Text

Shutdown DHR Analysis,Point Beach Case Study, Draft Rept
	ML20127E755
Person / Time
Site:	Point Beach
Issue date:	02/28/1985
From:	Cramond W, Ericson D, Sanders G; SANDIA NATIONAL LABORATORIES
To:	; Office of Nuclear Reactor Regulation
References
	NUDOCS 8506240645
	Download: ML20127E755 (938)
	v • d • e

.

s J. AFT. INFCP>AAL AND PRELIMINARY AND AS SUCL' -

MAY CONTAIN ERRORS NOT YET CCRRECTED, Fr T

. IN.HCUSE PRIVATE DISTRIBUTICN AND NOT FCh EXTERNAL RELEASE WITHOUT CONSENT OF AUTHCRS.

i SHUTDOWN DECAY HEAT REMOVAL ANALYSIS POINT BEACH CASE STUDY Dea'fC Report February 23, 1985 Wallis R. Cramond, Principal Analyst

, David M. Ericson, Jr.

"J Gary A. Sanders Prepared for the

Generic Issues Branch l Division of Safety Technology j Office sf Nuclear Eaactor Regulation

! U. S. Nuclear Eegulatory Commission l

l DRAFT. fN."-ORMAL AND PREUMtHARY AND AS SUC'A

.%AY CCNTA!N ERRORS NOT YET CORREC*ED. FCR IN . HOUSE PRP/ ATE DISTRICUTICN AND NOT PCR EXTERNAL RELEASE WITHOUT CONSENT OF AUT-4C4S.

! koj620645850228 -

P DOCM 05000266 PDR t 1

1 ACKNOWLEDGEMENTS J

Major portions of the study were done by other Sandia Staff Members and supporting subcontractors. These people are listed below and again on the applicable Appendicies.

Michael P. Bohn, 6412 Sharon L. Daniel, 6414 Donald R. Gallup, 6414 Wallace T. Wheelis, 6447 Steven W. Hatch, 6414 Sandia Nati5nal Labaoratories John B. Mulligan John G. Simon et al United Engineers and Constructors, Inc.

Leslie Cave William E. Kastenberg University of California at Los Angeles John W. Reed Jack R. Benjamin and Assoc.

William'J. Galyean Walter L. Farrell Science Applications International Corp.

James J. Johnson

Brian J. Banda NTS Structural Mechanics

, TABLE OF CONTENTS -

Pa.g1

1.0 INTRODUCTION

. . . . . . . . . . . . . . . . . . -.' 1-1

. 1.1 Objectives . . . . . . . . . . . . . .. . . 1-1 1.2 Background . . . . . . . . . . . . . . . . . 1-1

'l. 3 The Point Beach Nuclear Plant . . . . . . . . 1-2 i 1.4 The Shutdown Decay Heat Removal Analysis . . 1-3 2.0 INTERNAL ANALYSIS - METHODS AND RESULTS . . . . . 2-1 i 2.1 Analysis Methods . . . . . . . . . . . . . . 2-1 2.1.1 Modeling . . . . . . . . . . . . . . . 2-1 2.1.2 Accident Sequence Analysis . . . . . . 2-4 2.1.3 Vulnerability Identification . . . . . 2-4 2.1.4 Containment System Integration . . . . 2-5 2.1.5 Interface with Accident Phenomenology. 2-6 2.1.6 Value Analysis . . . . . . . . . . . . 2-6 2.1.7 Example . . . . . . . . . . . . . . . 2-6 2.2 Core Melt Probability Results . . . . . . . . 2-8 2.3 Potential Internal Vulnerabilities and Modifications . . . . . . . . . . . . . . . .* 2-10 l 2.4 Summary of Internal Analysis Modifications . 2-18

, 3.0 SPECIAL EMERGENCY ANALYSES - METHODS AND RESULTS . 3-1

3.1 Seismic Analysis . . . . . . . . . . . . . . 3-7 3.1.1 Analysis Methods . . . . . . . . . . . 3-7 3.1.2 Seismic Vulnerability . . . . . . . . 3-11 3.1.3 Potential Modifications . . . . . . . 3-11 3.2 Fire Analysis . . . . . . . . . . . . . . . . 3-15 3.2.1 Analysis Methods . . . . . . . . . . . 3-15 3.2.2 Fire Vulnerability . . . . . . . . . . 3-17 3.2.3 Potential Modifications . . . . . . . 3-20 3.3 Internal Flood Analysis . . . . . . . . . . .. 3-21 l

3.3.1 Analysis Methods . . . . . . . . . . . 3-21 3.3.2 Internal Flood Vulnerability . . . . 3-23 3.3.3 Potential Modifications . . . . . . . 3-25 3.4 External Flood Analysis . . . . . . . . . . . 3-26 3.4.1 Analysis Methods . . . . . . . . . . . 3-26 3.4.2 External Flood Vulnerability . . . . 3-29 3.5 Extreme Wind Analysis . . . . . . . . . . . . 3-33 3.5.1 Analysis Methods . . . . . . . . . . . 3-34 3.5.2 Extreme Wind Vulnerability . . . . . . 3-36 3.5.3 Potential Modifications . . . . . . . 3-39 1 3.6 Lightning Analysis . . . . . . . . . . . . . '3-41 3.6.1 Analysis Methods . . . . . . . . . . . 3-41 l 3.6.2 Lightning Vulnerability . . . . . . . 3-43 i

\. .. 3.6.3 Potential Modifications . . . . . . . 3-46 3.7 Sabotage Analysis . . . . . . . . . . . . . . 3-46 3.7.1 Analysis Methods . . . . . . . . . . . 3-47 3.7.2 Sabotage Vulnerability . . . . . . . . 3-47 3.7.3 Potential Modifications . . . . . . . 3-49 i 3.8 Summary of'Special Energency Modifications . 3-51 v

s

\

4.0 DEDICATED SHUTDOWN DECAY HEAT REMOVAL SYSTEM . . . 4D 5.0 ALTERNATIVE SELECTION AND INTEGRATION . . . . . . 5-1 6.0 ALTERNATIVE IMPACT ANALYSIS . . . . . . . . . .-[ 6-1

,. 6.1 Methodology and Approach . . . . .. . .. . . . 6-1 6.1.1 Objectives . . . . . . . . . . . . . . 6-1

!* 6.1.2 Approach.. . . . . . . . . . . . . . . 6-1 3 1 6.2 Results . . . . . . . . . . ... . . . . . . . 6-2 7.0 ALTERNATIVE VALUE ANALYSIS . . . . . . . . . . . . 7-1 7.1 Core Melt Probabilities . . . . . . . . . . . 7-1 7.1.1 Base Case Probabilities . . . . . . . 7-1 7.1.2 Alternative Probabilities . . . . . . 7-1 7.1.3 Summary of Probabilistic Core Melt Estimates . . . . . . . . . . . . .. 7-5 7.2 Publi.c Risk Estimates . . . . . . . . . . . .

- 7-6 7.2.1 Base Case Estimates . . . . . . . . . 7-7 7.2.2 Alternative Estimates . . . . . . . . 7-12 7.2.3 Summary of Probabilistic Risk Estimates . . . . . . . . . . . . . . 7-13 7.3 Non-Quantifiable Values . . . . . . . . . . . 7-13 7.3.1 Reductions in Residual Risk . . . . . 7-13 7.3.2 Effects Upon Equipment Qualification . 7-17 7.3.3 Effects Upon Plant Availability . . . 7-17 7.3.4 Regtlatory Issues . . . . . . . . . . 7-18 7.3.5 Summary of Non-Quantifiable Values . . 7-18 8.0 UNCERTAINTY AND SENSITIVITY CONSIDERATIONS (to be provided later) 9.0 INTEGRATED VALUE-IMPACT ANALYSIS . . . . . . . . . 9-1 9.1 Methodology . . . . . . . . . . . . . . . . . 9-1 9.1.1 Value and Impact Analysis Variables- . 9-1 9.1.2 Value-Impact Analysis Measures . . . . 9-4 9.2 Resulta . . . . . . . . . . . . . . . . . . . 9-8 10.0 SPECIAL ISSUES . . . . . . . . . . . . . . . . . . 10-1 10.1 Feed and Bleed . . . . . . . . . . . . . . 10-1 10.1.1 Value of Feed and Bleed . . . . . . 10-1 10.1.2 Impacts Associated with Feed and Bleed . . . . . . . . . . . . . . . 10-4 10.1.3 Operational Issues . . . . . . . . 10-7 10.1.4 Environmental Qualification

Concerns . . . . . . . . . . . . . 10-7 10.1.5 Summary . . . . . . . . . . . . . . 10-9 10.2 Secondary Side Blow-Down . . . . . . . . . 10-9 10.2.1 Value of Secondary Blow-Down . . . 10-9 10.2.2 Systems. Required for Successful Depressurization . . . . . . . . . 10-10 i 10.2.3 Summary . . . . . . . . . . . . . . 10-13

/

i i

I m- -- , - - , , - - - - , - - - , --,---n- - - , , - -

1 11.0

SUMMARY

. CONCLUSIONS. AND OBSERVATIONS . . . . . 11-1 11.1 The DHR Assessment . . . . . . . . . . . . 11-1 11.1.1 The Internal Analysis . . . . . . . 11-1 11.1.2 The Special Emergency Analysis .. 11-1 11.1.3 Base Case Results . . . . . . . .'.' 11-2

, 11.1.4 The Alternatives and Revised Core Melt Probabilities . . . . . . . . 11-2 11.1.5 The Value-Impact Summary . . . . . 11-2 i 11.1.6 Discussion of Results . . . . . . . 11-3 11.2 The Add-on Decay Heat Removal System . . . 11-3 11.2.1 Non-Quantifiable Valse Issues . . . 11-3 11.2.2 Comparison with European Practice . 11-5 11.3 Observations From the Case Spudy . . . . . 11-6 REFERENCES APPENDICES: .-

A. System Descriptions and Simplified Fault Trees B. Internal Analysis C. Seismic Assessment D. Fire Analysis *

. E. Internal Flood Analysis F. External Flood Analysis G. Extreme Wind Analysis H. Lightning Analysis

I. Sabotage Analysis (under separate cover)

J. Impact Analysis K. Consequence Extrapolation L. Methodology for Value-Impact Analysis W

= ,

G

1.0 INTRODUCTION

1.1 Obiectives The objectives of Task Action Plan A-45 are to evaluate the safety adequacy of decay heat removal (DER) systems in existing light water reactor nuclear power plants and to assess the value and impact (benefit-cost) of alternative measures for improving the overall reliability of the DHR function if

, required. To meet these objectives a program was developed which assesses the adequacy of DHR system reliability in r existing plants, establishes the feasibility of potential measures to improve DHR, and provides a value/ impact analysis of the most promising of such measures.

1.2 Backcround Because Unresolved Safety Issue A-45, Decay Heat Removal Requirements encompasses the entire industry, the population of nuclear power plants to be considered for analysis started with approximately 173 units. Seventy units were excluded from study because: 1) they were of special types (e.g., HTGR) or included in the Safety Evaluation Program, 2) there are sufficiently similar units included in the remaining base, or

3) the units were not far enough along in the design /construc-tion process to have information readily available. The remaining 90 plus units formed the base of the TAP A-45 study.

The initial steps in assessing the adequacy of DHR were to:

1) characterize the. units in terms of their physical parameters, i.e., number and location of safety pumps, number of redundant emergency power trains, etc., and 2) develop a set of qualitative screening questions against which the plant characteristics could be compared. This set of qualttative screening questions was based upon a thorough review of existing guidance such as the Standard Review Plan and the various Regulatory Guides, previous Probabilistic Risk Assessments, special topical studies such as the Auxiliary Feedwater Studies, etc. The intent was to establish a set of questions which would reveal potential deficiencies in DER capabilities for both Design Basis Events and for beyond Design Basis Situations. After review and reduction, some 135 questions remained for use in the qualitative screening process. There are four possible outcomes of such a qualitative screening: the plant meets or does not meet the postulated condition: there is insufficient plant information in the data base to evaluate the design: or the question does

! not apply to that plant. It must be remembered that the sole purpose of this qualitative screening was to highlight

' ootential DER vulnerabilities for further study. Because each plant has a unique configuration, an inability to meet the conditions of a particular question at one plant may be more or 1

less serious than a similar inability at another plant. For

. 1-1

A example, consider the case of a single valve iIn a DHR water supply line. There is a screening question designed to identify such valves which, if closed, would fail the system.

If this valve is in the line from the only source of water, it may be a potentially serious single failure mode. However, if there exist redundant sources of water, redundant. lines, or other systems which perform the same function, the single valve may be of little concern. Such differences can only be established by detailed analysis. Nevertheless, the qualitative screening serves as a tool to focus program resources and direction. -

On the basis of the initial qualitative screening, approximately twenty plants, which included all vendor types, were potential candidates for further study. From this group seven plants were selected. This selection process was subjective and .took into account other issues in which a particular plant might be involved, operational status, utility willingness to participate, and similar concerns. The Point Beach Nuclear Plant was one of those selected for more detailed study.

1.3 The Point Beach Nuclear Plant Point Beach is a two unit site.using two Westinghouse closed-cycle pressurized water nuclear steam supply systems of '

the so-called two-loop class. Each unit is designed to produce a thermal output of 1518 MWt with a gross- electrical output of

_ 524 MW, and a not output of 497 MW. The major structures on the site are the two reactor containments, the auxiliary building, the pumphouse, the tu'rbine building (including the control building), and the service building.

The containments house the reactors, steam generators and reactor coolant pumps. The auxiliary building houses the safety-related systems including high and low pressure safety i

injection, containment spray, and component cooling water. The 1 low pressure safety injection pumps also provide residual heat removal. Rad waste processing and spent fuel storage are located in this building. The turbine building has the two generators and related equipment. The control building, which is inside the turbine building, includes the control room, electrical switchgear rooms, auxiliary feedwater pump room, and emergency diesel generators. It also,provides a seismically rated platform for the condensate storage tanks. Technical support, including engineering and health physics, is located in the service building.

Several aspects of the plant and equipment layout are presented in more detail because of their relationship to DER. As noted above, the condensate storage tanks are located on the Seismic I control building structure in the turbine building. These tanks and associated piping are accessible on the Intermediate /

I-L .

i j . . . . . _ . _ . . _ . . _ _ _ _ . . . . _

j . . . . . .. .

I f

Floor level (E ev. 26'). Also, in the. control' building the plant common 4160 V electrical switchgear room and in turn the 480 V and cable spreading room may be entered at the i

Intermediate Floor level. An internal staircase in the cable spreading area provides access to the control room (see Figures 1.1 and 1.2). The control room may be entered on the Operating Floor level from either Unit 1 or 2 side (see Figure 1.3). The i emergency diesel generator rooms, the 4160 V emergency switchgear and DC battery rooms, the auxiliary feedwater pump room, and the air compressor room are all accessible at the Ground Floor level (Elev. 8') (see Figure 1.4).

In the auxiliary building, safety related pumps (safety injection, containment spray, and component cooling) are located in a common area on the Ground Floor level (Elev. 8')

(see Figure 1.5). The component cooling water heat exchangers

are located on the Operating Floor level (Elev. 44'). The low pressure injection pumps (whfch also serve as the residual heat removal (DHR) pumps) and RER heat exchangers are located below grade at the west end of the building. Normal access to these

areas is through the control point in the Service Building.

! The service water pumps and fire pumps are located in a common room at grade level.in the pump house.

I, j These plant design features are discussed in varying detail in the various special emergency analyses. Additional details may

, also be found in Appendix I.

