ML20116J531
| ML20116J531 | |
| Person / Time | |
|---|---|
| Site: | LaSalle  |
| Issue date: | 10/31/1992 |
| From: | Eide S, Lachance J, Payne A, Whitehead D SANDIA NATIONAL LABORATORIES |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-1386 NUREG-CR-4832, NUREG-CR-4832-V04, NUREG-CR-4832-V4, SAND92-0537, SAND92-537, NUDOCS 9211160212 | |
| Download: ML20116J531 (130) | |
Text
_ - _ _ _
j
)
N UR EG/CR-4832-SAND 92-0537-Vol. 4 i
Analysis of the LaSalle Unit 2 Nuc ear Power Plant:
Risk Methods Integration anc Evaluation Program (RMIEP) i Initiating Events and Accident Sequence Delineation ammmmmmmmm _
Prepared by A. C. Payne, Jr., S. A. iiide, J. C. LaChance, D. W. Whitehead Sandia National Laboratories Operated by
- Sandia Corporation P.epared for U.S. Nuclear Regulatory Commission p
s i
AVt ' LAD!LITY NOTICE Aimbsty of Revence Matends Ceed in NRO Pubhcaboos Most documents cited in NBC publications wiu be aval:able from one of the following sources.
1.
The NRO Pubbe Document Room 2120 L Street. NW. Lower Level, Washington. DC 20555 2
The Sucenntendent of Documents. U S Government Printing Off'ce. P.O. Box 37182. Washington.
DC 20013-7082 3
The Nabonal T echnt x inf ormation erece. Sprin;fioid. V A 22101 Al' hough the hsting thM foboes represents the majority of documents cited in NRO pubhcabcns, it is not intended to be ee.a.ntwe.
Ref erenced documents available for inspection and ccpying for a f ee from the NRC Public Document Room include NRO corresponconce and interna: NRC memoranda; NRC bul!etins circulars. information notices, inspection and investigatio 7tices; bcensee event reports. vendor reports and correspondence Comrrvs-ston papers, and apphcant ano licensee documents anu correspondence The foDo*Ing documents in the NUREG senes a e availabie for purchase from the GPO Sales Program-f orma: NRC staff and contractor reports. NRC-sponsored conf erence proceedings, international agreement reports, grant pubhcations, and NRC booMets and brochures. Also avadable are regu!atory gutdes. NRC regulations in the Coae of Feaerut Regulancr's. and Nuclear Regwatnry Commission Issuan:es.
Documents avaMab'e from the National Technica! Marmahon Sery;ce include NUREG, series reports and tecnnical reports prepared by other Federa a chc'es and reports prepared by the Atomic Energy Comm!s-r sion forerunner agency to the Nuclear R@aiory Commission.
Documents asadab'e from pubbc and specia! technical hbranes inciude all open hterature items, sJch as books. journa! et ctes, and transactions, Federaf Register notices, Federaf and State leg'stabon, and con-gressiona! reports can usuaMy be obtained from these huraries Documents such as theses. d ssertations. toreign reports and trans!at: ens. and non-NRC conference pro-ceeings are avanab'e for purcnase from the organ 2atico sponsonng the pubhcation caed Sog:e cop'es of NRO craft repo*ts are avadable free to the extent of suppy, upon wntten request to the Off.ce of Administration. D stribution and Mad Services Section. U S. Nucicar Regulatory Commission.
Wasvgton. DC 20555.
Cco:es of industry codes and standards used in a substantive manner In the NRC regulatory process are mainta<ned at the NRC Ubrary, 7920 Norf oN Avenue. Bethesda, Manf and, f or use by the pubhc. Codes and i
standards are usua y copynghted and may be purchased from the originating organcation or, if they are n
American National Standards, from the Amencan Nabonal Standards institute.1430 Broadway. New York NY 10018.
DISCLAIMER NOTICE This report was prepam as an account o' work sponsored by an agency of tne United States Govemment.
Netther the United States Government nor any agency thereof, or any of their employees, makes any warranty, expreesod or imphed, or assumes any lega! liabihty of responsibity for any inird pany's use, or the results of such use. of any information, appa atus, product or process d;sclosed in this report, or represents that its use by such third party would not intnnge prwate!y owned rignis.
l
~
m
NUREG/CR-4832 SAND 92-0537 Vol. 4 RX Analysis of the-LaSalle Unit 2 Nuclear Power Plant:
Risk '
ethods Integration and M
Evaluation Program (RMIEP)
Initiating Events and Accident Sequence Delineation Manuscript Completed: September 1992 Date Published: October 1992 Prepared by A. C. Payne, Jr., S. A. Eide', J. C. LaChance2, D. W. Whitehead Sandia National laboratories Albuquerque, NM 87185 Prepared for Division of Safety Issue Resolution Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555 NRC FIN A1386
' Currently with EI Inc., Idaho Falls, ID 2 Currently with SAIC Inc., Albuquerque, NM I
ABSTRACT This volume presents the results of the initiating event and accident sequence delineation analyses of the LaSalle Unit 2 nuclear power plant performed as part of the Level III PRA being performed by Sendia Naticnal Laboratories for the Nuclear Regulatory commission.
The initiating event identification included a thorough review of extant data and a detailed plant specific search for special initiators.
For the LaSalle analysis, the following initiating events were defined: aight general transients, ten special initiators, four LOCAs inside containment, one LOCA outside containment, and two interfacing LOCAs.
Three accident sequence event trees wm constructed: LOCA, transient, and ATWS.
These trees were general in nature so that a tree represented all initiators of a particulsr type (i.e.,
the LOCA tree was constructed for evaluating small, medium, and large LOCAs simultaneously).
The effects of the specific initiators on the systems and the different success criteria were handled by including the initiating events directly in the system fault trees.
In this way, if an initiator failed or partially failed a system, then the effects of the initiator would propagate correctly through the fault trees.
The initiator would appear in the sequence cut sets just like any other failure event.
The accident sequence event trees were extended to include the evaluation of containment vulnerable sequences.
In order te model this, additional events were added to the event trees in order to develop the sequences until resolution of the state of the core was obtained.
This process included: an expert elicitation of containment failure pressure, location, aad ize; the evaluation of reactor building environments as a result of cor ainment failure or venting using the MELCOR code; a determination of the location and type of equipment in the reactor building; the construction of simple Boolean expressions for failure of the systems in these severe environments; and an expert elicitation to evaluate equipment failure probabilities in these environments.
This methodology was used in simplified form in the NUREG-1150 analyses.
These internal event accident sequence event trees were also used for the evaluation of the seismic, fire, and flood analyses.
The systern fault trees were expanded to include cabling, piping, passive failures, multiple spurious actuations, and location information for all components, piping, and cabling.
The results of these analyses are presented in Volumes 8, 9, and 10 of this report, respectively.
-lii/iv-
TABLE OF CONTENTS f.eSD.
ABSTRACT...........................................................iil/iv LI ST O F FI GUR ES..,,................................................ vi i LIST OF TABLIS...
.......... ix FOREW0RD..........................................................
xi 1.0 Internal Initiating Event Analysis............................
1-1 1.1 Introduction............................................
1-1 1.2 Overview.........
....................................... 1-1 1.3 Methods.................................................
1-2 1.4 Analysis................................................
1 2 1.4.1 Initiating Event Identification.................. 1-2 1.4.2 Initiating Event Categorization....................
1-19 1.4.3 Anticipated Transient Without Scram (ATUS) Events.1-19 1.4.4 Quantification of Initiating Event Categories.....1-19 1.5 References..............................................
1-31 2.0 Accident Sequence Delineation.................................,2-1 2.1 Introduction...........................
.............. 2-1 2.2 Overview of Evaluation Process.......................... 2-2 2.3 Core Damage Functional Event Trees..................... 2-3
- 2. 3.1 LOCA Func tional Event Tree (L).................... 2-3 2.3.2 Transient Functional Event Tree................... 2-8 2.3.3 ATWS Functional Event Tree........................~2 13 2.4 Systems Available to Perform Required Functions........,.2 21 2.5 Success Criteria........................................ 2-21 2.5.1 LOCAs (L)......................................... 2-21 2.5.2 Transients With Automatic Reactor Scram........... 2-31 2.5.3 Transients Without Autcaatic Scram................ 2-32 2.6 Systemic Event Trees................................... 2-34 2. 6. 1 I DCAL............................................ 2 - 3 4 2.6.2 Transient With Scram..........
................... 2-42 2.6.3 ATWS Event Tree...................................
2-62 2.7 References............................................. 2-72
-v-j
1 LIST OF FIGURES Figure Page 1.1 Initiating Event Analysis Task Interfaces...................... 1-3 2.1 IDCA Functional Event Tree................................... 2 4 2.2 Transient Functional Event Tree............................... 2-9 2.3 ATWS Functional Event Tree................................... 2-15 2.4 LaSalle lhCA Systemic Event Tree.............................. 2-3P 2.5 LaSalle Transient Systemic Event Tree...............
......... 2-55 2.6 LaSalle ATVS Sys temic Event Tree.............................. 2 - 67
-vii-
LIST OF TABLES lable
- f. age 1.1 Potential Internal Initiating Events for LaSalle Unit 2....
..14 1.2 Summary of LaSalle Unit 2 Support System Special Initiator Search.
......... 1-11 1.3 Interfacing LOCA,'iping Survey.....
...... 1-17 1.4 Initiating Event Categories for LaSalle Unit 2...
... 1-20 1.5 Frequencies of LaSalle Unit 2 Initiating Event Categories.....1-26 2.1 LOCA Function / System Relationship.....
... 2-22 2.2 Transienc Function / System Relationship...................
.... 2-23 2.3 LOCA Success Criteria.................
.......... 2-24 2.4 Transient With automatic Reactor Scram Success Criteria....... 2-26 2.5 Transient Without Automttic Reactor Scram Success Criteria.... 2-27 6
2.6 Sequence of Events Following a Turbine Trip With Bypass....... 2-44 2.7 Sequence of Events Following a Turbine Trip Without Bypass.... 2-46 2.8 Sequence of Events Following an MSIV
'osure.
.... 2-47 2.9 Sequence of Events Following a Loss c1 Sondenser vacuum......
.2-49 2.10 Sequence of Events Following e Loss of Offsite Power.......... 2-52 i
-ix-
- C FOREWORD-LaSalle Unit 2 Level III Probabilistic Risk Assessment In recent years, applications of Probabilistic Risk Assessment (FRA) _ to nuclear power plants have experienced increasing acceptance and - use,
particularly in addressing regulatory -issues.
Although progress on: the PRA front has been impressive, the usage of PRA methods and insights to address _ increasingly broader regulatory issues has resulted'in the-need for continued improvement in and expansion of PRA methods to support the needs of the Nuclear Regulatory Commission (NRC).
Before any new PRA methods can-be considered suitable for routine use in the regulatory _ arena, _they need to be. integrated into the overall framework of a PRA,7 appropriate interfaces defined, and the utility of the_ methods evaluated.
The LaSalle Unit 2 Level III PRA, described : in this and associated reports, integrates.new methods and new applications
.of previous methods into a PRA framework :that. provides for this -
integration and evaluation.
It helps lay the bases for both the routine-use of the methods and the preparation of procedures ' that willtprovide-guidance for future PRAs used in addressing regulatory issues. These new-methods, once integrated into. the framework - of a PRA and evaluated, lead to a more comple t.e. PRA analysis, a better understanding 1 of the uncertainties in PRA results, and broadar insights into' the importance of plant design and operatienc1 characteristics to public risk.-
In order to satisfy the needs described above, the LaSalle Unit 2, Level III PRA addresses the following broad objectives:
1.
To develop and apply' methods to integrate internal, external, and dependent failure risk methods to. achieve greater _ efficiency, consistency, and completeness in the conduct-of risk assessments; 2.
To evaluate FRA technology developments and - formulate' improved-PRA procedures; 3.
To identify, evaluate, 'and <sffectively display the ' uncertainties in PRA risk predictions that stem from limitations L-in plant modeling, PRA methods, data, or physical ~ processes that-occur during the evolution of.a severe accident; p
4.
To conduct a PRA - on a BWR 5, Mark II nuclear power plant, ascertain the plant's dominant accident sequences, evaluate the core and containment response to accidents, _ calculate - the consequences of the accidents, and assess ' overall risk; and finally 5.
To formulate the=results in such a manner as to allow the.PRA to be easily updated and to allow testing of future improvements in
-methodology, data, and the treatment oi phenomena.
-xi-l J
The LaSalle Unit 2 PRA was performed for the NRC by Sandia National Laboratories (SNL) with substantial help from Commonwealth Edison (CECe/
and its contractors.
Because of the si: e and scope of the PRA, various related programs were set up to conduct different aspects of the analysis.
Additionally, existing programs had tasks added to nerform some analyses for the LaSalle FRA.
The responsibility for 'verall direction of the PRA was assigned to the Risk Methods Integrr.cion and Evaluation Program (RMIEP).
RMIEP was specifically re eponr!'le for all aspects of the Level 1 analysis (i.e.,
the core damage an n sis).
The Phenomenology and Risk Uncertainty Evaluation Progrr.m (FRUEP) was responsibic for the Level II/III analysis (i.e.,
accident pror,ression, source term, conserjuencF analyses, and risk integration).
Other programs provided support in various areas or performed some of the subavlyses.
These programs include the Seismic Safety Margins Research Program (SSMRP) at Lawrence Livermore National Laboratory (LlEL), which performed the seismic analysis; the Integrated Depent nt Failure Analysis Program, which developed methods and analyzed data for dependent failure modeling; the MELCOR Program, which modified the MELCOR code in response to the PRA's modeling needs; the Fire Research Program, which perforced the fire analysis; the PRA Methods Development Program, which developed some of the new methods used in the PRA; and the Data Programs, which provided new and updated data for BWR plants similar to LaSalle.
CECO provided plant design and operational information and reviewed many of the analysis results.
The LaSalle PBA was begun before the NUREG-ll50 analysis and the Lasalle program has supplied the NUREG-11~,0 program with simplified locetion analysis methods for integrated analysis of external events, insights on possible subtle interactions that come from the very detailed system models used in the LaSalle PRA, core vulnerable sequence resolution methods, methods for handling and propagating statistical uncertainties in an integrated way through the entire analysis, and BWR thermal-hydraulic models which were adapted for the Peach Bottom and Grand Gulf analyses.
The Level I esults of the LaSalle Unit 2 PRA are presented in:
" Analysis of the Iasalle Unit 2 Nuclear Power Plant:
Risk Methods Integration and Evaluation Program (RMIEP)," NUREC/CR-4832, SAND 92-0537, ten volumes. The reports are organized as follows:
NUREG/CR-4832 - Volume 1:
Su mary Report.
NUREG/CR-4832 - Volume 2:
Integrated Quantification and Uncertainty Analysis.
NUREG/CR 4832 - Volume 3:
Internal Events Accident Sequence Quantification.
NUREG/CR-4832 - Volume 4:
Initiating Events and Accident Sequence Delineation.
xii-
l NUREG/CR 4832 - Volume 5:
Parameter Est.mation Analysis and Human Reliability Screening Analysis.
NUREC/CR 4832 Voluae 6:
System Descriptions and Fault 're e Definition.
NUREC/CR-4832 - Volume ~7:
2xternal Event Scoping Quantification.
NUREG/CR-4832 Volume 8: Seisedc Analysis.
NUREC/CR-4832 Volume 9:
internal Fire Analysis, NUREG/CR-4832 - Volume 10:
Internal Flood Analysis.
The Level II/III results of the LaSalle Unit 2 PRA are presented in:
" Integrated Risk Assessment For the LaSalle Unit 2 Nuclear Power Plant:
Phenomenology and Risk Uncertainty Evaluation Program (PRUEP)," NUREC/CR-5305, SAND 90-2765,-3 volumes, The reports are organir.'d as follows:
NUREG/CR 5305 Volume 1: Mait Report i
NUREG/CR-5305 - Volume 2: Appendices A G NUREG/CR-5305 - Volume 3: MELCO'R Code Calculations Important associated reports have been - issued by the RMIEP Methods Development Program in: NUREG/CR-4834, Recovery Actions in PRA for the Risk Methods Integration and Evaluation Program (RMIEP); NUREG/CR-4835, Comparison and Application of Quantitative Human Reliability Analysis Methods for the Risk Methods Integration and Evaluation Program (RMIEP);
NUREG/CR-4836, Approacher to Uncertainty Analysis in Probabilistic. Risk Assessment; NUREG/CR 4838, Microcomputer Applications and Modifications to the Modular Fault Trees; and NUREG/CR-4840, Procedures for rhe External Event Core Damage Frequency Analysis for NUREG-ll50.
Some of the computer codes, expert judgement elicitations, and - other supporting information used in this analysis are documented in. associated reports, including: NUREG/CR-4586, User's Guide for a Personal-Computer-Based Nuclear Power Plant Fire Data Base;- NUREG/CR-4598, a. User's Guida for the Top Event Matrix Analysis Code (TEMAC); NUREG/CR-5032, Modeling Time to Recovery and Initiating Event ' Frequency for Loss of - Off-Site Power Incidents at Nuclear Power Plants; NUREG/CR 5088, Fire Risk Scoping Study: Investigation of Nuclear ' Power Plant Fire. Risk, Including Previously Unaddressed Issues; NUREG/CR-5174, A-Reference Manual for the Event Progression Analysis Code (EVNTRE); NUREC/CR-5253, PARTITION:_A.
Program for Defining the Source Term / Consequence Analysis Interface in the - NUREG-ll50 Probabilistic Risk Assessments, User's Guide ; -- NUREC/CR-5262, PRAMIS: Probabilistic Risk Assessment Model Integration System, User's _ Guide; NUREC/CR 5331, MELCOR Analysis for Accident ' Progression Issues; NUREC/CR-5346, Assessment of the XSOR Codes; and NUREG/CR-5380, A
-xiii-
..'I
I I
4 4
1 4
User's Manual for the Postprocessing Pro 6 ram PSTEVNT.
In addition the I
reader is di rec te.d to the N11 REC-1150 technical support reports in
- f. -
NUREC/CR 4550 and 4551.
Arthur C. Pa ne. Jr.
u Principal Invastigator l'honomenology and Risk Uncertainty Evaluation Program and 3
Risk Met. hods Integration and Evaluation Program Division 6412 Reactor Systerns Saf ety Analysis Sandia National Laboratories Albuquerque, New Mexico 87185 k
l 1
6 i
O F
'.h i
l r
1 xiv.
p-
f 1.0 INTERNAL INITI ATING EVENT ANALYSIS 1.1 Introduction i
r This section describes the methodologies used to identify and quantify the initicting events for the LaSalle Unit 2 Nuclear Power Plant.
An initiating event is defined as an anomalous event which requires a plant shutdown and challenges the plant syritems that can be used to mitigate the event (either safety or balance of plant systems that are included in the PRA nodel).
For such events, subsequent. failures in the modeled systems could result in core damage and radionuclide release. from the-fuel.
Initiating events occurring during startup, shutdown, refueling, or other modes of operation are not considered in this analysis, nor-are those events concerned with sources of radioactivity other than the core (e.g., the spent fuel pool, etc.).
The objective of_the initiating event task is to identify and quantify all probabilistically significant initiating events applicable to the LaSalle Unit 2 nuclear power plant that can occur while the plant is at power.
The remainder of this section contains an overview of the task, a methods review, and the actual analysis and results.
I 1.2 overview Hethodologies.used in the initiating event analysis. task may be grouped' into - those relating to identification and those relating to quantification. The methodology used for identification is that referred-to as a comprehensive engineering evaluation - ("PRA Procedures Guide,"
terminology).1 Identification of init atiny, events was perforaed first on a generic and then on a plant specif.c basis. The generic sources for initiators included the following:
1.
EPRI NP 2230,2 2.
Nuclear Power Exnerience,3 3.
NUREG/CR 3862,' and 4
Past PRAs of plants with similar characteristics.
Review. of these sources resulted in a list of initiating. events potentially applicable to the 1.aSalle Unit 2 design.
The second step in the identification of initiating events was a detailed study of the LaSalle Unit 2 design and operating experience, This step-was used to identify LaSalle specific initiators not already identified in the generic review, and to, evaluate those initiators identified in=the first step as to their applicability to LaSalle _ Unit 2.
The two steps described above were = applied to both the transient and loss-of coolant
- accidents' (LOCA) classes of initiators.
Wrious quantification methodologies were used, depending. on the type of-initiator.
Because of the limited operating experience for LaSalle Unit
.1 i
l 11 i
,~~;.__.__.
a..,-
A,
~.., _
-a___
,.., a..,.,, I
.E
l'
}
3 i
J i^
j 2,
generic frequencies obtained frorn U.S.
BWR commercial nucicar power plant experience were generally used.
Exceptions to this include the 4
}
LOCAs and certain special initiators which were evaluated on a plant +
i specific basis.
The relationship of the initiating event analysis, task to other systems j
analysis tasks is shown in Figure 1.1.
The basic input to this task was 1
f rom the plant design and operation information collection task.
The j
event tree analysis task interacted uth the initiating event analysis j
task in the grouping of initiators into categories.
Also the fault tree j
analysis task interacted with the initiator task in order to accurately determine the effect of an initiator upon systems responding to the
-]
j accident.
Finally, interaction also occurred with the data base and l
uncertainty analysis task in order to quantify the initiator frequencies.-
s l
Output from the initiating event analysis task,- a list of initiating j.
event categories and frequencies applicable to LaSalle Unit 2, was input-j to the event tree analysis task.
The initiator list was also input to 1
the fault tree analysis task so that initiators could be modeled in the fault trees and their effects on the systems could be - accurately represented, where appropriete.
f 1.3 Methoda No new methodologies were developed for the Initiating event analysis task.
The work essentially followed guidelines presented - in the "PRA Procedures Guide"1 and the "1 REP Procedures Guide'.S A survey of BWR.
l operational - experience and past PRAs was combined with a comprehensive j
analysis of the LaSalle Unit 2 design.-
Cornprehensive searches for special initiators ard interfacing system IDCAs were conducted._ The resulting initiating events were then grouped into categories based on similarity of effect on the-balance of plant -and safety systems' Finally, the initiating event categories were quantified.
1.4 Analysis r
1.4.1 Initiating Event Identification
-As mentioned in the overview, initiating event identification occurred in two - _ steps.
The first step involved a - survey of U.S. ; boiling. water reactor-(BWR) experience and various PRA: studies.
EPRI NP 2230,2 Nuclear
- Power Experience,8 and NUREG/CR 3862' were used in - the BWR - operating experience - survey.
The. EPRI NP 22;W source, represents events occurring -
at.16 different BWRs'over 102 plant years, spanning the period from 1964-
-through 1980.
NUREG/CR 3862 is 'an update of the'_ EPRIf analysis through 1983 using different. statistical techniques.
, Initiators identified; in this survey are listed in Table 1.1.
e 12
. ~
, ~ - -.. - _
i Event Tree Analysis n
Plant Design and Initiating Data Base and 0,:eration Information Event Analysis Uncertainty Analysis Collection o
II Fault Tree Analysis Figure 1.1 Initiating Event Analysis Task Interfaces 13
'l I
Table lil Potential Internal Initiating Events for LaSalle Unit 2 Potential Initiating Event Applicable to for LaSalle Unit 2 Initiator Type Source LaSal'_e Unit 2 (EPRI NP-2230 Nomenclature)
Study:
4 1)J Electric load rejection Transient (general)
EPRI NP-2230 Yes
-2)
Electric load. rejection with Transient (general)
EPRI NP-2230 Yes turbine bypass valve failure
- 3) Turbine trip Transient (general)
EPRI NP-2230 Yes
- 4). Turbine trip with turbine bypass Transient (general)
EPRI NP-2230 Yes i'
valve failure L
.5)
Main steam isolation valve closure Transient (general)
EPRI NP-2230 Yes p..
- 6) Inadvertent closure of one main Transient (general)
EPRI NP-2230 Yes (above 80% power) steam isolation valve 7): Partial main steam isolation valve Transient (general)
EPRI NP-2230 Yes closure.
- 8) Loss of normal condenser vacuum Transient (general)
LTRI NP-2230 Yes
.9)-
Pressure regulator fails open Transient (general)
EPR1 NP-2230 Yes
- 10) Pressure regulator fails closed Transient (general)
EPRI NP-2230 Yes 11). - Inadvertent opening of a Transient (general)
EPRI NP-2230 Yes
- (stuck) safety / relief. valve
- 12) : Turbine' bypass fails open Transient (general)
IFRI NP-2230 No (does not cause a plant trip)
Y.
.e y..v p
~
q
, +..
n y-,,
s
,uw,-
em y
w,
e--
.e.-
w -,..,- -,
n '
i i
I L
Table 1.1 Potential Internal Initiatin6 Events for LaSalle Unit 2 (Continued) f Potential Initiating Event Applicable to for LaSalle Unit 2 Initiator Type Source LaSalle Unit 2 (EPRI NP-2230 Nomenclature)
Study:
i
- 13) Turbine bypass or control valves Transient (general)
EPRI NP-2230 Yes
-cause increased pressure (closed)
- 14) Recirculation control failure -
Transient (general)
EPRI NP-2230 Yes 4
increasing flow
- 15) Recirculation control failure -
Transient (general)
EPRI NP-2230 Yes decreasing flow 7
- 16) Trip of one recirculation pump Transient (general)
EPRI NP-2230 Yes
['
- 17) Trip of'all recirculation pumps Transient (general)
EPRI NP-2230 Yes i
t
- 18) Abnormal startup of idle Transient (general)
EPRI NP-2230 Yes l
n recirculation pump l
i 19)' Recirculation pump seizure Transient (general)
EPRI NP-2230 Yes i
EPRI NP-2230 Yes at power i
- 21). Loss of feedwater heater Transient (general)
EPRI NP-2230 Yes j
5 i-
EPRI NP-2230 Yes 1
i j'
EPRI NP-2230 Yes
-(or condensate pump) i t
24)
Feedwater -- low flow at power Transient (general)
EPRI NP-2230 Yes
~
~
i 1;
Table 1.1 Potential Internal Initiating Events for LaSalle Unit 2 (Continued)
[
l Potential Initiating Event Applicable to j
for LaSalle Unit 2 Initiator Type Source LaSalle Unit 2 j
(EPRI NP-2230 Nomenclature)
S*udy:
{
'?
EPRI NP-2230 No - startup/ shutdown startup or shutdown events are not considered l
EPRI NP-2230 No - startup/ shutdown
'L startup or shutdown events are not i
considered I:
f
- 27) Rod withdrawal at power Transient (general)
EPRI NP-2230 Yes l
Transient (general)
EPRI NP-2230 No - startup/ shutdown
- 28) High flux'due to rod
~
withdrawal at startup events are not i
considered j
- 29). Inadvertent insertion of rod Transient (general)
EPRI NP-2230 Yes or rods
- 30) Detected fault in reactor Transient (general)
EPRI NP-2230 Yes protection system l
l
- 31) Loss of.offsite power' Transient (general).
EPRI NP-2230 Yes f
- 32) Loss of auxiliary power (loss Transient (general)
EPRI NP-2230 Yes of ' auxiliary transformer)
[
- 33) Inadvertent.startup 'of HPCI/HPCS.
Transient (general)
EPRI NP-2230 Yes f
EPRI NP-2230 Yes I
l
- 35) Spurious trip via' instrumentation, Transient (general)
EPRI NP-2230 Yes reactor protection system fault
=
i
~
Table 1.1 Potential Internal Initiating Events for LaSalle Unit 2 (Continued)
Potential Initiating Event Applicable to for LaSalle Unit 2 Initictor Type Source LaSalle Unit 2 (EPRI NP-2230 Nomenclature)
S tudy:
- 36) Manual scram - no out of tolerance Transient (general)
EPRI NP-2230 Yes condition
- 37) Cause unknown Transient (general)
EPRI NP-2230 Yee I
- 38) Partial loss of compressed gas
. Transient (special)
Nuclear Power
'Yes system Exrerience 39)- Complete' loss of service Transient (special)
Nuclear Power Yes water system Experience 40)' Loss of.an emergency AC bus Transient (special)
Nuclear Power Yes
{
4 4
Experience
- 41) Partial loss of reactor vessel Transient (special)
Nuclear Power Yes vater level measurement system Experience 4
i
Past PRAs Yes t
- 43) Small primary system LOCA LOCA Past PRAs Yes inside containment 44)- Medium primary system LOCA LOCA Past PRAs Yes f
inside containment t
inside containment i
l
~
m..
6 i
].
i.
l l
r i:
ie i
i 3
Table 1.1 Potential Internal Initiating Events for LaSalle Unit 2 (Concluded) l Applicable to Potential Initiating Event for leSalle Unit 2 Initiator Type Source LaSalle Unit 2 Study:
[
(EPRI NP-2230. Nomenclature) f 4
-f
- 47) Reactor vessel rupture 4
- 48) Interfacing system IDCA t
i f
4-t i
I l
4 i
t f
i
)
l i
i.
w
i The operational exp.rience search was supolomented by examining Nuclear Power Exntt}tuf 3 Tor events of significance in EVRS similar to LaSalle Unit 2.
The plants included were the following:
1.
LaSalle Unit 1 t
2.
Nine Mile Point Unit 2, 3.
Brunswick Unit 1, 4.
Brunswick Unit 2,
$4 Peach Bottom Unit 2, and 6.
Peach Bottom Unit 3.
At the time of the search, N.uclear Power Exoerfence was up to date I
through April 1984, which means that plant events through approximately l
January 1984 were included.
Therefore, the search of this source was both a check of the comprehensiveness of the EPRI NP 2230 event categories and an. update of recent years experience.-
The search of Nuclear Power Exoerlence resulted in four additional initiators being identified:
1.
Partial loss of compressed gas system, 2.
Loss of service water system,_
3.
Loss of an emergency AC bus, and 4.
Partial loss of reactor vessel water level measurement system.
These initiators are also listed in Table 1.1.
1 Several PRAs of BVRs were alss surveyed.
The studies were:
1.
Shoreham,5 2.
Limerick,7 and j
3.
Peach Bottom.e From these studies, additional initiating events were -identified which' are also shown in Table 1.1.
