          CIA                 Closed
    Screening: Three Normally Closed Valves (Note 6).   Model: No

Pen 55-1 (3/8 in.) - Safety Injection Accumulator Sample (from RCS)
    (I) TV-1SS-109A1    Open            CIA                 Closed
    (O) TV-1SS-109A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 55-4 (3/8 in.) - PRT Gas Sample (from RCS)
    (I) TV-1SS-111A1    Open            CIA                 Closed
    (O) TV-1SS-111A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 56-1 (3/8 in.) - Pressurizer Liquid Sample (from RCS)
    (I) TV-1SS-100A1    Open            CIA                 Closed
    (O) TV-1SS-100A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 56-2 (3/8 in.) - RCS Cold Leg Injection Line Samples (from RCS)
    (I) TV-1SS-102A1    Open            CIA                 Closed
    (O) TV-1SS-102A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 56-3 (3/8 in.) - RCS Hot Leg Injection Line Samples (from RCS)
    (I) TV-1SS-105A1    Open            CIA                 Closed
    (O) TV-1SS-105A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 60 (6 in.) - LHSI to Hot Leg Injection Lines (to RCS)
    (I) CV-SI20         Closed          None                As is
    (I) CV-SI21         Closed          None                As is
    (I) CV-SI22         Closed          None                As is
    (I) CV-SI15         Closed          None                As is
    (I) CV-SI16         Closed          None                As is
    (I) CV-SI17         Closed          None                As is
    (I) CV-SI13         Closed          None                As is
    (O) MOV-SI890A      Closed          None                As is
    (O) MV-SI451        Closed          None                As is
    Screening: Three Check Valves.   Model: No

Pen 61 (6 in.) - LHSI to Cold Leg Injection Lines (to RCS)
    (I) CV-SI23         Closed          None                As is
    (I) CV-SI24         Closed          None                As is
    (I) CV-SI25         Closed          None                As is
    (I) CV-SI12         Closed          None                As is
    (I) CV-SI11         Closed          None                As is
    (I) CV-SI10         Closed          None                As is
    (O) MOV-SI890C      Open            None                As is
    Screening: Two Check Valves.   Model: Yes

Pen 62 (6 in.) - LHSI to Hot Leg Injection Lines (to RCS)
    (I) CV-SI20         Closed          None                As is
    (I) CV-SI21         Closed          None                As is
    (I) CV-SI22         Closed          None                As is
    (I) CV-SI15         Closed          None                As is
    (I) CV-SI16         Closed          None                As is
    (I) CV-SI17         Closed          None                As is
    (I) CV-SI14         Closed          None                As is
    (O) MOV-SI890B      Closed          None                As is
    (O) MV-SI452        Closed          None                As is
    Screening: Three Check Valves.   Model: No

Pen 95 (1/4 in.) - RVLIS (from RCS)
    Sensor              Open            None                As is
    Bellows             Open            None                As is
    Screening: Small Line.   Model: No

Pen 86 (3 in.) - HHSI to Cold Leg Injection Lines (to RCS)
    (I) CV-SI23         Closed          None                As is
    (I) CV-SI24         Closed          None                As is
    (I) CV-SI25         Closed          None                As is
    (I) CV-SI100        Closed          None                As is
    (I) CV-SI101        Closed          None                As is
    (I) CV-SI102        Closed          None                As is
    (I) CV-SI95         Closed          None                As is
    (O) MOV-SI-836      Closed          None                As is
    Screening: Three Check Valves.   Model: No

Pen 97-1 (3/8 in.) - RHR Inlet Sample
    (I) TV-1SS-104A1    Open            CIA                 Closed
    (O) TV-1SS-104A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 97-2 (3/8 in.) - RHR Outlet Sample
    (I) TV-1SS-103A1    Open            CIA                 Closed
    (O) TV-1SS-103A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 105-2 (3/8 in.) - Pressurizer Vapor Space Sample
    (I) TV-1SS-112A1    Open            CIA                 Closed
    (O) TV-1SS-112A2    Open            CIA                 Closed
    Screening: Small Line.   Model: No

Pen 106 (3/4 in.) - Safety Injection Accumulator Test Line
    (I) CV-SI51         Closed          None                As is
    (I) CV-SI52         Closed          None                As is
    (I) CV-SI53         Closed          None                As is
    (I) CV-SI48         Closed          None                As is
    (I) CV-SI49         Closed          None                As is
    (I) CV-SI50         Closed          None                As is
    (I) MOV-SI850A      Closed          None                As is
    (I) MOV-SI850C      Closed          None                As is
    (I) MOV-SI850E      Closed          None                As is
    (I) MOV-SI850B      Closed          None                As is
    (I) MOV-SI850D      Closed          None                As is
    (I) MOV-SI850F      Closed          None                As is
    (I) MOV-SI842       Closed          CIA                 As is
    (O) TV-SI889        Closed          CIA                 Closed
    Screening: Note 7.   Model: No

Pen 109 (1/4 in.) - RVLIS
    Sensor              Open            None                As is
    Bellows             Open            None                As is
    Screening: Small Line.   Model: No
, t16 Pressurizer Dead (O) MV-RC-277 Cosed None As is Small Une No (t/8) Weight Cahbrator (O) MV-RC-278 Cosed None As is 112 (3) BIT to Cold Leg (1) CV-S123 Closed None Asis Three Check Valves No i Injection Unes (!) CV-St24 Cosed None Asis (I) CV-Sf25 Cosed None Asis (1) CV-S1100 Closed None As is (1) CV-SI101 Closed None As is , (i) CV-S1102 Cosed None Asis W Cosed None Asis (f) CV-S194 ,
(O) MOV-Sl867C Cosed Safety injection (Open) Asis R (O) MOV-Sl867D Gosed Safety injection (Open) Asis S (O) MV-St91 Cosed None Asis E
'E e
3 3 := 2= 5 8 =
? o
Notes to Table 3.1.3-8

1. This line (penetration 19), with flow out of the RCS, is isolated at containment by two auto-isolation valves that close on a CIA signal. Piping upstream and downstream of the containment isolation valves is low pressure Class 153 piping. Low pressure Class 153 piping inside containment is protected from overpressurization by a relief valve inside containment that discharges to the pressurizer relief tank (PRT) inside containment. Additional isolation capability for the RCP seal leakoff is provided by one MOV isolation valve in the outlet of the RCP seal leakoff lines. Piping downstream of the RCP seal leakoff isolation valves is low pressure Class 153 piping. The risk of a bypass LOCA event in this line is insignificant because failures outside containment are unlikely to fail high head safety injection, and high pressures are unlikely unless there is an RCP seal LOCA. RCP seal LOCA is modeled in the PRA, and this penetration is included in the containment isolation model. Additional isolation capability for the excess letdown line is provided by three MOV isolation valves (two upstream and one downstream of the excess letdown heat exchanger) in the excess letdown line. Piping downstream of the MOV that is downstream of the excess letdown heat exchanger is low pressure Class 153 piping. The risk of a bypass LOCA event in this line is insignificant because a high overpressure condition is required, this is a small line, and failure of high head safety injection is unlikely. This penetration is included in the containment isolation model.

2. This line (penetration 28), with flow out of the RCS, is isolated at containment by two auto-isolation (fail-closed) valves that close on a CIA signal. Additional auto-isolation capability for the normal letdown line is provided by two AOV isolation valves upstream of the regenerative heat exchanger. Piping downstream of the inside containment isolation valve is low pressure Class 602 piping. Overpressure protection for the low pressure Class 602 piping inside containment is provided by a relief valve inside containment that discharges to the pressurizer relief tank (PRT) inside containment. The risk of a bypass LOCA event in this line is insignificant because a high overpressure condition is required, this is a small line, and failure of high head safety injection is unlikely. This penetration is included in the containment isolation model.

3. The primary drains system is a low pressure leakage and drainage collection system located inside containment with a low pressure Class 152 piping penetration for transfer of collected leakage outside containment. This line (penetration 29), with flow going out of the containment, is isolated at containment by two auto-isolation (fail-closed) valves that close on a CIA signal. The primary drains transfer tank is connected to the RCS via various low pressure lines that collect leakage and drainage from RCS components. These leakage collection lines are small, and drain lines are administratively controlled in a manner such that the primary drains system does not pose a potential pathway for a bypass LOCA. The risk of a bypass LOCA event in this line is insignificant. This penetration is included in the containment isolation model.

4. The PRT is a low pressure tank inside containment for collection of relief, leakage, and drainage from RCS components. It has a design pressure of 100 psig and is provided with a rupture disc for overpressure protection. The PRT is serviced by a number of low pressure Class 153 piping lines that penetrate containment, including the primary grade water supply. This line (penetration 45), with flow into containment, is isolated at containment by a check valve and an auto-isolation (fail-closed) valve that closes on a CIA signal. A loss of reactor coolant from the RCS to the PRT would result in overpressurization and rupture of the PRT rupture disc with subsequent release of reactor coolant inside containment. The risk of a bypass LOCA event in the primary grade water supply line is insignificant.

3.1-126 3.1 Accident Sequence Delineation

5. The primary vents system is a low pressure leakage and vent collection system located inside containment with a low pressure Class 152 piping penetration for transfer of collected leakage outside containment. This line (penetration 48), with flow going out of the containment, is isolated at containment by two auto-isolation (fail-closed) valves that close on a CIA signal. The primary vents system is connected to the RCS via connections to the PRT and PDTT that collect leakage and vented gases. These leakage collection lines are small and administratively controlled in a manner such that the primary vents system does not pose a potential pathway for a bypass LOCA. The risk of a bypass LOCA event in this line is insignificant. This penetration is included in the containment isolation model.

6. The PRT is a low pressure tank inside containment for collection of relief, leakage, and drainage from RCS components. It has a design pressure of 100 psig and is provided with a rupture disc for overpressure protection. The PRT is serviced by a number of low pressure Class 153 piping lines that penetrate containment, including the N2 supply. This line (penetration 49), with flow into containment, is isolated at containment by a check valve and an auto-isolation (fail-closed) valve that closes on a CIA signal. A loss of reactor coolant from the RCS to the PRT would result in overpressurization and rupture of the PRT rupture disc with subsequent release of reactor coolant inside containment. The risk of a bypass LOCA event in the N2 supply line is insignificant.

7. The safety injection accumulator test line (penetration 106) connects to each of the three safety injection accumulator injection lines. Connections are in two locations: upstream of the first accumulator line check valve, and upstream of the second accumulator line check valve. The connection upstream of the second accumulator line check valve has two check valves and an NC/FC isolation valve. Therefore, this connection is not a significant contributor to the risk of a bypass LOCA. The connection upstream of the first accumulator line check valve contains four normally closed isolation valves (i.e., one check valve, two motor-operated isolation valves, and one NC/FC air-operated isolation valve) in the high pressure Class 1502 piping between the RCS connection and the low pressure Class 153 piping outside containment. Since previous analysis has shown that isolation arrangements with three normally closed valves are sufficient to preclude a line from being a significant contributor to a bypass LOCA, the safety injection accumulator test line connection upstream of the first accumulator line check valve is not a significant contributor to the risk of a bypass LOCA.
Table 3.1.3-9. Check Valve Leakage Event Database

NPE Reference | Plant (Date) | Description | Leak Rate Range (gpm) | Plant Conditions | Pressure across Check Valve (psi) (1) | Corrected Leak Rate Range (gpm) (2)
VII.A.126 | Zion 2 (October 1975) | A leak rate of ~0.25 gpm was detected from the "A" accumulator check valve. Wrong size gasket installed. | Y = 0.25 | 30% Power | 1,830 | Y = 0.28
VII.A.32 | Turkey Point 4 (May 1973) | One of the three check valves in the high head safety injection lines to the RCS cold legs developed 1/3-gpm leakage with 180 psi of water pressure applied. Two other check valves showed only slight leakage. Failure of soft seats. | Y = 0.33 | - | 180 | Y = 1.16
VII.A.175 | San Onofre 1 (May 1978) | A tilting disc check valve that was located in the LPI system as the first valve inside containment failed to close with gravity. Valve installed in a vertical rather than a horizontal pipeline. | Y < 5 | 55% Power | 1,830 | Y < 5.5
VII.A.114 | Surry 1 (July 1976) | Check valves 1-SI-128 and 130 leaked, causing boron dilution in the "B" accumulator. | Y < 10 | 100% Power | 1,830 | Y < 11
VII.A.182 | Calvert Cliffs (September 1978) | The outlet check valves that were associated with the safety injection tanks 21B and 22B leaked, reducing the boron concentration from 1,724 and 1,731 ppm to 1,652 and 1,594 ppm, respectively, in a 1-month period. | Y < 10 | (illegible)% Power | 1,830 | Y < 11
VII.A.291 | Surry 2 (January 1981) | Check valve that was associated with the safety injection accumulator "C" leaked, resulting in accumulator boron dilution. Cause unknown. | Y < 10 | 100% Power | 1,830 | Y < 11
VII.A.306 | McGuire 1 (April 1981) | Discharge check valves that were associated with the cold leg injection accumulator A leaked. Cause unspecified. | Y < 10 | Hot Standby | 1,375 (3) | Y < 12.7
VII.A.343 | Point Beach (October 1981) | Check valve 1-853C, serving as the first-off check valve from the RCS for the low head safety injection. | Y < 10 | Refueling | 150 (4) | Y < 38.6
VII.A.63 | Ginna (September 1974) | Accumulator "A" check valve leaked, leading to boron dilution (from about 2,550 down to 1,617 ppm). Cause unknown. | Y < 20 | At Power | 1,830 | Y < 22
VII.A.85 | Surry 1 (August 1975) | Check valve associated with accumulator 1C failed to seat, resulting in an increase in accumulator level. Cause unspecified. Developed 6-gpm leakage. | Y < 20 | Hot Standby | 350 | 0 (5)
VII.A.105 | Robinson 2 (January 1976) | "B" safety injection accumulator check valve developed leakage. Cause unspecified. | Y < 20 | 100% Power | 1,830 | Y < 22
VII.A.122 | Zion 1 (June 1976) | Discharge check valve on accumulator 1D developed back leakage. Cause unspecified. | Y < 20 | 50% Power | 1,830 | Y < 22
VII.A.407 | McGuire (May 1983) | Cold leg injection accumulator check valve leaked, resulting in low accumulator boron concentration. Cause unspecified. | 20 < Y < 50 | 50% Power | 1,830 | 22 < Y < 55
VII.A.452 | St. Lucie 2 (December 1984) | The SIT outlet check valve developed excessive leakage. Foreign material caused ball galling leading to (illegible). | 20 < Y < 50 | Hot Standby | 1,600 (6) | 22 < Y < 55
VII.A.456 | Calvert Cliffs 2 (January 1985) | SIT check valve developed excessive leakage. Ethylene propylene O-ring material degradation. | 20 < Y < 50 | 100% Power | 1,830 | 22 < Y < 55
VII.A.437 | Farley 2 (September 1983) | Loop 3 cold leg safety injection check valve developed excessive leakage. Incomplete contact between disc and seat. | 50 < Y < 100 | Refueling | 150 (4) | 193 < Y < 386
VII.A.273 | Davis Besse 1 (October 1980) | Gross back leakage through core flood check valve. Cause unspecified. | 20 < Y < 50 | Hot Standby | 1,200 (7) | 27 < Y < 68
VII.A.384 | Calvert Cliffs 1 (July 1982) | SIT outlet check valve leaked at the rate of ~200 gpm. O-ring deteriorated. | Y = 200 | Startup | 1,750 (8) | Y = 226

Notes:

1. Unless stated, it is assumed that the RCS pressure at power is approximately 2,230 psig and that the accumulator discharge pressure, upstream of the cold leg injection check valve nearest to the RCS, is approximately 400 psig. This would give a pressure differential across the check valve of 1,830 psi. Since there is no accumulator upstream of the LHSI injection valves in BV1, the pressure differential across the check valve nearest to the RCS at power will be approximately 2,230 psi.
2. The leak rate is normalized to a pressure differential of 2,230 psi across the check valve. The corrected leak rate is therefore L √(2,230/ΔP), where L is the leak rate at a pressure differential of ΔP.
3. The RCS pressure was 1,800 psig and the accumulator discharge pressure was 425 psig.
4. Assume that the leak rate test pressure was 150 psi.
5. The inleakage was terminated when the RCS pressure was increased.
6. Assume that the RCS pressure at hot standby was 1,800 psi.
7. Assume that the RCS pressure at hot standby was 1,800 psi, and that the core flood system pressure was 600 psig.
8. RCS pressure was greater than 1,750 psia.
Table 3.1.3-10. Statistical Data on Check Valve Leakage Events in PWR ECCS and RCS Systems

Leak Rate (gpm) | Number of Events | Frequency of Occurrence (per hour) | Frequency of Exceedance (per hour)
5.5 | 3 | 2.94-8 | 1.96-7
13.0 | 7 | 6.86-8 | 1.67-7
22.0 | 3 | 2.94-8 | 9.80-8
30.0 | 1 | 9.80-9 | 6.86-8
55.0 | 3 | 2.94-8 | 5.88-8
68.0 | 1 | 9.80-9 | 2.94-8
226.0 | 1 | 9.80-9 | 1.96-8
386.0 | 1 | 9.80-9 | 9.80-9

Note: Exponential notation is indicated in abbreviated form, i.e., 2.94-8 = 2.94 × 10^-8.
Table 3.1.3-11. Time Available to Operators for Accident Mitigation at Various Reactor Coolant Leakage Rates

Reactor Coolant Leakage Rate (gpm) | Median Frequency (per hour) of a Single Check Valve Failure Resulting in the Leakage (Figure 5-3) | Mean Initiating Event Frequency (per year) (Equation 5.12) | Approximate Time Available to Operators for Accident Mitigation*
150 | 2.9 × 10^-8 | 1.61 × 10^-8 | 44 hours
1,000 | 6.0 × 10^? | 1.22 × 10^? | 6 hours
3,000 | 2.5 × 10^? | 3.81 × 10^-7 | 2 hours
9,000 | 1.1 × 10^? | 1.45 × 10^-7 | 44 minutes

(? = exponent not legible in the source)

* Based on the time to deplete the 400,000 gallons of water in the RWST.
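The three calculations behind the tables above (the leak-rate normalization of Note 2 to Table 3.1.3-9, the conversion of event counts into occurrence and exceedance frequencies in Table 3.1.3-10, and the RWST depletion time in Table 3.1.3-11) are small enough to reproduce and cross-check. The following Python is an added worked example written for this edit; it is not part of the PRA report. Its sample input is transcribed from the tables, the 9.80 × 10^-9 per hour per-event rate is the one implied by the table (2.94 × 10^-8 for three events), and the function names are this example's own.

```python
"""Added worked example (not part of the Beaver Valley PRA text): the three
calculations behind Tables 3.1.3-9, 3.1.3-10 and 3.1.3-11.

1. Note 2 to Table 3.1.3-9 normalises each observed check valve leak rate
   to a 2,230 psi differential with L * sqrt(2230 / dP).
2. Table 3.1.3-10 converts event counts into per-hour occurrence and
   exceedance frequencies (9.80e-9 per hour per event in the table).
3. Table 3.1.3-11 bounds the time available to operators by the time to
   drain the 400,000 gallon RWST at the leak rate.
Sample values are transcribed from those tables; function names are this
example's own."""
import math

REFERENCE_DP_PSI = 2230.0          # normalisation differential (Note 2)
PER_EVENT_RATE_PER_HOUR = 9.80e-9  # one event's frequency in Table 3.1.3-10
RWST_GALLONS = 400_000             # RWST inventory (note to Table 3.1.3-11)


def corrected_leak_rate(leak_gpm, dp_psi):
    """Leak rate scaled to a 2,230 psi differential: L * sqrt(2230 / dP).
    Flow through a fixed leak path grows with the square root of the
    pressure differential, so a low pressure test leak is scaled up."""
    if dp_psi <= 0:
        raise ValueError("pressure differential must be positive")
    return leak_gpm * math.sqrt(REFERENCE_DP_PSI / dp_psi)


# (observed gpm, differential psi, corrected gpm as printed), from Table 3.1.3-9
DATABASE_SAMPLE = [
    (0.25, 1830, 0.28),    # Zion 2, accumulator check valve
    (0.33, 180, 1.16),     # Turkey Point 4, 180 psi test pressure
    (10.0, 1375, 12.7),    # McGuire 1, hot standby (Note 3)
    (10.0, 150, 38.6),     # Point Beach, refueling test pressure (Note 4)
    (50.0, 150, 193.0),    # Farley 2, lower bound
    (100.0, 150, 386.0),   # Farley 2, upper bound
    (20.0, 1200, 27.0),    # Davis Besse 1, lower bound (Note 7)
    (200.0, 1750, 226.0),  # Calvert Cliffs 1 (Note 8)
]


def check_database(sample=DATABASE_SAMPLE, tolerance=0.02):
    """Recompute each printed corrected leak rate and return the entries whose
    recomputed value differs by more than the rounding tolerance (2%)."""
    mismatches = []
    for observed, dp, printed in sample:
        recomputed = corrected_leak_rate(observed, dp)
        if abs(recomputed - printed) > tolerance * printed:
            mismatches.append((observed, dp, printed, round(recomputed, 2)))
    return mismatches


# leak rate (gpm) -> number of database events, from Table 3.1.3-10
EVENT_COUNTS = {5.5: 3, 13.0: 7, 22.0: 3, 30.0: 1,
                55.0: 3, 68.0: 1, 226.0: 1, 386.0: 1}


def exceedance_table(counts=EVENT_COUNTS, rate_per_event=PER_EVENT_RATE_PER_HOUR):
    """Return rows (leak_rate, events, frequency_of_occurrence,
    frequency_of_exceedance) in ascending leak rate.  The exceedance
    frequency at a rate counts that rate's events and every larger one."""
    remaining = sum(counts.values())
    rows = []
    for rate in sorted(counts):
        n = counts[rate]
        rows.append((rate, n, n * rate_per_event, remaining * rate_per_event))
        remaining -= n
    return rows


def time_available_hours(leak_gpm):
    """Hours until the RWST is empty at a constant leak rate (Table 3.1.3-11)."""
    if leak_gpm <= 0:
        raise ValueError("leak rate must be positive")
    return RWST_GALLONS / leak_gpm / 60.0


if __name__ == "__main__":
    print("database entries inconsistent with Note 2:", check_database())
    for rate, n, occ, exc in exceedance_table():
        print(f"{rate:6.1f} gpm  events={n}  occurrence={occ:.2e}/h  exceedance={exc:.2e}/h")
    for gpm in (150, 1000, 3000, 9000):
        print(f"{gpm:5d} gpm -> {time_available_hours(gpm):6.2f} h until RWST depletion")
```

Running the block reproduces the printed corrected leak rates to within rounding, the full exceedance column of Table 3.1.3-10 (20 events at the lowest bin give 1.96 × 10^-7 per hour), and the 44 hour and 44 minute bounds at 150 and 9,000 gpm; any database entry whose printed value does not follow from Note 2 is reported by check_database, which is the kind of consistency check worth running on a transcribed event database before it feeds a frequency estimate.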
[Figure 3.1.3-1. GENTRANS Event Tree Structure: the event tree graphic is not recoverable from the extracted text; only the caption survives.]
[Figure 3.1.3-2. GTRECIRC Event Tree Structure: the event tree graphic is not recoverable from the extracted text; only the caption survives.]
[Figure 3.1.3-3. Medium LOCA Event Tree Structure: the event tree graphic is not recoverable from the extracted text; only the caption survives.]
[Event tree structure figure (caption not legible in the extracted text). The partly legible top event legend includes: high head safety injection pumps; cold leg injection paths (1 of 3); quench spray trains A and B; low head safety injection pump trains A and B; LHSI cold leg injection paths (LLOCA); containment sump; operator protects RSS pumps; inside recirc spray train A; outside recirc spray pump trains A and B; containment sump valves for LHSI pumps A and B; automatic/manual actions for cold leg recirculation; transfer to RWST before recirculation fails; containment isolation.]
[Figure 3.1.3-5. SGTR Event Tree Structure: the event tree graphic is not recoverable from the extracted text; only the caption survives.]
[Figure 3.1.3-6. SGTRRECIRC Event Tree Structure: the event tree graphic is not recoverable from the extracted text; only the caption survives.]
[Event tree structure figure (caption not legible in the extracted text). The partly legible top event legend includes: high head safety injection pumps; inside recirc spray train A; HHSI cold leg injection paths; outside recirc spray trains A and B; quench spray trains A and B; containment sump valves for LHSI pumps A and B; low head safety injection pump trains A and B; automatic/manual actions for cold leg recirculation; LHSI cold leg injection paths; containment isolation; containment sump; operator protects RSS pumps.]
Beaver Valley Power Station Unit 1 Revision 0 Probabilistic Risk Assessment

[Figure 3.1.3-8. Bypass Paths from RCS to HHSI, LHSI Pumps and Low Pressure (CL-153) Piping (piping diagram not reproduced)]
[Figure 3.1.3-9. Reliability Block Diagram for Containment Bypass LOCA (blocks: VALVE 1, VALVE 2)]
[Figure 3.1.3-10. Frequency of Check Valve Leakage Events (x axis: check valve leak rate, gpm, 10 to 10,000; y axis: frequency; legend: best fit curve and assumed curve)]
[Figure 3.1.3-11. Probability Distribution for LHSI Piping Failure Pressure (see Reference 3.1.3.6-6). RISKMAN density plot; x axis: Failure Pressure (x 1.0E+2)]
[Figure 3.1.3-12. Containment Bypass LOCA Event Tree Structure (event tree figure not reproduced)]
3.1.4 Special Event Trees

This section presents the event tree top event descriptions and the event trees for the anticipated transient without scram (ATWS) event and a brief discussion of the recovery tree.

3.1.4.1 Frontline Top Event Description for ATWS Tree

For successful ATWS mitigation, certain systems must operate in the early part of the transient. The success criteria for these systems and the assumptions that are made for initial conditions of the reactor at the time of the transient are shown in Table 3.1.2-8. Table 3.1.4-1 lists the top events considered for the mitigation of the ATWS in the ATWS event tree, Figure 3.1.4-1. The ATWSRECIRC event tree (Figure 3.1.4-2) makes up the second part of the ATWS event tree sequence model. Its top events are summarized in Table 3.1.4-2, and the top event descriptions are the same as the SGTRRECIRC descriptions in Section 3.1.3.
- Top Event OT - Operator Actions To Trip the Reactor after a Trip Signal. Following their training, the first action of the operators in the control room after the receipt of a trip signal is to verify that the reactor did indeed trip. If this has not occurred, the next step is to manually trip the reactor. This top event models the actions of the operators only. Hardware that is associated with the opening of the trip breakers or dropping of the control rods is considered next in Top Event RT. Subsequent operator action (Top Event RI) is made dependent on the status of this action.
- Top Event RT - Reactor Trip. This top event models the hardware that is associated with tripping the reactor. The top event is conditional on the failure or success of the previous Top Event OT. If the operators have been successful, then the availability of the solid state protection system (SSPS) is not questioned and only the breakers and the rods are required to function correctly. If the operators have failed, then the reactor trip depends on the signal from the SSPS. In this case, the top event includes the SSPS logic and circuitry in addition to the reactor trip breakers and the control rods.
- Top Event PL - Power Level <40%. This top event evaluates the fraction of the time that the reactor is operating at a power level higher than 40% power. At power levels below 70%, even with no main feedwater (MFW), the reactor coolant system (RCS) pressure will not rise beyond the American Society of Mechanical Engineers Level C service limit criterion (>3,200 psig). Pressures greater than 3,200 psig are assumed to guarantee a break in the RCS boundary. Reference 3.1.2-3 conservatively assumes that at power levels below 40%, the RCS pressure will not exceed 3,200 psig since the ATWS mitigating system actuation circuitry (AMSAC) is activated at all power levels above 40%. The Beaver Valley Unit 1 model also assumes the power level cutoff to be 40%.
- Top Event FA - Main Feedwater. This top event evaluates the availability of the MFW system after the initiating event until the peak RCS pressure has occurred. If MFW remains available, then, for all power levels, boration is required through the normal charging and letdown lines with long-term shutdown cooling. With MFW available, there is no chance that the RCS pressure will exceed 3,200 psig for any reactivity feedback and RCS pressure relief capacity. For continued MFW operation, sufficient relief must be available from the steam generator atmospheric dump valves and the safety relief valves because, according to procedure, the operators will have closed the condenser dump valves.
- Top Event AS - ATWS Mitigating System Actuation Circuitry. This top event questions the availability of the AMSAC to provide redundant signals to trip the main turbine and to actuate the AFW system; i.e., independent of SSPS. AMSAC gets its input from the status of the MFW system and from turbine impulse pressure and is activated at all power levels above 40%. Failure of Top Event AS results in no automatic turbine trip signal.
- Top Event TT - Turbine Trip. This top event questions the availability of a turbine trip after event initiation. Without a reactor trip, a turbine trip is required to occur within 60 seconds after the initiating event. Without a turbine trip, the steam generators will continue to boil off the inventory at the same rate as before, and the heat transfer will reduce drastically after the steam generator tubes are exposed. Failure of turbine trip will result in the RCS pressure rising above the referenced 3,200 psig, possibly resulting in a vessel rupture. For ATWS events, turbine trip failure is conservatively assumed to lead to core melt, due to RCS overpressure, regardless of the response of the pressurizer PORVs and safety valves.

The early turbine trip signals come from the auxiliary contacts on the reactor trip breakers or from AMSAC. If the reactor trip breakers do not open, the only early signal for turbine trip is from the AMSAC. Because of the short time window for this event, no credit is taken for operator actions to manually trip the turbine, or for secondary signals to come in for main steam isolation valve (MSIV) closure from low steam line pressure. For successful turbine trip, two steam stop valves must close or two governor valves must close on both steam supply chests.
- Top Event RI - Manual Rod Insertion. If the reactor fails to trip, the emergency operating procedures (EOP) instruct the operator to manually trip the reactor from the control room and, if this fails, by manually inserting the rods. This top event questions the success of the operator in starting to step in the control rods within the first 1 minute after the event. To limit the peak RCS pressure, at least 1 minute of this action should have been completed at the time the peak pressure is expected. The number of pressurizer valves that is required for RCS pressure relief depends on the status of this top event.
- Top Event AW - Auxiliary Feedwater Actuation. Flow from one AFW pump can provide sufficient makeup for long-term core decay heat removal after the reactor has been shut down. However, during the early stages of an ATWS event, an AFW flow rate greater than 700 gpm is required. For this model, it is assumed that the turbine-driven pump or both motor-driven pumps must actuate and supply water to all three steam generators within 1 minute. (The flow rate through each steam generator is limited to approximately 300 gpm.) For steam generator tube rupture initiated sequences, it is assumed that even the ruptured steam generator would be used initially to mitigate the RCS pressure increase.

AFW will initiate automatically from SSPS on low-low steam generator level, on MFW trip, and through AMSAC on low feedwater flow. Failure to actuate the AFW in time will result in RCS pressure rising to levels above 2,900 psig, where the HHSI pumps are not capable of injecting. The continuously increasing RCS pressure will eventually result in damage to the RCS boundary. The model here assumes that if AFW fails to actuate automatically and MFW is not available, the sequence will result in a high pressure early melt.
- Top Event PA - Primary Relief. This top event represents the availability of pressure relief for the RCS after loss of MFW and failure of the reactor trip. The success of this top event implies that sufficient relief capacity was available for the existing core conditions such that the RCS peak pressure did not exceed 3,200 psig; if this pressure is exceeded, the integrity of the reactor vessel is questioned. The number of required pressurizer valves [power-operated relief valves (PORV) and safety relief valves (SRV)] depends on the moderator temperature coefficient, the status of secondary cooling, and whether manual insertion of control rods was successful. The analysis that is presented in WCAP-11993 (Reference 3.1.2-3) for determining the number of valves for RCS pressure relief was adapted to Beaver Valley Unit 1 by adjusting for valve capacities. The Beaver Valley Unit 1 valve capacities are given in the Beaver Valley Operating Manual (Reference 3.1.4-1) as 345,000 pounds per hour of steam for each SRV and 210,000 pounds per hour of steam for each PORV. The table for the base case (18-month cycle core) is then as follows:

Unfavorable Exposure Days (cumulative), by relief available in addition to three SRVs

Condition                                        Insufficient Relief   Three PORVs   Two PORVs
1. With success of Top Event RI and AFW                  0                 18.9         82.6
2. With failure of Top Event RI and with AFW           110.7               154.8        209.1

For condition one, there are 18.9 days during which relief from more than three SRVs and two PORVs is required, and there are an additional 63.7 days during which relief from more than three SRVs is required. Following these first 82.6 days, relief from three SRVs is sufficient to keep the RCS pressure from exceeding the established limit of 3,200 psig.
For this condition, we will assume that for the first 18.9 days, relief from three SRVs and three PORVs will be required; for the following 63.7 days, relief from three SRVs and two PORVs will be required; and following this period, relief from three SRVs is sufficient for the rest of the fuel cycle. For condition two, for the first 110.7 days, even three PORVs do not provide sufficient overpressure protection. For the next 44.1 days, more than two PORVs are required, and for the following 54.3 days, two PORVs are sufficient. Following this time, relief from three SRVs is sufficient for the rest of the fuel cycle. Using Table B-3 from Reference 3.1.2-3, the following is derived:

- Condition 1: For 18% of the time, three SRVs and three PORVs are required. For 28% of the time, three SRVs and two PORVs are required. For 54% of the time, three SRVs are sufficient (or two SRVs and two PORVs).

- Condition 2: For 48% of the time, there is insufficient RCS relief. For 10% of the time, three SRVs and three PORVs are required. For 12% of the time, three SRVs and two PORVs are required. For 29% of the time, three SRVs are sufficient (or two SRVs and two PORVs).
- Top Event OA - Operator Actions for Emergency Boration. This top event models the operator actions to start emergency boration after the failure of reactor trip following a reactor trip demand. After aligning emergency boration and verifying its success, the operators are required to trip the reactor by deenergizing the motor generator sets. If this action is successful, then emergency boration is no longer required and the operators proceed to cold shutdown in a normal way. For emergency boration, EOP FR-S.1 requires the operator to open the charging flow path CH-FCV122 and to align the source of boration to the charging pumps through any of the following three paths:

A. Open emergency boration isolation valve MOV-1CH-350.

B. Open alternate emergency boration isolation valve 1CH-135 and flow control valve FCV-1CH-113A.

C. Open the boration flow path from the refueling water storage tank (RWST) by opening MOV-1CH-115B and MOV-1CH-115D, and by closing valves MOV-1CH-115C and MOV-1CH-115E.

If the charging flow path through CH-FCV122 is not successful, then the flow path through valves MOV-1RC-556A, B, C and FCV-1CH-160 is considered next. Although the EOP does not specifically call for an alternate flow path in case this second path is not successful, it is obvious that the operator will try to inject the boron into the RCS through the normal safety injection path. For this top event, we will take credit only for this last flow path, as is described in the discussion for Top Events HH and HC in the general transient initiating event tree. If a break has already occurred, then a safety injection will eventually be generated from the containment high pressure input, and operator actions are not required for boration except as recovery actions. For the initial PRA model, manual initiation of emergency boration is assumed to be required.

To allow continuous injection, a relief path must be available, and this has already been questioned in Top Event PA. However, to depressurize the reactor for cold shutdown, at least one of the three PORVs must be manually locked open. This action and the availability of a PORV are included in this top event.
- Top Event VI - Vessel Integrity. This top event evaluates the chance that the vessel ruptures from excessive RCS pressure following failure to trip the turbine or failure of sufficient RCS pressure relief through the pressurizer PORVs and SRVs (i.e., Top Event PA fails). If the vessel does not rupture, then only a small LOCA is assumed. Failure of Top Event VI results in high pressure early melt.

- Top Event HH - High Head Safety Injection, Charging Pumps. Same as for General Transients (see Section 3.1.3).

- Top Event HC - High Head Safety Injection, Flow Path. Same as for General Transients (see Section 3.1.3).

- Top Event PK - All Pressurizer PORVs and SRVs Reseat. After successful boration and reduction of the reactor power level to zero, this top event questions the integrity of the primary boundary. Since the pressurizer relief valves have to open for the initial pressure surge or for establishing the boration path, all of these valves must reseat. If they do not reseat, then long-term high head recirculation is required after the entire RWST has been injected into the core. This event models the reclosure of the pressurizer valves. Failure of Top Event PK is modeled as a small LOCA.
The rest of the top events (Top Events SE through CI described in Tables 3.1.4-1 and 3.1.4-2) are identical to those defined for general transients in Section 3.1.3. Credit for long-term makeup to the RWST, in the event of a failure of recirculation from the sump, is conservatively omitted from consideration in the ATWS tree.

3.1.4.2 Recovery Event Tree

The recovery event tree structure is not presented as a separate figure because it consists of only one top event (i.e., Top Event RE) and just two branches. This special tree is used to assign nonrecovery factors to the frequency of individual sequences through the plant model. The definition of recovery Top Event RE changes depending on the sequence that is being considered. For this initial PRA model, Top Event RE considers the nonrecovery of electric power in those sequences for which emergency AC power is lost. The modeled recovery actions consider the cause of emergency AC power loss, the difficulty in restoring power, and the time available for recovery before core damage becomes inevitable. The electric power recovery models are described in Section 3.3.3.

3.1.4.3 References

3.1.4-1. Duquesne Light Company, "Beaver Valley Power Station Unit 1 Operating Manual, Chapter 6, Section 1."
Table 3.1.4-1. Top Event Names for the GENTRANS Event Tree

Event   Description
OT      Operator Manually Trips Reactor
RT      Automatic/Manual Reactor Trip
PL      Reactor Power Level > 40%
FA      Main Feedwater/Flowpaths ATWS
AS      AMSAC Signal
TT      Turbine Trip
RI      Manual Rod Insertion
AW      Auxiliary Feedwater-ATWS
PA      Primary Pressure Relief ATWS
OA      Operator Initiates Emergency Boration
VI      Vessel Integrity
HH      High Head Safety Injection Pumps
HC      HHSI Cold Leg Injection Paths
PK      PRZR PORV and SRVs Reseat or SGTR
SE      RCP Seal Inj./Thermal Barr. Cooling
Table 3.1.4-2. Top Event Names for the ATWSRECIRC Event Tree

Event   Description
NR      Recirculation From Sump Not Required
NM      No Melt Condition From Injection Phase
QA      Quench Spray Train A
QB      Quench Spray Train B
LA      Low Head Safety Injection Pump Train A
LB      Low Head Safety Injection Pump Train B
LC      LHSI Cold Leg Injection Paths
SM      Containment Sump Plugging
OP      Operator Protects RS Pumps
RS      Inside RS Train A or B
RA      Outside RS Pump/Spray Train A
RB      Outside RS Pump/Spray Train B
VA      Containment Sump Valve For LHSI Pump A
VB      Containment Sump Valve For LHSI Pump B
OR      Auto/Manual Actions For Cold Leg Recirc
HR      LH to HH Cross Tie For Recirc Core Cooling
MU      Makeup To RWST Given Recirc Failure
CI      Containment Isolation
[Figure 3.1.4-1. ATWS Event Tree Structure (event tree figure not reproduced)]
[Figure 3.1.4-2. ATWSRECIRC Event Tree Structure (sequence numbering for top events NR, NM, QA, QB, LA, LB, LC, SM, OP, RS, RA, RB, VA, VB, OR, HR, MU, CI; legend as in Table 3.1.4-2)]
3.1.5 Support System Event Tree

The support system model in this study is used to characterize the response of Beaver Valley Unit 1 support systems following an initiating event. This response is described by event sequences that model various combinations of support system successes and failures. Support systems are those plant systems that do not directly perform the plant mitigating functions in response to a plant transient. Instead, they provide the necessary motive and control power, cooling water, and actuation signals needed for the frontline systems to perform the plant-mitigating functions. However, the distinction between support and frontline systems is not rigorous. The support system event tree model is largely dictated by the dependencies between support systems and by the dependence of frontline systems on specific trains of the support systems. The intersystem dependency tables, which are an intermediate product of the systems analyses, are presented in Section 12.3. The support model event tree structure is displayed in Figure 3.1.5-1. The support tree branches everywhere, so that a very large number of possible support system success and failure state combinations are considered. The top event names are indicated in Table 3.1.5-1. The top events of the support model event tree are defined below.
- Top Event OG - Offsite Grid. This event models the supply of AC power from the 138-kV switchyard following a plant trip. In the event of a loss of offsite power initiating event, which is assumed to result in loss of power from both the 138-kV and 345-kV grids, this event is assumed failed. Loss of power at the 138-kV grid would result in failure of the normal power supply to all of the emergency AC buses.

The DC control power from battery 1-5 that is needed to permit the fast transfer of nonemergency buses 1A and 1D to the system station transformers is modeled in this top event. It is possible to backfeed the emergency buses from the 345-kV switchyard via the unit station service transformers if that grid is available. This action, however, requires substantial time. This action is therefore not considered in the initial PRA model.
- Top Event AO - 4.16-kV and 480V AC Emergency Buses Train A (orange). This event models the supply of AC power at emergency buses 1AE and 1-8 for 24 hours following a plant trip. If power is available from the 138-kV grid (i.e., success of Top Event OG), this event models system station transformer 1A, the 4.16-kV nonemergency bus 1A, and the fast transfer of bus 1A from unit station service transformer 1C to the system station service transformer as one source of power to the emergency switchgear. If this equipment fails, power from emergency diesel generator EE-EG-1 (EDG 1-1) is also modeled. If power is not available from offsite (i.e., Top Event OG fails), then just the power from the EDG is considered. The supply breaker from bus 1A must then open, and EDG 1-1 must start and load. The diesel is required to run for 24 hours. The 125V DC control power needed to start the diesel and the river water from header A needed to cool the diesel are assumed to be available for the purposes of this calculation. These support system dependencies are modeled separately in later top events; i.e., Top Events DO and WA. This top event does, however, include the diesel generator heat exchanger (EE-E-1A), and the valves required to open to supply it (i.e., MOV-RW-113B and check valve RW-111). The manual discharge valve RW-114 is also modeled.
- Top Event BP - 4.16-kV and 480V AC Emergency Buses Train B (purple). This event models the supply of AC power at emergency buses 1DF and 1-9 for 24 hours following a plant trip. If power is available from the 138-kV grid (i.e., success of Top Event OG), this event models system station transformer 1B, the 4.16-kV nonemergency bus 1D, and the fast transfer of bus 1D from unit station service transformer 1D to the system station service transformer as one source of power to the emergency switchgear. If this equipment fails, power from EE-EG-2 (EDG 1-2) is also modeled. If power is not available from offsite (i.e., Top Event OG fails), then just the power from the EDG is considered. The supply breaker from bus 1D must then open, and diesel generator EE-EG-2 must start and load. The diesel is required to run for 24 hours. The 125V DC control power needed to start the diesel and the river water from header B needed to cool the diesel are assumed to be available for the purposes of this calculation. These support system dependencies are modeled separately in later top events; i.e., Top Events DP and WB. This top event does, however, include the diesel generator heat exchanger (EE-E-1B), and the valves required to open to supply it (i.e., MOV-RW-113C and check valve RW-112). The manual discharge valve RW-114 is also modeled.
- Top Event DO - 125V DC Bus 1-1, Train A (orange). This event models the availability of DC control power at DC bus 1-1 for 24 hours following an initiating event. The 4.16-kV bus 1AE supply and feeder breakers require control power from bus 1-1, or they fail as is. In the event that AC power is available from offsite (i.e., success of Top Event OG), success of Top Event DO requires that power be available at bus 1-1 for 24 hours via a battery charger from a motor control center (MCC) supplied by 480V bus 1-8. If AC power from offsite is not available (i.e., Top Event OG fails), but EDG 1-1 is available to supply power to emergency bus 1AE, success of Top Event DO also requires that the battery for DC bus 1-1 be available initially in order to start EDG 1-1. Assuming successful start of the diesel, DC control power must again be supplied for 24 hours via the battery charger. If offsite power is available and EDG 1-1 is unable to supply AC power to 4.16-kV emergency bus 1AE, power at bus 1-1 can only be supplied by the associated battery. Since this battery has the capacity to last only 3.5 hours without recharging or operator intervention to shed loads, success of Top Event DO under these conditions only requires that DC control power be available for 3.5 hours, after which time DC control power is unavailable.
- Top Event DP - 125V DC Bus 1-2, Train B (purple). This event models the availability of DC control power at DC bus 1-2 for 24 hours following an initiating event. The 4.16-kV bus 1DF supply and feeder breakers require control power from bus 1-2, or they fail as is. In the event that AC power is available from offsite (i.e., success of Top Event OG), success of Top Event DP requires that power be available at bus 1-2 for 24 hours via a battery charger from an MCC supplied by 480V bus 1-9. If AC power from offsite is not available (i.e., Top Event OG fails), but EDG 1-2 is available to supply power to emergency bus 1DF, then success of Top Event DP also requires that the battery for DC bus 1-2 be available initially in order to start EDG 1-2. Assuming successful start of the diesel, DC control power must again be supplied for 24 hours via the battery charger. If offsite power is not available and EDG 1-2 is unable to supply AC power to 4.16-kV emergency bus 1DF, then DC power at bus 1-2 can only be supplied by the associated battery. Since this battery has only the capacity to last 3.5 hours without recharging or operator intervention to shed loads, success of Top Event DP under these conditions only requires that DC control power be available for 3.5 hours, after which DC control power is unavailable.
- Top Event D3 - 125V DC Bus 1-3, Train A (orange). This event models the availability of DC control power at DC bus 1-3 for 24 hours following an initiating event. In the event that AC power is available from offsite (i.e., success of Top Event OG), success of Top Event D3 requires that power be available at bus 1-3 for 24 hours via a battery charger from a motor control center (MCC) supplied by 480V bus 1-8. If AC power from offsite is not available (i.e., Top Event OG fails), EDG 1-1 is available to supply power to emergency bus 1AE and the MCC. Assuming successful start of the diesel, DC control power must again be supplied for 24 hours via the battery charger. If offsite power is not available and EDG 1-1 is unable to supply AC power to 4.16-kV emergency bus 1AE, DC power at bus 1-3 can only be supplied by the associated battery. Since this battery has the capacity to last only 8 hours without recharging or operator intervention to shed loads, success of Top Event DO under these conditions only requires that DC control power be available for 8 hours, after which time DC control power is unavailable. Success of Top Event D3 is required in order to start the motor-driven auxiliary feedwater pump FW-P-3A.
- Top Event D4 - 125V DC Bus 1-4, Train B (purple). This event models the availability of DC control power at DC bus 1-4 for 24 hours following an initiating event. In the event that AC power is available from offsite (i.e., success of Top Event OG), success of Top Event D4 requires that power be available at bus 1-4 for 24 hours via a battery charger from an MCC supplied by 480V bus 1-9. If AC power from offsite is not available (i.e., Top Event OG fails), EDG 1-2 is available to supply power to emergency bus 1DF and the MCC. Assuming successful start of the diesel, DC control power must again be supplied for 24 hours via the battery charger. If offsite power is not available and EDG 1-2 is unable to supply AC power to 4.16-kV emergency bus 1DF, then DC power at bus 1-4 can only be supplied by the associated battery. Since this battery has only the capacity to last 8 hours without recharging or operator intervention to shed loads, success of Top Event D4 under these conditions only requires that DC control power be available for 8 hours, after which DC control power is unavailable. Success of Top Event D4 is required in order to start the motor-driven auxiliary feedwater pump FW-P-3B.
- Top Event IR - 120V AC Vital Bus Red. This event models the availability of 120V AC vital bus red; i.e., channel I. Success of this event requires power from one of two sources: 480V AC power from emergency bus 1-8, or DC bus 1-1 through an inverter. If AC power is available, success of this event requires that 120V AC power be available for 24 hours following a plant trip. If 480V AC power is unavailable, success of this event is defined to mean that 120V AC power is available for as long as the batteries last; i.e., about 3.5 hours. Therefore, this event depends on the status of both Top Events AO and DO.
- Top Event IB - 120V AC Vital Bus Blue. This event models the availability of 120V AC vital bus blue; i.e., channel III. Success of this event requires power from one of two sources: 480V AC power from emergency bus 1-8, or DC bus 1-3 through an inverter. If AC power is available, success of this event requires that 120V AC power be available for 24 hours following a plant trip. If 480V AC power is unavailable, success of this event is defined to mean that 120V AC power is available for as long as the batteries last; i.e., about 8 hours. This event depends on the status of both Top Events AO and D3.
- Top Event IW - 120V AC Vital Bus White. This event models the availability of 120V AC vital bus white; i.e., channel II. Success of this event requires power from one of two sources: 480V AC power from emergency bus 1-9, or DC bus 1-2 through an inverter. If AC power is available, success of this event requires that 120V AC power be available for 24 hours following a plant trip. If 480V AC power is unavailable, success of this event is defined to mean that 120V AC power is available for as long as the batteries last; i.e., about 3.5 hours. Therefore, this event depends on the status of both Top Events BP and DP.
- Top Event IY - 120V AC Vital Bus Yellow. This event models the availability of 120V AC vital bus yellow; i.e., channel IV. Success of this event requires power from one of two sources: 480V AC power from emergency bus 1-9, or DC bus 1-4 through an inverter. If AC power is available, success of this event requires that 120V AC power be available for 24 hours following a plant trip. If 480V AC power is unavailable, success of this event is defined to mean that 120V AC power is available for as long as the batteries last; i.e., about 8 hours. This event depends on the status of both Top Events BP and D4.
- Top Event SA - SSPS Actuation Train A (SI, CIA, CIB). This event considers the operability of train A of the solid state protection system (SSPS). Success of this event ensures that the appropriate train A actuation signals are provided to the safeguards equipment. The signals that are required from the SSPS depend on the specific initiating event; e.g., safeguards actuation, main steam isolation valve (MSIV) closure, AFW startup, containment isolation, and containment spray actuation. Failure of Top Event SA implies that the associated emergency core cooling system (ECCS) equipment and containment isolation valves are not actuated. In addition, failure of Top Event SA prevents the associated reactor trip breakers from receiving an automatic trip signal. Major equipment modeled in this top event includes the process and control signal channels (i.e., field transmitters, signal modifiers, and bistables), the SSPS internal cabinet power supplies, SSPS input relays, and SSPS logic train A and the associated master and slave relays.
- Top Event SB - SSPS Actuation Train B (SI, CIA, CIB). This top event is similar to Top Event SA, but involves SSPS train B.
- Top Event OS - Manual Actions for Safety Injection. The operators are asked to verify and actuate safety injection, and to verify operation of certain equipment given a safety injection. These actions are found in the procedures; i.e., E-0. Manual intervention is required whether only one or both trains of SSPS fail, as modeled in the preceding Top Events SA and SB. This event is important if automatic actuation of safety injection has failed upon a demand for it; e.g., for a small loss of coolant accident (LOCA) or a steam line break. Failure of Top Event OS is treated as a failure to both automatically and manually initiate one or more trains of high pressure injection, auxiliary feedwater, and containment isolation following a demand for it. Success of Top Event OS means that the operators have manually actuated HHSI, auxiliary feedwater, and containment isolation. If both trains of SSPS are successful, Top Event OS is guaranteed successful. Different operator error rates are used, depending on the specific initiating event being evaluated; i.e., small LOCA versus large LOCA.
- Top Event BK - Nonemergency 4.16-kV Buses 1G and 1H and 480V Buses 1Q and 1R. This event questions whether AC power is available to 4.16-kV and 480V buses 1G, 1H, 1Q, and 1R for 24 hours following an initiating event. These buses are of interest because they provide power to filtered water pump 1WF-P-2B, which supplies compressor cooling, and to the dedicated auxiliary feedwater pump. In the event that power is not available to the nonemergency buses (i.e., Top Event OG fails), the ERF (black) diesel generator starts and loads. If offsite power is available (i.e., success of Top Event OG), then this event models both the supply of AC power from the 138-kV grid via the emergency response facility (ERF) station transformer and the black diesel generator supply. The DC control power for the black diesel generator, which comes from a separate ERF battery and charger, is also modeled in this top event. In the event that offsite power is lost, the diesel must operate for 24 hours for success of Top Event BK.
- Top Event WA - River Water Header A. This event models the supply of river water to header A following a plant trip. Individual coolers supplied by river water header A (e.g., recirculation spray system heat exchangers, component cooling water (CCR) heat exchangers) are modeled with the respective system served, rather than being included here. Success of Top Event WA requires that the flow from either river water pump WR-P-1A or auxiliary river water pump WR-P-9A provides adequate flow to header A. This event models the operator actions to start pump 9A and to supply header A with a train B pump (WR-P-1B and WR-P-9B) if both are available. Swing pump WR-P-1C can also be aligned for flow to header A. However, the manual action to align this pump for service to a particular header is not included in the analysis of Top Event WA. It may be considered as a recovery action for particular sequences in which the appropriate operator response is better defined; i.e., without regard to the specific sequence, it is unclear whether the swing pump should be aligned to header A or to header B and whether there is sufficient time to align it. Therefore, the actions for loss of river water / normal intake structure to restore river water (i.e., to align the backup pump or to cross-connect to Unit 2 service water or a diesel fire pump) are all considered as recovery actions rather than being considered here. If a CIB signal is present, then the valves to the RSS coolers, for the purposes of evaluating Top Event WA, are assumed to be opened for containment spray. For flow from one pump still to be sufficient, either valve RW-MOV-106A or RW-MOV-114A must close to eliminate header A flow to the CCR. If Top Event WA fails following a loss of offsite power, cooling for diesel generator EG-1 is lost. Success of Top Event WA implies that sufficient flow is provided to river water header A to supply all of its loads for 24 hours.
- Top Event WB - River Water Header B. This event models the supply of river water to header B following a plant trip. Individual coolers supplied by river water header B (e.g., recirculation spray coolers and CCR heat exchangers) are modeled with the respective system served, rather than included here. Success of Top Event WB requires that the flow from either river water pump WR-P-1B or auxiliary river water pump WR-P-9B provides adequate flow to header B. This event models the operator actions to start pump 9B and to supply header B with a train A pump (WR-P-1A and WR-P-9A) if both are available. Swing pump WR-P-1C can also be aligned for flow to header B. However, the manual action to align this pump for service to a particular header is not included in the analysis of Top Event WB. It may be considered as a recovery action for particular sequences in which the appropriate operator response is better defined; i.e., without regard to the specific sequence, it is unclear whether the swing pump should be aligned to header A or to header B and whether there is sufficient time to align it. Therefore, the actions for loss of river water / normal intake structure to restore river water (i.e., to align the backup pump or to cross-connect to Unit 2 service water or a diesel fire pump) are all considered as recovery actions. If a CIB signal is present, then the valves to the RSS coolers, for the purposes of evaluating Top Event WB, are assumed to be opened for containment spray. For flow from one pump still to be sufficient, either valve RW-MOV-106A or RW-MOV-114A must close to eliminate header B flow to the CCR system. If Top Event WB fails following a loss of offsite power, cooling water to diesel generator EG-2 is lost. Success of Top Event WB implies that sufficient flow is provided to river water header B to supply all of its loads for 24 hours.
- Top Event CT - Turbine Plant Component Cooling. This event models equipment needed to provide cooling to the station air compressors, containment air compressors, and main feed and condensate pumps for 24 hours after a plant trip. Failure of this top event implies that cooling water to air compressors and main feedwater pumps is unavailable. In addition to CCT (turbine plant component cooling water), this event models the turbine plant river water (river water) system, which provides the heat sink for CCT, and the nonemergency power from the offsite grid to power the CCT and river water pumps. Therefore, given success of Top Event OG, the model for Top Event CT includes the system station service transformers and nonemergency 4.16-kV buses 1A and/or 1D that are needed to power the CCT and river water pumps. The top events that model the 4.16-kV emergency buses (i.e., Top Events AO and BP) also include the nonemergency equipment (e.g., system station service transformers) that provides power to these buses from offsite. Consequently, if one of the emergency AC buses is unavailable, the corresponding nonemergency buses that feed from the same station service transformer are also conservatively assumed to be unavailable; i.e., for power to be available to the CCT pumps, Top Events OG, AO, and BP must all be successful.
- Top Event CC - Reactor Plant Component Cooling Water to Both Headers A and B. This event models the availability of the CCR for the 24-hour period following a plant trip. Major pieces of equipment included in the model are the three CCR pumps and the three CCR heat exchangers. Success of this event implies that at least one CCR pump operates to supply water through at least one heat exchanger cooled by river water. Under extreme conditions, when all components require cooling water and the river water temperature is at its maximum, two of the three CCR pumps may be necessary. However, since this occurs only infrequently and the system is only marginally degraded, for the purposes of the PRA model, one pump is always assumed to be sufficient to provide cooling for the RCP thermal barrier coolers and the residual heat removal system heat exchangers. The individual cooling water loads (i.e., including the cooler and its inlet and outlet isolation valves) are modeled separately with the system served by CCR; e.g., cooling to the individual RCP thermal barrier coolers is modeled in frontline Top Event SE, which considers all forms of RCP seal cooling. The CCR system is normally operating. AC power to the CCR pumps is supplied from stub buses that are shed on a CIB signal. This is included in the model as a failure of Top Event CC. No credit is given to recovery of CC. This may be considered in the recovery analyses, as appropriate.
- Top Event IA - Station Instrument Air System. This event models the equipment needed to provide station instrument air for a 24-hour period following a plant trip. Failure of this top event implies that station instrument air is unavailable to all of the air-operated equipment supplied by the instrument air system; e.g., the reactor coolant pump thermal barrier cooling supply from CCR, the feedwater valves, the condenser dump valves, the MSIVs, and the crosstie to the containment instrument air system. Major equipment modeled in this event includes the station air compressors and the filtered water system as backup cooling to the compressors. The station air compressors normally require cooling water from CCT; i.e., Top Event CT. However, filtered water can be aligned to the compressors for cooling, and filtered water pump WF-P-2B is powered by the black diesel generator. Success of Top Event IA requires successful operation of one of two normally aligned compressors, or manual start of the third standby compressor from the Control Room, or manual start of the diesel air compressor locally. For loss of offsite power or CCT, the model allows the operator to start the diesel compressor within 1 hour (local actions required). The thermal barrier isolation valves must re-open in Top Event TB for successful cooling of RCPs.
- Top Event IC - Containment Instrument Air. This event models the equipment needed to provide containment instrument air for a 24-hour period following a plant trip. Failure of this top event implies that containment instrument air is unavailable to the air-operated equipment supplied by the system. In particular, compressed air would then be unavailable to the RCP thermal barrier cooling isolation valves in the CCR system, and to the air-operated inboard containment isolation valves. Major pieces of equipment included in this top event model are the containment instrument air compressors and the chilled water system which cools the compressors. One of two compressors is required for top event success. Failure of chilled water is modeled as failure of Top Event IC. Since the overtemperature trip must be reset locally inside containment, aligning river water to cool the compressors is not modeled. Recovery of containment air (Top Event IA) is modeled in Top Event TB.
- Top Event RW - RWST Availability. This event models the availability of water in the RWST. The RWST must contain the minimum inventory allowed by technical specifications; i.e., 441,000 gallons. Success of this event implies that a source of water exists for LHSI, HHSI, and OS. Proper RWST water temperature is also required by plant technical specifications, which maintain the water between 45°F and 55°F. A cooling water system is provided to maintain this temperature range. Heat tracing is provided to keep level transmitter lines from freezing. However, neither of these subsystems is modeled explicitly. Even assuming that these systems fail at the time of plant trip, the temperature is not expected to drift sufficiently to prohibit use of the RWST as a water source. Temperature indications and surveillance requirements are also expected to minimize the possibility of getting into any problems. Historical events related to freezing of RWST suction lines in cold weather at other plants are very unlikely at Beaver Valley Unit 1 due to the temperature indications and surveillance requirements imposed; e.g., the heat tracing panel is checked every day.
- Top Event VL - VCT Switchover to RWST. This event models the successful opening of check valve SI-27. This check valve is common to the suction of all three HHSI pumps from the RWST. Also, opening of the RWST MOVs (CH-115B and D) and closure of the VCT MOVs (CH-115C and E) are included in the model. This equipment failure is modeled separately from the rest of the HHSI system because its failure would prevent HHSI for cold leg injection, but would not prevent RCP seal injection unless there was a switchover of HHSI pump suction from the VCT to the RWST. Failure of Top Event VL along with the conditions for switchover of the VCT to the RWST is modeled as failing both HHSI cold leg injection and RCP seal injection. Subsequent RCP seal injection would be precluded even, for example, if the safety injection signal were later reset.
- Top Event TB - RCP Thermal Barrier Cooling. RCP thermal barrier cooling requires success of CCR, modeled in support system Top Event CC, and also that the CCR thermal barrier isolation valves (TV-1CC-107A, 107B, and 107C) remain open. Containment instrument air supplies these three valves, which fail closed on loss of air. Loss of vital instrument bus I or II (i.e., red or white) fails thermal barrier cooling because loss of either bus causes a spurious high flow signal to close the thermal barrier isolation valves. In addition, a CIB signal or loss of an emergency 125V DC bus or instrument air causes the CCR containment isolation valves supplying the RCP thermal barriers to fail closed in the model. The system model for Top Event TB does consider recovery actions to reestablish thermal barrier cooling when the containment instrument air system fails, by cross-connecting containment instrument air to station instrument air. The present model does not consider recovery when a CIB signal occurs, by resetting the signal, realigning river water to CCR, restarting CCR, and aligning AC power to CCR and to the containment instrument air compressors, etc.
[Figure 3.1.5-1. Support System Event Tree Structure]
Table 3.1.5-1. Top Event Names for Support Event Tree

| Event | Description |
|---|---|
| OG | Offsite Grid |
| AO | Emergency AC Orange |
| BP | Emergency AC Purple |
| DO | Emergency DC Orange |
| DP | Emergency DC Purple |
| D3 | Emergency DC Orange |
| D4 | Emergency DC Purple |
| IR | Vital Bus I Red |
| IB | Vital Bus II Blue |
| IW | Vital Bus III White |
| IY | Vital Bus IV Yellow |
| SA | SSPS Train A |
| SB | SSPS Train B |
| OS | Operator Initiates SI |
| BK | ERF Black Diesel |
| WA | River Water Header A |
| WB | River Water Header B |
| CT | Turbine Plant Component Cooling |
| CC | Reactor Plant Component Cooling |
| IA | Station Instrument Air |
| IC | Containment Instrument Air |
| RW | Refueling Water Storage Tank |
| VL | VCT Switchover to RWST |
| TB | RCP Thermal Barrier Cooling |
3.1.6 Sequence Grouping and Back-end Interfaces (Plant Damage States)

To complete the accident sequence models, each sequence through the linked event trees is assigned to an end state; i.e., to success or core damage. In past PRAs, core damage sequences were further subdivided into plant damage states. The plant damage states were defined in such a way that all core damage sequences assigned to a single plant damage state would be modeled the same in the Level 2 containment event tree quantification. For core damage sequences, the parameters of interest for Level 2 analysis are the RCS pressure at the time of vessel failure, the availability of steam generator cooling, the transfer of RWST inventory to the containment, containment isolation or bypass, the availability of containment heat removal, and the availability of containment spray. The process of developing these relatively finely divided plant damage states specifically for Beaver Valley Unit 1 is described in Section 4.3. The number of plant damage states of interest for Level 2 analyses is large; i.e., more than 100 plant damage states are defined in Section 4.3. The frequencies of all of the plant damage states could be computed by RISKMAN as part of the Level 1 analysis. However, it was found to be more convenient to quantify the Level 2 containment event tree by physically linking it to the Level 1 event trees and then quantifying the entire accident sequence frequencies from initiator to release category. The grouping of Level 1 sequences into fine plant damage states then becomes unnecessary because, by directly linking the trees, the containment event tree branch probabilities can be made dependent on any or all of the top events in the Level 1 event trees.
It was judged appropriate, however, to group the core damage sequences whose frequencies are computed in the Level 1 analysis for purposes of presentation and understanding. A much coarser grouping of core damage sequences than that represented by the plant damage states was selected for these purposes. Four parameters were selected to define the Level 1 coarse plant damage states: RCS pressure at the time of core damage; containment isolation status; the size of the opening, if not isolated; and, if the containment isolates successfully, the status of containment heat removal. The coarse plant damage states are illustrated in Table 3.1.6-1. The four ranges of RCS pressure were selected to be compatible with the plant damage states defined in Section 4.3. RCS pressure at core damage is a partial measure of the threat to the containment later in the accident. The five different containment states were chosen because, prior to considering additional containment failure modes in the containment tree, they define categories of core damage sequences with roughly similar radiological release.
The assignment of core damage sequences to the coarse plant damage states is performed by specifying logic rules in terms of the successes and failures of top events in the event trees. With these rules, RISKMAN can then evaluate each sequence through the plant model and assign it to one of the sequence groupings listed in Table 3.1.6-1. The thinking behind these logic rules is now described. The rules themselves may be examined in Reference 3.1.6-1. Rules for identifying sequences not resulting in core damage (i.e., successes) are first explained. The frontline event tree structures have all asked the containment isolation question, Top Event CI, as the last event in the sequence. In developing the event trees, if the sequence did not result in core damage, there was no branch drawn under Top Event CI. Therefore, most of the success sequences are easily seen to be those in which there is no branch at Top Event CI. For those sequences in which the last top event in the last event tree used is recovery Top Event RE, the success paths are also success sequences. All other sequences, whether ending in Top Event CI or Top Event RE, result in core damage. RCS pressure is low (i.e., less than 200 psia) at the time of core damage for excessive, large, and medium size LOCA initiating events; i.e., LOCAs greater than 2 inches in diameter. RCS pressure is also assumed to be low for ATWS events in which vessel integrity is lost due to inadequate pressure relief and for interfacing system LOCA events. All other core damage sequences are at higher RCS pressure at the time of core damage. The logic for assigning core damage sequences to medium, high, or system setpoint RCS pressure at the time of core damage, given that it is not assigned to low RCS pressure, is illustrated in Table 3.1.6-2 for sequences with successful reactor trip. For ATWS sequences resulting in core damage, but in which vessel integrity is maintained, system pressure is assumed at the system setpoint if steam generator cooling fails and at high RCS pressure otherwise. Steam generator cooling is successful if either the auxiliary feedwater or main feedwater system operates successfully and emergency switchgear ventilation is successful. For sequences in which main feedwater is initially isolated, operator action to restore main feedwater must also be successful to provide steam generator cooling with main feedwater. For sequences in which steam generator cooling is initially available, but there is a loss of emergency switchgear ventilation, the vital instrument buses and 125V DC buses may eventually overheat and fail; steam generator cooling is then assumed to be lost. The resulting core damage sequences for these cases are assumed not to have steam generator cooling at the time of vessel breach. The containment may be bypassed for two initiating event categories: steam generator tube ruptures and interfacing system LOCAs; i.e., V-sequences. All V-sequences are currently assigned to the large bypass grouping. Steam generator tube rupture sequences that result in core damage are assigned to the small containment bypass grouping if a secondary valve in the ruptured steam generator fails open and RCS leakage continues through the secondary side to the environment. Containment isolation is successful if Top Event CI is successful. The containment has a small leak (i.e., less than 3 inches in diameter) and is included in the small bypass grouping if Top Event CI fails and Top Event SE fails. Such sequences represent a bypass via the failed RCP seals and through the unisolated seal return line. Containment isolation failures resulting in large leak areas (i.e., greater than 3 inches in diameter) have not yet been identified for Beaver Valley Unit 1. For core damage sequences in which the containment is isolated and not bypassed, the status of containment heat removal is established. Containment heat removal is successful whenever recirculation spray operates. In addition, containment heat removal can be provided by operation of RS pump trains A and B in the vessel injection mode. By suitably combining the parameters described above, each core damage sequence is assigned to one, and only one, coarse plant damage state indicated in Table 3.1.6-1. Later, in Section 3.3, a description is provided of how the frequencies of coarse plant damage states and the total core melt frequency are computed.
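The sequence grouping rules described above, written out as an added example that is not part of the PRA or of RISKMAN: it assigns a core damage sequence to one coarse plant damage state of Table 3.1.6-1 from the top event outcomes the text names. The field names, the initiator category labels, and the reading of Table 3.1.6-2's columns (steam generator cooling, RCS leak path, HHSI, cooldown) are assumptions.

```python
# Added example (not from the Beaver Valley PRA): the coarse plant damage state
# assignment of Section 3.1.6 as explicit logic rules. Field names, initiator
# labels and the reading of Table 3.1.6-2's columns are assumptions.
from dataclasses import dataclass
from typing import Optional

# LOCAs greater than 2 inches in diameter: excessive, large, medium (assumed labels)
LOW_PRESSURE_LOCAS = {"ELOCA", "LLOCA", "MLOCA"}


@dataclass
class Sequence:
    initiator: str                  # "LLOCA", "SLOCA", "SGTR", "ISLOCA", "TRANS", "ATWS", ...
    ci_branch: Optional[bool]       # None: no branch drawn under CI; True/False: CI success/failure
    re_success: bool = False        # sequence ends at recovery Top Event RE on a success path
    vessel_intact: bool = True      # ATWS only: vessel integrity maintained
    sg_cooling: bool = True         # AFW or MFW operating and switchgear ventilation successful
    hhsi: bool = True               # high head safety injection available
    rcs_leak: str = "none"          # "none", "seals", "porv_or_sg" (Table 3.1.6-2 leak path)
    cooldown: bool = False          # Table 3.1.6-2 cooldown column (assumed secondary cooldown)
    se_success: bool = True         # Top Event SE (RCP seal integrity)
    sgtr_valve_open: bool = False   # SGTR: secondary valve in ruptured SG fails open
    heat_removal: bool = False      # recirculation spray, or RS trains A and B in vessel injection


def is_success(seq: Sequence) -> bool:
    """Success: no branch under Top Event CI, or a success path ending at Top Event RE."""
    return seq.ci_branch is None or seq.re_success


def rcs_pressure(seq: Sequence) -> str:
    """RCS pressure range at the time of core damage: LO, MD, HI or SY."""
    if seq.initiator in LOW_PRESSURE_LOCAS or seq.initiator == "ISLOCA":
        return "LO"
    if seq.initiator == "ATWS":
        if not seq.vessel_intact:
            return "LO"              # vessel integrity lost from inadequate pressure relief
        return "SY" if not seq.sg_cooling else "HI"
    # Successful reactor trip: rows of Table 3.1.6-2 (column reading assumed)
    if seq.sg_cooling:
        return "MD" if (seq.hhsi and seq.cooldown) else "HI"
    if seq.hhsi or seq.rcs_leak == "porv_or_sg":
        return "HI"
    return "SY"                      # no SG cooling, no HHSI, no PORV/ruptured SG opening


def containment_state(seq: Sequence) -> str:
    """Containment column of Table 3.1.6-1: SBYP, LBYP, NISO, WCHR or NOHR."""
    if seq.initiator == "ISLOCA":
        return "LBYP"                # all V-sequences go to the large bypass grouping
    if seq.initiator == "SGTR" and seq.sgtr_valve_open:
        return "SBYP"                # leakage continues through the secondary side
    if seq.ci_branch is False:
        # CI failed; failed RCP seals with an unisolated seal return line are a small bypass
        return "SBYP" if not seq.se_success else "NISO"
    return "WCHR" if seq.heat_removal else "NOHR"


def plant_damage_state(seq: Sequence) -> str:
    """Return 'SUCCESS' or a Table 3.1.6-1 code such as 'LONOHR' or 'SYSBYP'."""
    if is_success(seq):
        return "SUCCESS"
    return rcs_pressure(seq) + containment_state(seq)
```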
References

3.1.6-1. "Beaver Valley Unit 1 Probabilistic Risk Assessment," Appendix D, Sequence Quantification, July 1992.
Table 3.1.6-1. Level 1 Sequence Groupings

| RCS Pressure at Core Damage | Containment Bypassed: Small (SBYP) | Containment Bypassed: Large (LBYP) | Containment Not Isolated (NISO) | Containment Isolated: With Heat Removal (WCHR) | Containment Isolated: No Heat Removal (NOHR) |
|---|---|---|---|---|---|
| Low (LO) (0-200 psia) | LOSBYP | LOLBYP | LONISO | LOWCHR | LONOHR |
| Medium (MD) (200-600 psia) | MDSBYP | - | MDNISO | MDWCHR | MDNOHR |
| High (HI) (600-2,000 psia) | HISBYP | - | HINISO | HIWCHR | HINOHR |
| System Setpoint (SY) (>2,000 psia) | SYSBYP | - | SYNISO | SYWCHR | SYNOHR |
Table 3.1.6-2. Assignment of RCS Pressure at the Time of Core Damage for Sequences with Reactor Trip Successful

| Steam Generator Cooling Available | (column heading not recoverable) | HHSI Available | Cooldown | RCS Pressure at Core Damage |
|---|---|---|---|---|
| Yes | RCP Seals only | Yes | Yes | Medium |
| Yes | RCP Seals only | Yes | No | High |
| Yes | RCP Seals only | No | Yes | High |
| Yes | RCP Seals only | No | No | High |
| Yes | Pressurizer PORV or Ruptured Steam Generator(1) | Yes | Yes | Medium |
| Yes | Pressurizer PORV or Ruptured Steam Generator(1) | Yes | No | High |
| Yes | Pressurizer PORV or Ruptured Steam Generator(1) | No | Yes | High |
| Yes | Pressurizer PORV or Ruptured Steam Generator(1) | No | No | High |
| No | None | No(2) | No(3) | System Setpoint(4) |
| No | RCP Seals only | No(2) | No(3) | System Setpoint |
| No | Pressurizer PORV or Ruptured Steam Generator(1) | No(2) | No(3) | High |
| No | N/A | Yes(5) | No(3) | High |

(1) The ruptured steam generator is not isolated, so that leakage of reactor coolant through the secondary side to the environment occurs. HHSI is considered unavailable in the long term for such circumstances if it is initially successful but makeup to the RWST is not provided.
(2) Bleed and feed cooling unsuccessful.
(3) No secondary depressurization possible if steam generator cooling unsuccessful.
(4) At or above the pressurizer PORV setpoint.
(5) Bleed and feed cooling successful.
3.2 SYSTEMS ANALYSIS

3.2.0 SYSTEMS ANALYSIS METHODOLOGY

The determination of the split fractions for each system in the plant event trees is done by a process called systems analysis. This task assesses the likelihood that a system will fail to meet its functional success criteria as defined by the plant response event tree models. System failures may result from independent or dependent equipment hardware failures, human error, or from combinations of equipment failures, human errors, maintenance actions, and testing activities. Specific system failures may affect the availability of other systems (e.g., support system failures), or they may directly affect the ability to mitigate the consequences of accidents or transient events; e.g., frontline system failures. The systems analysis defines physical and functional dependencies among the systems and is used in constructing the plant event tree models. The logical structure of the event trees, in turn, defines scenario-specific success criteria for system performance and boundary conditions within which the system is required to operate. Therefore, the systems analysis task provides:
- Engineering knowledge about the plant systems needed to develop the plant risk model; i.e., dependency matrices and event tree models.
- Input for quantification of the integrated plant event tree models; i.e., failure frequency of each system top event split fraction for specified boundary conditions.
1 Note that a frontline system directly maintains the reactor core or containment protection safety functions. The support systems provide suppori functions, such as motive power, O
\ control power, actuation signal, cooling water. Sc., for the frontline and/or other support systems.
This section describes the approach used in developing systems analyses for this study. Because the systems in a plant differ greatly from each other, the analyses of different systems have different detailed formats. Nevertheless, all of the systems analyses conform to the same analysis structure and contain the same essential elements.

3.2.0.1 Scope of Systems Analysis

It is important to recognize that the system models developed in these analyses include only those components necessary to quantify system unavailability for the split fraction boundary conditions of this study. The level of detail in modeling subcomponents is consistent with the best available equipment data. For example, the models for motor-operated valves do not specifically identify individual motor circuit breakers, torque switches, and limit switches because the best available data for valve failures include all subcomponents of the valve assembly and its motor operator. Similarly, relay models do not separately identify individual contact failures, and electronic circuit models are developed only to the level of replaceable modules or major circuit boards.

The boundaries of certain systems may also be redefined slightly from normal engineering and design descriptions to facilitate efficient model integration. For example, the support system event tree model includes the top event that evaluates the unavailability of the reactor plant component cooling water (CCR) system. This system provides cooling to various components. To efficiently model the effects from failure of CCR, the analysis of this system includes only those components that are common to all equipment cooled by CCR. Failures of individual CCR valves branching off from the common headers are included with the failure frequency distributions for the equipment cooled by CCR. Without this simplification, the support system event tree model would require considerably more system top events, since the additional valves are not common to all components cooled by this system. This modeling treatment does not affect the estimate of system unavailability in its use for providing a good estimate of the frequencies of the various plant damage states. However, analysts must be aware of this division if they attempt to separately evaluate system unavailability outside the context of this study. Because of their broad effects and interrelationships among several components, these modeling boundary divisions are most often redefined in PRAs for support systems. The boundaries and scope of frontline system models are generally the same as those found in plant system engineering descriptions.

Electrical boundaries for mechanical and fluid systems are generally made between the bus or panel containing the supply circuit breaker and the supply breaker itself. Failure modes involving the circuit breaker are included as a part of the failure rates for the component being supplied. The boundaries between actuated systems and the solid state protection system (SSPS) are made at the point where the commonality ends. For example, a relay that is common to the actuation of several systems is modeled as part of SSPS, and the successive relays are modeled as parts of the actuated systems.

The boundaries between cooling water systems and the systems that they support are made so that the cooling water system analysis includes all components needed for support of more than one other system. Generally, this includes pumps, headers, and header isolation valves. Failure of cooling water system components that support only one other system is included in the analysis of the supported system. Examples of these components are branch lines to individual cooling loads, cooling load isolation valves, and individual load cooling coils. However, piping or valve failures that might disable an entire train of a support system or impact more than one analyzed system are included in the cooling system analysis.

Each system analysis contains all major components required for system success as defined by the event tree system split fractions. The contribution to system unavailability from common cause dependent failures is treated by the multiple Greek letter (MGL) method for each system analysis, according to the general methodology described in Reference 3.2.0-1. The database used for quantification of the system models includes generic failure rate and maintenance data and common cause parameters that have been screened for Beaver Valley Unit 1. The plant-specific operating and test procedures were reviewed during the systems analysis task. Human errors during testing that could contribute to system unavailability are included in the system models when considered significant.

3.2.0.2 Systems Analysis Approach

The systems analysis approach described in this section involves the methodology associated with modeling in the RISKMAN format (Reference 3.2.0-2).

3.2.0.2.1 Qualitative Systems Analysis
3.2.0.2.1.1 System Familiarization and Documentation: A good engineering knowledge of plant systems is an integral and essential element of a PRA for an operating nuclear power plant. The systems analysis is designed to integrate this knowledge with the plant model development and quantification process. The first step in the systems analysis is the collection of applicable documentation. The documents include the UFSAR system descriptions, plant procedures (maintenance, test, operations), and drawings; e.g., electrical schematics, logic drawings, and flow diagrams. These documents are used in the systems analysis as well as in the development of the plant event sequence models.

During the plant familiarization task, the plant response to various initiating events is used to select systems for possible further analysis. The systems screening process encompasses all systems at Beaver Valley Unit 1. It determines the response of each system to normal and transient operating conditions. The combinations of all possible system successes and failures characterize the possible responses of the plant to initiating events. One result of the initial screening was a categorization of each system as either a "support" system or a "frontline" system. Each system was also classified as to whether further analysis was required. Those systems considered important to risk were analyzed in detail. After the systems screening, a summary is developed for each of these selected systems. These summaries briefly describe the system and generally include:
1. System Function
2. System Success Criteria
3. Support Systems Required for System To Perform Function
4. Systems Supported
5. System Operation and Special Features Including Test/Maintenance and Recovery Considerations
6. Technical Specification Requirements
7. Surveillance Test Requirements
8. System Diagram
9. References
10. Modeling Assumptions

The purpose of this system summary is to help the analyst document how the system works, how it is tested, how it is maintained, how it can be misaligned, etc. The first section, System Function, provides a general discussion of the system functions to be considered in the analysis. Some systems may have many functions. Each function is listed here since this aids in understanding intersystem dependencies, one of the most difficult aspects of system analysis. System interdependencies are also established by careful enumeration of the support systems required, in the third section of the summary.
The second section of the system summary contains the system success criteria. In general, the system success criteria for this study are derived from the UFSAR. In the case of exceptions where UFSAR criteria are not directly applicable or are unrealistically conservative, success criteria are developed by application of engineering judgment based on documented analyses and previous probabilistic risk assessments using similar success criteria.

The third section lists the support systems required for the system to perform its functions. Variations in support system requirements for different system functions, if applicable, are listed in this section. All system dependencies on AC or DC power, actuation signals, ventilation, cooling for heat exchangers, etc., are included in this section.

The fourth section lists the systems supported by this system.

The fifth section outlines information about system operation and special features. Included in this section are special operating configurations, system actions, interlocks, and manual actions required for the system to perform its function. System actions involve normal and automatic operations. Normal system lineup during plant power operation is indicated. Which equipment is normally running and how the system is designed to respond automatically to emergency actuation signals is explained. Manual actions that must be performed for the system to achieve the designated success criteria are also described. This section includes descriptions of how the system alignment changes during testing, the frequency and approximate duration of each test, and the possible system misalignments that could go undetected following tests. This section also describes maintenance that is performed on the system, including maintenance alignments and potential misalignments following maintenance. Maintenance frequencies and durations are generated as part of the data analysis. Recovery considerations such as alarms and indications, abnormal procedures, and any possible operator recovery actions are also described.

The sixth and seventh sections list applicable technical specification and surveillance test requirements, including limiting conditions for operation (LCO). The eighth section provides a system diagram or references the system drawings in the UFSAR. The ninth section lists the references used in the system analysis. The tenth section lists important assumptions related to the system.

3.2.0.2.1.2 Definitions for Quantitative Analysis: Once the system information is documented and the event sequence diagram developed, the next step is to define the top event split fractions for the quantitative systems analysis. The split fraction definitions identify the success criteria for each system under a specific set of boundary conditions. These definitions include the major components (or systems) required to operate, the operating mission time, and the support systems available. The grouping of system equipment within each top event is performed in the support and frontline event tree development task. The event tree top events model the effects from system and subsystem successes and failures. These provide efficient event logic models for the plant response to various initiating events and also preserve all important physical and functional dependencies among the plant systems. Scenario-specific boundary conditions may affect the number of available components or the detailed success criteria for a system. These effects are evaluated by defining one or more conditional split fractions under each top event. Top event success criteria and quantification boundary conditions are determined and provided as input to the systems analysis.
Some systems and/or components of a system may be included in more than one top event. When this is done, the event tree models and split fraction success criteria are carefully structured to avoid double counting or asking if a system or piece of equipment is failed when a prior split fraction has already analyzed the failure. This structuring is done by carefully partitioning parts of the system into different split fractions (i.e., usually by train) or by evaluating the system for different time periods and ensuring that failure in a prior period logically results in failure at a later time. In some cases, only portions of a system are included in the top event split fractions. In other cases, independent parts of a system are assigned to different split fractions. Furthermore, some of the systems included in this study perform multiple functions. The event tree analysis defines the specific functions modeled for each system. Some general modeling assumptions that are applicable to most system models follow:
- The important plant systems are assumed to be operated and maintained in accordance with the plant technical specifications except for explicitly modeled system misalignments and maintenance errors.
- A mission time of 24 hours is assumed for most systems. This provides a sufficient time base on which accident progression can be measured, and provides a realistic and consistent time in which outside actions could be started to prevent later (after 24 hours) core damage.
- Other systems are assumed to be operated and maintained in accordance with the current, written operating and maintenance procedures.
- Pipe breaks are considered in the model only if the break by itself can fail the system. Additional pipe breaks are considered in the internal flooding analysis (see Section 3.3.8).
- Vents and drains are not modeled for flow diversion because of their small leak sizes and because they are normally closed.
- Relief valve leakage or premature opening is only considered if it is deemed possible to divert sufficient flow to defeat the train or system.
- Common cause failures are assumed to exist and are modeled for the components and failure modes listed in Table 3.2.0-1, when the failure mode is applicable. The common cause failure contributions to system failures were quantified using the multiple Greek letter method, as defined and explained in Reference 3.2.0-2. The treatment of common cause failures is generally consistent with NUREG/CR-4780.
3.2.0.2.2 Logic Model Development: Using the system summaries and top event success criteria, the systems analysts then develop the system logic models. The logic model relates a system output state, such as a system success or failure, to combinations of more basic events, such as component states.

3.2.0.2.2.1 Reliability Block Diagram and Component Table: A piping and instrumentation diagram or schematic diagram, such as an elementary electrical drawing, is used as a basis for constructing the block diagram. The block diagram portrays the "success paths" of the system. These paths are combinations of component success states that enable successful functioning of the system. The success paths, which carry the same logical information as a listing of the minimal cutsets, provide the basis for calculating system unavailability.
In general, a block diagram showing the success logic for the normal system alignment is prepared for each top event. Figure 3.2.0-1 gives an example of a block diagram for Top Event RS. Major system components included in each block of the block diagram are listed in the block component description table. Table 3.2.0-2 is an example of the component table for Top Event RS. For each component, the postulated failure modes, the support systems needed for the component to perform its function, the actuated position of the component while performing its function, the initial component state prior to the initiating event, and the position that the component fails to on loss of support are listed. The failure mode designations have been standardized, so the same failure mode is given the same designation in all of the systems analyses. Each failure mode designator corresponds to a database variable. The construction of the block component description table links the plant-specific data table to the systems models. The level of detail in the models is dictated by the level of detail in the database. The designator and failure frequency distribution for the failure of a pump to run, for example, include the pump, pump motor, coupling, and controls. The level of detail in the system model therefore should be at the pump level, not at the level of the pump motor, pump packing gland, pump rotor, etc. The interrelationship between data and model requires that the systems analyst be knowledgeable about the data and data requirements in order to match the component failure modes and data to the model.

3.2.0.2.2.2 Fault Tree Models: Fault tree models of each system top event are constructed to provide the logic structure for deriving the algebraic unavailability equations that are used to quantify the top event split fractions. The development of the fault trees is based on the block diagrams and converts the success logic of the block diagrams to failure logic. Fault trees serve three purposes: (1) to provide a cross check of the model logic, (2) to provide an analysis format that can be easily reviewed, and (3) to allow the generation of minimal cutsets to be used by RISKMAN to develop algebraic equations. Basic events associated with common cause failures are added to the fault trees prior to Boolean reduction in accordance with NUREG/CR-4780.

The basic event designators used in the fault trees have been standardized according to the naming convention presented in Figure 3.2.0-2. Up to 16 characters may be used in each basic event designator. In all cases, the first two characters represent the type of component being modeled, and the next two characters represent the failure mode modeled for that component. The remaining 12 characters are available for including the I.D. for the component as shown on the VOND (Valve Operating Number Diagram). Some components do not use all 12 characters.

The minimal cutsets are determined by using the RISKMAN code (Reference 3.2.0-2). The fault trees, developed to the component level, are the primary input to RISKMAN. Figure 3.2.0-3 gives an example of a component level fault tree for Top Event RS. Table 3.2.0-3 lists the fault tree basic events with a description of what each basic event represents.

3.2.0.2.2.3 Common Cause Modeling: To incorporate common cause events into the systems analysis, the analyst must understand the factors that determine the dependence or independence among the components of the system. Such factors include how groups of components are used, the extent of their diversity (if any), the physical proximity or separation of redundant components, and the susceptibilities of system components to varied environmental stresses. Similarity in design, manufacture, and type among components of different trains implies the existence of strong dependencies. On the other hand, common cause effects would not be expected for dissimilar equipment. To account for these factors, the analyst must identify those components in the system that will be included in or eliminated from the common cause analysis and categorize common cause groups of components for systems of interest. A common cause group is a group of components having a significant likelihood of experiencing one or more common cause events affecting two or more components in that group. Based on experience in evaluating operating data, the following guidelines are developed to help assign component groups:
- When identical, nondiverse, and active components are used to provide redundancy, they should be considered for assignment to common cause groups, one group for each identical redundant component.
- When identical, nondiverse, and active components are present in the system, the probability of common cause events linking diverse components in the system can always be assumed to be negligible.
- When diverse redundant components have parts that are identically redundant, the components should not be assumed to be fully independent. (One approach is to break down the component boundaries and identify the parts as a common cause component group.)
- When each redundant leg of a system contains one or more active components, the contributions due to both independent and common cause events involving passive components are generally insignificant in the calculation of system unavailability.
- In redundant systems in which no identical active components or parts can be identified, no common cause grouping can be attempted.
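As an added illustration (not code from this PRA or from RISKMAN) of the common cause treatment these guidelines feed into, the Python below expands one failure mode of a common cause group into independent and common cause basic events using the non-staggered-testing multiple Greek letter relations of NUREG/CR-4780, then sums the minimal cutsets for failure of every component in the group. The component identifiers, the total failure probability, and the β and γ values are constructed placeholders, not Beaver Valley data.

```python
"""Multiple Greek letter (MGL) expansion of one common cause group.

Added example, not code from the Beaver Valley PRA or RISKMAN.  Basic event
probabilities follow the non-staggered-testing MGL relations of NUREG/CR-4780:

    Q_k = (1 / C(m-1, k-1)) * (rho_1 * ... * rho_k) * (1 - rho_(k+1)) * Q_t

with rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta, rho_(m+1) = 0,
Q_t the total failure probability of one component for the failure mode, and
Q_k the probability of a basic event that fails exactly k specific components.
All numerical values below are constructed placeholders.
"""
from itertools import combinations
from math import comb, prod
from typing import Dict, FrozenSet, Sequence


def mgl_basic_event_probabilities(q_total: float, greek: Sequence[float], m: int) -> Dict[int, float]:
    """Return {k: Q_k} for k = 1..m for a group of m identical components."""
    if len(greek) < m - 1:
        raise ValueError(f"group of {m} needs {m - 1} Greek letters (beta, gamma, ...)")
    # rho[0] = rho_1 = 1, rho[1] = beta, ..., rho[m] = rho_(m+1) = 0
    rho = [1.0] + list(greek[: m - 1]) + [0.0]
    return {
        k: prod(rho[:k]) * (1.0 - rho[k]) * q_total / comb(m - 1, k - 1)
        for k in range(1, m + 1)
    }


def expand_common_cause_group(components: Sequence[str], q_total: float,
                              greek: Sequence[float]) -> Dict[FrozenSet[str], float]:
    """Expand one failure mode of the group into basic events: singletons are the
    independent failures (Q_1); every larger subset is the common cause event that
    fails exactly those components together (Q_k with k = subset size)."""
    m = len(components)
    q = mgl_basic_event_probabilities(q_total, greek, m)
    return {frozenset(c): q[k] for k in range(1, m + 1) for c in combinations(components, k)}


def component_total(events: Dict[FrozenSet[str], float], component: str) -> float:
    """Total failure probability of one component (every basic event that includes
    it).  Should reproduce Q_t; a consistency check on the expansion."""
    return sum(p for s, p in events.items() if component in s)


def all_fail_frequency(events: Dict[FrozenSet[str], float], components: Sequence[str]) -> float:
    """Rare-event sum over the minimal cutsets of 'every component in the group
    fails'.  A minimal cutset is a set of basic events that together cover all
    components and from which no event can be dropped without losing coverage;
    a minimal cover of m components never needs more than m events."""
    target = frozenset(components)
    items = list(events.items())
    total = 0.0
    for n in range(1, len(components) + 1):
        for chosen in combinations(items, n):
            sets = [s for s, _ in chosen]
            if frozenset().union(*sets) != target:
                continue
            minimal = all(frozenset().union(*(sets[:i] + sets[i + 1:])) != target
                          for i in range(n))
            if minimal:
                total += prod(p for _, p in chosen)
    return total


# --- constructed example: three identical standby pumps, fail-to-start mode ---
PUMPS = ("PUMP-A", "PUMP-B", "PUMP-C")   # constructed identifiers, not plant equipment
Q_TOTAL = 1.0e-3                         # constructed total fail-to-start probability per pump
BETA, GAMMA = 0.1, 0.5                   # constructed MGL parameters


def three_pump_example() -> Dict[str, float]:
    events = expand_common_cause_group(PUMPS, Q_TOTAL, (BETA, GAMMA))
    return {
        "all_three_fail": all_fail_frequency(events, PUMPS),
        # what the result would be if the three failures were treated as independent
        "independent_only": prod(events[frozenset({p})] for p in PUMPS),
        "check_component_total": component_total(events, PUMPS[0]),
    }


if __name__ == "__main__":
    expanded = expand_common_cause_group(PUMPS, Q_TOTAL, (BETA, GAMMA))
    for s, p in sorted(expanded.items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(f"{'+'.join(sorted(s)):24s} {p:.3e}")
    print(three_pump_example())
```

With these placeholder parameters the common cause term dominates: failure of all three pumps comes out near 5.0e-5, against 7.3e-10 if the three were independent.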
The outcome of this part of the analysis is a list of the various groups of similar components that are judged to be subject to common cause failures. It should be noted that, due to practical limitations, not all of the possible ways that similar components within a system can be grouped for common cause analysis may be modeled. Once the common cause groups have been determined, the groups are entered as input to the RISKMAN code. Table 3.2.0-4 is a list of the common cause basic events for Top Event RS. RISKMAN then expands the component failures to include all possible common cause combinations within a common cause group and adds these common cause failures to the fault tree input file.

3.2.0.2.3 Algebraic Model Development

3.2.0.2.3.1 Unavailability Causes and Boundary Conditions: Having developed the logic model, the next step is to convert the logic model into an algebraic model in parameters that can be quantified. The logic model discussed in the previous section was only developed for the normal alignment case. The initial conditions for the normal alignment assume that no equipment is unavailable due to test or maintenance at the time of the initiating event and that all support systems are available. However, when the system is under maintenance conditions or test alignments, the equipment may be functionally unavailable due to system configuration changes, such as valve position changes. Therefore, in addition to the component failure modes of the system identified in the logic model development task, the analyst must also identify all the important causes for the unavailability of components in the system. These include:

- Functional Unavailability due to Lack of Required Support.
- Independent and Dependent Hardware Failures. These random failures include undetected failures while in standby, failures on demand, and failures during operation.
- Test and Maintenance. System unavailability may change when test or maintenance is in progress. Since technical specifications do not allow systems with redundant trains to be disabled during test and maintenance, additional failures must occur for the system to fail.
- Human Errors. System misalignments may occur due to errors of omission and commission.
The first cause (i.e., component unavailability due to degraded support states) is accounted for by the use of boundary conditions and the conditional split fractions technique in the event tree quantification. For each Top Event T, the unavailability, F(T), can be expressed as

$$F(T) = \sum_{i=1}^{m} F(B_i)\, F(T \mid B_i)$$

where

$F(B_i)$ = frequency of the ith set of boundary conditions,

$F(T \mid B_i)$ = conditional split fraction for Top Event T, given boundary condition set $B_i$, and

$$\sum_{i=1}^{m} F(B_i) = 1.0$$

Since the integration of boundary conditions and conditional split fractions is performed in the event tree quantification process, systems analysts need only evaluate each top event split fraction under a specific set of boundary conditions; i.e., $F(T \mid B_i)$. Table 3.2.0-5 is an example of the boundary condition file for Top Event RS, with a key added to identify the events used to represent support system trains. These events appear in the fault tree input file and are represented in the graphical fault tree as "house" events. These house events are either successful or failed, as shown by the boundary condition file, and do not appear in the equations for the top event split fractions.

3.2.0.2.3.2 System Alignments: For the remaining causes of unavailability, the algebraic model must combine their contributions in accordance with how the system is designed and operated. If there are no dependencies as to how these unavailability contributions may be combined, the algebraic equations may be directly enumerated from the Boolean analysis of the logic model. However, when plant procedures are being followed, certain combinations of unavailability causes cannot coexist. The technical specifications disallow the coexistence of maintenance or test activities on redundant components. To correctly model these dependencies, one approach uses the coexistence dependencies to define a complete and mutually exclusive set of system alignments or initial conditions; i.e., the different possible states that the system might occupy at the time of the initiating event or system demand. In general, the following alignments are considered in the development of algebraic models:
- Normal Alignment
- Test Alignments
- Maintenance Alignments
- Misalignments
The system can be in only one of these alignments at any given time. Thus, the contribution to the system failure frequency from a specific alignment is the conditional system failure frequency, given that the system is in that alignment, multiplied by the fraction of time that the system is in that alignment.

Consider this example. System X is tested monthly. The test takes 1 hour to perform. The system failure frequency while in this test is X|T1 (read as the conditional failure frequency of system X, given test alignment T1). The contribution to the overall system failure frequency due to this test, XT1, is given by

XT1 = (fraction of time in T1) · X|T1
    = (frequency of T1) · (average duration of T1) · X|T1
    = (1 test / 720 hours) · (1 hour) · X|T1
    = (1/720) · X|T1

Each split fraction is quantified by summing the contributions from the various alignments for the system. An algebraic expression is developed for each alignment based on the minimal cutsets for that alignment. Each minimal cutset frequency is determined by solving algebraic equations for the basic events and multiplying them together. For simplicity, the frequency of a basic event is also represented by the basic event designator in the algebraic model. For example, the frequency of basic event PMSSRSP1A is simply indicated as PMSSRSP1A, the notation of its Boolean designator. The frequency of each minimal cutset is the product of the frequencies of the basic events making up the cutset. Therefore, the frequency of minimal cutset (PMSSRSP1A, PMSSRSP1B) is PMSSRSP1A · PMSSRSP1B. Since each minimal cutset is a means of failing the system while in a particular alignment, the sum of the minimal cutset frequencies for an alignment is the failure frequency of that alignment. Table 3.2.0-6 shows the alignments modeled for Top Event RS and the effects on the system of those alignments. For example, the MAINT1 alignment corresponds to the guaranteed failure of basic event PMSSRSP1A, which represents the start failure mode of pump RS-P-1A. Alignment MAINT1 is the system alignment when pump RS-P-1A is in maintenance and is unavailable for service. The equations that are used to calculate the fraction of time that the system is in each of the alignments are presented in Table 3.2.0-7 for Top Event RS.

3.2.0.2.3.2.1 Normal Alignment: In the normal alignment, no components are out of service for maintenance, and no tests are in progress. For a standby system or an infrequently operated system, the normal alignment is the alignment that the system is in most of the time. It is from this alignment that the system is reconfigured to other alignments, and it is to this alignment that the system is returned after test or maintenance. To develop the algebraic equation for this alignment, the algebraic equation for the failure frequency of each of the minimal cutsets for the normal alignment is developed, and then all are added together.
3.2.0.2.3.2.2 Test Alignments: When a system is taken out of its normal alignment for a test, the minimal cutsets for system failure are often changed. For some tests, the system failure frequency is reduced while being tested, such as when a standby system is actuated for an operability test. The system is therefore in the alignment needed to perform its function during the test. In these cases, no credit is taken for the test alignment. The fraction of time spent in such tests is conservatively modeled as if the system were in the normal alignment. Other tests increase the system failure frequency during the test. An example of this is when one train of a two-train system is placed in a recirculation mode, preventing that train from performing its function. In these cases, the minimal cutsets for the test alignment can be generated from a fault tree that is modified from the normal alignment fault tree, the frequency and duration of testing can be determined, and the equations for the contribution to system failure can then be written. Assume that the above recirculation test is performed once every T hours on each train and that the mean duration of the test is τ hours. The system failure occurs when one train is being tested and the other train fails. The fraction of time of being in this test alignment is 2τ/T. All tests on analyzed systems and their alignments are considered in the systems analysis, but only those judged to be significant are explicitly modeled.

3.2.0.2.3.2.3 Maintenance Alignments: Scheduled and unscheduled maintenance on system components can affect the system failure frequency in much the same way as testing. When components are removed from service for maintenance, trains are often made inoperable, redundancy is reduced, and functions can be defeated, all of which impact the system failure frequency. Maintenance on all major components that is possible with the reactor at power and is allowed by the plant technical specifications is considered. The general approach to determine the contribution of maintenance is to modify the logic models for each maintenance alignment, and then to determine the new minimal cutsets. These are converted into algebraic equations expressing the contribution of each alignment to the system failure frequency, given that the system is in the maintenance alignment being considered. Each of these equations is then multiplied by the fraction of time that the system can be expected to be in the given alignment. These equations are summed to obtain the total contribution due to maintenance.

3.2.0.2.3.2.4 Misalignments: Misalignments are generally caused by human error. Improper restoration of the system after testing or maintenance is the most common type of misalignment. Misalignment can also result from errors in calibration that leave the system or components within the system inoperable. Misalignments, as considered in this study, do not always imply a violation of the technical specifications. System alignments that are less than optimal, but allowed by technical specifications, fall into this category. The approach to analyzing misalignments is similar to that for testing or maintenance alignments. Possible misalignments that could reasonably occur are postulated, and their impacts on the logic models and minimal cutsets are determined. Equations are then written for the system failure frequency that is applicable when in the misalignment mode. The frequency of being in each misalignment is determined by researching the operation, maintenance, and test procedures for operator interaction with the system. The duration of being in each misalignment is determined by analyzing the checks, tests, and operator interactions that would detect the misalignment and the intervals between them.
3.2.0.2.3.3 Basic Event Frequency and Component Unavailability: The split fraction frequency is the sum of the alignment failure frequencies; the alignment failure frequencies are the sums of the minimal cutset frequencies; and the minimal cutset frequencies are, in turn, the products of the basic event frequencies, the building blocks of the analysis. The basic event frequencies are determined by identifying the failure modes for the components making up the basic events and by assigning failure rates to those failure modes based on industry and plant-specific failure information. The failure modes and frequencies used in this study are listed in the data analysis section.

The calculation of component unavailability can be explained by evaluating the failure modes of three example components. For a standby pump to be unavailable for an emergency mission, it may fail to start on demand or fail during operation. For a normally closed, motor-operated valve to be unavailable to pass flow, it may fail to open on demand or fail to remain open during the mission time. For a normally open, motor-operated valve to be unavailable to pass flow, it may fail to remain open during the emergency mission time or during the period between the previous test and the initiating event. The unavailability of these three components can then be modeled as

$Q_P$ = standby pump unavailability (pump must start and run for $t_M$ hours):
$Q_P = q_P + \lambda_P t_M$

$Q_C$ = normally closed MOV unavailability (valve must open and remain open for $t_M$ hours):
$Q_C = q_V + \lambda_V t_M$

$Q_O$ = normally open MOV unavailability (valve must be open and remain open for $t_M$ hours):
$Q_O = \frac{\lambda_V T_T}{2} + \lambda_V t_M$

where

$q_P$ = demand failure rate for pump; failures to start per demand.
$q_V$ = demand failure rate for MOV; failures to open per demand.
$\lambda_P$ = operating failure rate for pump; failures per operating hour.

Note: $\lambda t$ is an approximation for the exact expression $1 - e^{-\lambda t}$.
$\lambda_V$ = transfer-closed failure rate for MOV; failures per operating hour.
$T_T$ = system flow test interval; hours.
$t_M$ = system mission time; hours.

3.2.0.2.3.4 Multiple Top Events for Redundant Trains in a Single System: In the analysis of many systems, redundant trains of a system are modeled in a single top event. However, to provide better train-dependency tracking in the event tree models, certain plant systems with redundant trains are modeled by multiple top events. This section describes the approach used to develop the algebraic equations for conditional split fractions with consideration of dependencies, such as technical specifications and common cause failures, across these top events.

Consider the event tree for a typical two-train system with associated Top Events A and B, as shown in Figure 3.2.0-4. The conditional split fractions that can be used directly in event tree quantification are denoted by S1, S2, and S3. For example, conditional split fraction S3 represents the failure frequency of train B given that train A has failed. The sequence frequencies of this event tree are denoted by f1, f2, f3, and f4. To express the split fractions in terms of train and system unavailabilities, consider the frequency of each sequence:

$f_1 = (1 - S_1)(1 - S_2) = 1 - [P(A) + P(B)] + P(AB)$
$f_2 = (1 - S_1) S_2 = P(B) - P(AB)$
$f_3 = S_1 (1 - S_3) = P(A) - P(AB)$
$f_4 = S_1 S_3 = P(AB)$

where

$P(A)$ = the unavailability of train A due to all causes (and likewise $P(B)$ for train B).
$P(AB)$ = the unavailability of both trains A and B, i.e., the probability of system failure.

The above train and system unavailabilities include common cause contributions, and the system unavailability takes into account the technical specification dependency. Solving for split fractions S1, S2, and S3, we have

$S_1 = P(A)$
$S_2 = \frac{P(B) - P(AB)}{1 - P(A)}$
$S_3 = \frac{P(AB)}{P(A)}$

The expressions for the conditional split fractions derived above are applicable to any two-train system top events. If trains A and B are completely symmetrical, $P(A)$ is equal to $P(B)$, and the split fraction expressions become

$S_1 = P(A)$
$S_2 = \frac{P(A) - P(AB)}{1 - P(A)}$
$S_3 = \frac{P(AB)}{P(A)}$

3.2.0.2.3.5 Modeling of Initiating Event Frequency: In addition to developing and quantifying split fractions in the systems analysis task, certain initiating event frequencies are also evaluated when generic or plant-specific data on initiating event frequency are not available. The logic models developed for the all-support-systems-available split fractions are applicable to the initiating event frequency analyses. The quantification of the minimal cutsets, however, differs significantly for the initiating events. Each minimal cutset is quantified by first identifying one of the basic events as the event that first disturbs the system from normal operation. The failure frequency per hour for this event is then determined, and the failure frequency of the remaining events within the minimal cutset is evaluated conditional on the occurrence of the first event. This process is repeated for all of the important cutsets and for each system alignment. The results are then summed to yield the total failure frequency for the initiating event. For systems with a normally operating train and a standby train, the basic events involving the operating train are identified as the first failures to disturb the system. For cases with multiple trains normally operating, any of the basic events could first disturb the system; therefore, each basic event is chosen, in turn, to be the first failure. The time required for operation of components after the first failure is the actual repair time for the first failure.

3.2.0.2.4 Split Fraction Equations and RISKMAN Implementation

3.2.0.2.4.1 Split Fraction Equations: In summary, the first step in analyzing system failure for each top event split fraction is to identify all important unavailability causes for the system components in the fault tree.
The fault tree provides the logic structure for evaluating system failure; i.e., it identifies the logic combinations of component failure modes that are necessary and sufficient to prevent the system from meeting its success criteria. Using the fault trees as the basic logic framework, the systems analysts then convert fault trees to fault tree input files using RISKMAN. RISKMAN generates a set of basic cutsets from the fault tree input. These basic cutsets are reduced using the initial conditions and boundary conditions to produce a set of minimal cutsets for each of the system alignments. The minimal cutsets are then converted into equations that can be used to quantify each of the system split fractions. A separate group of cutsets and a separate set of equations are generated for each alignment that is considered significant. The alignment contributions are summed to give the total for a particular split fraction. The basic equations generated by RISKMAN are expressed in cutsets that are, in turn, made up of basic events from the fault tree input. These basic events must be related to failure designators from the database. RISKMAN allows the system analyst to provide the database designator that applies to each basic event, and adds these equations to the bottom of the equation file.

3.2.0.2.4.2 RISKMAN Implementation: All of the system equations are managed and quantified by the RISKMAN computer code. The equation files in RISKMAN contain the algebraic equations for all of the top event split fractions. The cause table files list the identified cutsets in tabular format with their associated frequencies, to clearly display the quantitative effect of each cutset within a specific alignment. The designators for the top event split fractions in RISKMAN consist of three characters; e.g., CC1 for the reactor plant component cooling water system. Designators used in the equations are limited to no more than six characters and must begin with a letter. The top event split fractions are quantified using component failure data, maintenance frequency and duration data, human error rates, and common cause parameter data stored in the RISKMAN file DBF.RM3. RISKMAN uses the Monte Carlo technique to combine the discrete probability distributions for the database elements modeled in each split fraction equation. This results in a mean or point estimate value and a discrete probability distribution for the conditional unavailability of each split fraction. The mean or point estimate values are used initially to quantify the support and frontline event trees. Subsequently, the discrete probability distribution for each split fraction is used in the plant model uncertainty analysis for the identified important sequences.

An equation and cause table file is used by RISKMAN for each system. The format of the equation and cause table permits a detailed unraveling of the contributors to system unavailability. The system designator (e.g., CCR for the reactor plant component cooling water system) and the system name are used by RISKMAN to locate an equation set for display or quantification. For example, split fraction CC1 is filed under Top Event CC within the reactor plant component cooling water system file. A simplified schematic of the RISKMAN file structure is presented in Figure 3.2.0-5. The system designators (e.g., CCR) are located in input file SYS.RM3. The top event designators (e.g., CC) are located in the file called TOP.RM3. The equations and cause tables for each top event split fraction for the primary component cooling water system are contained in the CCR.EQS and CCR.CTS files, respectively.

An abbreviated cause table for split fraction RS1 is presented in Table 3.2.0-8. Only the top 20 or so cutsets within each alignment are shown in this cause table. Split fraction RS1 represents the "all support available" boundary condition. Tables 3.2.0-3 and 3.2.0-4 can be used to decipher the cutsets in the cause table. For example, the highest frequency cutset in the normal alignment is PMS. According to Table 3.2.0-4, PMS represents the common cause failure of the two events PMSSRSP1A and PMSSRSP1B. Table 3.2.0-3 shows that events PMSSRSP1A and PMSSRSP1B represent the failure of pumps RS-P-1A and RS-P-1B to start. In a similar manner, any of the cutsets for any of the split fractions can be related to both specific components and failure modes.

It must be emphasized that the systems analysis methodology outlined in the preceding paragraphs provides a set of general guidelines for the systems analysis task. Each system summary, equation set, and cause table follows these general guidelines. Individual analyses may not have all of these elements documented in the same style or detail. Some systems may have greater detail in the equations to provide more clarity. These variations in model structure are expected, depending on the system configuration and split fraction quantification requirements. However, analysis input to RISKMAN must adhere to the rules listed in Reference 3.2.0-2.

3.2.0.3 Assignment of Systems for Analysis

As discussed in the preceding section, an initial step in systems analysis is plant familiarization and the definition of split fractions. The preceding discussion also describes the approach used in the Beaver Valley Unit 1 PRA to make these system assignments. Table 3.2.0-9 presents a list of the systems modeled in the Beaver Valley Unit 1 PRA.

3.2.0.4 References

3.2.0-1 Pickard, Lowe and Garrick, Inc., "PRA Procedures for Dependent Events Analysis, Volume II: System Level Analysis," prepared for Electric Power Research Institute, PLG-0453, December 1985.

3.2.0-2 Pickard, Lowe and Garrick, Inc., "RISKMAN PRA Workstation Software, User Manual II: Systems Analysis," Release 3.0, Proprietary, November 1989.
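As an added worked example, not code from the Beaver Valley PRA report or from RISKMAN, the following Python evaluates the component unavailability formulas of Section 3.2.0.2.3.3 and the two-train conditional split fraction expressions of Section 3.2.0.2.3.4, and checks that the four sequence frequencies recover the train and system unavailabilities and sum to one. Every rate, interval and unavailability value in it is constructed for illustration, as is the train layout in symmetric_train_example (a standby pump in series with one normally closed and one normally open MOV); none of it is plant data.

```python
"""Component unavailability and two-train conditional split fractions.

Added example; not code from the Beaver Valley PRA or from RISKMAN.
The formulas follow Sections 3.2.0.2.3.3 and 3.2.0.2.3.4 of the report;
all numeric inputs below are constructed for illustration.
"""
import math


def standby_pump_unavailability(q_p, lambda_p, t_m):
    """Q_P = q_P + lambda_P * t_M: the pump fails to start on demand,
    or starts and then fails during the t_M hour mission."""
    return q_p + lambda_p * t_m


def nc_mov_unavailability(q_v, lambda_v, t_m):
    """Q_C = q_V + lambda_V * t_M for a normally closed MOV that must open on
    demand and remain open for the mission."""
    return q_v + lambda_v * t_m


def no_mov_unavailability(lambda_v, t_t, t_m):
    """Q_O = lambda_V * T_T / 2 + lambda_V * t_M for a normally open MOV.

    The first term is the time-averaged probability that the valve has
    transferred closed, undetected, since the last flow test (interval T_T
    hours); the second term covers the mission itself."""
    return lambda_v * t_t / 2.0 + lambda_v * t_m


def linear_approximation_error(lam, t):
    """Absolute error of the lambda*t approximation against 1 - exp(-lambda*t),
    the exact expression the report notes it stands in for."""
    return lam * t - (1.0 - math.exp(-lam * t))


def split_fractions(p_a, p_b, p_ab):
    """Conditional split fractions for two-train Top Events A and B.

    p_a, p_b : unavailability of each train due to all causes
    p_ab     : unavailability of both trains (system failure), including
               common cause and technical specification dependencies.
    Returns (S1, S2, S3) = (P(A fails), P(B fails | A up), P(B fails | A down))."""
    if not 0.0 < p_a < 1.0 or p_ab > min(p_a, p_b):
        raise ValueError("inconsistent train/system unavailabilities")
    s1 = p_a
    s2 = (p_b - p_ab) / (1.0 - p_a)
    s3 = p_ab / p_a
    return s1, s2, s3


def sequence_frequencies(s1, s2, s3):
    """f1..f4 of the event tree in Figure 3.2.0-4 evaluated from the split
    fractions; f2 must equal P(B) - P(AB), f3 = P(A) - P(AB), f4 = P(AB)."""
    f1 = (1.0 - s1) * (1.0 - s2)
    f2 = (1.0 - s1) * s2
    f3 = s1 * (1.0 - s3)
    f4 = s1 * s3
    return f1, f2, f3, f4


def symmetric_train_example(q_p, lambda_p, q_v, lambda_v, t_t, t_m, p_cc):
    """Constructed case: each train is a standby pump in series with a normally
    closed discharge MOV and a normally open suction MOV, and the two trains
    are symmetrical. p_cc is a constructed common cause contribution added to
    the independent double failure to form P(AB)."""
    q_train = 1.0 - (1.0 - standby_pump_unavailability(q_p, lambda_p, t_m)) \
                  * (1.0 - nc_mov_unavailability(q_v, lambda_v, t_m)) \
                  * (1.0 - no_mov_unavailability(lambda_v, t_t, t_m))
    p_ab = q_train * q_train + p_cc
    return q_train, p_ab, split_fractions(q_train, q_train, p_ab)


if __name__ == "__main__":
    # Constructed inputs: 24 h mission, 720 h (monthly) flow test interval.
    q_train, p_ab, (s1, s2, s3) = symmetric_train_example(
        q_p=1.0e-3, lambda_p=3.0e-5, q_v=2.0e-3, lambda_v=1.0e-6,
        t_t=720.0, t_m=24.0, p_cc=2.0e-4)
    print(f"train unavailability P(A)=P(B) = {q_train:.4e}")
    print(f"system unavailability P(AB)   = {p_ab:.4e}")
    print(f"S1={s1:.4e}  S2={s2:.4e}  S3={s3:.4e}")
    print("sequence frequencies f1..f4:", sequence_frequencies(s1, s2, s3))
```

The check in split_fractions rejects a system unavailability larger than either train's, which is the inconsistency most often introduced when P(AB) is taken from a separately quantified system-level top event and the train values from another source.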
Table 3.2.0-1. Common Cause Failures Typically Modeled

Component                Failure Mode
Pump                     Fails To Start
Pump                     Fails during Operation
Diesel Generator         Fails To Start
Diesel Generator         Fails during Operation
Ventilation Fan          Fails To Start
Ventilation Fan          Fails during Operation
Motor-Operated Valve     Fails To Open on Demand
Motor-Operated Valve     Fails To Close on Demand
Air-Operated Valve       Fails To Open on Demand
Air-Operated Valve       Fails To Close on Demand
Check Valve              Fails To Open on Demand
Solenoid Valve           Fails To Open on Demand
Solenoid Valve           Fails To Close on Demand
Air Compressor           Fails To Start
Air Compressor           Fails during Operation
Air Conditioning Unit    Fails To Start
Air Conditioning Unit    Fails during Operation
Circuit Breaker          Fails To Open on Demand
Circuit Breaker          Fails To Close on Demand
Table 3.2.0-2. Component Table for Top Event RS

[Table body not recoverable from the extraction. Columns: Mark No., Component Code, Block, Description, Failure Mode, Initial State, Actuated State, Support (with the CIB train where applicable). The table covers, for inside and outside recirculation spray trains A and B: the recirculation spray pumps (RS-P-1A and RS-P-1B inside; RS-P-2A and RS-P-2B outside), the recirculation spray heat exchangers RS-E-1A through RS-E-1D, the river water inlet and outlet MOVs and inlet check valves for each heat exchanger, the river water expansion joints, the pump discharge isolation MOVs and check valves, and the spray nozzle headers 1A through 1D.]
Table 3.2.0-3. Fault Tree Basic Events for Top Event RS

Basic Event / Description / Value

CVFORW193 - CHECK VALVE RW-193 FAILS TO OPEN (CVFORW193 is replaced in Common Cause Group CVD)
[CVFORW193] - Common Cause: Group CVD, 1/2 - (1-(ZBVCOD))*(ZTVCOD) = 7.9039E-05
CVFORW195 - CHECK VALVE RW-195 FAILS TO OPEN (CVFORW195 is replaced in Common Cause Group CVD)
[CVFORW195] - Common Cause: Group CVD, 1/2 - (1-(ZBVCOD))*(ZTVCOD) = 7.9039E-05
HXRPRSE1A - RECIRC SPRAY HEAT EXCHANGER RS-E-1A RUPTURES - ZTHXRB*@T1 = 4.6631E-05
HXRPRSE1B - RECIRC SPRAY HEAT EXCHANGER RS-E-1B RUPTURES - ZTHXRB*@T1 = 4.6631E-05
MVXCMOVRW104A - RIVER WATER INLET MOV RW-104A TRANSFERS CLOSED - ZTVMOT*@T4 = 3.4406E-04
MVXCMOVRW104B - RIVER WATER INLET MOV RW-104B TRANSFERS CLOSED - ZTVMOT*@T4 = 3.4406E-04
MVXCMOVRW105A - RIVER WATER OUTLET MOV RW-105A TRANSFERS CLOSED - ZTVMOT*@T4 = 3.4406E-04
MVXCMOVRW105B - RIVER WATER OUTLET MOV RW-105B TRANSFERS CLOSED - ZTVMOT*@T4 = 3.4406E-04
PMSRRSP1A - INSIDE RECIR. PUMP RS-P-1A FAILS TO RUN (PMSRRSP1A is replaced in Common Cause Group PMR)
[PMSRRSP1A] - Common Cause: Group PMR, 1/2 - (1-(ZBPMLR))*(ZTPMER*@T1) = 8.1244E-04
PMSRRSP1B - INSIDE RECIR. PUMP RS-P-1B FAILS TO RUN (PMSRRSP1B is replaced in Common Cause Group PMR)
[PMSRRSP1B] - Common Cause: Group PMR, 1/2 - (1-(ZBPMLR))*(ZTPMER*@T1) = 8.1244E-04
PMSSRSP1A - INSIDE RECIR. PUMP RS-P-1A FAILS TO START (PMSSRSP1A is replaced in Common Cause Group PMS)
[PMSSRSP1A] - Common Cause: Group PMS, 1/2 - (1-(ZBPMLS))*(ZTPMES) = 1.7808E-03
PMSSRSP1B - INSIDE RECIR. PUMP RS-P-1B FAILS TO START (PMSSRSP1B is replaced in Common Cause Group PMS)
[PMSSRSP1B] - Common Cause: Group PMS, 1/2 - (1-(ZBPMLS))*(ZTPMES) = 1.7808E-03
SNPLRS1A - INSIDE RECIRCULATION SPRAY HEADER 1A NOZZLES PLUGGED - ZTSPNP*@T1 = 1.6944E-06
SNPLRS1B - INSIDE RECIRCULATION SPRAY HEADER 1B NOZZLES PLUGGED - ZTSPNP*@T1 = 1.6944E-06
XJRPREJ7 - RW EXPANSION JOINT REJ-7 RUPTURE - ZTPP2B*@T1 = 2.0640E-07
XXACOR - LOSS OF EMERGENCY AC ORANGE TRAIN - Constant Value: 1.0
XXACPU - LOSS OF EMERGENCY AC PURPLE TRAIN - Constant Value: 1.0
XXDOFF - LOSS OF EMERGENCY 125 VDC ORANGE BUS NO. 1-1 - Constant Value: 1.0
XXDPFF - LOSS OF EMERGENCY 125 VDC PURPLE BUS NO. 1-2 - Constant Value: 1.0
XXOPFF - OPER FAILS TO STOP RS-P-2B ON LOSS OF QB (OP = F) - Constant Value: 1.0
XXQAFF - QUENCH SPRAY TRAIN A FAILS (QA = F) - Constant Value: 1.0
XXQBFF - QUENCH SPRAY TRAIN B FAILS (QB = F) - Constant Value: 1.0
[CVFORW193, CVFORW195] - Common Cause: Group CVD, 2/2 - (ZBVCOD)*(ZTVCOD) = 6.9611E-07
[PMSRRSP1A, PMSRRSP1B] - Common Cause: Group PMR, 2/2 - (ZBPMLR)*(ZTPMER*@T1) = 5.8462E-06
[PMSSRSP1A, PMSSRSP1B] - Common Cause: Group PMS, 2/2 - (ZBPMLS)*(ZTPMES) = 6.2796E-05
Table 3.2.0-4. Common Cause Basic Events for Top Event RS

Group ID: PMS
Basic Events: PMSSRSP1A (INSIDE RECIR. PUMP RS-P-1A FAILS TO START), PMSSRSP1B (INSIDE RECIR. PUMP RS-P-1B FAILS TO START)
Algebraic Method: Order = 1 out of 2; Failure Mode ID: START; Total Failure Rate = ZTPMES; Beta = ZBPMLS

Group ID: PMR
Basic Events: PMSRRSP1A (INSIDE RECIR. PUMP RS-P-1A FAILS TO RUN), PMSRRSP1B (INSIDE RECIR. PUMP RS-P-1B FAILS TO RUN)
Algebraic Method: Order = 1 out of 2; Failure Mode ID: RUN; Total Failure Rate = ZTPMER*@T1; Beta = ZBPMLR

Group ID: CVD
Basic Events: CVFORW193 (CHECK VALVE RW-193 FAILS TO OPEN), CVFORW195 (CHECK VALVE RW-195 FAILS TO OPEN)
Algebraic Method: Order = 1 out of 2; Failure Mode ID: OPEN ON DEMAND; Total Failure Rate = ZTVCOD; Beta = ZBVCOD
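Tables 3.2.0-3 and 3.2.0-4 show each two-component common cause group split into a "1/2" entry, (1 - beta) times the total failure rate charged to each single basic event, and a "2/2" entry, beta times the total rate charged to the pair. The following Python, an added example rather than RISKMAN code, writes out that beta-factor decomposition and its inverse. The "1/2" and "2/2" values it carries are the ones printed in Table 3.2.0-3; the total rates and beta factors (ZTPMES, ZBPMLS and so on) are recovered from those two entries here, not read from the RISKMAN database DBF.RM3.

```python
"""Beta-factor common cause decomposition as displayed in Tables 3.2.0-3
and 3.2.0-4 for the two-component groups PMS, PMR and CVD.

Added example; not RISKMAN code. The '1/2' and '2/2' values below are the
ones printed in Table 3.2.0-3; the totals and betas are recovered from them.
"""

# (independent "1/2" value, common cause "2/2" value) as printed in Table 3.2.0-3
TABLE_3_2_0_3 = {
    "PMS": (1.7808e-03, 6.2796e-05),   # RS-P-1A/1B fail to start
    "PMR": (8.1244e-04, 5.8462e-06),   # RS-P-1A/1B fail to run (rate * @T1)
    "CVD": (7.9039e-05, 6.9611e-07),   # RW-193 / RW-195 fail to open
}


def beta_factor_terms(total, beta):
    """Split the total failure probability of a two-component group into the
    independent term (1 - beta) * total, charged to each single basic event,
    and the common cause term beta * total, charged to the pair."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    return (1.0 - beta) * total, beta * total


def recover_total_and_beta(independent, common):
    """Invert beta_factor_terms: total = independent + common, beta = common / total."""
    total = independent + common
    if total <= 0.0:
        raise ValueError("total failure rate must be positive")
    return total, common / total


def pair_failure_probability(independent, common):
    """Probability that both members of the group fail: the two independent
    events together, or the single common cause event (rare-event sum)."""
    return independent * independent + common


def decompose_table(table=TABLE_3_2_0_3):
    """Recover (total, beta) for each group and confirm that the forward
    split reproduces the printed entries to display precision."""
    out = {}
    for group, (ind, cc) in table.items():
        total, beta = recover_total_and_beta(ind, cc)
        ind_back, cc_back = beta_factor_terms(total, beta)
        if abs(ind_back - ind) > 1e-12 or abs(cc_back - cc) > 1e-12:
            raise ValueError(f"round trip failed for group {group}")
        out[group] = (total, beta)
    return out


if __name__ == "__main__":
    for group, (total, beta) in decompose_table().items():
        ind, cc = TABLE_3_2_0_3[group]
        print(f"{group}: total={total:.4e}  beta={beta:.4f}  "
              f"P(both fail)={pair_failure_probability(ind, cc):.4e}")
```

For the PMS group the recovered beta is about 0.034, so the common cause "2/2" term dominates the probability that both inside recirculation spray pumps fail to start, which is why that pair appears as the top cutset of the NORMAL alignment in the cause table.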
Table 3.2.0-5. Boundary Conditions for Top Event RS Split Fractions

Split Fraction RS1 - INSIDE RECIRC. SPRAY TRAINS A & B - ALL SUPPORT AVAILABLE
PE Mean = 1.5962E-04  Date: 25 JUN 1992 19:05
MC/LH Mean = 1.7228E-04  Date: 03 JUL 1992 02:51
Basic Event Impacts for Split Fraction RS1 (Basic Event / State / Description):
XXDOFF  S  LOSS OF EMERGENCY 125 VDC ORANGE BUS NO. 1-1
XXACOR  S  LOSS OF EMERGENCY AC ORANGE TRAIN
XXACPU  S  LOSS OF EMERGENCY AC PURPLE TRAIN
XXDPFF  S  LOSS OF EMERGENCY 125 VDC PURPLE BUS NO. 1-2
XXQAFF  S  QUENCH SPRAY TRAIN A FAILS (QA = F)
XXOPFF  S  OPER FAILS TO STOP RS-P-2B ON LOSS OF QB (OP = F)
XXQBFF  S  QUENCH SPRAY TRAIN B FAILS (QB = F)

Split Fraction RS2 - INSIDE RS TRAIN A UNAVAIL. DUE TO FAILURE OF SUPPORT
PE Mean = 1.4983E-02  Date: 25 JUN 1992 19:05
MC/LH Mean = 1.4953E-02  Date: 03 JUL 1992 02:51
Basic Event Impacts for Split Fraction RS2: the same seven basic events as for RS1 (XXDOFF, XXACOR, XXACPU, XXDPFF, XXQAFF, XXOPFF, XXQBFF), all in State S.

Split Fraction RS3 - INSIDE RS TRAIN B UNAVAIL. DUE TO FAILURE OF SUPPORT
PE Mean = 1.4983E-02  Date: 25 JUN 1992 19:05
MC/LH Mean = 1.4860E-02  Date: 03 JUL 1992 02:51
Basic Event Impacts for Split Fraction RS3: the same seven basic events as for RS1, all in State S.

Split Fraction RSF - GUARANTEED FAILURE
PE Mean = 1.0000E+00  Date: 25 JUN 1992 19:05
MC/LH Mean = 1.0000E+00  Date: 03 JUL 1992 02:51
Condition Split Fraction: 1.0
Table 3.2.0-6. Alignment Report for Top Event RS

Split Fraction RS1 - INSIDE RECIRC. SPRAY TRAINS A & B - ALL SUPPORT AVAILABLE
PE Mean = 1.5962E-04  Date: 25 JUN 1992 19:05
MC/LH Mean = 1.7228E-04  Date: 03 JUL 1992 02:51
Alignment   Total Prob.   Frequency    Total        Importance
NORMAL      9.1510E-05    9.7690E-01   8.9400E-05   5.1680E-01
MAINT4      3.5800E-03    1.0460E-02   3.7450E-05   2.1650E-01
MAINT3      3.5800E-03    1.0460E-02   3.7450E-05   2.1650E-01
MAINT1      3.5800E-03    1.2130E-03   4.3420E-06   2.5100E-02
MAINT2      3.5800E-03    1.2130E-03   4.3420E-06   2.5100E-02

Split Fraction RS2 - INSIDE RS TRAIN A UNAVAIL. DUE TO FAILURE OF SUPPORT
PE Mean = 1.4983E-02  Date: 25 JUN 1992 19:05
MC/LH Mean = 1.4953E-02  Date: 03 JUL 1992 02:51
Alignment   Total Prob.   Frequency    Total        Importance
MAINT4      1.0000E+00    1.0220E-02   1.0220E-02   6.8350E-01
NORMAL      3.5530E-03    9.7740E-01   3.4730E-03   2.3220E-01
MAINT2      1.0000E+00    1.2200E-03   1.2200E-03   8.1570E-02
MAINT3      3.5530E-03    1.0220E-02   3.6330E-05   2.4290E-03
MAINT1      3.5530E-03    1.2200E-03   4.3350E-06   2.8980E-04

Split Fraction RS3 - INSIDE RS TRAIN B UNAVAIL. DUE TO FAILURE OF SUPPORT
PE Mean = 1.4983E-02  Date: 25 JUN 1992 19:05
MC/LH Mean = 1.4860E-02  Date: 03 JUL 1992 02:51
Alignment   Total Prob.   Frequency    Total        Importance
MAINT3      1.0000E+00    1.0290E-02   1.0290E-02   6.9240E-01
NORMAL      3.3780E-03    9.7720E-01   3.3010E-03   2.2220E-01
MAINT1      1.0000E+00    1.2300E-03   1.2300E-03   8.2790E-02
MAINT4      3.3780E-03    1.0290E-02   3.4740E-05   2.3390E-03
MAINT2      3.3780E-03    1.2300E-03   4.1540E-06   2.7960E-04

No alignments were quantified for Split Fraction RSF.
Table 3.2.0-7. Alignment Contribution Report for Top Event RS

NORMAL Alignment - Fraction of Time in the Alignment is: 1.0 - 2*ZMPMSF*ZMPLSD - 2*ZMHXRF*ZMHXMD = 9.7717E-01

MAINT1 Alignment - Fraction of Time in the Alignment is: ZMPMSF*ZMPLSD = 1.2210E-03
Basic Event Impacts for MAINT1 Alignment (Basic Event / State / Description):
PMSSRSP1A  F  INSIDE RECIR. PUMP RS-P-1A FAILS TO START

MAINT2 Alignment - Fraction of Time in the Alignment is: ZMPMSF*ZMPLSD = 1.2210E-03
Basic Event Impacts for MAINT2 Alignment:
PMSSRSP1B  F  INSIDE RECIR. PUMP RS-P-1B FAILS TO START

MAINT3 Alignment - Fraction of Time in the Alignment is: ZMHXRF*ZMHXMD = 1.0323E-02
Basic Event Impacts for MAINT3 Alignment:
HXRPRSE1A  F  RECIRC SPRAY HEAT EXCHANGER RS-E-1A RUPTURES

MAINT4 Alignment - Fraction of Time in the Alignment is: ZMHXRF*ZMHXMD = 1.0323E-02
Basic Event Impacts for MAINT4 Alignment:
HXRPRSE1B  F  RECIRC SPRAY HEAT EXCHANGER RS-E-1B RUPTURES
Table 3.2.0-8. Cause Table for Split Fraction RS1

No.  Cutset                                   Value       Importance  Cumulative  Alignment
1    [PMSSRSP1A, PMSSRSP1B]                   6.507E-05   37.7709     37.7709     NORMAL
2    [PMSSRSP1A]                              1.937E-05   11.2436     49.0146     MAINT4
3    [PMSSRSP1B]                              1.937E-05   11.2436     60.2382     MAINT3
4    [PMSRRSP1A]                              8.278E-06    4.8051     65.0633     MAINT4
5    [PMSRRSP1B]                              8.278E-06    4.8051     69.8684     MAINT3
6    (cutset illegible; involves PMSSRSP1A/1B) 7.607E-06    4.4156     74.2840     NORMAL
7    [PMSRRSP1A, PMSRRSP1B]                   5.496E-06    3.1902     77.4743     NORMAL
8    MVXCMOVRW104B                            3.673E-06    2.1321     79.6063     MAINT3
9    MVXCMOVRW104A                            3.673E-06    2.1321     81.7384     MAINT4
10   MVXCMOVRW105A                            3.673E-06    2.1321     83.8704     MAINT4
11   MVXCMOVRW105B                            3.673E-06    2.1321     86.0025     MAINT3
12   [PMSSRSP1B]                              2.251E-06    1.3066     87.3091     MAINT1
13   [PMSSRSP1A]                              2.251E-06    1.3066     88.6157     MAINT2
14   (cutset illegible; involves PMSRRSP1A)   2.005E-06    1.1638     89.7796     NORMAL
15   (cutset illegible; involves PMSRRSP…)    1.494E-06    0.8672     90.6468     NORMAL
16   (cutset illegible; involves PMSRRSP1B)   1.494E-06    0.8672     91.5140     NORMAL
17   [PMSRRSP1B]                              9.811E-07    0.5692     92.0835     MAINT1
18   [PMSRRSP1A]                              9.811E-07    0.5692     92.6530     MAINT2
19   [CVFORW193]                              8.387E-07    0.4868     93.1398     MAINT4
20   [CVFORW195]                              8.387E-07    0.4868     93.6267     MAINT3
21   (cutset illegible; involves PMSSRSP1B)   6.836E-07    0.3968     94.0235     MAINT4
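Tables 3.2.0-6 through 3.2.0-8 are three views of the same bookkeeping: each alignment's conditional failure probability is weighted by the fraction of time spent in it (Section 3.2.0.2.3.2.3), the weighted totals are summed to give the split fraction, and the individual cutsets are ranked by their share of that total. The following Python, an added example rather than RISKMAN code, writes that arithmetic out. The alignment probabilities, fractions of time and cutset values in it are the ones printed in the tables above; nothing else is plant data, and the sum of the printed RS1 alignment totals comes to about 1.73E-04, close to the MC/LH mean of 1.7228E-04 shown in Table 3.2.0-6.

```python
"""Alignment weighting and cutset importance, reproducing the structure of
Tables 3.2.0-6, 3.2.0-7 and 3.2.0-8 for split fraction RS1.

Added example; not RISKMAN code. The numeric inputs below are the values
printed in those tables; the arithmetic that turns them into totals,
importances and cumulative percentages is written out here.
"""


def maintenance_fraction(freq_per_hour, mean_duration_hours):
    """Fraction of time a train spends in a maintenance alignment
    (Section 3.2.0.2.3.2.3): frequency of entering it times mean duration."""
    return freq_per_hour * mean_duration_hours


def normal_fraction(other_fractions):
    """Time not spent in any modeled test or maintenance alignment; Table
    3.2.0-7 writes this as 1.0 - 2*ZMPMSF*ZMPLSD - 2*ZMHXRF*ZMHXMD."""
    f = 1.0 - sum(other_fractions)
    if f < 0.0:
        raise ValueError("alignment fractions exceed 1.0")
    return f


def alignment_report(rows):
    """rows: (alignment, P(failure | alignment), fraction of time).
    Returns (split fraction, report rows) where Total = prob * fraction,
    Importance = Total / split fraction, sorted by Total as in Table 3.2.0-6;
    the split fraction point estimate is the sum of the totals."""
    totals = [(name, p, frac, p * frac) for name, p, frac in rows]
    split = sum(t[3] for t in totals)
    report = [{"alignment": n, "prob": p, "fraction": f, "total": t,
               "importance": t / split} for n, p, f, t in totals]
    report.sort(key=lambda r: r["total"], reverse=True)
    return split, report


def cause_table(cutsets, split_fraction_mean):
    """cutsets: (cutset, alignment, value). Importance is the cutset's share
    (percent) of the split fraction mean; Cumulative is the running sum in
    the descending order Table 3.2.0-8 uses."""
    ordered = sorted(cutsets, key=lambda c: c[2], reverse=True)
    rows, cumulative = [], 0.0
    for name, alignment, value in ordered:
        importance = 100.0 * value / split_fraction_mean
        cumulative += importance
        rows.append({"cutset": name, "alignment": alignment, "value": value,
                     "importance": importance, "cumulative": cumulative})
    return rows


# Values printed in Table 3.2.0-6 for RS1: (alignment, Total Prob., Frequency).
RS1_ALIGNMENTS = [
    ("NORMAL", 9.1510e-05, 9.7690e-01),
    ("MAINT1", 3.5800e-03, 1.2130e-03),
    ("MAINT2", 3.5800e-03, 1.2130e-03),
    ("MAINT3", 3.5800e-03, 1.0460e-02),
    ("MAINT4", 3.5800e-03, 1.0460e-02),
]

# First five cutsets of Table 3.2.0-8 and the RS1 MC/LH mean of 1.7228E-04.
RS1_CUTSETS = [
    ("[PMSSRSP1A, PMSSRSP1B]", "NORMAL", 6.507e-05),
    ("[PMSSRSP1A]", "MAINT4", 1.937e-05),
    ("[PMSSRSP1B]", "MAINT3", 1.937e-05),
    ("[PMSRRSP1A]", "MAINT4", 8.278e-06),
    ("[PMSRRSP1B]", "MAINT3", 8.278e-06),
]
RS1_MEAN = 1.7228e-04


if __name__ == "__main__":
    # Table 3.2.0-7: pump maintenance 1.2210E-03, HX maintenance 1.0323E-02 per train.
    print("NORMAL fraction:", normal_fraction([1.2210e-03] * 2 + [1.0323e-02] * 2))
    split, report = alignment_report(RS1_ALIGNMENTS)
    print(f"RS1 point estimate from alignment totals = {split:.4e}")
    for r in report:
        print(f"{r['alignment']:7} total={r['total']:.4e} importance={r['importance']:.4e}")
    for r in cause_table(RS1_CUTSETS, RS1_MEAN):
        print(f"{r['cutset']:24} {r['importance']:8.4f} {r['cumulative']:8.4f} {r['alignment']}")
```

The cumulative column is what an analyst reads first: once it passes roughly 90 percent the remaining cutsets are individually negligible, which is why the report truncates each cause table at about 20 entries per alignment.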
Table 3.2.0-9. List of Beaver Valley Unit 1 PRA Systems

AC Electric Power
DC Electric Power
Solid State Protection System
River Water and Auxiliary River Water System
Reactor Plant Component Cooling Water System
Turbine Plant Component Cooling Water System
Station Instrument Air / Containment Instrument Air
Reactor Protection System
Turbine Trip / Main Steam Isolation
Auxiliary Feedwater System
Main Feedwater System
Primary Relief
Emergency Core Cooling System
  High Head Safety Injection
  Low Head Safety Injection
Containment Depressurization System
  Recirculation Spray
  Quench Spray
Residual Heat Removal System
Containment Isolation
Ventilation System
FIGURE 3.2.0-1. Reliability Block Diagram for Top Event RS

[Block diagram not reproducible in text.]
i ~ o COMPOWENT itPE FAltt/RE MCOE 'O s COMPOWENT l.D. (f rom P & I D) DESIGNATOR DEstGWAfDR {2g tr ,
~<
n' 57 Coepar ent falture Mode 23
- Designator Descriptfon Designator .....ription Desc .- 7
...................... ......... ................. g AV RC Air Operated Valve Bettery Charger SR Fall to Start - Stendr fall During operettan / CwponentStandby Copponent St DisteMe 05 Fa to Start - Nortett E o (D 8$ sus OR fa Dur jng Operation y Operatine ComponentNormatty Operating Caponent Si Bettes' FO Fe to Dpen e E.
C8 Circui,t Breehr i Fa i to Close es . CC Control Cable FC FR T1 3E se s CH Chitter FD Fa.j to Resentfaj, to Operate on Demand "y Caepressor s CP FF Fasa to Go to Failed Position
-* C 1 CA Control Rod XO Transfe. Open C 3 l CV %eck Valve IC Transfer Closed 2 ~~
04 Pneunet c Desrer RP R @ture m DB BeckdraHt Daaper PL Ptbg w DF F{re Danper LK Gross Leakage DG Dieset Gerarator PO Premature Ing -50 EV Electro Rydraulic Valve 50 Spyrtous ration 9 FI F FW Falt to R tose Following Water tell2f to FL Floufruficatortter, Y mtitation
- FN fan C3 75 Fuse #
u FX Flow Transmitter " b JV Turbine Control Valve n y Hi neat Tracing m
. MV Marcel Valve <
l NX Neat fuchanger is IN Inverte. 3 LG Logic Modate ~ LX Levat Transmitter O MG Motor Generator e MV Motor Operated Vatye " CA Op-Aap Signet Matris to_ OP Opearter falta to do ... 3 PC Pressure Control Valve to FM Motor Driven Pug- 5 PP Pipe Section PS Power S*4 ply # Pi Turbine Drivef PV Power Operuteo} Purp Retlef Valve PX Pressure fransmitter RL Relay RV Relief Vet e RX Reactos ir Bretter
$L Levet Swit SM $lgnal Mod Ier sw spray Nort es y SP Pressure Switch 5, 50 Sequencer $1 Strainer $V Safety valve 2 D" TC iceperature Control Valve 8 5 TK Stor ge Tank 1 3 TV furb ne Stop Valve y VL Vent lation Louvre #_
v5 Solenoid vatve o a s XR Trsreformer i
, l
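The designator key above, together with the basic event names in Table 3.2.0-3 (for example MVXCMOVRW104A = MV + XC + MOVRW104A, and PMSSRSP1A / PMSRRSP1A for the start and run failures of pump RS-P-1A), fixes the layout of a RISKMAN basic event name as two characters of component type, two of failure mode, and the component identifier. The following Python decoder is an added example, not RISKMAN code. Its dictionaries hold only the designators legible on the page; the XJ entry (expansion joint) is an assumption inferred from the description of event XJRPREJ7, and the XX prefix for boundary condition events is taken from Table 3.2.0-5.

```python
"""Decoding RISKMAN basic event designators of the form
<component type (2 chars)><failure mode (2 chars)><component I.D. from P&ID>.

Added example; not RISKMAN code. Dictionary entries are the designators
legible in the key figure and Table 3.2.0-3; XJ is an inferred assumption.
"""
import re

COMPONENT_TYPES = {
    "AV": "Air Operated Valve", "CB": "Circuit Breaker", "CV": "Check Valve",
    "DG": "Diesel Generator", "FN": "Fan", "HX": "Heat Exchanger",
    "MV": "Motor Operated Valve", "PM": "Motor Driven Pump",
    "PP": "Pipe Section", "RL": "Relay", "RV": "Relief Valve",
    "SN": "Spray Nozzles", "SV": "Safety Valve", "TK": "Storage Tank",
    "VS": "Solenoid Valve", "XR": "Transformer",
    # Assumption: inferred from event XJRPREJ7 "RW EXPANSION JOINT REJ-7 RUPTURE".
    "XJ": "Expansion Joint (assumed)",
}

FAILURE_MODES = {
    "SS": "Fail to Start - Standby Component",
    "SR": "Fail During Operation - Standby Component",
    "OS": "Fail to Start - Normally Operating Component",
    "OR": "Fail During Operation - Normally Operating Component",
    "FO": "Fail to Open", "FC": "Fail to Close",
    "XO": "Transfer Open", "XC": "Transfer Closed",
    "RP": "Rupture", "PL": "Plug", "LK": "Gross Leakage",
}

_DESIGNATOR = re.compile(r"^([A-Z]{2})([A-Z]{2})([A-Z0-9]+)$")


def parse_basic_event(designator):
    """Return a dict describing the event. Names beginning with XX are the
    boundary condition (house) events of Table 3.2.0-5 and carry no component."""
    if designator.startswith("XX"):
        return {"designator": designator, "kind": "boundary condition",
                "component_type": None, "failure_mode": None, "component_id": None}
    m = _DESIGNATOR.match(designator)
    if not m:
        raise ValueError(f"not a basic event designator: {designator!r}")
    ctype, mode, cid = m.groups()
    if ctype not in COMPONENT_TYPES:
        raise ValueError(f"unknown component type {ctype!r} in {designator!r}")
    if mode not in FAILURE_MODES:
        raise ValueError(f"unknown failure mode {mode!r} in {designator!r}")
    return {"designator": designator, "kind": "component failure",
            "component_type": COMPONENT_TYPES[ctype],
            "failure_mode": FAILURE_MODES[mode], "component_id": cid}


def describe(designator):
    """One-line description in the style of the Table 3.2.0-3 entries."""
    ev = parse_basic_event(designator)
    if ev["kind"] == "boundary condition":
        return f"{designator}: boundary condition event"
    return f"{designator}: {ev['component_type']} {ev['component_id']} - {ev['failure_mode']}"


def cutset_components(cutset):
    """Component identifiers touched by a cutset string such as
    '[PMSSRSP1A, PMSSRSP1B]' (the bracketed common cause form of Table 3.2.0-8)."""
    names = re.findall(r"[A-Z][A-Z0-9]+", cutset)
    return sorted({parse_basic_event(n)["component_id"]
                   for n in names if not n.startswith("XX")})


if __name__ == "__main__":
    for name in ["MVXCMOVRW104A", "PMSSRSP1A", "PMSRRSP1B", "CVFORW193",
                 "HXRPRSE1A", "SNPLRS1B", "XJRPREJ7", "XXACOR"]:
        print(describe(name))
    print(cutset_components("[PMSSRSP1A, PMSSRSP1B]"))
```

Rejecting unknown type or mode codes rather than guessing is the useful behaviour here: a cause table row that fails to decode points at either a typo in the fault tree input or a legend entry missing from the analyst's key.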
FIGURE 3.2.0-3. Top Event RS Fault Tree

[Fault tree diagram not reproducible in text.]
FIGURE 3.2.0-4. Event Tree for a Two-Train System

[Diagram not reproducible in text. Recoverable content: Top Events A and B; branch split fractions S1 (train A fails), S2 (train B fails given train A succeeds) and S3 (train B fails given train A fails); end-state sequence frequencies f1 through f4.]
FIGURE 3.2.0-5. RISKMAN File Structure

[Schematic not reproducible in text. Recoverable content:
Systems input information, for each system: SYS.RM3 (system designators); TOP.RM3 (top event designators); SYSTEM.CRT (top event split fractions); SYSTEM.CTS (system cause table); SYSTEM.EQS (system equations).
Data input information: DBF.RM3 (data base).
These feed RISKMAN, which produces the system output information: master frequency output files, quantified cause tables, system equations, a split fraction point estimate file and a split fraction distribution file (file names illegible), which go to PRA documentation and to event tree quantification.]
5:av:r Vell:y P war Stati:n Unit:1 RicvislIn 0 - Pr:b bill: tic Risk As:ce:m:nt: C 1
-3.2.1 SYSTEM DESCRIPTIONS ~
ISystem summaries were created for the. systems analyzea in the Beaver Valley Unit 1 PRA, These. system: summaries or system descriptions are ther result of- the qualitative systems analysis, as described in Section ? 2.0, and are presented here. The system _ descriptions are: arranged int? the following subsections: , 1, ! System Function
- 2. ' Success Criteria (For Each Mode of Operation)
- 3. Support Systems
- 4. Systems Supported
- 5. Operating Features including Test / Maintenance and Recovery Considerations
- 6. Technical Sperifications
- 7. Surveillance Tests (Dcne during Ops?; tion or Shutdown) 8c System Diagram_
- 9. References-
- 10. Modeling Assumptions The content of each subsection is riescribed in Section 3.2.0. .
Detailed information concerning the quantitative system models is not presented here, but is presented in Appendix A, which includes the reliability block diagram for each top event and the component table associated with each block diagram. The component table lists each piece of equipment modeled for a particular top event and includes a list of the support systems required, the failure mode, initial state, actuated state, and loss of support state for the components in the table. Appendix A also includes the fault tree for each top event and the RISKMAN cause table, equation file, and input files for each system.
3.2.1.1 AC ELECTRIC POWER SYSTEM

3.2.1.1.1 System Function

The electrical power systems include the facilities for providing power for operation and control of all BVPS-1 auxiliary electrical equipment and instrumentation during normal operation and during loss of normal station power. The 4160 Volt AC Station Service System controls and distributes normal and emergency 4160 Volt power for use within the station. It supplies power to various motors and the 480V substation transformers.

The 480 Volt AC Station Service System supplies 480 Volt, three phase, 60 Hertz ungrounded power to various 480 Volt motors and heaters throughout the station. In addition, it supplies an alternate source of power to the 120 Volt AC vital busses, and a normal source of power to the 120/240 VAC station lighting and control transformers.

The 120 Volt AC Distribution System provides a reliable and regulated source of power to vital equipment throughout the plant.

3.2.1.1.2 Success Criteria
1. UFSAR. During normal operation, onsite electrical power from the main generator via two unit station service transformers (USST) supplies all AC loads. Offsite power can also be supplied from the 138 KV switchyard via two system station service transformers (SSST). On failure of the preferred source, automatic throwover is provided to the alternate source to ensure continuous power to the equipment. During normal startups/shutdowns, all of the AC loads receive power from the offsite power supply via the SSSTs. Following a loss of offsite power, two fast starting diesel generator sets provide the source of the AC power for the two 4160 Volt emergency buses. The fuel oil transfer system supplies fuel from the underground storage tank to the day tank at the diesel generator to ensure continuous operation of the diesel generators for up to seven days.

2. PRA. Each of the two Emergency AC trains (orange and purple) will be modeled separately. The success criterion for each train is the continuous supply of AC power to the safety-related loads for a mission time of 24 hours.

3.2.1.1.3 Support Systems

125 VDC Orange Train                      | Control power for orange emergency 4160V and 480V breakers; diesel start and load
125 VDC Purple Train                      | Control power for purple emergency 4160V and 480V breakers; diesel start and load
125 VDC Bus 5                             | Control power for non-emergency 4160V and 480V breakers
125 VDC Switchyard                        | Control power for switchyard breakers
Offsite Power Supply                      |
River Water System                        | Cooling water for emergency diesel generators
Solid State Protection System - Train A   | Actuation signal on SI to Diesel A and river water MOVs
Solid State Protection System - Train B   | Actuation signal on SI to Diesel B and river water MOVs
SSPS CIB Signal                           | Disconnects stub buses and overrides diesel protective trips

3.2.1.1.4 Systems Supported

1. Normal 4160V System
   Reactor Coolant System
   Main Feedwater System
   Secondary Component Cooling System (CCT)
   Condensate System
2. Emergency 4160V System
   Residual Heat Removal System
   Reactor Plant Component Cooling System (CCR)
   Auxiliary Feedwater System
   Low Head Safety Injection System
   River Water System
   Charging/High Head Safety Injection System
   Recirculation Spray System

3. Normal 480V System
   Switchgear Area Ventilation
   Station Air System

4. Emergency 480V System
   Recirculation Spray System
   Quench Spray System
   Supplementary Leak Collection and Release System
   Control Room Air Conditioning
   Containment Air Recirculation
   PORV Block Valves

5. 120V AC Emergency Distribution System
   Safety-Related HVAC
   Safety-Related Radiation Monitoring
   Containment Isolation Valves
   Hydrogen Analyzer Isolation Circuits
   Safety-Related MOV Monitoring

6. 120V AC Vital Bus System
   Reactor Protection System
   Solid State Protection System
   Radiation Monitoring System

7. Alternate supply from the ERF (Black) Diesel Generator
   Filtered Water Pump 28

3.2.1.1.5 Operating Features

1. System Actuation
   a. Automatic

      1) Following a plant trip, a fast transfer (0.15 seconds) to the offsite power source via the SSSTs will occur.

      2) For a plant trip with coincident loss of offsite power, emergency AC power is supplied from the two emergency diesel generators (EDG). Each EDG will supply its own respective emergency 4,160V bus. Loads will be tripped off the emergency buses and reconnected by the load sequencer.

      3) For a safety injection without a loss of offsite power event, a fast transfer from the USSTs to the SSSTs will occur. The EDGs will start automatically and accelerate up to rated speed, but the EDG output breakers will not close.
      4) For a safety injection with a loss of offsite power event, the EDGs will automatically start, trip Class 1E bus feeder breakers, shed loads of emergency buses, energize emergency buses from their respective EDG, and reload the emergency buses according to a predetermined sequence.

      5) On loss of power to the emergency buses, all diesel generator trips, except overspeed, generator differential current, and generator overexcitation, are automatically disabled.

      6) Supply breaker 1A10 (1D10) from 4160V bus 1A (1D) (USST or SSST) to emergency bus 1AE (1DF) trips open on undervoltage at bus 1AE (1DF).

      7) The EDGs start automatically due to any of the following conditions: a) low voltage on the emergency bus, b) opening of the supply breakers to the emergency bus from the preferred source, c) safety injection signal. The EDGs are started using a compressed air system. Each EDG is capable of reaching rated speed and voltage and ready to accept the load 10 seconds after receiving a start signal.

      8) Each EDG has onsite fuel storage to run at rated load for 7 days. Each EDG has a day tank (1,100 gallons) and a storage tank with 2 transfer pumps (4 total) that operate automatically at preset levels in the day tank. The first pump starts on a low-level signal from the day tank; if the first pump fails, the second pump starts on a low-low level signal from the day tank. The fuel oil transfer pumps are powered from their respective EDGs following a loss of offsite power. The fuel oil transfer pump is tripped off on high level in the day tank and restarts when low level is reached again. This cycle takes approximately 1.6 hours, which leads to 15 start demands for the fuel oil transfer pump during a 24-hour mission time of the emergency diesel generator.

      9) The vital 120V AC buses have three separate power supplies: onsite (USST)/offsite (SSST) power, emergency diesel generator, and 125V DC batteries.

      10) Electric power trains are completely separated with no swing buses; however, some loads can be manually aligned to either train.

   b. Manual. A single nonsafety diesel generator is shared with Unit 2 to provide backup power to significant nonvital loads. This black (ERF) diesel starts automatically on low bus voltage, and loads are realigned by way of a load sequencer.

2. Tests/Maintenance (Frequency, System Reconfiguration, and Potential Misalignments)

   a. The EDGs can be synchronized manually to the offsite power source for periodic testing.
   b. The EDGs are tested periodically as indicated in the technical specification section, but this testing does not contribute to EDG unavailability.

3. Recovery Considerations (including Alarms, Indications, and Abnormal Procedures)

   a. There are numerous alarms and indications in the control room that indicate the condition of the emergency buses.

   b. Operators are directed by emergency procedures (ECA-0.0, Step 9) to attempt to restore AC power if it is lost.
3.2.1.1.6 Technical Specifications (LCOs)

1. One offsite circuit or diesel generator may be out of service for 72 hours with the plant at power (3.8.1.1).

2. One offsite circuit and one diesel generator may be out of service for 12 hours with the plant at power (3.8.1.1).

3. Two offsite circuits may be out of service for 24 hours with the plant at power (3.8.1.1).

4. Two diesel generators may be out of service for 2 hours with the plant at power (3.8.1).

5. An emergency bus (4KV bus 1AE or 1DF or 480V bus 1N or 1P) or a vital bus (120V bus I, II, III, or IV) may be out of service for 8 hours with the plant at power (3.8.2.1).
3.2.1.1.7 Surveillance Tests (Done During Operation or Shutdown)

1. Breakers from offsite sources to the Class 1E distribution system are verified to be in correct alignment every 7 days (4.8.1.1.a).

2. Transfer from the unit circuit (USST) to the system circuit (SSST) is tested, manually and automatically, every 18 months (4.8.1.1.1.b).

3. Diesel generators are started and loaded every 31 days on a staggered basis (4.8.1.1.2.a).

4. Diesel generators are tested with a simulated loss of offsite power and a safety injection signal every 18 months (4.8.1.1.2.b).

5. Correct breaker alignment on the emergency buses and vital buses is verified every 7 days (4.8.2.3.1).
3.2.1.1.8 System Diagrams

1. The electrical system one line diagram is shown in UFSAR Figure 8.1-1.

2. The fuel oil system diagram is shown in UFSAR Figure 9.14-1.
3.2.1.1.9 References

1. 8700-RM-127A-17
2. 8700-RE-100A-3
3. 8700-RM-15*A-9
4. UFSAR Chapter 8, Rev. 6 (1/88)
5. OM Chapter 36, Issue 2, Revision 5
6. 8700-RE-1G-9
7. 8700-RE-1H-11
8. 8700-RE-1T-19
9. 8700-RE-1K-13

3.2.1.1.10 Modeling Assumptions
1. Equipment Boundaries

   a. The block diagram and component table for the AC electric power system is presented in Appendix A.

   b. Emergency 480V AC supply is included with the 4160V AC supply model, but is a small contribution to system failure since 480V AC failures are passive failures (e.g., breaker transfers open), which are relatively low frequency compared to the breaker demand failures needed to transfer the 4160V breakers after a plant trip.

   c. It is assumed that failures of the air start system are included in the failure rate data for diesel generators and are therefore not modeled explicitly.

   d. Nonvital buses are not modeled explicitly. The frequency of failure of these buses is assumed to be small compared to the frequency of the loss of offsite power.

   e. The response of the emergency diesel generators is not modeled as dependent on the occurrence of an SSPS signal. Instead, the occurrence of an SSPS signal is reflected in the individual system models for each piece of equipment loaded onto the diesels.

2. Initial Conditions. AC power is being supplied from the turbine generator through the USSTs, the EDGs are in standby, and the plant is operating at 100% power at the time of the initiating event.

3. Failure Mode Impacts

   a. Loss of both emergency AC orange and DC bus 1-1 fails vital bus channel I (red). Loss of both emergency AC orange and DC bus 1-3 fails vital bus channel III (blue).

   b. Loss of both emergency AC purple and DC bus 1-2 fails vital bus channel II (white). Loss of both emergency AC purple and DC bus 1-4 fails vital bus channel IV (yellow).

4. Common Cause

   a. Common cause failure of breakers to operate on demand.
   b. Common cause failure of diesel generators to start or to run.
   c. Common cause failure of fuel oil transfer pumps to start or to run.
   d. Common cause failure of ventilation fans to start or run.
   e. Common cause failure of motor-operated dampers to open on demand.
   f. Common cause groups are shown in Table 3.2.2-3.
3.2.1.2 DC ELECTRIC POWER SYSTEM (125 VDC)

3.2.1.2.1 System Function

The 125 VDC supply system provides power for the safety and nonsafety equipment listed in the "Systems Supported" section. It provides a supply of direct current electric power for the 120 VAC vital buses, control power for all the vital 4160 VAC and 480 VAC feeder breakers, and power for many other safety functions.

3.2.1.2.2 Success Criteria (for each mode of operation)

1. UFSAR. The 125 VDC power supply is designed to function either with AC power available or during a station blackout to provide the power necessary for the restoration of other power sources.

2. PRA. Each of the emergency DC power trains will be modeled separately. The success criterion for each train is the continuous supply of DC power to the safety-related loads.

3.2.1.2.3 Support Systems

480 VAC Safety-Related Power Orange Train (MCC-1-E9)    | Provides power to Battery Chargers 1-1 and 1-3
480 VAC Safety-Related Power Purple Train (MCC-1-E10)   | Provides power to Battery Chargers 1-2 and 1-4
Normal AC                                               | Provides power to Battery Charger 1-5
Safety-Related Area Ventilation System                  | Provides required air flow for proper system operation

3.2.1.2.4 Systems Supported

1. Safety-Related Systems Powered by DC Buses 1-1 and 1-2

   - Safety-Related 4160 VAC Switchgear - Breaker Control
   - Safety-Related 480 VAC Unit Substation - Breaker Control
   - Emergency Diesel Generators - Field Flash and Control Circuits
   - Vital Bus Uninterruptible Power Supply - Backup Power to Inverters
   - Reactor Protection System - Power to the Four Instrumentation Channels
   - Reactor Trip Switchgear
   - Miscellaneous Valves, Cabinets, Protective Circuits, etc.

2. Nonsafety-Related Systems Powered by DC Buses 1-1 and 1-2

   - Nonsafety-Related 4160 VAC Switchgear - Breaker Control
   - Nonsafety-Related 480 VAC Unit Substation - Breaker Control
   - Turbine Emergency Auxiliaries
   - Control Room Air System
   - Emergency Lighting System - DC Power and Backup AC Power
   - Annunciator System
   - Computer Uninterruptible Power Supply - Backup Power to Inverter
   - Fire Protection - Power for Control Panels
   - Fire Detection
   - Miscellaneous Valve Circuits, etc.
3. Safety-Related Systems Powered by DC Buses 1-3 and 1-4

   - Vital Bus Channels III and IV - Backup Power to Inverters
   - Aux Feed Pump Initiating Circuits - Instrument and Control Power

3.2.1.2.5 Operating Features

1. Initial Configuration. Each 125 VDC bus has an associated battery and battery charger. The chargers provide a continuous float charge to the batteries. The chargers are supplied from the safety-related 480 VAC power system through Motor Control Center (MCC) E9 for Battery Chargers 1 and 2 and MCC E10 for Battery Chargers 2 and 4.

2. System Actuation

   a. Automatic

      1) The 125 VDC supply automatically supplies power to the 120 VAC vital buses following a loss of AC power, through inverters.

      2) Following a loss of AC power to the chargers, the batteries have the ability to supply the normal and emergency loads for a minimum of 2 hours.

   b. Manual. There are no manual interventions that need to be performed.

3. Tests/Maintenance (Frequency, System Reconfiguration, and Potential Misalignments)

   There is a potential for leaving the batteries disconnected following battery maintenance.

4. Recovery Considerations (including Alarms, Indications, and Abnormal Procedures)
   The DC bus voltage and battery charger breaker positions are continuously indicated on the main control boards in the control room to provide the status of the DC buses.

3.2.1.2.6 Technical Specifications (LCOs)

One 125 VDC battery bank may be inoperable for 2 hours during power operation (3.8.2.3.a).

3.2.1.2.7 Surveillance Tests (Done During Operation or Shutdown)

1. Breaker alignment and power indications are verified every 7 days for each train of DC power (4.8.2.3.1).

2. Battery charger operability and battery condition are verified every 7 days (4.8.2.3.2.a).

3.2.1.2.8 System Diagrams

1. One line diagrams for the 125V DC system are shown in UFSAR Figures 8.4-1 and 8.4-2.

3.2.1.2.9 References

1. 8700-RE-1Z
2. 8700-RE-1V

3.2.1.2.10 Modeling Assumptions
1. Equipment Boundaries

   a. The block diagram and component table for the DC electric power system is presented in Appendix A.

   b. Loss of power at 125 VDC Bus 1-3 (1-4) is assumed to be a failure of auxiliary feedwater pump FW-P-3A (FW-P-3B).

   c. Power to the associated bus and distribution panels is required for success of that train.

   d. The battery and the charger associated with a particular train are both required to be available for success of that train for 24 hours. If AC power is unavailable, DC power is evaluated for a mission time of just 2 hours, during which the chargers are not necessary.

   e. DC Bus 1-5 is not modeled since it only supplies nonsafety-related equipment which is not modeled in this analysis.

   f. The input and output breakers internal to the battery chargers are considered as being part of the battery chargers.

2. Initial Conditions. DC power is being supplied from the battery chargers, batteries are fully charged, and the plant is operating at 100% power at the time of the initiating event.

3. Common Cause. Common cause failure of the battery chargers during operation is possible.

3.2.1.3 SOLID STATE PROTECTION SYSTEM
3.2.1.3.1 System Function

The solid state protection system (SSPS) monitors key sensed and calculated process and nuclear parameters to ensure that safe operating conditions exist at all times. In case the parameters exceed preset safe limits, the SSPS will produce activation signals as required, for the following:

   Reactor Protection System Reactor Trip     RT
   Turbine Trip                               TT
   Generator Trip                             GT
   Auxiliary Feedwater System Startup         AFW
   Feedwater Isolation                        FWI
   Safety Injection and Associated Actions    SI
   Steam Line Isolation                       SLI
   Containment Isolation Phase A              CIA
   Containment Isolation Phase B              CIB
   Emergency Diesel Generator Startup         EDG
   River Water Pump Start                     RW

The system as modeled includes the analog plant parameter sensing devices (the process instruments and controls), the input relays, the logic cards, the SSPS master relays, and the SSPS slave relays.
3.2.1.3.2 Success Criteria

1. UFSAR. Support the RPS in initiating automatic reactor trip whenever necessary to prevent fuel damage. There are two redundant trains. The success criterion for each train to fulfill this function is the generation of a reactor trip signal. It should be noted, however, that only one train needs to function to obtain a reactor trip.

   Generate additional signals to protect against the effects of design basis events. This involves unique signal generation as a function of an initiating event. The table below describes the necessary signal generation for several events in terms of the functions listed above. As in the case of reactor trip, each train is functionally redundant.

2. PRA. There are two SSPS trains which are redundant in function. To obtain a successful response from the SSPS, at least one of the two trains must produce an actuation signal for all necessary safety functions.

3.2.1.3.3 Support Systems

120V Vital Instrument AC is required as follows:

   Logic Train A Input Relays, Logic Devices, and Master Relays   Bus I or II
   Logic Train A Slave Relays                                     Bus I
   Logic Train B Input Relays, Logic Devices, and Master Relays   Bus III or IV
   Logic Train B Slave Relays                                     Bus II
   Signals for all actuated systems require operation of the slave relays.

   In addition to the above, instrument AC is required by the parameter sensing devices. Because these vital instruments are in general fail-safe, loss of one instrument channel will cause trip signals in the corresponding devices.

3.2.1.3.4 Systems Supported

The SSPS provides signals to the following systems:

1. SI Signal
   - Emergency Diesel Generator Start Signal
   - Reactor Trip Signal
   - Containment Isolation Phase A Signal
   - Feedwater Isolation Signal
   - Safety Injection Actuation Signal
   - High Head Safety Injection Pump Start Signal (Two of Three Pumps)
   - Low Head Safety Injection Pump Start Signal
   - River Water Pump Start Signal (Two of Three Pumps Start on SI Signal)
   - Auxiliary Feedwater Pump Start Signal (Motor Driven Pumps)
   - Turbine Trip Signal

2. CIA Signal
   - Containment Isolation Valves Close Signal

3. CIB Signal
   - Quench Spray Pump Start and Valves Open Signal
   - Recirculation Spray Pump Start and Valves Open Signal
   - RHR Pump Stop Signal
   - Reactor Plant Component Cooling Water Pump Stop Signal
   - 4160V and 480V AC Stub Buses De-energized

4. SLI Signal
   - Main Steam Line Isolation Valves, Bypass Valves, and Drain Valves Close Signal

5. FWI Signal
   - Feedwater Pump Stop Signal
   - Feedwater Valves Close Signal
   - Turbine Trip Signal

6. RT Signal
   - Reactor Trip Signal
   - Turbine Trip Signal

3.2.1.3.5 Operating Features
1. Initial Configuration

   a. Trains A and B are redundant and independent to the degree that only one train is required to initiate necessary safety functions. However, if there is a failure of one train, some safety system components will not receive automatic start signals.

   b. System Actuation

      1) Automatic

         a) In general, an initiating event will cause certain plant parameters to exceed safe operating bounds. Sensors note these exceedances and bistables react, producing signals describing the parameters involved. The SSPS logic cards will, in turn, produce signals as necessary (i.e., in accordance with the design logic) by de-energizing the master relays that activate slave relays and lead to proper safety equipment actuation.

         b) Each master relay is connected to redundant instrument channels and an output from an SSPS logic card. An activation signal is caused when the SSPS logic card output is de-energized, resulting in a current flow through the master relay.

         c) The following plant parameter signals produce a safety injection signal: low pressurizer pressure, containment high pressure, or low steam line pressure. The safety injection signal produces a CIA or containment isolation Phase A signal.

         d) The following produce a main steam isolation signal: containment intermediate high-high pressure, high steam line pressure rate, or low steam line pressure.

         e) The following produces a CIB or containment isolation Phase B signal: containment high-high pressure.

         f) The following produce a reactor trip signal: manual trip activation, high neutron flux (different signals for source range, intermediate range, and power range as determined by interlocks P-6 and P-10), high neutron flux rate, overtemperature delta T, overpower delta T, low flow in reactor coolant pumps, undervoltage of RCPs, underfrequency at RCPs, pressurizer high pressure, pressurizer low pressure, pressurizer high level, steam/feed flow mismatch with low SG level, low-low steam generator level, turbine trip, or an SI signal.

         The following table describes, by initiating event, the expected parameter exceedance signals and the resulting safety actions.

   Initiating Event                      | Parameter Signals                                                                                                   | Safety Functions
   General Transient                     | High-high steam generator level or safety injection (SI signal)                                                     | Feedwater isolation, turbine trip, and reactor trip
                                         | Low-low steam generator level                                                                                       | Reactor trip, turbine trip, and auxiliary feedwater system startup
   Small LOCA                            | Pressurizer low pressure, overtemperature delta T, steam generator low-low level, high containment pressure, RT, TT  | Same as general transient plus: safety injection and containment isolation Phase A
   Steam Generator Tube Rupture          | Pressurizer low pressure, steam generator low-low level, low T average, overtemperature delta T, RT, TT              | Same as small LOCA
   Medium LOCA                           | Same as small LOCA                                                                                                  | Same as small LOCA
   Large LOCA                            | Pressurizer low pressure, containment high-high pressure, overtemperature delta T, RT, TT                           | Same as small LOCA plus: containment isolation Phase B
   Steam Line Break Outside Containment  | Low steam line pressure, pressurizer low pressure, RT, TT                                                           | Same as small LOCA plus: main steam isolation (Note: Containment isolation Phase A will occur due to SI signal, but is not necessary for event mitigation)
   Steam Line Break Inside Containment   | Pressurizer low pressure, containment high-high pressure, low steam line pressure, TT                               | Same as large LOCA plus: main steam isolation

   Note: RT = Reactor Trip, TT = Turbine Trip, SI = Safety Injection.

      2) Manual. Safety functions can be initiated by plant operators in the event of SSPS failure provided that power for the slave relays is available. This provides an opportunity for both recovery action and human errors.
   c. Tests/Maintenance (Frequency, System Reconfiguration, and Potential Misalignments)

      1) Maintenance for the SSPS is not needed on a scheduled basis. In general, maintenance involves the replacement of failed items which, in turn, involves a minimum of SSPS outage time.

      2) SSPS trains are taken out of service, one at a time, every other month for testing. During the test, the tested train may be disabled for 2 hours with an absolute limit of 4 hours.

      3) Individual functions within each train are tested quarterly. The individual function is disabled on the train being tested for a short period of time.

      4) Instrumentation is calibrated every 18 months during refueling.

      5) Channel checks are performed twice daily and are done by comparing indications of the same parameter from different channels. Channel checks do not result in any system unavailability.

   d. Recovery Considerations (including Useful Alarms, Indications, and Abnormal Procedures)

      1) Various indications and alarms in the control room alert the operators of a failure of SSPS.

      2) Emergency procedures direct operators to manually start safety systems if they have not already started automatically.

3.2.1.3.6 Technical Specifications

1. LCOs. The signals below correspond with those listed in the operating features sections. From Technical Specification 3/4.3.2, Table 3.3-3, the minimum channels operable are shown for modes 1 and 2:

   Signal                                       | Normal Logic to Trip                              | Minimum Channels Operable | Action
   Containment High Pressure                    | 2/3                                               | 2                         | 14
   Pressurizer Low Pressure                     | 2/3                                               | 2                         | 14
   High Steam Pressure Rate                     | 2/3 per loop for 1/3 loops                        | 2 per loop                | 37
   Steam Line Low Pressure                      | 2/3 per loop for 1/3 loops                        | 2 per loop                | 14
   Containment High-High Pressure               | 2/4                                               | 3                         | 16
   Steam Generator High-High Level              | 2/3 per steam generator for 1/3 steam generators  | 2 per steam generator     | 14
   Undervoltage RCP Busses                      | 1/1 per bus for 2/3 busses                        | 2                         | 14
   Steam Generator Low-Low Level                | 2/3 per steam generator for 1/3 steam generators  | 2 per steam generator     | 14
   Containment Intermediate High-High Pressure  | 2/3                                               | 2                         | 14

   Actions if the number of operable channels is one less than the total number of channels:

   14. Above P-11 and P-12, operation may proceed until the performance of the next required channel functional test, provided the inoperable channel is placed in the tripped position within one hour.

   16. Operation may proceed with the inoperable channel bypassed provided within 1 hour the minimum channels operable requirement is met; however, the inoperable channel may be bypassed for up to two hours for surveillance testing of other channels.

   37. Operation may proceed provided that the inoperable channel is placed in the tripped condition within 1 hour and the minimum channel OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 2 hours for surveillance testing of other channels.
2. Tests

   a. From Technical Specification 4.3.2.1, Table 4.3-2, each instrumentation channel and interlock and the automatic actuation logic and relays shall be demonstrated operable. Each SSPS train automatic actuation shall be channel functional tested every 62 days on a staggered-test basis. Calibrations shall be performed every 18 months, functional tests shall be performed monthly, and channel checks shall be performed twice every 24 hours.

   b. From Technical Specification 4.3.2.1, the response time of each engineered safety function actuation system function shall be demonstrated to be within allowable limits at least once per 18 months.

3.2.1.3.7 References

1. UFSAR, Sections 7.2 and 7.3
2. Technical Specification Section 3/4.3.2
3. Logic Diagrams 1-4 and 27-15
4. Operating Manual Chapter [illegible]

3.2.1.3.8 Modeling Assumptions
1. Equipment Boundaries. At this phase of the analysis, the individual components of the SSPS are not modeled explicitly, due to the inherent reliability of the system. System availability as a whole will be taken from previously analyzed SSPS systems that are all very similar.

2. Initial Conditions. The plant is operating at 100% power at the time of the initiating event.

3. Failure Mode Impacts

   a. Loss of control room ventilation may result in a long-term failure of the SSPS instrumentation due to overheating.

   b. Loss of Instrument Channel I will disable Train A due to loss of slave relays.

   c. Loss of Instrument Channel II will disable Train B due to loss of slave relays.

   d. Loss of Instrument Channels III or IV will increase the likelihood of spurious trips and equipment actuation due to the fail-safe nature of the parameter sensors; i.e., upon the loss of power, the associated channel sensors will produce trip (parameter out of safe envelope) signals.
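The support-system chain described in the AC power failure mode impacts (Section 3.2.1.1.10, item 3), the SSPS vital bus requirements (Section 3.2.1.3.3) and the SSPS failure mode impacts above can be carried through as a small dependency model. The following is an added worked example and is not part of the Beaver Valley PRA or of the RISKMAN system models; the bus, train and channel names are taken from the text, while the coincidence-logic function encodes an assumed reading of Actions 14 and 16 of Table 3.3-3 (a channel placed in the tripped position counts as a trip, a bypassed channel is removed from the vote).

```python
"""Support-system dependency model for the AC / DC / vital bus / SSPS chain.

Added worked example; not from the Beaver Valley PRA or RISKMAN.
Component names follow Sections 3.2.1.1.10, 3.2.1.3.3 and the SSPS
failure mode impacts; the propagation rules encode only the
dependencies stated there.
"""
from __future__ import annotations

# A vital bus channel is lost only when BOTH its emergency AC train and
# its 125 VDC bus are lost (Section 3.2.1.1.10, item 3).
VITAL_BUS_SUPPORT: dict[str, tuple[str, str]] = {
    "I":   ("AC orange", "DC 1-1"),   # red
    "II":  ("AC purple", "DC 1-2"),   # white
    "III": ("AC orange", "DC 1-3"),   # blue
    "IV":  ("AC purple", "DC 1-4"),   # yellow
}

# SSPS logic train support (Section 3.2.1.3.3): input relays, logic devices
# and master relays accept either of two vital buses; the slave relays of
# each train hang off a single bus.
SSPS_TRAIN_SUPPORT: dict[str, dict] = {
    "A": {"logic": ("I", "II"), "slave": "I"},
    "B": {"logic": ("III", "IV"), "slave": "II"},
}

# Channels whose parameter sensors are fail-safe: losing them produces
# trip signals rather than disabling a train (failure mode impact d).
FAIL_SAFE_CHANNELS = frozenset({"III", "IV"})


def lost_vital_buses(failed_supports: set[str]) -> set[str]:
    """Vital bus channels de-energized for a set of failed supports
    (names such as 'AC orange' or 'DC 1-3')."""
    return {
        channel
        for channel, (ac, dc) in VITAL_BUS_SUPPORT.items()
        if ac in failed_supports and dc in failed_supports
    }


def train_available(train: str, lost_buses: set[str]) -> bool:
    """A logic train can actuate only if at least one of its logic-side buses
    is energized AND its slave relay bus is energized, because signals for
    all actuated systems require operation of the slave relays."""
    support = SSPS_TRAIN_SUPPORT[train]
    logic_ok = any(bus not in lost_buses for bus in support["logic"])
    slave_ok = support["slave"] not in lost_buses
    return logic_ok and slave_ok


def ssps_actuates(failed_supports: set[str]) -> bool:
    """PRA success criterion (3.2.1.3.2): at least one of the two trains
    produces the actuation signal."""
    lost = lost_vital_buses(failed_supports)
    return any(train_available(t, lost) for t in SSPS_TRAIN_SUPPORT)


def spurious_trip_channels(failed_supports: set[str]) -> set[str]:
    """Lost fail-safe channels, i.e. those that raise the likelihood of
    spurious trip and actuation signals instead of disabling a train."""
    return lost_vital_buses(failed_supports) & FAIL_SAFE_CHANNELS


def coincidence_trip(channel_states: list[str], m: int) -> bool:
    """Evaluate an m-out-of-n coincidence such as the 2/3 logic in
    Table 3.3-3. Assumed reading of Actions 14 and 16 for this example:
    a channel in the 'tripped' position counts as a trip (2/3 behaves as
    1/2); a 'bypassed' channel is removed from the vote (2/3 behaves as
    2/2). Other states are 'trip' (limit exceeded) and 'normal'."""
    voting = [s for s in channel_states if s != "bypassed"]
    return sum(s in ("trip", "tripped") for s in voting) >= m


if __name__ == "__main__":
    # Constructed cases: a single lost support never removes a vital bus;
    # losing orange AC plus DC 1-1 disables Train A but Train B still actuates.
    print(lost_vital_buses({"AC orange"}))                                # set()
    print(ssps_actuates({"AC orange", "DC 1-1"}))                         # True
    print(ssps_actuates({"AC orange", "DC 1-1", "AC purple", "DC 1-2"}))  # False
    print(spurious_trip_channels({"AC orange", "DC 1-3"}))                # {'III'}
    print(coincidence_trip(["trip", "tripped", "normal"], 2))             # True
```

The model makes the asymmetry in the text visible: losing channel I or II removes a whole train through its slave relays, whereas losing channel III or IV only degrades the logic side of Train B (the other bus still feeds it) and pushes the fail-safe sensors toward spurious trips.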
3.2.1.4 REACTOR PLANT RIVER WATER AND AUXILIARY RIVER WATER SYSTEM

3.2.1.4.1 System Function

The reactor plant river water system supplies cooling water to various plant auxiliary systems from the Ohio River via a main intake structure, or from the auxiliary river water system located in the alternate intake structure, and discharges to the cooling tower circulating water discharge line or to the Unit No. 2 cooling tower blowdown line.

3.2.1.4.2 Success Criteria

1. UFSAR

   a. The river water system is designed to provide a continuous supply of cooling water to cool the following components during normal and cooled down operation:

      1) Reactor plant component cooling water heat exchanger(s)
      2) Charging pump lube oil coolers
      3) Control room air conditioning condensers or control room river water cooling coils
      4) The motor bearing cooling water and pump bearing lubrication water of the river water pumps

   b. Post Design Basis Accident operation. The system is designed to supply redundant cooling water to the following components:

      1) Recirculation spray heat exchangers
      2) Charging pump lube oil coolers
      3) Control room air conditioning condensers or control room river water cooling coils
      4) Emergency Diesel Generator cooling system heat exchangers

   c. The redundant design permits the safety function to be performed assuming a single active failure coincident with the loss of offsite power. The system isolates individual components and subsystems if necessary.

2. PRA. One river water or auxiliary river water pump supplies cooling water to all the loads associated with its header, as listed in Section 3.2.1.4.4, except that the following loads are not required: fuel pool cooling, chlorinated water injection, secondary water header supply, fire protection, Unit 2 service water supply header, circulating water, reactor plant component cooling water, chilled water system cooling for the containment air recirculation cooling coils, and RWST coolers. One pump is sufficient unless a CIB signal occurs. Then both reactor plant component cooling and chilled water cooling systems must be successfully isolated for one pump to still be sufficient.
3.2.1.4.3 Support Systems
- 1. Emergency 4KV power:
4KV-1AE Bus for [RW-P-1A]
4KV-1DF Bus for [RW-P-1B]
4KV-1AE or 1DF Bus for [RW-P-1C]
4KV-1AE Stub Bus for [RW-P-9A]
4KV-1DF Stub Bus for [RW-P-9B]
- 2. Unit 1 filtered water provides normal seal and motor cooling.
- 3. Unit 1 chlorination system to prevent silt settling.
- 4. Chemical injection system to prevent silt settling.
- 5. Cross-connect from raw water WR-P-6A or 6B to river water "A" header and cross-connect from Unit 2 service water to river water "B" header.
- 6. 480V AC emergency MCCs for motor-operated valve (MOV) operations.
- 7. 120V AC for pressure transmitters.
- 8. 125V DC for pump breaker control to start.
- 9. HVAC systems for selected equipment.
3.2.1.4.4 Systems Supported
- 1. Normal supply - During normal operation the river water system supplies two reactor plant component cooling heat exchangers, chlorinated water injection supplies, two charging pump lube oil and gear oil coolers, one control room air conditioner condenser, two control room redundant cooling coils, and makeup to the circulating water system. Only one river water pump is needed to supply the system during normal conditions.
- 2. Following a CIB signal - In addition to those normal loads that are not isolated, at least two recirculation spray coolers, at least one diesel generator cooling system heat exchanger, and the post-accident sampling coolers are in service.
- 3. Backup supply - The reactor plant river water system may be manually aligned to the Unit 2 service water supply via "A" header, the raw water supply via "A" header, the steam generator auxiliary feedwater pumps supply via "A" header, the containment air recirculation cooling coils, containment air compressor cooling via "A" header, the spent fuel pool, and the fire protection system.
3.2.1.4.5 Operating Features
- 1. Initial Configuration
- a. One river water pump [WR-P-1A] is normally operating except when the river is warm or there are large cooling loads. The second river water pump [WR-P-1B] is off and in "auto" position. The third pump [WR-P-1C] is racked out and in the disconnected position.
- b. The auxiliary river water pumps [WR-P-9A or 9B] are in the off position.
- c. The discharge MOVs are lined up to their own header. The other header MOV is in the manual and closed position. The standby header is pressurized through a downstream CCR heat exchanger cross-connect isolation valve.
- d. Seal water for cooling, lubricating and sealing the river water pumps is normally provided from the filtered water system. A backup supply of seal water is provided by the discharge of the river water pumps or the discharge of the raw water pumps [WR-P-6A or 6B] via strainers and booster pumps. Another backup seal water supply is provided by the discharge of the river water pumps via a pressure control valve (PCV).
- e. River water normally discharges to the main circulating system and to the emergency outfall structure.
- f. Normal seal water to the auxiliary river water pumps is from the filtered water supply header. The booster pump [WR-P-10] and strainer [WR-S-4] are provided as a backup. PCV-RW-116A & B are the second backup seal and motor cooling supply.
- g. Normal operation loads include two reactor plant component cooling (CCR) heat exchangers, two control room air conditioning condensers, and one charging pump cooler.
- h. The diesel generator chemical addition pump is not operating.
- 2. System Actuation
- a. Automatic
- 1) On a CIB signal, flow is diverted from the CCR heat exchangers toward the recirculation spray coolers, and directed to the cooling tower blowdown.
- 2) On a safety injection signal, flow is directed to the emergency diesel generator cooling system heat exchangers, and two of the river water pumps receive start signals.
- 3) On a loss of offsite power, the valves to the diesel generator are opened. The chemical addition pumps are not operating. The Unit 1 filtered water is isolated. Two of the river water pumps receive start signals. The auxiliary river water pumps must be manually loaded onto the diesels.
- 4) On a CIB signal, the auxiliary river water pumps [WR-P-9A & 9B] will not be available because their power supply stub buses are de-energized.
- 5) On low header pressure with vital AC available, the standby river water pump starts automatically and its associated MOVs (102B1 and B2) open. The valves close when the pump stops.
- 6) The backup seal water injection valves [PCV-RW-115A, B & C] open when the normal seal water supply header pressure is low.
- 7) The river water pump discharge valves [MOV-RW-102A1, A2, B1, B2, C1 & C2] close automatically on failure of the associated pump.
- 8) The river water pump discharge valves open automatically when the pump is on and the control selector switch is set to "auto".
- b. Manual
- 1) River water may be aligned to provide an AFW supply in the long term after the primary plant demineralized water storage tank is emptied.
- 2) Alignment and startup of the auxiliary river water system requires operator action.
- 3) River water may also be aligned to provide makeup to the spent fuel pool.
- 3. Tests / Maintenance (Frequency, System Reconfiguration, and Potential Misalignments)
- a. Flow test to recirculation spray coolers and to diesel generator coolers can be performed during plant operation.
- b. The auxiliary river water system can be flow tested with the plant at power without stopping the corresponding river water pump.
- c. The control switches for automatic valve alignments and pump starts must be left in the "auto" positions; e.g., MOV-RW-116A & B for WR-P-9A & 9B. These controls are located in the control room.
- 4. Recovery Considerations (including Alarms, Indications, and Abnormal Procedures)
- a. The 1C river water pump may be operated from either 4.16 KV vital bus via a two-key interlock. River water pump and discharge valve controls and indications are available in the control room. The 1C river water pump can be aligned to either the A or B header.
- b. The auxiliary river water pumps may be manually loaded onto the diesels during a loss of offsite power. Auxiliary river water pump controls and indications are available in the control room.
- c. System temperatures, header pressures, and pump current measurements allow the operators to determine the status of the river water and auxiliary river water system pumps.
- d. Diesels can only run for 170 seconds without cooling water. Charging pumps can only run for 60 seconds without cooling water.
- 5. Other. The river water pumps can operate for river levels between 648'-6" and 730'. The auxiliary river water pumps can operate between 654' and 705'.
3.2.1.4.6 Technical Specifications (LCOs)
- 1. Two river water subsystems may be out of service for up to 72 hours with the plant at power (3.7.4.1); i.e., only one river water pump is operational.
- 2. The Ohio River water level and temperature may violate design limits for up to 6 hours (3.7.5).
- 3. One auxiliary river water system may be out of service for up to 7 days with the plant at power (3.7.13).
3.2.1.4.7 Surveillance Tests
- 1. Positions of all unlocked valves are verified every 31 days (OST 1.30.13).
- 2. All MOVs are cycled every 3 months (OST 1.30.4 & 1.30.5).
- 3. Pumps are tested quarterly for differential pressure (OST 1.30.2, 1.30.3 & 1.30.6).
- 5. River water temperature and level are verified every 24 hours (T.S. 4.7.5.1).
- 5. Auxiliary river water pumps are flow tested every 18 months during shutdown (OST 1.30.8).
- 6. Auxiliary river water pumps are tested quarterly for differential pressure (OST 1.30.1A & 1.30.1B).
3.2.1.4.8 Reviews of Individual Operating Surveillance Tests
- 1. OST 1.30.2, river water pump WR-P-1A operability test, performed quarterly. This test verifies that the pump operates with its discharge valve open, the discharge check valve allows forward flow, the pump seal and motor cooling function, and the vacuum breaker at the pump discharge seats to prevent reverse leakage. If the motor-operated discharge valve is already open, it is not cycled. This test does not degrade the system in any way during its performance.
- 2. OST 1.30.3 river water pump WR-P-1B operability test performed quarterly. This test is similar to OST 1.30.2.
- 3. OST 1.30.4 river water system valve test for A header, performed quarterly. All valves listed in the attachment are verified to be in the correct position.
- 4. OST 1.30.5 river water system valve test for B header, performed quarterly. All valves listed in the attachment are verified to be in the correct position.
- 5. OST 1.30.6 river water pump WR-P-1C operability test performed quarterly. The test verifies that each of the three pumps operates, all three river water pump motor operated discharge valves are cycled, and all discharge check valves and the RW-488 vacuum breaker are tested for forward and reverse flow.
3.2.1.4.9 System Diagram
- 1. The river water and auxiliary river water systems are shown on UFSAR Figures 9.9-1A, 9.9-1B and 9.9-1C.
3.2.1.4.10 References
- 1. UFSAR Sections 9.9.1 and 9.9.2 and Associated Drawings:
- a. Figure 9.9-1A, Rev. 28
- b. Figure 9.9-1B, Rev. 1
- c. Figure 9.9-1C, Rev. 2
- d. Figure 9.9-2, Rev. 7
- e. Figure 9.9-3, Rev. 6
- 2. 080-30, Revision 0; River Water and Auxiliary River Water System
- 3. Technical Specifications
- a. 3/4.7.4, Reactor Plant River Water System
- b. 3/4.7.5, Ultimate Heat Sink - Ohio River
- c. 3/4.7.6, Flood Protection
- d. 3/4.7.13, Auxiliary River Water System
- 4. System Descriptions
- a. River Water System, Issue 4 and 17
- b. Auxiliary River Water System, Issue 1
- 5. Valve Operating Number Drawings:
- a. 8700-RM-127A-17
- b. 8700-RM-127B-10
- c. 8700-RM-127AB-1
3.2.1.4.11 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagram and component table for the river water system are presented in Appendix A.
- b. Neglect the requirements for the auxiliary river water booster pump [WR-P-10] and self-cleaning strainer [WR-S-4] from the secondary source via PCV-RW-118A and PCV-RW-118B (i.e., conservatively model only the automatic seal cooling directly from pump discharge).
- c. Neglect failure of the redundant intake structures.
- d. Specific cooling loads are not included in the river water system analysis; instead, they are modeled with the respective system served.
- e. No credit is assumed for the normal river water pump seal and motor cooling from Unit 1 filtered water even if an SI signal is not present.
- 2. Initial Conditions
- a. The 1 A river water pump is initially running.
- b. River water supply to the chilled water system is isolated.
- 3. Dependencies Not Modeled
- a. The following support systems are not necessary for accident conditions:
- 1) Unit 1 Filtered Water
- 2) Unit 1 Chlorination
- 3) Demineralized Water
- 4) Chemical injection System
- b. The river water pump's seal header pressure is assumed to be low for the purpose of pressure control valve opening and aligning for seal and motor cooling from its pump discharge.
- 4. Failure Mode Impacts
- a. Failure to isolate the chlorinated water system or the Unit 1 filtered water system does not result in failure of the associated river water train.
- b. Failure to isolate the CCR system in the event of a CIB signal is conservatively assumed to result in a failure of river water to that header, even if both the river water and auxiliary river water pumps are operable for that header.
- c. One river water pump is assumed sufficient if a loss of offsite power occurs, even with the added diesel loads.
- d. If a CIB signal occurs, one river water pump is also assumed to be sufficient, provided the CCR loads are successfully isolated.
- 5. Common Cause
- a. River water pumps fail to run (or fail to start and run after LOSP).
- b. Standby river water pumps fail to start or run.
- c. Common cause groups are shown in Table 3.2.2-3.
- 6. Other. The possible recovery action to remotely open the opposite river water pump discharge valve to allow the cross-train river water pump to supply the opposite header is modeled.
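The river water header success criterion and the modeling assumptions of Sections 3.2.1.4.2 and 3.2.1.4.11, encoded as an added illustration (not part of the PRA) so each case can be checked one at a time; the pump and signal names are those used in this section, the state and scenario classes are mine.

```python
# Added illustration (not part of the BVPS-1 PRA): the river water header
# success criterion exactly as the preceding sections state it.
from dataclasses import dataclass


@dataclass
class HeaderState:
    """Status of the equipment feeding one river water header ("A" or "B")."""
    rw_pump_runs: bool                   # this header's river water pump (WR-P-1A or 1B) runs
    aux_pump_runs: bool = False          # this header's auxiliary pump (WR-P-9A or 9B) runs
    aux_loaded_on_diesel: bool = False   # manual operator action required during LOSP
    ccr_isolated: bool = True            # CCR heat exchanger load isolated on CIB
    chilled_isolated: bool = True        # initial condition: chilled water supply isolated


@dataclass
class Scenario:
    """Plant conditions that change what the header needs."""
    cib: bool = False                       # containment isolation phase B signal present
    losp: bool = False                      # loss of offsite power
    cross_train_pump_runs: bool = False     # opposite header's river water pump runs
    cross_train_valve_opened: bool = False  # recovery: opposite discharge MOV opened remotely


def aux_pump_available(st, sc):
    """WR-P-9A/9B availability: lost on CIB (stub buses de-energized),
    and on LOSP only after being manually loaded onto the diesel."""
    if sc.cib:
        return False
    if sc.losp and not st.aux_loaded_on_diesel:
        return False
    return st.aux_pump_runs


def header_success(st, sc):
    """Return (success, reason) for one header.

    One pump is sufficient, even with the added diesel loads on LOSP; on CIB it
    is sufficient only if the CCR and chilled water loads are isolated, otherwise
    the header is conservatively treated as failed regardless of pump status.
    """
    if sc.cib and not (st.ccr_isolated and st.chilled_isolated):
        return False, "CIB with CCR or chilled water not isolated"
    if st.rw_pump_runs:
        return True, "own river water pump"
    if aux_pump_available(st, sc):
        return True, "auxiliary river water pump"
    if sc.cross_train_pump_runs and sc.cross_train_valve_opened:
        return True, "cross-train pump via opened discharge valve (recovery)"
    return False, "no cooling water source to header"


if __name__ == "__main__":
    a = HeaderState(rw_pump_runs=False, aux_pump_runs=True)
    print(header_success(a, Scenario()))           # auxiliary pump carries the header
    print(header_success(a, Scenario(cib=True)))   # auxiliary pump lost on CIB
```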
3.2.1.5 REACTOR PLANT COMPONENT COOLING WATER SYSTEM (CCR)
3.2.1.5.1 System Function: The CCR does not perform any Engineered Safety Features functions. The CCR does perform a number of functions that may affect the risk in operating BVPS-1. These functions are itemized below:
Component Cooling Water Subsystem:
- 1. Provide cooling water to the Residual Heat Removal System (RHR) heat exchangers and RHR Pump Seal Coolers during the second phase of plant cooldown to permit the plant to be cooled down to cold shutdown conditions.
- 2. Provide cooling water to the Spent Fuel Pool Cooling System (SFPCS) heat exchangers to cool the fuel stored in the spent fuel pool.
- 3. Provide cooling water to the Chemical and Volume Control System (CH) Non-Regenerative, Excess Letdown and/or Seal Water Return heat exchangers to permit letdown of reactor coolant from the Reactor Coolant System (RCS) to the Chemical and Volume Control System.
- 4. Provide cooling water to the Reactor Coolant Pump (RCP) thermal barriers, motor lube oil coolers and motor air coolers to support the integrity of the RCP seals and permit operation of the RCPs.
- 5. Provide cooling water to the Containment Penetration Coolers to cool the concrete in the vicinity of high temperature containment penetrations.
- 6. Provide cooling water to the Control Rod Drive Mechanism (CRDM) Shroud Cooling Coils to cool the air being directed over the CRDMs for cooling purposes.
Chilled Water Subsystem: (physically separate from the CCR cooling water)
- 1. Provide chilled cooling water to the Containment Air Compressor Aftercoolers to support operation of the Containment Instrument Air System.
- 2. Provide chilled cooling water to the Containment Air Recirculation Cooling Coils to control the temperature of the air inside containment.
- 3. Provide chilled cooling water to the Refueling Water Storage Tank (RWST) Coolers to control the temperature of the water in the RWST.
The BVPS-1 PRA addresses events which may occur from power operating conditions. Of the several functions provided by the CCR, the function that has potential risk-significant implications is the cooling of the RCP thermal barrier, motor lube oil coolers and motor air coolers. Cooling flow to the thermal barrier supports pressure boundary integrity of the RCP controlled leakage seal assembly, and flow to the motor lube oil coolers and motor air coolers supports RCP operation. Both pressure boundary integrity and operation of the RCP are of importance in minimizing RCP seal leakage (i.e., prevention of seal LOCAs) and mitigation of operational transients.
The remaining functions of the CCR either have safety-related backup systems (i.e., River Water) that can provide cooling water to satisfy the function or are not considered as risk significant.
3.2.1.5.2 Success Criteria: The success criteria for the function of RCP cooling are as follows:
- 1. UFSAR
Explicit success criteria are not specified. The system is determined to have sufficient redundancy to perform its functions of transferring heat to a heat sink under both normal operating and accident conditions, even assuming a loss of offsite power and any single active failure. It also has the capability to isolate components and systems as is necessary to maintain its function.
- 2. PRA
During power operation, the number of CCR pumps and heat exchangers in operation depends on the number of components that require cooling water and the temperature of the River Water to the CCR heat exchangers. Most power operating modes require only one pump. For the PRA, one pump is assumed sufficient to supply cooling water to the RCP thermal barrier and motor coolers; i.e., without manual intervention of the operator to isolate unnecessary loads.
3.2.1.5.3 Support Systems

| Support System | Function |
|---|---|
| 4160V AC Bus 1AE Stub Bus, Train A (Orange) | Provides motive power for Component Cooling Water Pump 1A and Pump 1C. Interlocks provided for Pump 1C power supply. |
| 4160V AC Bus 1DF Stub Bus, Train B (Purple) | Provides motive power for Component Cooling Water Pump 1B and Pump 1C. Interlocks provided for Pump 1C power supply. |
| 125V DC Bus 1, Train A (Orange) | Provides control power for Component Cooling Water Pump 1A and Pump 1C. Provides control power to maintain air-operated Train A valves in the open position. |
| 125V DC Bus 2, Train B (Purple) | Provides control power for Component Cooling Water Pump 1B and Pump 1C. Provides control power to maintain air-operated Train B valves in the open position. |
| SSPS Train A | Provides CIB signal for TV-CC-103A, 103B, 103C, 105D2, 105E2, 107D2, and 107E2 (RCP containment isolation valves). |
| SSPS Train B | Provides CIB signal for TV-CC-103A1, 103B1, 103C1, 105D1, 105E1, 107D1, and 107E1 (RCP containment isolation valves). |
| River Water System | Provides cooling water to Component Cooling Water Heat Exchangers. |
| Station Instrument Air | Provides air to maintain air-operated valves outside containment in the open position: PCV-CC-100 (CCR Pressure Control Valve), TCV-CC-100 (CCR Temperature Control Valve), and TV-CC-103A, 103B, 103C, 105D2, 105E2, 107D2, 107E2 (RCP containment isolation valves). |
| Containment Instrument Air | Provides air to maintain air-operated valves inside containment in the open position: TV-CC-107A, B, C (RCP thermal barrier isolation valves), TV-CC-105A, B, C (RCP motor lube oil cooler isolation valves), and TV-CC-103A1, 103B1, 103C1, 105D1, 105E1, 107D1, 107E1 (RCP containment isolation valves). |
| 120V AC Vital Bus 1 (Red) | Provides power for FT-CC-107A for isolation signal to TV-CC-107A. Provides power for PT-CC-100 for control signal to PCV-CC-100. Provides power for TRB-CC-100 for control signal to TCV-CC-100. |
| 120V AC Vital Bus 2 (White) | Provides power for FT-CC-107B, C for isolation signals to TV-CC-107B and C. Provides power for auto/manual stations for PCV-CC-100 and TCV-CC-100. |

3.2.1.5.4 Systems Supported: The key supported system related to the PRA is the Reactor Coolant Pump Motors and Thermal Barrier Cooling.
3.2.1.5.5 Operating Features
- 1. Initial Configuration
- a. Crossties are open.
- b. Pump 1A is normally running.
- c. A second pump is normally set up for an automatic backup.
- d. The third pump is aligned as a manual standby.
- 2. System Actuation
- a. Automatic
- 1) Valve PCV-CC-100 controls discharge pressure of the pumps.
- 2) On high flow, the air-operated trip valves (TV-CC-107A, B, C) isolate flow to the affected RCP thermal barrier. The piping that is isolated can withstand RCS pressures and temperatures.
- 3) Temperature control valve (TCV-CC-100) maintains CCR HX outlet temperature at 100°F.
- 4) Upon loss of offsite power, the temperature control, pressure control, and thermal barrier cooler isolation valves fail closed. The normally running pump and standby pump are sequenced onto the diesel generator.
- 5) Phase A isolation (CIA) - System loads not needed for orderly shutdown are isolated; i.e., boron recovery equipment, liquid waste equipment, refueling water refrigeration units, and sample coolers.
- 6) Phase B isolation (CIB) - The CCR pumps are stopped, and the system is completely isolated. The pumps cannot be restarted if the CIB signal is present.
- 7) Air-operated, fail-closed valve (LCV-CC-100A) controls makeup of water to the surge tank.
- 8) The automatic standby pump starts on a header pressure less than 110 psig.
- 3. Tests / Maintenance (Frequency, System Reconfiguration. and Potential Misalignments)
- a. OST 1.15.1, Component Cooling Water Pump CC-P-1A operability test, is performed quarterly. The test includes pump start capability/performance and operability of the discharge check valves (forward flow opening for the discharge check valve of the operating pump and reverse flow isolation for the discharge check valves of the stopped pumps).
- b. OST 1.15.2, Component Cooling Water Pump CC-P-1B operability test, similar to the test for Pump 1A, is performed quarterly.
- c. OST 1.15.3, Component Cooling Water Pump CC-P-1C operability test, similar to the test for Pump 1A, is performed quarterly.
- 4. Recovery Considerations (including Useful Alarms, Indications and Abnormal Procedures)
- a. Alarm / annunciator for high low surge tank level is in the control room.
- b. Flow indication in the control room and low flow alarm are provided for each RCP upper lube oil cooler, lower lube oil cooler and stator.
- c. Flow indication in the control room and high flow alarm are provided for each RCP thermal barrier.
- d. Temperature indication and high temperature alarm/annunciator are in the control room for CCR heat exchanger discharge temperature.
- e. Flow indicators are provided in the control room for each CCR supply header.
- f. Alarm/annunciator for low CCR header pressure is in the control room.
3.2.1.5.6 Technical Specifications
- 1. Operable CCR power-operated or automatic containment isolation valves must be cycled at least every 92 days and after each maintenance action (3.6.3.1).
- 2. Each CCR containment isolation valve must be demonstrated to be operable every 18 months (3.6.3.1).
- 3. Two CCR subsystems must be operable; or, within 72 hours, the plant must go to hot standby within the next 6 hours and to cold shutdown within the following 30 hours. The pumps must be tested for differential pressure and flow rate each quarter (3.7.3.1).
- 4. The positions of the system's valves must be verified every 31 days (3.7.3.1).
- 5. Power-operated valves must be tested through at least one complete cycle every 18 months (3.7.3.1).
3.2.1.5.7 Surveillance Tests
- 1. CCR Pump 1 A (OST 1.15.1)
- 2. CCR Pump 1B (OST 1.15.2)
- 3. CCR Pump 1C (OST 1.15.3)
3.2.1.5.8 System Diagram
- 1. The system diagram for the reactor plant component cooling water system is shown in UFSAR Figures 9.4-1, 9.4-2, 9.4-3 and 9.4-4.
3.2.1.5.9 References
- 1. UFSAR, Section 9.4
- 2. Operating Manual System descriptions: Chapter 15, Reactor Plant Component and Neutron Tank Cooling Water
- 3. Technical Specifications
3.2.1.5.10 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagram and component table for the reactor plant component cooling system are presented in Appendix A.
- b. The specific loads associated with the RHR heat exchangers and pumps, containment air recirculation coolers, RWST coolers, containment instrument air compressors, excess letdown, control rod drive mechanisms, fuel pool heat exchangers, seal water, containment penetration cooling coils, neutron shield tank coolers, sample coolers, boron recovery system, gaseous waste system, liquid waste system, refueling water refrigeration units, and nonregenerative heat exchangers are not modeled in this analysis. The cooling flow paths to the RCP motors and thermal barrier coolers are modeled explicitly in this systems analysis.
- c. The automatic makeup valve (LCV-CC-100A) to the CCR surge tank is not modeled. The makeup flow is assumed insufficient to mitigate substantial pipe breaks.
- 2. Initial Conditions
- a. One CCR heat exchanger (CC-E-1A) is assumed to be isolated at the time of an initiating event. Only two heat exchangers are normally operational.
- b. The flow path to the neutron shield tank cooler is normally open.
- c. Pump 1A is assumed normally running. Pump 1B is aligned for automatic backup. Pump 1C is aligned only for manual standby.
- d. The RHR heat exchangers are isolated from CCR.
- e. Swing pump 1C is assumed initially aligned to the same 4KV bus 1AE as pump 1A.
- 3. Dependencies Not Modeled. The following supporting system is not modeled: primary grade water for makeup.
- 4. Failure Mode Impacts
- a. Failure of the surge tank results in a loss of NPSH at the CCR pumps.
- b. Failure of the CCR pump discharge pressure control valve (PCV-CC-100) to modulate does not cause failure of the system.
- c. If the heat exchanger bypass temperature control valve (TCV-CC-100) fails open, this does not cause failure of the heat exchangers. (Note: They fail open on loss of air.)
- d. Failure of the CCR heat exchanger temperature control valve (TCV-CC-100) to modulate does not cause failure of the heat exchangers. (Note: It fails open.)
- e. Failure of the level control valve (LCV-CC-100, fail closed) to the surge tank (which happens on loss of air) does not lead to failure of the surge tank.
- f. Failure of the system valves to isolate on a CIA signal does not lead to a change in the number of pumps required for system success. The containment isolation function of these valves is considered separately in another system analysis.
3.2.1.6 TURBINE PLANT COMPONENT COOLING WATER SYSTEM (CCT)
3.2.1.6.1 System Function: The Turbine Plant Component Cooling Water System (CCT) is a closed loop, recirculating, intermediate cooling water system that transfers heat from designated nonsafety-related turbine plant equipment, listed in the Systems Supported section, to the Turbine Plant River (Raw) Water System. The Raw Water System supplies river water to various turbine plant heat exchangers for cooling and as a supply to the Water Treatment System.
3.2.1.6.2 Success Criteria
- 1. UFSAR
The system has sufficient redundancy to perform its function of transferring heat to a heat sink under normal operating conditions. It also has the capability to manually isolate supported system heat loads as necessary to maintain its function.
During accident conditions, the system has no safety functions and therefore is not designed to seismic or single failure criteria, and is not connected to Class 1E power supplies. Under CCT shutdown conditions, station air compressor jacket cooling water and cooling for the aftercoolers can be supplied from the Filtered Water (Water Treatment) System.
- 2. PRA
One 100% capacity CCT pump and two CCT heat exchangers are required for cooling, based on the maximum heat load that could occur during normal Beaver Valley Unit 1 operation with the river water inlet temperature at its maximum limit.
Normal plant operation requires only one pump and one heat exchanger, which is assumed to be sufficient in this analysis, to supply cooling to the station instrument air compressor coolers. Also included in this model are the two 100% capacity Raw Water pumps and the two 100% capacity sand filter pumps, which are required for the support of CCT. It is assumed that only one of each of these pumps is required for success in supporting CCT.
3.2.1.6.3 Support Systems
| Support System | Function |
|---|---|
| 4160V AC Bus 1A | Provides motive power for CC-P-3A (CCT Pump A) and for WR-P-6A (Raw Water Pump A). |
| 4160V AC Bus 1D | Provides motive power for CC-P-3B (CCT Pump B) and for WR-P-6B (Raw Water Pump B). |
| 125V DC Bus 5 | Provides control power for CC-P-3A and CC-P-3B (CCT Pumps A & B) low pressure pump start switch PS-CC-202. |
| Station Instrument Air | Provides air to maintain air-operated valves in the open position: TCV-CC-215 (CCT HX Temperature/DP Control Valve). |
| Raw Water System | Provides cooling water to CC-E-3A, CC-E-3B, and CC-E-3C (CCT Heat Exchangers). |

3.2.1.6.4 Systems Supported: The key supported system related to the PRA is the Station Air compressors and aftercoolers.
3.2.1.6.5 Operating Features
- 1. Initial Configuration
- a. Pump CC-P-3A is normally running.
- b. Pump CC-P-3B is set in auto start for automatic backup.
- c. Pump WR-P-6A is normally running.
- d. Pump WR-P-6B is set in auto start for automatic backup.
- e. Pump WR-P-12A is normally running.
- f. Pump WR-P-12B is set in auto start for automatic backup.
- g. Heat exchanger CC-E-3A is normally in service.
- h. Heat exchangers CC-E-3B and CC-E-3C are normally in standby with their CCT and Raw Water outlet isolation valves closed.
- 2. System Actuation
- a. Automatic
- 1) Air-operated, fail-closed valve TCV-CC-215 normally modulates to maintain the CCT heat exchanger outlet temperature at approximately 95°F, but will lock in its current position when the differential pressure indicating switch PDIS-CC-100 reaches its high setpoint of 13 psid and closes SOV-CC-215.
- 2) PS-CC-202 auto-starts the standby CCT pump on a low discharge header pressure of 60 psig.
- 3) PS-RW-1r'4 auto-starts the standby Raw Water pump on a low discharge header pressure of 15 psig.
- 4) PS-RW-108B will prohibit the starting of the standby Raw Water pump on a low bearing water pressure signal of 20 psig.
- 5) MOV-RW-110B will open on the standby Raw Water pump start demand signal.
- 6) The standby Sand Filter pump will automatically start if the normally running pump has tripped and the suction pressure (PS-RW-116) is normal.
- 7) PS-RW-116 will trip the running Sand Filter pump and prohibit the starting of the standby pump if the suction pressure is below a predetermined value for longer than a specified period of time.
- b. Manual
- 1) CCT-11 and RW-34 are locally opened to place the standby CC-E-3B heat exchanger into service.
- 2) CCT-12 and RW-35 are locally opened to place the standby CC-E-3C heat exchanger into service.
- 3. Tests / Maintenance (Frequency, System Reconfiguration, and Potential Misalignments)
- a. No preventive maintenance or test procedures are planned for the CCT system.
- b. Corrective maintenance and test procedures are performed only after trouble or malfunctions occur.
- 4. Recovery Considerations (Including Useful Alarms, Indications and Abnormal Procedures)
- a. An alarm / annunciator for the high low CCT surge tank level is in the control room.
- b. An alarm / annunciator for the CCT pumps low discharge header pressure is in the control room.
- c. Ar, alarm / annunciator for the CCT heat exchanger high discharge temperature is in the control room,
- d. An alarm / annunciator for the CCT heat exchanger high differential pressure is in the control room,
- e. Electrical current indication and alarm / annunciation for each CCT pump is provided in the control roorn.
- f. An alarm / annunciator for the Raw Water pump low discharge pressure is in the control room,
- g. An alarm / annunciator for the Raw Water pump low seat injection water pressure is located m the control room.
' Electrical current indication and alarm / annunciation for each Raw Water pump h. is provided in the centro l room. 3.2.1.6.6 Technical Specifluations: No Technical Specifications are associated with the CCT or Raw Water Systems. 3.2.1.6.7 Surveillance Tests: None 3.2.1.6.8 System Diagram
- 1. The system diagram for the Turbine Plant Component Cooling Water System is shown in Operating Manual Figure Number 2E-1.
- 2. The system diagram for the Raw Water System is shown in UFSAR Figure 9.9-16 and Operating Manual Figure Number 311.
- 3. The system diagram for the Sand Filter / Seal Injection Water Subsystems is shown in UFSAR Figure 9.9-18.
3.2.1.6.9 References
- 1. BVPS 1 Operating Manual Chapter 28, Turbine Plant Component Cooling Water System.
- 2. BVPS 1 Operating Manual Chapter 30, River Water Systems.
- 3. Valve Operating Number Diagram 8700-RM 126A, Circulating Water System.
- 4. Valve Operating Number Diagram 8700-RM 127B, Intake Structure.
- 5. Valve Operating Number Diagram 8700-RM 130A, Turbine Plant Component Cooling Water.
3.2.1.6.10 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagram and the associated component table for the CCT system (Top Event CT) are presented in Appendix A.
- b. The specific loads associated with the CCT heat exchangers and pumps, such as the turbine lube oil coolers, electrohydraulic oil coolers, hydrogen side seal oil coolers, air side seal oil coolers, main generator exciter coolers, main generator hydrogen coolers, vacuum priming pumps, turbine plant sample coolers, bus duct air coolers, heater drain pump coolers, main feedwater pump coolers, and condensate pump coolers are not modeled in this analysis. The cooling flow path up to and from, but not including, the station air compressor header manual isolation valves (CCT-78 and CCT-85 are modeled in Top Event IA) is modeled explicitly in this system.
- c. The automatic makeup valve (LCV-CCT-131) to the CCT surge tank is not modeled. The makeup flow is assumed to be insufficient to mitigate substantial pipe breaks.
- d. The Raw Water system is modeled from the pump suction lines to the CCT heat exchanger discharge header.
- e. The Sand Filter / Seal Injection Water system is modeled from the Raw Water pump discharge header to the Raw Water pump bearing/seal injection lines. The Screen Wash pumps are not modeled.
- 2. Initial Conditions
- a. The CC-E-3B and CC-E-3C heat exchangers are assumed to be isolated at the time of an initiating event. Only one heat exchanger (CC-E-3A) is normally operating.
- b. Pumps CC-P-3A, WR-P-6A and WR-P-12A are assumed to be normally running. Pumps CC-P-3B, WR-P-6B, and WR-P-12B are aligned for automatic backup.
- c. The sand filter (WR-FL-1) is modeled as a strainer.
- d. The rubber expansion joints (REJs) on the Raw Water side of the CCT heat exchangers are not modeled at this time.
- 3. Dependencies Not Modeled
- a. Makeup to the CCT surge tank from the condensate pump discharge header is not modeled.
- b. Station instrument air to the air operated valves is not modeled.
- 4. Failure Mode Impacts
- a. Failure of the CCT surge tank results in a loss of NPSH to the CCT pumps.
- b. Failure of the level control valve LCV-CCT-131 to the CCT surge tank does not lead to a failure of the surge tank.
- c. Failure of the CCT heat exchanger temperature / differential pressure control valve TCV-CC-215 to modulate does not cause a failure of the system, since the valve locks in position when a high differential pressure is reached.
- d. If TCV-CC-215 transfers closed, a high differential pressure across the CCT heat exchangers would result. This is modeled as a failure.
- e. The CCT heat exchanger relief valves (RV-CC-21?A, B, & C) are not required for success, and premature lifting will not fail the system. Therefore, they are not modeled.
- f. The CCT heat exchanger and pump vent and drain valves transferring open will not fail the system, and therefore are not modeled.
- g. Backflushing of the river water strainers and sand filter is not required for success, and therefore is not modeled.
- h. Failure of the seal water pressure regulator valve PCV-RW-117 to modulate leads to the failure of maintaining the required flow rate and pressure for the Sand Filter / Seal Injection Water to the Raw Water pump bearings and seals.
- i. Only plugging failures of the river water strainers and sand filter are modeled (run failures associated with this equipment are not currently in the model).
- 5. Common Cause
Possible common cause failures of the CCT pumps to run, the Raw Water pumps to run, and the sand filter pumps to run are modeled. Other possible common cause failures include circuit breakers failing to open and close. See Table 3.2.2-3.
- 6. Operator Actions
ZHECT1. The operator action to locally align a standby CCT heat exchanger, given the failure of the normally aligned heat exchanger.
3.2.1.7 STATION INSTRUMENT AIR AND CONTAINMENT INSTRUMENT AIR
3.2.1.7.1 System Function: The station instrument air system is a subsystem of the station compressed air system and provides compressed air for air-operated instruments and controls outside of the containment. The containment instrument air system is a separate system that provides compressed air to instrumentation, controls, and air operated valves inside the containment. Both the station instrument air system and the containment instrument air system are non-safety-related systems.
3.2.1.7.2 Success Criteria
- 1. UFSAR
- a. Station Instrument Air. Provides 100% of the station instrument air requirements at a discharge pressure of 110 psig.
- b. Containment Instrument Air. Provides 100% of the containment instrument air requirements at a discharge pressure of 110 psig.
- 2. PRA
- a. Station Instrument Air. One of two station air compressor trains operates and supplies instrument air for a mission time of 24 hours.
- b. Containment Instrument Air. One of two containment instrument air compressor trains operates and supplies containment instrument air for a mission time of 24 hours.
3.2.1.7.3 Support Systems: Cooling water for station air compressors and aftercoolers is from turbine plant component cooling water during plant operation. Backup cooling is from the seal water tank or filtered water during plant shutdown. Filtered water pump 2B can supply cooling with power from the ERF diesel on loss of offsite AC. Cooling water for containment instrument air compressors and aftercoolers is from the chilled water subsystem. Backup is provided by the river water system with motor operated valves operable from the control room. Both sources of cooling water are isolated on a CIB signal, loss of either 125V DC 1-1 or 1-2, or failure of station instrument air.

| Support | Supported equipment |
|---|---|
| 480V AC 1-1, Bus 1B | Station air compressor SA-C-1A |
| 480V AC 1-2, Bus 1C | Station air compressor SA-C-1B |
| 125V DC Bus 5 | Station air compressors SA-C-1A & 1B control power |
| 480V AC, Bus 1N1, MCC-1-E11 | Containment air compressor IA-C-1A |
| 480V AC, Bus 1P1, MCC-1-E12 | Containment air compressor IA-C-1B |
| 480V AC MCC-1-4 | Instrument air dryer IA-D-1 |
| 120V AC PNL-AC-SGBD (from 480V AC MCC-1-4 through PNL-AC-2) | Instrument air dryer IA-D-2 |
| 120V AC PNL-AC-SGBD (from 480V AC MCC-1-4 through PNL-AC-2) | SOV-IA-230 |

3.2.1.7.4 Systems Supported

| System supported | Air supply |
|---|---|
| Containment Isolation System | Containment and Station Instrument Air |
| MSIVs | Station Instrument Air |
| Residual Heat Release Valve | Station Instrument Air |
| Condenser Dump Valves | Station Instrument Air |
| Atmospheric Steam Dump Valves | Station Instrument Air |
| Main Feedwater Valves | Station Instrument Air |
| CCR/RCP Cooling | Containment and Station Instrument Air |
| Primary PORVs & Pressurizer Spray | Containment Instrument Air |

3.2.1.7.5 Operating Features
- 1. Initial Configuration
- a. One compressor normally operates in a load / unload mode while the second compressor is in standby. This is the case for both the station instrument air system and the containment instrument air system; each system is equipped with two compressors.
- b. The containment instrument air system takes suction from the containment atmosphere and discharges to the instrumentation and control header inside containment.
- 2. System Actuation
- a. Automatic
- 1) The standby compressor in each system starts on low pressure in the corresponding system.
- 2) If station compressed air pressure drops below a predetermined point, the station service air header will close automatically (TV-SA-105) to divert all station compressed air to the station instrument air header. Another pressure switch opens SOV-IA-230 to bypass the station instrument air dryers on low pressure in the station instrument air receiver.
- b. Manual
The containment instrument air system can be aligned for supply from the station instrument air system by opening an isolation valve outside the control room. Backup river water cooling to the containment instrument air can be aligned from the control room by opening MOVs. There are backup compressors in the station air system. A diesel-driven compressor can be aligned to receiver tank A (SA-TK-1A).
- 3. Tests / Maintenance
During normal operation, periodic tests are performed on the standby station service air compressor to ensure the ability to start automatically on low pressure. The running compressor in the containment instrument air system is switched on a scheduled basis, and no auto test is performed when containment is under vacuum.
- 4. Recovery Considerations
- a. Annunciation is provided in the control room for station compressed air system low pressure, station instrument air receiver tank low pressure and compressor trouble.
- b. Indication is provided in the control room for station compressed air pressure and station instrument air pressure.
- c. Annunciation is provided in the control room for low containment instrument air pressure, compressor trouble, and compressor high discharge temperature.
- d. Indication is provided in the control room for containment instrument air pressure.
- e. Receiver capacities of both systems allow air requirements to be met for 10 minutes to allow recovery such as starting backup compressors, changing dryer trains, or aligning station instrument air to containment instrument air.
3.2.1.7.6 Technical Specifications: None
3.2.1.7.7 Surveillance Tests: None
3.2.1.7.8 System Diagram: The system diagram for the station instrument air and containment instrument air systems is shown in UFSAR Figure 9.8-2.
3.2.1.7.9 References
- 1. UFSAR Section 9.8
- 2. Operating Manual Chapter 34 (O.M. 34), "Compressed Air Systems"
- 3. Logic Diagrams 11700-LSK-16-3A, 3B, 5A
- 4. Electrical Drawing 8700-RE 1GC 2 and RE 1GO 1
3.2.1.7.10 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagrams and component tables for the station instrument air system and containment instrument air system are presented in Appendix A.
- b. The station instrument air system model includes the compressors and associated components from the station compressed air system that are necessary to supply compressed air to the station instrument air system main headers. Air supply paths to individual loads are included in the models for the equipment served.
- c. The diesel driven compressor is included in the model, but requires operator actions to start the compressor and open a valve locally.
- d. The automatic bypass of station instrument air dryers is modeled, and one dryer train is assumed isolated when not in use.
- e. The crosstie from station instrument air to containment instrument air is not included because it requires an operator action to open the crosstie valve locally. This action may be modeled at a later date for recovery purposes.
- f. The containment instrument air system model includes the compressors, valves, and associated components that are necessary to supply air to the main headers of the containment instrument air system. Air supply paths to individual loads are included in the models for the equipment served.
- g. The filtered water system backup supply to the station air compressors is included in the station instrument air model. The containment instrument air model includes the chilled water system supply.
- 2. Initial Conditions
One compressor is operating in the instrument air system and one compressor is operating in the containment instrument air system. One instrument air dryer train is operating and the other is isolated.
- 3. Dependencies Not Modeled
Two normally closed manual blowdown valves are installed in series in the common station instrument air supply to the main steam trip valves. Spurious operation would trip the plant and fail instrument air. The compressor internal unloading valves are considered part of the compressor unit. The normally closed manual valves in the filter bypass lines (see dryer trains) are neglected. The air operated valves in the station instrument air dryers are considered part of the dryer unit.
- 4. Failure Mode Impacts
Loss of support for the air dryer in the station instrument air system is assumed to be a failure of the system.
- 5. Common Cause
Possible common cause failure of compressors to run, within each system. Possible common cause failure of compressors to start, following a loss of offsite power. Station air compressors are different from containment instrument air compressors, so common cause is less likely across systems. Other possible common cause failures modeled include: MOVs failing to open, check valves failing to open, failures of the chilled water circulating pumps to start and run, and failures of the chilled water chillers to operate. See Table 3.2.2-3.
3.2.1.8 REACTOR PROTECTION SYSTEM
3.2.1.8.1 System Function: The reactor protection system trips the reactor on a signal from the solid state protection system (SSPS) or a manual signal from the control room. The SSPS signal is generated when sensed and calculated process and nuclear parameters fall outside preset safe limits. The purpose of the sudden trip is to protect against the onset and consequences of conditions that threaten the integrity of the fuel barrier. The trip action consists of rapid insertion of the control rods.
3.2.1.8.2 Success Criteria
- 1. UFSAR. The reactor protection system automatically initiates reactor trip whenever necessary to prevent or limit fuel damage and to protect the reactor coolant system pressure boundary. The reactor protection system initiates a turbine trip to prevent excessive cooldown of the reactor coolant system.
- 2. PRA. System success is defined in all cases as at least 47 of the 48 control rod clusters successfully inserted into the core on demand. This is conservative, since it is possible for several rods to fail to insert and still maintain subcriticality.
3.2.1.8.3 Support Systems
- 1. SSPS Train A. Provides trip signal to:
- a. Undervoltage coil 52(UV)/RTA which opens trip breaker 52/RTA under normal operation.
- b. Shunt trip coil 52(SHTR)/RTA which acts like a backup to 52(UV)/RTA.
- c. Undervoltage coil 52(UV)/BYB which opens bypass trip breaker 52/BYB when Train B is in testing or the maintenance mode.
- d. Undervoltage coils 52(UV)/RTA and BYB are energized by SSPS Train A 48V DC control power.
Note: Opening a trip breaker causes loss of power to the control rod drive power bus and causes an immediate gravity powered rod insertion.
- 2. SSPS Train B. Provides trip signal to:
- a. Undervoltage coil 52(UV)/RTB that opens trip breaker 52/RTB under normal operation.
- b. Shunt trip coil 52(SHTR)/RTB that acts like a backup to 52(UV)/RTB.
- c. Undervoltage coil 52(UV)/BYA that opens bypass trip breaker 52/BYA when Train A is in testing or the maintenance mode.
- d. Undervoltage coils 52(UV)/RTB and BYA are energized by SSPS Train B 48V DC control power.
Note: Opening a trip breaker causes loss of power to the control rod drive power bus and causes an immediate gravity powered rod insertion.
- 3. 125V DC Orange. Provides power necessary for shunt trip coils 52(SHTR)/RTA and 52(SHTR)/BYB.
- 4. 125V DC Purple. Provides power necessary for shunt trip coils 52(SHTR)/RTB and 52(SHTR)/BYA.
- 5. Offsite Grid. Provides power to nonvital switchgear which, in turn, provides power to the control rod motor-generator sets. Specifically, nonvital 480V switchgear bus 1A serves motor-generator set 1, and bus 1D serves motor-generator set 2.
3.2.1.8.4 Systems Supported: A turbine trip signal is generated through the SSPS when the reactor trip breakers open (P-4 signal).
3.2.1.8.5 Operating Features
- 1. Initial Configuration
- a. The control rod drive mechanisms are normally energized from the two motor-generator sets through the two sets of reactor trip breakers. The motor-generator sets are, in turn, powered by non-emergency buses 1A and 1D.
- b. During full power operation, all of the control rods will be withdrawn. The drive mechanisms must be energized to withdraw the control rods.
- c. There are 48 control rod clusters, each with 24 individual control rods.
- 2. System Actuation
- a. Automatic
- 1) Reactor trip breakers can be tripped by de-energizing the undervoltage coils or by energizing the shunt trip coils. Either action is sufficient to cause a reactor trip.
- 2) There are two redundant RPS trains to react to automatic reactor trip signals. Train A consists of a normal operating mode trip path and a bypass path that is used while Train B is in the test configuration. The normal mode trip path is made up of an undervoltage trip coil 52(UV)/RTA and a shunt trip coil 52(SHTR)/RTA, either one of which can open reactor trip breaker 52/RTA. The bypass trip path is made up of an undervoltage coil 52(UV)/BYB which can open reactor trip bypass breaker 52/BYB. Train B is identical with symmetric nomenclature; i.e., undervoltage coil 52(UV)/RTB, shunt trip coil 52(SHTR)/RTB, trip breaker 52/RTB, bypass undervoltage trip coil 52(UV)/BYA, and bypass trip breaker 52/BYA. An automatic trip results when an SSPS Train A or Train B signal de-energizes the undervoltage coils and, in turn, opens the reactor trip breakers. This de-energizes the control rod drive mechanisms, and the control rods fall by gravity into the core. This is the expected action; redundancy is built in by the presence of the shunt trip coils and the need for only one RPS train to function.
- 3) Input signals to cause reactor trip are the SSPS signals (manual trip, neutron flux signals, primary coolant signals, pressurizer signals, steam generator signals, safety injection, and turbine trip signal) and two shunt signals: manual trip and manual safety injection signal.
- 4) SSPS signals are transmitted to the shunt trip coils, the undervoltage coils, and the shunt trip auxiliary relays of their respective train.
- b. Manual. In the rare event of SSPS failure, the operator can initiate a reactor trip manually from the control room. Also, the reactor trip breakers can be tripped locally at the motor-generator sets room, or the MGs can be de-energized at the switchgear (normal 480V AC).
- 3. Tests / Maintenance (Frequency, System Reconfiguration, and Potential Misalignments). The two reactor trip breakers and the two bypass breakers are tested monthly on a staggered basis (each train tested every other month). To test the reactor trip breaker, the bypass breaker is closed and the reactor trip breaker is tripped by way of the undervoltage coil and the shunt trip coil, alternately. During the time that the reactor trip breaker and the bypass breaker are both closed, if an initiating event should occur, both breakers would have to open for that train to be successful.
- 4. Recovery Considerations (Including Useful Alarms, Indications, and Abnormal Procedures)
- a. There are various indications and alarms in the control room that would alert the operators of the need for a reactor trip and of the failure of an automatic reactor trip.
- b. Emergency procedures instruct operators to initiate manual reactor trip immediately upon failure of automatic reactor trip. Both the manual trip by pushbutton and the manual trip by de-energizing the motor-generator sets should be considered.
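The trip-path redundancy described under 2.a.2) and the test-window caveat under item 3 can be checked with a small logic model. The following is an added example and not part of the PRA; the breaker topology it assumes (each bypass breaker in parallel with the trip breaker of the other train, so rod drive power is lost only when both breakers on at least one side are open) is an assumption chosen to match the page's statement that during a test both breakers of that train must open. Train, breaker and coil names follow the page; the scenarios are constructed.

```python
"""Two-train reactor trip breaker logic (added example, not from the PRA).

Assumed topology: 52/BYA sits across 52/RTA and 52/BYB across 52/RTB, so the
control rod drive bus loses power only when both breakers on one side are open.
"""
from dataclasses import dataclass


@dataclass
class Breaker:
    name: str
    closed: bool = True          # carrying control rod drive power
    uv_coil_ok: bool = True      # 52(UV)/... undervoltage coil
    shunt_coil_ok: bool = True   # 52(SHTR)/... shunt trip coil
    mechanism_ok: bool = True    # breaker opens when a coil acts on it


@dataclass
class Train:
    """One SSPS train and the support power that feeds its coils."""
    name: str
    ssps_signal: bool = False         # SSPS demands a reactor trip
    ssps_control_power: bool = True   # 48V DC holding the UV coils energized
    dc_power: bool = True             # 125V DC Orange (A) / Purple (B) for shunt coils


def coil_actuates(brk: Breaker, trn: Train) -> bool:
    """True if a coil driven by this train opens the breaker."""
    # UV coil drops out on a trip signal or on loss of its control power (fail-safe).
    uv_trip = brk.uv_coil_ok and (trn.ssps_signal or not trn.ssps_control_power)
    # Shunt trip coil must be energized: it needs both the signal and 125V DC.
    shunt_trip = brk.shunt_coil_ok and trn.ssps_signal and trn.dc_power
    return brk.mechanism_ok and (uv_trip or shunt_trip)


@dataclass
class RPS:
    train_a: Train
    train_b: Train
    rta: Breaker
    rtb: Breaker
    bya: Breaker   # normally open; closed only while 52/RTA is under test
    byb: Breaker   # normally open; closed only while 52/RTB is under test


def normal_rps() -> RPS:
    return RPS(Train("A"), Train("B"), Breaker("52/RTA"), Breaker("52/RTB"),
               Breaker("52/BYA", closed=False), Breaker("52/BYB", closed=False))


def breakers_after_demand(rps: RPS) -> dict:
    """Closed state of each breaker once both trains have acted.
    Train A coils act on 52/RTA and 52/BYB; Train B coils on 52/RTB and 52/BYA."""
    def still_closed(brk, trn):
        return brk.closed and not coil_actuates(brk, trn)
    return {"52/RTA": still_closed(rps.rta, rps.train_a),
            "52/BYB": still_closed(rps.byb, rps.train_a),
            "52/RTB": still_closed(rps.rtb, rps.train_b),
            "52/BYA": still_closed(rps.bya, rps.train_b)}


def rods_insert(rps: RPS) -> bool:
    """Rods drop by gravity when the drive bus loses power through either side."""
    closed = breakers_after_demand(rps)
    side_a_live = closed["52/RTA"] or closed["52/BYA"]
    side_b_live = closed["52/RTB"] or closed["52/BYB"]
    return not (side_a_live and side_b_live)


def trip_successful(clusters_inserted: int, total: int = 48) -> bool:
    """PRA success criterion from the page: at least 47 of 48 clusters insert."""
    return clusters_inserted >= total - 1


# Constructed scenarios
def single_train_signal() -> bool:
    rps = normal_rps()
    rps.train_a.ssps_signal = True           # only Train A sees the demand
    return rods_insert(rps)


def loss_of_ssps_control_power() -> bool:
    rps = normal_rps()
    rps.train_a.ssps_control_power = False   # UV coils de-energize: trip without a demand
    return rods_insert(rps)


def test_window_with_failed_train() -> bool:
    rps = normal_rps()
    rps.byb.closed = True                    # 52/RTB under test, 52/BYB bypassing it
    rps.train_b.ssps_signal = True           # Train B signals; Train A fails to
    return rods_insert(rps)                  # 52/BYB never opens, so no trip


def lost_shunt_and_uv_on_one_train() -> bool:
    rps = normal_rps()
    rps.train_a.ssps_signal = True
    rps.train_a.dc_power = False             # DC Orange lost: no shunt trip
    rps.rta.uv_coil_ok = False               # and the UV coil has failed
    return rods_insert(rps)                  # Train B silent, so no trip


if __name__ == "__main__":
    for fn in (single_train_signal, loss_of_ssps_control_power,
               test_window_with_failed_train, lost_shunt_and_uv_on_one_train):
        print(f"{fn.__name__}: rods insert = {fn()}")
```

The third scenario is the one the page's test description warns about: with one trip breaker bypassed for its monthly test, the train that is not under test must also act to open the bypass breaker, so a single SSPS train failure during that window defeats the trip.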
3.2.1.8.6 Technical Specifications: LCOs. At a minimum, the RPS instrumentation channels and interlocks of Technical Specification Table 3.3-1 shall be operable with response times as shown in Technical Specification Table 3.3-2. Essentially, this means that all components must be in working order at all times (3.3.1.1).
3.2.1.8.7 Surveillance Tests: Testing of individual instrument channel interlocks and automatic trip logic shall be done as specified in Technical Specification Table 4.3-1. Each logic train is to be tested at least once in any 36-month period. (All channels are tested at least once every N times 18 months, where N is the total number of redundant channels in a specific trip function.) Reactor trip breakers and bypass breakers are tested monthly on a staggered basis (each train tested every other month). Breakers are tested during all modes of operation.
3.2.1.8.8 System Diagram: None
3.2.1.8.9 References
- 1. Technical Specifications 3/4.3.1
- 2. UFSAR Sections 7.2, 7.3 and 3.3
- 3. Operating Manual Chapter 1
- 4. Electrical Drawing 870ERE 1G 0,1V 12,21YZ-2
3.2.1.8.10 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagram and component table for the reactor protection system is presented in Appendix A.
- b. The reactor protection system includes the trip breakers, control rods and drive mechanisms, and the motor-generator sets. The equipment necessary to generate an automatic reactor trip signal is modeled as part of the SSPS.
- 2. Initial Conditions
- a. Loss of either SSPS Train A or Train B in a trip situation will result in a loss of the corresponding RPS train's ability to cause a reactor trip. A spurious trip signal from either SSPS Train A or Train B will cause an unwanted reactor trip. (Such spurious signals might be generated by power losses, as outlined below.)
- b. Loss of DC orange train or purple train causes a loss of power to their respective shunt trip coils, causing a loss of shunt trip capability.
- c. Loss of SSPS control power to either undervoltage coil will cause a reactor trip.
- d. Loss of offsite grid will lead to reactor trip if the ramp back to house load is unsuccessful. Loss of nonvital power in 480V bus 1A and bus 1D cuts off power to the control rod MG sets.
- 3. Common Cause. Possible common cause failure of reactor trip breakers to open on demand. Presence of both undervoltage coil and shunt trip coil reduces the probability of this common cause failure. See Table 3.2.2-3.
3.2.1.9 TURBINE TRIP / MAIN STEAM ISOLATION
3.2.1.9.1 System Function: The turbine trip system isolates the main turbine from the steam supply by closing the turbine stop valve (throttle valve) and turbine control valve (governor valve) in each of four steam lines. There are three functions associated with main steam line isolation:
- 1. A trip valve in each of three lines isolates steam line breaks downstream of the nonreturn valves and limits blowdown to one steam generator for steam line breaks between the steam generator and the trip valves. The nonreturn valve in each of three lines provides backup isolation of line breaks between steam generator and trip valves (the nonreturn valve in the broken line is the backup).
- 2. The trip valves provide backup to the turbine trip (turbine throttle and governor valves) function.
- 3. The trip valve isolates a faulted steam generator during a tube rupture event to prevent containment bypass.
3.2.1.9.2 Success Criteria
- 1. UFSAR
- a. Turbine Trip. Closes all throttle stop valves, governor control valves, intercept valves and reheater stop valves given a trip condition and prevents turbine overspeed.
- b. Main Steam Isolation. Trip valves close within 5 seconds to isolate steam line breaks downstream of the trip valves. For steam line breaks upstream of the trip valves, the nonreturn valve in the ruptured line or the trip valves in the other steam lines prevent blowdown from the other steam generators.
- 2. PRA
- a. Turbine Trip. At least one throttle stop valve or one governor control valve in each steam line closes on demand, given a trip signal.
- b. Main Steam Isolation. All three trip valves close on demand for steam line breaks downstream of the trip valves. The nonreturn valve in the ruptured line of an upstream break closes on demand, or the trip valves close in the other two lines. For steam generator tube ruptures, the trip valve closes to isolate the faulted generator.
3.2.1.9.3 Support Systems
Main Steam Isolation:

| Component | Support |
|---|---|
| Trip Valve TV-MS-101A, SOV-MS-101A1 (train A) | Battery 1-1, PNL-DC-3 |
| Trip Valve TV-MS-101A, SOV-MS-101A2 (train B) | Battery 1-2, PNL-DC-2 |
| Trip Valve TV-MS-101B, SOV-MS-101B1 (train A) | Battery 1-1, PNL-DC-3 |
| Trip Valve TV-MS-101B, SOV-MS-101B2 (train B) | Battery 1-2, PNL-DC-2 |
| Trip Valve TV-MS-101C, SOV-MS-101C1 (train A) | Battery 1-1, PNL-DC-3 |
| Trip Valve TV-MS-101C, SOV-MS-101C2 (train B) | Battery 1-2, PNL-DC-2 |
| Station Instrument Air | Holds main steam trip valves open; valves close on loss of air |
| Steam Line Isolation Signal | Both signal trains to each main steam trip valve |
| Nonreturn Valve NRV-MS-101A | Bus 1G, MCC-1-17 |
| Nonreturn Valve NRV-MS-101B | Bus 1E, MCC-1-19 |
| Nonreturn Valve NRV-MS-101C | Bus 1F, MCC-1-18 |
| Bypass Valve MOV-MS-101A | MCC-1-E6 |
| Bypass Valve MOV-MS-101B | MCC-1-E6 |
| Bypass Valve MOV-MS-101C | MCC-1-E6 |

AC power provides a motor operated stem for seating the nonreturn valve after closure.

Turbine Trip:

| Component | Support |
|---|---|
| Trip Signals (Train A & B) including input to Auto Stop SOVs | |
| AMSAC | |
| EH High Pressure Fluid Header, PT-TB-213 | 120 VAC [PNL-VITBUS-1V] |
| EH System Control Power | Exciter [EXC SWGR] Section 2; 120 VAC [PNL-AC-7] |
| CKT 1AST Primary Turbine Trip | 125 VDC [PNL-DC-3], Battery 1-1 |
| CKT 1ASTA Auxiliary Primary Turbine Trip | 125 VDC [PNL-DC-5], Battery 1-5 |
| CKT 2AST Backup Turbine Trip | 125 VDC [PNL-DC-2], Battery 1-2 |
| CKT 2ASTA Auxiliary Backup Turbine Trip | 125 VDC [PNL-DC-4], Battery 1-5 |
| SOV 20ET, SOV 21-OPC, and SOV 20-2-OPC | 125 VDC [PNL-DC-2], Battery 1-2 |

3.2.1.9.4 Systems Supported: Isolation of the steam generators during steam line break initiating events ensures a steam supply to the turbine-driven auxiliary feed pump.
3.2.1.9.5 Operating Features
- 1. Initial Configuration
- a. Turbine throttle stop valves and governor control valves are all normally open during normal operation.
- b. The main steam bypass valves are normally closed during power operation.
- c. The main steam trip valves require instrument air to open. They are held open by air pressure on two side-mounted operating cylinders. Each trip valve has two solenoid valves that vent air pressure off the cylinders when energized. One solenoid is powered by 125V DC Train A and the other by Train B.
- 2. System Actuation
- a. Automatic
- 1) Turbine Trips on any of the following signals:
- a) Reactor trip
- b) Various protection and overspeed trips
- c) Manual pushbutton trip in the Control Room
- d) Steam generator hi-hi level (2/3 in any line)
- e) Safety injection
- f) AMSAC (low FW flow)
- 2) Main steam trip valves close on any of the following signals:
- a) High steam pressure rate (2/3 in any line)
- b) Low steam line pressure (2/3 in any line)
- c) Intermediate hi-hi containment pressure (2/3)
- 3) Each main steam trip valve receives a Train A and a Train B signal to close.
- 4) Automatic turbine trip can occur in the following ways:
- a) Redundant trip signals (train A and B) cause the turbine auto stop oil pressure to drain. This in turn causes the emergency trip fluid header to dump, which closes the stop and control valves.
- b) Train B signals cause a direct emergency trip fluid header dump, which closes the stop and control valves.
- 5) The main steam nonreturn valves close automatically, preventing reverse flow (e.g., steam line break between valve and steam generator).
- b. Manual
- 1) The main steam trip valves can be manually closed by either train A or train B control switches in the Control Room.
- 2) The turbine can be tripped by either train A or train B pushbutton trips.
- 3) The instrument air supply blowdown valves in the common air supply header to the trip valves can be opened from the auxiliary feed pump room.
- 3. Tests / Maintenance
- a. Tests performed on turbine throttle stop and governor control valves involve closing one valve at a time during power operation and do not contribute to unavailability of the system function.
- b. Tests performed on main steam trip valves involve partial movement and do not contribute to system unavailability.
- 4. Recovery Considerations
- a. Main steam trip valve and bypass valve positions are indicated in the control room.
- b. Following a reactor trip, Emergency Procedure E-0 instructs operators to verify turbine trip and, if the turbine has not automatically tripped, to trip the turbine manually. If the turbine cannot be tripped, E-0 instructs the operator to close all main steam trip valves and bypass valves.
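The 2/3 coincidence signals, the two-train solenoid arrangement and the fail-closed-on-loss-of-air behaviour described under Operating Features, together with the PRA success criteria of 3.2.1.9.2, are brought together in the model below. It is an added example, not part of the PRA: the valve and line names follow the page, while the channel states, the class layout and the scenario inputs are constructed for illustration.

```python
"""Main steam isolation logic (added example, not from the PRA).

Follows the page: 2/3 coincidence per parameter in any line (or 2/3 hi-hi
containment pressure) generates the isolation signal; each trip valve has a
train A and a train B solenoid, either of which vents the air that holds the
valve open; loss of instrument air closes the valve with no signal at all.
"""
from dataclasses import dataclass


def two_of_three(channels) -> bool:
    """2/3 coincidence logic used by the steam line isolation signals."""
    return sum(bool(c) for c in channels) >= 2


@dataclass
class SteamLine:
    name: str
    hi_pressure_rate: tuple = (False, False, False)   # three channels per line
    low_pressure: tuple = (False, False, False)


def isolation_demand(lines, containment_hi_hi) -> bool:
    """Isolation signal: 2/3 on either line parameter in ANY line, or 2/3 containment."""
    per_line = any(two_of_three(ln.hi_pressure_rate) or two_of_three(ln.low_pressure)
                   for ln in lines)
    return per_line or two_of_three(containment_hi_hi)


@dataclass
class TripValve:
    name: str
    sov_a_ok: bool = True        # solenoid fed from 125V DC train A
    sov_b_ok: bool = True        # solenoid fed from 125V DC train B
    mechanical_ok: bool = True


@dataclass
class Plant:
    instrument_air: bool = True
    dc_train_a: bool = True
    dc_train_b: bool = True
    logic_train_a: bool = True   # signal train A delivers the isolation signal
    logic_train_b: bool = True


def trip_valve_closes(v: TripValve, demand: bool, p: Plant) -> bool:
    """Held open by air; an energized solenoid on either train vents it; air loss closes it."""
    if not v.mechanical_ok:
        return False
    if not p.instrument_air:
        return True   # fail-safe: closes on loss of air even without a signal
    vent_a = demand and p.logic_train_a and p.dc_train_a and v.sov_a_ok
    vent_b = demand and p.logic_train_b and p.dc_train_b and v.sov_b_ok
    return vent_a or vent_b


def msi_success(event: str, faulted_line: str, trip_valves: dict,
                nrv_closes: dict, demand: bool, plant: Plant) -> bool:
    """PRA success criteria for the three isolation cases on the page."""
    closed = {n: trip_valve_closes(v, demand, plant) for n, v in trip_valves.items()}
    if event == "downstream_break":        # all three trip valves must close
        return all(closed.values())
    others = [closed[n] for n in closed if n != faulted_line]
    if event == "upstream_break":          # NRV in the broken line, or both other trip valves
        return nrv_closes[faulted_line] or all(others)
    if event == "sgtr":                    # trip valve of the faulted generator
        return closed[faulted_line]
    raise ValueError(event)


# Constructed sample data and scenarios
def sample_lines():
    # Line B has 2 of 3 low-pressure channels tripped.
    return [SteamLine("A"), SteamLine("B", low_pressure=(True, False, True)), SteamLine("C")]


def sample_valves():
    return {n: TripValve(f"TV-MS-101{n}") for n in "ABC"}


def demand_from_sample_lines() -> bool:
    return isolation_demand(sample_lines(), (False, False, False))


def single_channel_is_not_enough() -> bool:
    return isolation_demand([SteamLine("A", low_pressure=(True, False, False))],
                            (False, False, False))


def valve_closes_with_one_dc_train_lost() -> bool:
    return trip_valve_closes(TripValve("TV-MS-101A"), True, Plant(dc_train_a=False))


def valve_closes_on_loss_of_air() -> bool:
    v = TripValve("TV-MS-101A", sov_a_ok=False, sov_b_ok=False)
    return trip_valve_closes(v, False, Plant(instrument_air=False))


def valve_stays_open_with_both_solenoids_failed() -> bool:
    v = TripValve("TV-MS-101A", sov_a_ok=False, sov_b_ok=False)
    return trip_valve_closes(v, True, Plant())


def upstream_break_nrv_failed_isolated() -> bool:
    nrv = {"A": True, "B": False, "C": True}   # NRV in broken line B fails to close
    return msi_success("upstream_break", "B", sample_valves(), nrv, True, Plant())


def downstream_break_one_valve_stuck() -> bool:
    valves = sample_valves()
    valves["C"].mechanical_ok = False
    return msi_success("downstream_break", "C", valves, {}, True, Plant())
```

The scenarios show why the page models common cause failure of the trip valves rather than of single solenoids: losing one DC train or one solenoid is tolerated, and loss of instrument air actually drives the valves to the safe state, so only mechanical failure of the valves themselves (or of both solenoids with air still available) defeats isolation.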
3.2.1.9.6 Technical Specifications
- 1. Power operation is allowed for 4 hours with one main steam isolation valve (trip valve) inoperable (Technical Specification 3.7.1.5).
3.2.1.9.7 Surveillance Tests
- 1. Main steam isolation valves are exercised, part stroked, every 92 days (Technical Specification 4.7.1.5a).
- 2. Power operation is allowed with one auto stop oil pressure channel inoperable so long as the inoperable channel is in the tripped condition (Technical Specification 3.3.1.1, Table 3.3-1).
- 3. Power operation is allowed with one turbine stop valve inoperable so long as the inoperable channel is in the tripped condition (Technical Specification 3.3.1.1, Table 3.3-1).
3.2.1.9.8 System Diagram: None
3.2.1.9.9 References
- 1. UFSAR Section 10.3
- 2. Technical Specification Sections 3/4.7.1.5 and 3.3.1.1
- 3. Operating Manual Chapter 26 (OM 26), Main Turbine and Condenser
- 4. System Description 15-2, Main Steam Trip and Trip Bypass Valves (Issue 4, August 15, 1974) and Logic Diagrams 11700-LSK-15-2A through 2D.
- 5. Electrical Drawing 11700-RE-21AC-8 (Turbine Trip)
- 6. Manufacturer's Print 8700-2.13-63A (Turbine Trip)
3.2.1.9.10 Modeling Assumptions
- 1. Equiptnent Boundaries
- a. The block diagrams and compone-* tables for the turbine trip function and main steam isolation function are presented in Appendix A.
- b. Turbine trip system, as modeled, includes only the components necessary to trip the turbine following an automatic trip signal or a manual trip signal from the control room,
- c. Main steam isolation, as modeled, includes the trip valves, bypass valves, and nonreturn valves.
- d. The motor operated stem is assumed unnecessary for successful nonreturn valve isolation.
- 2. Dependencies Not Modeled: MSIV bypass valves are normally closed during power operation and do not require support systems in order to remain closed. The failure mode is transfer open during operation, which is very unlikely.
- 3. Common Cause (See Table 3.2.2-3)
- a. Possible common cause failure of main steam trip valves.
- b. Possible common cause failure of auto stop solenoid valves.
3.2.1.10 AUXILIARY FEEDWATER SYSTEM
3.2.1.10.1 System Function: The auxiliary feedwater system (AFWS) transfers either demineralized water from the primary plant demineralized water storage tank [WT-TK-10], demineralized water storage tanks [WT-TK-11], [WT-TK-26], or river water from the reactor plant river water system to the steam generators during certain off-normal conditions. The AFWS is designed to provide feedwater to the secondary side of the steam generators to maintain water level for adequate RCS heat removal following:
- Loss of Normal Feedwater
- Steam Line Break
- Feedwater Line Break
- Small LOCAs
- Steam Generator Tube Rupture
- Loss of Station Power
- Safety Injection
The AFWS can operate during startup, hot standby, or cold shutdown, but is not intended to do this.
3.2.1.10.2 Success Criteria: The auxiliary feedwater system is designed to provide 350 gpm total to at least one steam generator. Each motor-driven pump is capable of 350 gpm at 2,696 feet total discharge head, and the turbine-driven pump is capable of 700 gpm at the same discharge head. Therefore, any one pump is capable of providing sufficient flow. The turbine-driven pump is steam powered from three lines connected upstream of the MSIVs. Two steam flow paths are normally available; the third steam path is normally isolated by a manual valve. Any one line provides sufficient steam pressure and flow to drive the turbine. The analysis is to be carried out for 24 hours following the initiating event. Note that a loss of offsite AC power for 9 hours requires river water since all makeup to WT-TK-10 is unavailable.
3.2.1.10.3 Support Equipment
- 1. The motor-driven pumps are powered from emergency buses 4KV-1AE and 4KV-1DF. Bus 1AE is designated "orange" and is normally associated with train A equipment. Bus 1DF is designated "purple" and is normally associated with train B equipment.
- 2. Feedwater control valves for train A operate from MCC-1E5 on 480V substation 1-8, bus 1N on 4KV-1AE bus.
- 3. Feedwater control valves on train B are powered from MCC-1E6 on 480V substation 1-9, bus 1P on 4KV-1DF bus.
- 4. Motor-driven pump control is provided by 125V DC bus switchboard J Bkr. 8-6 for FW-P-3A and 125V DC bus switchboard 4 Bkr. 8-6 for FW-P-3B.
- 5. Motor operated control valve signals to open are provided by instrument channel I to MOV-FW-151B, D, F and instrument channel II to MOV-FW-151A, C, E.
- 6. Turbine-driven pump steam supply valves are powered from 125V DC bus 1 [PNL-DC-3] Bkr. 8-10 and instrument air for train A and 125V DC bus 2 [PNL-DC-2] Bkr. 8-10 and instrument air for train B. Each valve fails open on loss of air or its respective DC power.
- 7. Pumps are self-cooled.
- 8. Demineralized water system is required to provide primary water supply.
- 9. River Water system is required if a backup water supply is needed (i.e., unavailability of PPDWST or loss of offsite AC without recovery).
- 10. The residual heat release valve [HCV-MS-104] is an electropneumatic valve using train A vital bus [PNL-VITBUS-1] Bkr. 1-7. It fails closed on loss of power and loss of air.
- 11. The atmospheric steam dump valves require the following electric power supplies:
- PCV-1MS-101A [PNL-DC-3] Bkr. 8-14 & 23, 125VDC switchboard #1
- PCV-1MS-101B [PNL-DC-2] Bkr. 8-14 & 23, 125VDC switchboard #2
- PCV-1MS-101C [PNL-DC-2] Bkr. 8-14 & 23, 125VDC switchboard #2
These valves fail closed on loss of power or station instrument air.
- 12. PPDWST level transmitter LT-WT-104A requires 120V AC bus. Loss of power causes LCV-WT-104A to open (fail safe).
- 13. Loss of instrument air to LCV-WT-104B causes the valve to open.
- 14. Offsite power is required for PPDWST makeup.
3.2.1.10.4 Equipment Supported: Not applicable.
3.2.1.10.5 System Operation: The AFWS is initiated either automatically or manually from the main control board. Motor-driven pumps and steam supply valves must be set to the "auto" position on the control board. The AFWS starts from an SSPS signal. The turbine-driven pump starts on a low-low steam generator level in one steam generator. It also starts on undervoltage on two reactor coolant pump buses. The motor-driven pumps start on low-low steam generator level in two steam generators. They also start on a safety injection signal, turbine-driven pump low flow, and via the diesel generator load sequence after loss of station power. Loss of both main feedwater pumps will automatically start both motor-driven pumps. This does not go through the SSPS. The system may be controlled from the emergency shutdown panel (ESP) and the main control board. Partial control may be achieved from the auxiliary shutdown panel (ASP). Feedwater control is manual via MOV-FW-151A, B, C, D, E, and F. Turbine speed is controlled by the turbine governor valve and the hydraulic trip throttle valve mounted on the turbine. This valve will trip the turbine on overspeed. The Terry turbine pump oil dump valve also provides the ability to manually (locally) trip the turbine-driven pump. Water level in the PPDWST [WT-TK-10] is maintained from the demineralized water storage tank [WT-TK-26] via transfer pumps [1WT-P-33A & 33B]. The tank capacity is 140,000 gallons. There is a PPDWST supply level control valve [LCV-WT-104A] that modulates open and closed to maintain level using level transmitter LT-WT-104A. There is also a make-up flow path to [WT-TK-10] via demineralizer pumps [WT-P-4A & 4B] by manually opening the valve [WT-1002], or make-up from condensate pumps [CN-P-1A & 1B] via a procedure (OM 32, Section 4.X, Emergency Makeup to Primary Plant Demineralized Water Storage Tank). Each of these options can provide makeup flow of 350 GPM.
The primary plant demineralized water storage tank enclosure has two electric space heaters powered from (MCC118) to keep the water from freezing. Control switches with indicating lights for the auxiliary feedwater pumps are provided on the main control board and on the ESP (emergency shutdown panel). Pushbuttons for transfer of control from the main control room to the ESP are provided at the ESP, with a manual reset at the relay used to transfer control back to the main control room from the ESP. The motor-driven auxiliary feedwater pumps can be operated manually or automatically from either the main control room or the ESP. If no loss-of-power condition exists, the pumps are started automatically on a low-low steam generator level in two out of three steam generators, safety injection signal, main feedwater pumps tripped, or failure of the turbine-driven auxiliary feedwater pump. If a loss-of-power condition exists, the pumps are automatically started by the diesel-loading sequence and any of the preceding conditions.
The turbine-driven auxiliary feedwater pump can be operated manually from the main control room or the ESP, but automatically only from the main control room. Automatically, a low-low level in any steam generator or an undervoltage on the reactor coolant pump's bus will start the pump by opening the trip valves (TV-MS-105A & B) in the steam supply line, admitting steam to the turbine. The motor-driven auxiliary feedwater pumps can be stopped manually from the main control board under any condition. The turbine-driven auxiliary feedwater pump cannot be stopped using the benchboard trip valve control switches if it was started by an automatic start signal. However, the pump can be stopped by isolating the steam supply isolation valve MOV-MS-105. The auxiliary feedwater motor-operated control valves are normally open, and are provided with open/close indicating lights in the main control room and the ESP. Control of the auxiliary feedwater control valves may be initiated from either the main control room or from the ESP. A pushbutton on the ESP will transfer control from the main control room to the ESP. A manual reset at the relay is used to transfer control back to the main control room from the ESP. Annunciation is provided in the main control room for control at the ESP, and for steam generator auxiliary feedwater pump auto start/stop. The preceding conditions are monitored by the BVPS Unit 1 computer. Computer inputs are provided for the auxiliary feedwater turbine-driven pump steam admission valves' open/close position, auxiliary feedwater flow, main feedwater line pressure, auxiliary feedwater pumps lube oil discharge pressure, and motor-driven auxiliary feedwater pumps start/stop. Indicators are provided in the main control room for auxiliary feedwater pump steam supply pressure, steam generator water level, and auxiliary feedwater flow. Ammeters are provided in the main control room for the motor-driven auxiliary feedwater pumps. A level recorder and level indicators are provided in the main control room for the PPDWST. Annunciation is provided in the main control room for high and low PPDWST levels. These conditions are also monitored by the BVPS Unit 1 computer system. An input not associated with the annunciation system is provided for the PPDWST level for monitoring by the BVPS Unit 1 computer.
3.2.1.10.6 Tests / Maintenance: Testing and surveillance are defined by technical specifications:
- Flow test pumps using recirculation lines every 31 days.
- Cycle each river water to auxiliary feedwater system valve every 31 days.
- Verify flow to steam generators from the PPDWST (WT-TK-10) after a plant outage that exceeds 30 days.
- Cycle each power-operated nonautomatic valve that is not testable during plant operation every 18 months during shutdown.
- Verify that each automatic valve goes to the correct position and that each pump starts on an auxiliary feed actuation test signal every 18 months during shutdown.
3.2.1.10.7 Technical Specifications
3.2.1.10.7.1 LCOs
- One AFW pump may be inoperable for 72 hours; the plant must then be in hot standby within 6 hours and in hot shutdown within the next 6 hours. (Technical Specification 3.7.1.2)
- If two AFW pumps are inoperable, be in hot standby within 6 hours and in hot shutdown within the next 6 hours.
- If three AFW pumps are inoperable, restore at least one to be operable as soon as possible.
- If less than 140,000 gallons are in the PPDWST, restore water level within 4 hours or be in hot shutdown within 12 hours; or demonstrate operability of the river water system supply, restore water level within 7 days, or be in hot shutdown within the next 12 hours. (Technical Specification 3.7.1.3)
3.2.1.10.7.2 Surveillance
- Every 31 days, two independent operators must verify that each unlocked valve is in its correct position. If any discharge valve is closed, maintain constant communication between the control room and the auxiliary feed pump room.
- Verify water level in the PPDWST every 12 hours.
3.2.1.10.8 System Diagram: The system diagram for the auxiliary feedwater system is shown in UFSAR Figure 10.3-5. The steam supply to the turbine-driven auxiliary feedwater pump (FW-P-2) is shown in UFSAR Figure 10.3-1.
3.2.1.10.9 References
- 1. UFSAR, Chapter 10.3.5
- 2. Operating Manual Chapter 24:
- a. Section 1, Demineralized Water Storage Tanks
- b. Sections 1-3, Steam Generator Auxiliary Feed Pumps and Valves
- 3. VOND Diagrams:
- a. 8700-RM-124A-17
- b. 8700-RM-120A-12
- c. 8700-RM-144A-16
- d. 8700-RM-1440-4
- 4. Piping Drawings:
- a. 11700-RM-18A
- b. 11700-RM-14A
- 5. Electrical One Lines
- 6. Technical Specifications 3/4:
- a. Section 3.7.1.2
- b. Section 4.7.1.2
- c. Section 3.7.1.3
- d. Section 4.7.1.3
- 7. BVPS Unit 1 Design Basis Document, Auxiliary Feedwater System, DBD 248, Revision 0
3.2.1.10.10 Modeling and Modeling Approximations: The block diagram and component table for the auxiliary feedwater system are presented in Appendix A.
The model was formulated using the following guidelines:
- 1. The PPDWST is assumed to be initially filled.
- 2. Pump FW-P-2 is aligned to the same discharge header as pump FW-P-3A. Alternate discharge to header B through closed valve FW-39 is assumed to be unavailable.
- 3. One of three steam supply valve paths is necessary.
- 4. One of three pumps is necessary.
- 5. One of three river water supply trains is necessary as a backup water source.
- 6. Each discharge header (one from FW-P-3A and one from FW-P-3B) supplies three feedwater motor operated control valves.
- 7. Flow to one of three steam generators is necessary.
- 8. Demineralized water system and river water system are modeled separately.
- 9. Pump recirculation line (and relief valve, if full-open) takes 30% of the flow and therefore fails the respective pump train.
- 10. The steam relief paths needed for steam generator outflow are not modeled because of the multiplicity of available paths: main condenser dump, residual heat release valve, atmospheric dump, and steam generator safety valves.
3.2.1.11 MAIN FEEDWATER SYSTEM
3.2.1.11.1 System Function: The main feedwater system (MFW) supplies feedwater to all three steam generators at all load conditions. The MFW is also used to provide steam generator heat removal during emergency conditions if the condensate system is available.
3.2.1.11.2 Success Criteria (for Each Mode of Operation)
- UFSAR. The main feedwater and condensate systems are designed to remove condensate from the hotwell of the condenser and supply heated feedwater to the steam generators at all conditions.
- PRA. One main feedwater pump and the condensate system operate and provide feed flow to all steam generators for at least 24 hours.
3.2.1.11.3 Support Systems
- 1. Normal 4KV Bus 1A and 1B provide motive power for main feedwater pump (FW-P-1A) and condensate pump (CN-P-1A).
Normal 4KV Bus 1C and 1D provide motive power for main feedwater pump (FW-P-1B) and condensate pump (CN-P-1B).
- 2. Normal 480V AC MCCs Provides motive power for main and bypass feedwater path's motor operated valves (MOVs).
- 3. 480V AC Emergency MCCs Provides motive power for main feed pumps discharge MOVs and feedwater containment isolation MOVs.
- 4. 125V DC Bus No. 2 Provides control power for main and bypass flow control valves operations.
- 5. 125V DC Bus No. 3 Provides control power for main and bypass flow control valves operations.
- 6. 125V DC Bus No. 5 Provides breaker control power for main feed and condensate pumps.
- 7. SSPS Train A and B Provides SI signals for FW-P-1A and FW-P-1B.
- 8. FW Isolation Train A Provides main feedwater isolation signal for MOV-FW-156A, B & C.
- 9. Station Instrument Air Provides air to maintain main and bypass feedwater control valves in the open position (FCV-FW-478, 488, 498, 479, 489 and 499).
3.2.1.11.4 System Supported: The key supported system related to the PRA is the steam generators' heat removal capability from the reactor coolant system (RCS).
3.2.1.11.5 Operating Features
- 1. Initial Configuration. The MFW is designed to be normally running to provide feedwater for the steam generators. The main feedwater flow control valves are normally in automatic position and the bypass flow control valves are in manual throttled position. All motor operated valves are normally in the open position. Main feed pumps FW-P-1A and FW-P-1B are tripped off on SI and FWI signal. Pumps will also trip on low suction pressure. Main feed pump discharge MOVs will close when the pumps are stopped. The containment isolation valves MOV-FW-156A, B & C will close on SI, feedwater isolation signals, or Hi-Hi steam generator levels. The main feedwater and bypass feedwater flow control valves will close on a full feedwater isolation signal. The main feed valves will also close on partial feedwater isolation.
- 2. System Actuation
- a. Automatic.
- 1) No automatic system actuation is considered.
- b. Manual.
- 1) Main feedwater may be aligned to provide long-term steam generator heat removal during an accident in the event that the auxiliary feedwater system is not available.
- 2) The main feedwater pumps may be manually started from the control room.
- 3. Tests / Maintenance (Frequency, System Reconfiguration, and Potential Misalignments)
Not Applicable.
- 4. Recovery Considerations (Including Useful Alarms, Indications and Abnormal Procedures)
- a. Main Feed Pump suction pressure low (ANN Window No. A7-6).
- b. Main feedwater flow greater than steam flow (ANN Window No. A7-42, 50 & 58).
- c. Steam Generator levels Hi Hi (ANN Window No. A7-44 & 52).
- d. Main Feed Pump auto stop (ANN Window No. A7-37).
3.2.1.11.6 Technical Specifications: Not applicable.
3.2.1.11.7 Surveillance Tests: Not applicable.
3.2.1.11.8 System Diagram: The system diagram for the main feedwater system is shown in Operating Manual Figure No. 24-1.
3.2.1.11.9 References
- 1. UFSAR Section 10.3.5
- 2. Operating Manual Chapter 24
3.2.1.11.10 Modeling Assumptions
- 1. Equipment Boundaries
- a. The success block diagrams and component tables for the main feedwater system are presented in Appendix A.
- b. The main feedwater system model includes the pumps and associated valves from the main feedwater system that are necessary to supply feedwater to the steam generators. The main and bypass feed paths are modeled in Top Event DF, which shares the common flow paths for both Top Events MF and DF. In ATWS conditions, the main feedwater system Top Event FA models that feedwater flow path since Top Event DF is not asked in the ATWS event.
- c. The condensate supply to the main feedwater system is assumed to be available to maintain adequate suction for the feedwater pumps; the failure rate for the condensate system is not modeled at this time.
- 2. Initial Conditions. The main feedwater pumps are in operation with the main feedwater flow control valves in automatic and maintaining the steam generator levels; the bypass flow control valves are in manual throttled position with about 10% open.
- 3. Dependencies Not Modeled. Main feedwater recirc flow and pressure control paths and associated valves; the condensate system; the first point heaters; the leading edge flow meter.
- 4. Failure Mode Impacts. Loss of turbine plant component cooling water system is assumed to be a failure of the main feed pumps.
- 5. Common Cause. Possible common cause failure of main feedwater pumps to start following a loss of offsite power. See Table 3.2.2-3.
3.2.1.12 PRIMARY RELIEF SYSTEM
3.2.1.12.1 System Function: The functions of the primary relief system are to:
- 1. Limit reactor coolant system (RCS) pressure within ASME B&PV Code Section III design limits. This function is performed by the pressurizer safety valves and PORVs. The pressurizer PORVs have lower relief set pressures that serve to limit challenges to the reactor protection system (i.e., reactor trip) and the safety valves.
- 2. Control RCS pressure within the operational limits specified within the emergency operating procedures to mitigate operational transients and accidents such as Loss of Secondary Heat Sink. This function is performed by the pressurizer PORVs.
3.2.1.12.2 Success Criteria (For Each Mode of Operation)
- 1. UFSAR
- a. The pressurizer safety valves open (automatic) as required to maintain RCS pressure belov: RCS design pressure.
- b. This function is not in the UFSAR since operational transients and accidents such as the Loss of Secondary Heat Sink are not design basis accidents.
- 2. PRA
- a. The pressurizer safety valves or PORVs open (automatic) as required to maintain RCS pressure below RCS design pressure. The valve(s) subsequently reclose.
- b. In general, at least one pressurizer PORV opens (manual control) as required to depressurize the RCS as defined within the emergency operating procedures. The valve(s) subsequently reclose.
At least one pressurizer PORV is required to open (manual control) following a loss of secondary heat sink transient to reduce RCS pressure sufficiently for bleed and feed cooling of the reactor core.
3.2.1.12.3 Support Systems
- 125V DC Purple (Train B): PCV-RC-455C
- 125V DC Orange (Train A): PCV-RC-455D, PCV-RC-456
- 480V AC Orange (Train A) MCC-1E5: MOV-RC-535
- 480V AC Purple (Train B) MCC-1E6: MOV-RC-536, MOV-RC-537
- 120V AC Vital Bus 1 (Red): PT-RC-455, SSPS P-11 Permissive
- 120V AC Vital Bus 2 (White): PT-RC-456, SSPS P-11 Permissive
- 120V AC Vital Bus 3 (Blue): PT-RC-457, SSPS P-11 Permissive; PT-RC-445, Auto Open Signal for 455D and 456
- 120V AC Vital Bus 4 (Yellow): PT-RC-444, Auto Open Signal for 455C
- SSPS (Train A): P-11 Permissive for 455D and 456 auto open
- SSPS (Train B): P-11 Permissive for 455C auto open
- Containment Instrument Air System: Required to open PORVs 455C & D (or N2 backup)
- Pneumatic N2 Backup System: Required to open PORVs 455C & D if containment air is unavailable
3.2.1.12.4 Systems Supported: Reactor Coolant System
3.2.1.12.5 Operating Features
- 1. Initial Configuration
- a. Pressurizer PORVs and pressurizer safety valves discharge to the pressurizer relief tank.
- b. Pressurizer PORVs are air operated valves that open automatically on signal from pressurizer pressure sensors or by manual control.
- c. Pressurizer safety valves are spring-loaded, pop type valves that open if pressurizer pressure increases to the valve set pressure.
- d. Pressurizer PORV block valves are normally open.
- 2. System Actuation
- a. Automatic
- 1) Safety valves open automatically at an RCS pressure of 2,485 psig.
- 2) Pressurizer PORVs open automatically on signal from pressurizer pressure sensors at a pressure of 2,335 psig and reclose when pressure drops to 2,315 psig.
- b. Manual
- 1) PORVs may be operated manually from the control room to control RCS pressure, for example, for bleed and feed cooling.
- 2) PORV block valves are operated manually from the control room.
- 3. Tests / Maintenance (Frequency, System Reconfiguration, and Potential Misalignments): One or more PORV block valves may be initially closed to isolate one or more leaking PORVs. The leaking PORV(s) may remain isolated until the next refueling outage.
- 4. Recovery Considerations (Including Useful Alarms, Indications, and Abnormal Procedures)
- a. A PORV/safety valve acoustic flow monitor alarm and annunciator light in the control room alerts operators of a leaking PORV or safety valve.
- b. PORV/safety valve discharge line high temperature alarm and annunciator light alert operators of a leaking PORV or safety valve.
3.2.1.12.6 Technical Specifications
- 1. Power operation is allowed for only 15 minutes with an inoperable pressurizer safety valve (3.4.3.a).
- 2. Power operation is allowed for an unlimited time period with one or more PORVs isolated by a closed PORV block valve with its power supply removed.
- 3. Power operation is allowed for 1 hour with an inoperable PORV block valve unless the block valve is closed with its power supply removed (3.4.11.b).
- 4. PORVs are cycled each time the plant enters Mode 5, unless tested within the preceding three months (4.4.9.3.1.d), and block valves are cycled every 92 days (4.4.11.2).
3.2.1.12.7 System Diagram: None
3.2.1.12.8 References
- 1. UFSAR Section 4.2.2.7
- 2. Technical Specifications 3/4.4.3, 3/4.4.9, and 3/4.4.11
- 3. Operating Manual Section 6
3.2.1.12.9 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagram and component table for the primary relief function are presented in Appendix A.
- b. Equipment modeled includes the PORVs, PORV block valves, and safety valves.
- c. PORV block valves are modeled only for their ability to isolate a PORV that fails to reclose after opening.
- 2. Initial Conditions. One or more PORVs may be initially isolated.
- 3. Dependencies Not Modeled. None.
- 4. Failure Mode Impacts
- a. Failure of a PORV or safety valve to reclose is assumed to result in sufficient flow to represent a small LOCA.
- b. Failure of a sufficient number of PORVs and/or safety valves to open is assumed to result in a small LOCA.
- 5. Common Cause (See Table 3.2.2-3)
- a. Possible common cause failure among PORVs.
- b. Possible common cause failure among safety valves.
- c. Possible common cause failure among PORV block valves.
3.2.1.13 EMERGENCY CORE COOLING SYSTEM
3.2.1.13.1 System Name: Three plant systems are to be analyzed together because of the high degree of interdependencies among them. These systems are:
- 1. Low Head Safety Injection (LHSI)
- 2. High Head Safety Injection (HHSI)
- 3. Accumulators
3.2.1.13.2 System Functions: As a group, these systems function to prevent core overheating during and after certain initiating events. These initiating events fall under the following general categories:
- 1. Large (> 6") and medium (2" to 6") LOCAs.
- 2. Small LOCA (1/2" to 2") (including stuck-open PORVs).
- 3. Steam line breaks inside and outside containment.
- 4. Steam generator tube rupture.
- 5. Transients with loss of steam generator cooling in which bleed and feed is necessary.
The LHSI system provides RWST water via two trains to the cold legs of the reactor coolant system following a safety injection signal or manual initiation. Following a signal to initiate the recirculation mode of ECCS, two trains align to provide water from the sump to the cold legs of the reactor coolant system for long-term core cooling. The LHSI pumps can provide flow directly to the RCS at pressures below about 110 psi. The LHSI pumps are also aligned to provide water to the suction of the HHSI pumps.
The HHSI system provides RWST water via two trains to the cold legs of the reactor coolant system following a safety injection signal or manual initiation. It provides water for situations in which the RCS pressure is below 2,500 psia. The HHSI pumps can take suction either from the RWST or from the containment sump via the LHSI pumps or recirculation spray pumps. In the recirculation mode the HHSI system provides sump water to either the cold legs or hot legs of the reactor coolant system. Each of the three accumulators passively discharges water to the RCS cold legs when its pressure drops below about 600 psig.
3.2.1.13.3 Success Criteria: The following criteria are required for large and medium LOCAs:
- 1. During the injection mode:
- a. One of two LHSI pumps and its associated train aligned to one of three cold legs for RCS inventory control and core cooling.
- b. One of two HHSI pumps and its associated train aligned to one of three cold legs.*
- c. Accumulators discharge into the RCS as follows:
- 1) Two of two for large LOCAs
- 2) Two of three for medium LOCAs
- 2. During the recirculation mode:
- a. One of two LHSI pumps and trains aligned to the cold legs. The capability exists to manually align one of two outside recirculation spray pumps to its respective LHSI train (either train A or B).
- b. One of two HHSI charging pumps and trains aligned to the cold legs. It must be the one aligned with flow from an LHSI train. The third charging pump is not powered following a safety injection signal. Only one HHSI pump can be racked into a 4KV bus at one time.
The success criteria for small LOCAs, steam generator tube ruptures, steam line breaks inside or outside of containment, and transients without steam generator cooling are the same as for medium LOCAs except:
- 1. LHSI pumps are not required for injection mode operation.
- 2. Accumulators are not required.
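The AFWS modeling guidelines (3.2.1.10.10) and the ECCS injection success criteria above can be written as Boolean success functions and mined for minimal cut sets, which is how such a system description becomes a quantifiable top event. The block below is an added example, not the PRA's own model: component names, the pairing of each header MOV with one steam generator, and all failure probabilities are constructed placeholders.

```python
"""Success-logic models of two BVPS-1 front-line systems, written from the
modeling guidelines and success criteria stated in the text (added example;
not the report's fault trees):

* AFWS: 1-of-3 steam supply paths to FW-P-2, 1-of-3 pumps, FW-P-2 discharging
  only to header A (shared with FW-P-3A), each header feeding three MOVs,
  flow to 1-of-3 steam generators, 1-of-3 river water trains as backup to
  the PPDWST, and an open recirculation relief failing its pump train.
* ECCS medium-LOCA injection: 1-of-2 LHSI pumps, 1-of-2 HHSI charging pumps,
  2-of-3 accumulators, each train needing its 4 kV bus and SSPS signal.

Component names, the MOV-to-steam-generator pairing and the failure
probabilities are constructed placeholders for illustration only.
"""
from itertools import combinations
from math import prod

AFW_COMPONENTS = (
    "PPDWST", "RW_A", "RW_B", "RW_C",        # water sources: demin tank, river water trains
    "STM_1", "STM_2", "STM_3",               # steam supply paths to the turbine-driven pump
    "FW_P_2", "RV_P2",                       # turbine-driven pump and its recirc relief valve
    "FW_P_3A", "RV_3A", "FW_P_3B", "RV_3B",  # motor-driven pumps and their recirc relief valves
    "MOV_A1", "MOV_A2", "MOV_A3",            # header A control valves (assumed: one per SG)
    "MOV_B1", "MOV_B2", "MOV_B3",            # header B control valves (assumed: one per SG)
)


def afw_success(s):
    """True if the AFWS delivers flow to at least one steam generator.
    `s` maps component name -> True (available) or False (failed)."""
    source = s["PPDWST"] or s["RW_A"] or s["RW_B"] or s["RW_C"]
    steam = s["STM_1"] or s["STM_2"] or s["STM_3"]
    tdp = steam and s["FW_P_2"] and s["RV_P2"]   # relief open loses the train (guideline 9)
    mdp_a = s["FW_P_3A"] and s["RV_3A"]
    mdp_b = s["FW_P_3B"] and s["RV_3B"]
    header_a = tdp or mdp_a                       # FW-39 to header B is unavailable
    header_b = mdp_b
    any_sg = any((header_a and s[f"MOV_A{i}"]) or (header_b and s[f"MOV_B{i}"])
                 for i in (1, 2, 3))
    return source and any_sg


ECCS_COMPONENTS = (
    "BUS_1AE", "SSPS_A", "LHSI_A", "HHSI_A",   # train A (orange)
    "BUS_1DF", "SSPS_B", "LHSI_B", "HHSI_B",   # train B (purple)
    "ACC_1", "ACC_2", "ACC_3",                 # accumulators
)


def eccs_injection_success(s):
    """Medium-LOCA injection: one LHSI pump and one HHSI charging pump, each
    on an energized and actuated train, plus two of three accumulators."""
    train_a = s["BUS_1AE"] and s["SSPS_A"]
    train_b = s["BUS_1DF"] and s["SSPS_B"]
    lhsi = (train_a and s["LHSI_A"]) or (train_b and s["LHSI_B"])
    hhsi = (train_a and s["HHSI_A"]) or (train_b and s["HHSI_B"])
    accumulators = sum(s[f"ACC_{i}"] for i in (1, 2, 3)) >= 2
    return lhsi and hhsi and accumulators


def minimal_cut_sets(success, components, max_order):
    """Brute-force minimal cut sets: fail every combination of components in
    increasing order and skip supersets of cut sets already found, so every
    recorded set is minimal. Feasible because these models are small."""
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(components, order):
            failed = frozenset(combo)
            if any(cs <= failed for cs in found):
                continue
            state = {c: c not in failed for c in components}
            if not success(state):
                found.append(failed)
    return found


def orders(cut_sets):
    """Histogram: cut set order (number of components) -> count of sets."""
    hist = {}
    for cs in cut_sets:
        hist[len(cs)] = hist.get(len(cs), 0) + 1
    return dict(sorted(hist.items()))


def rare_event_unavailability(cut_sets, q):
    """Rare-event approximation: sum over cut sets of the product of the
    independent component unavailabilities (an upper bound on the system)."""
    return sum(prod(q[c] for c in cs) for cs in cut_sets)


# Constructed placeholder unavailabilities per demand; not PRA data.
AFW_Q = {c: 1e-2 if c.startswith(("FW_P", "STM", "RW")) else 1e-3
         for c in AFW_COMPONENTS}

if __name__ == "__main__":
    afw = minimal_cut_sets(afw_success, AFW_COMPONENTS, max_order=7)
    print("AFWS minimal cut sets by order:", orders(afw))  # {3: 8, 4: 3, 5: 8, 6: 1, 7: 2}
    print("AFWS rare-event unavailability: %.2e" % rare_event_unavailability(afw, AFW_Q))
    eccs = minimal_cut_sets(eccs_injection_success, ECCS_COMPONENTS, max_order=4)
    print("ECCS injection minimal cut sets by order:", orders(eccs))  # {2: 17}
```

The lowest-order AFWS cut sets are the three-pump combinations (for example FW-P-2, FW-P-3A and FW-P-3B), which is where a common cause term would enter a real quantification.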
3.2.1.13.4 Support Systems
- 4160V AC Bus 1AE Train A (Orange): Provides motive power for HHSI Charging Pump A and LHSI Pump A.
- 4160V AC Bus 1DF Train B (Purple): Provides motive power for HHSI Charging Pump B and LHSI Pump B.
* This is for medium LOCAs only.
- 480V AC Substation Bus 1-8 Train A (Orange): Provides power for Train A MOVs and RWST level transmitter heat tracing.
- 480V AC Substation Bus 1-9 Train B (Purple): Provides power for Train B MOVs and RWST level transmitter heat tracing.
- 125V DC Bus 1 Train A (Orange): Provides control power for HHSI Charging Pump A and LHSI Pump A.
- 125V DC Bus 2 Train B (Purple): Provides control power for HHSI Charging Pump B and LHSI Pump B.
- SSPS Train A: Provides Safety Injection Signal for auto start of Train A pumps, auto realignment of Train A valves, and permissive for auto switchover to recirculation.
- SSPS Train B: Provides Safety Injection Signal for auto start of Train B pumps, auto realignment of Train B valves, and permissive for auto switchover to recirculation.
- River Water System: Provides cooling water to HHSI Charging Pump lube oil coolers.
- Station Instrument Air: Provides for control of lube oil flow through/around the HHSI Charging Pump lube oil coolers.
- Demineralized Water System: Provides cooling water to LHSI Pump shaft mechanical seal coolers.
- 120V AC Vital Bus 1 (Red): Provides power for LT-QS-100C low level signal for auto switchover to recirculation.
- 120V AC Vital Bus 2 (White): Provides power for LT-QS-100D low level signal for auto switchover to recirculation.
- 120V AC Vital Bus 3 (Blue): Provides power for LT-QS-100A low level signal for auto switchover to recirculation.
- 120V AC Vital Bus 4 (Yellow): Provides power for LT-QS-100B low level signal for auto switchover to recirculation.
3.2.1.13.5 Systems Supported: Not applicable.
3.2.1.13.6 System Operation: A safety injection signal is generated from one or more of the following:
- Steam line pressure low (about 510 psig).
- Pressurizer pressure low (about 1,845 psig).
- Containment pressure high (about 1.5 psig).
- Manual initiation.
The first three occur on two-out-of-three signal logic. Manual initiation occurs on one-of-two signal logic. Both trains are actuated concurrently. A safety injection signal generates a CIA signal and a reactor trip. The RWST (QS-TK-1) and its associated lines are temperature maintained (kept from freezing or becoming too warm) by heat tracing on lines and an RWST recirculation system consisting of two pumps, two coolers (chilled by the CCR chilled water system), and associated valves. The HHSI and LHSI pumps are started, and valve realignment occurs, upon a safety injection signal. A recirculation signal occurs from a two-of-three RWST low water level signal coupled with a continued safety injection signal. The following automatic valve and pump actions occur following a safety injection signal. (Manual action is not required for safety injection.)
- The HHSI/charging pumps start.
- The LHSI pumps start.
* 'ho HHSle , rging pump discharge to cold legs isolation valves MOV-SI-867A, B and MOV W-867C, D open.
- The RWST to HHSI/ charging pump valve , MOV-CH-11SB, D open.
- The normal charging .w isolation valves (MOV-CH-289 and MOV-CH-310) close.
- The volume-control tank (VCT) to HHSI charging pump suction isolation valves MOV-CH-115C, E close.
- The accumulator isolation valves MOV SI-86SA, B, C open, if closed. (These valves are normally open and have their power removed).
- The BIT recirculation pumps stop and the BIT recirculation isolation valves (MOV-St 884A, B nd C) close.
The following containment isolation valves close on a containment isolation Phase A (CIA) signal;
- lsolation valves TV-SI-101-1,1012 in the nitrogen (N 2) supply line to the accumulators.
- Isolation valves MOV-SI-842 and TV-SI-989 in the check valve test lines.
- isolation valves in the sampling lines from the accumulators, pressurizer, and hot and cold legs.
After these actions are complete, two LHSI and two HHSl pumps provide water from the RWST to " roe RCS cold legs. On an RWST low level concurrent with a safety injection signal, recirculation mode is initiated, and the following automatic actione occur:
- The LHSI pamp discharge minimum flow irolation valves MOV-S!-88bA, B, C, D close.
- The LHSI pump discharge crossconnect valves MOV-Sf-863A, B to the HHSI charging pumps open.
- The LHSI pump suction isolation valves MOV-SI-860A, B from the containment sump open.
- After a 30-second time delay, the HHSI charging pump suction isolation valves MOV-CH-115C, D from the RWST close.
- After a 2-minute time delay, the LHSI pump suction isolation valves MOV-SI-862A, B from the RWST close.
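The actuation logic described above, as an added worked example (not part of the PRA or of any plant software): a generic k-out-of-n vote applied to the two-out-of-three SI parameters and one-of-two manual initiation, the recirculation signal gated on a continuing SI, and the timed recirculation realignment. Setpoints are the approximate values quoted in the text; the channel layout (three bistable channels per parameter, two manual switches) and all readings are constructed assumptions.

```python
"""Safety injection (SI) and recirculation actuation logic as described in the
ECCS system operation text above.  This is an added illustration for the PRA
section, not plant or SSPS code.  Setpoints are the approximate values quoted
in the text; channel counts and every reading below are constructed
assumptions (three bistable channels per parameter, two manual switches)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Approximate setpoints quoted in the text.
STEAM_LINE_LOW_PSIG = 510.0
PRESSURIZER_LOW_PSIG = 1845.0
CONTAINMENT_HIGH_PSIG = 1.5

# Delays quoted for the automatic recirculation realignment.
HHSI_RWST_SUCTION_CLOSE_S = 30.0
LHSI_RWST_SUCTION_CLOSE_S = 120.0


def k_of_n(trips: Sequence[bool], k: int) -> bool:
    """General k-out-of-n coincidence vote: True when at least k channels trip.
    With k=2 of n=3 one failed channel can neither actuate nor block the vote."""
    return sum(1 for t in trips if t) >= k


@dataclass
class Readings:
    """One snapshot of the channels feeding the SSPS (constructed layout)."""
    steam_line_psig: Sequence[float]   # three channels, trip on low
    pressurizer_psig: Sequence[float]  # three channels, trip on low
    containment_psig: Sequence[float]  # three channels, trip on high
    manual_si: Sequence[bool]          # two manual initiation switches
    rwst_low_level: Sequence[bool]     # three RWST low-level bistables


def safety_injection(r: Readings) -> bool:
    """SI on 2/3 of any single parameter, or on 1/2 manual initiation."""
    steam_low = [p < STEAM_LINE_LOW_PSIG for p in r.steam_line_psig]
    przr_low = [p < PRESSURIZER_LOW_PSIG for p in r.pressurizer_psig]
    cont_high = [p > CONTAINMENT_HIGH_PSIG for p in r.containment_psig]
    return (k_of_n(steam_low, 2) or k_of_n(przr_low, 2)
            or k_of_n(cont_high, 2) or k_of_n(r.manual_si, 1))


def actuation_signals(r: Readings) -> Dict[str, bool]:
    """Signals derived from one snapshot.  SI also generates CIA and a reactor
    trip; recirculation needs a 2/3 RWST low-level vote AND a continuing SI."""
    si = safety_injection(r)
    return {"SI": si, "CIA": si, "reactor_trip": si,
            "recirculation": si and k_of_n(r.rwst_low_level, 2)}


def recirculation_realignment(seconds_after_signal: float) -> List[str]:
    """Automatic valve actions from the text that have occurred by the given
    time after the recirculation signal (immediate, 30 s, and 2 min steps)."""
    steps = [
        (0.0, "close LHSI pump discharge minimum flow isolation valves"),
        (0.0, "open LHSI discharge crossconnect valves to the HHSI charging pumps"),
        (0.0, "open LHSI pump suction isolation valves from the containment sump"),
        (HHSI_RWST_SUCTION_CLOSE_S, "close HHSI charging pump suction from the RWST"),
        (LHSI_RWST_SUCTION_CLOSE_S, "close LHSI pump suction from the RWST"),
    ]
    return [action for delay, action in steps if seconds_after_signal >= delay]


# Constructed snapshots (not plant data).
NORMAL = Readings([1005.0, 1000.0, 1010.0], [2235.0, 2240.0, 2230.0],
                  [-0.5, -0.4, -0.5], [False, False], [False, False, False])
# One channel reads spuriously low: a single failure must not actuate.
SPURIOUS_CHANNEL = Readings([1005.0, 1000.0, 1010.0], [2235.0, 1700.0, 2230.0],
                            [-0.5, -0.4, -0.5], [False, False], [False, False, False])
# Small LOCA: pressurizer pressure falls on two channels; the third is stuck high.
SMALL_LOCA = Readings([1005.0, 1000.0, 1010.0], [1800.0, 1790.0, 2235.0],
                      [0.4, 0.3, 0.4], [False, False], [False, False, False])
# Later in the same event: RWST reaches low level on two of three transmitters.
RWST_LOW = Readings([1005.0, 1000.0, 1010.0], [1800.0, 1790.0, 2235.0],
                    [0.4, 0.3, 0.4], [False, False], [True, True, False])
# RWST low without an SI signal must not start recirculation.
RWST_LOW_NO_SI = Readings([1005.0, 1000.0, 1010.0], [2235.0, 2240.0, 2230.0],
                          [-0.5, -0.4, -0.5], [False, False], [True, True, False])
MANUAL = Readings([1005.0, 1000.0, 1010.0], [2235.0, 2240.0, 2230.0],
                  [-0.5, -0.4, -0.5], [True, False], [False, False, False])

if __name__ == "__main__":
    for name, snap in [("normal", NORMAL), ("spurious channel", SPURIOUS_CHANNEL),
                       ("small LOCA", SMALL_LOCA), ("RWST low", RWST_LOW),
                       ("manual", MANUAL)]:
        print(f"{name:17s} {actuation_signals(snap)}")
    print("actions at t=45 s:", recirculation_realignment(45.0))
```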
During injection, both HHSI pumps provide flow through valves MOV-SI-867A, B, C, and D. During recirculation, the operator manually separates the HHSI trains and opens valve MOV-SI-836 to provide a redundant high head flow path to the cold legs. Specifically, the operator takes the following valve realignment actions following a recirculation mode signal:
- Open the alternate HHSI discharge path isolation valve MOV-SI-836.
- Separate the two HHSI charging subsystems by closing the appropriate manual isolation valves in the HHSI charging pump discharge header (either CH-25, 26, or 27 and CH-158, 159, or 161).
At the appropriate time (about 14.5 hours after the start of recirculation), the operator realigns the ECCS for simultaneous cold leg and hot leg recirculation by the following actions:
- Open the HHSI discharge isolation valves MOV-SI-869A, B to the hot legs.
- Close the HHSI discharge isolation valves MOV-SI-867A, B or MOV-SI-867C, D and isolation valve MOV-SI-836 to the cold leg.
- During the switchover to simultaneous cold leg and hot leg recirculation, the HHSI charging pumps continue to operate while the respective isolation valves are realigned to deliver flow to the hot legs.
- During the switchover to simultaneous cold leg and hot leg recirculation, the LHSI pumps continue to operate with flow delivered to the cold legs as well as to the suction of the HHSI charging pumps.
- The ECCS is now aligned for simultaneous cold leg and hot leg recirculation with two LHSI pumps providing flow to the cold legs and two HHSI charging pumps providing flow to the hot legs.
Simultaneous cold leg and hot leg recirculation serves to remove precipitated boron from the RCS and core. The switch to simultaneous cold leg and hot leg recirculation is not required to avoid core melt. Certain valves have the power to their control circuits removed. Power may be supplied to these circuits by inserting banana plugs into the proper receptacles on the control board. The valves with power removed are:
- MOV-SI-890A, B, C
- MOV-SI-869A, B
- MOV-SI-865A, B, C
3.2.1.13.7 Test / Maintenance
- On a quarterly frequency, charging pumps and associated discharge and miniflow check valves are tested via OST 1.07.04, OST 1.07.05, and OST 1.07.06.
- Every 18 months, HHSI and LHSI valves not testable during operation are tested during shutdown via OST 1.1.10.
- Every 18 months, HHSI and LHSI are verified to actuate on a safety injection signal during shutdown via OST 1.07.11.
- On a quarterly frequency, LHSI pump, discharge check valves, and recirculation flow check valves are tested via OST 1.11.01 and OST 1.11.02.
- On a monthly frequency, ECCS flow path and valve positions are checked via OST 1.11.00 and OST 1.11.07.
- On a weekly frequency, BIT level is verified via OST 1.11.03.
- On a monthly frequency, accumulator isolation valves are verified to have power removed via OST 1.11.09.
- Every 18 months, accumulator isolation valves are verified to automatically open upon receipt of a P-11 signal via OST 1.11.11.
- Every 18 months, accumulator isolation valves are verified to automatically open upon receipt of a safety injection signal via OST 1.07.11.
- Containment is inspected for loose debris prior to establishing containment integrity and following each subsequent containment entry via OST 1.47.002.
- Maintenance is performed on an as-needed basis.
3.2.1.13.8 Technical Specifications
- 1. Accumulators
- a. LCOs
- 1) One accumulator may be inoperable for 1 hour; then the plant must be in hot standby within 6 hours and in hot shutdown within the next 6 hours.
- 2) If the accumulator is inoperable because of a closed isolation valve, immediately open it or be in hot standby in 1 hour and hot shutdown within the next 12 hours.
- b. Surveillance
- 1) Every 12 hours, verify that the isolation valve is open, and verify water volume and pressure.
- 2) Every 31 days, verify boron concentration and power removed from the isolation valve control circuit.
- 3) Every 18 months, verify that the accumulator isolation valve opens on a P-11 signal and a safety injection signal.
- 4) Every 31 days, perform a channel functional test and every 18 months perform a channel calibration for each accumulator's water level and pressure alarm channel.
- 5) Verify that the isolation valves close and are de-energized when RCS pressure reduces to 1,000 psig during normal plant depressurization.
- 2. LHSI and HHSI
- a. LCOs. One train may be inoperable for 72 hours; then the plant must be in hot shutdown within the next 12 hours.
- b. Surveillance
- 1) Every 12 hours, verify that the following valves are in the indicated positions with control power removed.

| Valve | Position | Function |
|---|---|---|
| MOV-SI-890A | closed | LHSI to Hot Leg |
| MOV-SI-890B | closed | LHSI to Hot Leg |
| MOV-SI-890C | open | LHSI to Cold Leg |
| MOV-SI-869A | closed | Charging Pump to Hot Leg |
| MOV-SI-869B | closed | Charging Pump to Hot Leg |
- 2) Every 92 days, verify HHSI Charging and LHSI pumps develop required differential pressure.
- 3) Every 31 days, verify the valve positions of all valves not locked or sealed.
- 4) Every 31 days, verify that each train is properly aligned with its electrical buses.
- 5) Visually inspect containment for debris prior to establishing containment integrity and following each containment entry.
- 6) Every 18 months, visually inspect containment sump and suction inlets and verify that they are free from debris.
- 7) Every 18 months during shutdown, cycle each power-operated (nonautomatic) valve in the flow path that is not testable during operation.
- 8) Every 18 months during shutdown, verify that each automatic valve actuates to its correct position.
- 9) Every 18 months during shutdown, verify that the HHSI and LHSI pumps start upon receipt of a safety injection signal.
- 3. Boron Injection Tank
- a. LCOs
- 1) The Boron Injection Tank (BIT) may be inoperable for one hour; then the plant must be in hot standby and borated to cold shutdown conditions within the next six hours. If the BIT is not restored to operable status within the next 7 days, then be in hot shutdown within the next 12 hours.
- b. Surveillance
- 1) Every 7 days, verify the water level and boron concentration in the Boron Injection Surge Tank.
- 2) Every 24 hours, verify the water temperature and water flow through the Boron Injection Tank.
3.2.1.13.9 System Diagram: The system diagrams for the ECCS systems are shown in UFSAR Figures 6.1-1, 6.3-1 and 6.3-2. The alignment for the injection mode is shown in UFSAR Figure 6.3-8 and the alignment for the recirculation mode is shown in UFSAR Figure 6.3-9.
3.2.1.13.10 References
- 1. UFSAR, Chapter 6
- 2. Operating Manual, Chapter 11
- 3. VONDS Diagrams
- 4. Flow Diagrams
- 5. Technical Specification 3/4.5
- 6. Emergency Operating Procedures EOP ES 1.3.1.4
3.2.1.13.11 Modeling and Modeling Approximations: The block diagrams and component tables for the Emergency Core Cooling Systems are presented in Appendix A.
Heat tracing and RWST cooling were not modeled, as discussed below. RWST water temperature extremes could potentially be important to risk analysis as follows:
- 1. Freezing water could plug ECCS suction lines.
RWST cooling pumps and associated lines, valves, and coolers are provided in BVPS-1 to maintain the RWST water temperature between 43°F and 55°F during normal power operation. The system is not needed after a safety injection signal to maintain temperature. Heat tracing is provided on RWST cooling lines and on outside lines that feed the ECCS and the quench spray system from the RWST to keep them from freezing. The heat tracing consists of a redundant pair of circuits that are powered from separate emergency buses. The surveillance of proper RWST water temperature during power operation is provided by Technical Specifications. Surveillance Requirement 4.1.2.8 requires verification of proper RWST temperature every 24 hours when ambient air temperature is not between 45°F and 55°F. If RWST water temperature is not between 45°F and 55°F, then action 3.1.2.8 requires:
- Restoration of the temperature within 1 hour.
- Be in hot standby within the next 6 hours if temperature is not restored.
- Be in cold shutdown within the following 30 hours.
Temperature instruments TRB-QS-100A and TRB-QS-100B monitor RWST temperature, and provide indication and high temperature alarms in the control room. Because of the RWST cooling equipment technical specifications and instrument monitoring, the potential for RWST high temperature is not treated further. A block is provided in the model, however, to cover the potential for freezing and plugging ECCS suction lines from the RWST coincident with the demand for these systems. The RWST cooling equipment also serves as a water heater when the ambient temperature is below about 40°F. Freezing, owing to the failure of this system, is not treated further because of the instrumentation and Technical Specifications on RWST water.
Freezing, owing to failure of heat tracing, remains a factor. There are two methods for modeling this as follows:
- Directly from historical records.
- From detailed component logic models of heat tracing and power sources.
Because the event of freezing has historically been rare, it does not warrant the detailed effort of modeling. The models were formulated using other simplifying approximations as follows:
- 1. The HHSI injection model assumes that valves MOV-SI-869A, B are closed. These valves are normally in those positions with their power removed.
- 2. Charging pump A is racked into 4KVS-1AE and charging pump B is racked into 4KVS-1DF; charging pump C is unpowered. Charging pump C does not automatically start from a safety injection signal, and does not have a safety injection signal. This pump could potentially serve as a backup to pump A or B, but is currently not modeled.
- 3. Modeling for the recirculation mode assumes that both high head and low head recirculation are required for small LOCAs only.
- 4. HHSI discharge train cross-connect valves CH-25, 26, 27, 158, 159, or 161 need not close for successful operation. Train separation is not necessary for successful flow.
- 5. LHSI suction valves MOV-SI-862A, B are not required to close for successful recirculation.
- 6. Failure to open MOV-SI-836 is modeled as failing flow from train A because EOP ES-1.3, Step 4, does not provide for leaving HHSI discharge cross-connect valves open in that case.
- 7. The recirculation spray pumps could potentially serve as a backup to the LHSI pumps in the recirculation mode, but this is currently not modeled.
- 8. The auxiliary lube oil pump is part of the HHSI charging pump assembly; however, it is not required to be running prior to auto start of the HHSI charging pump on a safety injection signal. Following pump start, the shaft-driven lube oil pump functions to circulate lube oil for HHSI charging pump operation. Therefore, the auxiliary lube oil pump is not included in the model.
3.2.1.14 CONTAINMENT DEPRESSURIZATION SYSTEM
3.2.1.14.1 System Functions: The containment depressurization system is composed of two groups of subsystems: (1) the quench spray, and (2) the recirculation spray subsystem. The quench spray subsystem is made up of two separate parallel trains, each consisting of a pump discharging to a 360-degree spray header located just beneath the top of the reactor containment. Each of the quench spray pumps (each one being 100 percent) independently draws water from the refueling water storage tank (RWST) to cool and depressurize the containment to subatmospheric pressure in less than 60 minutes following a design basis accident (DBA). The recirculation spray subsystem is made up of four parallel spray trains; each consists of an inside/outside recirculation pump and a recirculation spray cooler, and each feeds a 180-degree spray ring header located beneath the top of the containment approximately 80 feet above the operating floor. The four recirculation spray pumps take their suction from the containment sump, and are capable of maintaining the containment at subatmospheric pressure for many months following an accident. As a group, these systems function to prevent core overheating and containment overpressure during and after certain initiating events. These initiating events fall under the following general categories:
- 1. Large and medium LOCA
- 2. Small LOCA (including stuck-open PORVs)
- 3. Steam line break inside containment
The quench spray system provides RWST water via two trains to two spray headers to limit containment overpressure following a CIB signal. It is designed to limit containment pressure to 45 psi following a design basis LOCA. This system is not capable of taking suction from the containment sump.
The recirculation spray system has two functions as follows:
- 1. It takes suction from the containment sump following a CIB signal via four trains; it provides water to four recirculation spray headers to limit containment overpressure for long-term plant stabilization.
- 2. Following a signal to initiate the recirculation mode of ECCS, two outside recirculation trains can be aligned to provide water from the containment sump to the discharge piping of the LHSI system for long-term core cooling. It can provide flow directly to the RCS at pressures below about 90 psi. This system is not capable of taking suction from the RWST.
3.2.1.14.2 Success Criteria: The following criteria are required for LOCAs and steam line breaks inside containment:
- 1. During the injection mode:
- a. One of two quench spray pumps, its associated train, and spray header for containment pressure suppression.
- 2. During the recirculation mode:
- a. Two of four recirculation spray pump coolers (including river water cooling) and trains aligned to a recirculation spray header are required after a time delay on a CIB signal.
- b. One of four recirculation spray pump coolers (including river water cooling) and train aligned to a recirculation spray header is required one day after the accident.
- c. One of two outside recirculation spray pumps can be aligned to the LHSI train in the event that its respective LHSI pump is out of service.
3.2.1.14.3 Support Systems
- 1. Outside recirculation pumps are powered from emergency 4KV buses 4KV-1AE and 4KV-1DF.
- 2. Quench spray and inside recirculation pumps are powered from emergency 480 VAC substation buses 1-8N and 1-9P.
- 3. Pump control on bus 4KV-1AE and 480V-1-8N comes from 125 VDC bus No. 1.
- 4. Pump control on bus 4KV-1DF and 480V-1-9P comes from 125 VDC bus No. 2.
- 5. MOVs on train A (orange) operate from MCC-1-E5 (480V bus 1-8N supplied by 4160V bus 1AE). MOV-RW-103A & C are powered from emergency MCC-1-E3.
- 6. MOVs on train B (purple) operate from MCC-1-E6 (480V bus 1-9P supplied by 4160V bus 1DF). An individual motor control center for each MOV is provided in Table 1-14. MOV-RW-103B & D are powered from emergency MCC-1-E4.
- 7. River water is required for the recirculation spray coolers.
- 8. Demineralized water system is required to provide water to outside recirculation pump shaft mechanical seal coolers.
- 9. Containment isolation phase B signal is required for automatic quench spray and recirculation spray initiation.
- 10. Quench spray water is directed to the suction of the inside (RS-P-1A, B) and outside recirculation spray pumps (RS-P-2A, B) at a flow rate of 150 gpm and 300 gpm, respectively, to meet pump minimum flow requirements.
3.2.1.14.4 Systems Supported: Not applicable
3.2.1.14.5 System Operation: A CIB signal is generated from two of four hi-hi containment pressure signals (about 10 psig) from PT-LM-100A, B, C and D. The RWST (QS-TK-1) and its associated lines are temperature maintained (kept from freezing or becoming too warm) by heat tracing on lines, and an RWST recirculation system consisting of two pumps, two refrigeration units (cooled by CCR), two coolers (chilled by the chilled water system), and associated valves. The quench spray and recirculation spray pumps start automatically from a CIB signal only. One inside recirculation spray pump (RS-P-1A) and one outside recirculation spray pump (RS-P-2B) are started with a time delay of about 210 seconds. The other inside recirculation spray pump (RS-P-1B) and outside recirculation spray pump (RS-P-2A) are started with a time delay of 225 seconds following a CIB signal. The following valves are given open signals:
- Quench Spray: MOV-QS-100A, B; MOV-QS-101A, B; MOV-QS-103A, B
- Outside Recirculation Spray: MOV-RS-156A, B
3.2.1.14.6 Test / Maintenance
- a. Valves and pumps positioned in the recirculation spray and quench spray system are verified by the operator on a daily basis from the control room.
- b. Quench spray pumps are started and run to verify proper flow and pressure using the recirculation flow line on a monthly basis.
- c. Inside and outside recirculation spray pumps are started and run without water for one minute every quarter.
- d. Scheduled maintenance (CMPs and PMPs) is performed on all quench spray pumps, recirculation pumps, and recirculation heat exchangers.
3.2.1.14.7 Technical Specifications
- 1. Quench Spray System
- a. LCOs. One quench spray train can be inoperable for 72 hours; then the plant must be in hot standby within 6 hours and cold shutdown within the next 30 hours. (Technical Specification 3.6.2.1)
- b. Surveillance
- 1) Every 31 days, verify that the pumps develop proper flow and pressure using the recirculation flow lines. (OST 1.13.1, OST 1.13.2)
- 2) Every 18 months during shutdown, verify that each quench spray pump and their automatic valves in the spray flow path actuate to the correct position on a test signal (CIB). (OST 1.13.11)
- 3) Every 31 days, verify that each valve in the flow path that is not locked or sealed is in its correct position. (OST 1.13.12)
- 4) Every 5 years, verify that each spray nozzle is unobstructed.
- 2. Recirculation Spray System
- a. LCOs. With one recirculation spray subsystem inoperable for 7 days, the plant must be in hot standby within the next 6 hours and can stay in hot standby for 48 hours. If the train is not restored, the plant must be in cold shutdown within the next 30 hours. (Technical Specification 3.6.2.2)
- b. Surveillance
- 1) Every quarter, verify that each pump is started and run without water for one minute. (OST 1.13.3, 1.13.4, 1.13.5, and 1.13.6)
- 2) Every 18 months, verify that each pump starts on a CIB signal after a 205 to 215 second delay (RS-P-1A & 2B) and after a 220 to 230 second delay (RS-P-2A & 1B). (OST 1.13.7)
- 3) Every 18 months during shutdown, verify that each pump provides sufficient flow. (OST 1.13.7)
- 4) Every 31 days, verify that each valve in the flow path that is not locked or sealed is in its correct position. (OST 1.13.12)
- 5) Every 18 months during shutdown, verify sufficient flow from the reactor plant river water system to the recirculation spray coolers. (OST 1.30.12)
- 6) Every 5 years, verify that each spray nozzle is unobstructed.
3.2.1.14.8 System Diagram: The system diagram for the containment depressurization system is shown in UFSAR Figure 6.4-1.
3.2.1.14.9 References
- 1. UFSAR, Chapter 6.4
- 2. System Descriptions - Group 27
- 3. VONDS Diagrams (8700-RM 165A 12,11700 RM-35A-37)
- 4. Piping Drawings
- 5. Electrical One Lines
- 6. Technical Specifications 3/4.6.2
- 7. Emergency Operating Procedures
- 8. Operating Procedures - OM 13
- 9. Operating Surveillance Tests
3.2.1.14.10 Modeling and Modeling Approximations: The block diagram and component tables for the containment depressurization systems are presented in Appendix A. Quench Spray discharge to the containment sumps is not modeled in the recirculation spray system model as a requirement for success (this has to be justified further or modeled). Heat tracing and RWST cooling were not modeled, as discussed below. RWST water temperature extremes could potentially be important to risk analysis as follows:
- 1. High temperature could reduce the effectiveness of quench spray to decrease containment pressure.
- 2. Freezing water could plug the quench spray suction lines.
RWST cooling pumps and associated lines, valves, and coolers are provided in BVPS-1 to maintain the RWST water temperature between 45°F and 50°F during normal power operation. Heat tracing is provided on RWST cooling lines and on outside lines that feed the quench spray system from the RWST to keep them from freezing. The heat tracing is powered from emergency 480V MCC-1-E5 and MCC-1-E6.
The surveillance of proper RWST water temperature during power operation is provided by Technical Specifications. Surveillance Requirement 4.1.2.8 requires verification of proper RWST temperature every 24 hours when the ambient air temperature is not between 45°F and 55°F. If the RWST water temperature is not between 45°F and 55°F, then action Technical Specification 3.1.2.8.b requires:
- Restoration of the temperature within 1 hour.
- Be in hot standby within the next 6 hours if temperature is not restored.
- Be in cold shutdown within the following 30 hours.
Temperature indicators TI-QS-100A and TI-QS-100B monitor RWST temperature, and TSH-QS-100A and TSH-QS-100B provide annunciation of high temperature in the control room. Because of the RWST cooling equipment technical specifications and instrument monitoring, the potential for RWST high temperature is not treated further. A block is provided in the model, however, to cover the potential for freezing and plugging the quench spray feed lines from the RWST coincident with the demand for these systems. The RWST cooling equipment also serves as a water heater when the ambient temperature is below about 40°F. Freezing, owing to the failure of this system, is not treated further because of the instrumentation and Technical Specifications on RWST water. Freezing, owing to failure of heat tracing, remains a factor. There are two methods for modeling this as follows:
- Directly from historical records.
- From detailed component logic models of heat tracing and power sources.
Because the event of freezing has historically been rare, it does not warrant the detailed effort of modeling. The models were formulated using other simplifying approximations as follows:
- 1. The Chemical Addition system is not required for containment cooling and is not modeled.
Common cause failures of QS pumps to start and run following a CIB signal were modeled (see Table 3.2.2-3).
3.2.1.15 RESIDUAL HEAT REMOVAL SYSTEM
3.2.1.15.1 System Function: The residual heat removal system (RHR) transfers heat from the reactor coolant system (RCS) to the reactor plant component cooling water system (CCR) to reduce the temperature of the reactor coolant to the cold shutdown temperature at a controlled rate during the second part of normal plant cooldown and maintains this temperature until the plant is started up. The RHR also is used to transfer refueling water from the refueling cavity and transfer canal to the refueling water storage tank (RWST) at the end of the refueling operation.
3.2.1.15.2 Success Criteria (for Each Mode of Operation)
- UFSAR. The RHR is placed in operation when the temperature and pressure of the RCS are approximately 325°F and 360 psig, respectively, and reduces the temperature of the reactor coolant.
- PRA. One heat exchanger and one pump operate for at least 24 hours.
3.2.1.15.3 Support Systems
- MCC-1-E05 (O): MOV-RH-700, MOV-RH-720A, MOV-CC-112A2, MOV-CC-112A3
- MCC-1-E06 (P): MOV-RH-701, MOV-RH-720B, MOV-CC-112B2, MOV-CC-112B3
- MCC-1-E9 (O): MOV-RH-758
- MCC-1-E10 (P): MOV-RH-605
- CCR Header A: Train A RHR Heat Exchanger and RHR Pump A Seal Cooling
- CCR Header B: Train B RHR Heat Exchanger and RHR Pump B Seal Cooling
- 4KV-1AE Stub Bus (O): Pump RH-P-1A
- 125V DC Bus 1-1 (O): Pump RH-P-1A Control
- 4KV-1DF Stub Bus (P): Pump RH-P-1B
- 125V DC Bus 1-2 (P): Pump RH-P-1B Control
- Vital Bus Channel III: PT-RC-402 (provides signals to MOV-RH-700 and MOV-RH-720A)
- Vital Bus Channel II: PT-RC-403 (provides signals to MOV-RH-701 and MOV-RH-720B)
3.2.1.15.4 System Supported: Reactor Coolant System
3.2.1.15.5 Operating Features
- 1. Initial Configuration. The RHR is designed to be in standby during normal operation with two normally closed MOVs in series isolating the RHR from the RCS on each RHR pump suction and one normally closed MOV in series with an ECCS check valve on each RHR pump discharge.
The inlet lines to the RHR are connected via a single suction header to the loop 1A hot leg, while the return lines are connected to the cold legs of the two reactor coolant loops 1B and 1C. The inlet isolation MOVs in each RHR subsystem are separately and independently interlocked with pressure signals to prevent their opening when RCS pressure is greater than 360 psig, or to shut if RCS pressure increases to approximately 630 psig. MOV-RH-701 is also interlocked with a pressurizer vapor temperature signal to prevent its opening when pressurizer vapor temperature is greater than 475°F.
The RHR is to be isolated from the RCS whenever the RCS pressure exceeds the RHR design pressure. The isolation of the RHR from the RCS is done by two MOVs in series on each pump suction line.
RHR pumps are tripped off their emergency stub bus on a CIB signal. RH-P-1A is tripped off ACB-1E5 on a CIB Train A signal; RH-P-1B is tripped off ACB-1F5 on a CIB Train B signal. Loss of emergency AC Orange or AC Purple will fail RHR because the RHR pump suctions are supplied through two MOVs in series which are powered from MCC-1-E5 and MCC-1-E6.
- 2. System Actuation
- a. Automatic. No automatic system actuation is considered.
- b. Manual. The RHR is to be initiated from the control room after reactor shutdown when the temperature and pressure of the RCS are approximately 325°F and 360 psig, respectively.
The operation of the RHR MOVs and pumps can be initiated from the control room.
- 3. Recovery Considerations
- a. Various indications and annunciations in the control room help the operators to identify failed equipment.
3.2.1.15.6 Technical Specifications
- 1. LCO. When in Mode 5, refueling operation, at least one residual heat removal loop shall be operable and in operation (3.9.8.1).
- 2. Tests. At least one residual heat removal loop shall be verified to be operable and circulating reactor coolant at a flow rate of > 3,000 gpm at least once every 4 hours when making boron dilution changes, and > 1,000 gpm for decay heat removal when the reactor coolant system is in the drained down condition within the loops (4.9.8.1).
3.2.1.15.7 References
- 1. UFSAR, Section 9.3.
- 2. Operating Manual Chapter 10.
- 3. Design basis document DBD-10.
- 4. Drawings:
- a. 8700-RM-156A 8.
- b. 8704RM 38A.
3.2.1.15.8 Modeling Assumptions
- 1. Equipment Boundaries. The pump miniflow recirculation lines are not modeled because it is assumed that they do not have a significant failure impact on the RHR, due to their small size.
The heat exchanger bypass line and valve MOV-RH-605 are modeled, because it is assumed that this valve failing open will bypass most of the RHR flow from the heat exchangers, and therefore is assumed to fail the RHR heat removal capability.
- 2. Block Diagram for the RHR is presented as follows, along with the component table.
- 3. Failure Mode Impact. If one of the two pumps or one of the two heat exchaMars is
(] not operable, safe cooldown is not compromised; however, the time r;s .c ?J 'or U cooldown is extended. 4 Common Cause. See Table 3.2.2-3. 3.2.1.16 CONTAINMENT ISOLATION SYSTEM 3.2.1," 3.1 System Functions: Containment isolation refers to the function of closing lines that penetrate containment for the purpose of preventing radio,'ctive release from the contairment to the environment. Many systems that support reactor operation inside containmem have lines for transporting fluids such as steam, feedwater, normal reactor coolant m%eup, emerCency coolant, and pressurized air. Other sys-tems that support containment environment operation have such lmes for containtrent environment control, containment monitoring, ano containment sampling. With few exceptions, each line contains at least one inboard isolation or check valve and one outboard isolation valve. Isolation valves respond to an actuation signal to move to their proper emergency response position, if 'he line is not required for reactor core or containment cooling, then the isolation valves close on either a containment isolation Phase A signal (CIA) or Phase B signal (CIB). Valves in lines required for reactor core or containment cooling either rercain in their appropriate position or "nove to their appropriate position for those functions. Note that initiating events that impact containment isolation (i.e., containment bypass ( ) sequences) are not modeled bre. Consideration of steam generatur isolation for SGTR
..tiating evems is modeled in the SGTR event tree mode l and top event SL described in Section 3.1.3.4. LOCA outside containment initiators (interfacing systems LOCA) are evaluated and moJeled in Section 3.1.3.6.
3.2.1.16.2 Screening for Risk Significant Penetrations: The objective of the containment isolation analysis is to estimate the frequency of failure to isolate lines that could cause a significant risk of radioactive release. Screening criteria have evolved to eliminate those penetrations that have been found, in previous analyses, to be relatively unimportant. The screening criteria used are as follows:
- 1. Closed System. This criterion is used to screen out penetrations that do not connect (inlet or outlet) to either the Reactor Coolant System (RCS) or the containment environment. The combination of a closed system inside containment and containment isolation valves makes the risk of radioactive release from these penetrations insignificant.
- 2. Containment - Normally Isolated. This criterion is used to screen out penetrations > 2 inches in diameter that connect to the containment environment and are isolated during normal plant operation. Since BVPS-1 has a subatmospheric containment, the ability to maintain a subatmospheric containment during normal operation provides assurance that the isolation valves on lines connecting to the containment environment are closed and that the lines are not susceptible to leakage.
Assurance of this condition is provided by:
- a. Containment pressure is monitored by two methods.
- b. There is a technical specification limit on containment pressure during operation.
- c. A control room alarm is provided for containment pressure in excess of the technical specification limit.
- d. The low capacity of the containment vacuum system makes it unlikely that in-leakage will go undetected.
- 3. NC/FC Isolation Valves. This criterion is used to screen out penetrations that connect to either the RCS or containment and are isolated during normal power operation by:
- a. One normally closed (NC)/fail closed (FC) isolation valve outside containment and one NC/FC isolation valve inside containment, or
- b. One normally closed (NC)/fail closed (FC) isolation valve outside containment and one check valve inside containment.
- 4. NC Manual Isolation Valves. This criterion is used to screen out penetrations that connect to either the RCS or containment and are isolated during normal power operation by:
- a. One normally closed (NC) manual isolation valve outside containment and one NC manual isolation valve inside containment, or
- b. One NC manual isolation valve outside containment and one check valve inside containment.
- 5. NC/AC Isolation Valves. This criterion is used to screen out penetrations that connect to either the RCS or containment and are isolated during normal power operation by one normally closed (NC)/administratively closed (AC) motor-operated isolation valve outside containment and one check valve inside containment. Administrative control must be via power lockout (PL) and must be verified by Technical Specifications.
- 6. Three Check Valves. This criterion is used to screen out penetrations that connect to either the RCS or containment and provide isolation with at least three check valves. This criterion only applies to lines with flow into containment.
- 7. ESF Service. This identifies penetrations that connect to the RCS or containment that are required to be in operation (e.g., safety injection, containment spray or other safety function) as part of the Engineered Safety Features (ESF) to mitigate the initiating event. Since containment isolation is of interest during and after core damage sequences, these penetrations must also be considered. Usually ESF systems provide extensions (closed system outside containment) to containment or the RCS (high pressure design outside) such that releases to the environment are unlikely. These additional screening considerations are provided in Table 3.2.1.16-1.
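As an added worked example, not part of the PRA report, the seven screening criteria above can be written as a small rule set and run over penetration records. The record format, the field names and the sample rows are assumptions constructed from a few rows of Table 3.2.1.16-1; the function returns every criterion that applies, so a reviewer can see which ones a given penetration satisfies rather than only the first match:

```python
from dataclasses import dataclass, field
from typing import List

# Valve-configuration vocabulary taken from the screening criteria on this page.
OPEN = "open"            # normally open during power operation
NC = "NC"                # normally closed, not otherwise credited
NC_FC = "NC/FC"          # normally closed, fails closed (air-operated / trip valve)
NC_MANUAL = "NC manual"  # normally closed manual valve
NC_AC = "NC/AC"          # normally closed, administratively closed motor-operated valve
CHECK = "check"          # check valve (credited only in the flow direction)


@dataclass
class Penetration:
    """One row of the containment penetration table (hypothetical record format)."""
    pen: str
    connects_to: str                 # "closed system", "containment" or "RCS"
    diameter_in: float
    inboard: List[str] = field(default_factory=list)   # valve types inside containment
    outboard: List[str] = field(default_factory=list)  # valve types outside containment
    flow_into_containment: bool = False
    esf_service: bool = False
    power_lockout_verified: bool = False  # NC/AC closure verified by Tech Specs


def applicable_criteria(p: Penetration) -> List[int]:
    """Return the numbers (1..7) of every screening criterion that applies to p."""
    hits = []
    valves = p.inboard + p.outboard
    # 1. Closed system: neither end connects to the RCS or the containment environment.
    if p.connects_to == "closed system":
        hits.append(1)
    # 2. Containment, normally isolated, > 2 in. diameter (threshold as stated on the page).
    normally_isolated = bool(valves) and OPEN not in valves
    if p.connects_to == "containment" and p.diameter_in > 2 and normally_isolated:
        hits.append(2)
    # 3. NC/FC valve outside plus an NC/FC valve or a check valve inside.
    if NC_FC in p.outboard and (NC_FC in p.inboard or CHECK in p.inboard):
        hits.append(3)
    # 4. NC manual valve outside plus an NC manual valve or a check valve inside.
    if NC_MANUAL in p.outboard and (NC_MANUAL in p.inboard or CHECK in p.inboard):
        hits.append(4)
    # 5. NC/AC MOV outside (power lockout verified) plus a check valve inside.
    if NC_AC in p.outboard and p.power_lockout_verified and CHECK in p.inboard:
        hits.append(5)
    # 6. At least three check valves; only credited for flow into containment.
    if valves.count(CHECK) >= 3 and p.flow_into_containment:
        hits.append(6)
    # 7. ESF service: closed system outside containment, release unlikely.
    if p.esf_service:
        hits.append(7)
    return hits


def must_model(p: Penetration) -> bool:
    """A penetration enters the isolation model only if no criterion screens it out."""
    return not applicable_criteria(p)


# Constructed sample records, transcribed from a few rows of Table 3.2.1.16-1.
SAMPLE = [
    Penetration("1", "closed system", 18, [NC], [NC]),                              # CCR to RHR
    Penetration("13", "containment", 4, [CHECK], [NC_FC], flow_into_containment=True),  # FPW to hoses
    Penetration("19", "RCS", 3, [OPEN, CHECK], [OPEN]),                              # seal water return
    Penetration("20", "RCS", 1, [CHECK], [NC_MANUAL], flow_into_containment=True),   # makeup to SI accumulator
    Penetration("43", "containment", 1, [OPEN], [OPEN]),                             # air activity monitor
    Penetration("60", "RCS", 6, [CHECK], [NC_AC, NC_MANUAL], flow_into_containment=True,
                power_lockout_verified=True),                                       # LHSI to hot legs
]


def screening_summary(pens=SAMPLE):
    """Map penetration number -> (criteria that apply, modeled yes/no)."""
    return {p.pen: (applicable_criteria(p), must_model(p)) for p in pens}


if __name__ == "__main__":
    for pen, (crit, model) in screening_summary().items():
        print(f"Pen {pen:>3}: criteria {crit or 'none'} -> model: {'yes' if model else 'no'}")
```

Returning all applicable criteria rather than the first one is deliberate: the table's Screening column often cites two justifications for one penetration (for example NC/AC isolation valve and three check valves), and listing them all makes the screening decision auditable.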
The above screening criteria have been applied to the BVPS-1 containment penetrations. Table 3.2.1.16-1 lists all containment penetrations, identifies the screening criteria applicable to each penetration, and identifies the penetrations that are to be modeled (summarized in Table 3.2.1.16-2). The following summarizes the information provided in Table 3.2.1.16-1.

Pen (Dia.): This column identifies the penetration number and pipe diameter.

Valves: This column identifies the valves classified as "containment isolation" valves. (I) and (O) denote that the valve is either inside or outside containment, respectively. There may be additional valves that provide isolation but are not classified as "containment isolation" valves. The "Screening" column and its notes will identify some of these valves.

Normal: This column denotes whether the valve is normally open or closed during power operation.

Signal: This identifies automatic signals, primarily containment isolation (CIA or CIB). Note that some valves actually receive an open signal, such as ESF systems, and are identified.

Fails: This column identifies how the valve fails given loss of support systems such as air, AC power, DC, etc. In general, trip valves (TV) are designed to close given loss of support system, whereas a motor-operated valve (MOV) fails "as is".

Screening: First of all, each penetration is characterized as one of the following three:
- 1. Closed system - This denotes that the connected system inside containment is closed (does not connect to RCS or containment environment).
- 2. Containment - This indicates that piping opens to containment environment when not isolated.
- 3. RCS - The piping connects to the reactor coolant system. These lines are further evaluated for interfacing systems LOCA in Section 3.1.3.6.
Then the screening criteria described above and additional notes are denoted, if applicable, to justify excluding the penetration from the model.

Model: Denotes whether the penetration will be included in the containment isolation model (yes or no) based on the screening evaluation. These penetrations are summarized in Table 3.2.1.16-2.

3.2.1.16.3 Success Criteria: Each line is successfully isolated if at least one valve closes on demand and stays closed for 24 hours (or until required for sampling/monitoring).

3.2.1.16.4 Support Equipment
- 1. Motor-operated valves require electric power from 480V bus E5 for train A (orange) and 480V bus E6 for train B (purple). These valves fail as-is without power.
- 2. Air-operated valves require instrument air and fail closed without it. Valves inside containment utilize Containment Instrument Air and valves outside containment utilize Station Instrument Air.
- 3. Air-operated valves require control power from 125V DC bus 1-1 (orange) or 125V DC bus 1-2 (purple) from either battery 1-1, battery 1-2 or the associated battery charger.
Specific support equipment for each valve is provided in Appendix A.

3.2.1.16.5 Equipment Support: Not applicable.
3.2.1.16.6 Operation: Air-operated and motor-operated valves that have survived the screening and are listed in Table 3.2.1.16-2 are open during normal operation and must close upon receiving a Phase A containment isolation signal. Check valves must close on demand. Some of the lines must be opened and reclosed to provide sampling or monitoring after the isolation signal. These lines are:
- RVLIS (penetrations X 95 and 109)
- Containment air activity monitor (penetrations X 43 and 44)
- Containment Leakage Monitoring Open Taps (X 55-2, 57-1, 57-2 and 97 3)

3.2.1.16.7 Test/Maintenance: Type C leak tests are required for all valves in Table 3.2.1.16-2. Containment isolation valve operability is verified quarterly via OST 1.47.3A. Containment purge exhaust and supply valves are manual, and their operators are locked closed before going to Mode 4 from Mode 5. Maintenance is performed on an as-needed basis, and valve operability is checked after each maintenance.

3.2.1.16.8 Technical Specifications
- a. LCOs
- 1) One or more isolation valves may be inoperable for 4 hours before being restored to operable. If it cannot be restored, secure the line in the isolated position within 4 hours using a deactivated automatic valve or within 6 hours using a manual valve (or blind flange). If it can be neither restored nor secured, be in hot standby within the next 6 hours and in cold shutdown within the following 30 hours.
- 2) Close an open steam jet air ejector suction line valve within 1 hour or be in hot standby in the next 6 hours and cold shutdown in the following 30 hours.
- b. Surveillance
- 1) Every 92 days, each power-operated, automatic and weight/spring loaded check valve testable during plant operation is cycled.
- 2) Cycle each valve as above prior to returning the valve to service after maintenance, repair or replacement.
- 3) Every 18 months during cold shutdown or refueling:
- Verify that each Phase A(B) isolation valve moves to its isolation position after a Phase A(B) signal.
- Verify that purge and exhaust valves close upon a containment purge and exhaust isolation signal.
- Measure the isolation time by cycling each valve.
- Cycle each weight / spring loaded check valve not testable during plant operation.
- Cycle each manual valve not locked, sealed, or secured in the closed position.
- Visually determine that the outboard manual isolation valve of the steam jet air ejector suction line is closed before reactor coolant temperature is increased above 330°F and every 31 days thereafter.
- Visually determine that the inboard manual isolation valve of the steam jet air ejector suction line is sealed or locked closed before reactor coolant system temperature is increased above 350°F.

3.2.1.16.9 System Diagram: None

3.2.1.16.10 References
- 1. UFSAR, Sections 5.3 (Table 5.3-1), 5.4, 6.3, 6.4, 6.5, 6.6, 9.1, 9.4, 9.7
- 2. Technical Specifications, Sections 3/4.6.3 and 3/4.6.5

3.2.1.16.11 Modeling and Modeling Approximations: The block diagram and component table for containment isolation is presented in Appendix A.
The following relief valve discharges into containment so it is not modeled as a path for isolation failure:
- RV-CH203
Table 3.2.1.16-1. Containment Isolation

| Pen (Dia.) | Description | Valves | Normal | Signal | Fails | Screening | Model |
|---|---|---|---|---|---|---|---|
| 1 (18) | CCR to RHR Train A | (I) MOV-1CC-112A2 | closed | none | as is | closed system | no |
| | | (O) MOV-1CCR-247 | closed | none | as is | | |
| 2 (18) | CCR from RHR Train B | (I) MOV-1CC-112B3 | closed | none | as is | closed system | no |
| | | (O) MOV-1CCR-252 | closed | none | as is | | |
| 3 | Spare | | | | | | |
| 4 (18) | CCR from RHR Train A | (I) MOV-1CC-112A3 | closed | none | as is | closed system | no |
| | | (O) MV-1CCR-251 | closed | none | as is | | |
| 5 (18) | CCR to RHR Train B | (I) MOV-1CC-112B2 | closed | none | as is | closed system | no |
| | | (O) MV-1CCR-248 | closed | none | as is | | |
| 6 | Spare | | | | | | |
| 7 (3) | HHSI to HLs | (I) CV-1SI-83 | closed | none | as is | RCS - NC/AC Isolation Valve; ESF Service (Note 10) | no |
| | | (O) MOV-1SI-859A | closed | none | as is | | |
| 8 (3) | CCR from RCP 1B & 1C Thermal Barriers | (I) TV-1CC-107D1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-107D2 | open | CIB | closed | | |
| 9 (5) | CCR from Shroud | (I) TV-1CC-111D1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-111D2 | open | CIB | closed | | |
| 10 | Spare | | | | | | |
| 11 (8) | CCR from Air Recirc | (I) TV-1CC-110D | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-110F1 | open | CIB | closed | | |
| | | (O) TV-1CC-110F2 | open | CIB | closed | | |
| 12 | Spare | | | | | | |
| 13 (4) | FPW to Cnmt Hoses | (I) CV-1FP-827 | closed | none | as is | Containment - NC/FC Isolation Valve | no |
| | | (O) TV-1FP-107 | closed | CIA | closed | | |
| 14 (8) | CCR to Air Recirc | (I) TV-1CC-110E3 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-110E2 | open | CIB | closed | | |
Table 3.2.1.16-1. Containment Isolation (continued)

| Pen (Dia.) | Description | Valves | Normal | Signal | Fails | Screening | Model |
|---|---|---|---|---|---|---|---|
| 15 (3) | Charging | (I) C s _41-31 | open | none | as is | RCS - (Note 1) | no |
| | | (O) MOV-1CH-289 | open | SIS | as is | | |
| 16 (6) | CCR to Shroud | (I) TV-1CC-111A2 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-111A1 | open | CIB | closed | | |
| 17 (6) | CCR to RCP 1B | (I) TV-1CC-103B1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-103B | open | CIB | closed | | |
| 18 (6) | CCR to RCP 1C | (I) TV-1CC-103C1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-103C | open | CIB | closed | | |
| 19 (3) | Seal Water from RCPs | (I) MOV-1CH-378 | open | CIA | as is | RCS - (Note 2) | yes |
| | | (I) CV-1CH-369 | open | none | as is | | |
| | | (O) MOV-1CH-381 | open | CIA | as is | | |
| 20 (1) | Makeup to SI Accumulator | (I) CV-1SI-42 | closed | none | as is | RCS - NC Manual Isolation Valve; Three Check Valves | no |
| | | (O) MV-1SI-41 | closed | none | as is | | |
| 21 | Spare | | | | | | |
| 22 | Spare | | | | | | |
| 23 | Spare | | | | | | |
| 24 (6) | RHR to RWST | (I) MV-1RH-14 | closed | none | as is | RCS - closed system during operation | no |
| | | (I) MV-1RH-16 | closed | none | as is | | |
| | | (O) MV-1RH-15 | closed | none | as is | | |
| 25 (6) | CCR from RCP 1B & 1C Motors | (I) TV-1CC-105D1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-105D2 | open | CIB | closed | | |
| 26 (2) | CCR from RCP 1A Thermal Barrier | (I) TV-1CC-107E1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-107E2 | open | CIB | closed | | |
| 27 (4) | CCR from RCP 1A Motor | (I) TV-1CC-105E1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-105E2 | open | CIB | closed | | |
Table 3.2.1.16-1. Containment Isolation (continued)

| Pen (Dia.) | Description | Valves | Normal | Signal | Fails | Screening | Model |
|---|---|---|---|---|---|---|---|
| 28 (2) | RCS Letdown | (I) TV-1CH-200A | open | CIA | closed | RCS (Note 6) | yes |
| | | (I) TV-1CH-200B | open | CIA | closed | | |
| | | (I) TV-1CH-200C | open | CIA | closed | | |
| | | (I) MOV-1CH-142 | closed | none | as is | | |
| | | (I) RV-1CH-203 | closed | none | as is | | |
| | | (O) TV-1CH-204 | open | CIA | closed | | |
| 29 (2) | Primary Drain Transfer Pump Discharge | (I) TV-1DG-108A | open/closed | CIA | closed | RCS | yes |
| | | (O) TV-1DG-108B | open/closed | CIA | closed | | |
| 30 | Spare | | | | | | |
| 31 (4) | FPW to Cable Penetration Area | (I) CV-1FP-804 | closed | none | as is | Containment - NC/FC Isolation Valve | no |
| | | (O) TV-1FP-105 | closed | CIA | closed | | |
| 32 (3) | FPW to RHR Platform | (I) CV-1FP-800 | closed | none | as is | Containment - NC/FC Isolation Valve | no |
| | | (O) TV-1FP-108 | closed | CIA | closed | | |
| 33 (3) | HHSI to RCS HLs | (I) CV-1SI-84 | closed | none | as is | RCS - NC/AC Isolation Valve | no |
| | | (O) MOV-1SI-869B | closed | none | as is | | |
| 34 | Spare | | | | | | |
| 35 (2) | Seal Injection to RCP 1A | (I) CV-1CH-181 | open | none | as is | RCS - ESF Service (Note 10) | no |
| | | (O) MOV-1CH-308A | open | none | as is | | |
| 36 (2) | Seal Injection to RCP 1B | (I) CV-1CH-182 | open | none | as is | RCS - ESF Service (Note 10) | no |
| | | (O) MOV-1CH-308B | open | none | as is | | |
| 37 (2) | Seal Injection to RCP 1C | (I) CV-1CH-183 | open | none | as is | RCS - ESF Service (Note 10) | no |
| | | (O) MOV-1CH-308C | open | none | as is | | |
| 38 (2) | Containment Sump Pump Discharge | (I) TV-1DA-100A | open/closed | CIA | closed | Containment | yes |
| | | (O) TV-1DA-100B | open/closed | CIA | closed | | |
| 39 (3) | SG1A Blowdown | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1BD-100A | open | CIA | closed | | |
Table 3.2.1.16-1. Containment Isolation (continued)

| Pen (Dia.) | Description | Valves | Normal | Signal | Fails | Screening | Model |
|---|---|---|---|---|---|---|---|
| 40 (3) | SG1B Blowdown | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1BD-100B | open | CIA | closed | | |
| 41 (3) | SG1C Blowdown | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1BD-100C | open | CIA | closed | | |
| 42 (2) | Compressed Air to Fuel Handling Equipment | (I) CV-1SA-15 | closed | none | as is | closed system | no |
| | | (O) MV-1SA-14 | closed | none | as is | | |
| 43 (1) | Air Activity Monitor - In | (I) TV-1CV-102-1 | open | CIA | closed | Containment | yes |
| | | (O) TV-1CV-102 | open | CIA | closed | | |
| 44 (1) | Air Activity Monitor - Out | (I) None | - | - | - | Containment | yes |
| | | (O) TV-1CV-101A | open | CIA | closed | | |
| | | (O) TV-1CV-101B | open | CIA | closed | | |
| 45 (3) | Primary Grade Water to PRT | (I) CV-1RC-72 | closed | none | as is | RCS - NC/FC Isolation Valve | no |
| | | (O) TV-1RC-519 | closed | CIA | closed | | |
| 46 (2) | Charging Fill Header to RCS | (I) CV-1CH-170 | closed | none | as is | RCS - NC/FC Isolation Valve | no |
| | | (O) FCV-1CH-160 | closed | none | closed | | |
| 47 (2) | Instrument Air | (I) CV-1IA-91 | closed | none | as is | closed system | no |
| | | (O) MV-1IA-90 | closed | none | as is | | |
| 48 (1 1/2) | Primary Vent Header | (I) TV-1DG-109A2 | open | CIA | closed | RCS | yes |
| | | (O) TV-1DG-109A1 | open | CIA | closed | | |
| 49 (3/4) | N2 Supply to PRT | (I) CV-1RC-68 | closed | none | as is | RCS - NC/FC Isolation Valve | no |
| | | (O) TV-1RC-101 | closed | CIA | closed | | |
| 50 | Spare | | | | | | |
| 51 | Spare | | | | | | |
| 52 | Spare | | | | | | |
| 53 (1) | N2 Supply to SI Accumulator | (I) TV-1SI-101-2 | closed | CIA | closed | RCS - NC/FC Isolation Valve | no |
| | | (O) TV-1SI-101-1 | closed | CIA | closed | | |
Table 3.2.1.16-1. Containment Isolation (continued)

| Pen (Dia.) | Description | Valves | Normal | Signal | Fails | Screening | Model |
|---|---|---|---|---|---|---|---|
| 54 | Spare | | | | | | |
| 55-1 (3/8) | SI Accumulator Sample | (I) TV-1SS-109A1 | open | CIA | closed | RCS - (Notes 7 & 9) | no |
| | | (O) TV-1SS-109A2 | open | CIA | closed | | |
| 55-2 (3/8) | Cnmt Leakage Monitoring - Open Taps | (I) None | - | - | - | Containment | yes |
| | | (O) TV-1LM-100A1 | open | CIA | closed | | |
| | | (O) TV-1LM-100A2 | open | CIA | closed | | |
| 55-3 | Spare | | | | | | |
| 55-4 (3/8) | PRT Gas Sample | (I) TV-1SS-111A1 | open | CIA | closed | RCS - (Note 9) | no |
| | | (O) TV-1SS-111A2 | open | CIA | closed | | |
| 56-1 (3/8) | Pressurizer Liquid Sample | (I) TV-1SS-100A1 | open | CIA | closed | RCS - (Note 9) | no |
| | | (O) TV-1SS-100A2 | open | CIA | closed | | |
| 56-2 (3/8) | RCS CL Samples | (I) TV-1SS-102A1 | open | CIA | closed | RCS - (Note 9) | no |
| | | (O) TV-1SS-102A2 | open | CIA | closed | | |
| 56-3 (3/8) | RCS HL Samples | (I) TV-1SS-105A1 | open | CIA | closed | RCS - (Note 9) | no |
| | | (O) TV-1SS-105A2 | open | CIA | closed | | |
| 56-4 (3/8) | SG 1A Blowdown Sample | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1SS-117A | open | CIA | closed | | |
| 57-1 (3/8) | Cnmt Leakage Monitoring - Open Taps | (I) None | - | - | - | Containment | yes |
| | | (O) TV-1LM-100A1 | open | CIA | closed | | |
| | | (O) TV-1LM-100A2 | open | CIA | closed | | |
| 57-2 (3/8) | Cnmt Leakage Monitoring - Open Taps | (I) None | - | - | - | Containment | yes |
| | | (O) TV-1LM-100A1 | open | CIA | closed | | |
| | | (O) TV-1LM-100A2 | open | CIA | closed | | |
| 57-3 | Spare | | | | | | |
| 57-4 | Spare | | | | | | |
| 58 (6) | CCR to RCP 1A | (I) TV-1CC-103A1 | open | CIB | closed | closed system | no |
| | | (O) TV-1CC-103A | open | CIB | closed | | |
Table 3.2.1.16-1. Containment Isolation (continued)

| Pen (Dia.) | Description | Valves | Normal | Signal | Fails | Screening | Model |
|---|---|---|---|---|---|---|---|
| 59 | Spare | | | | | | |
| 60 (6) | LHSI to HLs | (I) CV-1SI-13 | closed | none | as is | RCS - NC/AC Isolation Valve (Note 3); Three Check Valves (Note 3) | no |
| | | (O) MOV-1SI-890A | closed | none | as is | | |
| | | (O) MV-1SI-451 | closed | none | as is | | |
| 61 (6) | LHSI to CLs | (I) CV-1SI-10 | closed | none | as is | RCS - ESF Service (Note 11) | no |
| | | (I) CV-1SI-11 | closed | none | as is | | |
| | | (I) CV-1SI-12 | closed | none | as is | | |
| | | (O) MOV-1SI-890C | open | none | as is | | |
| 62 (6) | LHSI to HLs | (I) CV-1SI-14 | closed | none | as is | RCS - NC/AC Isolation Valve (Note 3); Three Check Valves (Note 3) | no |
| | | (O) MOV-1SI-890B | closed | none | as is | | |
| | | (O) MOV-1SI-452 | closed | none | as is | | |
| 63 (10) | QS Pump Discharge | (I) CV-1QS-4 | closed | none | as is | Containment - ESF Service (Note 12) | no |
| | | (O) MOV-1QS-101B | closed | CIB (open) | as is | | |
| 64 (10) | QS Pump Discharge | (I) CV-1QS-3 | closed | none | as is | Containment - ESF Service (Note 12) | no |
| | | (O) MOV-1QS-101A | closed | CIB (open) | as is | | |
| 65 (2) | Fuel Transfer Tube | (I) Blind Flange | closed | none | as is | Containment - (Note 5) | no |
| | | (O) Gate Valve (Note 5) | | | | | |
| 66 (12) | Outside RSP 2A Suction from Cnmt | (I) None | - | - | - | Containment - ESF Service (Note 13) | no |
| | | (O) MOV-1RS-155A | open | CIB (open) | as is | | |
| 67 (12) | Outside RSP 2B Suction from Cnmt | (I) None | - | - | - | Containment - ESF Service (Note 13) | no |
| | | (O) MOV-1RS-155B | open | CIB (open) | as is | | |
| 68 (12) | LHSIP 1A Suction from Cnmt | (I) None | - | - | - | Containment - ESF Service (Note 13) | no |
| | | (O) MOV-1SI-860A | closed | RS (open) | as is | | |
| 69 (12) | LHSIP 1B Suction from Cnmt | (I) None | - | - | - | Containment - ESF Service (Note 13) | no |
| | | (O) MOV-1SI-860B | closed | RS (open) | as is | | |
Table 3.2.1.16-1. Containment Isolation (continued)

| Pen (Dia.) | Description | Valves | Normal | Signal | Fails | Screening | Model |
|---|---|---|---|---|---|---|---|
| 70 (10) | Outside RSP 2B Discharge | (I) CV-1RS-101 | closed | none | as is | Containment - ESF Service (Note 12) | no |
| | | (O) MOV-1RS-156B | open | CIB (open) | as is | | |
| 71 (10) | Outside RSP 2A Discharge | (I) CV-1RS-100 | closed | none | as is | Containment - ESF Service (Note 12) | no |
| | | (O) MOV-1RS-156A | open | CIB (open) | as is | | |
| 72 | Spare | | | | | | |
| 73 (32) | Main Steam Loop 1A | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1MS-101A | open | SLI | closed | | |
| 73 (1 1/2) | Main Steam Line Drain | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1MS-111A | open | SLI | closed | | |
| 73 (3) | Main Steam to AF Pump | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) MOV-1MS-105 | open | none | as is | | |
| 73 (6) | Main Steam Atm. Dump | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) PCV-1MS-101A | closed | none | closed | | |
| 73 (6) | Main Steam Safety Valves | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) Safety Valves | closed | none | closed | | |
| 74 (32) | Main Steam Loop 1B | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1MS-101B | open | SLI | closed | | |
| 74 (1 1/2) | Main Steam Line Drain | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) TV-1MS-111B | open | SLI | closed | | |
| 74 (3) | Main Steam to AF Pump | (I) None | - | - | - | closed system (Note 8) | no |
| | | (O) MOV-1MS-105 | open | none | as is | | |
| 74 (6) | Main Steam | (I) None | | | | | |
}}