I j 1.4 The Shutdown Decay Heat Removal Analysis

. As noted above, the Point Beach' Plant was idontified in the e initial qualitative screening as having sufficient potential 4

vulnerabilities to warrant additional study. This initial j screening and then subsequent identification and evaluation of alternatives for improving DER are the subjects of this report. Some potential accidents which could result in core i melt have not been analyzed. Since the purpose of this program is to study the adequacy of shutdown decay heat removal systems, large LCCAs, reactor vessel ruptures, interfacing I system LOCAs, and anticipated transients without scram (ATWS) are excluded. Furthermore, special issues being studied in depth elsewhere, such as pressurized thermal shock, are also j ' excluded.

The flow of the analysis and value-impact assessment are illustrated in Figure 1.6. The internal analysis proceeds 1 along the well-documented approach used for other probabilistic j risk assessments (PRA). The potential accident initiating i events are identified and combined with required functions in

event trees. Then using Bo,olean solutions to the fault trees l describing the safety systems required to perform the safety l functions combined with the initiating events, accident sequences are defined which can lead to situations resulting il either in safe conditions or core melt. The probability of '

a l-3

l 1-t ise suj ., '

T f. . . . . O

-] - Utili 2 l- --.-

as v*

l

,,Js- w- s* ls3 a 4. 'hr y?' 2E-f 24 f .1URBillE _. ,, ' ;

M 2005g'-]N't#

i.e ye-u

,,__e s twoc M 6 vn 0; j ~~ '

-- ##41L. . - M JV ' .

d'. ' *

) ...u-. Tmw -rn - -

U

- #Tr. .

hvan .,

O

1. caiu an e'amt

'V'- - I j */ gg g- 4:s4.

i 1

3 f r-i, 8

. - 3.uo y,

= a-cisi o 3)l la.c ss p . Va* ~ ' ' ' ** am .

I l

F( -h. ,m --

m. .! .

g =a _

4

( b i d t . 2 g.f*M - '

@ sio5 *

-G.s css j ,

l K.l l

. 2 480W VliAl. sWGR i

r s 4, '2 1* __

f F

-Et

'--- I- "jcMD' $E.is o,( . . _ ia a- _

l 1

l 7" L ,&

i -

_p-i_ c n ( ,

-- +i -'a' c

% e t

+4 J -

u / II . -- - -- .

s.

ll -...-- 7 h

=l . !? _ .. r cen b oitou Lj.ovoi e-ci>> f,

]I' < Acttss 10 si i ' -

ccw a cs sws if' -

1 g hp a cis

I po, I ;- T /'Ta4m. ' l\' ,,,,D -

e sanw i

4

.b. fi,t* h OLeig Aos j {g . .; g wiso '

G, -

j

[- .

. s _ 3 enas am ', g;, _ ;

*(~

.s r

i _ _ , ,

t>

W- il tus .c ,

,I ( *

EE % H l

I -

. d L'

- ' x/ "'"

I I_ bi

i. cia '

t-

-d

'"#: "

F- E a

'i+N/is***

g' J (

mm 5*$ '

,, ,y' ColeEllSATE -

i

,: T-- l - 11 .] ,

g-j n - . -

C I' f., - - - - STORAGE +--e j . g- .

l

'~4--

u . . .. "" one 5> E - igencs . 4

)_r q r. at lkg. .,, @

i " l* a

' 0'E '

Mg : -

-(;i t]T]m. 38 s.'a' .3 E

' ' 8850 9 l P".. - (v ], ite i . as .

E 4.t s e I***""o

-) E*f fp i ana O.

- . ' ri4 4 l i

4I/ i-=vos a ,' .,

I

_#f 1"* I e naov vilAL swGR I sao, ( l.: ' j (Wi1A -l '

, q 3*- g s ,,3 o,,'

u -a ,

._}

.1 4 di go'$ca._)

se-i DI .; 58

.3 L._._ v s

b,HsGSA *s I Q*',*f' ','c',E( l}I O h h N'CsV,Q=F Y ? I h nht,Luit r -- g:- "Q' T5' , ,2 *** i

..m. . .: . L_ :**"

.- Q- -yl [ ,l.-

i i

Y

-- m 31 . - - - -

I ~~~ ~ ' ~

y 7.- ,

I i ' l f, li t i::uEl&#LH F.14 .

l T I -: ' '***** *42 8 * ~ ~ % u:-- l 'N . i 1

10 SERylCE BLDG -

soetes N o gg,g.g unica f. i -

l g .is i AttEss COlilROL l'0Illi g l -

N, +.

j 1

- -ui y ,em. p hn'

ro* ' 's.ec :

.,t3 . uana sieau

i. g a "

l g

f

.' N, UNIT 1 TURBINE !

~ }. ***1C 84 _ ! ' -

I OCARDREADER MCCie4' _ _. a . . -

6 I.

CollIROLLED DOORS 7 .

~ A *,(- f c _

Y. i

' N.r . :

' , I ,,a.. _, ;

- [ ., , .- -_. . _ . - l g ----4--._._-.---- .

l 3 6 'o'. , ( . _ _

anow -

.. j _

j .

j, pl,s.ers,i. c n.

i l Figure 1.1 Intermediate Floor Level (Elev. 26')

i

'i.

i

i l _. l f> sw a %. .

vi .

__.q.

1 lj,jls-- . - u !.

. y ..

_ _ . .. .. _- _ 7 _ __ ,

zes I_

i

.r k. .__.o._/

,- j/. .

\ ,/

N/ / N f_.

/ .

4s i

__ A_ _ _ _ ___,

i

-- 3y} L @ i.

- a i __ _ . Tg[_) -,

g 3__g g s .- g i

l

,I

\ '

) t pf[

**** Ei7td1 j ,,,,,,,d_

I\l n a y.. -]- ? acanoa anonkenues g ,

) '

-l '. n 66*62 LE-'^*_, -_. -l co euna noe. ***"" _ ,,, l,

' i . ,

i sesos sa e.a's cama ,

[

! __ --_ , LQs t l - 'I'"#Y n Go'd CWF m .

j

'j j l ,

--- i l

J Pas ila; ., isc E

.m . . .

l m .

camt a ca t w ie- E+-l.

I 7y w. c .. . t=4 i __

1 w .a i a.-

g 3 3 . ___ _.

l I

k yil-El'T.;"wiza- 5 3 t _O N YN I r l .,I 40'

o. d Ta4' A d . fidi 9 i EiaJ Lismix , _ _ , . _ _ .

l -

_ ., j l

i. k}t9-).

i

~-.

~

.1 _ _ _ . . . . . .._.' g_-a- s 1. ,

l COISENSATE STORAGE TAIRC

'j _' .,,,,, ,

) omCA8tE SPRIADING J

-* st ' .ima ;

[. ,

l.h 8 ass / I i gnus o.

i

me : aon e

= > -

! tf t jrse , 8-

,t _',ne,7g d '" y 7

i s' g' k e T sa mg ../,n , I[f '74 I}!t l .E M-- I .!A DllJ l i -T a- s ..

.o a q .-g-- r uw-). _T1J i i -

l '

4 ..

-lggyg

<i ri -- .__

\

j gg-y }ya'/ : T.., e

' g -_..-- --

(-- 1 -

l i I fp:/ies%Riii,3 -

'"? !"""

j

- =i4 4 i-pua, t sawa; rus -

E

,.d, f , , g.'-j

M m .p, -J 7 --

7 :

h b bb !I b '

l . . _h-1 .JbI_ , _ , f15 [J_ !u .i ;

CDNIAll0 0 T ,,,,,,,

JE 10N S

TOR !u" ;

SPRAY i ;

l 1 *

- i, l Figure 1.2 E-W Elevation - Control Building / Auxiliary Building i I

-- .. - _= . . . .. _.

., a :

(:-)

(h?@

)\

=

50

)

!=\

.~% .

X '

.e ?)# .' 9 .22 ' .e .93 .,

3 i r- QMn -

c - n.

-n 5 . _ __

- ==. c s ,.

..1 e '

1%4 '

(

e-1 . . 3 6l r*[,ad.

4 ,.

, i

..r

~ a. ; t, as < ' '

J _. .

. i i n

,i!

3 : e' ! : \ 7 , lh.i -

l ___.L

\

L J. . h., _y i l' vi .N, l / P -

]

I '

- I D5. i lll z *

[

~8 -

s l,.

g

.s .t. i .r se " f,

, n

, :.e:,.1 s .a wE p .

g ,

j% ,

l'

t e g

y=

. . . . eamus== L

, [ l , ;l av sis e..

' f '

W i

j' t U

M l *~

e g h) -

~2 g. .o . .

'l

l. sisi5-

'+ 3 d

(- 0 %- ! l h_; - -

5e ;

e em $

Is i 3

3- .-

e

, ; .,+,

,; g#g g

u. .s.

u o

p., .

sp a s

- . r a, l-lg.y.

i

~ 7 ,-} g u , ,, m.ess>

o -bz a+;

s o ,,

s'5 cinns=)rd ,.1 va -

=in e, 1g~. .D ~s

. 5

. s.: ; ao

. is e. v 8 ur

, \i,- ye- -

- i .spee.es. - ,

u as e

t ua+ s-

-f y- -- -

.~ a e

' ( z, .j. :4 0

, .4.c.a

%\ . a s

-e e

in o

o c.

.= c i 4, i .~ -

.,,,.,, m,.m,

-~~ - s.o a=: o

,,s !~ .,

Ta,'. ;

in !!.m R !! 9 tm,,,, ~l.<e a s-T

.3 ish sD-b .s es!!on aA .i .s.,hc 4~g n n ! !

a-d d5 s 3 .J iv r.li! M : .%@;*' t .- v 2,2 it 2 @ k %n5r;i .y a.x- 8.

. ho -

3_ . -tw .

rry' o .,,,i . I.e .el z<

- 3 ./=,

i ,,' n

, m., r4 - ,, s

t. , -. ,

g u & * *"

H W Q l. ,

. Gy

+- - , .

.._+ 1;

< +; .,=. g l= ,, , .

u. a, e g.,,,

,I.. , -

t. .-

, ,a , u.. -

. , w.

v-

., u. - .

j-

~j;o 1

, o. .s .

- '-.+-w q .

( g Vlp q

.l. ..;)ijj e -[ Q y, :'

1 -4,

1 Ull I 2 -.

, .v .- i s .- ' _f- Fi' wi' . ___.E1* 1" . ,.

w

'e syrn, g r e

.-ac> M-13 &lM?007 5

4 "

.>-*'** .** *"_ __ ~ _ _ _ _

3". n a am u- n '

m m- -m O'- N -

,-- M-l l p , , f +-+-U] ]-j , _ _ __--,- {

afr i. . '

,. * -" I l* ' ld ja6 oos 'h4 E 2.o. g g n~

g<.cI< g

= .

/ p.u

~ '

1

. _ l 4 .

3.r. 7,,

4 1 . ,

a nnq,y > ; - ""

~

\~ L

, g t m.> co, 6- F .

f, X' f .a (

y

- - 1 = t 1

'(

D ji l i 'i' 6 g I'

i,l l l 90* CE f . ; O ;

}Q, os , '*

,9 ,

h AI *a

. ' ~

8 FILA '4- ,._ s*fd $ l g eau N 06 f e j 33 '

j - I, _.

t- -

_l i T.-~ ' ' ~ %~ ,[fIi

.:. . _ . , . y 4 -

1-J5

,;. ,N(4rcinb g., ig - ~ --.'~ N . $.--'T

~[ - ,((j{A 18.)

__T-f , g.

._ b a sans penso , g g

,, - Ct.s[II-~ }lM

, ,, , g(y I !*. E6' T."*r if - ~I -- -

Ik l a. -

e t

HHLgf)

I

,t

,U > 1gy.3.l 4

h g

iAos ses P g

-:f'*7/H8558

~

j. g.. l g

e-p 9.,us. t y

i e - t a r i ,

T '

-I I bolff l Is "

L'{ V .nAuxILIARY -

78 4

'L_ l 'N I ID - O.h( 6 O'3'*I 81 5 #

3 ---P FEIMIER ~-I g j. i 1 4 a .o, no.

0 . = _ - . . . .

,M i- _ _ . . - -

. .Q I

4bl~

s,

_ +}it l

t 1 >

g i

... .- .m eaa. T

, g

,,J __a._ -

c,,j,,,354l

_o- .g t, . ,

aute, i-]h l

- aT .

8 88 3% .A, l g 4 -

W ... .. .t -

-f .l. , 'R).- 8 tip.ms je f e i i i ...,isuJ {r .L 7;,, .a x e u., ;

r - s***

g g

i i 3.1s i

._ ar _. c isa. . c l,v-- .

wsensur T

E'[iN

'Q N.

I

{p ,}

l{.CF4j ltna ? y

~ T E T-~- C1-~ 5* ,- ~ , n i, . .

f y .*" -

W_1 - - .- -am= <- - - - -

-- 81st l 3* 7 g s --

- y - .- k -- .; ~

87-pl ' l i mm , e e

,- ,. . eO.,f, m,,,- '.- '.-m,.r dil h,.. _ - &

9. ,_,

iggte

]* W it Suf'1"tv **

MMMN ix\ T24A4th a >

, .pp ,' '.

s g.p g,g a g g- (M8 I \ LE*Id &

, OstRFtOW e naase

-l . .. A um. . ,, A((($$ coon o

CARD READER 5 Coll 1 ROLLED Ifl - **"'~~

D008%

s DOOR ,-

tali 1 : s.iu .awasuo:w -

- Figure 1.4 Ground Floor Level (Elev. 8')

s I

* * * * . - t*t. - . . . . . .. -. . v --

._ _ _ _ _ J. g ji - i:,_ _ _ _ _.1 _ .

. w

-w* . q _ _. _ _4_ _:u t, ,

3 '

.,.: .y ,.o .s.,

u l.o ,.u g , ,a.. .

i1~ 2 S:+; l~ 2_ -

sr s i a

y.*

lle= = - +- t

=s.ms *T'J Til ""29 L

- .i . . .

,, I

{J *y Q'y{

ig_g

h.3 74__- _j 1 .

t L - .

.. i_,

a

p. .u..a* _s .

.p i ,i ... . .=

Tr *l s .M. a . . x a,m

. i- !

=

. , 8, a. _v i 3 -:. _

.2; s f;-C..

L e .yy _cm .g 4-*'* 4 %, n, c.

.I u -

.u m, -

&c ,:

r g .

a ->

-f--- 1-@ - -

'/r N, &

l91 ' !.!h h?,jp* .. ire' . = i a -

.,, w f

.==7 E;c e ) - .48 e

1 i .-

.5

" g '

' ?'

su L,"ps * *-

_E. r'

. }\

l -

,.i. se!g I 11 it, 'W aje .L.,

r. - P

.' ~2 @%$- ']A f L

e 'A 5g - - m,5 ' . W,fi I ~=7 a $ el 5 2 :

E a,5 i wvg 1 @y :: * :n =gy. . O m ,z,

.h~4 i -) >

{ ,

.ii i

e

g. j'i ,.

~~

I 's:

E ~a '

5 ',$'"' G

. ~ '

e 5

,. 2 ,;. -g~'

I n+' ~'-(, r=. c. =

3 -

,g

%ji

- - _ .. 6

- sw.u- l y

@ Ig F

.. jmg = l ,in~. -

n .

g ,.. c.

g 5 <8 a ,.

MM,, k"': .; jhi. Mrr ll ,*' . +

g l -

h- *I e

Tg* !",j!