In general, the new events _ from these sources fell in the LOCA category, l
The initiating events identified in Table 1.1 are historically divided into two groups: Transients and LOCAs.
The transient category may be i
further divided into general and special initiators.
Special initiators involve failures in support systems which result in both-a plant trip or shutdown and adverse effects in one ' or more of the systems used to-mitigate the accident.
The LOCA category may be subdivided into LOCAs -
within containment. - LOCAs outside containment, and interfacing system LOCAs. The divisions are shown in the table.
In general, the transients.
are frequent enough such that. they appear -in the operational survey of.
l U.S. BVRs.
Although very small leakages in primary systems of BWRs have.
occurred, the sizes covered in the LOCA categories _in Table 1.1 have not 7
l
-yet occurred.
(An exceprion is the small LOCA, which has occurred when primary pump seal' leakages are counted.)-
I l
19 l
-+-.---s,
--*e-P 4
de
- W e sw+
+--re--
-- = - - -
e--y+-++-vv,v*--
v--r-v e-v-
v
%v
The second step in the initiating event identification process involved a review of LaSalle Unit 2 inforation to < limitat e any initiators from the first step which ar e not applicable to LaSalle or to this study and to identify any additional initiators specific to LaSalle.
The following initiators from Table 1.1 were found not to be applicable:
Initiator Branon Not At'rM tahlg
- 12. Turbine bypass fails open Does not cause a plant trip at LaSalle Unit 2.
llowever will require a controlled shutdown.
- 25. Low feedwater flow during Only events occurring while the startup or shutdown plant is at or near full power are considered in this study.
- 26. litch feedwater flow during Only events occurring while the startup cr shutdown plant is at or near full power are considered in this study.
- 28. Ili ;h flux due to rod only events occurring while the withdrawal at startup plant is at or near full power are considered in this study.
In addition, all support systems for LaSalle Unit 2 were examined for failures which would cause a plant trip and which would adversely affect front line systems (i.e., thote systems that could mitigate the accident and which were included in the FPA model).
Such a search is used to identify what are termed special initiators or special transients.
The results of this examination are shown in Table 1.2.
Twenty two special initiators are identified in the table.
llowever, six of these can be included as contributors to the loss of all feedwater and loss of condenser vacuum general initiators listed in Table 1.1.
Another six can as indicated in the table.
The be subsun.ed by other special initiators remaining ten special initiators are listed below:
1.
Loss of 125 VDC bus 2A, 2.
Loss of 125 VDC bus 2B, 3.
Loss of 4160 VAC bus 241Y, 4.
Loss of 4160 VAC bus 242Y, 5.
Loss of instrument air (IA),
6.
Loss of normal drywell pneumatic (IN, instrument nitrogen),
7.
Loss of 100# drywell pneumatic, 8.
Total loss of reactor vessel narrow tange level instrumantation (false high level indications),
9.
Loss of channels A and C of the reactor vessel narrow range level instrumentation (false high level indications), and
- 10. Loss of channels B and D of the reactor vessel narrow range level instrumentation (false high level indications).
1 10
A t
E i
Table 1.2 Summary of LaSalle Unit 2 Support System Special Initiator Search
[
Teilure Causes a Reason for yront-line or Support Cerered by i
Support Systers Reactor Scram?
Reactor Scram System Affw ted Special Inittster?
General Yransient Yrenstant l
Electrieel Pewer 250 VDC Bus 2 No Laector Core Isolation No Cooling (RCIC) 125 VDC Bus 2A Bigh probability High pressure in Condensete, ADS, RER LPCI, Yes No drywell or high LPCS, RPS reactor water level or TW or CDS trip Bus 2B High probability High pressure in FW, ADS, RER, LPCI, RPS Yes No
(
drywell or hi;)
reactor water level or IW or CDS trip j
l H.
Bus 2C No EK S, DGs No L
g 4150 VAC Bus 241Y Eigh probability CRD low pressure RER, LPCI, LPCS, DGs, Yes No i
or high containment CRD, RBCCW, IN, RPS pressure Bus 242Y Bish probability CRD low pressure RER, LPCI, DGs, RECCW, Yes No or high ctstairssent CRD, RPS pressure Bus 243Y Ne HPCS No Bus 241X Yes, if powr is Loss of eendenser Service Water Yes Loss of condenser not reduced qu*ckly vacuuss vecmas r
Bus 242X Yes, if power is Loss of condenser Service water Yes Loss of condenser not reduced quickly vacusas vacmas 6100 YAC Bus 251 Yes, if power is EBC instabilities Condensate Yes Loss of ell PW not reduced galckly I
Bus 252 Yes, if power is EBC instabilities IW Yes Loss of all Pw r
not reduced quickly See Note 1 for abbreviations.
{
t Table 1.2 Summary of LaSalle Unit 2 Support Systern Special Initiator Search (Continued)
Failure Causes a Reason for Front-line or Support Covered by Support System Reactoe Scram?
Reec*ar Scram Systern Affected Special initiator?
General Translant Transient Cooline Water Service Water System Shutdown s equired Recirculation pop Condensate,. W Yes Loss of Condenser (SWS).
seal failure vacuum Turbine Building Closed Shutdown required Generator Condensate, W Yes Loss of all FW Cooling Water (TBCCW) overheating Reactor Building Closed Shutdown required Recirculation pump None No Cooling Water (RBCCW) seal failure Core Standby Cooling-No RE2, LPCI. LICS No Systema (CSCS)
Compressed Gas g
Service Air (SA)
No None No Instrument Air (IA)
Shutdown required CRD discharge vol m e N,PSITs Yes No high or control rods drift up Normal Drywell Shutdown required fCIV closure ADS, M51Ys SRYs Yes No Pneumatic (IN or DPS) 100f Drywell Shutdown required MSIV closure MSIYs, SRTs Yes No Pneumatic (IN or DPS) '
Beatier Ventiletion. and g r-Conditionitz Primary Centeirament No None No Auxiliary and Radweste No None No Area Ventilation Turbine Building Area No None No Ventilation See note 1 for abbreviations.
.m.
i b
Table 1.2 Summary of LaSalle Unit 2 Support System Special Initiator Search (Continued) d f
Failure Causes a Reason for.
Front-line or Support Covered by
- upport System keector Screm?
Reactor Scram System Affected Special Initiator?
General Yransient Yransient Control Room Ares Ventilation i
Control Room No Operator environment No Auxiliary Electrical No Control and instrumentation No Equipment Room i
Engineered Safety Features i
Switchaeas Heat No Many No Removal DG Fact 11 ties
~ No (not normally DGe No Ventilation running) i
. CSCS Equipment Areas No (not normally RER. LPCI, LPCS No Cooling..
runnir4)
=
Miscellaneous All Reactor Yessel Yee RFY high level.
Yes (Fail High Chly, No Narrow Ranse Level lew level does LPCS, RFS Reference Lege)
Instrumentation not degrade systems Channel A 0.5 IW control fallure FW f ails, EICS Yes No, see A T (Reference Leg) and RFS degraded bele=*
Channel B.
0.5 IW control failure IW failed. ADS, RER B&C.
Yes No, eee B*D j
(Reference Leg)
RCIC. and RFS degraded belo=*
i Channel C No HPCS, RFS No (Reference Les)
Channel D No ADS, RER A. LICS, RCIC.. RFS Fo 5
(Reference Leg)
See note 1 for abbrosiations.
~-
~~.
.- ~
- _ - - ~ ~ ~ ~
i
(
1
. Table 1.2 Surmnary of LaSalle Unit 2 Support Systern Special Initiator Search (Concluded) s.
Teilure Causes a Reason for Front-lio, or Support Covered ty l
Support System Reactor Seren?
Reactor Scram Systee Affected Special Init iator?
General Transient Transient l
l Channels A*B or A*D Yes RPS scres on high FW failed. HPCS, RCIC ADS, Yes No. see A*C t
j or C*B er C*D.
level and either LPCS*RER A or RER er B*D belew*
(Reference Legs)
B*C degraded
[
Channels A*B or C*D Yes RPS scram on low FW, HPCS, RCIC. ADS RER, Me (Variable Legs)-
level and RPS Auto Actuation of systems
[
Channels A*C 0,5 FW control system FW, HPCS failed, RPS Tes Mc2 (Reference Legs) degraded Chennels B*D 0.5 fu control system W. RCIC ADS. LPCS RER Yes 902 (Reference Legs) failed. KPS degraded
?
\\
L 7
Note 1 ' ADS = Automatic Depressurization system, CDS = Condensate system, CRD = Control Rod Drive system. CSCS - Core Starvfby Cooling system. DGs
{
Diesel Generators, EBC = Electro-Eydraulic Centrol system. FW = Feedwater system, HPCS = High Pressure Core Spray system. IA
Instrument Air system. IN (DPS) = %trument Nitrogen (or Drywell Pneumatic) system. LPCI = Lew Pressure Ce:Lant Injection erstem. LPCS =
i Low Pressure Core Spray system, P! SIT = Main Steam Isolation valves. RBCCW = Reector Buildins Clesed Coolins Weter system. ROIC = Reacter f
Core Isoletion Cooling system, RER = Residual Heat Removal system, RPS = Reacter Protection system. SA = Service Air system. SRT - Safety
[
Relief Yalves, SWS = Service Water system. TBCCW = Turbine Buildirs Closed Cooling Water system.
All these systems are described in i.
detail in volisme 6 of this report.
j Note 2..Rather then model all of these as separate initiators. A*C and B*D were used used to represent the rest.
These two effect the minimas and maximum systems of all the possible combinations that can also result in reacter seres. They represent, therefore, the mininitse end maximaze impact on the plant of instrument line failures that also fail responding systems. These initiators were not significant for the intemal events enetysis but were included so that. they could evaluated in the seismic analysis where C ltiple pipe failures were thought to be more likely. For LaSalle, pipe failures were unisely even in seismic events and so these initietors do not shw wp==
important in the overall analysis.
i
?
r i
i h
I i
4 l
1 1
~
e
All of these types of special initiators are covered by the list in Table 1.1.
However, the special fi.itiator search resulted in specific events being identified.
For example, under the general event concerning loss of an emergency DC bus, the applicable events for LaSalle Unit 2 are j
losses of buses 2A and 2B, but not bus 2C.
i i
The special initiator search was conducted in the following manner: (1) the initiating event analyst tamined the reactor - trip system and determined all parameters whose variation could result in a plant trip, (2) the systems analysts, in the process of modeling the front line and support systems, looked for direct and indirect connections to balance of plant systems and the parameters which could potentially result in plant trip and where failures of systems or components could degrade the i
modelet systems and simultaneously result in a plant trip, (3).some of j
the initiators were evaluated using the LaSalle simulator to see if the simulator would-predict a plant trip, (4) all potential special initiators were discussed with system engineers at the architect / engineer.
(A&E) for LaSalle, Sargent & Lundy, and the PRA - team's analysis was-
' evaluated to determine if the trip would actually occur for each special initiator, and (5) the systems and initiating event analysts evaluated-whether _ or not the initiator should be represented -- in the model as _ a special initiator or included.in some previously defined class.
The LOCA search for LaSalle Unit 2 was-divided into three categories:
LOCAs inside containment, LOCAs outside containment, and interfacing-system LOCAs.
For LOCAs within containment, the following systems had piping which was a_part of the primary system:
1.
Recirculation loops, 2.
Reactor Water Cleanup (RWCU) within the containment, 3.
Residual Heat Removal (RHR) (except for containment spray) within the containment, 4.
Reactor Core Isolation Cooling (RCIC)' piping.within the containment, 5.
Standby Liquid Control (SLCS) piping within the containment,
- 6.
Control Rod Drive-(CRD)_ piping within the containment, 7.
High Pressure Core Spray (HPCS) piping within the containment, j
8 Hain steamlines within the containment, and 9.
RCIC/RHR steamline within the containment.
Distinctions were made for the Small, Medium, and LarSe LOCA-cases.
The Small LOCA case was defined as-a liquid or steam pipe _ break small enough auch that RCIC. would. be sufficient to keep the core covered.
24708Ae indicates that, for BWRs with - primary system characteristics similar to - LaSalle,- liquid pipe breaks up - to and including 0.005 ft 4
-(1-~ inch diameter) and steam pipe ' breaks up to and including' O.1 ftz l
(4-inch diameter)'er-be handled by RCIC.
_A Large LOCA.was_ defined as a steam 1 liquid pip break large enough to cause' rapid ;enough vessel
)
_ depre' rization suen that the low : pressure : injection systems could opera
- uccessfully to prevent core. damage.
Based on _ information-
)-
presented in NEDO 24708A,e ste.,m f and liquid pipe break sizes greater 4
1 15 9 -
t=w-*-+a--ewa-t-,
ww re ev win-'----9 P -T
--e--+T1P
--<w F-W rnv'-
-'-W-
-*-w--
m
- t-w-
w-m w<wwr-wwwr r Jw
-e e
,-e e
a---u
than or equal to 0.3 it2 (8 inch diameter) were considered to be Large LOCAs.
Finally, Medium Lucia covered liquid pipe breaks of the range
>0.005 to <0. 3 f t2 and steam pipe breaks of the range >0.1 to <0.3 fta, Transient Induced LOCAs resulting Irom stuck open safety _ relief valvee (SRVs) which discharge to the suppression pool through the SRV discharge lines and not directly into *he drywell were also divided into Small (1 SRV stuck open), Medium (2 SRVs stuck open), and Large (3 or more SRVs stuck open).
Transient sequences having transient induced LOCAs were evaluated separately from standard LOCAs.
LOCAs outside of the drywell were divided into three separate cases:
steamline breaks, feedwater or condensato piping breaks, and in_terfacing system LOCAs.
For steamline breaks, closure of the main steam isolation valves (MSIVs) is required in order to isolate the break from the reactor vessel.
The size of the break is not an important consideration, assuming that MSIV closure occurs.
Therefore, only one initiating event was used to represent all steamline breaks outside of the dryvell.
Accident sequences consisting of steamline breaks followed by failure of the inboard and outboard MSIVs to close and failure of sufficient systems probabilistically negligible.
such that core damage may result are Similarly, a steamline break outside the primary containment but before the outboard MSIV with failure of the inboard MSIV and sufficient systems such that core damage may result is also negligible. The flood analysis, reported in Volume 10 of this report, considered the effects of unmitigated steamline breaks and found them to,be negligible.
The second type of LOCA considered outside of the ' containmnnt was a feedwater. or condensate piping break.
Because the feedwater lines penetrating the containment each have two check valves in series, isolation of a pipe break from the reactor. vessel is automatic. A single initiator was used to represent ruptures in the feedwater or condensate systems.
The flood analysis, reported in Volume 10 of this report, considered the effects of pipe breaks in all systems and found them to be negligible except for two breaks in the service water piping.
Interfacing system LOCAs are the third _ type of LOCA outside of the containment. A comprehenaive search was conducted for piping penetrating the containment and connecting to the_ primary system.
Water lines with diameters of one-inch or larger were considered, as were 'steamlines with diameters of four-inches or larger.
The results are shown in_ Table 1.3.
The table indicates the containment isolation valves in each line, and whether or not the piping outside of the. containment is rated for high pressure.
A line was considered to - have potential for an interfacing system LOCA if piping beyond the_ isolation valves is ' rated only for low :
pressure or if there are fewer than two isolation valves.
The following lines were considered to have-the potential for interfacing system lhCAs:
~
1.
RHR suction from recirculation loop A for shutdown cooling (one),
2.
RHR injection for shutdown cooling to recirculation loop A and B e
-(two),
1 16 l
I l
i l
i Table 1.3 Interfacing IDCA Piping Survey Pipe No.
Isolation Velves Bish Pres.
Possible Significant Piping Description and Size Inside Drywell Outside Drywest Piping Beyond?
Interfacing System LOCA7*
Water Ploina (21")'
- 1) REit suction from rectr9 2RR18A-20 1 707 1907 Yes (treated es No)
Yes Loop A
- 2) RER S/D.coling return 2RR07AA-12 1 check 1 907 Yes (treated as Ne3 Yes to recirc. Loop A or 1 POV (2* line)
- 3) RER S/D cooling return 2RR07AB-12 1 check 1 POV Yes (treated as No)
~.* e to recire. Loop B
- 4) RWCU suction frena 2RTD18-6 1 check 1 check Yes No recire. Loops A and B S) 3145 injection line 2sco23-1 1/2 1 check 1 check Yes so
[
- 7) RER reactor vessel 2RB40BA-12 1 check 1 fCY Yes (treated as No)
Yes I
injection line (LPCI)
(2RR40BB-12)
(Yhere are three lines)
(2RH535-12) 2
Yes
- 10) JW inlet line 2JWO2BA-24 1 check 1 check Yes No (Yhere are two lines)
(27WO2BB-24) and 1 MOV i
2
etc.
Note - there are also 185 3/4" withdrew lines with siallar configurations
- If there are two or more isolation valves plus high pressure piping beyond the valves (outside the drywell), then the Joe was not censidered to have significant interfacing system LOCA potential. Randesa failure of high pressure piping plus failure of two or more wives to isolete the break was considered to be negligible compared with cases =bere low pressure piping would be subjected to high pressure.
j
l i
i Table 1.3 Interfacing IDCA Piping Survey (Concluded)
- i..
Pipe No.
Isolation Velves Eigh Free.
PossLble Significent Piping Description and Size Inside Drywsil Outside Dry wil Piping Beyond?
Interfacing System LOCA?*
h l
Steamline Pipinz (24")
6
- 12) Main'atoesline M 1EA-25 1 gmemetic 1 pneumatic les No
. (four of them)
(2MS01EE-26)
(MSIV)
(MSIV)
- (2PE01EC-26 )
(2PE01ED-26)
{
steamline
- 14) RCIC/RER heet excbenser 2RIO1A-10 1 tCT 1tm Yes No i
steemline If there are two or suore isolatian valves plus high pressere piping beyond the volves (outside the drywell), then the line was net censidered to beve significant interf acing system 10CA potential. Random failure of high pressure piping plus failure of two or more valves to isolete the break was considered to be negligible compared with cases where le= pressurt-piping would be subjected to high pressure.
w e
W CD h
r s
i I
l i
i
?
t i
nc n -
3.
Low Pressure Coolant Injection (LPCI) and Low Pressure Core Spray (LPCS) injection lines (four), and 4.
CRD drive water insert lines (185).
The RiiR, LPCI, and LPCS systems are low pressure systems; but, at leSalle, the piping in these systems was the same as that used for the i
high pressure systems.
The pipin6 itself, therefore, is high pressure piping.
lioweve r, the piping was treated as low pressure piping in evaluatin8 the potential for interfacing LOCAs in these systems.
1.4.2 Initiating Event Categorization in order to minimize the event tree development efforts, the initiating events were grouped into categories.
Grouping was accomplished by l
examining the following effects on the plant of each initiatin6 event:
1.
Trip signals expected following the initiator, 2.
Plant systems required to respond to the initiator, and 3.
Effect of the initiator _ on the availability of plant systems required to respond.-
Initiators that resulted in a similar plant response were combined into a group.
The final initiating event categories for LaSalle Unit 2 are shown in Table 1.4.
Twenty-two categories were used.
The - unique characteristics of each category are also listed in the table.
~,
1.4.3 Anticipated Transient Without Scram (ATWS) Events All of the initiators that lead to a plant trip, with the exception of two, can also occur with subsequent failure to scram.
The events that can-not have a subsequent failure to_ scram were initiating events 35 and 36, both 'of_ which involve scraming_ of-the reactor when no _ out of tolerance conditions exist.
In such a case, successful reactor scram has i
occurred by definition of.the event and failure to scram is not possible.
For this analysis, a separate evaluation of the turbine trip with turbine-bypass available - category with these two events removed was not performed.
While this-initiator category will have.a frequency for ATWS events that is - slightly high, this difference is wellwithin the-uncertainty bounds of the initiator frequency-and does not,significantly affect the final results.
1.4.4-Quantification of Initiating-Event Categories Quantification of the LaSalle Unit 2 initiating _ event categories listed-in Table' 1.4 can be divided into four separate cases.
The four cases are:
1 1-19
-- ~ -
S Table 1.4 Initiating Event Categories for IaSalle Unit 2 Initiating Events Included EFRI NP-2230 Cecewnts Initiating Event Transient Designator Categor-Mesiets (Geeral)
BWR1 Mein steem stop velves 1)
Turbine trip with turbine 11 Electric load rejection clo.wre se orpected to bypese sveilable cause e reactor trip BWR3 for these initteting
- 3) Turbin, trip events.
Ma o of the
- 14) Recirculation control failure - increasing flow BWR14 eefety systme are effected.
- 15) Recirculation control f ailure - decreasing flow BWR15 BWR16
- 16) Trip of one recirculati;.e pump F4t17
- 17) Trip of eli recirculation pumps BWR18
- 18) Abnormal startup of idle recirculotton pimp v*
BWR19
- 19) Recirculet.on purup seizure to O
BWR2C
- 20) Teodwater - increasing flow at power BWRJ1
- 21) 1.oss of Teodester boeter BWR27
- 27) Rod withdrawal at power BWPl9
- 29) Inadvertent insertion of rod er rods BWR3C
- 30) Detected fazit in reactor protection systme BWR33
- 33) Inadvertent startup of EPCI/FJC5 BWR34
- 34) Scram due to plant occurrences BWR35
- 35) Spurious trir vie instrurmentetien.
reactor protection system fault BWR36
- 36) Manasi scram - no out of tolerance condition BWR37
- 37) Cause unknown I
l t
I I
i i
I Table 1.4 Initiating Event Categories for LaSalle Unit 2 (Continued)
Initiating Event Initiating frente Included EI1tI NP-2230 Coeusents l
Ca.egory
. Transient Designator 2)
Turbine trip with turbine
- 2) Electric load rejectice with turbine bypass B'R2 Siellar to category 1 bypese uneveilable velve failure but with failure of the turbine bypass. It is
- 4) Turbine trip with turbine bypass velse failure BWR4 aostmood that initiating events 10 and 13 result i
i
- 10) Pressure regulator fails closed BWR10 in loss of the turbine bypass.
f
- 13) Turbine bypass er control velves cause BWR13 increased pressu-o (closed) i 3)
Total main steam isolation
- 5) Main steers isolation velve closure ImRS Main eteem isolation valve valve closure closure is orpected to cause e
]
reactor trip. It is essweed i
- 6) Inadvertent closure of one main steam BWE6 that reopening of the velves is l
isolation valve not possible. In such a case y
7 the turbine 4 riven feedwater
.L PO
- 7) Fertial main steam isolation valve closure BWR7 pumps and the turbine bypass f
are lost. It is assurned that j
- 9) Pressure regulator fails open BWR9 initteting events 6, 7. and 9 lead to closure of eli esin 1
9 steem isolation velves.
4)'
Loss of normal conJenser
- 8) Loss of normal condenser vacutaa
- BWR8 1.ow conde.iser vecmse is orpected to result in a tuttine I
trip and = feessater trip.
3 hector Trip occurs as a result of main steen stop velve clusure. The motor-driven a
feedweter pump starts entomatically upon feedwater trip. The turbine-driven i
feedwater pumps and turbine bypeos are lost.
3)
Total less of feedwater
- 22) Irss of feedwater flow BWR22 loss of all feedweter, including the motor-driven puwp, occurs.
esstmoed to be possible. Reacter
level in the roector r 1
{
+
i'
- !I tf!
)
iI
[t f!,[}
r j y}f}
tI[ih[*
- lijII![I
!I i-s kLI f
d
.rMd o
sf p o
ns s
r l
it es r
o l l en s oe1
.ai f
oyc t e e
u e
h n.
t ai car l eW
.aA rspd rs
.S ri ewF
,2 ti ps nueTC er ae c mt ae wy l
trl a
aat et yrf oR s oMasvCP h
td utb epm s
eR s rd ore u wL I ol PL g re b
a ri os e t
d tRb o
C
.l oL i ows rt a s i
.n f sn l
BSCv Y '
h dV
.rl RP
.1 l oI s
s si h oso
. r ei ct u r
nR4 D eeS S t e i
ari f es g
ocS o D s R.
e.
itl Df R s1
) oE2 R vTM av tl ea f c hl WA C e nYiR Ce ywe e a nt t or rd n uea n uoe u
.T r
,i1 t s
l
.d nhl o l ot r e s n f o s pra4 af u m
t r s
r z
oee g eb t at c
l s u
eeof os e
er2l ob oef a c
a es rrio l
rll t( o rni o ef uM,ruh r uo f
t sA fl l s sr f at rb s
t o
o t.
a ot
.t cg f edl aa s e eiI rieo l dt
.t pwh o
sf po u
c w e
oci ow c
p l ss s
i yc
,sd s ivd o td t s noh os i soos o
e a r s pr e resl oro rr ps ro,
r e
)
s uv t
i l ul tdl meel o t erd d
t g m i uflf e
s g
n nu d cil oe occl e
m c
l u wbtl e
rrl a.
u C
ris ec i
r l i c a rrr al cs rhep t eA oao
,d ans mo:wt u rov oueraoi ogw ui t h r e
ti yD n
'c. s l t itis chrR l i a m
r l s l t ot
.t c ctt s i
i a i pupus acpp sl t
mme i cis e t eio eeiS rCC a
dC
/ rss asnso i e r orc rer ol rt erhD aPF er N nag o eiool n
S ra Nt ot r p Tet s R pcC pLL R o11IiPDL Rdcl c o
C
(
ro 2
ta t
0 n 3 g i
2i n
2 s
- e 3
1 1
2 U
PD 2
1 3
3 e
e e
e e
N R
R R
R n
n n
n n
e t
W W
W W
o o
o o
o I n E
B E
B N
p F
N M
l R e l
Fi a
E sn S
a a
r
)
L T
yna r
p y
o e
r f
t a
a i
s f
l s
n e
i e
i x
e d
l u
i n
e a
r o
r c
/
f o
y o
g r
t o
e s
e f
s
(
t e
o a
d p
e l
C e
s
(
Y Y
s 1
2 d
i a
u p
r 4
4 t
l f
e A
3 2
2 r
i c
r o
r w
2 2
n n
e e
o s
s a
e I
t g
w p
s s
u u
a n
o u
u B
B t
v w
i p
y B
B s
E t
d n
r C
C n
e e) e a
C C
A A
e e
pk t
i D
D V
V g
v f
oc i
l V
V i
n E
u s
i )
0 3
t e
t t f
xr 5
5 6
6 s
g n
ns f
ue 2
2 1
1 n
i t
n o
e(
o am 1
1 4
4 i
a i
t r
t f
r e f
f o f
f f
f f
a o
ev o
of o
o o
o o
i i
vl s
t i
t p
d a s
sn s
s s
s s
i i
av s
sa s
s s
s s
n n
r n
o or o
o o
o o
I I
T I
L Lt L
L L
L L
)
)
)
)
)
)
)
)
)
3 1
1 2
2 2
0 0
8 2
1 3
3 4
4 4
4 3
4 1
e l
r a
b o
r a
f i
r oe r
T e
v e
s a
t gl w
s u
a na o
u b
t..
wp i v p
b t
d m n
C n
eu ef e
C A
e ep pe t
D V
v f
oi i
V E
e l
s 0
t I
y et t e' f
5 6
s gr na nr f
2 1
n no os e-)
o 1
4 i
i g n
t yk f
t e f e rt c f
f f
. o at od ee u o
o o
i a n
vf t s'
s tC po d a s s
s s
i i c a s(
s s
s n
r n
o o
o o
I T
I L
L L
L
)
)
)
)
)
)
0
. 1 6
7 8
9 1
1 7N" i!f.
- i j
l
)'
!41 a
1 9
Table 1.4 Initiating Event Categories for LaSalle Unit 2 (Continued)
Initiating Event Initiating Events Included EFRI NP-2230 Corsesnts Category Transient Designator
- 12) Loss of drywell pneumatic
- 38) Loss of normal drywell pneumatic Bone Shutdown is required by the technical specifications. Loss of ADS and inboard MSITs.
Partiet loss of SRVs.
- 13) Loss of 100f drywell
- 39) Loss of 100f drywell pnetsnatic Mone Similar to cetesory 12, but with pnetsnatic no effect on ADS.
- 14) Complete loss of reactor
- 41) Complete loss of reactor vessel narrow pone Reactor trip on either high or vessel narrov range range level inste mentation (falso high low level in tbo roector vessel.
level instrsseentation levet indications)
Loss of EPC3 and RCIC.
(felse high level indications)
- 15) Ioss of Channels A and C
- 41) Loss of channels A and C of reactor vessel None Reettor trip on either high or or C and D of reactor vessel narrow range level instrumentation low level. the reector vessel.
l g
U.
marrow range level (falso high level indications)
Loss of EPC3.
e instrsamentation (false
- 41) Loss of channels B and D of reactor vessel pone Reector trip en either high or high level indications) narrow range level instrumentation low 1 m L in the reactor vesse;.
(falso high level indications)
Loss of RCIC, ADS, LPC5, and 29R.
LOCA (Inside Centel'unent)
- 16) Small IICA inside
- 43) Small LOCA inside containment None Reactor trip as a result of high 2
2 conteirusent
( 50.005 ft for liquid. $0.1 ft for stees) drywell pressure or low level
( 50.00S ft2 for liquid.
In the reactor vessel. RCIC is 50.1 ft2 for stems) capable of providing adequete coolant mekeup.
- 17) Meditas LOCA inside
- 44) Meditas JCA inside conteirunent None Similar to category 15. However, conteirmnent (0.005 to 0.3 ft2 for liquid.
RCIC is not adequete for coolant 2
0.1 to 0.3 ft2
(>0.005 to <0.3 ft for stems) meseup.
for liquid, >0.1 to
<0.3 ft2 for steam)
- 18) Large 14CA inside
- 45) Large LOCA inside containment ( 20.3 ft2)
None Rosetor trip as a result of hiah contairusent ( 20.3 ft2) containment pressure or 1cw level in the reeeter vessel. The primary coolant system depressurines rapidly and remains depressurized.
~
i 1.
I Table 1.4 Initiating Event Categories.for LaSalle Unit 2 (Concluded)
?