8

!.)

e t. ni,- n-

,, n ' p $ $..

_. =

l'! 3 ' e r 4 s 3 n.

ky _

Nb

.._. . , ~ _

h* l

,7 4 s, e.in ri&=in <. %lis., ;,5 .

n s .-]

~

k q.t P- C

~4i.J:' 2., .e6 . c l - - -- -

*w x n..

{ !

e .

', . g u':: ~

... - ~

e

$ i ~6 p'g 8%llE'-m *^ $ ;r.n$

d- :s

>d ; ;'s y s * '8 '> .

8 1%.

i, W

i .s "d

W 5jii s

._ v, f .-u.Jit Ki %

...3 tr" -.e - E _d y.

. -2 , .. .

.0 3 . e < t',,'

M . . , ... d =

.s .1 .i

-~I ni I .w .

'TfI , b[f0*'

'M $r:r- . .

b -

I j 'I . I l-e .

- a . _ _ _ _ _ - .-.e _

5

" ' ' "-********e-- , m, , , , _, .

M-M agy ,

e h

a 5

. a.mh g 4

a s$

WW aga X =

2-1 1>,

A 4

4 4C WC ga a ya og o.

G 2

h e

0 3

- a 3

25 o~ g 0

me t=

<=

3 - s

>= ud J".

M UU <

W e

M S

be

- 3 m

==e b

i MM .J W l " 4 W b

i

$ t W i

SE" *E3 l

'w 1 -9

- . - -.. . _ - - _ - - - - ,,-, _ ,-v,-, , . _ , ~ -,,..v7~~------__v-. , - - --w--

1 i

i those sequences occurring which result in core melt was "

quantified using available computational tools. This -

i quantification also identifies the specific random failure events (e.g., equipment failure, operator error) which contribute to the core melt and the magnitude of that i contribution. In addition, for core melt sequences the

performance of containment systems was also examined. Then

! using the results of past PRAs, these results are used to 1 determine the containment failure modes. This leads to '

delineation ot potential release category probabilities which can be used to establish public risk in terms of expected I

population radiation dose and other measures. The results of 5

the internal analysis are estimates of the probability of

. specific failures and their contribution to core melt and 1

public risk. This information can then be used to suggest

, modifications to equipment or procedures which reduce or eliminate those failures., This process is discussed further in

Section 2 and Appendix B. -

I The special emergency analyses proceed on a parallel and

, similar path although perhaps more qualitative than the internal analysis and certainly more dependent upon engineering i judgment. Generally the special analysis for earthquake, .

I flood .and high winds proceed by identifying the hazard and its frequency of occurrence. Then an assessment of the response of I

the plant to this hazard was established. A key aspect of this

assessment is an onsite inspection of the plant and its 1 l equipment. Once the response is established, individual i equipment fragilities are established. Then using the internal l event fault trees and events, the potential contribution of l specific failures to core melt probability were estimated.

! Using this information modifications were defined again to I

eliminate or reduce the effects of certain vulnerabilities. 1 The special emergency analyses for fire and internal flood proceed in a slightly different fashion. First, potentially

, significant fire areas are identified using the transient event l

! trees and system fault trees to establish the critical front i line and support systems. Second, the physical arrangements of

equipment and potential fire sources were verified by a site ,

visit. The effects of the special emergency were then '

j quantified based on historical fire occurrence frequencies, analytical models of fire growth, and fire suppression probabilities. In addition, randon failures and human factors were considered as applicable. Based upon these results, 4

modifications designed to reduce core melt can be proposed.

ThespecialemergencyanalysesarediscussedinSect(on3and Appendices C through I. - - -

1

! Based upon initial estimates of the possible reductions in core

, melt probability that might be achieved by the various

modifications, the modifications are combined into groups for l engineering evaluation of feasibility and impact. These I

. 1-l*

l

combinations are called alternatives. The alternatives are reviewed by the Architectural Engineer (AE) and the plant staff '

for feasibility and reasonableness. Based upon this initial review, the AE proceeds with conceptual design. After an onsite inspection to insure that the proposed designs could be

, implemented and to gather site specific cost and related data, the AE develops the impact data. This data includes, but is not limited to, capital costs for engineering and installation, radiation exposures incurred, maintenance and operational costs. Once the conceptual designs are reasonably well established, the internal and special emergency analyses are rerun for each alternative to establish their value in terms of reduced core melt probability and reduced public risk. These analyses are described in Sections 6 and 7 respectively. The impacts and values are then integrated into a value-impact analysis. This analysis is structured according to existing NRC guidelines. . Further discussion of this analysis is provided in Section 9. A brief uncertainty analysis is provided in Section 8 and an analysis of special issues (i.e.,

bleed and feed, and secondary blowdown mode of operation) is provided in Section 10. Finally, the analysis suqqests those generic insights or conclusions that might be inferred from the results for one plant (Section 11).

e

\ ,. .

I e

. 1 - 11

j 2.0 INTERNAL ANALYSIS - METHODS AND RESULTS 2.1 Analysis Methods I

. The internal analysis methods are described in this section using the pictorial respresentation of the internal analysis shown in Figure 2.1 as a guide. After the various tasks are explained an example will be given in the symbols that are typical of probabilistic risk assessments and of this analysis i for Point Beach.

2.l.1 Modeling e

{

i The process begins with the selection of the initiating events to be considered. Since the purpose of this program is to i study the shutdown decay heat renoval (SDER) function adequacy,

! large LOCAs, reactor vessel ruptures, interfacing systen LOCAs, and anticipated' transients without scram (ATWS) were excluded.

' Furthermore, special issues being studied elsewhere such as 4 pressurized thermal shock were also excluded. Thus, the l initiating events to be analyzed are:

i Small LOCA j Loss of Offsite Power Transients l Transients resulting from initial Loss of the Power i Conversion System (PCS)

Transients with offsite power and the PCS initially

! available In order to develop the event trees for each of these l initiating events, the success criteria for the systems contributing to the SDHR function were delineated using the I plant Final Safety Analysis Report and discussions with plant personnel as the sources of information. The objective was to define the success criteria and potential options to, address the various accident conditions realistically and not overly conservative. The front line systems that were considered are:

Auxiliary Feedwater System (L)

High Pressure Injection (D1) & Recirculation System (H1)

Low Pressure Injection (D2 ) & Recirculation System (H 2)

Power Conversion System (M)

Pressurizer Safety and Relief Valves (P)

Secondary Safety and Relief Valves ,

In addition, the support systems considered are:

Service Water Systen l

Component Cooling Water Systes

! Electric Power System ,

Emergency Safeguards Actuation Systen l Each of the front line systems or combinations of those '

systems, e.g., bleed and feed mode (E) using the high pressure s-2-l l ._ _ _

1

(~'.:.

(,

m.

ee

- . - - - - . . . . . . . , . . _ . . ._L _ l ' -

i

, T'(LA **3 e e-T loc 4 Ce t-TA a t+ le e a-T cet.7 A.ta e v4.T ,,.m.,,, },

GVece-T 7 MT Eu6FT Ttt Fe S 't pt tis F A et.w8t? hoe @1 l, a:% :v.T- Tit.(F e,

6 -

0 F- l A !l g

' p

cn

W I le gg g N !

sucscss n cA C-

~3b tT14Ta &*G ,

! (g hP#'" I I ;

t?we FT (re) 8 f'

U A tct 0M l ,

S 'T GEAt*5

t*N Co M CuaZ- t1i=tXl 0\%%-%&CW-Y N I Tt-Oute O t *( A HtrtX (c n) ca ereiteb W T co D6 pwint Ach o+T h

Acceee n seqw cn s w..cn i 2_ s 4 ru7 e4eci re m r.4.

IIIIIIII :

14*sT GW4*T Tswv Ret 4ASe CAWEise3 l I H e Ao s t* (- S I l I I cosm.t. . - oome <mson em ~ c,ss e !

h b Po1T- Ace e # eae T st A Os a 4em6e ry poeTt cc.9 co 9 # ;,

I I I v

giII O I

N 6 4.lc. (Lis t(

i i i %1.c. Hea wsw-s -

l st st w T - C o ast'ot t.T rasa.wafs forotAv 69

}

- Tov as-o b 4s Fiv++ Af* 4 ub A% AtLM34.eTy COSi#

I l o e& ai.et ....n_ -

b Su //adt T D ATA - l*^ t t u 8A*

syneh - se<tus w u a n s P A+64+;s t..n c s !

AC. Paw ift- ,

i Figure 2.1 Pictorial Representation of e Internal Analysis

1 4 . . . _ . . _ . _ _ _ . . . . . . _ . _ _ . . . . _. . . . _

system and pressurizer safety and power operated relief valves, i becomes a column heading or decision branch in the event trees. The event tree starts with an initiating event and successively asks whether or not the systems (in each of the headings) are successful or fail. In some branches previous l

1 success / failure answers make later decision irrelevant l resulting in an asynetric event tree that most simply i represents the sequence of events leading to the potential outcomes, success or core melt. A transient event tree is shown in Figure 2.1 in the upper lef t hand part of the diagram. A LOCA event tree is shown to the right of the l

transient event tree representation. LOCAs may be initiated independently or can result from transient induced LOCAs as depicted in the diagram. The final result in any of the cases, transient, transient induced LOCA. or LOCA, is an accident sequence made up'of the success or failure of events (i.e.,

event tree headings representing front line systems) leading to either success or core melt.

The accident sequences will be carried further into the i

~

analysis, but first it is important to look at the development of the event tree headings. These are modeled on fault trees such as the one shown in the lower left side of Figure 2.1.

Each fault tree is composed of all the components in the flow path's of the systems involved in an event tree heading. Often the event tree heading is simply one specific system.

sometimes more than one systen may be combined in a fault tree. In any case the fault tree represents all the potential failure combination that-could lead to failure of the system based on its system success criteria, e.g., flow from 2 out of l 3 pump trains. The component l's the key to the development of the fault tree. At the component level all the ways that component can fail are modeled including the support systems required by that component. Interactions between components and trains of a system are ialplicitly modeled by the.

step-by-step process of constructing the fault tree and identifying all the potential failures.

In this program the event trees are small and the fault tree medium in size which reflects the detail permitted by the scope of the program. This seemed to be the proper six to meet the objectives of the program.

The outcome of each branch of an event tree is an accident sequence such as S MLS1 P , where the initiating event is a small LOCA followed by lass af th. pcs, failure of th. auxiliary feedwater system, success of the high pressure injection system, and finally, failure of the pressurizer power operated relief valves leading to an early core melt.

The last part of the modeling task is to establish the data base to be used to quantify the accident sequences. Each !

initiating event frequency and basic fault tree event 1-3

..,..,.-~.-------.~,,,en__,,..ng_.-.---_ - _w m - - _np,,--e-.

- - . . . -__ -. - -- _ ~ - _ _ . - - - - - . - - - . . --- _ . - _

N probability must be derived from data or engineeri'nq judgement. The data used in this analysis is essentially

, generic in nature. Within the analysis some failure rates apply to many components. For example, the local fault (LF) of a motor operated valve (V) which is normally closed (NC) and i fails to open, i.e., fails closed (FC). VCC-LF is.3E-3 per i' demand. Thus CCW30-VCC-LF, CCW15-VCC-LF, AFW18-VCC-LF, etc.,

would all be assigned the same failure probability.

l The model then consists of event trees for each initiating event, fault trees for each event used in the event trees, and the data base (or value block in the computer program

terminology).

2.1.2 Accident Sequence Analysis

! The output of the 3DHR model_is a set of accident sequences in

. which each accident sequence is composed of the product of the l Boolean equation for each of the accident sequence events. In l the Point Beach analysis there were 44 distinct accident i sequences identified potentially leading to core melt. The i

SETS Boolean reduction computer code was run on each of these j accident sequences to obtain the core melt probability and the

] significant combinations of basic events that result in core melt. The Boolean reduction results in a sua of products of basic events. Each of these products is called a cut set such i as PUMP 1 times VALVE 7 times CPERATOR ACTION A.

i ;

Every accident sequence is made up of unmodeled and modeled ,

, events. For example, in the accident sequence 5 MLD P '

the 5 2M events are not modeled'but are assigned $ frkqbe,ncy l of 52 and a p::obability for M from the data base. The events t L53p3 are the Boolean part of the accident sequence leading to '

i the cut sets. The product of f(5,)*p(M)*p(LD P is the core j melt contribution for this accident sequence.y )he T sua of the

} core nelt probabilities for all 44 accident sequences is the l l

SDER core melt probability. However, there are recovery ,

! actions that can be taken which were not incidued in the basic l model due to the complexity that would have been incurred. i Thersfore, the next step is to apply the appropriate recovery i f actors to all the significant cut sets of the dominant ,

accident sequences (that is the accident sequences that l contribute the most to core melt - 90 + %). There were 16 accident sequences in the Point Beach analysis carried through the recovery analysis. Application of recovery results in a lower SDHR core melt probability.

2.1.3 Vulnerability Identification I The most significant cut sets of the d'ominant accident sequences after recovery has been applied are the basis for l identifying the potential internal vulnerabilities. When these l i

. 14

f i

cut sets are examined and grouped by types of failures a pattern develops in that certain basic event failures appear in

- the cut sets from several accident sequences. The outcome is a ranking of potential vulnerabilities, the cause of each

vulnerability and the contribution of each vulnerability to the total SDHR core melt probability. The objective i~s to identify those vulnerabilities which contribute something over 80% of the total SDHR core melt probability and then address possible modifications to reduce or eliminate them.

A further screening of the accident sequences is provided by the vulnerability identification resulting in only 11 accident i

sequences requiring further consideration. While the vulnerabilities were selected based on core melt probability, l

the input needed for the value-impact analysis is risk to the public. The risk measure chosen is population dose in

~

. person-rea. In' order to obtain population dose the dominant l accident sequences must be extended to include containment j failure, environmental transport, and consequence analyses.

2.1.4 Containment System Integration In past PRAs it ws assumed that failure of the containment resulted in sump flashing and subsequent failure of the

! emergency core cooling systems due to pump cavitation. Based upon discussions with several analysts and the Point Beach staff, this is an overly conservataive approach, thus in this i analysis core melt does not depend on containment systems. The containment systems event tree for Point Beach is depicted in ;

i Figure 2.1 on the extention of one of the core melt (CM) accident sequences. Each of the 11 dominant accident sequences i was rerun with each of the 6 Boolean containment systans event tree outcomes to establish the probabilities for the j containment systems outcomes or states. This is the input for l

the next stage of the analysis.

l l The containment systems considered are: ,

Containment Spray Injection (C) and Recirculation (F) System Containment Air Recirculation Cooling System (Y) l l Cutcomes of the containment systems event tree are success or failure of the containment overpressure protection function and l success or failure of the past accident radioactivity removal i function. These outcomes and the early/ late core melt state ;

decernine the release category assignment for each accident '

i sequence.

i After each of the 11 dominant accident sequences were run with i each of the 6 containment systems sequences, a further ;

1 i screening was performed resulting in only 25 sequences (vs 66)

for Point Beach as candidates for the next recovery analysis.

l Another recovery analysis is needed sinco previous recovery

- analysis could not be conveniently brought forward nor would it l -

. Q(

necessarily be applicable since the cut sets change in the new -

Boolean reduction. .

2.1.5 Interface with Accident Phenomenology The 25 sequences to be assigned to release categories each consists of an initiating event, a core melt' event sequence, and a containment systems event sequence. The results of past PRA accident phenomenological codes were reviewed for applicability to Point Beach and a table developed to map each contaminent system /early-late core melt state into a release category. This mapping assigns a containment failure mode and apportions the containment failure between these modes (the sua equals 1). The containment failure modes are:

a In-vessel steam explosion i 8 Containment leakage _

y Hydrogen burn overpressure 8 Ex-vessel steam spike 61 Steam and noncondensible gas overpressure c Base mat melt through The sua of the probabilities for the sequences placed in each release category is then combined with the corresponding results from the special emergencies. Finally, the CRAC I

consequence code was run for the Point Beach site providing a population dose factor (out to 50 miles radius) for each i release category. Thus the total population dose (out to 50

miles radius) equals the sum of the probability of release

category i

population dose i for i = 1 to 7. This is used in the value-impact analysis.

2.1.6 Value Analysis The core melt probability and population dose described in the previous subsections comprise the base case. The modifications propos.1d for eacn of the vulnerabilities identified can be grouped along with special emergency modifications to form Alternatives. The value of an Alternative is the decrease in core melt probability or the decrease in population dose from ,

i the base case. Therefore the entire process is repeated for each alternative. Fortunately, there are some shortcuts but essentially it is the same method. In the Point Beach analysis there were 5 alternatives but only 3 distinct alternatives affecting the internal analysis.

2.1.7 Example 4

It is instructive to follow one sequence from the initiating j event all the way through to the population dose and referencing the Tables or Figures in the analysis where each

! step occurs. This accident sequence is:

1 T McC5 H'H' - 20 F '-m 2 112 2

. 24 i

, This is a transient initiating event (T2 ) caused by loss of the power conversion system (M), with success of the auxiliary feedwater system (C), but failure of the pressurizer safety valves to reclose after opening although not demanded, which leads to a transient induced LOCA (see Figure B.2 branch 1).

The sequence then enters the LOCA event tree where the auxiliary

- feedwater system is successful (C). The high pressure injection system is successful (D1 ) but both the high pressure recirculation system (H t ') and the low pressure recirculation system (H 2') fail leading to a late core melt.

The primes on the H events indicate that the LPRS heat exchangers are not required according to the success criteria, since the AFWS is successful.

Given core melt, the containment system response in success of the containment overpressure protection function (Z), success

~

of the containment spray" injection system (52 ), but failure of the containment spray recirculation system (F'), where the prime again indicates that the LPRS heat exchangers are not required. Note that the containment spray recirculation system depends on the low pressure recirculation system for suction pressure from the sump. The containment event tree is given in Figure B.5 where Z is composed of the containment fans and sprays.

The core melt probability"is, p(T2MO)

PIC51 H{Hj)' = (1.4E-3) (3.2E-3) = 4.5E-6 where the multiplier frequency 'is found in Table B.1 and the Boolean accident sequence probability is found in Table B.ll sequence number 24 or in Table B.12 which is a summary table.

The probability of the sequence including the containment systems is.

p(T2MCC5 1 H{Hj - ZC 2 F')

= 4.5E-6 found in Table B.21. This is the same as the core melt probability due to the close coupling of the systems and the fact that the other containment systems states are negligible, i.e., p(20 2 F') " l-This is the end of the internal analysis but it is useful to carry the sequence through to its population dose. The sequence state is a late core melt, containment overpressure success (2) and a late containment spray failure (O F'). Table g' "

7.1 indicates that the a containment failure mode m3ps into release category 1 with a probability of 13-2. Thus the complete sequence probability is L-7

s s

p(T2MQH{Hj-F'-a) = p(T2MQH{Hj-F')*p(a) - -

= (4.5E-6)*(1E-2) = 4.5E-8 with the success events not shown as is customary. The corresponding population dose for the baseline source term case 3

(Table 7.5) is, (4.5E-8)*(6.6E+5) = 3.0E-2 man rea.

2.2 Core Melt Probability Results The Point Beach model started with 44 accident sequences and through several screening steps reduced to 16 accident

sequences that were important. These results are summarized in Table 2.2. The details of the analysis are found in Appendix B.

The vulnerabilities identified are described in Section 2.3.

These 16 sequences can be grouped according to the type failures leading to core melt.

a) S2 MH t'H 2 ' - small LOCA and. failure of ECC recirculation p = 6.4E-5 b) T I MLE T 2MLE T 3MLE - Transient with loss of auxiliary fedwater and 3 failure of bleed and feed _

p = 4.0E-5 l

c) TMQH'H' t 1 2

, T2MQH1 'H2' T3MQH 1 'H2 '

T3 CH1'H 2 ' - Transient induced LOCA and failure of,ECC recirculation p = 3.7E-5 d) T tMCD Dt2 i

T 2MCD Dt2 T 3MQD D12

'i T3QD Dt 2 - Transient induced LOCA and failure of ECC injection i

p = 3.7E-6 e) S2 MD Dl 2 - small LOCA and failure of ECC injection p = 3.4E-6 i

f) T MQLDL t

- Transient induced LOCA with loss of auxiliary T 3QLDL feedwater and failure of ECC injection p = 1.2E-6 u

l 1

. 1-#

s i Table 2.2 Point Beach Core Melt Accident Sequences Dominant Probability Probability Accident Before After Sequences Recovery Recovery 5 MH y 'H 6.4E-5 6.4E-5 2 2 TgMLE 9.9E-5 3.9E-5 T3QH1 ' H2 ' 3.2E-5 3.2E-5 .

T2MQH g 'H2 ' 4.5E-6 4.5E-6 S2MDg2 D 2.8E-5 3.4E-6 T3QDy2 D l'4E-5 2.2E-6 T gMQLD y 1.4E-6 1.lE-6 T 2MLE 1.9E-6 6.4E-7 TyMQH y 'H2 ' 4.7E-7 4.2E-7 T3MQH y 'H2 ' . E- 3.2E-7 T 2MQDy2D 2.0E-6 3.1E-7 T gMQDy2D 4.3E-7 1.9E-7 ,

T 3QLD 1 2.12-7 1.3E-7 T MLE 1.3E-7 4.5E-8 3

S MXD y 1.3E-7 3.5E-8 2

T 3MQDg2D 1.4E-7 2.2E-8 2.55E-4 1.49E-4 21

I x

g) S2MKD1 - Small LOCA with failure of ECC injection and

failure to achieve secondary blowdown p = 3.5E-8 The most important sequences are small LOCAs with ECR failure, followed by transients with loss of AFWS and,B&F, and transient

! induced LOCAs with ECR failure. Analyses described in Section .

2.3 will show that failure to switchover from injection to recirculation, failure of service water or component cooling I water, and failure of electric power dominate these sequences.

f 2.3 Potential Internal Vulnerabilities and Modifications 4 .

Six potential vulnerabilities were identified from the internal analysis for further consideration. Briefly the procedure was l to first examine the cut sets of the dominant accident l sequences generated from the fault tree models and generic failure data. A recovery analysis was then performed on all the significant cut sets to give credit'for normal operator j actions and emergency procedures. The significant cut sets remaining constitute the potential vulnerabilities described

! here for further examination and possible suggested f modifications. This procedure provides a screening process to focus attention on the most significant. cut sets and specific l

basic events in those cut sets.

I

The following descriptions first identify the cut set which may be one or more basic events and the accident sequences to which

that cut set contributes. Each accident sequence is made up of

events that were not modeled, called the multiplier, and a Boolean product of events that'were modeled. The Boolean i expression is made up of numerous cut sets. The probability of J each of these cut sets times the probability of the multiplier is a contribution to.the internal analysis core melt probability. The cut sets to be discussed below are those cut sets which contribute significantly to the overall core melt 4

probability in one or more accident sequences.

I I A cut set may appear in more than one accident sequence. A cut set probability is usually the same each time it appears (the exception being where it is dependent on an event in- the j aultiplier expression) but its contribution to the overall core !

melt probability is the cut set probability times the

! particular accident sequence multiplier probability. This contribution is given in the vulnerability descriptions to the right of each dominant accident sequence in which that cut set 1 appears. The sua of the contributions from each dominant i accident sequence in which that cut set appears represents the j

total effect of that cut set on core melt probability for the

plant based upon the internal analysis. A brief deceiption of j the accident sequence events is given in Table 2.3 as a ,

roterence. e o

! The description explains the basic events in the cut set and i

I .

! i i

t -t a .

1 .

Table 2.3 Accident Sequence Events Initiating Events S2 Small LOCA < 2 inch Diameter l T1 Loss of Offsite Power Transient T2 Loss of the Power Conversion System T3 Transients with Main Feed Water Initially Available System Events

M Failure of Main Feed Water .

Q Failure of SRVs or PORVs to Reclose Given That j

They Were opened L Failure of the AUX Feed Water System E Failure of Bleed and Feed Mode Di Failure of HPIS D2 Failure of LPIS -

Failure of HPIS Without RHR Heat Exchanger H{.

i Hj Failure of LPIS Without RHR Heat Exchangers l

l m

I i

%.y

' 2.-l f i

. . . - . - - . .1 N '

why it is important to core melt. The suggested modification - _

is the instruction to the architectural engineer for an impact analysis. This may have been modified during subsequent discussions regarding feasibility of the modification and validity of the problem identified. In general, the evolution of the modification during the impact analysis is described i here. An additional discussion is provided in son's cases with

! any further insights or information that support the reasoning behind suggested modification.

INTERNAL VULNERABILITY 1: Failure to switchover from Emergency Core Injection to Recirculation APPLICABLE CUT SET: SUMP-VCC-OE Dominant accident secuences affected and estimated core melt i

freauency contribution resultina from this vulnerability / cut set i

S2MH{Hj 6.0E-5 T2MQH{Hj 4.2E-6 ,

ll TQH{Hj 2.9E-5

] .

3

TgMQHjHj 3.9E-7 -

J T3MQH{Hj 2.9E-7 E = 9.5E-5

! DESCRIPTION: This is a common mode operator failure to switch from energency core cooling injection to recirculation. This event contributes significantly to three dominant accident sequences as a single failure based on the assumption that recirculation is necessary to prevent core melt. The event SUMP-VCC-CE involves the failure to open the four MOVs connecting the two low pressure pump suction lines to the containment sump. The common mode failure to open these four valves results in failure of the LPRS. HPRS, and CSRS since the HPRS and CSRS take suction from the LPRS discharge. However, it is the LPRS failure that dominates the three accident sequences. ,

MODIFICATION: The initial suggestion was to install automatic actuatiog of the switchover to open the four MOVs on a low RWST

level. This would be interlocked with a minimum sump level i sensor to preven't pump failure resulting from a low sump l inventory. The operator would still be considered as a backup using the applicable control room alaras. The frequency for i

failure of the operator to switchover, based on available /

! analyses and data, is 3E-3. It can be argued that the operator I is better than that since there is a long lead time before

! - tib 1

switchover is required. In fact, the operators are'will -

trained to watch the RWST level and are more likely to make a mistake in the changeover rather than to forget this ..

Procedure. Furthermore, it is noted that the operator should have reset the safety injection actuation within 2 minutes into the accident and will turn off the low pressure pumps in small LOCA situations. This means that when recirculation is required, the low pressure pumps must be restarted which would cause extra attention to be paid to the RWST/ Sump levels and i realignments.

In order to substantiate giving more credit to the operator for successful switchover to the sump for recicculation, the final suggestion f or internal vulnerability 1 was to add it more prominant alarm warning th'at the switchover is necessiry and eminent. _

~ DISCUSSION: To date n6 plant having a small LOCA Ja,q., stuck ~

open SRV or PORV, or dual LOCA) has ever had to go to sump recirculation. Typically the pressure can be lowered sufficiently to reduce the LOCA flow rate so that the RWST is adequate until closed loop RER cooling can.be established. -

However..there is no guarantee that this scinario applies and it is coasonable to assume the sump recirculation is necessary within th4,24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months pdriod we are modeling. Given a RWST capacity of 275,000 gal at Point Beach and an assumed LOCA initial flow rate of 400 gpm whicn averager 200 gym for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the RWST ' capacity would be %2ceedod requiring the sump.

i as a. water source. Furthermore, although we are only covering 52 Locas in this analysis, past PRAs have shown recirculation

'O is needed, especially for large and medium size LOCAs.

INTERNAL VULNERABILITY 2: Station blackout due to common mode

,q;, battery failure. ,

' * ~

w . .x .

APPLICABLE CUT SETS: GTF *' BAT-CM oc GTP

BAT-CM *'LOSP, s

Dominant accident seouence(j(fected and estimated core melt-1 frecuegev contributioc1paggliina from thi_s vulnerability / cut

' .\ 111 '

T MLE/ , 1.8E-5 ,

'l. .. . . - ,. , .

~ ,.

A ..."~ '

E.0E-7 TpLN T yMQLD 7, . . ,

4.2E-7

.s '

~

s y, - < .. .

- p

(" '

E = 1.9E-5. ..

DESCRIEllCN: ,'given loss of off-site power (TI) or Tp followed by LosP, these two tailures' lead to core-melt due to

_- loss *6f Dd iontrol power and thus loss"of AC vbwer(i.e.,

statf.on Elackout.) DC power nis needed to start the diesel me}

s 4

.1 ,

w ,.-- - - . , n--- - , . . . - , , , '

N generators for control and to flash the generator field windings. The gas turbine generator at Point Beach is the diesel generator backup but it is not a safety system and thus it is not considered appropriate to recommend improving its reliability. This is essentially a single failure due to the common mode loss of the batteries. .

The potential common mode failure of both batteries stems from the gradual degradation of the batteries due to over-charging.

Given a lE-6 hourly failure rate and a 5 year full load test cycle, the local fault failure probabilily in 2E-2. A common mode Beta Factor of 1/10 is assumed resulting in the frequency of BAT-CM being 2E-3. -i MODIFICATION: one potential modification to resolve this pr6blem is to have dedicated batteries for the diesel generators. This will be suggested later for another important cut set. However, an alternative approach is to perform regular full load tests (i.e., buses powered by batteries alone) by periodically rotating the three battery chargers between the two DC buses. This would provide an indication in the control room during the rotatica if the batteries have been degraded. If this test were performed quarterly, the frequency of BAT-CM would be reduced by a factor of 20 (20 quarters in 5 years) to 1E-4.

Since the two ba'tteries are' shared between units and one unit is always on line, full load battery tests are not easy or _

desirable at Point Beach. Therefore, the suggestion would be for dedicated batteries for the. diesel generators which will also be suggested by internal vulnerability 3. Furthermore, it is suggested that the same crew not maintain both batteries.

INTERNAL VULNERABILITY 3: Station Blackout due to battery and*

diesel generator failures.

I APPLICABLE CUT SETS: GTF

DESGENA-GEN-LF

LF-BATTB-D06 +

GTF

DESGENB-GEN-LF

LF-BATTA-DOS +

GTF

LF-BATTA-DOS

LF-BATTB-D06 l

l Dominant accident secuences affected and estimated core melt i t frecuency contribution resultina from this vulnerability / cut set

[

T IMLE 1.OE-5 T IMQLD1 3.0E-7 1.0E-5 DESCRIPTION: Given loss of off-site power, and subsequent loss of the gas turbine generator (GTF), the failure of one train of s diesel generator power and simultaneously the failure of the ')

other train of battery power or the failure of both batteries due to local faults leads to core-melt. DC power is needed to _

2-l4- .

start the diesel generators.

MODIFICATION: Install dedicated start up batteries to each diesel generator to eliminate the dependence of the diesel generators on the station batteries. These batteries would also be a backup DC source to close the circuit br'eakers between the diesel generators and the 4160 volt safeguard buses.