EPRI NP-2230 Corements Initiating Event-Initiating Events Included
[
Transient Designator Category i
None Reactor trip as a result of
- 19) Reactor vessel rupture' 471 Reactor vessel rupture high contairmeent pressure or low
[
1evel in the reector vessel.
l The break ette is large enouah such that coolant level cannot i
be meirrtained in the reactor vessel. Such an event is assioned to lead directly to core damage.
4 LOCA (Outside Containment)
- 20) Steamline LOCA outside es) Stomaline LOCA outside contairzeent None Reactor trip as a result of watn stems iselation valvo closure.
contairunent Turbine-driven feedweter and the turbine bypass are lost.
r 94 LOCA (Interfacina System. Outside Contaireent)
- 48) RER suction line for recirculation loop A.
None Non.solatable LOCA in large i
outside contairunent IDCA outside contstrument without isolation piping (12 to 20 im h dierneter).
Reactor trip es a esult of low without isolation level ir. the reec'sr vessel.
ab) RER shutdown cooling return line (two) to None Since isolation is not possible, the coolent level cannot be recirculation loop. LOCA outside contairunent maintained in the reector without isolation vessel. Sech an event is e
assumed to leed directly to core
[
contairunent without isolation.
-22) CRD **JCA outside drywell
- 46) CRD drive water insert line (185). LOCA None Non-isolatable IDCA in smell without isolation outside drywell without isolation pipe (1-inch dieneter). Manuel trip.
l 6
f l
I.-
i i
L s
t I
i Y
r
- e. v-y g
y y
w
l i
)
1 1.
Cencrai transients, I
2.
Special transients (or initiators),
i 3.
LOCAs, and 4.
Interfacing system LOCAS.
l l
Screening values for the initiating event categories are discussed below.
A general discussion of the whole data analysis, screening, and final values for the initiating events is presented in Volume 5 of this report j
on Parameter Estimation Anclysis and Screening Human Reliability Analysis.
Frequencies for the LaSalle Unit 2 general transient categories were obtained from the data presented in Reference 4.
This source, which is an update of EPRI NP 7230,2 is based on the - operating experience of 25 4
U.S.
commercial BWR nuclear plants and covers 228 reactot years of experience up through the end of 1983._
Events occurring during the first year of commercial operation were included, but events occurring at low power (less than 264) were excluded.
The event grouping in Reference'4 is identical to that used in EPRI NP 2230, so each category frequency.was-1 obtained by combining the appropriate _ data for the contributing EPRI
~
i~
events.
The resulting frequencies for the LaSalle Unit 2: general 3-transient categories are shown in Table 1.5.
i Special transients (or initiators) were evaluated on generic bases.
The frequency for loss of a DC or an AC bus was, taken f rom NUREC 4550.10 Both types of events were assigned a frequency of 5E 03/yr.
Thu - other i
special initiators were assigned a frequency of 3.0E 03/ year.
This valu'e i
was obtained by calculating a 50% Chi Square estimate based on no events in 275. BVR reactor years of operation.*
IACAs inside containment were assigned frequencies based on the data base developed for the National Reliability Evaluation Program (NREP).11 The Small LOCA frequency is 0.03/ year, the Medium LOCA frequency is 3.0E-03/ year, and the Large LOCA was assigned ~ a frequency _ of 3.0E 04/ year, i
Finally, the reactor vessel rupture frequency was assumed to be 3.0E-l 07/ year, based on WASH 1400.8 The - steamline LOCA outside containment was quantified based on.no occurrences in 275 BWR reactor years of experience, similar to what was done for several of the special initiators e - The 50% Chi Square estimate is 3.0E 03/ year.
Interfacing system LOCAs outside containment were quantified based on the I
LaSalle Unit 2 design.
All seven of the RHR and.LPCS lines.incivded in this category include,two isolation valves, both of which must fail in.
4
- ' 'At the:end of 1983, approximately 275 BWR reactor years'of.? operation had occurred. (neglecting atypical plants such ~as ' Big Rock Point: and Dresden Unit 1).
!=
?
I l 25-
=
a..
Table 1.5 Frequencies of LaSalle Unit 2 Initiating Event Categories j
Initiating Event Category Frequency (Yrd)
Reference for Screening Value l
Screening / Final
.i i
Transients (General)
- 1) Turbine trip with turbine bypass available 5.0/4.5 Reference 4 2)' Turbine trip with turbine bypass unavailable 0.5/0.52 Reference 4
- 3) Total main steam isolation valve closure 0.7/0.61 Reference 4
(
- 4) Loss of normal condenser vacuum 0.4/0.41 Reference 4 l
- 5) Total loss of feedwater 0.6/0.6 Reference 4
- 6) ' Trip of one feedwater or condensate pump 0.2/0.2 Reference 4 f
- 7) Inadvertent opening of a -
0.2/0.14 Reference 4 safety-relief valve (stuck).
- 8) Loss of offsite power 0.1/0.096 Reference 4 Transients.(Special)
~9)
Loss.of 125 VDC bus (T9A-Bus A or T9B-Bus B) 5.0E-03/5.0E-03 Reference 10 1
- 10) Loss of 4160 VAC bus (T101-Bus 241Y 5.0E-03/5.0E-03 Reference 10 or'T102-242Y) 11). Loss of. Instrument Air 3.0E-03/3.0E-03 No events in 275 5'JR reactor years. 50% Chi Square estimate.
i i
i-
I Table 1.5 Frequencies of LaSalle Unit 2 Initiating Event Categories (Continued)
{
i Initiating Event Category Frequency (Yr-1)
Reference for Screening Value j
Screening / Final i
- 12) Loss of drywell pneumatic 3.0E-03/3.0E-03 No events in 275 BWR reactor 4
years. 50% Chi Square estimate.
i '
'13) Loss of 100# drywell pneumatic 3.0E-03/4.4E-03 No events in 275 BWR reactor i
years. 50% Chi Square estimate.
- 14) Complete loss of reactor vessel narrow range 3.0E-03/4.0E No events in 275 BWR reactor i
level instrumentation (false high level years. 50% Chi Square indication estimate.
j t
- r. -
tj
- 15) Loss of two channel of reactor vessel 3.0E-03/2.0E-07 No events in 275 BWR reactor narrow range level instrumentation years. 50% Chi Square I
(false high level indications) (T15A-A and C estimate.
i or TISB-B and D) f LOCA (Inside Containment)
- 16) Small LOCA inside containment 0.03/0.03 Reference 11
( $0.005 ft2 for liquid,.
- 50.1 ft2 for steam)'
- 17) Medium LOCA inside containment 3.0E-0&/3.0E-04 Reference 11 t
(0.005 to 0.3 ft2 for liquid.
0.1 to 0.3 fta for steam)
I
- 18) Large LOCA inside containment. ( 20.3 ft )
3.0E-04/1.0E-04 Reference 11 2
j
- 19) Reactor vessel rupture
<3.0E-07 Reference 8 l
i 4
{..
m
. = _ _. _. _...
___.m
_. _.. _ _.. = - -.
'i Table 1.5 Frequencies of LaSalle Unit 2 Initiating Event Categories (Concluded)
Initiating Event Category Frequency (Yr-1)
Reference for Screening Value Screening / Final IDCA (Outside Containment)
- 20) Steamline iDCA outside containment 3.0E-03 No events in 275 E'a'R reactor.
years. 50% Chi Square estimate.
LOCA (Interfacine System. Outside Containment)
without isolation
- 22) CRD iDCA outside of drywell without isolation 3.0E-07 LaSalle-specific analysis 7g.
8
order. for low pressure piping beyond the-valves to be exposed to high pressure.
Six of the lines include a check valve inside containment and an MOV outside containment, while the seventh contains two MOVs.
Each.
case is analyzed below.
For a check valv.
..-A MOV combination,- both valves cannot be open or have experienced a catastrophic internal leakage at the-time of plant startup.
(In such _a case the open flowpath to the low press ure piping would be noticed.)
Tbarefore, failure of both. valves must occur as a result of either simul.aneous failure or failure of one combined with r
unavailability of the other.
Simultaneous failure was assessed to be negligible.
Therefore two cases - remained: failure of the check valve combined with (previous) unavailability of the MOV, and - failure of the MOV combined with (previous) unavailability of the check valve.
Internal catastrophic leakage of a check-valve occurs with a frequency of 5,0E-07/hr. As an initiator, the frequency is:
(5.0E 07/hr) * (8760 hr/yr) - 4.4E-03/yr.
Unavailability of the MOV results from catastrophic internal leakage or failure of the MOV to have closed prior to startup but with an indication that the valve did close.
(Spurious operation of the MOV was-neglected because normal leakage past the check valve will result in the MOV being exposed to high pressure on one side. With such a pressure differential, the motor on the MOV is incapable - of opening the valve.)
The MOV catastrophic internal leakage frequency is _5.0E-07/ hour.
The MOV is tested every 18 months, so the average unavailability over-this period is:
(Oc5) * (5.0E-07/hr) * (13140 hr) - 3.3E-03, Unavailability resulting from failure to.close but with - a closed indication was, quantified by modifying the-fail to operate value of 3E-03/ demand.
Reference 12 indicates that 2.5% of MOV failures to operate were cases in which the valve did not operate but there was an iudication that - correct operation did occur.
Therefore, unavailability resulting.
from this failure mode is:
(1 demand) * (3E-03/ demand) * (0.025) - 7.5E-05.
Combining the. check valve initiator and the MOV unavailabilities results
=in:
.i l4.40-03/yr) * (3.3E-03 +-7.5E-05) - 1.5E-05/yr.
The other case considered for the check valve and MOV combination was check valve unavailability combined with MOV failure as the initiator.
The initiator frequency is:
(5.0E-07/hr) * (8760 hr/yr) - 4.4E-03/yr.
1-29
Check valve unavailability. results from catastrophic internal - leakage.
The average unavailability over the 18-month test period is:
(0,5) * (5.0E 07/hr) * (13140 hr) - 3.3E-03.
Combining the MOV initiator with the check valve unavailability results-in:
(4.4E 03/yr) * (3,3E-03) - 1.5E-05/yr.
Combining the. above two cases for the check valve. and MOV combination results in:
1.5E 05/yr + 1.5E-05/yr - 3.0E-05 for each of the three lines with this valve combination.
The otaer line in:1uded in this interfacing system LOCA category has two -
MOVs.
/
- astrophic internal leakage ir.itiator frequency is:
(5.0E-b
'8760 hr/yr) - 4.4E-03/yr.
Une a MOV is:
05 - 3.4E-03.
Combin< _
..iitiator with the unavailability and accounting for each MOV possibly being the initiator results in:
(2) * (4.4E 03/yr) * (3.4E-03) - 1.5E-05/yr.
The combined frequency for the seven large piping interfacing system-IDCAs is then:
(6) * (3.0E-05) + (1.5E-05) - 2.0E-04/yr.
Another interfacing system LOCA. category involves the CRD. drive water lines. An interfacing system IDCA would occur if the piping ruptured and the manual valve (on each line)-were not closec. No CRD drive water line ruptures have occurred while at power, so the frequency of such an event, was based on a - 50% Chi-Square estimate based on no eivents-in 275 BWR reactor years. The: result is 3.0E 03/yr.
It was assumed that because of the significant time _ involved before core - uncovery would.- _ occur, mechanical _ failure of - the manual valve _ dominates any. human errors.
'A manual valve fal are to operate probability is 1.0E-04/ demand. Combining.
'this failure v'.th the initiator frequency results in 3.0E 07/yr.
1.5 References 1.
The American Nuclear Society and the Institute of Electrical and Electronics Engineers,. "PRA Procedures Guide," NUREG/C'l-2300, U.
S.
Nuclear Regulatory Comnission, Washi on, DC, January 1983.
1-30
2.
A. S. McClymont and B. W.
Poehlman, "ATWS: A Reappraisal," EPRI NP-2230, Electric Power Research Institute, Palo Alto, CA, January 1982.
3.
S. M. Stoller. Corporation, " Nuclear Power Experience," S. M. Stoller Corporation,-Boulder, CO, I
4.
D.
Mackowiak, et al.,
" Development of Transient Initiating Event Frequencies for Use in Probabilistic. Risk Assessment," NUREC/CR 3862 Draft, Idaho National Engineerins Laboratory, Idaho Falls, ID, June 1984.
5.
D.
D.
Carlson, et al.,
" Interim Reliability Evaluation Program Procedures Guide," NUREC/CR-2728, SAND 82-1100, Sandia National Laboratories, Albuquerque, NM, January 1983.
(
6.
Science Applications, Incorporated, "Probabilistic Risk Assessment, Shoreham Nuclear Power' Station Unit 1,"
3AI-372-83-PA 01, Science Applications, Incorporated for Long Island Lighting. Company, Palo Alto, CA, June 1383.
7.
Philadelphia Electric Conpany, "Probabilistic Risk Assessment, Limerick Generating Station," Philadelphia Electric Company, Philadelphia, PA, March 1981.
8.
U.
S.
Nuclear Regulatory Commission, " Reactor Safety Study An Assessment of Accident Risks in U.
S.
Commercial Nuclear Power Plants," WASH-1400 (NUREG 75/014),
U.
S.
Nuclear Re6ulatory Commission, Washington, DC, October 1975.
9.
General Electric Company, " Additional Information Required for NRC Staff, Generic Report on Boiling-Water Reactors," NEDO-24708A, Revision 1, Volume 1,
General Electric Company, San Jose, CA, December 1980, 10, D. M. Ericson, et al., " Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550 Vol, 1,
Rev.
1, SAND 86-2084, Sandia National Laboratories, Albuquerque, NM, January 1990, 11.
A. J. Oswald, et al,, " Generic Data Base for Data and Models - Chapter of the National Reliability Evaluation Program (NREP)," EGG-EA 5887-Incerim Report, Idaho National. Engineering Laboratory,: Idaho Falls, ID, June 1982.
4 12.
Pickara, Lowe, and Garrick, Inc., "Seabrook Station Probabilistic Safety. Assessment," Pin-0300, Pickard, = Lowe, and Garrick, Inc. for Public Service Company of New Hampshire, -Irvine, CA, December 1983..
13.
U. S. Nuclear Regulatory Commission, " Anticipated Transients Without Scram for Light Water Reactors," NUREG 0460,.Vol. 1, U. S. Nuclear Regi:latory Commission, Washington, DC, April 1978.
1-31
2.0 ACCIDENT SEQUENCE DELINEATION 2.1 Introduction The evaluation of the risk to the public imposed by operation of LaSalle
~
Unit 2 requires calculation of the fregocucy and magnitude of radioactive releases to the environment due to potential core damage accidents.
This calculation is done in a three stage process.
In the first stage, the accident sequences which can lead to core damage-are delineated and evaluated.
This is called a Level I analysis and includes both internal and external events.
Core damage is defined as the release of radioactive fission products f rom - the fuel.
The delineation of the accident sequences is usually provided in the form of event trees.
These event trees define the different sequences of events, usually plant system successes and failures, that can lead to core damage.
The event trees are supplemented by system fault trees.
The fault trees delineate t h_e different ways component, human, and phenomenological failures or occurrences can result in system. failure.
By solving the fault trees and then combining them to form a particular sequence, we can qualitatively and quantitatively evaluate the thousands.
of combinations of component, human, and phenomenological events that can result in the sequence.
Each unique combination of failures thet can lead to a sequence is termed a cut set for that sequence.
In the second stage, the progression of each accident is evaluated and the characteristics of the source term (i.e.,
the amount : of fission products released to the environment) are calculated.
In order to de this, the accident sequerce cut ' sets are first regrouped into. plant damage states (PDSs).
Each PDS presents unique initial and boundary _
conditions to the evaluation of the accident Irogression from the time of core damage to the termination of the accident.
The _ various possible accident progressions are then evaluated using an accident progression event tree which evaluates the conditional probability of the accident progressions and groups the progressions into accident progression bins, which present unique initial and boundary -conditions to the source term analysis.
A parametric code is used to evaluate the magnitude, timing, and energy of the release to the environment for each accident progtession bin.
This parametric code uses input from more detailed accident sequence analysis codes and expert judgement. (both from-independent experts and from in-house experts, depending on the issue) in order to extrapolate and interpolate estimates of the source -terms ; for all the accident progression bins coming out of the_ accident progression analysis.
This accident progression and source term-calculation form a Level II analysis.
I In the third stage, the accident progressions are partitioned by similar.
source term characteristics and consequences are _ calculated for_ each g
partition using a consequence analysis ' code.
The final ~ risk to the public is then calculated by combining the frequencies of the PDSs, with l
2-1 4
1 1
the conditional probabilities of _ the accident progression. bins, : the.
conditional probabilitics of the partition groups, and the magnitudes of g
i the consequences. This consequence and risk calculation form a Level III analysis.
The Level I analysis defining-the initial set of accident sequences to be analyzed ' in' this PRA is ~ presented in this : chapter and the final results of the analysis are presented in Volume 2 of this report.
The Level -
II/Ill analyses results are reported in a series of reports issued by the Phenomenology' and Risk Uncertainty Evaluation Program (PRUEP) - as described in the foreword.1 t
5 One of the major purposes of the RMIEP program was e o develop methods for the integrated evaluation of all Level I initiating events.
So while only one. set of event trees will be presented in this chapter, these trees will be used in.four different analyses:. internal events, seismic-fire,'and flood.
The fault trees to be used with these event trees have been expanded-from the usual level of detail used in the internal events analysis to include information necessary to perform an integrated evaluation' of the internal and external events.
Each of.these analyses are discussed in detail in separate volumes of this report (Volumes 3, 8, 4
9, and 10, respectively).
2.2 Overview of Evaluation Process In this chapter, functional and systemic event trees will be defined I
where the accident sequence is followed until the end state is resolved into no core damage or core damage.
No core damage, or success otexes, are those in which sufficient systems work in order to - prevent core-damage.
This may mean only core heat removal is successful or both core and containment heat removal are successful, depending on the particular systems being used.
For some sequences, in which core heat - removal is.-- success ful but containment heat removal fails, core damage does not result directly from the system failures but from phenomenological events - in the_ containment which can possibly lead to failure of the core heat removal function and j
result in' subsequent core dawage.
The event ~ trees will include the 3
feedback effects oa the core heat removal systems as~ a result of the containment - phenomenology in order to predict if core damage.will occur given-failure of the containment heat removal systems and the subsequent-i containment phenomenology.
The end states of the accident sequences are either: (1) success-no core damage but containment may or may 'not have failed, (2) core damage without direct containment. failure or (3) - core damage with. containment venting or uncontrolled release failure (either controlled release structural failure).
.t 2-2 i
e A
a
~ ~.
2.3 Core Damage Functioaal Event Trees The functional core damage event trees are presented.in this scition.
The functional event trees delineate the general plant response to LOCAs,<
anticipated transients, and anticipated transients without scram (ATWS).
The delineation is presented in terms of success or failure of safety functions required to mitigate the transient or LOCA.
l Far each safety function identified in the functional event trees, the systems available to perform the func' tion were idencified.
The success criteria for each system was also defi ned.
These steps provided the information necessary to delineate the systemic event trees 'and the
~
results are presented in Sections 2.4 and 2.5, respectively.
Systemic event trees for ihCAs, anticipated transients with Oram, and ATWS are developed in Section 2.6.
The interaction between articular initiating event and mitigating system is modeled by i-auding the initiating event in the system fault tree in the appropriate place so 1
that the effect of its occurrence is properly propagated in the tree and' fails the appropriato components in the system.
2.3.1 LOCA Functional Event Tree (L)
The LOCA functional event tree represents the general plant response to a lo.ss-of coolant accident.
To mitigate a LOCA (L), it is necessary to shutdown the nuclear reaction (reactor suberiticality, RS), protect the containment ' from early overpressurization by condensing steam released from the vessel (early containment overpressure protection-or vapor suppression, VP), keep the fuel covered with water and remove decay heat (core coolant makeup, CCM), and protect the containment ' from late overpressurization by transferring heat from the containment to the ultimate heat sink (conteinment heat removal, CHR).
Another function usually considered is removal of radioactive nuclides -from the containment _ before or following core damage.
However, in this study,.
l this function will be addressed in the accident progression event tree in L
the Level II/III analysis.
[
The four functions discussed above and their - interactions following _ a LOCA are shown in_the event tree illustrated in_ Figure 2.1.
Each of the functions is discussed in more depth in _ the following paragraphs.
In l
constructing this event tree, potential _ interactions between functions -
are considered.
Reactor-Suberiticality (RS)
Following a LOCA, it is necessary to limit the core heat _generacion by shutting down the clear reaction.
This is normally-done by incarting the control rods into the core.
Backup systems and procedures _ are '
available for reducing core power given a-~ f ailure ' to insert the control rods.
2-3 r
y u
2.3 Core Damage Functional Event Trees The functional core damage event trees are. presented - in this section.
The functional event trees delineate the general plant response to LOCAs, anticipated transients, and anticipated transients without scram (ATWS).
The delineation is presented in terms of success r failure of safety-functions required to mitigate the transient or LOCA.
i For each safety function identified in the functional event trees,'the-systems available to perform the func' tion were identified.
The success criteria for each system was also defined.
These steps provided the information necessary to delineate the systemic event trees and the results are presented in Sections 2.4 and 2.5, respectively.
Sy:temic event trees for LOCAs, anticipated transients with scram, and ATWS are developed in Section 2.6.
The interaction between a particular initiating event and mitigating system is modeled by including the initiating event in the system fault tree in the appropriate place so that the effect of its occurrence is properly propagated in the tree-and fails the appropriate components in the system.
2.3.1 LOCA Functional Event Tree (L)
The iDCA functional event tree represents the geners.1 plant response to a loss-of coolant accident.
To mitigate a LOCA (L), it is necessary to shutdown the nuclear reaction (reactor suberiticality, RS), protect the containment from early overpressurization by condensing steam released from the vessel (early containment overpressure protection or vapor suppression, VP), keep the fuel covered with water and remove decay heat (core coolant makeup, CCM), and - protect the containment from late overpressurization by transferring heat from the - containment to - the ultimate heat sink (containment heat removal, CHR).
Another f'metion usually considered is removal of radioactive. nuclides from__the containment before - or following core damage.
However, _ in this study, this function will be addressed in the accident progression event tree in the Level II/III analysis.
The four functions discussed above ~and their interactions following a LOCA are shown in the _ event. tree illustrated in Figure 2.1.
Each of the n
~
l functions is discussed in more depth in the following - paragraphs.
In constructing this event tree, potential interactions between functions are considered.
Reactor Suberiticality (RS)
Following a IDCA, it is necessary to limit the core heat generation by shutting down _ the - nuclear reaction.
This is normally done by inserting
.the control rods into the core.
Backup systems and procedures are available for reducing core power given-a failure to insert the control rods.
2-3
+
______-m_
SEQ END L
RS VS CCt/ i CHR CCM2 CCM3 STATE i
1 OK 2
OK 3
CD 4
CD 5
CD 6
(1) 7 (1) 8 (1) 9 (1) e 10 (1) 11 (2)
(1) Sequence proceeds similar to VSS success except much iastar. CHR success may be unlikely.
(2) Transfer to ATWS Tree, Figure 2.3.
Figure 2.1 1DCA Functional Event tree 2-4
Failure to shutdown,the nuclear reaction would cause large amounts of the remaining water in the core to boil off much quicker than with only decay-heat available.
The loss of coolant would remit in a power reduction; i.
however, the coolant makeup systems would reintroduce coolant into ' the core for decay heat removal.
The reactor power would increase sgain and boil off the coolant This cycle could continue until the operator took manual control of the plant in order to reduce core power and stabilize 2,
the plant or until subsequent phenomenological or mechanical interaction resulted in system failure Failure to stabilize the plant can result in core damage and/or containment ' failure.
Sequences with failure. of the reactor suberiticality function are transferred to the ATWS event tree.
i 5
If the reactor suberiticality function is successful,- it is still necessary to remove heat from the core and replace lost coolant.
Early Containment Overpressure Protection (Vapor Suporession. VS)
During a IDCA, the normal heat removal path ' is - disrupted by the. pipe break and coolant is released to the containment.
The steam generated by the hot coolant released _during a LOCA is released into the dryvell and
]
forced by its own pressure to flow through downcomers into the vetwell.
The wetwell contains a= pool of water, called the -suppression pool, for condensing the steam and thur, reducing the temperature and. pressure of -
the drywell.
This vapor suppression pool has sufficient. heat capacity-for storing all the heat released to the containment for several hcurs after a LOCA before it becomes necessary to transfer heat. from the containment to the ultimate heat sink.
(
If the steam released during a LOCA is -not condensed by the vapor suppretsion pool, pressure will quickly _- buildup in the primary containment and the containment will need to be vented or it will mechanically f ail (for large IDCAs, the time could be_ as _ short as 30 sec).
Containment venting or failure may result in failure of the
~
coolant injection systems and containment: heat removal equipment'due to the - severe environments produced in the reactor building where most - of j
the' systems modeled in this analysis have components.
If the early containment overpressure protection function is available,_
it is still necessary to replace lost coolant in the~ core and eventually remove the heat transported to the suppression pool.
The vapor suppression pool also removes radioactivity released during a l
LCCA.
This occurs as radioactive partic1cs released during the LOCA are-L
' forced through the suppression pool water _ where the particles are.
essentially filtered and retained in the water. Noncondensible gases are tot affected and remain in the primary containment atmosphere.
Core Coolant Makeun (CCM1. CCM2. CCM3)
A LOCA by definition results in' loss of reactor coolant inventory that must be replaced in order to prevent core damage.
The emergency core i
2-5 l
l
= _
- ~ ~ - _ - - -. _ _ ~ ~ - - -. - - - - -
f n
il cooling (ECC) systems are designed to provide cooling water to the core from an external source or from the suppression pool. This cooling water passes through the core, removing heat and transferring it to the vapor suppression pool.
If the original source of water was external, the ECC systems would be realigned to take suction from the suppression pool to form a continuous circulation loop for cooling ths core upon' high level in the suppression pool or low level of the source.
Eventually, the stored heat in the suppression pool must be transferred to the ultimate heat sink.
Non-emergency related systems are also capable of injecting water from external sources into the vessel during a LOCA..
However, these systems are not capable of recirculating water from the suppression pool.
CCM1 represents failure of the injection systems before CHR failure, CCM2 represents failure of the_ injection systems af ter CHR failure but before containment failure, and CCM3 represents failure af ter ' containment failuro.
Failure of the coolant makeup function will result in loss of core cooling and core damage.
Success of this function must be followed by removal of heat stored in the suppression pool.
Containment Heat Removal (CHE.).
In the later stages of a LOCA,.the heat buildup in the suppression pool can reach the pool's scorage capacity.
If this storage capacity is exceeded, the suppression pool will boil and evolved steam can cause overpressurization and rupture of the containment.
The containment heat removal (CHR; systems transfer heat to the ultimate heat sink from the suppression poc.1 via heat exchangers. The containment heat removal systems during a iDCA are aligned to take suction from the suppression pool, pass the water through heat exchangers, and inject it into the core (low pressure coolant inj ec tion, LPCI, mode), into the drywell (containment spray, CSS, mode), or back into the suppression pool (suppression pool cooling, SPC, mode).
l' If the containment heat - removal-and core coolant makeup function are successful, the plant is stabilized and core damage is averted. The LOCA is thus mitigated and no other functions are required.
Failure of the containment heat removal function can have a feedback effect that results in failure of the core coolant makeup function. This failure can come about either before or af ter containment venting or structural failure of the-containment from overpressure created by-the failure - to remove decay heat.
As the containment-pressurizes, the l-containment. pressure, temperature, and suppression pool temperature all l
increase.
High containment pressure can result.in isolation and failure of the reactor core isolation cooling (RCIC) sys te n.,
Low prassure i
l injection systems will fa.1 to-inject when the automatic depressurization l
system (ADS) valves reclose and the reactor pressure, vessel (RPV)-
repressurizes (this is not important for LOCAs where the RPV will remain depressurized from the break _ itself).
Very high pressures and 2-6:
{-
temperatures can result in direct failure of the ADS valves which are not-
- designed for such environments.
High suppression pool-temperatures can-result in failure of systems pusping such high temperature water-or from loss of net positive suction head (NPSH) when the pool _becomes saturated (e.g.', high pressure core. spray, HPCS; low pressure core: spray, LPCS; and LPCI).
After containment venting or-failure,-high temperature steam may be blown into. the reactor building depending upon - the location of the failure (failure to the refueling. floor will not. blow steam' into the-reactor building).
This blowdown will create severe environments in the reactor building well-beyond the harsh _ environments usually evaluated.
Most systems have components in the reactor building that would be subj ect to such environments and failure of the ECC and other systems after containment failure due to these environments would' result in core-damage with an already failed containment.
n Seauence Descrintions
~
A brief description of each sequence on the IDCA functional event tree is-provided below.
Sequence 1:
All of the functions work as required.
The core is kept cooled-and'the containment is intact. No core damage results.
Sequence 2:
All the funccions succeed except for containment heat removal.
The core will be-kept cooled until the heat transferred to the e ntainment exceeds.
the suppression' pool's heat capacity (hours af ter the initiation of the LOCA).
The suppression pool water will-boil,. causing-overpressurization-and finally either venting or structural failure of the containment will-The core coolant makeup function does_not fail before containment occur.
venting or failure and does ' not. fail: after - containment venting - or.
failure.
Core damage does not occur;_the sequence results-in success'ful shut down of the reactor with a failed containment.
Sequence 3:
The containment heat ~ removal function fails but the - core -_ coolant _- maka.up function continues until after containment venting or ! failure.
The-injection systems then fail due to the. severe environment in the reactor building and core damage results with an already_ failed containment.
Sequence 4:
The containment. heatL removal function fails and the _ core coolant makeup -
~ function fails before the. containment is vented or fails.
The ' inj ection systems. fall from conditions in_ the _ containment and core -damage-results-in an Intact containment.
2-7
Sequence 5:
The initial core coolant makeup function fails - and core damage resultu from the loss of all injection in an it. tact containme.at.
Sequences 6-10*
The reactor is shutdown, but-the early containment overpressure protection function fails initially, resulting in overpressurization of the containment. Core damage could result depending on subsequent system and containment behavior.