DISCUSSION: Other potential improvements include improving the reliability of the diesel generators and the batteries for local faults but this is not necessarily easy to accomplish.

Cross connecting the D01 and D02 buses would address the first and second cut sets but not the third which includes both batteries. Another possibility would be to provide DC power for the diesels from the new instrument batteries D105 and D106 or crossconnects from these batteries to the Dol and D02 DC buses. The primary objective is to assure the start up of the diesel generators.

INTERNAL VULNERABILITY 4: Failure of ECC Recirculation due to RHR pump cooling failure caused by a valve failure.

APPLICABLE CUT SETS: CCWXV30 XOC-UTM CCWXV30-XOC-LF Dominant accident secuences affected and estimated doce melt frecuency contribution resultinc from this vulnerability / cut set S2ME{Hj 2.4E-6 T3CH{Hj 1.2E-6 T2MQH{Hj 1.7E-7 .

T3MQH{Hj 1.23-8 T yMQH{Hj -

1.5E-8 E = 3.8E-6 DESCRIPTION: In LOCA or transient-induced LOCA accident sequences with successful auxiliary feed water and high pressure injection, subsequent failure of high and low pressure recirculation leads to core-melt. Both the high pressure recirculation and low pressure recirculation mode depend on the low pressure (RHR) pumps which in turn depend on component cooling water (CCW). Valve number 30 (plant ID number 1-783E, 2-T36) is in the output of the RER pump cooler branch of the CCWS. If this valve fails closed the RER pump fails due to overheating. Such a failure can be caused by Local Faults (LF) or Unavailability due to Test and Maintenance (UTM).

~

1-Il

s MQDlIICAT,J_QH: The initial suggestion was to install a parallel manual valve to XV30 and limit switches on both the manual valves which would be monitored in the control room and checked by procedure once per shift. In addition, both valves should be administratively locked. It was subsequently determined that there was adequate indication in the control. room (i.e.,

downstream flow measurement) so that the limit switches are not .

needed.

DISCUSSION: The failure frequency of CCWXV30-XOC-LF is 4E-5 which is derived from 1/2Xt where the failure cate 1 = lE-7 and t = 720 hours0.00833 days 0.2 hours 0.00119 weeks 2.7396e-4 months / month given monthly valve position checks.

The frequency of CCWXV30-XOC-UTM is 8E-5, which is the human error frequency of 1E-3 divided by 12 for the monthly checks.

The LF frequency becomes negl'igible with the addition of the parallel valve and the UTM frequency is reduced by a factor of 90 with checks during each shift, i.e., three shifts per day times 30 days per month. The net result is a two order of magnitude improvement in core-melt frequency for the accident sequences related to this valve.

It could also be argued that Railure of the RHR pumps could be circumvented by refilling the RWST and returning to the high pressure injection system. This argument could also be applied to the failure to switchover to recirculation internal vulnerability 1.

INTERNAL VULNERABILITY 5: Failure of ECC Injection due to CCWS failure caused by a valve failure.

APPLICABLE CUT SETS: CCWXVI-XO'C-UTM CCWXVI-XOC-LF Dominant accident secuences affected and estimated core scit frecuency contribution resultina from this vulnerabildtv/ cut set S2MDy2D 2.4E-6 T3OU120 . -6 T 2MQDy2 D 1.7E-7 E = 3.7E-6 DESCRIPTION: Our model assumed that makeup water from the CCW tank A (component cooling surge tank 1-T12) is needed to maintain CCW pump suction flow when the RER heat exchangers are automatically brought on line. In fact, the surge tank is needod throughout all CCWS' operation. If valve CCWXVI (1-774, 4-G32) fails closed the CCW pump could cavitate resulting in loss of all CCW functions and thus core-mel.t. ,)

MODIFICATION: Assuming that the CCWS will fail due to the lack 246 l

of makeup water, there are two possibilities. First the CCWXVI valve failure frequency could be improved with a parallel -

manual valve like that proposed for CCWXV30 in modification number 4. However, it appears that three other sources of water are available; the makeup water domineralizers, the emergency makeup water line, and a line from the o,ther unit.

These all connect to the CCWS flow path on the other side of CCWSV1 from the surge tank. In particular, the emergency makeup line is controlled by a motor-operated valve (1-815).

The most logical modification is'to provide water from emergency makeup, when required, based on a low discharge head indication in the control room. This needs to be in a prominent place in the emergency operating procedure. Thus, we do not feel any hardware modifications need be examined for this vulnerability.

DISCUSSION: In further examination with plant personnel it was determined that'the flow path ~to the CCW surge tank is not really necessary in emergency situations. First, the CCWS is initially water solid including the RHR heat exchanger lines that are normally closed. Second, in an accident the water in )

the CCWS will be heated and expanding. If this expansion overpressurizes the CCWS, the. result is excessive leaking but {

[

not system failure. Therefore, this vulnerability will be i reconsidered in the models and would not require any modifications.

I INTERNAL VULNERABILITY 6: Failure of ECC Injection due to CCWS failure caused by loss of cooling from the SWS through the CCW heat exchanger.

APPLICABLE CUT SET: CCWHXA-HTX-FB (see discussion below)

Dominant accident secuences affected and estimated core melt frecuency contribution resultino from this vulnerability / cut set S MDy2 D 3.0E-7 2

T3CDy2 D ~

T 2MODl2 D 4.2E-8 E = 6.3E-7 DESCRIPTION: In these accident sequences the scenario is a LOCA or transient-induced LOCA followed by failure of high and low pressure injection due to loss of pump cooling. Pump cooling is lost due to failure of CCW flow caused by blockage in the CCW heat exchanger connecting it to the SWS. This is a single line flow path in the CCWS, however, even with recovery considered, i.e., manual opening of valves to heat exchanger B, the vulnerability is still on the borderline of being

. , - significant. The failure frequency for CCWHXA-HTX-FB used in "l d7 l

the analysis was 3E-4 which is the failure of.an orifice to 'x remain'open per demand. -

DISCUSSION: Five normally open manual valves (SWSIVSO, SWSXV49, SWSXV48 CCWIV8, and CCWIV10 also contribute to core melt by potentially failing the exchange of heat between the CCWS and the SWS. This is found in accident, sequences 3, 40, and 26. The total contribution of these 5 valves in these 3 accident sequences is 1.17E-6. This added to the 6.3E-7 due to the CCWHXA-HTI-FB comes to 1.8E-6.

. MODIFICATION: The 2E-6 core melt frequency attributed to ,

failure of heat exchange between the CCWS and the SMS is on the borderline for considering a modification and in this analysis will not be carried further. Nevertheless, it is worth saying that a potential modification could have been the addition of a fourth CCWS to SWS heat exchanger so that each unit would have two dedicated heat exchangers with all,the associated manual valves normally open.

DISCUSSION: The Point Beach plant is adding a fourth CCWS to SWS heat exchanger for technical specification operability reasons. This would probably.be configured for 1 dedicated heat exchanger per unit and two swing heat exchangers.

However, unless the swing heat exchangers were normally open or more accessible (e.g., connected with motor operated valves) no additional credit could be given in our analysis.

2.4 Summary of Internal Analysis Modifications -

There were six potentially significant internal vulnerabilities identified but only four had modifications proposed. These are:

Internal Modification 1 - Add a more prominant alarm warning that switchover from injection to recirculation is necessary and eminent. -

Internal Modifications 2 and_3 - Install dedicated startup batteries to each diesel generator to eliminate the dependence of the diesel generators on the station batteries.

Internal Modification 4 - Install parallel manual valve to valve IV30 in the RHR pump component cooling water line and check the valve positions once per shift.

Internal vulnerability 5 was eliminated after further discussion and the model was changed accordingly. No modification was proposed for internal vulnerability 6.

t J

. 2 -I f

_ -. <.c .w -

3.0 SPECIAL EMERGENCY ANALYSES - METHODS AND RESULTS Task Action Plan A-45 has been developed to assess the' adequacy -

of decay heat removal in existing light water reactors in response to both " internal" and " external" challenges. While internal challenges ara generally defined as those prob-abilistic random failures normally analyzed in a probabilistic risk assessment (PRA), few PRAs have considered the' potential t contribution to core melt probability due to the " external" events. Since many of these " external" challenges actually occur inside a plant (e.g., fire, turbine-generated missiles, pipe whip), we call them all special emergencies to avoid confusion.

The list of special emergencies that can be postulated to occur l is quite extensive and a thorough analysis of each one would require resources beyond the scope of this~ program. However, reasonable rationale can be applied to exclude many special emergencies fron consideration in this program.

~

It should also be noted that combinations of special emergencies from different causes occurring simultaneously are not being analyzed here.

The PRA Procedures Guide (NUREG/CR-23OO) lists four bases for excluding special emergencies from detailed analyses. These reasons are listed below:

l 1) The event is of equal or lesser damage potential than the events for which the plant has been designed. This requires an evaluation of plant design bases in order to estimate resistance to a particular external event. For example, it is l

established that safety-related structures designed for earthquake and tornado loadings can safely withstand a 1-psi peak positive incident overpressure from explosions (USNRC, i 1978). Hence, if the PRA analyst demonstrates that the I overpressure resulting from explosions at a source (e.g., -

railroad, highway, or industrial facility) cannot exceed 1 psi, i

these postulated explosions need not be considered. It is assumed that the conditional frequencies of failure of t

l structures and components for overpressure of less than 1 psi are negligible given that the safety-related structures are designed for earthquake and tornado loadings. This screening -

criterion is not applicable to event.s like earthquakes, floods, l and extreme winds since their hazard intensities could conceivably exceed the plant design bases.

l l 2) The event has a significantly lcwer mean frequency of l occurrence than other events with similar uncertainties and

could not result in worse consequences than those events. For l example, the PRA analyst may exclude an event whose mean i frequency of occurrence is less than some small fraction of those for other events; the uncertainty in the frequency estimate for the excluded event is judged by the PRA analyst as not significantly influencing the total risk. Alternatively, the analyst may decide to compare event occurrence frequencies at some high confidence level (e.g., 95 percent). After the r

>l 1

_.....-.-r-.

total plant risk is estimated, the deleted external events may -s have to be reviewed to ascertain that a detailed assessment ____

would not reveal them as significant contributors to the total plant risk.

3) The event cannot occur close enough to the plant to affect it. This is also a function of the magnitude of the event.

Examples of such events are landslides, volcanic eruptions, earthquake-fault ruptures (seismic motion and its effects are treated under seismic events), and explosions. j

4) The event is included in the definition of another event.

! For example, storm surges and seiches can be included in external flooding; the release of toxic gases from sources external to the plant is included in the effects of either pipeline accidents, industrial or military facility accidents, or transportation accidents. ,

1 For the purposes of TAP A-45, two additional arguments have been developed to exclude certain special emergencies from further analysis.

5) The event does not directly effect the decay heat removal systems and, therefore, the proposed protection does not involve a modification to the decay heat removal system.

6. The e'ent v is slow in developing and there is sufficient time to go to cold shutdown, to eliminate the source of the ,i threat, or to prepare an acceptable alternative for the removal of decay heat. .

An event deserving further discussion is aircraft impact. Due .

to the solid construction of plant structures, only a large aircraft would be capable of damaging decay heat removal systems. Aircraft impact is a low probability event. In addition, in the never plants the separation (of redundant

, trains) used to satisfy fire, flood and sabotage concerns also serves to reduce the vulnerability to common mode failure due an aircraft crash. In some older plants, redundant trains may

not be as well separated, however, diverse systems (e.g.

auxiliary feedwater and high pressure injection) usually are separated so that it is unlikely that a single event would disable all decay heat removal capability. Certainly, the l addition of a dedicated decay heat removal system (in separate i buildings) to reduce the core melt contribution from those special emergencies which are found to be important contributors to risk, would also reduce the aircraft vulnerability. The impact from aircraft crash debris is similar to tornado missiles, the resulting fire from the crash i would be covered by the fire event, and any explosion would be

! similar to the explosion events. Therefore, aircraft accident l

analyses will not be pursued'further.

1

' l Applying the foregoing rationale to the other postulated special emergencies gives'the following results: l 3-2

Applicable Event Rationale Remarks - -

[

Avalanche 3 Can be excluded for most sites in the United States Biological Phenomena 6 Sufficient time- to prevent damage Co stal Erosion 4 Included in the effects of external flooding Dan Failure 4 Included in the effects.

of external flooding Drought 1,6 Exclude ~d under the assumption that there

- are multiple sources of ultimate heat sink or that the ultimate heat sink is not affected by drought (e.g., cooling tower with adequately i

. sized barin)

Explosions 1 Tornado missiles, tornadoes, and high winds govern External Flooding - Requires detailed study

~

Extreme Winds and - Requires detailed study Tornadoes Fire (internal) - Requires detailed study ,

Fog 1 Could, however, increase the frequency of man-made hazard involving surface vehicles or aircraft Forest Fire 1 Fire cannot propagate to the site because the site is cleared Frost / Freezing 1 Snow and ice govern i Hail 1 Other missiles govern High Tide, High Lake %% 4,.6 Included under external Level, or High River . flooding Stage

-- 3-3

.- ..--.,,,---,,.-n,-,~, . . . _ _ - . . . . , , . . _ - e,...e.. - - _ . - . , , . ..._,,,,-,.-n.....-.--_,_...-,n , ..-,--_.-,,-.---w.,.,, ,

_. ..- _ _ _ _ -_ __= - - -_ --

s

.g Applicable Event Rationale Remarks High Summer Temperature 1 Ultimate heat sink is designed for at least 30 days of operation, taking i ;- into account evaporation. *

drift, seepage, and other water-loss mechanisms

, Hurricane - Requires detailed study-partially included under external flooding: wind forces can be covered under extreme winds and tornadoes ,

Ice Cover 1,4 -

Ice blockage of river is partially included in flood Internal Missiles 4 Included under turbine-generated missile Industrial or Military 5 Included under explosions

) Facility Accident or toxic gas Internal Flooding - Requires detailed study I

Landslide 3 Can be excluded for most sites in the United States Lightning Requires study Low Lake or River 1 Ultimate heat sink is Water Level designed for at least 30 days of operation,'taking into account evaporation, i

drift, seepage, and other water-loss mechanisms Low Winter Temperature 1.6 Thermal stresses and embrittlement are insig-nificant or covered by

' design codes and standards for plant design: gen-er411y, there is adequate warning of icing on the ultimate heat sink so that

! remedial action can be j

taken Meteorite 2 All sites have approxi-mately the same frequency '

of occurrence 3-4 I

e

-~~.-~y, -- , , . , . - - , - , _ _ _ . _ - . . _ _ . _ , . - - -

.-_..-:... ..... _ __..._.= _ _ _ . - _ _ _ . . _ . . .

Applicable gyggg Rationale Remarks ..

Pipeline Accident 4.5 Included under explosions (gas, etc.) and toxic gas Pipe Whip ,

- Requires detailed study Intense Precipitation 4 Included under external and internal flooding

, Release of Chemicals 4.5 Included under explosions in Onsite Storage and toxic gas River Diversion 1.4,6 Codsidered in the evalua1 tion of the ultimate heat

- sink: should diversion become a hazard, adequate storage is provided Sabotage - Requires detailed study Sandstorm 1.5 , Included under tornadoes and winds Seiche 4 Included under external flooding Seismic Activity - Requires detailed study Ship Collision 2 - A loss of the crib house would not immediately threaten the core i Snow 1.4. Snow melt causing river 5,6 flooding is included under external flooding Soil Shrink-Swell 1 Site-suitability evaluation i Consolidation and site development for the plant are designed to preclude the effects of this hazard Storm Surge 4 Included under external flooding Transportation 4,5 Included under explosions Accidents and toxic gas Tsunami 4 Included under external flooding and seismic events

-- 1-r -

-- , - , - - - - - - ,_ - - - . _ . - -_ - - _ _ -. , . , _ . , , _ . . _ _ _ , . _ _ , _ _ - . _ , , , , , , , , , ._ _ _ , _____..._.,_-__.,__v. , - - . - - _ _ ,

o- - - - -.. , _ _ ,, g, gg,a ,___ ,_,%L;a .T_ ,, _

. A Applicable ,

s Event Rationale Remarks _

Toxic Gas 5 Does not threaten DER systems Turbine-Generated - Requires detailed study Missile Volcanic Activity 3 Can be excluded for most sites in the United States Waves 4 Included under external flooding Therefore, this rather formidable list of special. emergencies has been reduced on inspection to the following:

External Flooding Extreme Winds and Tornadoes Fire (internal)

Hurricane Internal Flooding Lightning Pipe Whip Sabotage seismic Activity x Turbine-Generated Missiles The methods for analysis of pipe whip and turbine-generated missiles are beyond the resouregs of this program. These subjects are considered in the Safety Evaluation Reports (SERs) for individual plants and were considered again in the Standard Review Plan evaluations. Therefore, they will not be considered in the A-45 study. This leaves eight potential special emergencies for further consideration. Each of these*special emergencies is addressed separately in this section. A brief explanation of the analysis methods, quantification of decay heat removal vulnerabilities to these events, and a description of potential modifications are given. The complete analysis details are provided in the referenced appendix.

It should be realized that the quantification of the special emergencies has large uncertainties in many cases. Since the state of the art is not very advanced in the analysis of many special emergencies, it was necessary to make assumptions in order to perform the calculations. These assumptions are documented in the following analysis summaries as well as in the appropriate appendices. Nonetheless, a residual risk may remain for such special emergencies as fire, flood, and earthquake.

3-c O

e

~~

.- . -- - . - ... . ax. . . .u , , , _ _

N .

3.1 seismic Analysis Seismic events have a wide range of factors which affect their threat to nuclear power plants. The location of the earthquake the magnitude of the ground accelera' tion.'the soil

~

transfer of energy. the elevation of plant equipment, and the seismic equipment supports are only a few of the factors to be considered in an analysis of plant vulnerabilities. However, the' fact that earthquakes in the United States have affected large portions of the country requires an analysis of the l probability and uncertainties of a resulting core melt.

Successful completion of this program required a simplified seismic risk assessment methodology which could be applied to j particular plants being studied in a far shorter time than 1

previohs PRA studie's. This section describes the procedures developed for the simplified seismic analysis and presents the results of the risk quantification for the Point Beach Nuclear Power Plant.

A more detailed description of the seismic analysis is presented in Appendix C of this report.

3.1.1 Analysis Methods There are seven steps required for calculating the seismic risk i at a nuclear power plant:

1

( 1) Determine the local earthquake hazard (Hazard Curve and Site Spectra). ,

2) Identify accident scenarios for the plant which lead to radioactive release (Initiating Events and Event Trees)..

3) Determine failure modes for the plant safety and support ,

systems (Fault Trees).

4) Determine fragilities (probabilistic failure criteria) for the important structures and components

5) Determine the responses (accelerations or forces) of all structures and components (for each earthquake level).

6) Compute the probability of core neit using the information from Steps 1 through 5.

7) Estimate uncertainty in the core melt probabilities.

Only the level of detail differentiates a simplified seismic ,

analysis from a detailed seismic PRA. The seven steps of the TAP A-45 simplified seismic risk analysis procedure are described below.

7-7 ,

r

,m _ . _

==== -.= == . eu see rs 4 -

=_ -

=== =adoes. a ma e -.- e . _ _

=- . - - - . .; _.._._,_.....

Sten 1 - Seismic Hazara charactorization - N a) If a seismic hazard curve exists for the plant (e.g., from the Systematic Evaluation Program (SEP) program or from an existing PRA or a nearby plant) it is used.

b), If no such curve exists, a hazard curve scaled tr an exceedance probability of 2.5E-4/yr at the safe shQtdown earthquake (SSE) will be used. The slope of the curve for higher peak ground acceleration (PGA) values is estimated from other hazard curves for the same broad seismological province, c) All plants west of the Rocky Mountains require site "

specific hazard curves due to the high levels of seismic activity, but most existing plants have hazard curves already available.

Sten 2 - Initiatina Events and Event Trees The scope of TAP A-45 includes only the initiating events associated with small Two loss of coolant accident (SLOCA) and transient events.

types of transients are being considered: those in which the power conversion system (PCS) is initially available (denoted Type EQ1 transients) and those in which the PCS is failed as a direct consequence of the initiating event (denoted Type EQ2 transients). The event trees derived for the internal event analyses for TAP A-45 are utilized.

The small LOCA initiating event frequencies are being computed based on the statistical distribution of small pipe failures computed as part of the NRC-sponsored Seismic Safety Margins Research Program (SSMRP) (Reference 2). The restriction to small LOCAs is not particularly limiting, because existing PRAs have shown that large and medium LOCAs are not major contributors to total risk of core damage.

The frequency of Type EQ2 transients is based This on the ,

will always probability of loss of offsite power (LOSP).

be the dominant cause of these transients (for the majority of plants for which LOSP causes loss of main feedwater). The Type EQ1 initiating event is computed from the condition that the sua of the initiating event probabilities considered must be I unity. The hypothesis is that, given an earthquake of reasonable size (3.75 magnitude Richter was used in the SSMRP).

l at least one of the initiating events'will occur.

Sten 3 - Fault Treer - Simplified systems f ault trees f or a number of example plants have been developed as part of TAP A-45, (for random failures only). These fault trees will be l

used, although they require some modification to include basic events for seismic failure modes and re-solving the trees for pertinent cut sets to be included in the probabilistic e

calculations. Probabilistic culling is used in re-solving i

l these trees to assure that important correlated failure modes are not lost.

T-R

. ~ . _ . _ _ _ _ ______ _ ____ ___ ____._

l I,

i i S' ten 4 - Component and Structure Failure Descriotions -

Component seismic fragilities are obtained both f rom a generic' --

i fragility data base and from plant specific fragilities derived for components identified-during a plant walk-down.

The generic data base of fragility functions for seismically-l induced failures was originally developed as part of'the SSMRP i (Reference 3). Fragility functions for the generic categories i were developed based on a combination of. experimental data, design analysis reports, and an extensive expert opinion

! survey. The experimental data utilized in developing fragility i curves were obtained from the results of component l manufacturer's qualification tests, independent testing lab failure data and data obtained from the extensive U.S. Corps of ;

i Engineers SAFEGUARD Sub-systen Hardness Assurance Program.

These data were then statistically combined with the expert opinion survey data to produce fragility curves for the generic

component categories. Inasmuch as four years have passed since i this data base was originally developed, the site-specific fragilities developed for some 20 PRAs performed in the interim were examined, and compared (Reference 4) against the original data base. This resulted in modifications of median fragility levels of 5 of the original 37 generic categories. For tipping l

and sliding of cabinets, and for dynamic analyses of tanks, l

graphical methods of analysis have been developed to greatly l simplify the required fragility development.

i Within the time scale prescribed, structural fragility l development is not possible, and could not be included for TAP l A-45. This is appropriate since it is the design requirements for decay heat removal systems which are being evaluated, and

{

not the structural design. However, the approach being d2 scribed here should prove widely useful in examining other generic and value/ impact issues not directly concerned with adequacy of power plant structures. ,

l Stoo 5 - Seismic ResDonse of Structures and ComDonents -

l Building and component seismic responses are estimated fron '

peak ground accelerations at several probability intervals on the hazard curve. Three basic aspects of seismic response--best estimates, variability, and correlation--are estimated. SSMRP Zion analysis results and simplified methods studies form the basis for assigning scaling, variability and correlation of responses.

In each case, SHAKE code (Reference 2) calculations are i performed to assess the effect of the local soil column (if any) on the surface peak ground acceleration and soil-structure j

j interactions. This permits an appropriate evaluation of the ,

j effect1 of non-homogeneous underlying soil conditions which can j strongly aff'ect the building responses.

I j Two situations are commonly encountered in developing structural responses. First, for many early plants, only A-t I _

l

design floor spectra are available from the design reports. 'n I

~

For this situation, the results of a detailed soil-structure interaction investigation (Reference 5) made as part of the SSMRP may be used to scale the computed design floor slab accelerations to best estimate values including the effects of the soil; and to estimate best estimate floor response spectra.

??

Second, one has the situation where fixed-bass mass-spring or -

j eigen-system descriptions are available for one or more buildings at the site. For this case, one can compute the floor slab accelerations using the CLASSI code (Reference 2).

Thisicode takes a fixed base eigen-system model of the structure and input-specified frequency dependent or independent soil impedances and computes the structural response (as well as variation in structural response if desired).

Variability in responses (floor-and spectral accelerations) is

) assigned based on the SSMRP results. The recommended uncertainties (expressed as standard deviations of the logarithms of the responses. 8) are shown below:

1 Quantity .

B random Peak Ground Acceleration 0.25 Floor Zero Period Acceleration 0.35 Floor Spectral Acceleration 0.45 Correlation between component failures is being included explicitly in TAP A-45. In computing the correlation between l

component failures (in order to quantify the cut-sets) it is necessary to consider correlations both in the responses and in l' the fragilities of each component. Inasmuch as there are no data as yet which show correlation between fragilities, the fragility correlations between like components are taken as zero and 1, and.the possible effect of such correlation quantified in a sensitivity study. The correlation between responses is assigned according to a set of rules given in Reference 1. These are applied to both BWR and PWR plants.

Sten 6 - Probabilistic Failure and Core Melt Calculations -

Given the input from the five steps above, the SEISIM (Referencethe calculate 2) and SETS (Reference required 6) codes areofused output (probabilities to failure core j

melt, etc.). Use of the SEISIM code for the final computation of accident sequences permits proper inclusion of seismically-induced correlation between component failures.

Sten 7 - Estimate Uncertainties - Unce,rtainties in core damage l estimates are being based entirely on upper and lower confidence limits for the harard curve. Generic t

recommendations for such limits are given in Reference 1. This simplification is appropriate since previous seismic PRAs have

! shown the hazard curve to contribute 70-90% of the total seismic risk uncertainty.

l

, 1 3*/0

~

l 4

.~. .. .

~

i

3.1.2 Seismic vulnerability The safe shutdown earthquak'e for Point Beach has an accelerati n l of 0.12 g, however TAP A-45 is examining the vulnerability of

! decay heat removal systems to initiating events which are beyond the design basis. Therefore, probabilities of seismically induced core melt were calculated for earthqu'akes in the ranges of 1-2 SSE, 2-3 SSE, 3-4 SSE, and 4-5 SSE. For the Point Beach

! site, the frequency of earthquakes of these magnitudes are estimated in Appendix C as follows: -

! SSE Level Frecuency/vr 1-2 1.57E-3 2-3 1.34E-4 3-4 1.49E-5 4-5 3.18E-6

~

j An earthquake may initiate a core melt scenario by causing one of i the following plant states: a small loss of coolant accident

(S2), a transient in which the power conversion is initially i

available (EQ1), and those transients in which the power ,

conversion system has failed as a direct consequence of the l initiatint event (EQ2). The frequency of Type EQ2 transients is l

based on sae probability of loss of offsite power since this will ,

always be the dominant cause of these transients. While the probability of a small LOCA or a loss of offsite power increase i

as the earthquake level increases, the probability of a Type EQ1 !

transient will decrease accordingly.

Since all of the plant systems feel the effects of an earthquake, the quantification of core melt' scenarios involves calculating component fragilities for the various earthquake levels and using these values in the fault trees developed in the internal event analyses. Table 3.1-1 summarizes the probability of each of the seismically induced initial plant states for the varying earthquake levels. Included in this table are the resulting core meit probabilities for each earthquake level and initiating plant state. The total core melt probability is calculated to be approximately 8.1E-4/Rx yr.

It can be seen that the major contribution to core melt comes in the three to five SSE cange. This is because Point Beach has an l SSE of only 0.12, which is roughly half of the design basis acceleration of most plants. Therefore, the range of .36 g to

.6 g is consistent with the ground accelerations where most components of this type are expected to fail. i 3.1.3 Potential Modifications :

The refueling water storage tank is located in the containment ;

facade. It is not anchored adequately to survive an earthquake l and is estimated to fail at the level of the safe shutdown ;

earthquake. Since refueling water is needed for both high and low pressure injection systems, the result is a significant

'~

contribution to core melt frequency. The proposed modification i

. 3.y t

I

. 1 I

t-6 I

, es I Table 3.1-1 Initiating Plant state Probab!!!Ly and Core Nolt Probabt!!ty -

. for Varying Earthquake Levole [

s b

s2 801 502 Total f.

Earthquake Initiating ' core Initiating core Initiating core core ,j nett state Melt state Melt Nelt .

Level (ssE) state Probab!!!ty Probability Probability Probability Probability Probability i Probab!!!ty -

l 1.68-3 1.1E-8 9.SE-1 7.1E-10 2.0E-2 6.0s-10 1.25-0 ; f 1-2 )* ll 1.28-2 8.8E-8 5.4E-1 4.3E-7 4.4E-1 7.6E-7 1.3E-6 2-3 2.4E-1 1.6E-6 1.1E-1 1.6E-7 6.58-1 1.1E-6 2.93-6 3-4 .

1.4E-2 2.3E-8 4.55-1 7.6E-7 3.9E-6 i 4-5 5.4E-1 3,15-6 ,

ma i S.1E-6 '

L ,

i .

N .

e t

. )

I t

t t

)

i, e

?

l l.

i

. _ _ _ _ _ . - . _ _ . - . - - - _ - - - - _ - _ ~ _ . _ - _ _ . _.

i

= - - - - ^

~

m provides a Seismic Category I backup water source that would survive an earthquake 4 times the SSE and allow the operator to '

rapidly valve water to the HPI or LPI systems. The new source i

would be the Spent Fuel Pool which..when providing the necessary 140,000 gallons, will have its level lowered approximately 11 feet. Use of the Spent Fuel Pool would

require pumps and piping to deliver the borated water to the The total seismically suction of the HP1 and LPI systems.

l induced core melt probability with this modification would be approximately 2.3E-6/Rz yr.

4

? A second modification would provide additional anchorage for the 4160V safeguards buses. 480V transformers and transformer j

buses, safety injection system pump buses, instrumentation power supply inverters, and battery chargers. An earthquake i

can currently either tip the buses over and shear the wiring, i l

or can walk the cabinets of f- of the pedestals. The 480V transformers and the instrument inverters could similarly be tipped over and seriously jeopardize the AC power supply to safety equipment. The battery chargers are anchored

! by 5/16 inch bolts which can easily break and allow these chargers to l tip over. Loss of battery chargers will eventually lead to a ;

,' loss of DC power and core melt. In addition, the battery racks are constructed of wooden battens and have inadequate wall l

anchors which should be replaced. An earthquake could knock these batteries over and cause loss of DC power to all safety systems. Therefore, this second modification would include l improving both the battery racks and wall anchors. The combination of all of these upgrades would provide sufficient i support and anchorage to the e,lectrical components so that their support systems will withstand loads greater than four

. times SSE seismic loads.