These sequences are similar to sequences 1-5 but with much shorter times (depending on MCA size and bypass-location and size) and different system success criteria.-
Sequence 11:
The reactor fails to shutdown following initiation of the MCA.
Systems are available to mitigate LOCA with failure to scram accidents. However, since such sequences have their own characteristics, they are transferred to the ATUS event tree.
2.3.2 Transient Functional Event-Tree The transient functional event tree represents the general plant response to a transient event.
Following a transient - (T), it is necessary to shutdown the nuclear reaction (reactor suberiticality, RS), to protect the reactor pressure boundary from overprersurization if the normal heat removal path is unavailable (RCS integrity, RCS ::NT), to transfer steam to the containment for condensation (early containment overpressure protection if there is a MCA or transient-induced MCA, i.e.,
a safety relief valve, SRV, stuck open), provide makeup water to the. vessel-(core coolant makeup, CCM), and to - remove heat released to the containment durint *he transient (containment heat removal, CHR).
As with - a. MCA, the function of removing radioactivity released to the containment will' be addressed in the accident progression event tree.
The functions. discussed above and their interactions following - a transient are shown in the event tree illustrated in Figure 2.2.
Each of the functions is discussed in more depth in the following paragraphs.
React f Suberiticality (RS)
Following a transient, it is necessary to limit the core heat generation-by shutting down the nuclear reaction.
This is normally done by innerting the control rods into the-core.
Backup systems and procedures are - available for reducing core power given a failure to insert' the control rods.
Failure to reduce core power following a-transient can result in boiling off-of the core coolant much quicker than. if only decay heat is available.
Since the - turbine bypass capability is. only 25 percent of full power, the normal heat removal system (if available) would'not be 2-8
RCS SEQ END T
RS CCM1 CHR CCM2 CCM3 INT STATE 1
OK 2
OK 3
CD 4
CD 5
CD 6
(1) l 7-(2)
(1) Transfer to LOCA tree Figure 2.1, after RS success.
(2) Transfer to ATWS Tree, Figure 2.3.
Figure 2.2 Transient Functional Event Tree.
2-9
capable of removing all the,eenerated steam.
Excess pressure would be relieved to the containma.t through the safety / relief valves.
Containment and core damage are possible if the operator fails to reduce cc a power.
Sequences involving failure of the reactor suberiticality f.netion are transfered to the ATWS event tree and evaluated there.
Successful suberiticality must be followed by removal of heat from the reactor.
Ps_CS Interrity (RCS INT)
Given successful reactor suberiticality, the decay heat in the core will continue to produce steam. The RCS integrity fur.ation allows the reactor coolant system pressure to be relieved by the opening of the safety / relief valves and the transferring of the steam to the suppression pool if the normal heat removal path (power conversion system, PCS) has failed.
Even if the turbine bypass is available, the transient offects of the reactor shutdown may require the opening of some SRVs.
Multiple openings of the relief valves will occur if turbine bypass is not available.
Failure of the relief valves to open will result in overpressurization and possible rupture of the reactor vessel.
In this analysis, it is assumed that the vessel rupture will result in the equivalent of a large LOCA and would transfer to the LOCA event tree.
The rupture is most likely to occur at the omega seal on the reactor head.
Successful operation of the injection systems could mitigate this event.
It has been assumed in some previous studies that all of the check valves on the t
injection lines would freeze shut from the high pressura and would not be able to reopen af ter pressure decreased from the LOCA.
This assumption seems much too severe given the proof testing pressure of the valves and vessel.
The pressure rise is not instantaneous but que.si-static and would result in slow pressurization of the RPV from a mechanical standpoint.
Also, after pressure decreased, the injection systems would tend to force water back into the vessel.
In any case, failure of
[
sufficient SRVs to open is an unlikely event and these sequences are probabilistically negligible and not developed further.
If overpressure protection succeeds, the pressure in the vessel is reduced but coolant is lost from the vessel to the vapor suppression pool.
It thus becomes necessary to provide coolant to the vessel to keep the core covered.
Once the prersure in the vessel is relieved, the safety / relief valves should reclose to minimize coolant loss.
If one or more of the valves fail to reclose, a continuous flow of steam from the vessel to the suppression pool will occur.
Such an occurrence would require that the suppression pool remain intact, that makeup water be supplied to the vessel, and that the heat transferred to the suppressien pool be eventually transferred to the environment.
These sequences transfer to the LOCA tree because they have an unmitigated loss of primary coolant from the RPV.
They are not equivalent to a LOCA because the flow is 2-10
directly to the suppression pool instead of to the drywell. - They are called transient-induced IDCAs and will be evaluated separately.
Successful reclosure of the safety / relief valves must be followed by decay heat removal from the vessel.
l Eal y Containment Overnressure Protection (VST Given failure of the RCS integrity function, heat from the vessel is transported to the suppression pool either directly through a stuck open SRV or via a large IDCA to the drywell and then through the downcomers.
Failure of the suppression pool to condense this steam will result in overpressuritatien and failure of the containment within a very = short time (30 see to 15 min). ' Overpressurization of the -containment can fail the equipment required for emergency core cooling and containment heat removal, thus leading to core damage and a ra:lioactive release.
Thus failure of this function is assumed to result in the core being
....nerable to damage.
Sequences with. failure of - the RCS integrity function are transfered to the LOCA tree and evaluated there.
-This
-function does not, therefore, explicitly appear on the transient tree.
Successful vapor suppression operation must - be followed by makeup of reactor vessel coolant and removal of heat released to the containment.
Core Coolant Makeuo-(CCM1.-CCM2. CCM3)
TH emergency core cooling (ECC) systems are designed to provide cooling water to the core from an external source or from the suppression pool.
This cooling water passes through the core, removing heat and transferring it to the vapor suppression pool.
If the original source of water was external, the ECC systems would be realigned to take suction from the suppression pool to form a continuous circulation loop for cooling the core L on high level in the suppression pool or low level of the source.
Eventu T1y, the stored heat-in the suppression pool must be transferred to the ultimate heat sink.
Non-emergency related systems ape also capable _ of injecting water from external sources into the vessel during a transient.
However, these systems are not sable of recirculating water from the suppression pool.
CCM1 represent; _ allure of the injection systems before CHR failure, CCM2 represents failure of the injection systems after CHR -failure but before containment failure, and CCM3 represents failure af ter containment failure.
Failure of the coolant makeup function will result.-in-loss of core cooling. and a core damage.
Success of this _ function - must be followed by removal of heat _ stored in the suppression pool.
Conrainment Heat Removal (CHR).
If the normal heat removal path is unavailable for removal of residual heat following reactor scram, residual -heat is transferred _ to the 2-11 l
,. - ~
4 i
containment.
Eventually this heat must be' removed or containment failure will occur.
Containment failure-can potentially result in core damage.
Failure of the containment heat removal function can have a ' feedback -
effect that results in failure of the core coolant makeup function. This failure can come about either before. or af ter containment. venting or structural failure of the - containment from overpressure created by - the failure to remove decay heat.
As the containment pressurizes,. the containment pressure, temperature, and suppression pool ' temperature all increase.
High containment pressure can result in isolation and failure-of the RCIC system.
Low pressure injection systems will fail to inj ect j
when the ADS valves reclose and the RPV repressurizes.
Very high pressures and temperatures can result in direct failure of.the ADS valves 4
which are not designed for such environments.
High - suppression pool temperatures can result in failure - of systems pumping - such Lhigh l
temperature water or from lost of NPSH when the pool becomes saturated.
After containment venting or failure, high temperature steam may be blown; into the reactor building depending upon the location of - the -failure (failure to the refueling _ floor.will not blow steam into the reactor y
i building).
This blowdown will create severe environments int the reactor-building well beyond the harsh environments usuelly evaluated.
Most systems have components in the reactor building that would' be ~ subject - to 4
such environments and f ailure. of the ECC and othcr systems ~ after containment failure due to these environments would result in core damage with an already failed containment.
Successful residual heat removal can result in core' stability if core coolant makeup continues to be available.
Secuence Descriptions l
A brief description of each sequence in the transient functional event tree is provided below.
Sequence 1:
The reactor scrams,. safety / relief valves open to relieve pressure and' successfully reclose, core coolant makeup is provided and the! containment.
heat removal systems function to removel residual heat.
No core' damage and containment is intact.
Sequence 2:
All the functions succeed except for containment heat removal.
The-core
. vill be kepe. cooled.until the heat transferred ' to the - containment from the SRVs exceeds the suppression': pool's capacity ; (houn after the transient initiation).
The suppression pool'. water will boil,- causing-
- overpressurization and finally either venting' or structural failure of the containment will occur.
The core coolant makeup function does' not j'
fail before containment-venting or Mailure (CCM2) and 'does not. fail after containment venting or failure _(CCM3).
Core damage does not occur;_the L
2-12
sequence results in successful shutdown of the reactor with a failed containment.
Sequence 3:
The containment heat removal function fails but the core coolant makeup function continues until after containnant venting or failure.
The injection systems then fail due to the severe environment in the reactor building and core damage results with an already failed containment.
Sequence 4:
The containment heat removal function fails and the core coolant. makeup function fails before the containment is vented or fails.
The injection systems fail from conditions in the containment and core damage results in an intact containmen'.
Sequence 5:
The initial core coolant makeup function fails and core damage results froru the loss of all injection in an intact containment.
Sequence 6:
ellowing the initiating event, the reactor is successfully scramed, but one RCS integrity function fails.
Steam from 'the vessel is released to I
the containment.
This sequence becomes a large LOCA, if.the SRVs have failed to open, and a small, medium, or large LOCA if-1, 2, or 2: 3 SRVs fail to reclose, and transfers to the IDCA tree - for evaluation.
Sequence 7:
The reactor suberiticality function fails following a transient.
'A separate ATWS event tree is used to depict the sequences of - events following failure of the reactor subcriticality function.
Transfer to ATWS event tree.
2.3.3 ATWS Functional Event Tree The ATWS functional event tree represents the general plant response to any transient or LOCA event followed by failure to render the reactor suberitical using the reactor - protection and 1 alternate -rod insertion systems.
Following an ATWS transient, it is necessary to shut down the nuclear reaction using alternate means such as the standby liquid-control (SBLC). system (reactor subcriticality, RS),. to - protect the reactor
-pressure' boundary frcm overpressurizstion if the normal heat removal path is unavailable (RCS integrity, RCS ' INT), to. transfer steam. to the containment - for condensation ' (early - containment overpressure ' protection if there is a IDCA or transier.t-induced LOCA, i.e., an SRV stuck open),
provide cakeup. water to the vessel - (core coular.1 makeup, CCM), t and to remove heat released to the containment during the transient (containment
-heat removal, CHR).
As with the ' LOCA and transient trees, the function i
2-13
=
- ~
of removing radioactivity raleased to the containment will be addressed in the accident progression event tree.
The functions discussed above and their interactions following a transient are shown in the event tree illustrated in Figure 2.3.
Each of the functions is discussed in more depth in the following paragraphs.
l Reactor Sube riticality (RS1)
Following an AWS event, it is still necessary to limit the core Isat generation by shutting down the nuclear reaction.
This is normally done 1
by inserting the control rods into the core; however, for'ATVS scenarios, normal mechanisms for inserting the control rods into the core have already been assesswd to have failed.
The most likely reason for failure i
to scram given the existence of the alternate rod insertion system, which makes electrical failure to scram probabilistically small, is mechanical failure of the rods to insert.
Backup systems and procedures are available for. reducing core power given a mechanical failure to insert the control rods.
Failure to reduce core power following an ATWS transient can result in quickly. boiling off the core coolant until - the reactor-water level has stabilized due to the balance between the amount of water being injected into the core and the-amount of water being boiled off.
If turbine trip also does not occur and the reactor continues as before, then no accident j
results.
If the. turbine trips, since the turbine bypass capability is only 25 percent of full power, the normal heat removal system (if available) would not be capable of removing all the generated steam early in the sequence'.
The.vcssel pressure would increase rapidly due to the high energy generation rate which would equilibrate at a rate consistent with the particular inj ection system being used or at the decay heat level, if no injection was available.
Excess pressure would be relieved to the containment through the SRVs.
Whether or not reactor suberiticality is successful, energy will continue to be produced either at some equilibrium power level consistent with the injection rate or at the decay heat level.
The RCS integrity function allows the reactor coolant system pressure to be relieved by the opening of a sufficient number of the safety / alief valves and the - transferring of the steam to the suppression pool if the normal heat r_emoval path -
(PCS) has failed. Even if the turbine bypass is available, the transient effects of the reactor shutdown may require - the opening of some SRVs; Multiple and/or continuous openings of the - telief valves will occur. if turbine bypass is not available.
Failare of the relief valves 'to open will result in - overpressurization and possible rupture of the reactor vessel.
In this analysis,' it is assumed that the-vessel rupture will result in the equivalent of a large 2-14
SEO END T
RS1 CCM1 CHR C C h'2 CCM3 RS2 STATE 1
OK 2
OK 3
CD 4
CD 5
CD 6
OK 7
CD 8
CD 9
CD 10 OK.
11 CD 12 CD 13' CD 14 CD Figure 2.3 ATWS Functional Event Tree 2-15
LOCA.
The rupture is most likely to occur at the orte ga seal on the reactor head.
Successiul operation of the inj e c t i on systems could mitigate this event.
It has been assumed in some previous studies that all of the check valves on the injection lines would freeze shut from the high pressure and would not be able to reopen af ter pressure decreased from the LOCA.
This assumption seems rauch too severe given the proof testing pressure of the valves and vessel.
The pressure rise is not instantaneous but quasi-static and would result in slow pressurization of the RPV from a mechanical standpoint.
Also, af ter pressure decreased, the inj ection systems would tend to force water back into the vessel.
Failure of sufficient SRVs to open is an unlikely event and these sequences are probabilistically negligible ano not developed further.
If overpressure protection succeeds, the pressure in the vessel is reduced but coolant is lost from the vessel to the vapor suppression pool. It thus becomes necessary to provide coolant to the vessel to keep the core covered.
If reactor suberiticality succeeds then, once the pressute in the vessel is relieved, the safetf/ relief valves should reclose to minimize coolant loss.
If one or more of the valves fail to reclose, a continuous flow of steam from the vessel to the suppression pool will occur.
Such an occurrence would require that the suppression pool remain intact, that makeup water be supplied to the vessel, and that the heat transferred to the suppression pool be eventually transferred to the environment.
The lACA aspects of these sequences do not affect'the event tree because the systems used to mitigate an ATWS event can uitigate LOCAs of any size and, for sequences without reactor suberiticality, the ADS valves will be open anyway to transfer the energy to the suppression pool.
For the above reasons, this event does not appear explicitly on the ATWS functional event tree.
Successful reclosure of the safety / relief valves must be followed by decay heat removal from the vessel.
Early Containment Overpressure Protaction (VS)
Given failure of the RCS integrity i: unction, heat from the vessel is transported to the suppression pool either directly through a stuck open SRV or via a large iDCA to the drywell and then through the downcomers.
Failure of the suppression pool to condense this steam will tesalt in overpressurization and failure of the concainment within a very short time (30 see to 15 min).
Overpressurization of the containment can fail the equipment required for emergency core cooling and..ontainment heat removal, thus leading to core damaae and radioact. re release.
Thus failure of this function is assumed to result in the core being vulnerable to damage.
Sequences with failure of the early containment overpressure function are probabilistically negligible and not developed on the ATWS functional event tree, o
2-16
Successful vapor suppression operation must be followed by makeup of reactor vessel coolant and removal of heat released to the containment.
Core Coolant Makeun (CCMI. CCH2. CCM3)
The emergency core cooling (ECC)-systems are designed to provide cooling Later to the core from an external source or from the suppression pool.
This cooling water passes through (ae core, removing heat and transferring it to the vapaz suppression,sool.
If the original source of water was external, the ECC systems would be reali ned to take suction 6
from the suppression pool to form a continuous circulation loop for cooling the core upon high level in the suppression pool or low. vel.of the source.
Eventually, the stored heat in the suppression pool.aust be transferred to the ultimate heat sink.
Non-emergency related systeu are also capable of injecting water from external sources into the vessel during a transient.
However,. these systems are not capable of recirculating water irom the suppression pool, CCM1 represents failure of the injection systems before CHR failure, CCH2 represents failure of the injection systems after CHR failure but before containment ' failure, and CCM3 represents failure after cor.tainment failure.
Failure of-the coolant makeup function will result in loss of core cooling - and a core damage.
Success of this function must be followed by removal of heat stored in the suppression pool.
l-
[9ntainment Heat Removal (CHR)
Even if the normal heat removal path is available for removal of energy being generated after failure of the reactor suberiticality function, the the reactor power level will be in the range of 9-17% depending on the systems operating, which is much higher than the capability of the RHR system (about 3%).
The energy being generated in the vessel' will be deposited in the suppression pool via the'SRV discharge lines or direct?y to the drywell if a 1DCA exists.
The excess energy,-over and.above the RPR system's heat removal capacity, will result in rapid containment.
pressurization.
Given failure of the reactor - suberiticality function and ' failure of secondary means to render the reactor - suberitical in time to prevent containment venting or structural failure, a feedback effect can oc,:ur that results in failure of the core coolant makeup function.
This failure can come about either before or ~after containment venting or structural failure of the containment.
As the containment pressurizes, the containment pressure, temperature, and suppression pool temperature all. increase.
High containment pressure can.. result ' in failure of the RCIC system and low pressure injection systems when the ADS valves reclose.
Very high pressures and temperatures can. result in direct failure of the ADS valves which are 'not designed for such environments, liigh suppression pool temperatures - can result in failure of systems ptr ping such high temperatura water or from loss of NPSH when the pool becomes saturated.
After containment venting oV failure, high 2-17
temperature steam may be blown into the reactor building depending upon the location of the failure (failure to the refueling floor will not blow steam into the reactor building).
This blowdown will create. severe environments in the reactor building well beyond the harsh environments usually evaluated.
Most systems have components in_the reactor building _
that would be subject-to such environments and failure of the ECC and other systems after containment failure duw
+o these environments would result in core damage wit'a an already failed ontainment.
If only low pressure injection systems are working and RHR works, LTAS2 calculations (described.in Section 2.6.3) show that containment pressure-will equilibrate near une ADS reclosure pressure.
The low pressure systems inject when the ADS valves open as the reactor goes subcritical.
When injection stops, the RHR system reduces _ containment pressure below the reclosure pressure, and the ADS valves reopen.
The low pressure _
injection systems stop injecting as the containment pressure rises due to the energy generated when the core is reflooded, the ADS valves reclose,-
and the RPV repressurizes.
If venting occurs, or both RHR and venting are successful, the containment pressure will equilibrate above the vent pressure but below the ADS reclosure pressure.
Low pressure inj ection will go on and off as the RPV pressure goes below_ and above the low pressure injection pumps shutoff head. These scenarios correspond to the cases where injection does not fail from the severe environments produced in the reactor building af ter venting orf irom the valve cycling in the injection lines as the RPV pressure varies.
Successful residual heat removal can result in core s tability if.~..
coolant makeup continues to be available.
Secuence Descriutions A brief description of each sequence in the transient functional event tree is provided below.
Sequence 1:
l The reactor is successfully shutdown using alternate means, core coolant j
makeup is provided, and the containment heat removal systems function to l
remove residual heat. While the containment will pressurize more than in a normal transient or LOCA due to the energy generation rate initially being higher than - what can be removed by the containment heat removal system, once the reactor is shutdown the containment heat removal systems l
will begin to reduce containment pressure.
A stable end Estate is reached, core damage is averted, and the containment is Lacact.
l Sequence 2:
l Alternate.means of shutting down the reactor succeed but containment. heat removal-fails.
The core will be kept cooled until the. heat transferred to the containment from the SRVs exceeds the-suppression pool's capacity (from about a half hour af ter the transient initiation to many hours, t
2-18
. ~
5 depending on when reactor suberiticality succeeds), The suppression pool' water will boil, causing overpressurization, and finally either venting or structural failure of the containment will occur..The core coolant makeup fun,
- a does not fail either before or after containment venting
~
or failure.
Coro damage does not occur;. the sequence results in successful shutdown of the reactor with a failed containment, Sequence 3:
The reactor is successfully shutdown'using alternate means, injection is initially successful, containment heat removal fails, but the core coolant makeup function continues until after containment venting or i
failure.
The injection systems then fail due to the severe environment in the reactor building and core damage results with an already failed containment.
1 Sequi. ace 4:
The reactor is successfully shutdown using alternate means, injection is initially successful, containment heat removal fails, and the. core coolan* makeup function fails before the containment is vented.or fails.
The injection systems fail from conditions in the containment and core damage results in an intact containment.
Sequence 5:
The reactor is successfully shutdown using a h eti -.e means but the initial core coolant makeup function fails and core damage results from the loss of all injection in an intact containment.
Sequence 6:
The reactor is not successfully shutdown. using alternate means, core coolant makeup ' is provided, and the containment. heat removal systems function to remove some energy from containment.
The containment will continue to pressurize until one of three things occurs depending upon -
the injection systems available: (1) if low pressure systems are being used and the containment is vented, the pressure equilibrate-st-a level-
.ightly higher than the vent pressure and injection con'
.es ; -- (2). if
_ow pressure systems are being used and the containment not vented, the reclosure of the ADS valves on high containment pressure results in oscillation of -the containment pressure near - the ADS reclosure pressure and in oscillatory opening and closing of the ADS valves and use of-the low pressure systems; or (3) if high pressure systems are being used, the
~
containment' pressurizes until containment venting or failure occurs.'The.
inj ection systems continue to work both before. and after containment venting or failure and a quasi-steady state is reached Ultimately the reactor is shutdown and core damage is. adverted with - a failed containment.
2-19
Sequence 7:
that ultimate shutdown is This sequence is identical to sequence 6 except not achieved.
For this study, the sequence was assessed to go to core damage with a failed containment.
The sequence is probabilistically lov and further development was felt to be unwarranted.
Sequence 8:
This sequence is also similar to sequence 6 except that the inj ec tion systems fail after containment venting or fallute ano core damage results with a f ailed contaimnent.
Sequence 9:
that the injection systems This sequence is similar to sequence 6 except f ail before containment failure and core damage occurs with an intact injection fails, the reactor power level drops containment; since, once quickly to within the range of the operating containment heat removal system.
Sequcace 10:
The reactor is not successfully shutdown using alternate means, core coolant makeup is provided but the containment heat removal systems fail.
one of two things The containment will continue to pressurize ' until occurs dependin; upon the inj ec tion systems available: (1) if low the containment is vented and pressure pressure systems are being used,a level slightly higher than the vent pressure; or (2) if equilibrates at high pressure systems are being used, the containment pressurizes until containment venting or failure occurs. The injection systems continue to work both before and af ter containment venting or failure and a quasi-steady state is reached.
Ultimately the reactor is shutdown and core damage is averted with a failed containment.
Sequence 11:
This sequence is identical to sequence 10 except that the reactor is not ultiinately shutdown.
For this study, the sequence was assessed to go to core damage with a failed containment. The sequence is probabilistically low and further development was felt to be unwarranted.
Sequence 12:
This sequence is similar to sequence 10 except that the injection systems fail af ter containment venting or failure due to the severo environments in the reactor building.
Sequence 13:
The reactor is not successfully shutdown using alternate means, core coolant makeup is provided using low pressure injection systems only, and 2-20 s,
4-the containment heat removal-systems fail.
The containment continues to pressurize and the low pressure systems fail before containment venting or failure occurs.
Core damage occurs in an intact containment.
Sequence 14:
The reactor is not successfully shutdown using alternate me ar s,. core coolant makeup fails initially, and core damage occurs in an intact contai.nment.
s 2.4 Systerr.s Available to Perform Recuf red Functions The front-line systems available at LaSalle for mitigating MCAs and transients are presented in Tables - 2.1 and 2.2 respectively.
Detailed descriptions of the systems listed are given in the corresponding fault tree analyses chapters presented in Volume 6 of this report.
Some information on the svstems is also presented in the following section on system success criteria.
Additional informatio'n can be found ir. the LaSalle FSAR.3 2.5 Success Criteria In order to construct the event trees and front-line system fault trees, it is necessary to define the front-line system success _ criteria.
The front-line system success criteria specify the minimum number, of subsystems (trains) or components whose operation is - required to successfully perform one of the functions used in - the functional event trees.
As such, the complement of the system success criteria also defines the system failure criteria which is the ' top event of the corresponding fault tree.
The system success criteria are different for ' LOCA, transient, and LOCA or transient with failure ' to scram (ATWS) initiators.
.The success criteria for each function required. for MCAs, transients, and.ATWS are delineated in the following sections..
The success criteria are summarized in Tables 2.3, 2.4, and 2.5.
2.5.1 LQCAs (L)
A' large LOCA is defined as a break in the reactor coolant boundary sufficient to cause rapid vessel depressurization.
The size of such a LOCA is 2:0.3 fta for both a s. team and liquid break. -This result is based on calculations reported in Reference ~ 4.
In particular, a case involving a reactor isolation event - with failure of high pressure injection and successful ADS for a BW.6 indicates that the' opening of 3 SRVs is sufficient to depressurize the RPV fast enough that low pressure injection systems can mitigate the transient. The flow area of 3 SRVs is approxircarely O'.3 f t,
Thus, a steam break of this size or larger is 2
2-21
Table 2.1 LOCA FUNCTION / SYSTEM RELATIONSHIP Function Systems Reactor Suberiticality Reactor Protection System (RPS)
Recirculation Pump Trip (RPT) j Alternate Rod Insertion (ARI)
Standby Liquid Control System (SBLC) i Early Containment Overpressure Vapor Suppression System (VSS)-
Protection Core Coolant Makeup (High Pressure)
High Pressure Core' Spray (HPCS)
F Reactor Core Isolation Cooling-(RCIC)
Control Rod Drive (CRD).
(Low Pressure)
Automatic Depressurization System (ADS)
Low Pressure Core Spray (LPCS)
Low Pressure Coolant Injection' (LPCI)
Condensate System (CDS)
Containment Heat Removal Residual Heat Removal System (RFR)
Suppression Pool Coolin5 (SPC)
Containment Spray System (CSS)
Shutdown Cooling System (SCS) 2-22
~
i Table 2.2 TRANSIENT FUNCTION /S'ISTEM REIA?IONSHIP Function Systems-Reactor Suberiticality Reactor Protection System (RPS)
Recirculation Pump Trip (RPT)
Alternate Rod Insertion (ARI)-
Standby Liquid Concrol System (SBLC)
RCS Integrity Safety / Relief Valves (SRV). open SRV Closure Early Containment Overpressure Vapor Suppression System (VSS)
Protection Core Coolant Makeup (High Pressure)
High Pressure Core Spray (HPCS)
Reacto-Core Isolation Cooling (RCIC)
Contrt. Rod Drive (CRD):
(Low Pressure)
Automatic Depressurization System (AD5)
Low Pressure Core Spray (LPCS)
Low Pressure Coolant _-Injection (LPCI)
Condensate System (CDS) l Diesel Driven Fire Water (DDFW)
Containment Heat Removal Residual Heat Removal System (RHR)
Suppression Pool Cooling (SPC)
Containment Spray-System (CSS).
Shutdown Cooling System (SDC)
Power Conversion System-(PCS) 2-23
Table 2.3 LOCA STJCCESS ULITERIA React-Early Conteirunent Core Contatriacct Accident Initiator Suber celity Overpressure Coolant Best Protection Makeup-Romeval Large LOCA
<S adjacent rods Steam rolessed from 1PO W pmp 1/2 R!!R in 2
fail to insert and break is directed and 1/4 condensate suppresrien pol Liquid Break 2 0.'ft2
<30 rods fati to to vapor suppression transfer troias coolins or Steam Break 2 0.3 ft or containment insert pl EC oprey modes or LICS or 1/3 LPCI or if e cortdensete trains Intenwflate LOCA Same as above Same as above 1 PD N pep and 1/2 EER in 1/4 condensete suppressten to trains pol coolans b
or or containment e
Liquid Break EPCS sprey inodes 2
> 0. 00 5 to < 0. 3 f t or AOS (3/7 SRTs Steam Broek outo or eenval) 2
> 0.1 to < 0.3 ft and LPCS or 1/3 LPCI or
(
1/4 condeesate trein l
8
- _8 I "s,i, e
D*8BR m:
E s*
1 "1
" h ~u~ g.B.
Y 8a-a w
e E
E 18 3
gE 2
I L.
y at.:
8s1 88 1
.t a
uuelo:
i n-t.
e Sam M
n a
1R 2.
3g J :.g sv 8
a4 o f.e.
,I, m:se v
~
M-u W
ut
.3 St 3
N j
a d
L d
M 1
11
.y i
j S
a a
3 3
d
-I 5
2 25
.~
L---_______-
Table 2.4 TRANSIENT WITH AUTOHATIC REACTOR SCRAM SUCCESS CRITERIA Function System Reactor Suberiticality
<5 adjacent rods fail to insert and
<30 rods fail to insert RCS Integrity 12 of 18 SRVs open All open SRVs recloor 1 open small LOCA 2 open intermediate LOCA 3 or more open large LOCA i
Early Containment Overpressure Steam released through SRVS condensed in supprossion pool Core Coolant Makeup 1/3 FV pumps and 1/4 condensate trains or RCIC or ilPCS or ADS (3/7 SRVs) and LPCS or 1/3 LPCI l
or 1/4 condensate trains Containment lleat Removal 1/2 RHR in any mode or PCS l
l 1
t I
f Table 2.5 TRANSIENT WITHOUT AUTOMATIC SCRAM SUCCESS CRITERIA me --
Function Systern Success Criteria i
Reactivity Control RPT 'and ARI or RPT and Manual Scram or RPT and 1/2 SBLC and Manual Level Control and ADS Inhibit or RPT and Manual Level control and ADS Inhibit
- RCS Integrity 16 of 18 SRVs open as required Early Containment Overpressure Vapor. Suppression System
?