The final proposed modification to reduce the seismic contribution to core melt probability at Point Beach is to l provide a dedicated safety class instrument air system to operate the pressurizer power operated relief valves (PORVs).

Point Beach currently in containment has a backup nitrogen bottle and associated piping which is normally valved-out and used for low temperature over-pressure protection. The modification would require installation for each of the two PORVs, of an additional instrument air supply, consisting of a l Safety Class 3 nitrogen bottle, a Safety Class pressure reducing station and necessary valves, piping and hardware. ,

This will improve the capability of " bleeding" the reactor l

coolant system by remote manual means while simultaneously i feeding the reactor coolant system from the safety class The inability to bleed and i

Chemical-Volume Control System. !

4 6

feed under seismic induced LOSP conditions (Level 2 earthquake '

and above) has a core melt probability comparable to that for internal events given LOSP, however it is insuring the dominant sequence r

for seismic related events. Therefore, a water supply l l

(Modification 1) and providing a qualified means to open the PORVs effectively eliminates the sequence as a contributor to ,

risk.

2-is P

i a !

I / g 1

I l . .

k .

Table 3.1-2 Initiating Plant State Probability and Core Melt Probability ,

)

with Modificatione Implemented 502 i 82 EQ1 l

Total ,

Core Initiating Core Core .

Initiating Core Initiating

Earthquake Melt State Melt Melt State Melt State Probability Level (SSB) Probability Probability Probability ,Frobability Probability Probability 9.85-1 2.2s-12 2.es-2 2.28-12 3.1s-18 I

1-2 1.6s-2 3.1E-le 5.43-1 6.45-9 4.45-1 1.28-8 1.98-8 2-3 1.28-2 9.2s-18 .

1.25-8 6.53-1 8.1s-8 1.63-7 I

3-4 2.4s-1 7.2s-8 1.1s-1 5.3s-9 4.5s-1 1.75-7 7.5s-7 4-5 5.45-1 5.73-7 1.4s-2

[ 9.3s-7 i , l N 9 k E I

i T

3 I

1 i 1

I i / Table 3.1-2 presents the recalculated core melt probabilities j for the varying earthquake levels and initiating plant statei

if all of these modifications were implemented. The total core i melt probability with these modifications incorporated would be l approximately 9.3E-7/Rx yr.

i 3.2 Fire Analysis 7

Based on plant operating experience over the last 20 years, it

' has been observed that nuclear power plants will probably have three to four significant fires over their operating lifetimes I (i.e., on the order of one fire every ten years for a frequency i

of .1 fire /Rx yr). Previous probabilistic risk assessments have shown that fires are a significant contributor to the l overall core melt probability, contributing from 7% to 50% of the total core melt probability.

I Large strides have been made in the fire protection for nuclear

power plants in recent years. In particular, 10 CFR 50, j

Appendix R and Branch Technical Position 9.5-1 have led to improved fire protection measures at nuclear power plants. ;

However, even with these improvements, there remains a residual i risk from fires which has not yet been quantified with the l exception of those plants that have performed fire-related PRAs. The purpose of this section is to quantify the riska due 4 to fires at the Point Beach Nuclear Power Plant and to evaluate I I the value of potential modifications.

A more detailed description of the fire analysis is provided in

! Appendix D of this report. ,

j 3.2.1 Analysis Methods

! This analysis will evaluate the residual risk from fires that i could affect decay heat removal systems. In doing so, existing L

! procedures used in published fire PRAs will be employed, but simplifying assumptions will be made to allow the analysis to j proceed without requiring the level of detail required for j

these other fire PRAs.

Most of the simplifying assumptions are based on insights

gained from the previous PRAs or from the historical fire data base. These assumptions are as follows

] i l

a) only fires in a single area (room) will be considered since 1 only single areas have been seen to be significant contributors to core melt probability. Because no room to room issues are being considered, barriers between adjacent areas are assumed i to remain intact during a fire. l f b) Fire frequency and suppression reliability will be based on available industry data. The fire frequencies used will be the j

mean value of generic data collected from fire PRAs.

'~'

Suppression system data is based on American Nuclear Insurers i

data and on the HTGR fire methodology PRA.

3-/s*

i i e

.m---- - - - - ,

~ . . . . ..

c) Two transient combustible exposure fires are assumed to ,

bound all transient and electrically-initiated fires. A trash can size (30 gallons) container of refuse with an energy output of approximately 500KW for 15 minutes is one exposure fire used in the computer calculations. The other combustible is a 10 gallon spill of acetone spread over a square area with sides of 2 meters. This fire results in an intensity of 4.67MW for approximately three minutes. Electrically-initiated fires are '

not being explicitly evaluated, but it is assumed that the exposure fires postulated for this analysis bound any transient

' or electrically-initiated fire that might occur at a plant.

The worst case geometries are used in assessing fire growth and spread and the fire code COMPBRN is used to determine if the cables or components of interest would be damaged by the fire.

d) Point Beach transient event trees will be used to determins the systems components, from a success-oriented outlook..that need to be considered. Transient event trees are used in this analysis since it is assumed that a fire occurs independently of any initiating event and the operators will always insure that at least a transient will occur once they know that there is a fire (i.e. scram the reactor).

e) Components affected by a fire are electrical / active.

components in nature (e.g., cables, motors, switchgear, buses). Only temperature will be used to evaluate a components vulnerability to a fire. Passive components, such as pipes and manual valves will be assumed to be unaffected by a fire.

f) Random failures of those systems not directly affected by the fire at a particular location will be considered if applicable. .

g) Offsite power is assumed to be available during a fire unless the fire is capable of causing a loss-of-offsite power.

h) Fire growth and spread and suppression of fires are treated as independent of each other.

f i) No explicit core melt timing is evaluated.

j) Where exact locations of cables cannot be accurately determined, assumptions as to their locations are made.

l The basic approach used in determining the risk from a fire uses the following four basic steps:

I a) Initial screening for potentially important fire areas.

b) Plant visit for verification. ,

l

, c) Quantification of risk.

l 3-/C la----_ - _ ._- - _ - -

_ m.w - -n w .:.=u u ._c..:- :

1 d) Proposed fixes to reduce the fire risk in affected areas. -

l (

, The initial screening determines which areas of the plant ~

! contain enough front line or support systems in their

! boundaries such that fire damage could invalidate all of the success branches on the transient event trees. These transient

event trees identify the success criteria of the frontline

. systems or combinations of systems that prevent a core melt ,

scenario. The internal systems analysis is also used as a i starting point for the fire analysis to identify the success criteria for such support systems as cooling systems and the AC/DC power requirements. Plant schematics and piping diagrams

! supplement this information where appropriate. Available documentation then allows screening of fire areas to determine the small set of areas where a single fire could lead to a core

nelt.

i The plant is then. visited to see first hand what the physical arrangements are in each of the vital areas. The locations of i major fuel' sources and some estimate of the coordinates of l components and cables are obtained.

j In the quantification step, the deterministic fire code COMPBRN

is.used to ascertain if an expoduce fire could damage the I components / cables of interest in the area. An event tree is utilized to probabilistically estimate the risk of core melt

! from a fire in those areas not eliminated by the code calcula-tions. The basic elements of the event tree are as follows:

a) Fire occurrence frequency for the area of interest.

,I b) Suppression system probability (both for automatic and

! manual suppression). !

4 '

c) Operator error and randon failure of unaffected systems

i from a remote shutdown location.

l i

Eased on the quantification steps, engineering modifications l are proposed for those areas which have a fire-induced core melt probability contribution of greater that 1.0E-4. For any proposed modification, a new core melt probability is l calculated by modifying the event tree to reflect the fix.

l This new core melt probability indicates the "valua a of a i modification in terms of core melt reduction. '

I 1

3.2.2 Fire Vulnerability -

Using the transient event trees, the following systems and

! success criteria were identified as crucial to preventing core damage at Point Beach: '

a) Power Conversion System: 1 out of 2 trains I l

%s i i T*lY

. i

- ~ ~ - - = _

_.u..... ._

i b) Auxiliary Feedwater System: 1 out of 2 actor driven pumps s or

4 1 out of 1 turbine driven pump -

4 c) Safety Injection System: 1 out of 2 trains d) Residual Heat Removal 1 out of 2 RHR pumps Systen

. .,- l in series with SI. pumps and 1 out of 2 RER heat exchangers The support systems required for these frontline systems are:

1 a) Service Water: 1*SW pump per unit (6' pumps total) T i .

I b) Component Cooling Water: 1 of 2 pumps 1

. ' c) AC/DC Power ,

l The areas for which Point Beaoh-has requested Appendix R exemptions and the locations of the systems of concern are identified in the following matrix:

i i Fire Zone PCS AFWS SI RHR SW CCW PORV

1. (Unit 1 Motor Control Center) X

2. (Safety Inspection Pump Room) X X

3. (Component Cooling Water I X l Pump Room)

4. (Unit 2 Motor Control Center) X X X ' ,'

5. (AFW Pump Room) X X X

6. (4160 V Switchgear Room) X X X X X j 7. (Containment Spray Tank Area), X

8. (Cable Spreading Room) X X X X X X X X X X X X X X l

9. (Control Roca) i 10.(SE Containment) l 11.(SW Containment) j 12.(Fire ~and Service Water Pump X i Area) l 13.(RHR Pump Area) I

! 14.(Turbine Hall) X 15.(Circulation Water Pumphouse) I l

! In these cases, fire zones 1, 2, 3, 4, and 7 do not have any of j the power conversion system or the service water system (which j if it were lost could cause the loss of cooling to the main feedpumps and motor driven auxiliary feedwater pumps.)

Therefore two success paths out of three are left intact, and

! no further analysis of these zones is necessary. Fire zones 10 and 11 contain none of the systems of importance and can be eliminated. For the RHR Pump Area and Turbine Hall and circulating Water Pumphouse, a fire in these areas would i

j disable the RNR and PCS systems respectively, but would leave

) the AFWS intact. A fire in the Fire and Service Water Pump l

Area potentially could lead to the loss of all but the turbine 4 3-/ t

)

4

.- .-. . ,_=._c

_.._...m.4 i ... . . . . _ _ _ . _ _... . -. .

l driven AFW pump. however service water power cabling comes in

' via the floor in conduits. has a steel barrier separating _ '

groups of these pumps and essentially has no in situ fuel loading other than the lubrication found in the pumps and a '

very lightly loaded cable tray. In addition, the zone freely communicates to other zones, therefore hot gas layer effects would not be felt in this zone. Because the zone is large and f has an extremely low fuel loading, it was eliminated from i

further analysis since it was not credible that the fires postulated would be able to damage all the service water pumps

! in this zone.

Fire Zone 5: AuEiliary Feedwater Pumn Room - The generic auxiliary building fire frequency used in this analysis is 4.8E-2/Rx yr. Ts obtain the frequency of fire in the AFW pump room, we multiply the building fire frequency by the ratio of ,

AFW room insitu fuel load to the building fuel load (.0495). '

This produces an AFW pump roca. fire frequency of 2.376E-3/Rx yr.

Using the CCMPBRN fire code it was determined that an acetone i spill is expected to damage the redundant service water systea <

cables in 25 minutes and. therefore manual suppression must !

occur before then. The probability of failure of manual suppression in 25 minutes is estimated to be .2. and the probability of failure of the automatic Halon suppression 4

system is .2. An uncontrolled fire in the auxiliary feedwater '

! pump room at Point Beach could eventually cause the loss of all i service water pumps. the two motor driven auxiliary feedwater i pumps, all safety injection pumps, all component cooling water pumps, and ultimately all RHR pumps as well as the power j . conversion system. The only remaining system to prevent core nelt would be the one turbine driven AFW pump for each unit.

The failure probability of plant personnel to manually operate 1 the turbine driven pump is estimated to be .1. while randon failure of this system to operate is estimated to be 3.48E-2.

l These calculated probabilities produce a core melt probability j for this scenario of 1.25E-5/Ex yr.

l If. however the manual suppression occurred after the initial l damage and the manual suppression using hoses caused the turbine driven pump to fail, the probability of core melt would j rise to 4.76E-4/Rx yr.

! Fire Zone 6: 4160 Switehaear Room - The generic frequency of (

i fire in the auxiliary building (4.8E-2/Rx yr) sultiplied by the !

ratio of fuel load in this area (.1034) results in an area fire I frequency of 4.96E-3/Rx yr. The area contains two independent '

automatic Halon suppression system each of which has a failure l i probability of .2. Manual suppression is needed within one l

l' hour and the probability of failure of this suppression is ;

estimated to be .1. Given fire damage is this area, the i turbine driven AFW pump is again available to prevent core j melt. The failure of operator action to properly line up the i system (.1) and the probability of randon failure of the system ;

j ,

(3.48E-2) produce a core melt probability of 2.60E-6/Rx yr. i 3=/9

4 Fire Zone 8: Cable Screadina Room - The generic frequency of 'N s fire in the cable spreading room has been estimated-to be ~~

6.7E-3/Rx yr. The transformer oil is non-flammable and the cabling is contained in trays with solid bottoms and tops. In addition, a Kaowool fire' retardant blanket has been placed in the cable trays. The room cabinets are made of steel which would provide some protection from an exposure fire. -

~. ; -

The trash and acetone fire scenarios were analyzed using the COMPBRN code and.found to be insufficient to damage the room cables with a hot gas layer. For these reasons, further l quantification of this room was not necessary as a result of

fire.

i :

Fire Zone 9: Control Room - The generic frequency of fire L l occurrence for the control room is taken to be 4.9E-3/Rx.yr. l 1

However, the separation of cables for vital systems, continuous occupancy of the coon, and relative invulnerability of the i cables to a hot gas layer eliminates this room from further consideration. .

l i !

3.2.3 Potential Modifications -

l At Point Beach it appears that'only the AFW pump room fire zone

{ and the 4160V switchgear room would need improvements to the j fire protection options already employed to reduce the risk of i i core melt due to fire to less than 1.0E-6/Rx yr. .

l !

l The proposed modificat$on recommended for the AFW room would l consist of installing an automatic water suppression system of - '

the dry pipe, proaction type. In addition, the pumps and !

contrcl circuit boxes in this zone would be waterproofed to l

prevent circuit damage due to water. The failure probability i l of this additional fire suppression system was estimated to be !

! .04. When the fire event tree is modified to reflect this fix, j j the core melt probability is reduced to 5.0E-7/Rx yr. . i i !

Other options of modifications for this area were rejected for !

!' the following reasons: l I

a) Cable wrapping would prevent cooling of power cables and accelerate their material degradation.

4

) b) Installation of dividing walls.would require many (

) penetrations and rerouting of cable. ;

f; I c) Rerouting of cables from the area would be costly and

. tedious. !

f I

i d) Removing components from the room would require costly !

l Piping and cable rerouting. l 1

i e) Automation of the turbine driven AFW pump would not ,

i

eliminate its vulnerability to fire in this area. l l l

. [

7-20 ;

' l

- l

. ... - ~ _ - . .. .

For the 4160V switchgear room, the proposed modification would require relocation of the main battery distribution bus (Do-1 and its associated charger and inverter to another zone and ')

insuring that the cabling for this does not run through the 4160 switchgear room. The modified core melt probability was calculated to be 6.90E-7/Rx yr. since the turbine driven auxiliary feedwater pump will not require manual actuation. As before, modifications involving cable wrapping or c~onstruction of barriers were considered to be less prudent.

Details of this fire analysis are given in Appendix D along with the analysis event tree methodology.