Pratection Core Coolant Makeup 1/3 W pumps and 1/4 condensate trains or-HPCS or ADS (3/7 SRVs) and LPCS or 1/3 LPCI Hsat Removal 1/2 RRR in any mode or PCS
- When PCS is available i
2 27
4 i
ast.essed to result in rapid vessel depressurization.
A liquid break of this size is ase.essed to result in a faster depressurization rate.
A medium 1DCA is defined as a break of a size such that RCIC :s not sufficient to mitigate the accident alone and is not large enou6h to depressurize the RPV fast enough for the low pressure injection systems to prevent core damage if the high pressure injection systems have l
failed.
Calculations discussed in Reference 4 indicate that RCIC is sufficient to j
keep the core covered during a loss of feedwater transient with one stuck j
open relief valve (SORV) in a LVRS.
Steamline breaks greater than 0.1 ft 2 (flow area of one SRV) are thus too larBe for RCIC.
Other calculations performed for a BWR4 and BWR6 indicate that RCIC will 2
Similar maint.n the core cossted for liquid breaks less than 0.005 ft.
1 results are expected for a IWRS. The upper boundaries of the break sizes
]
correspond to the lower limit for large MCAs.
Thus the break sizes for i
medium LOCAs are:
1 Steam:
0.1 ft2 < A < 0.3 ft3 j
Liquid:
0.005 ft2 < A < 0.3 ft2 4,
A small 1DCA is defined as a IACA where RCIC alone can maintain the core-1-
j-As mentioned previously, calculations performed in Reference 4 covered.
j indicate that RCIC can successfully mitigate steam breaks up to and 2
including 0.1 fta and liquid breaks up to 'and including 0.005 ft.
Plant specific calculations described in Section 2.6.1 - confirm this
- result, t
^
Blaptor Suberiticality tks) f Reactor suberiticality using the reactor protection system (RPS) or the alternate rod. insertion system (ARI) would not be accomplished for any size IDCA if more than 5 adjacent control rods fail to insert or more than 30 control rods fail to insert.$
i 4
-Early Containment Failure (VS)-
u is successful if the steam / water released to the b
Vapor suppression drywell from the break is transported from the drywell to the suppression f
l pool where it is condensed.-
The: transport is conducted throu6h downcomers connecting the drywell and suppression pool.
i Vacuum breakers are provided to allow. a ' return flow path for noncondensibles from the suppression chamber to the drywell. ' Opening of the vacuum breakers is - required to prevent pressurization of the suppression chamber, Subsequent reclosing of the vacuum breakers is also i
t required to prevent backflow of - gas from the drywell to the wetwell bypassing the suppression pool.
l
[
i 2-28 i
The steam released to the drywell during a LOCA can bypass the suppression pool if a downcomer ruptures in the wetwell air space or if vacuum breakers fail open or cb sed.
The exact bypass flow area which would result in containment overpressurization and failure is calculated in the LaSalle FSAR3 as a function of break area.
The maximwn allowable leakage area is approximately 0.05 ft 2 (a 1.5" diameter hole).
In the Reactor Safety Study,s failure of the VSS during a large iDCA was found to lead to containment rupture by overpressurization within 30 seconds.
Since a similar short period is assumed for the Mark 11 containment, no credit can be taken for use of other containment pressure reduction features such as suppression pool sprays or drywell sprays.
For smaller LOCAs and transient induced LOCAs with failure of the SRV discharge line in the wetwell airspace, up to 15 minutes or more could be available depending on the amount of bypass.
Core Coolant Makeun (f4M),
Core coolant makeup following a LOCA can be accomplished with the motor-driven feedwater train (MW), with water supplied to the pump suction by a single condensate / condensate booster pump train.
The motor driven feedwater - pump i-capable of operating at 40% of reactor rated steam flow; automatic startup and control on reactor vessel water level occurs if the turbine driven feedwater pumps trip.
On depletion of the condenser hotwell, makeup from the condensate, storage tank is limited to 1800 gpm.
The turbine driven feedwater pumps are not available following a LOCA due to low steam preasure and/or mainsteam isolation valve (MSIV) closure which stops steam flow to the pump turbines.
Reopening of the MSIVs is possible but no credit is taken for such an action in this analysis due to violation of containment isolation and potential for radioactive release outside the containment.
HPCS has sufficient capacity for mitigating all sizes of thCAs.
The capacity of RCIC on the other hand is insufficient for coolant makeup during a large or medium iDCA but is sufficient for a small IDCA.
In any
?
the RCIC turbine would fail from low steam pressure for large and
- case, medium LOCAs.
Use of che low pressure large LOCA since the reactor vessel would be depressurized. systems can be achieve However, for small and medium LOCAs, reactor vessel depressurization would be required.
Reactor vesse. depressurization can be accomplished automatically ' through ADS. initiation or manually by opening SRVs.
-Successful depressurization requires that the vessel remain depressurized once low pressure injection is initiated (i.e... the relief capacity must be sufficient to remove the generated steam in order to prevent repressurization).
As previously stated in the discussion on the definition.of a-large LOCA, calculations reported in K 'erence 4 indicate that the opening of 3 SRVs will result in such a sustained 2-29 I
T~
depressurization.
Succeso is thus defined as automatic opening of 3 out.
oi 7 ADS valves o: manual opening of any 3 SRVs.
The single train of LICS can also be used to mitigate any size LOCA.
Calc ul a t i ons presented in Reference 4 indicated that the single LPCS train is sufficient sur flooding the core during a desir,n basic liquid in break in a BWR4 and following ADS initiation during an isolation event a BWR6.
Thase results are said to be applicable to a BWR5 such as LaSalle.
Plant specific calculations perormed for this analysis and reported in Section 2.6.1 indicate the adequacy of the LPCS by itself for mitigating a large LOCA.
A single train of LPCI can also mitigate any size LOCA.
A calculation LPCI train is sufficient presented in P.ef erence 4 indicates that a single to mitigate a DBA suction break in a bWR4.
Another calculation indicates in a BWR6, reactor depressurization followed that for an isolation event by injection from one LPCI train is sufficient for mitigation.
The results are said to also be applicable for a BWRS.
For very long term coro ecoling wh m the coolant in the RPV is subcooled, steam cooling will no longer be available to cool any uncovered portions of the core and one LPCI train may not be sufficient to keep the level in the core high enough tu pevent the upper portion of the core from reheating and going to core damage.
Two LPCI trains would be sufficient in this case.
A plant-specific RELAP57 calculation, reported in Section 2.6.1, for a recirculation line break with one train of LPCI shows LPCI can successfully mitigate a DBA suction break One train of condensate pumps is also sufficient for maintaining core level f or any size LOCA.
Iloweve r, the condensate system is not coolant automatically controlled and operator action would be required to control the system.
This system is normally operating and should be available, provided that coolant is available in the condenser hotwell.
As for feedsater, makeup from the condensate storage tank is limited to 1800 gpm.
Containment Hear Pemoval (CHR)
Containment heat removal can be accomplished following a LOCA by the RilR in three of its four possible opere. ting modes:
1.
Low Pressure Coolant Injection, 2.
Suppression pool cooling, and 3.
1;o credit is taken in this analysis for the steam condensing and shutdown cooling modes of operation since the break dumps heat directly to the containment and these modes of operation 1t
't remove the energy from the containment.
According to the LaSalle FSAR,3 one PJiR heat exchanger is sufficient for maintaining tr e suppression pool temperature below lu iting temperatures.
This is nssumed to be true in any mode of RER operatlen.
Flow from one of tso service water pumps is required to remove the heat from one b at exchanger.
The PCS is considered 2 30
_ _. _ ~ - -. -. -
unavailable since the MSIVs close upon a low low (Level 1) reactor vessel:
water level s'gnal.
Reopening of the MSIVs is possible and heat removal by the PCS may be. feasible; however, the preferred flow path will be out of the break directly to the drywell. The amount of energy that could be removed by the PCS would depend critically on the size of the break and the relative resistance of the two paths.
Also, af ter core damage has begun, radioactivity could be transported directly outside the containment.
We did not have the resources to ' calculate the range of conditions under which PCS would be a viable option for this scenario.
At best this would only slow down thh containment pressurization and at worst would be ineffectual.
2.5.2 Transients With Automatic Reactor Scrag The system -success criteria for most transients with automatic reactor l
scram is sununarized in Table 2.4, As indicated, the success criteria fo-
-the reactor suberiticality and core coolant makeup functicn are the same those previously listed for a small 1.DCA.
However, the core coolant as makeup function may have different success criteria depending on the initiator.
For transient -initiators resulting in, MSIV closure, the turbine driven feedwater pumps would only be available if the operator reopened an MSIV.
The RCS integrity function is required for most transients.
The most limiting transient for this function is an MSIV closure event.
With scram, approximately 12 of 18 SRVs must open.'
Since common cause j
failures would dominate the failurs probability of five or more valves to cpen, a more precise definition is not required.
All of the SRVs must reclose following relief of the vessel pressure.
Failure of one SRV to reclose (0.0 fta flow area) will result -in the equivalent of a small LOCA.
Failure of two SRVS to isclose will result in the equivalent of a medium LOCA, and fal kre of three or more to reclose results in the equivalent of a large LOCA.
The early containment overpressure protecti sa function has not in the past been represented on transient event trees.
However, during a transient, steam released to the containment is released via the SRVs to the suppression pool (during a LOCA, the steam - is released to the drywell).
Contaf.nment integrity during a transient can be challenged if' an SRV-fails-to reclose.and the fRV.line breaks in the wetwell airspace 8 causing steam to bypass the suppression pool. Success then requires that the SRV line associated with a stuck open SRV remain' intact The successful operation of-PCS for. heat removal. during a transient requires that one steam bypass line to' the condenser be available and the condenser be capable of condensing steam.
For many transient initiating events, portions of the PCS may not be avrilable but may be-recoverable.
For example, in an MSIV closure transient, the MS1Vs may be reopened.
2-31.
I
, ~
.,,-_.n.
-+
..n.-,.,.
-4
--,., a
____m l
Any one of three modes of RHR can generally he used for most i
No credit is tak.an for use of the steam condensing mode due to the l
complex actions required for its initiation.
Also, the shutdown cooling mode cannot be successfully used during an inadvertently open relief valve (10RV) initiator or a transient with an SORV since it does not remove heat from the containment, One of two RHR loops is required for most transients.
However some transients can potentially put a greater demand on the RHR system.
For example, an 50RV will not result in an immediate automatic reactor scrarn and therefore can result in a large heat load dumped to the suppression pcol.
The success criteria of the RHR for an SORV transient my require that it be initiated sooner than for other transients or both loops of the RHR may be required, depending on when reactor scratn occurs.
2.5.3 Trarmients Without Automatic Reactor Scram (ATWS1 The success criteria for a general ATWS event tree is presented in Table 2.5.
Reactivity control can be accornplished by any of several methods.
manual or automatic) is Recirculailon pump t rip -(RPT, both pumps RPT required in each method to reduce core power to between 30 and 50%.
and Alternate Rod Insettion (AR1) will result in successful power reduction if the control rods can be inserted.
ARI will not occur until approxirnately 10 - 30s after a normal scram would occur.
RPT would be required in this interirr period to reduce power.
RPT and a timely manual scram will also decrease power, The operator is directed by procedures to immediately try to manually scram the reactor by pressing the manual scram buttons or placing the mode switch in shutdown.
The tirne available to initiate inanual scram before core damage or containment failure occurs is not known, However, from the LTAS calculations described in Section 2.6.3, we see that it could take a long time to get core damage if the reactor is not shutdown depending on what systems are operating.
However, it-would seem to be prudent to shutdown the reactor as quickly as possible.
Certainly shutting down.me reactor befure venting os containment failure which would occur in about 40 to 60 minutes would be prudent.
RPT and timely. manual initiation of one of two SBLC pumps (43.gpm) will result in reactor shutdown if the operator takes two additional. steps:
(1) controls all coolant injectioti systems to _ maintain water-level at the top of the active fuel (TAF) and '(2) prevents ADS actuation. - The' flow rate is-adequate to inject sufficient boron to shut down the reactor within approximately 20 rninut e s.
The sys t ein is manually - initiated.
During the interiin period, the power must be reduced further by RPT and reductir.n of the vessel water level to the TAF.
LaSalle has implemented the version o'f the ATVS rule which requires an alternate rod insection system'and doubling the boron concentration.
Manual level control to the TAF in conjunction with RPT can reduce core power to approxirnately 15% at 1000 psig.
This heat load can be-handled-4 2 32
?
-.m-~-
,r_
- - ~ - - _. - - _ - -.
i by the PCS if available.
If the pCS is not a', a i l abl e. the heat load would be dumped to the suppression pool.
Since the combined RHR heat removal capacity is approximately 34, containment failura wot.1d occur.
A further rediction in power is possible by reducing system pressure.
Ilowever, no credit is currently being taken in this analysis for this action since control of power at low pressure is d i f f i a.ul t (power /pressute oscillations can occur if the level is allowed to deviate rnuch over the TAF) and the LTAS calculations show that level can not be maintained above about 2/3 TAF except with feedwater or condensate.
We assume in this analysis that ADS will occur in all cases even if high pressure injection by HPCS is working.
The requirement for PCS integrity during an ATVS is more severe than during a transient with scram.
Sixteen of 18 SRVs2 must open to relieve the RCS pressure.
The requirement for early containment overpressure protection is the same as for transients with scram.
The succesa criteria for core coolant makeup requires use of the high pressure injection systems or depressurization and use of low pressure injection syntems.
The RCIC systent cannot provide sufficient flow to keep the core covered.
Also, depending on the initiating event, MSIV closure may occur and the two turbine driven feedwater pumps would be i
initially unavailable.
l The heat removal function success criteria ate highly dependent on the initiating event and the actions taken If the initiating event results in the unavailability of the PCS, the entire heat load is dumped to the suppression pool.
The suppression pool heat load can range from 9% 17%,
if reactor suberiticality is not successful, to 1% twenty minutes after boron injection begins.
Operation of one RHR loop is assumed to be required to remove the integrated heat load after reactor suocriticality is succeesful, one RHR train will turn around the c onta intre nt temperature and pressure increases and begin to return containment conditions to normal.
Only the suppression pool cooling and contairmnt spray modes are assumed to be successful.
If reactor suberiticality is not successful, operation of a least one train of RHR can result in equilibration of containment pressure and temperatures at-levels c msistent with the the ADS reclosure pressure, if only low pressure injection systems are working, or slightly above vent pressures if high pressure injection and venting work.
Venting by itself will also result in equilibration of containment conditions at levels near the vent setpoint after venting occurs.
If. the PCS is available, the maj ori ty of the heat load will be transferred to the ' condenser.
However, for a period of time, the heat load in excess of the turbine bypass capacity (25%) would be transferred to the suppression pool.
This heat load is assumed to be below the heat capacity of the supp ession pool and heat removal is not required.
2 33
. ~ - - - -
l
- s s Res m 9 Event Trees 4
4 As stated previously, the three lhCA initiating events are evaluated on.a single 1.0CA eve nt tree, This is possible since the. general plant is similar for all three _ sizes of LOCAs.
However, the success response criteria for safety-related systems varies with the size of the LOCA.
The difference in the success criteria is accounted for by inclusion of the initiating events in the system fault r ees.
A description of the plant response for each of the three LOCA slees is 4
i presented in the subsequent paragraphs.
The LOCA event tree is then presented with descriptions for each event.
The initiating event interactions with the systems are discussed at this level.
A:
Larr+ LOCA A large LOCA is any break in the reactor coolant system piping which could lead to the loss of a sufficient amount of coolant-to result in a rapid depressurization of the reactor system.
A large LOCA demands that the reactor be scramed, coolant released _to the containment be condensed, coolant makeup be supplied to the vessel, and heat be removed from the contairament.
Following initiation of-a large LOCA, the - drywell pressure should 1
increase rapidly to the reactor scram setpoint of 1~. 6 9 psig.
In addition, the-reactor vessel water level should decrcase to the reactor scram setpoint (level 3, 12.5 inches). The HPCS, LPCS, and LPCI systems, and all diesel generators (DCs) are also signaled to start at the high drywell. pressure setpoint (1.69 psig).
The RCIC system should initiate upon a los reactor vessel water level si nal (Level 2, 50 inches). However, RCIC capacity is insufficient for F
a large LOCA.
Furthermore,- steam to the RCIC turbine is isolated when the reactor vessel pressure decreases to _ 57 psig.
-This should occur I
rapidly following a large LOCA.
The HPCS system and the HPCS D/G also receive ini tiation. signals to start upon a Level 2 ' si gnal.
The recirculation pumps are tripped.
t The water level in the; vessel continues to uecrease to the low-low level setpoint (Level-1)- of 129 inches which should initiate MSIV closure.
Closure of the MSIVs should result in loss of : steam to t.ach-turbine-driven feedwater pumps.
Automatic startup of the motor-driven pump will not. occur since the TDRFPs.do not-actu aly trip.
The LPCI and LPCS systems will. receive-a second signal to start at the Level 1 setpoint (i.e., in addition to the high drywell pressure).-- In addition, the ADS timer should begin its.105 s econd ; - run to begin depressurization.
(ADS-is not required because a largo break will i
depressurir.e-the vessel.) The reactor vessel pressure should decrease to f
2-34 y
e,,m.-rw,~,r,y,--h+ey-e-.-,,,,,,.,-m..,...,, em,,,.,g-pr,3-y n m. o,.
w
t the LPCS and LPCI injection valve opening setpoint of 500 psig.
Within 60 sec, the HPCS, LPCS, and '.PCI systems should all be injecting into the vessel.
After the reactor vessel level is stabilized, the reactor operator should initiate containment heat removal using the RHR.
(An interlock prevents flow through the RHR heat exchangers for the first ten minutes following LPCI initiation.)
S3 i Medium LOCA A medium LOCA is of a size such that rapid vesnel depressurization does not occur.
There fo re a high pressure coolant injection system is i
required or the vessel must be depressurized.
The size of a medium 1DCA is dependent upon location.
A liquid break between.0005 and 0.3 fta or a steam break in the range 0.1 to 0,3 ft2 will result in a medium 1DCA.
The sequence of events following a medium LOCA would be similar to those delineated far a large IOCA except ADS would be required to depressurize the vessel.
Sp Smell LOCA A small % CA is characterized by slow or no vessel depressurization and a gradual inventory loss from the vessel.
The high pressure coolant makeup systems including RCIC can be utilized to mitigate a small 1DCA. A small 14CA is defined as a liquid break less than or equal to 0.000$ ft2 or a steam break 50.1 fta, Immediately af ter a small break in the reactor pressure beundary, the vessel pressure may slowly decrease while the _ drywell pressure will increase.
The increase in drywell pressure will provide a scram signal to the RPS and will also initiate. the ECCS.
At this time, RPV pressure may increase, depending on the size of the small LOCA, due-to the imbalance caused by the turbine trip and some SRVs may open.
For_all small breaks, the feedwater capacity chould be capable of compensating for any reactor vessel inventory lost out the break.
Furthermore, HPCS will begin injecting water after initiation of a high drywell pressuro signal.
(LPCS and LPCI will also initiate.)
If the reactor vessel water level continues to decrease, a low water level (Level 2) signal will initiate RCIC and send a second initiate
. signal to HPCS.
A turther decrease to_the-low low ~ level (Level 1) will.
result in ' a second initiation signal _ to LPCI and LPCS and begin.the ADS 105 sec rundown. MSIV closure will also occur.-
MSIV closure - can also occur due to other signals _ related to the -
initiating event. These signals include main steamline high temperaturc, radiation, or low pressure.
Because of this norential for MSIV closure, the PCS is conservatively assumed mavailable for a small-LOCA.
2-35
.2...
2
The sequence of events f ollowity, a small 1.0C \\ are similar to those delineated for a medina LAA e m pt that 11 2 an provide adequate coolant trakeup The LTAS code developed at Oak Ridge National Laboratory (ORNL) was modified to represent the LaSalle plant.
The f ollowing modifications were inade by ORNL (1) passive heat sinks for the Mark-11 containment ittp rove d, and (3) a were added, (2) the RHR heat exchanger model was capacity to model small break LOCAs was added.
Additio.1al modifications made by SNL include (1) additional SRVs and LaSalle control logic were added, (2) all inj ec tion systems were add d with LaSalle specific head curves, control logic, and injection location, (3) capability to simulate enhanced CRD flow, (4) drywell venting capability, (5) stuck-open vacuum breaker capability, and (6) LaSalle-specific core characteristics.
The code was base-lined to a RELAP5 model used to evaluate transient response (see Section 2.6.2).
One RELAP5 calculation and twelve small break and three t.iedium break LTAS calculations were performed.
The following cases were run:
1.
A small LOCA with successful ADS but with no injection (0.6 and 1 i
in. diaracter breaks),
2.
A small LCCA with RCIC success, with and without ADS, 3.
A small LOCA, RCIC and 1 CRD pump' operating, no ADS or containment. venting, 4.
A small LOCA, MFW success, level controlled to TAF, no ADS, venting occurs, 5.
A small LOCA, HPCS injection fails when suppression pool temperature reaches 300 oF, no ADS or venting, 6.
A small LOCA, HPCS injection fails when suppression pool temperature reaches 300
'F, no ADS or venting, no late manual RPV depressurization, 7.
A small LO':.\\, RCIC and 2 CRD pumps working, start second CRD pump at 12,000 sec, n,
ADS or venting, 9.
A small LOCA, ADS,;.od LFCS work, 9.
A small LOCA, RCIC and 2 CRD pumps working, enhanced CRD flow when second pump started at 12,000 sec., two flow rates: maximum a
and 180 gpm,
_ _ _ _ _.. ~. _ _ _ _
- 13. REIAp5 recirculation line break with one LPCI train operating.
The event tree for a LOCA is shown-in Figure 2.4.
Each event is described subsequently.
1,_, - LOCA Initintqr - This initiator represents all different sizes of possible LOCAs.
A large LOCA is definer' as_a lc4ge steam line break or liquid line break sufficient to depressutize the reactor vessel so that low pressure injectf on systems can prevent core damage. A medium LOCA is.
j a steam or liquid line break _ which does not depressurize the reactor vessel rapidly enough to prevent core damage using low pressure injection systems without ADS operation. A small LOCA is a break small enough such that reactor vessel depressurization does not occur rapidly and RCIC is capable of supplying sufficient makeup.to prevent core uncovery.
(
RPS/ARI P,eactor Suberitical A ranctor scram signal should be j
initiated by a high drywell pressure signal and_ the control' rods should insert. A second scram signal should be generated upon low reactor water level.
Failure of any 5 adjacent -rods - to insert to notch position 06 or th!rty or more rods to insert to notch,ositior!06 will result in fsilure to scram.
Credit ~ is given for the alternate rod insertion system, electrical failures are assessed to be negligible and - only ~ rondom mechanical failures are used in the quantification of this esent.
-No fault tree was developed for this analysis.
The event was quantified as a single event.
Failure to automatically scram will transfer to the ATWS event tree.
l i
VS Vacor Sucoression - The steam released int'o the drywell during a i
LOCA must fic down into the vapor suppression pool-for cond)nsation in -
order to prevent overpressurization'of~the. containment.
As was assumed in the Reactor Safety Study,e the definition for failure of. this event is steam bypass of the suppression poo1 ~ (i.e., direct steam inflow into_ the wetwell airspace). This is_ assumed to occur if one downcomer ruptures in-the wetvell airspace, if two vacuum breakers rupture, or.if floor or -
penetrat!on seals between the ldrywell and watwell. rupturw.
For transient-induced LOCAs thac result from a stuck open SRV, failure of the-SRV dischargo line in' the wetwell air space.will produce' similar l
effects.e Failure of the vapor suppressinn system during a large-LOCA can result in containment failure in less than one' minute 8 Insufficient time would be available _ for the operator to : initiate drywell. or. suppression pool-sprayc, since he would be locked out for 10 minutes by t.he _ actuation logic, or_ vent the containment.
Containment failura, can potentially result __ in failure of the emergency core cooling' systems and s thus may g
result __in core damage.
For small and medium LOCAsiand transient-induced LOCAs, more time may be available to-initiate sprays given ste.m bypass of the suppression pool.
If. the bypa.ss level.L is sufficiently small, greater than;10 minutes n.ay be available and. containment sprays might be used to -mitigate the pressure ris3.
The e required-actions are proceduralized in LGA-03: " Containment = Control".8 t
2-37 i
~w__,.-
,,-x.~.-,,.4i-
,...,.o..,m.
I
..i uo. -
-u mu 9 7 u,o p t
o
.oc u. a. wo uo -
- a. -
r u.
~
s i
i I
4 e
su.
i
-3 3
a f
i.
i
--4
=
i:
I (4)
=
3 I:
=
1 f
i
?
(3, g
=
=-
c.
l i
i (g)
=
n.
P' I
(1) 1
=
n i
(s) a
=
n:
=
U l
--4
=
3 4
I
-4
=
3 l:
~~~
]
r.
"-C :
n..
l 1
1
=
=
n
=
n (4)
M 3
E.
(6)
.a.
l 4
-4
=
0 (4)
=
i:
-4
=
ll 2
i
=~
g I'
l
=
n l
(4)
=
ff c.
U 1
3 u
i m
a 5
(1) TRANSFER ntOM1RANS3NT S;':QUDKE # 103.
(E) TRANSF35t MtOM 1RANStrNT SEQUENCE f 102.
(3) ROC SUCCESS POSSIBI2 FOR SMAllthCA ONLY.
(4) CRD SUCCESS POSSIBIZ FOR SMAIL LOCA OR STEAM BREAK ONLY.
(5l FOR VERY IANG-1ERM SEQUDKXS WTIM A LAPGE IhCA WHERE 11IE CORE IS AT E3 TAT MAY GET SUB000 AND MELT THE1W OF 1HE CORE IF ONLY ONE IR3 PUMP IS OITRATING.
. (6) 1RANSFERS 10 (5). DOWHOOMER. VACUUM DREAKER. OR SRV DISQIARGE llNE FAILURE. S AME SYSTEM SU 3
CR11ERIA. SEQUENCE OOCURES IN SHOR1ER TIML (7) 1RAN3FER1D AT9rS 11 TEE, Figure 2.4 LaSalle LOCA Systernic Event Tree i
i ~
2 r r
r 1--,,
'.n-.,
,e m
n
.y
-y s
-m
,,,,'m---,_,,,,, -,
,, -... -- r t
r~
tiecause of the low probability of failure combined uth the low 144 !.
initiating event probabilities, these sequences were not developed further.
itwever, they vould evolve just like the sequences with VS success but with much shorcer containment pressurization times.
MFW Peedwater Available The turbine driven feedwater pumps would
}
coastdown following a LOCA since MSIV closure would occur.
Thus the motor driven feedwater pump must be manually started to supply coolant to the reactor vessel during a LOCA.
The capacity of this pump is sufficient for waintaining the reactor vessel water level for any size MCA.
Failure of this system is defined as failure of the feedwater flow path, the feedwater pump, or failure of all four condensate and condensate booster pumps to provide flow to the feedwater pump from the condenser hotwell.
For a feedwater injection line break, the avai'. ability of feedwater -is not known.
Depending upon the size and location of the break, it is possible that a sufficient a. mount of feedwater may be diverted out the break rendering feedwater insufficient by itself for maintaining the-rere w essel water level.
Since there are two injection paths, if the bceak in one is large enough to divert si nificant flow, the vessel would 6
be comp;etely depressurized and about half the flow should go to the vessel.
Even if less flow went to the vessel, it does not require a large percentage to be successful Siven the total feedwater flow rate.
After the depletion of the condenser hotwell when makeup flow limits the feedwater injection rate to 1800 gpm, the affected path can be isolated (i.e., isolate the injection path with the break, force water into the vessel through the other injection line, and then out the 'line with the break).
Operation of the feedwater system for providing makeup following a LOCA would be terminated following initiation of the RHR system for containment heat removal and recirculation back into the vessel.
lipCS - ((PCS Available The HPCS system has st,fficient _ capacity for maintaining the reactor vessel water level by itself for any size LOCA.
Failure of the HPCS system is defined as failure of the single motor-driven. pump to provide sufficient flow to the reactor _ vessel from the condensate storage tank.
Failure can also occur'if th) HPCS system fails to automatically realign to _ the suppression pool. when the condensate storage. tank level is low.
RCIC - RCIC Available.The single steam driven RCIC train has sufficient-capacity.for coolant makeup following a'small LOCA only.
Failure of RCIC la defined as failure of the_ single-pump co provide flow to the reactor-vessel-from.'the' condensate storage l tank.- Dilure can-also occur if the RCIC system fails to automatically realign to the' suppression pool' when the condensate storage tank level is low-.
- ADS ~ - Reactor Vepsel Depressurization-t'This event consista of either automatic or manual depressurization of the reactor vessel to -. allow inj ec tion from the low pressure ECCS during a small or medium IDCA.
2-39
- - _ _ _ ~... _ -- - _ _ _ _
Autrmatic depretsurization would occur by the ADS if the renctor vessel water level decreased to Level 1 due to failure of the high pressure systems.
Sulficient time would also be available for the operator to manually depressurize the vessel using the SRVs if the ADS failed.
In both cases, succestful depressurization requites the opening of 3 valves.
Note that for large LOCAs. reactor vessel depressurization occurs due to the initiator.
CDS - Co anante Availnble - Tht condensate system is designed to remain running even though the feedwater system may trip.
k'a t e r from the conde nsato pumps will flow through the feedwater control valves - to tha vessel.
One condensate /cous~nsate-booster train can provide sufficicht coolant to the vessel during a LOCA.
The coolan: is provided from the condenser hotwell, Makeup to.the hotwell must be provided by the condensate makeup system which is limitet. to 1800 gpe and,tpplies water from the condensate storage tank, Any one _of the three LPCI trains can be LPCI - LPC1 Availablg suecassfully_used to mitigate a large LOCA.
The pumps take suction from the suppression pool and initially bypass the RHR heat exchangers.
The single train LPCS system has sufficient LPCS Available LPCS capacity for coolant makeup following a large LOCA.
Failure of the LPCS system is defined as failure of the single motor driven pump to provido f
flow to the reactor vessel from the suppression, pool, SPC - Suppression Pool Cooling - The energy released during a LOCA will be transported to the containment where most of it should be absorbed by the suppression pool. The operator is directed by procedures to initiate suppression pool cooling when the pool temperature reaches 100 of.
If LPCI has been initiated, an interlock will prevent switching from LPCI to suppression pool cooling for ten minutes.
Containment Sp.ru - In the unlikely event that suppression pool i
CSS cooling fails, the primary containment pressure and temperature will
~
continue to increase. The operator is directed by procedures to_ initiate suppression pool sprays when the suppression chamber pressute exceeds 19.5 psig.
The operator is also directed.to _ initiate drywell sprays if i
containment prec ure can not be maintained below 60 psig.
Suppression pool sprays were not modeled as a separate system in this analysis.
Drywell sprays were used to represent both spray modec.
CRD2 - Intermediate Control-Rod' Drive'4 For small LOCAs; in those cases where the main feedwater.and HPCS systems have failed and-theLRCIC system
-is the only high+ volume highipressure system working.-if containment heat-removal ' fails; then RCIC will isolate when containment. pressure reaches 40 psia or may fail due to loss of DC. power (for station blackout-type sequeaces) or high suppression pool temperature _(i.e., greater than 250
- F).
By this time the decay heat ioad is low enough_that'the CRD system can supply sufficient makeup to ' maintain the _ core _ level _ high enough to prevent core damage if AC power is available and both pumps are working.
2 40
=
--. a
..a-
= -,.
a-.
ADS 1 - Intermediate Reactor Vessel Depressuritation For small LOCAs with initial LCIC success, this event consists of either automatic or manual dervessurization of the reactor vessel to allow injection from the low pressure ECCS when delayed RCIC failure occurs af ter about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
All other high pressure injection systems have failed and so the operator must depressurize and use low pressure injection systems to prevent core damage (vessel pressure may already be fairly low due to the initiator, ADS is needed to maintain low pressure when the high volume low-pressure systems initiate).
Autowatic depressurization would occur by the ADS if the reactor vessel level decreased to Level 1 due to failure of the high pressure systems.
Sufficient time would also be available for the operator to manually depressurine the vessel using the SRVs if the ADS failed.
In both cases, successful depressuri tion requires opening of 3 valves.
CDS I Intermediate Condensate Available For the small LOCA case, if all the high pressure injection systems have failed axcept RCIC and then RCIC fails after about 6 hourc, the operator will depressurize the - RPV and attempt - to use low pressure inj ection systems.
If AC. power is available and the system-statua has not been accounted for before in the analysis of the sequence, then the cond nsate system may be. used to maintain core cooling. Water from the condensate pumps will flow through the feedwater control valvas to the vessel.
One condensate / condensate-booster train can provide sufficient coolant to the vessel during = LOCA.
The coolant is provided from the condenser hotwell.
Makeup to the hotwell must be provided by the condensate makeup system which is limited to 1800 gpm and supplies water from the condensate storage tank.
LPCI I Intermediate LPCI Available For the small LOCA case, if all the high pressure injection systems have failed except RCIC and then RCIC fails after about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, then the operator will depressurize the RPV and attempt to' use low pressure injection systems.
If AC power is.
available anel the systcm has not been. accounted for before, then any one-of the threr LPCI trains can be successfully used to mitigate the lhCA.
The. pumps take suction from the suppression pool aad initially bypass the RHR heat exchangers.
LPCS I Intermediate LPCS Available - For the small IDCA case, if all the high pressure injection systems have failed except RCIC aui then RCIC fails af ter about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, then the operator will depre -nize the RPV and attempt.to use low pressure inj ection systeios..
If AC power. is available and the system has not been useu before, then the single train LPCS system has sufficient capacity to ci'~igatw the LOCA. -Failure of the LPCS system is defined as failure of the single motor-driven pump to provide flow to the reactor vessel from the suppression pool.
VENT - Containment Venting Af ter containment-heat removal f611ute, the containment pressure will continue - to increase due to the decay heat being dumpeo to the suppression pool.
1.
he containment heat removal.
systems can not be recovered, then when the. containment pressure reaches 60 psig, the operator is directed tu vent the containment through the 2 41 l
Containment senting can occur during any size LOCA if all containment heat removal systems fail.
If containment heat removal has failed G E1 - Late Control Rod Drive and the operator does not vent the containment '. shen containment pressure reaches 60 psig, then for the stall LOCA case, the CRD system may be used to maintain core cooling with only one pump operating.
For cases with only low pressure injection working, the ADS valves will close when containment pressure reaches about 85 psig due to inadequate differential pressure; however, since a LOCA exists, the RPV will not repressurize.
The low pressure injection systems (LPCI and LPCS) may fail due to high suppression pool temperatures that result in pu.n failure.
For the case of HPCS supplying high pressure injection, since the llPCS suction will be from the suppression pool by this time, a similar result may occur.
If the containment heat removal SRUP - Containment Failu_tc Mode function has failed and the containment is not ventea, then the containment pressure will continue to rise until structural failure of the containment occurs. This event asks, roughly, how large the braak in containment is, either a leak ( succ e r.s branch) or a rupture (failure branch),
For the purposes of this analysis, we need to know how fast the containment depressurizes, whether or not we can use any low pressure injection system to maintain core cooling af ter the containment failure, and how long tne containment blowdown will last in order to evaluate the severity of the reactor building environments produced by the blowdown.
A leak implies that the contaiturant pressure remains too hi h to use the b
ADS system to depressurize the RPV and the low pressure injection systems to prevent core damage; while a rupture implies that the containment depressurizes fast enough that successful opration of the ADS and a low pressure injection system will prevent core damage.
For LOCA initiators, the RPV will remain depressurized this late in the accident so low pressure inj e c tion can continue to be used through the containment pressurization and failure.
An expert j udgeme nt e11 citation was performed to generate probability distributions for the containment failure pressure, location, and size.
After containment failure, severe Iniection System Survival ER environments will be produced in the reactor nullding.
Many of the inj ec tion systems have components at various positions in, the reactor building and these components will be exposed to these severe environments.
Simple Boolean equations were generated ;o represer/ each system that had components that might be subj ec t to these environments and an expert judgement elicitation was performed for various component cypes and environments in order to quantify the failure probabilities.
2.6,2 Iransients With Scram The eight transient initiating event categories and ten special transient initiatin, event categories identified in this study are delit.aated in a single transient event tree.
The success criteria for the systems 2-42
required to mitigate each transient can vary.
This variation in the success criteria is accounted for by including the specific eficces of the initiator on the responding systems in the system fault trees in a manner that appropriately models the initiator's impact on the system response.
The sequence of events following each transient initiator is described in the subsequent paragraphs.
The transient event tree is then described with differences in the system success criteria clearl) delineated.
L: Turbine Trin with Turbine Bvnass Available A variety of turbine system malfunctions will initiate a turbine trip.
Some examples include moisture separator. and heater drain tank high levels, large turbine vibrations, and loss of control fluid pressure.
Only those turbine trips in which steam bypass to the condenser is still available-are included here.
Turbine trips without turbine bypass and loss of condenser are treated as separm.e events.
Turbine trips can occur at any power level.
For power levels less-than-25%, reactor scram is not necessary if the turbine bypass is available.
and sufficient makeup is provided to the vessel.
For power levels greater than 25% (the turbine bypass rating), automatic reactor scram should occur.
Table ?.6 Jelineates the events following a turbine trip from high power (i.e., 100% power).
The sequence of events for a turbine trip with bypass was determined in computer code simalations reported in Chapter 15 of the FSAR.3 The sequence of events is shown in Table 2.6 As indicated, a tubine trip is followed by automatic scram, turbine stop valve closure, and recirculation pump trip. The turbine bypass valves will open to regulate the pressure but opening of relief valves is also required to reiteve excess pressure.
Feedwater will continue to rui and the vessel water.
level vill swell to Level 8, at which point an automatic feet ter trip occurs.
The water level in the vessel will begin to drop and the operator is directed by LaSalle Procedure LOA-TC 0410 to maintain the reactor water level above Level 4 by using the feedwater system if possible.
The motor-driven reacter feedwater pump (MDRFP) will not automatically start on tripping of tLe turbine driven reactor feedwater pumps (TDRFP) due to the Level 8 signal.
If motor driven feedwater flow is not-established witnin 30 seconds, the reactor water level will decrease to Level 2 where hoth RCIC and HPCS would be automatically initiated.
MSIV ' closure is also indicated in Table 2.6 as occurring at Level 2.
However,.the MSIV closure setpoint was subsequently lowered to Level 1
.Thus the
_maining sequence of events shown in Table 2.6 is not applicable.
If sufficient coolant makeup is not provided in time, the reactor water level will continue to decrease to Level ' 1 where LPCI and LPCS would automatically initiate and MSIV closure would occur.
ADS would occur on 2-43
'l
.~._-
.__.~_ - - _ - -- - _ _
Table 2.6 SEQUENCE OF EVENTS FOLLOVING A TURBINE TRIP VITil BYPASS i
j Time (sec)
Event 0
Turbine trip initiates closure of main stop valves.
Turbine trip initiates bypass operation 0.01 Main turbine stop valves reacb 1
1 90% open position and initiate l
reactor scram trip.
Main turbine stop valves reach 90% open posittan and initiate a recirculation pump trip (RPT).
4 I
0.10 Turbine stop valves closed.
Turbine bypass valves-start to 1
open to regulate pressure.
4 i
0.19 Recircilation pump motor circuit 2
breakers open causing a decrease in core flow to natural circulation.
1.55, 1.69, 1.84, Relief valves actuated sequential-
{
2.02, and 2.30 ly by groups:
1, 2, 3,'4, and 5.
4.53 Feedwater trip on high water lever (L8).
- (Est) 5.2, 5.5,
' Relief valves close sequential-5 9, 6.2 and 7.0 ly by groups:
5, 4, 3, 2, and 1.
- [
30.6 Bypass valve begins to close on pressure signal.
32.2 (est)
Turbine bypass c1'osed.
38.67 Low levol trip;(L2) initiates a main steamiline isolation.
l Low level trip (L2) initiates RCIC and HPCS (not simulated).
39.23 Turbine byp--i reopens on pressure-Increase at turbine inlet.
l -.
2 44
,n-_-es,--
,%c--:--
.qr e-wqya
-g-
+yn
-wr--
--s e
71" T'W 4
w**~PPamT
'w--'t e
-'W- - -
- T-"'iW ER T N
P low low level and E minute confirmatory low level.
It would take approximately six minutes for the water level to decrease from Level 2 to Level 1.*
During this time period, the operator could manually try to initiate HPCS and RCIC and, failing to do so, manually depressu ice the vessel and use low pressure injection.
l Subsequent to MSIV closure, the reactor can be de isolated to provide access to the main condenser for containment heat removal.
This can be performed if the RHR system fails.
12L, Turbine Trio With Turbine Bvonss Unavailabit A turbine trip without bypass it a turbine bypass initiator coupled with a failure of the turbine bypass valves to cpen.
This combinacion or events results in the unavailability of the PCS for decay heat removal.
The sequence of events for a turbine trip withort bypass was determined in computer code simulations and was reported in the FSAR.3 The sequence of events is shown in Table-2.7. As indicated, the sequence of events is similar to that of a turbine trip with bypass with the difference being in the repeated ' opening of safety relief valves.
With the PCS unavailable, periodic relief valve operation is required to reduce the pressure.
Is*
Total Main Steam isolation Valve Closure Inadvertent MSIV closure can occur due to manual action, spurious. signals such as low reactor water level or low condenser vacuum, low steamline l-pressure, or due to MSIV failure.
Closure of one MSIV will.not initiate l
a reactor scram.
The main s*:eamlinos are sized to carry full rated steam flow with one line closed.
Closure'of three or more MSIVs will initiate a reactor scram. The following discussion delineates the sequence of events follodng closure of all MSIVs.
The sequence of events following an MSIV closure event was determined'in computer code simulations and reported in Chapter 15 of _ the LaSalle FSAR 8 The sequence of events is shown in Table 2.8.
As indicated, MSIV closure results in periodic pressure. increases.. requiring relief valve operation.
Flow from the turbine-driven feedwater pumps is lost due to the loss of steam flow to their turbines.
Actual tripping of the.
turbine-driven feedwater pumps - (and thus starting-af the.sotor-driven' feedwater pump) does not occur.
The water level in the vessel : will drop.- to ' Level 2. and automatically.
initiate RCIC and HPCS, If RCIC and HPCS fail to automatically initiate, the ' operator can try to manually initiate these systems _ or. initiate -
-motor driven feedwater manually.. If these actions fail, the water level will continue to decrease and the low pressure-ECCS will automatically initiate.
ADS will occur on low-low level and confirmatory low level.
The operator may manually depressurize the_ vessel to allow injection from the low pressure systems if ADS fails.
2 45
.~
..__.__..___..._.._._____._.._______m.._
~
Table 2.7 SEQUENCE OF EVENTS FOLLOVING A TURBINE TRIP WIT 110UT BYPASS Time (sec)
Event 0
Turbine trip initiates closure of main stop valves.
Tur6ine bypass valves fail to operate 0.011 Main turbine stop valves reach 90% open position and initiate reactor scram trip and a recirculation pump trip (RPT).
0.1 Turbine stop valves closed 0.19 Recirculation pump motor circuit.
breakers open causing decrease in core flow to natural circula-tion.
1.13, 1.24, Relief valves actuated sequential.
1,36, 1.50, ly by groups:
1, 2, 3, 4, and 5.
and 1.65 5.98 L8 trip.nitiates a feedwater pump trip.
(Est) 7.3, Relief valves close sequentially 7.7,.8.0, by groups:
$, 4, 3, 2, and 1.
8.3 and 9.2
' Through 25 Re-actuation of relief valves (one or two) to relieve pressure.
26.70 Low level trip (L2) initiates a main steamline isolation.
- Lov level trip (L2) initiates RCIC rn/ HPCS.
h 2 46
-.u no,.,-,
v.
4_,
Table 2.8 SEQUENCE OF EVENTS FOLIDWING AN MSIV CLOSt'RE Time (sec)
Event 4
0 Initiate closurc of all main steamline isolation valves (MSIV).
0.3 MSIVs reach 90% open 0.3 MSIV position trip scram-initiated.
1.6 Loss of feedwater begins as turbine loses steen supply.
2.42, 2.51, 2.60 Relief valves actuated by groups 2.70, and 2.80 1, 2, 3, 4', and 5.
3.0 til main steam line isolation valves closed.
4.47-Recirculation runback on low level alarm (L4) and feedwater flow <20%.
Est. 6, 9, 7.3, Rclief valves reclose by groups 7.6, 7.9, and 8.8 5, 4, 3, 2, and 1.
10.35 Croup 1 relief valves re actuate on high pressure.
10.90 Croup 2 relief valves-re-actuate on high pressure Est. 15.9, 17.2 Relief valves reclose by groups 2, and 1.
t
(
18.7 Vessel water low leve11 trip (L2) initiates recirculation pump trip.
Vessel water low level trip-(L2) initiates RCIC & llPCS (nt' simulated).
20.84 Croup 1 relief valves cycle open and closed'on pressure.
2
- _. ~. _ -. _...... _ _ _ _. _ _. ~... _ _ _ _.
4 I
With the MSTVs closed, the PCS is unavailable and decay heat must be removed by the RHR system in one of its operating modes, Reopening of j
the MSIVs is not considered possible since the reason for the closing may preclude quick recovery.
L Loss of Normal Condenser Vacuum 1
A loss of condenser vacuum can occur due to some single equipment failures.
The vacuum decay rate is a function of the specific cause of failure.
Some failures and the estimated decay rates are listed below.
Cause Estimated Decay Hate Failure or isolation of steam
< 1 inch Hg/ min.-
jet air ejectors
' Loss of sealing steam to shaft 1 to 2-inches Hg/ min.
gland seals Opening of vacuum breaker valves 2 to 12 inches Hg/ min.
Loss of one or more circulating 4 to 24 inches Hg/ min.
water pumps The sequence-of events following
- a. loss of condenser vacuum was
.j determined in computer code simulations reported in Chapter 15 of the LaSalle ' FSAR.8 The calculated sequence of' events for a scenario involving a vacuum decay rate of 2 inches Hg/sec is shown in Tabl4. 2.9.
As indicaaed, once the condenser vacuum decreases to 21.6 inches Hg, the main steam stop valves and the TDRFPs trip.
Reactor scram.is initiated s
by the main steam stop valve closure.
The main steam stop valve closure also initiates turbina bypass valve opening but the continued loss of vacuum (7 inch Hg) resu.cs in their closure as well as MSIV closure.
The turbine driven feedwater pump trip can result in automatic initiation of the motor-driven feedwater pump.
The MDRFP should be up to spaad within 5 seconds (note that the MDRFP was not. modeled in the Chapter 15 analysis) and' should maintain the reactor vessel water level' abo _ve the Level 2 setpoint.
If,-however, the MDRFP fails to start, RCIC and HPCS should te initiated when the reactor vessel Water level reaches Level. 2.
If all the high pressure coolant systems' fail to - operate, the: reactor waterElevel will continue to decrease.
At a Level!I setpoint, LPCS and LPCI-will automatically initiate-and ADS.will occur-on low low level and-confirmatory -low level.
If ADS ~ f ail s,- the operator can manually -
dcpressurize.the vessel.
Flow from the condensate. system through the feedwater system to the vessel. can also occur - once the -vessel is depressurized.
- With the reactor vessel isolated due to MSIV' closure, the - decay = heat in the core following scram will be removed by periodic. opening of the 2-48'
.w.
.. ~...-.... - -. -.. -
Table 2.9 SEQUENCE OF EVENTS FOLLO' JING A LOSS OF CONEENSER VACUtM I
Time (sec)
- Event O
Initiate simulated loss of condenser vacuum at 2 inches Hg/sec.
5.00 Low condenser vacuum main turbine trip initiated.
Turbine trip initiates feedwater trip.
Main turbine trip initiates turbino
-bypass valve operation.
5.01 Main turbine stop valves reach 90%
open position and initiati reactor scram trip and recirculation pump trip.
(RPT)
Turbine stop valves closed and turbine bypass valves start to open to regulate pressure.
5.14 Recirculation pump motor circuit; I
breakers open causing decrease in core flow to natural circulation.
6.65, 6.81, Relief valves automatically 6.98, and 7.18
'actuata by Group; 1, 2. 3, and 4 10.00 Low condenser vacuum initiates turbine bypass valve closure and main steamline isolation valve closure.
Est. 10.3
. Turbine bypass valve (s) close.
Est. 11.0, 11.3, Relief valves reclose by-11.9 and 12.7
. Groups 4,'3, 2, and 1.
13.42 and 13.85 Pressure relief valves reopen by Groups 1 and 2.
Est. 20.1 Group 2 relief valves close.
t Est. 23.8 Low vessel level (L2)-trip initiates j
Est. 32.2
. Group 1 relief valves close.
40.85 Group 1 relief valves cycle open and closed on pressure.
2 4 a
.m m---w
-w
--..,ww
,w+-
---r-~.-c.
w
---ww.-
1-cr
-..v..,+
r w-
The decay heat will be transported to and stored in the suppressian pool.
The deay heat n.us t be ult inately rernoved by use of one of the operating modes of the TUIR sys tein.
Na credit for reopening of the HSIVs or use of the PCS-is taken since it is dependent on the severity of the transient initiator.
13 and T,;
Total Loss of Feedwater and Partial Loss cf Feedwater A coruplete or partial loss of feedwater can occur from pump failures, condensate system failure, interruption of driving steam flow, feedwater controller failures, operator error, or a spurious hib, reactor vessel water level signal.
Some of these initiators U ll not only trip the turbine + driven feedwater - pumps but will also prevent startup of the motor. driven feedwater pumps.
The sequence of events following failu. of one feedwater pump is t
different from the seqvence of events following loss.of all feedwater Both initiators are discussed in this section with the differences in events clearly delineated; A loss of complete or partial feedwater results in a decreased subcooling in the core and a subsequent reduction in core power and pressure. The water level in the core drops to Level 3 initiating an automatic scram.
Following scram, the tutbinc 'oypas s valves would open and begin controlling the reactor pressura.
When only one feedwater pump fails, the other two should be availablo for cooh nt inj ec tion.
However, if all the feedwater pumps fail, the reacter water level would drop to Level 2 initiating RCIC and HpCS and tripping the recirculation purnps.
If both RCIC and HPCS fail, the reactor water level would continue to i
decrease to Level 1.
LPCS and LPCI would automarically initiate and MSIV closure would occur.
ADS would occur on low in level and confirmatory low-level.
If ADS fails, the operator could manually open the SRVs to depressurize the reactor and allow 1+w pressure coolant injection.
Subsequent to HSIV closure, the reactor can Le de-isolated to provide access to the main condenser for heat removal.
I7 - Inadvertent Openirm of a Safetv/ Relief Valve An. inadvertent open relief valve or 10RV is 'different from a transient with an SORV in that an. immediate reactor scram does-not occur.
Thus generated steam flow would be released,to the approximately 6% of the f
suppression pool.
The suppression pool temperature'would increase at a rate of approximately 2 *F per minute.3 An IORV may be detected by any one of numerous-indications in the control room.1 These include SRV open alarms. - suppression pool level or te'mperature indications, or an _ SRV-downcomer piping - temperature indication.. Once detected, the operator is direcGd'to try to close the valve.
.If he cannot close the valve :within two minutes or the suppression pool temperature is 110
- F, the : operator is to scram the
. reactor.
2 50i
- - - -,.. -. ~
~.
. a.,-.-
~
If the operator fails to manually scram the reactor, the continued blowdown will increase the suppression pool temperature and drywell pressure.
Failure to manually scram ' the reactor before the suppression poci temperature exceeds 110 *F can lead to condensation instability due to localized effects around the quencher.
It is expected that the drywell pressure vould increase to 1.69 psig and result in an automatic reactor scram signal.
It is expected that high containment pressure would occur approximately 20 minutes into the transient and would result in high suppression pool temperatures (135 of at 20 minutes).
Following reactor scram, the reactor vessel pressure would decrease to the MSIV closure setpoint.
It is assumed that the operator is unable to inhibit the low pressure closure in time by turning the reactor mode switch to SHUTDOW.
MSIV closure results in loss of steam to the turbine-dr!ven feedwater pumps and a pump coastdown.
Actual tripping of the turbine driven feedwater pumps will not occur and thus automatic initiation of the motor-driven feedwater pump will also not occur.
U The water level in the vessel will drop to Level 2 resulting in a..: auto t
start to both RCIC and HPCS. _ If both these systems; fail to previde sufficient flow to the vessel, the operator may try to manually initiate the motor driven feedwater pump.
-If he does not, the reactor - vessel water level will drop to Level I resulting in automatic initiation _ of LPCI and LPCS.
If the drywell pressure _i s high, automatic depressurization of the vessel will occur.
If the high dryvell pressure signal is not available, then low low level with confirmatory. low level should result in ADS initiation.
If ADS fails, the operator could manually depressurize the vessel to allow low pressure system. injection.
Following an 10RV initiator with-MSIV closure assumed, all the decay heat would be dumped to the suppression pool.
Operation of the-RHR would be required to remove this heat. No credit is currently taken for the steam condensing mode of RHR for this initiator.
L - Loss of Of fsite Power Loss of offsite power is an event which affects. the balance of plant systems operation.
Initiation of the diesel generators should occar 3
automatically to provide power to required safety systems.
The sequence of events following a loss of offsite power event was determined in computer code simulations and. reported in Chapter 15 of the LaSalle FSAR.8-The sequence of events-are'shown in Table 2.10.
The_ loss.
of power results in a load-rejection and turbine trip.. Main steam stop valve closure initiates a reactor ; scram.
All balance.of plant systems
~
requiring AC power trip off.-
This includes the-condensate circulating water system, and the recirculation pumps.'
The -loss of circulating-water results in a subsequent loss of condenser vacuum which-initiates MSIV closure.
The_ turbine-driven feedwater pumps stop - due _ to the ' loss of rteam flow and also trip due to a loss of 2 51'
Mb Table e.10 SEQUENCE OF EVENTS FOLLOWING A LOSS OF OFFSITE POWER Time (sec)
Event Approx - 0.015 loss of grid causes turbine generator to detect a loss of electrical load.
O Turbine trip initiated b) loss of generator load.
Turbine-generator PLU trip initiates main turbine control valve fast cloaure.
Recirculation system puAp motors trip off.
Condensate and condenseste booster pump trip.
Turbine stop valve closure initiates reactor scram.
Electric feedwater pump motor is tripped.
0.01 Turbine control va(v.s closed, e:.
0.10 Turbine steam bypass valves open to g
)
regulate pressure.
I 1.61, 1.76, 1.92, Relief valves actuated sequentially 2.12 and 2.56 by Groupa 1, 2, 3, 4, and 5.
Est. 5.1, 5.4, Relief valves reclose sequenti.
5.8, 6.0 and 6.9 by Groups 5, 4, 3, 2, and 1.
30 Loss of condenser vacuum initiates MSIV c')sure and turbine steam bypass valve (s) clos.ure.
32.4 Reactor vessel low Level 2 trip initiates HPCS and RCIC (not simulated).
50 plus Group 1 relief valves automatically cycle to regulate pressure.
2-52
condenser vacuum trip.
The reactor vessel-water' level decreases to the Level 2 setpoint wher' RCIC and HPCS are initiated.
If both RCIC-and HPCS fail, the reactor vessel water level vill continue to decrease to Level 1 - resulting in automatic initiation of LPCS and LPCI.
ADS will c ur on low low level and confirmatory low level.
The operator could manually depressurize the RPV should auto-depressurization fail.
9 3
Decay beat removal would be achieved by the RHR system in one of its operating modes.
The main condenser would be unavailable following a loss of offsite power initiator due to loss of the circulating water system.
In the case of complete loss of AC power (i.e., station blackout, loss of offsite power and failure of the diesel generators), coolant makeup can still be provided by the steam-driven RCIC system.
However, RCIC requires DC power for control of the system and room coolinF for the pump.
DC power is provided by a dedicated battery in case of a station blackout and is designed to provide the neceasary 1 -i - for a period of about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
If AC power is not restored durires th.
period-or other
%covery actions taken, RCIC will fail on DC powei
'.. re.
1 i
The RCIC pump room cooling syst+m requires AC power for operation, o
however, the high temperature trip is inoperative.if-both train A and B of onsite AC power have failed.
In ' thic case, the RCIC system can operate without room cooling.
However, upon loss of off-ite power, the RCIC steem line is isolated if onsite AC power'is restored using the DGs.
This is due to a sneak circuit which results in an isolation signal on the train to which onsite power 10 restored.
If onsite power continues to work, the operator can reopen the isolation valves'and restore RCIC operation.
However, if the DC"2A" (train B AC power) fails quit.kly (e.g., the DG cooling water-has failed so the DC runs-for several minutes then fails), then the inboard isolation valve, F063, which closed on power restoration u n not be reopened until power is restored.
If train A or B of onsite power is operatins;, then RCIC high room temperature trip will trip RCIC in abou:. 30 minutes if the'RCIC room HVAC is not working-(which is on train A only, so train B. AC-power only will result. in.
isolation; if AC power then fails; the inboard isolation valve.cou'.d-not-be reopened)-
This isolation can be restored by the. operator, if AC power does not fail in the mean time or is recovered in time to-prevent core damage.
The RHR system cannot function without AC power.
Therefore, the containment pressure and temperature would increase duringx a stion-blackoat.
However, containment integrity would not be-challenpa for approximately 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> (the containment was initially assessed to fall at-100 pisg, this was lat :. revised to 190 psig by the expert panel-and' the time to failure woulo be about 50 - hrs. ) given no - containment heat removal.
RCIC would fall to inject into the core lcng before this time
- resulting in core dam ge.
H Recovery of offsite power
'.s not included in the event tree as a. separate-event but will be treated as a recovery action and applied to the 2-53 H
. appropriate sequence cut sets.
Without of f site power, - the PCS, the-
~
condensate system, and the feedvater system would be unavailable.
The eveat tree for a transient initiator is shown in Figure 2.5.
This event tree was developed by referring to the accident analyses reported in Chapter 15 of - the FSAR,3 LaSalle operating ' procedures, ' generic BWR operating procedures,13 and generic-transient thermal hydraulic calculations.'
In addition LaSalle specific calculations were performed with RELAP5,7 LTAS,2 and MELCOR12 for various accidea sequences, The LaSa11e' RETRANi3 deck was obtained from the utility and converted to a RELAPS model.
The LaSalle FSAR was reviewed and modifications were
- possible, Plant specific made to the model to make it as accurate as data was obtained from Commonwealth _ Edison for steady state operation and two-transients (a turbine ' trip and an MSIV_ closure),
The model - was modified to accurately represent this infc mation.
Three calculations were performed to examine transient response:
1.
MSIV closure with no injection, 2.
MSIV closure with'RCIC only, and 3.
MSIV-closure with normal ECCS response.
As mentioned in Section 2.6.1, _ the LTAS code was mooifled to represent the LaSalle plant and five transient calculations were performed:
1.
Modified Station Blackout with a stuck.open SRV, RCIC operacion, and one CRD pump, 2.
Long-term containment heat removal f ailure, _ MSIV - failure, HPCS, J
RCIC, 1 CRD pump, and LPCS available,-containment venting at 147-psia and 60 psic.,
-3.
Station Blackout with ADS, no injection,
-4.
Station Blackout'without ADS,.nu injection, and 5.
Station Blackout without ADS, no injection, t,nd a -stuck open SRV.
In additioni an integrated model-was constructed Ifor - use with the ' MELCOR code.
MELCOR calculations. beginning at reactor. trip, and progressing _
through core; damage', melt, vesselzbreach, containment _heatup and-failure-(may be before core damage (for long-term loss of containment heat removal failure)i-and' release of radionuclides to the em ironment were performed.
The following.' calculat;ons were performed mt. inly-for the level II accident progression.and. source. term analysis:
-1.
Short-term high - pressure station blackout, < a.sitivities ifor
- containment failure in _ the drywell head,_ dry well', and, vetwell,-
and for leaks, intermediate ruptures, _ and ruptures,; and _: various
.-hydrogen ignition limits, 2-54 L
lE lE!
l YlYlYl I
1 I
i i
I
=
l i
n
=
i C
?,.,
E, I
=
i 9
e.
=
ll g.
E
<4 g-M
~
M 3
~
I ll~
- a.
=
1 i
w en en
=
3, o
=
E
(
I
=
.5 -
t
$. h! -
=
=
=
.-g a
a w. <---
.=
5 hl
=
=
i
=
I
=. m3 Ej
=
I M
~
m O
i I
a.
1 I
- ==es.
N.
30 j
=
_g i
El
= "
~
,H
=
=.,.
l i
an
.o
- b..
_ b. hl
=
M 0
i I
I.
'**'m
=
0.
=
I
=
ca m
=
= E!
-o so 1
l*
5
=
m.
t (1) USED TO *2 SOLVE CORE DAMAGE RECOVERY LOW PRESSURE SYSTEMS FAIL ON ADS CLDSURE AT ABOUT 86 PSIC,BORDFF AND CORE DAMAGE OCCUR BEFDRE CONTAINMENT FAILURE (MEAN VALUE,196 PSIG).
(2) TRANSFER 10 IDCA '11 TEE (1 SRV FT = SMAIL IDCA. 2 SRV FTC = MEDIUM IDCA, AND
.. >= 3 SRV FID = LARGE LOCA).
(3) 1RANSFER 'ID IDCA 11 TEE ( OVERPRESSURE GEATES IDCA. PROB. OF 18 8 RV 17) NEGLIABLE).
(A) 11tAdSFER1D ATWS TREE, Figure 2.5 LaSalle Transient Systemic Event Tree
.2-55 L-,.
Short-term low pressure s.tation blackout, sensitivities for pedestal reflooding on core-concrete it.teraction, failing pedestal wall, wetwell leak only, 3.
Intermediate-term station blackout, wetwell leak only, and 4.
Long-term loss 01 c o n t a i t ur e n t heat removal sequence with containment failure in wetwell, injection failure from severe environments in reactor building after containment failute.
All of these calculations are described in detail ir the Level III report.'
Each of the events depicted in the event tree and the interactions with other events is described below.
T - Transient Initiators - A variety of plant malfunctions will initiate a transient.
The transients included here are:
turbine trip with and without bypass available, total MSIV closure, loss of condenser vacuum, total and partial loss of feedwater, inadvertently opened relief valve, and loss of offsite power.
In addition, these special initiators are included: loss of DC bus A or B, loss of ECC 4160 V AC buses 241Y and 242Y, loss of instrument air, loss of drywell pneumatic, loss of 100#
drywell pneumatic, complete toss of reactor vessel narrow range icvel s
indication, and loss of reactor vessel narrow ranga indication channels A and C or B and D.
RPS/ARI - Reactor Suberitical - After a transient initiator, an automatic reactor scram should occur for a variety of reasons depending on the specific initiator.
For turbine trips (with and without bypass), loss of condenser vacuum, and loss of offsite power transients; tain steam stop valve closure should initiate an automatic reactor scram, For MSIV transients, closure of three MSlvs will result in an automatic reactor scram signal. A low reactor water level (Level 3) signal will generate a reactor scraw signal during a loss of feedwater transient.
For an IOR" initiator, it may be detecteu early by one of many indication li hts and alarms, downcomer lights or alarms.
Included are SRV open 6
piping temperature measurements, and suppression pool level and temperature siarms.
Following operator awareness of an IORV he is directed by procedure ' to try to close the ICRV.
If he fails to close 1
the IORV, he is directed to manually scram the reactor. If the operator i
C.
J.
- Shaffer, L.
A.
Mille.r, and A.
C.
Payne Jr.,
" Integrated Risk Assessment For the LaSalle Unit 2 Nuclear Power Plant: Phenomenology and Risk Uncertainty Evaluation Program (PRUEP), Volume 3: MELCOR Code Calculations," NUREG/CR-5305/3 of 3,
SAND 90-2765, Sandia National Laboratories, Albuquerque, NM, to be published.
2-56
is unaware of the 10RV or fails to manually scram the reactor, the steam transferred to the suppression pool will increase the suppression pool temperature at a rate of approximately 2 - oF/ minute. Within approximately 20 minutes, the supp ession pool temperature would have increased by 40-
- F and local-condensation instabilities would be expected to have occurrod.
Steam would thus be released to the drywell' resulting in an f
increase in pressure. A high drywell pressure reactor scram signal (1.69 o
psig) would be expected to occur.
Failure to scrar the reactor results in an ATWS which is modeled in a-I separate event tree (see Section 2.6.3).
The sequences shown in Figure 2.5 include successful reactor suberiticality.
SRV O - Safety Relief Valves Open Closure of the main steam stop valves or MSIVs while at power will result in a pressure incroase which must be relieved in order to prevent reactor coolant pressure boundary failure.
Cycling of the safety relief valves may occur.
Failure of a sufficient _.
number of valves to open is assumed to result in a l a r p,e ructure of the pressure boundary.
The sequence involving failure of this event is transferred to the LCCA event tree for further evaluation.
These a equences are probabilistically negligible and are not developed any. -
further.
Relief valve openings-arc expected for all transients except for loss of feedwater and an IORV.
The 10RV will result in sufficient pressure reduction to preclude subsequent relief valve openings.
Following loss of feedwater, the reactor pressure will decrease and the safety relief val % s should not be demanded.
If however, MSIV closure occurs following.
loss of RCIC and HPCS, the pressure in the vessel would rise requiring an-SRV opening.
Failure of all the SRVs to open is assumed to result in a large rupture of-the reactor pressure boundary.
Ther-sequences are probabilistically negligible and are not developed any futther.
SAV C - Safety Relief Valves belose - The safety relief valves that open during the transient must reclose in order to prevent an excessive discharge of coolant from the reactor vessel to - the. suppression poo)
The sequence of - events following a stack - open relief valve - (S0"JJ' i
identica?. to the LOCA events with respect to the coolant makeup systems
_s and containment heat removal systems.
(The MSlVs are assuind to close on low p essure-rendering the PCS unavailable.)
Failure of one SRV to' reclose will behave like a-small - LOCA, two SORVs will behave like a medium LOCA, and three or more SORVs will result-in a sequence of events-similar to a large LOCA.
Transfers to the LOCA event tree are Lade following failure of SRVs to reclose, MFW - Feedwater Available - Depending on the transient, the feedwater I
system can be in ene'of five states.
bypass, - a high reactor water level signalFor turbine ~ trips with or without (Leuel - 8). would~be generated tripping the turbine driven feedwater pumps and preventing startup of the motor-driven pump.
Use of the feedwater system for - these transients requires that the operator ' start any one of - the three pumps once the Level 8 signal clears and is reset.
2 *7
)
Y
An MSIV closure transient results in coastdown of the turbine driven pumps.
The motor-driven pump does not start automatically since actual tripping of both turbine-driven pumps is required for this action.
The motor-driven pump must be manually started by either directly initiating the pump or by manually tripping the turbine-driven pumps.
No credit is taken for re-establishing steam flow to the turbine-driven pumps.
Note that closure of the MSIVs may result in loss of condenser vacuum and a subsequent turbine-driven pump trip which would result in automatic initiation of the motor driven purap.
Also, the operator may eventually close the TDRFP discharge valves in order to prevent an uncontrolled level increase resulting from condensate boost r flow through the TDRFPs.
Closure of these valves also would result in automatic initiation of the MDRFP.
However, both of these are not considered due to the potential delays in their occurrence.
For a loss of condenser vacuum initiator, the turbine-driven pumps will automatically trip and the motor-driven pump will automatically start.
For loss of feedwater and offsite power transients, all feedwater is est available.
The loss of feedwater initiator is defined as a loss of s,11 feedwater.
A loss of offsite power initiator would result in a loss of condenser vacuum and a subsequent turbine-driven pump trip.
Loss of offsite power would also render the motor-driven puop unavailable.
Following an IORV initiator, the reactor vessel pressure will decrease and an MSIV closure will occur if the operator fails to turn the reactor mode switch to SHUTDOWN as directed by proceduree If he turns the mode switch, both turbit.e -driven feedwater pumps would continue to operate.
If he fails to turn the mode switch, the result would be the same as an M.cIV closure event (i.e., the motor-driven pump would have to be manually iaitiated).
HPCS - HPCS Availabh - Failure of the feedwater pumps to operate will result in a reactor vessel level decrease.
A low reactor water level signal (Level 2) will automatically initiate the HPCS system within approximately 30 seconds.
If the system fails to initiate automatically, the operator can attempt manual initiation.
The system in available for all transients.
RCIC - RCIC Available - The RCIC system is also designed to start automatically upon receipt of a Level 2 reactor water level signal.
The 2
operator can also manually initiate the system.
The system is available for all transients.
/
ADS - Reactor Vessel Depressurization - In the event that the high pressure injection systems are all unable to maintain the reactor vessel coolant level, the reactor vessel can be depressurized so that low pressure injection systems can be utilized.
The preferred method of depressurization in through the turbine bypass valves to the condenser.
However, the reactor vessel it isolated for most transienes.
No credit s
for this method of depressurization is thus taken.
The n3xt method of 2-58 i
1 depressurization would be manual opening if three or more SRVs including the ADS valves.
Automatic initiation of ADS will occur if the reactor vessel level decreases - to Level 1 and either a high drywell pressure signal occurs or if ten minutes elapse.
CDS - Condensate Available - The condensate system is designed to remain running following a transient with feedwater trip.
Flow is recirculated back to the condenser while the reactor vessel is at high pressure.
When the reactor vessel pressure decreases, water from the condensate systen can flow through the feedvater pumps'. to the vessel or can be bypassed around the MDRFP to the vessel. In order to control the condensate-flow, the condensate must pass through the feedwater control valve located at the outlet of the MDRFP. The operator must close the TDRFP outlet valves and initiate the feedwater_ control valve or; single element flow control.
The condencate system is e.sumed unavailable.- for condensate system initiators resulting in loss of feedwater and also for a loss of offsite power transient.
LPCI LPCI Available The Low Pressure Coolant Injection mode of the RHR system is also designed to automatically initiate if the reactor vessel level reaches the Level 1 setpoint.
The -operator can also manually initiate LPCI.
Water injection will-only occut if the reactor vessel pressure _is in the LPCl operating range.
The system is available for all transients.
LPCS - LPCS Available - The' Low Pressure Core Spray system.is designed to automatically initiate upon a low reactor water level - si,nal- (Level 1).
t The operator may also manually initiate LPCS.
Water injection, however, will not occur unless the vessel pressure is in its operating range, The system is available for all transients, PCS s
PCS Available Following _a turbine-trip with ' bypass, loss 'of feedwater, or IORV transient; steam should be directed to' the main condenser via the turbine bypass valves.
This-flow path should prevent a large release of steam to the containmer.t through successive openings.of the SRVs.
The PCS'may become unavailable due to subsequent failure of -
the condenser or due to MSIV closure.
MSIV closure vill occur if L the steamline pressure. decreases below B50- psig or the reactor vessel level decreases below the Level 1 setpoint. The operator is. instructed by the scram, procedure to prevent ' the former signal from closing the _ MS1Vs
'during cooldown by. placing ' the.. reactor mode - switch out. of the. RUN position.
The Level.1_ signal is assumed to occur following failure of
'all high pressure inj ec tions systems _ and _ subsequent" vessel depressurization.
1he PCS-is unavailable _ for turbine trips without bypass, loss of condenser vacuum, l'SIV closure, and loss of offsite power.
SCS Shutdown Cooling - Once lthe RPV pressure :has been decreased - below the shutd.:wn cooling interlocks, procedures direct the operator. to initiate the' shutdown cooling mode of the RHR. With the shutdown cooling.
mode initiated,. no - further heat would be released to the containment.
2-59
k'ith f ailure of the suppr2ssion pool cooling nade t '.. e operator would be directed to depressurjat-the n vc se! and initiate shutdown t
cooling. The mode of RHR operation is applicable fc. all transients.
SPC - Suppression Pool Conling - If the saiety/ relief valves are repeatedly opened to relic'e reactor vessel pressure (as in the case where PCS failure occurs) or are opened manually by the operator to depressurize the vessel, steam will be released to the suppression pool, k' hen a suf ficient amount of steam is released, the suppression pool water temperature will reach 100 oF.
At this t en:pe ra tu re. the operator is required to initiate suppression pool cooling.
This mode of RHR operat;on can be used to mitigate all potential t ransients.
CSS - Containment Spray - In the unlikely event that suppression pool cooling fails, the primary containment pressure and temperature will continue to increase. The operator is directed by procedures to initiate suppression pool sprays when the suppression cha.aer pressure exceeds 19.5 psig.
The operator is also directed to initiate drywell sprays if containment pressure can not be maintained below 60 psig.
Suppression pool sprays were not modeled as a separate system in this analysis.
Drywell sprays were used to represent both spray modes.
This mode of operation can mitigate all potential transients.
CRD2 - Intermediate Control Rod Drive - In those cases where the main feedwater and HPCS systems have failed and the RCIC system is the only high volume high pressure system working; if containment hect removal fails, then RCIC will isolate when containment prc9sure reaches 40 psia or may fail due to loss of DC power (for station b'ackout type sequences) or high suppression pool temperature (i.e.
greater than 250 *F).
By this time tne decay heat load is low enough that the CRD system can supply sufficient makeup to maintain the core level high enough to prevent core damage if AC power is available and both pumps are working.
f ADS I - Intermediate Reactor Vessel Depressurization - For sequences where RCIC is the only high pressure injection system available, this event consists of either automatic or manual depressurization of the reactor vessel to allow injection from the low pressure ECCS when delayed RCIC failure occurs after about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
All other high pressure injection systems have f ailed and so the operator must depressurize and use low pressure inj ec tion systems to prevent core danage.
Automatic depressurization would occur by the ADS if the reactor vessel lev decreased to Level 1 due to failure of the high pressure systems.
Sufficient time would also be available for the. operator to manually depressurize the vessel using the SRVs if the ADS failed.
In both cases, successful depressurizatioe requires opening of 3 valves.
CDS I - Intermediate Condensate Available - If all the high pressure injection systems have failed except RCIC and then RCIC fails after about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the operator will depressurice the RPV and attempt to use low pressure inj ection systems.
If AC power is available and the system has not been accounted for before, then the condensate system may oe used to 2-60
maintain cole cooling. Vater from the condensate pumps will flow through the feedwater control valves to:the vessel.
One condensate / condensate booster train can provide sufficient coolant tog the vessel.
The coolant is provided from the condenser hotwell, Makeup to the hotwell must be provided by the condensat. makeup system which is _liraited to 1800 gpm and supplies water from the condensate storage tank.
LPCI I - Interwediate LPCI Available If all the hi h pressure inj ec tion B
systems have failed except RCIC and then RCIC fails after about 6-hours, the operator will. depressurize _ the RPV and attempt. to use low pressure injection systems.
If AC power is available and the system has_not been accounted for before, then any one of the three -- LPCI trains can be-successfully used to mitigate the transtent, The pumps take suction from the suppression pool and initially bypass the RHR heat exchangers.
x LPCS I - Intermediate LPCS Avnilable
-If all the high pressure injection systems have failed except RCIC and then RCIC fails after about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the operator will depressurize the RPV - and -attempt to use low-pressure injection systems.
If AC power is available andLthe system has-not been used before, then the single train LPCS system has sufficient capacity _to mitigate the transient, Failure of'the LPCS system is defined as failure of the single motor-driven pump - to provide flow - to the reactor vessel from the_ suppression pool.
VENT - Containment Venting After containment heat removal failure, the containment pressure will continue to - increase due_ to ~ the _ decay heat being dumped to the suppression pool.
If the containment heat removal systems can not be recovered, then when the containment pressure reaches 60_psig, the operator is dira.cted to vent the containment through the Standby _ Cas Treatment System.
Containment venting can occur during any transient if all_ containmont heat removal. systems fail as' long_ as AC power is available.
CRD1 - - Late ' Control Rod Drive - If containment h' cat remeval has : f siled and the operator does-not vent the containment when containment pressure reaches 60 psig, then the CRD system may be used to maintain--core cooling with only one pump-operating; - For cases with-only low pressure. injection working, the ADS valves will close when containment pressure.- reaches about. 85 psig due to inadequate - differential pressure resultin6 in the inability of all '.ow pressure _ injection system to inject enolant into the The low pressure injection systems (LPCI and LPCS) may fait due to core.
high suppression pool temperatures that result in pump-failure.
For the--
D case of HPCS supplying. high _ pressure injection,. since. the HPCS suction will be from the suppression pool by this time, a similar result - nay occur.
SRUP - Containment Failure Mode - - If ' the - containment heat remova1L function has failed and the containment is-not vented, then the containment pressure will continue to rise until ' structural. failure of the containment occurs. This event asks, roughly, how large the break i.n containment is, either a leak (success branch) _ or a rupture (failure 2-61 l
a i
i 1
branch).
For the purposes of this analysis, ~we -need to krow how fast the containment depressurizes, whether or not we can use any low pressure injection system to maintain core cooling af ter ti.e contaitunent failure, and how long the containment blowdown will last in order to evaluate the severity of the reactor building environments produced by the blowdown.
d l
A leak implies that the containment pressure remains too high to use the ADS system to depressurite the RPV and the low pressure injection systems to prevent core damage; while a rupture implies that the containment depressurizes fast enough that succespful operation of the ADS and a. low j
pressure injection system will prevent core da:nage.
An expert judgement J
clicitation was performed to generate probability distributions for the containment failure pressure, location, and size.
H]L - In j ec t ion System Survival - Af ter containment failure, severe j
environments will be produced 'in the reactor building, Many of the inj ection systems have components at various positions in the reactor l
building and these components will be exposed to these severe
{
environments.
Simple Boolean equations were gsnorated to represent each aystem that had components that might be subject to these environments and an expert judgement elicitation was perforaed for - variour component types and environments in order to quantify the failure probabilities.
~
2.6,3 ATVS Event Tree i
Because of the unique characteristics of the ATUS ev nts, the differances among the various initiating events in their effect on the accident progression are judged to be suall. One general systemic ATUS event tree j
i has been constructed and the effects of the various-initiators will-be inserted into the systetu fault trees for those systems that are affected.
i Individua'. ATWS trees for each initiator were constructed to determine if l
any differences were significant enough to warrant separate trees, There were none.
The LaSalle 2 - ATVS procedure was revised to correspond to the BWR Emergency Procedure Guidelines-(EPGs) Revision 3."
The EPGs address an ATWS situation in Contingency #7 " Level / Power Control".
The EPGs were used in guiding the construction of the AWS-event tree.
The EPG strategy for dealing with an ATWS can be summarized ^ as follows:
2 (1) attempt manual scram, (2) begin manual insertion of control rods and l
initiate SBLC.if me.nuall scram fails, (3). rsduce core power by taking manual control of the rea: tor vessel injection systems 'and lowering the reactor vessel t ater level to the top of the core (which increases the core void.' fraction but also prevents boron mixir g),. (4) once sufficient sodium pentaborata has been injected, increase. th( rate of reactor vessel injection so that - normal reactor vessel water _ level is. restored to promote. natural circulation flow. and boron mixing, and (5) bring-the reactor to cold shutdown.
i.
L
-A study performed at Oak Ridge as part of the SASA program of ATWS -
l
-sequences fo: - Browns Ferry IInit onen indicates that the " instructions i-2 ;
r 1
.provided-by - the EPGs, if-properly interpreted and _ implemented - by the operators, would provide a satisfactory reactor shutdown - and accident termination". of the MSIV closure ATWS enalyzed la, the study.
.However,
'the1 0ak Ridge. study also indicated same _ potential _ problem areas.
The t
most important of ther.e is that the operator can be-directed _to manually.
l reduce reactor-pressure during an ATWS.
(This is to. ensure that the j
thermal energy released during a LOCA can be condensed in a suppression pool.
As the suppression pool temperature increases above 165
- F, the operator is to depressurize the vesse,1 according to a supplied. graph,)
+
i The calculations performed indicate that manual depressurization during i
an ATWS is very tricky.and, depending on the situation, can result in j
react'or power and vessel pressure fluctuations.
tie recommndations from' i
this study were to eliminate such a manual depressuriza. ion during an l
ATWS.
!~
According to the EPCs, if the reactor cannot be _ shut down during a
- transient, if the suppression pool tcmperature reaches 110 SF, and if the ~
drywell pressure is above 1 69 psig, then the operator -is to lower the RPV water level by terminating and preventing all 1 injection into the' RPV except from the SBLC. The operator is to maintain the water lavel'at the-
~
l-top of the active - fuel (TAF).with a high pressure injection system until the boron has been injec:ed and the control rods have been manually ~
1 inserted.
Feedwater would' be the first choice of. inj ection s, stems ~ for some transient initiators since it should. be' automatically _ available. _ The high temperature of the feedwater is also desirable since'it results in i
less reactivity than the relatively cold water contained a in the condensate storage tank.
RCIC and CRD are assumed insufficier.
for-j maintaining the water level at the TAF.
The Browns Ferry Study indicated.
that the two systems could maintain 2/3 of-- the core covered with the i
remaining 1/3 cooled by steam flow.
This reduced level has the benefit-.
i of further reducing core powen
.However, the LaSalle RCIC~ system-- is -
I' different than the system at_ Browns' Ferry.
The LaSalle _ sy' stem sprays _ at the top of the vessel while the Browns Ferry system 11njects into the:
1 downcomer.
The - spray system is assumed-not to be ~as ef fective. as cthe
~
injection system and thus 'no credit was taken for its operation.
5 For this ' study, the REL.AP5 model-used for'lthe transient analysis was-
[
modified to perform two-ATWS calculations.
The first w'as an ATUS with HNS inj ection only L and no ADS (L e.,. _ the vessel rema aed at high -
pressure).
The second was an ATWS with LPCS inj ection and ' successful -
depressurization of the vest i using the ADS system.
In'the first case,.
the level oscillatea between -140 and -160 in. (TAF) and_ reactor power-is-approximately 15%.
In the second case, level dropped temporarily : to about -315 in. then recovered. _The calculation was terminated when level began oscillating wildly necr the level 1:setpoint.
E In order - t.u p'erform more efficient calculations and to evaluate more sequences, the LTAS code developed and used by ORNL forfthe Brown's Ferry
}
study was - modified, as described in Section 2.6.1, to represent - the a
1 e
2-63
~
i j
i 5
l
-i LaSalle plant and base-lined to the RELAPS model.
A' REMONA-3B16 calculation was used for the power vs level correlation.
Nineteen different. ATWS calculations were performed using the 'LTAS code. to investigate different possible system success. criteria and-to evaluate
~
the accident sequence timing.
These calculations evaluated the e f fects '
of : (1) main feedwater being initially available or not, -. (2)- HPCS and 3
LPCS success or failure and failure.on dif ferent high suppression pool i
(300 or. 350
- F, the pumps use suppression pool water -to cool temperatures their bearings, LPC1 uses external cooling water and would - not be affected), (3) LPCI operability and number of pumps, I.4) containment heat removal (RHR) opcrobility, _ (5) ADS operation, and (6) venting tacess or failure.
Consider the following scenario: HPCS works, the vessel is at high.
pressure, RHR docs not work, and venting does not occur.
Then the calculations show that the vessel water level stabilizes at about 2/3 TAF with reactor power at about 94.
The-containment pressurizes until; HPCS fails on high suppression pool temperatare (after this analysis was done, expert alicitations were obtained for the Grand Gulf.and LaSalle.HPCS part ' of the pump sensitivity to his suyression pool temperatures as NUREG-1150 - analysis,17 sult was that the experts did not expect the-HPCS pumps to fail as u It of the etfects of seal leakage into the
,, amps - at LaSalle and Grand Gulf) or, if HPCS.
pump rooms for the typc v
does not fail, until the co ? " nment fails at 4 mean pressure of 191_psig (obtained _ from expert judgemene clicitations - also performed as partlof the NUREG-1150 expert judgement process).
. Af ter containment failure, severe environments uay be created in the reactor building depending upon the location of the failure and these environments ~ may result in injection system failure and core damage with a failed containment.
If HPCS continue.: to work, the containment pressure will stabilize'at 3 cme
-intermediate level depending on the size of the break.
In the actual runs, the HPCS and LPCS : systems were assumed to fail at-either - 300 or 350 oF for the - different : calculations.
If the systems-
- f ailed on temperature (which they did' not do _- in ? many,- o f o the calculations), these sequences then became - sequences 1with _ ADS and LPCI -
-working,- The.following variatione-on 'he' scenario _ presented above can be-evaluated from these calculations:
1,. HPCS works, RHR work 2, no. venting = ~- No -_ significant impact on accident progression due : to the fact that RHR' car. cnly remove the energy equivalent to 3% reactor _ power and the power leve1Lis 9%
Containment pressure increases until failure;.
2.
HPCS. works, No RHRf venting success - containment venting.
definitely will-. create severa - environments -in the -. re actor building and the sequence. timing z has containment failure at 60-psig,:not 195-psig,.so is-somewhat faster, Containment pressure equilibrates at 95 100-psia, with reactor power at 9,%;.
3.
HPCS works, venting and RHR success Similar to (2)_but pressure-stabilizes between 93 100 psia; 2-64
b l
4.
HPCS works, ADS success,-no venting - or RHR -- -reactor power = at about 17% until ADS recloses on. high dcywell pressure,- then decreases back to 9%,
Containment pressurizes until failure; 5
HPCS Worksi ADS and venting, success, no RHR reactor power initially at 17%, decreases to 9% wh n ADS recioses due to the lower inj ec tion rate of - coolant.
. Pressure-stabilizes between 95-100 psia, ADS recloses at 100 psia; 6.
HPCS works, ADS and RHR success, no venting - Similar to (1), no significant impact on accident ~ progression due to the fact that RHR can only remove the energy equivalent to 3%-reactor power and-the power level is initially at-17% decreasing to 9% when ADS recloses. Containment pressurizes until failure; 7.
HPCS works, ADS and RHR and venting success - reactor power
~
initially ot-17%, decreases to 9% after ADS reclo'sure.
Containment pressure oscillates between 95-100 psia; 8.
HPCS fails, ADS and LPCl work, no RHR or veating - reactor power at 17% until containment pressure results in ADS closure.
Enter oscillatory state with low pressure injecti'on working o'n=and off as containm ut m essure oscillates about ADS reclosure pressure; 9.
HPCS.- f ails, ADS and LPCI work, no RHR, venting success --reactor power at 17% until HPCS ft.ils, decreases to 9% on LPCI etartup.
Enter oscillatory state with low pressure injection working' on-a and off as preesure oscillates ~about ADS reclosure pr' essure.
After 20 minute delay from 60. psigi venting occurs, pressure drops to about 80 psia, and power level drops a percent; Some instability in the power level;
- 10. HPCS fails, ADS and LPCI work, ne venting, RHR success - reactor power, level,-and pressure oscillate. wildly. as : LPCI inj ects and then stops on high RPV pressure. The average power level is low, about 2.5% but t, pikes up. to 50% for short periods of time, RPV pressure varies from low' (200 psia) to high (SRV setpoint, 1150 psia), containment prersure at about 100 psia; 11 HPCS fails, ADS and LPCI work,. venting and RHR success - teactor pressure'at'about-250 psia -reactor power at 9%, and containment-pressure equilibrates at about 90100 psia.
In all of these calculations-the m er level stabilized near. 2/3 TAF.
From these calculations, it appears that-the operator will not have to terminate injection in order to reduce the level - to TAF and-the equilibrium power level will-be of the order of 9-17% depeding on the sys tems -. ope rating and - the ADS status.
.Only if -main feedwater or condensate. is working will the amount of cools.nt injected be so large-that deliberate reduction of-level vould be necessary.
o 2-65 L_
.- -~., --
-=
i.
The Browns Ferry ATVS study also indicated that the effect of one or two l.
SORVs on an ATWS sequence is negligible.
This is because several SRVs are open Juring th. early part of an ATWS sequence so that the occurrence of an SORV would not be recognized until the reactor power had decreased
]
to within the capacity of the SORV. This is also expected to be true for l
the LaSalle plant.
For LOCA initiators, these ATWS sequences act like sequences wit,i ADS operation and can be evaluated the same w n,
4 The general ATWS event tree is shown in Figure 2 6.
Each event is discussed below.
i T - Transient Initiators The transient may result in MSIV closure or the condenser being available.
For cases where the condenser is available, the reactor pc. wor can be reduced by lowering the reactor vessel level to the TAF and the heat can be dumped to the condenser.
Initiation of SBLC may not be necessary but nanual rad insertion would be eventually required.
If MSIV closure occurs, a large heat load would be i
dumped to the containment through the safety / relief valves. Actuation of SBLC or manual rod insertion and RPV level control would both be required to reduce the reactor power level. However, to reduce the power level to within the RHR capacity would require the level be reduced below 2/3 TAF j
according to our REIAP5 and LTAS calculations.
Carrent procedures do not account for this possibility.
Contairunent pressure will increase until containment venting or structural failure occurs.
LOCA or transient-induced LOCA initiators all result in MSIV closure.
They evolve similar to the transient F ~.tiators because, for cases where the reactor is not rendered suberU' 21, the SRVs will be open anyway simulating a LOCA.
The available systems that are modeled in the ATWS event tree can all mitigate a LOCA of any size and their response would bt basically the 3
- same, i
RTS/ARI - Reactor Suberiticality - An automatic reactor scram signal I
should be generated for most transients or LOCAS.,
The RPS ' sensor s,
logic, scram solenoids, and control rod drive mechanism function - as l
required.
The electrical portion of the scram function is backed up by ARI. ARI consists of an alternate set of sensors, logic and solenoid valves which provide a backup to the electrical portion of the RPS.
RPS i
de-energizes. to actuate while ARI energizes to actuate.
The addition of 3
an ARI system is assessed to reduce the probability of electrical failures to negligibly low levels.
Therefore, this event represents mechanical failure of the rods to insert and.is assumed not to be directly recoverable.
For this event tree, all sequences have RPS/AR1
- l failure.
MFV - Feedwater Available - The feedwater/condensnte system would bc the first; choice for maintaining the water level _ at TAF and later between 12.5" and.58.5".
Depending on the transient (and 'whether MSIV. closure occurs),. all three feedwater pumps may be available.
The operator may 4
eventually have to switch to a recirculation system if the suppression pool level increases above the load limit curve (a function of RPV l
pressure) or te maximum containment water level limit, i.
s 3
2-66
an M
3PC CBS VENT N1 3 R.J*
3pk UL733 ggg g 3 ;g 3 f{
m (m
(is) 407A'WJ t
DM N
l 8
M i
m i
4 on
'~
5 to 1
F t
I 3
m O
CD a
co 17 CU (S)
N
.l 94 CO 4
N 1
4 Co (0)
- 69. #
De y
P3. 9t OW F
g 9 5. W og q
+
N. O CD
- 23. to on I
b it. m 70 1
75 E Cet 75.97 CD F F, tA og j
F*. W 04 g
79.1G3 DM
_. q M 10' CD l
- 31. IW Da p I W 103 CO l
1 31.104 og l
34.1 2 CO g
M,1M CD R 107 De 3'.12 ow
- A ICH 04 g
39 110 "O
I a 1 CD g
I I
47.153 og l
- 43. I ts CD M ith ca 45, 198 CQ 46.11 F CD 4 F.114 ou 4 119 CD N
49 120 CD ag iri o<
g 56.972 CD S2.173 CD 811' e ou v
g 64,128 C3 g
15.118 C.O (8)
SL 17' DM 57.129 CD SA. 'PD CO (9)
SS 130 og M 13i CD
.3
=
St,132 CD W. n3 nw (5) g S3.134 64.1M CO (9)
E IM og 96, 137 0
,. sM co 0, 0) an. t M ou g
EE. 443 CD
, (II)
M 44' CO Ft $42 CD N
FP.143 pet 73.144 CD
- 74. 943 Co (g
75.146 og 414F CD
.t FF 946 CD F5. 649 04 g3) f Me co o
M 15' CO S3 0
81154 CO
- 8. SS Os (13) g E 156 CD i (11)
E iS7 CD 1
97.?S8 CO 88.160 cc b
99.1 %
CD i.i m
19 g)
B 9
9 Figure 2.6 LaSalle ATWS Systemic Event Tree 2-67
=-.
Figure 2.6
'aSalle ATVS Systemic Event Tree (continued)
- 1) If MFW succeeds, RPT failure will be negligible since it depends upcn the same pcter sources as MFW.
If pswer fails MFW, then it will also fail the RCPs.
If RPT does fail, either PCS will have succeeded in which case we have an ok sequence or, if PCS fails, M F. will behave as in note (3) and t h.
RCPs will fail on low suction pressure (the peak pressures w' i he below level D stress limits).
- 2) If MFW f ails, RPT is not relevant since RPV level cannot be maintair. id and the resulting low levc1 will resul t in RCP failure on low suction pressure.
Sequences transfer tc (4).
- 3) MFW con not continue to run for more than about 6 minutes without depleting the main condenser unless the operator controls level, The inj ection rat e must be controlled to s 1800 gpm, the makeup rate from the CST.
This means that RPV level will be below TAF.
- 4) Transfer sequences from (2).
- 5) Operators are instructed by E0Ps not to use inhibit switch for-ADS but to reset timer.
- 6) For cases where no choice is given, ADS success or failure C II not affect the sequence timing or end result significan*1y, If.
the operator opens the SRVs to bring pressure down or auto ADS occurs due to low level, power will increase from aoout_12% to bout 18%.
LTAS code calculations show that ADS and subsequent HFCS, LPCS, or LPCI injectien will not produce excessive power spikes.
Level will remain at about 2/3 TAF, the ' low pressure inj ecgion systems will inject _ enough to raise pressuro 1 above their shutoff heads, and, if HPCS is working, they will remain shutoff since the -pressure will not decrease back -below their shutoff heads.
If HPCS is not working then oscillatory behavior results (mild pressure variations).
- 7) Containment pressure increases'until containment failure occurs,
- 8) RER cnd Venting success - Containment-pressure remains below ADS reclosure pressure -(90 psia, 321 o F).
' Oscillatory - behavior.
results from RPV pressure' exceeding _ low pressure system shutoff-heads, injection valves cycle (16 times /hr.).
Containment ' pressure increases to-
- 9) RHR o0K and Venting' failure ADS reclosure pressure and then' oscillatory behavior resultr. (100 psia, 321 cF) from RPV pressure exceeding, low pressure system shutoff heads; injection valves cycle- (11 times /hr~ ).
2-68
r p.-
Figure 2.6.
LaSalle ATWS Systemic Event Tree '(concluded) 10)-RHR fails and Venting OK - Containment; pressure: remains below ADS reclosure pressure (90_ psia, 321 of).
Oscillatory behavior-results from RPV pressure exceeding-low. pressure system shutoff heids; injeetion valves cycle (16' times /hr. ).
- 11) RHR and Venting fail - ADS valves reclose at about 85 psig, RPV repress.urizes above LPCS and LFCI shutoff heads, boiloff and core damage occurs -long-before containment failure.
- 12) Upon containment leak or rupture to the reactor building.-severe environnients may tesult in equipment tailure.
i
- 13) Ultimate 9hutdown
-Requires alternate rod insertion or - boron inj ection by -some. alternate means.
O 2 69
,mu
..~
RPT - Pecirculation Punn Trio - Both recirculation pumps are required to trip during an ATWS. RPT is initiated by a turbine stop valve closure, a turbine control valve fast closure, high reactor vessel pre :sure, or a reactor vessel Level 2 signal.
The tripping of the pu.cs will reduce reactor power to approximately 30 to 50%.
tailure to trip the recirculation pumps will result in high reactor power and pressure beyond the safety / relief valve capacity, which is assumed to result in reactor vessel rupture and a large LOCA.
If main feedwater succeeds, then RPI-failure is unlikely since the power sources (DC) that RPT depends on are the same as those for feedwater.
If RPT failure occurs for reasons other than power, either: (1) PCS and MW will be working witn no scram having occurred, in which case the plant can continue operating normally or (2)
PCS will be failed and MFW will work.
In the second case, MW can work at most for 8 minutes before the condenser is drained, feedwater fails, and the recirculation pumps trip independently on low suction pressure.
If MW fails then RPT will be irrelevant since the low RPV level will result in recirculation pump trip on low suction pressure.
PCS - Power Conversion System - If the PCS is available following the initiating transieat and the plan
- has not tripped, then it is as if an event has not occurred.
The plant continues to run normally.
If feedwater is degraded (i.e., only the motor-driven pump is available),
then with successful RPT the PCS can remove the energy bein6 generated.
FWL - Feedwater Level Control - If PCS fails, then the RPV water level vill need to be reduced to lower reactor power and to stay within the makeup capability of the condensate makeup system which is only about 1800 gpm.
At this rate, water level can not be maintained above TAF.
This event was assigned a 0.5 probability of success.
SBLC - Standby Liauld Control System - The operator must manually initiate the SBLC if the reactor power is not reduced and the PCS is unavailable. One of the two trains must inject the contents of the boron injection tank Mto the reactor vessel.
The injection would take approximately 20 minutes.
Dcring this time, the operator must further control reactor power, pressure, level, and suppression pool cooling.
If SBLC is successful, then the sequence proceeds like a normal transient HPCS - HPC3 Availe_bh - The BWR Owners Group Emergency Procedures Guidel ine s11 recommends use of core spray systems for reactor vessel level control under ATUS conditions only if the level cannot be maintained by high-pressure injection systems, the condensate and feedwater systems, or by LPCI.
This is because of the unknown phenomenology associated with the spraying of large amounts of water onto the top of a partially uncovered cort under ATWS conditions.
Thus it is assumed HPCS will be used only af ter feedwater has failed. The HPCS flow cannot be throttled since the injection isolation valve can only c;o fully open or closed. Thus the operator must control the flow by Cully opening or closing the isolation valve.
RPV water level will equalize near 2/3 TAF with HPCS working.
2 70
Apj_- Automatie Deoressuriration System If SBLC succeeds but all high l-pressure injection has failed, then the water level will fall to level 1 and ADS will occur. The low pressure injection systems will then be able to inject.
If SBLC does not-succeed,_then even with HPCS operation, the operator will not be able to maintain the RPV level above the TAF according to the LTAS calculations and ADS will occur, LPCS - LPCS Available - The Low Pressure Core Spray system is designed to automatically initiate upon a low rea,ctor water level signal (Level 1).
The operator may also manually initiate LPCS.
Water injection, however, will not occur unless-the vessel pressure is in its operating range. The i
system is available for all ATVS events.
The LPCS injection pressure is-o slightly higher than that for LPCI ao it will come on first.
LFCI LPC1 Available The Low Pressure Coolant Injection mode of the RHR system is also designed to automatically initiate if the reactor vessel level reachea the Level 1_ setpoint.
The operator can'also manually initiate LPCI.
Water injection. will _only occur if the reactor vessel pressure is in the LPCI operating range.
The system is available for all ATWS events, SPC - Suonression Pool Cooling - For events where the PCS is unavailable, the generated heec will be duzrped to the suppression pool.
Removal of this heat must be accomplished by the suppression pool cooling mode of RHR.
For sequences with successful SBLC operation, the RHR system will be able to remove the heat being dumpd to the supprossion pool and maintain containment temperatures and pressures in the_ acceptable range.
If SBLC does not succeed, then reactor power will be in the 9-17% range and RSR will not be able to remove all the energy.
However, if venting occurs or if only low pressure inj ec tion systems are working, then successful RHR will result -in stabilization of containment pressure and l
temperatures at levels near the ADS reclosure pressure i or the vent pressure and prevent containment pressure from increas2ng into the range where structural failure o f_ the containment might occur J>150 p=ig according to the expert-elicitation).
).
-CSS - Containment Snr,,g - In the unlikely event that the. suppression pool.
cooling mode of RHR fails, the containment pressure and temperature would increase.
The contrinment spray mode of PHR can be initiated to remove some of the energy. The effects-of CSS are similar to SPC.
VENT - Containment Venting After containment heat removal - failure -in cases with successful SBLC or in all - cases _ wJ th SELC failure,_ the-containment pressure will continue to increase due to the decay heat or equilibrium power being dumped - to the suppression pool.
When the containment pressure reachs 60 psig, the. operator is directed to -vent the containment through the StanJby Cas Treatment System.
If tne reactor is ' shutdown, then containment ' pressure will decrease _ back.to near acmospheric.
In all cases with reactor shutdown failure but some injection, successful venting will. result in stabilization of containment pressure at some level above the vent pressure, L.
2-71
CRD1 - Late Control Rod Drive - If the reactor is shutdown, containment heat removal failed, and the operator does not vont the containment when containment pressure reaches 60 e sig, then the CRD system may be used to maintain ccre cooling with only one pump operating in the long term.
CRD would not be usable in cases with liquid breaks below the level of the Core.
SRUP - Containment Failure Mode - If some high pressure injection system is working and either a) the reactor is successfully shutdown and the containment heat removal function has failed or b) if the reactor is not shutdowt., then if the containment is not vented, the containment pressure will ecntinue to rise until structural failure of the containment occurs.
This event asks, roughly, how large the break in containment is, either a leak (success branch) or a rupture (failure branch).
For the purposes of we need to know how fast the containment depressurizes, this analysis, whether or not we can use any low pressure injection system to maintain core cooling after the containment failure, and how long the containment blowdown will last in order to evaluate the severity of the reactor building environments produced by the blowdown, a leak implies that the containment pressure remains too high to use the ADS system to depressurize the RPV and the low pressure injection systems to prevent core damage; while a rupture implies that the containment depressurizes fast enough that successful operation of the ADS and a low pressure injection system will prevent core damage.
An expert judgement elicitation was performed to generate probability distributions for the containment failure pressure, location, and size.
SUR - Iniection System Survival - After containment failure, severe environments will be produced in the reactor building.
Many of the inj ection systems have components at various positions in the reactor building and these components will be exposed to these severe environmencs.
Simple Boolean equations were generated to represent each system that had components that might be subject to these environments and an expert judgement clicitation was performed for various component 4
types and environments in order to quantify the failure probabilities.
ULTSD - Ultimate Shutdown - For those cases where reactor shutdown has temporarily stable not occurred but the reactor has been brought to a last chance of shutting down the reactor is allowed. This can state, one A
be done by several different methods none usually considered in a PRA.
probability distribution for this e* ent was determined by in house expert t
elicitation.
2.7 References 1.
T.
D.
- Brown, A.
C.
Payne Jr.,
L.
A.
- Miller, J.
D.
- Johnson, D.
I.
Chanin, A. w. Shiver, S. J. Higgins, and T. T. Sype, " Integrated Risk Assessment For the LaSalle Unit 2 Nuclear Power Oat: Phenomenology and Risk Uncertainty Evaluation Program (PRUEP), Volume 1: Main Report,d NUREG/CR-5305/1 of 3,
SAND 90-2765, Sandia National Laboratories, Albuquerque, NM, July 1992.
7-72
4 J
W 2.
R. M. Harrington and L. C. Fuller, "BVR-LTAS: A: Boiling Water Reactor Long-Term Accident Analysis Simulation Code." NUREG/CR 3764~, ORNL/TM-9163, Oak Ridge National Laboratory, 0ak Ridge, TN, February 1985.
s.
Commonwealth Edison Company, "LaSalle County Station Final Safety Analysis Report," Commonwealth Edison Company, Chicago, IL.
4.
General Electric Company, " Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors," NEDO-24708A. General Electric Company, San Jose, CA, August 1979.
5.
Commonwealth Edison Comp'ny, " Transient with. Failure to Scram,"
LaSalle Procedure IAA-h_49, Revision 1, Commonwealth Edison Company, s
Chicago, I, January 14, 1982.
l 6.
U.
S.
Nucleat. Regulatory. Commission, " Reactor Safety - Study
.An 4-Assessment of Accident Risks in U.
S.
Commercial Nuclear Power Plants," WASH-1400 (NUREG-75/014),
U.
S.-Nuclear Regulatory i
Commission, Washington, DC, October 1975.
7.
"RELAN/ MOD 5 A Computer Program for Transient Thermal-Hydraulic Analysis of Nuclear Reactors and Related Systems User's Manual,"
ANCR-NUREG-1335, Idaho Nuclear Engineering Laboratory, Idaho Falls, ID, September 1976.
8.
- Economus, C.
et a l. -, " Postulated ~ SRV Litie Break in. the Wetwell I'
Airspace of Mark I -and Mark !I Containments A Risk Assessment,"
BNL-NUPEG-31940, Brookhaven National Laboratory, Upton, New York,
{
October 1982.
9.
Commonwealth Edison Company, " Containment Control," LaSalle Procedure LGA-03, Revision 5, Commonwealth Edison Company, Chicago, IL, January 25, 1984.
- 10. Commonwealth Edison Company, " Loss of Turbine Generator, Loa'd Greater-Than 25%," LaSalle Procedure. LOA-TG 04, Revision 0, Commonwealth Edison Company, - Chicago, IL,- January 9,j 1981,
- 11. Commonwealth Edison Company, "BWR Emergency Procedure Guidelines,"
Revision 3, Commonwealth Edison Company, Chicago, IL,~ December 1982.
I
~
- 12. R. M. Summers, R.' K. Cole, Jr., E. A. Boucheron, M. K..Carmel, S, E.
Dingman, and J. ' E. Kelly, "MELCOR 1.8.0: EA Computer Code for Nuclear Reactor Severe - Accident Source Term and Risk Assessment Analyses,"
NUREG/CR-5531, SAND 90-0364, Sandia National Laboratories, Albuquerque, NM, January 1991.
- 13. J. H. McFadden, et al., "RETRAN A Program for Transient Thermal-U Hydraulic Analysis of Complex Fliud Flow Systems, V.1: Equations and Numarics," NP-1850, EPRI, Palo Alto, Ca, 1981.
[
2-73
-a
- 14. Commonwealth Edison Company, " Stuck Open Safety Relief Valve,"
)
LaSalle Procedure IDA NB-02, Revision 6, Commonwealth Edison Company, Chicago, IL, November 14, 1983.
- 15. R. M. Harrington and - S.
A. Hodge, "ATWS at Browns Ferry-Unit One.-
l Accident Sequence Analysis," NUREG/CR-3470, Oak Ridge-National Laboratory, Oak Ridge, TN, July 1984.
l
- 16. W.
Wulff.
H.
S.
- Cheng, D.
J.
Diamond, and M, Khatib-Rahbar, "A
Descrip:
n and Assessment of RAKONA-3B Mod.0 Cycle 4: A Computer Code With Three-Dimensional Neutron Kinetics For ' BWR System
+
Transients," NUREC/CR-3664, BNL NUREG-51746, Brookhaven National Laboratory, Upton, NY, January 1984.
- 17. T.
- h. Wheeler, S. C. Hora, W. R. Cramond, and S. D. Unwin, " Analysis of Core Damage Frequency From Internal Events: Expert Judgment Elicitation," NUREG/CR-4550, Volume 2, SAND 86-2084, Sandia National Laboratories, Albuquerque, NM, April 1989.
d l
l 2-74
(.
r-Distribution James Abel Commonwealth Edison Co.
35 1st National West Chicago, IL 60690 Kiyoharu Abe Department of Reactor Safety Research Nuclear Safety Research Center Tokai Research Establishment JAERI Tokai mura, Naga-gun.
j Ibaraki-ken, JAPAN Bharat B. Agrawal USNRC RES/PRAB MS: NLS-372 J. Alman Commonwealth Edison Co.
LaSalle County Station RR1, Box 220 2601 North 21st Rd.
Marsielles, IL 61341 George _Apostelakis UCLA Boelter Hall, Room 5532 Los Angeles, CA 90024 Vladimar Asmolov-Head, Nuclear Safety _ Department I. V. Kurchatov Institute of Atomic Energy Moscow, 123182 U.S.S.R.-
Patrick W. Baranowsky USNRC-AEOD/TPAB' RHS: 9112 Robert A-, Bari Brookhaven National' Laboratories Building 130 Upton,-KY.11973 Richard'J. Barrett USNRC-NRR/PD3-2 MS: 13 D1 Dist-1
William D. Beckner USNRC-NRR/PRAB MS:
10 E4 Dennis Bley Pickard, Lowe & Carrick 2260 University Drive Newport Beacu, CA 92660 Gary Boyd Safety & Reliability Optimization Services 9724 Kingston Pike, Suite 102 Knoxville, TN 37922 Robert J. Budnitz Future Resources Associates 734 Alameda Berkeley, CA 94707 Gary R. Burdick USNRC RES/RPSIB MS: NLS-314 Arthur J. Buslik USNRC-RES/PRAB MS: NLS-372 Annick Carnino Electricite de France 32 Rue de Monceau 8EME Paris, F5008 FRANCE S. Chakraborty Radiation Protection Section Div. De La Securite Des Inst. Nuc.
5303 Vurenlingen SWITZERLAND Michael Corradini University of Wisconsin 1500 Johnson Drive Ma'ison, WI 53706 George Crane 1570 E. Hobble Creek Dr.
Springville, Utah 84663 Mark A.' Cunningham USNRC-RES/PRAB MS: NLS-372 Dist-2
~._
l 1
.G. Diederick~
l Commonwealth Edison'Co.
f, LaSalle County Station 12 RR1, Box 220
{
2601 North 21st Rd.
Marsielles, IL 61341 i
Mary T. Drouin Science Applications International Corporation 2109 Air Park Road S.E.
j-Albuquerque, NM 87106 Adel A. El-Bassioni j
USNRC NRR/PRAB MS: 10 E4 i-S. A. Eide p
Energy International Inc.
t 1
j-Robert Elliott USNRC-NRR/PD3-2 1
MS: 13 D1 8
j Farcar f b twila USNRC-REs,.iEB L
MS: NLN-344 i-t John H. Flack USNRC-RES/SAIB i
-MS: NLS-324 1
Karl-Fleming l
- Pickard, Lowe & Carrick 2260 University Drive Newport Beach, CA 92660 f
James C. Glynn USNRC-RES/PRAB..
MS: NLS-372 T. Hammerich I
Commonwealth Edison Co.
LaSalle County Station RR1, Box 220 7_
2601-North 21st Rd.
Marsielles,'IL-61341
~
U Robert A. Hasse I
USNRC-RGN-III MS: RIII 3
1 Dist-3
-m u
~
rs--
y
Sharif Heger UNM Chemical and Nuclear Engineering Department Farr' Engineering Room 209 Albuquerque, NM 87131 P. M. Herttrich Federal Ministry for the Environment, Preservation of Nature and Reactor Safety Husarenstrasse 30 Postfach 120629 D-5300 Bonn 1 FsDERAL REPUBLIC OF CERMANY S. Hirschberg Department of Nuclear Energy Division of Nuclear Safety International Atomic Energy Agency Wagramerstrasse 5, P.O. Box 100 A-1400 Vienna AUSTRIA M. Dean Houston USNRC-ACRS MS: P-315 Alej andro Huerta-Bahana National Commission on Nuclear Safety and Safeguards (CNSNS)
Insurgentes Sur N. 1776 C. P. 04230 Mexico, D. F.
hEXICO Peter Humphreys US Atomic Energy Au:hority Wigshaw Lane, Culcheth Warrington, Cheshire UNITED RINCDOM, WA3 4NE W. Huntington Commonwealth Edison Co.
LaSalle County Station RR1, Box 220 2601 North 21st Rd.
Marsielles, Il 61341 Brian Ives-UNC Nuclear Industries P. O. Box 490 Richland, WA 99352 D!.st-4
William Kastenberg UCLA Boelter Hall, Room 5532 Los Angeles, CA 90024
- c George Klopp (10]
Commonwealth Edison Company P.O. Box 767, Room 35W Chicago, IL 60690 Alan Kolaczkowski-Science Applications Int. Co rp.
2109 Air Park Rd. SE Albuquerque, NM 87106 Jim Kolanowski Commonwealth Edison Co.
35 1st National West Chicago, IL 60690
- E S. Kondo
-Department of Nuclear Engineering.
Facility of Engineering University of Tokyo 3-1, Hongo 7, Bunkyo-ku Tokyo JAPAN Jeffrey LaChance Science Applications-International Corporation 2109 Air Park Rd. S. E.
Albuquerque, Nm 87106 Jose A. Lantaron Cos'ejo de Suguridad Nuclear Sub. Analisis y Evaluaciones Justo Dorado, 11 28040' Madrid t
SPAIN.
Josette Larchier-Boulanger Electricte de France Direction des' Etudes Et Recherches
.30 Rue de.Conde 65006 Paris FRANCE Librarian NUMARC/USCEA 1776 I Street NW, Suite 400 Washington, DC-80006 Dist-5
Bo Lienang 1AEA A-1400
.wedish Nuclear Power inspectorate P.O. Box 2/106 S 102 52 Stockholm SWEDEN Peter Lohnberg Expresswork International, Inc.
1740 Technology Drive San Jose, CA 95110 Steven M. Long USNRC NRR/PRAB MS: 1" E4 11erbert Massin Commonwealth Edison Co.
35 1st National Vest Chicago, IL 60690 Andrma S. McClyment IT Dalian Corporation 1340 Sarntoga-Sur,yvale Rd.
Suite 206 San Jose, CA 95129 Jose 1. Calvo Molins llead, Division of P.S.A. and Human Factors Consejo De Seguridad Nuclear Justo Dorado, 11 28040 Madrid SPAIN Joseph A. Murphy USNRC RES/DSR MS: NLS 00 f Kenne th G. riu rphy, J r.
US Department of Energy 19901 Germantown Rd.
Germantown, MD 20545 Robert L. Palla, Jr.
USNRC NRR/ PRAE M3: 10 E4 Careth Parry NUS Corporation 910 Clopper Rd Caithersburg, 'hi 20878 Dist-6
G.
Petrangell ENEA Nuclear Energy ALT Disp i
Via V. Brancati, 48 00144 Rome ITALY Ing. Jose Anto "o Becerra Perez Comision Nacio Se Seguridad Nuclear Y Salvaguardias Insurgentes Sur 1806 01030 Mexico, D. F.
MEXICO William T. Pratt Brookhaven National Laboratory Building 130 Upton, NY 11973 William Paisin NUMARC 1726 M. St. NW c
Suite 904 Washington, DC 20036 D. M. Rasmuson USNRC RES/SAIB MS: NLS-372 John N. Ridgely 6
USNRC-RES/SAIB MS: NLS-324 Richard C. Robinson Jr.
USNRC RES/PRAB MS: NLS - 372 Denwood F. Ross USNRC-AEOD MS: 3701 Takeshi Sato Deputy Manager Nuclear Safety Engineering Section Reactor Design Engineering Dept.
Nuclear Energy Group Toshiba Corporation isogo Engineering Center 8, Shinsugita-cho, Isogo-ku, Yokohama 235, JAPAN Dist-7 j
-C
Martin sattison Idaho National Engineering Lab.
P. O. Box 1625 Idaho Falls, ID 83415 Louis M. Shotkin USNRC RES/RPSB MS: N13-353 Desmond Stack Los Alamos National Laboratory Group Q 6, Mail Stop K556 Los Alamos, NM B7545 T. G. Theofavous University e california, S. B.
Department of Chemical and Nuclear Engineering Santa Barbara, CA 93106 Harold VanderMolen [10]
USNRC RES/PRAB MS:
NLS-372 Magiel F. Versteeg Inspector Reactor Safety Nuclear Safety Department Directorate General of Labour Ministry of Soc.ial Affairs and Employment P.O. Box 90804 2509 LV Den Haag Anna van Hannoverstraat 4 Edward Warman Stone & Webster Engineering Corp.
P.O. Box 2325 Boston, MA 02107 Wolfgang Werner Gesellschaft Fur Reaktorsicherheit Forschungsgelande D-8046 Garching FEDERAL REPUBLIC OF GERMANY 7141 Technical Library [5]
7151 Technical publications (3) 6321 T. A. 4teeler 6400 N. R. Ortiz 6405 D. A. Dahlgren Dist-8
6411 D. D. Carlson 6411 D. M. Kunsman 6411 R. J. Breeding 6411 K. J. Maloney 6412 A. L. Camp 6412 S. E. Dingman 6412 B. D. staple 6412 G. D. Vyss 6412 A. C. Payne, J r. [25]
6412 D. V. Whitehead 6413 F. T. Harper 6413 T. D. Brown 6449 M. P. Bohn 8523 2 central Technical Files a
Dist 9 w%~1
s:.. :.g.
o s u a u s m.
"cs, c ess; -
ww.
u e,.
..,a
.,....a..-
..,~
s BIBLIOGRAPHIC DATA SHEET NUREG/CH-4832
<.. w
,c.,,,....,.
S 92-0537
' ' a c.
.c
- yol,
+
Analysis M the LaSalle Pnit 2 Nuclear Pwer Plant:
Risk 44, n r., --
Methods Integration and Evaluation Program (KMILP)
/,
i u
Initiating Events and Accidt it Sequence Delineation October 1992
- T,s Ec3i -7 6m --
A1386 7,., a :
t
.o;.uv-A.
C Payne, Jr.,
S. A.
Lide, J. C.
IaChance, D.
W. Whitehead Technical u si x ;. t u t ;
t 8',t 5' 8 C 6 C N L P L A N l a ' u - N A'/ t A s s A D L+ t h - W m.
- b.
- O ' s ' s A.*
v 5 % se e>
- ese ' y. cea *> r *
- f + 8 " as *v n de r, i s '. s
+,,a,,-,,n.,
Sandia National Laboratories Albuquerque, NM 871C5
- t. p o.s s: s m : a c a s : A.cs. r,uc t a u 4; s. t s:, s w.,. u~..,u,.
sco,..,,,,-c,a.cc..."
o" a.,e is
%,...a
.,v.c -. -
.-,.,-,,e, Division of Safety issue Resolution office of Nuclear Regula60ry Research U.S. Nuclear Regulatory Commission Washington, OC 20555 o; sa t vw a r.,
sr t s ss h e '. n A : 3 :, ; n s e. e c fhis volume presents the results of the initiating event and accidant sequence delineation analyses of the LaSalle Unit II nuclear power plant performed as part of the Level III PRA being performed by Sandia National Laboratories for the Nuclear Regulatory Commission.
The initiating event identification included a thorough review of extant data and a detailed plant specific search for special initiators.
For the LaSalle analysis, the following in!tiating events were defined: eight general transients, ten special initiators, four LOCAs inside containment, one LDCA outside containment, and two interfacing LOCAs. Three accident cequence event trees were constructed: LOCA, transient, and ATWS.
These trees were general in nature so that a tree represented all initiators of a particular type (i.e., the LOCA tree was cor cructed for evaluating small, medium, and large LOCAs simultaneously).
The effects of the specific initiators on the systems and the different success criteria were handled by including the initiating events directly in the system fault trees.
The accident sequence event trees were extended to include the evaluation of containment vulnerable sequences.
These internal event accident sequence event trees were also used for the evalustion of the seismic, fire, and flood analyses.
u w t s v. a os c t sc a n o st s u.c.y..
.,,4.
.,...+,,,,., -.<-,,-,,,,,
- i....m meun. e iw.
PRA Unlimited p
,. u w
- e. n.ss N.n.
LaS-lle Level 1 Unclassified n..,-
Unclassified a s m isc+# Acts it fps;t
%ai e w m ass
T c
Printed on recycled Paper Federal Recycling Program i
1 SMCAL FOURTH CL ASS T4 ATE UNITED STATES NSTAGE AND FEES PAO l
NUCLEAR REGULATORY COMMISSION l
WASH!rJGTON, D.C. 20555 0001 an,,,a no,o si l
I i
c ' r o A L E.u, '.ELS Pf ?4 A L. T Y F OR PR:v A TE USE. $ 3.>3 e
9 9
- s., 31
_,Y
, ^ ' '. -. g; 3+
. n.s
- s. r,
4 g
c, 7f
,?
,g) e <
t.
e
,e-n e
I
?
4 m__-__._ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _. __._ _ _. _. _.. ___ _. _.