3.3 Internal Flood Analysis operating experience at nuclear power plants has shown that the potential for damage to safety-related equipment as a result of internal flooding is of concern. Examples of experienced internal flooding initiators i'nclude operators overfilling water tanks, in-leakage of ground water, hose and weld ruptures, pump seal leaks, improper maintenance procedure, and various other circumstances. Several of these events resulted in damage to high pressure coolant injection systems, reactor building spray pumps, service water pumps, emergency feedwater l pumps, diesel generator control cabinets and other redundant and diverse safety-related components. Although to date, none of these floodings have led to a serious accident, there is still a risk that needs to be evaluated to determine what the chances are that an internal flood, despite a conscious effort to design the plant to withstand this threat, could lead to a i core melt scenario. The TAP A-45 program specifically I addresses these concerns including the vulnerability of the decay heat removal systems to equipment damage due to spray from ruptured water piping and the sections that follow will represent the methodology and assumptions employed to carry out I these analyses. The Point Beach vulnerabilities to this special emergency will then be quantified and modifications evaluated. More details regarding this analysis are provided in Appendix E.

3.3.1 Analysis Methods The methods used to analyze internal flooding in TAP A-45

follow the existing procedures employed in published PRAs.

( However, since a full-scope PRA is beyond the resources of this program, a number of simplifying assumptions have been made.

Most of these assumptions are based on insights derived from previous PRAs or by censideration of the physical constraints of a flood in a building. The major assumptions a;e as follows:

a) Internal flood frequencies, conponent damage thresholds, l and physical room considerations will be based on previous l industry wide data bases. The flood si:es have been grouped l

l 1-21 ,

f

'\

according to the flow rate from a flood source and estimates have been made for the room drainage and equipment volume based on the Seabrook PRA assumptions.

Point Beach transient event trees are used to determine the b) systems / components, from a success- oriented outlook, that need to be considered. Transient event trees are used in this analysis since it is assumed that an internal flood occurs independently of any initiating event and the operators will always insure that at least a transient will occur once they know that there is a flood (i.e. scram the reactor). LOCA event trees will not be examined since no scenarios could be postulated where an internal flood could result in a LOCA event.

c) Front line mitigation systems (such as high and low pressure injection) will not be considered as flood sources.

This simpliing assumption is based on the fact that these front lin. fstems, 1) have been designed to higher standards,

2) have controlled chemistry, 3) in general do not see large temperature gradients, and 4) have been involved in few castastrophic failures.

d) Flood barriers maintain their structural integrity.

)

e) Flooding via drains backing up into other areas will not be considered. .

f) only single flood sources will be analyzed.

g) Components will fail from submergence in water to a critical point or from direct spray from the flood source. It is assumed that switchgear and buses will fail if they are standing in six inches of water or more. An electric' motor will be assumed to fail when the water level reaches the bottom of the motor casing, h) Random failures of those systems not directly affected by the internal flood at a particular location will be considered if applicable.

1) Offsite power is assumed to be available during an internal flood unless the flood is capable of causing a loss of offsite power.

j) No explicit core melt timing is evaluated.

The approach used in d,etermining the risk due to internal flooding at the Point Beach Nuclear Power Plant uses the following four basic steps:

a) Initial screening for potentially important internal flood levels.

1-22

y --

,,. 7 ,m

- ~

g ; s m ,

v s

. . . . y ..

7,

% x g. - -

1 f"n y -

3 n . . -. a s a '

e ' b) ' Plast.visir for verification. ,

^

s

'cf Quantif,1 cation. 7 c . ~ , .

l d) Proposed.f5xes to reduce the rist due to internal tlood in I affected areas. - -

3 3

4

, .s 1 The' initial scraaning UnWWes usings t he trdiient event treeg

~ ,

to idenl,1fy the front line and support, systems needed to, s prevent c' ore melt a'nd their success criteria. On.ce the systems of interest are[ identified, 'all available documentation is Analyzed to determine those areas whsse enough components could .'

be dirsbled by;as incarnal flood so as to cause core damage. ,

.c

+ .. s.,

s A plant v'isit irthen conductec to see 'th2 physical arrangement of, equips, ant,NerityJthe' accuracy of documentation, and obtain the pir.:st, location coordinates of vital components.

m ,

The step of quantifying the codtribution to core melt begins

with examining whether a flood source costaJdamage the components of intecost and the time availabt.'a for operator mitigar. ion of tt@, event. With the flowrata." room volume, and cacicity for Watet_ removal ke.own, the tide to damage of f compchents may'be calsulated based on thi water depth in the 3 joom and the .2ssumptions govdrning hosponent damage s

! m i threstolds. Spray is considwrea whed a flobd initiates in a C

room and the critical components are in a direct line of sight with the flood source. An event tree is then constructed to ,

, quantify the area flood damage scenario following the folicwing steps: ,

4 r

i a) InternalfloodoccubrenUq.*fre'quencyforthearea.

L 9

g h)> Probability of detoed:ba of the flood.

~

_ 1 c)4 Isolation potential of >.he glood source. -

, u ,

d) Operator error and t-spdom f ailures of unaf f ected syst' ass. ,

Based.ou.the quantificatiya steps, engineering fixes are y propose 4 for these arns which have an internal' flood-induced -

core malt I.cobability contribution of greater thaa'1.0E-6. For any pcoposed fix, a modified core melt probability is then calculated (by modifying the event trees to reflect the'fix) to indicate how much the core melt probability could be reduced. %

3.3.2 Internal Flood Vulnerability , "

!. The Point Beach transient event trees were used to identify the[

decay heat removal system combinationr<which are needed to -

i prevent core damage. These systams add' chair success criteria .

t are summarized below:

.; ..,, s l

I w 3-n s .,

t .

>s ab r,e I $

- --~ ,

~_._ _ . . _ . - _ - _ _ _ . . . _ _ . , _ _ _ . . _ _ _ . . _._.... _...._, . . .. ,..,_ ,

a) Power Conversion System (PCS): 1 out of 2 trains ~ 3r b) Auxiliary Feedwater System: 1 out of 2 motor driven ,

pumps or 1 out of 1 turbine driven pump c) Safety Injection System: 1 out of 2 trains d) Residual Heat Removal System (in recirculation mode):

I 1 out of 2 RHR pumps in series with SI pumps and 1 out of 2 RHR heat exchangers -

Because the success criteria only requires 1 train or pump from each system to remove decay heat, then in order to invalidate the success criteria locations must be found in the plant where all of the redundant systems can be damaged by an internal flood. In addition, the support systems needed for successful operation of the front line systems are as follows: _

Service water: 1 SW pump per unit (out of 6 pumps total)

Component Cooling Water: 1 of 2 pumps AC/DC power:

A review of these critical systems, in conjunction with Appendix R submittals, produced the following matrix of component locations:

PCS AFWS SI RHR SW CCW PCRV

1. (#1 Motor Control Center) I

2. (Safety Injection Pump Ra.) X X

3. (Component Cooling Water .

Pump Room) X X

4. (#2 Motor Control Center) X

5. (AFW Pump Room) X X X X X

6. (4160 Switchgear Room) X. X X X , X

7. (Containment Spray Tank) X

8. (Cable Spreading Room) X X X X X X X

9. (Control Room) X X X X X X X l 10.(SE Containment) 11.(SW Containment) 12.(Fire & Service Water Pump Room) X 13.(RHR Pump Area) X 14.(Turbine Hall) X 15.(Circulating Water Pumphouse)X The areas which contain no systems important to decay heat removal (zones lo and 11) can be eliminated from further analysis. For the remaining areas listed above, this study examined the flood sources available for filling the room of I concern with water. Tanks were examined for volume and 3-2 Y

-- ~. _ _ . . _ . . .

+

probable flow paths along openings, stairwells, gratings where water could travel from room to room." It was found that no components were located under openings where cascading water '

i from a tank rupture could damage the equipment. It was also ascertained that the switchgear room, auxiliary feedwater pump room and control room and cable spreading rooms were physically in a separate building than the safety injection, component cooling water and RHR pumps. Because of this' physi' cal I separation, it was difficult for tank rupture flood waters to originate in one building and also be able to affect the other set of components in the other building. The RHR pump room could be flooded, however, the PCS and auxiliary feedwater systems would still be available. Therefore, tank failures do not appear to be a threat at Point Beach.

I The circulating water, service water, and fire main headers were then examined for flooding along flow paths into areas of concern to this analysis. Although components could certainly be damaged by rupture of any of these systems, it was deter-mined that.all postulated breaks were isolable and the diverse systems were physically separated sufficiently to preclude a

core melt scenario.

The final portion of this study focused on the damageability of equipment due to spray from a water source. The service water

, pumphouse was identified as the only plant location where spray i could damage enough redundant equipment to produce a core melt j scenario. The initiating event for such a sequence begins with a rupture of the fire main header which sprays water on the six

~

j l service water pumps as well as the electric driven fire pump j and the diesel driven fire pump. Since the fire pumps ars a l

backup system for the service water, this scenario would cause loss of primary and secondary cooling sources.

The frequency of an initiating flood in the service water pump area is estimated to be 2.2E-2/Rx yr (see Appendix E).. The probability that the pumps will fail due to high pressure spray impingement is estimated to be 1 in 10. The loss of the service water pumps is important because it leads to loss of the PCS system (lube oil cooling), component cooling water system, and eventual loss of the safety injection pumps, HER pumps, and the two motor driven auxiliary feedwater pumps.

This leaves the plant with only the turbine driven auxiliary fee'dwater pump which'has a random failure probability estimated to be 3.4E-2/ demand. This sequence then has a probability of occurrence of (2.2E-2 rupture /Rx yr)(.1 chance of pump failure)(3.4E-2 probability of random failure of the AFW turbine driven pump) = 7.66-5/Rx yr.

3.3.3 Potential Modifications Due to the fact that spray from a broken fire main in the service water pump room was the only concern in this area, only one fix was recommended for review. There currently exists a 3-2f ,,

-w--- -- - - , - -,.-.--~----,.---.--,v,------..-.---.-,-,.---,w- -

r-.--..-.,-ev.y-m-----------..-------,-r---. _w . - , - . . , , - - , - _-

partial height fire barrier which divides the room in half with s one fire pump and three service water pumps on.either side. Br___ S extending this wall to the ceiling, spray from a break would be prevented from impinging on all six service water pumpr. Since only one service water pump is required per unit when operating, the three surviving service water pumps would have the capability to handle the heat loads being generated. The reliability of each of these pumps is estimated to be approximately lE-3/ demand. If we conservatively assume that one pump is available for each unit, and one pump is undergoing maintenance, we would still be reducing the core melt probability for this scenario by the random failure probability of one pump. This modified core melt probability for an internal flood in the service water pump room with a spray shield installed would be approximately 7.66E-8/Rx yr.

3.4 External Flood Analysis Sources of potential flooding external to a plant are numerous for most plant sites because nearly all plants are located near large bodies of water. River bank overflow, snow melting, heavy precipitation, storm seiches, upstream das failure, and wave runup are examples of potentially large flood water sources. Flood waters can cause damage or failure to .

components located in the plant yard as well as damage to equipment inside buildings which may be penetrated by the water. In addition, the buildings themselves may not be designed to withstand the hydrostatic forces of flood waters, resulting in catastrophic structural failures. ,

However, unlike other natural hazards such as earthquakes and extreme winds, external flood hazards may not represent a hazard due to topographic or other physical conditions which preclude site flooding, or reduce the frequency of occurrence.

This is due in part to the fact that the design basis floods for nuclear plants are generally conservative. However, since the uncertainty in design floods was not considered, t'he likelihood of extreme floods and the contribution to plant risk is not known.

This section analyzes the potential sources of external floods for the Point Beach Nuclear Power Plant and then quantifies the contribution to core melt probability.

A more detailed description of this analysis is provided in Appendix F of this report.

3.4.1 Analysis Methods It is beyond the scope of the TAP A-45 program to perform an in-depth probabilistic risk assessment. Instead, the objective is to conduct an analysis that quantifies the significant 1-2:

-.-- ,,-- . - -, - _ v--

_ - _ _ - - _ _ _ - - . - _ - _ = _ -

j .. . . .-._ .._ . _ _ _ . . _ _ _ _

! . .. )

1

- threats to a plant. However, the procedures used to perfora !

> the flood analysis embodies the basic philosophy of a full '- ,

! scope probabilistic risk assessment.

! To evaluate the probability of plant damage due to external l flood events, the following tasks are performed: 1) plant 4

! familiarization, 2) hazard analysis, 3) fragility / vulnerability

! evaluation, 4) systems analysis, and 5) risk quantification.

Figure 3.4-1 shows the relationship of these elements.

! The' steps in the analysis are summarized below: l t T Plant Familiarization - The purpose of this task is to gather i' information on the occurrence of external floods hazards at a plant and on the vulnerability of the plant structures and l

equipment to flooding. Regional studies performed by the Army Corps of Engineers are combined with plant site studies to evaluate the flood frequency. 'In assessing the reliability of shutdown decay heat removal systems, a review of available i docuacntation (i.e., FSAR, plant drawings and topical reports) i and a walkdown of the plant are performed. Safety related

' components are visually inspected to verify locations and to i analyze for possible flooding via all possible pathways.

! Hazard Analysis - In the case of external flooding, the hazard analysis is conducted in two steps. First, a screening of the potential sources of flooding (i.e., upstream dams, local l

precipitation, storm surge, etc.) in the vicinity of the plant

is conducted. For sources of flooding that can impact the l Pl ant site, an analysis is conducted to evaluate the frequency j of occurrence of increasing levels of flood intensity (i.e.,

4 depth of inundation, hydrodynamic forces, etc.). An !

uncertainty analysis is also performed to assess the modeling or-engineering urcertainty in estinating the frequency of occurrence. .

Comoonent Fracility Evaluation - For structures and equipment '

items vulnerable to flood hazards the fraction of failure l

defined as a function of a flood hazard parameter (i.e., depth of inundation) or fragility curve, is assessed. This is done !

! by 1) identifying the flood protection devices, 2) estimating the depth of submergence necessary to fail a component, 3) determining modes of flooding a room, and 4) transforming local ,

i fragility values or critical depth estimates to a global flood l l

hazard characterization. The modeling uncertainty in the j evaluation is also considered.

i j systems Analysis - The decay heat removal systems analysis is l l

performed by developing event trees and fault trees with an d external flooding event as the initiator. The system success criteria are examined for common mode failure due to flooding

~

t which could lead to a core melt scenario. The ccmponent

fragilities are used as input to evaluate the conditional

~

1-n i

l

.. .,,,..n..... . .. .... . . . . . . . - . . . . . .

~ ~--- -

. \

E s v-s 4451uso 3 K25tigegoJd

.M 3 a w

e

.C I' $ 8

- ,,. .s.

b

= a li~

m 2 >

Asuonbaag , Q

- c

<, E 4 s xa

& 4 I 5 a:

t **

n b : -

. O EE ; 13

- :- i

/ 3 i

g. .

m -

. ==

w 52 3 - 8 2 =

? : I : E U asuepoesq 2 aanttej go E j g I go AsuonbeJ3 uopstad saltvineng E'gE 1

1 4

WM J. =1~ I

< XI *M I z.: 5 55 5 i =

- $13 I

z i

1 3-21 e e e

i fraction of failure of different safety systems as defined by the systems logic model. '-

, i

Risk ouantification - The quantification of the likelihood of j plant damage is accomplished by properly weighting the

conditional fraction of plant damage (i.e., fragility) over the entire range of flood intensities, by their frequency of

!' occurrence. By propagating the uncertainty in the frequency of "

flood hazards and fragility, the probability distribution on the likelihood of plant damage is evaluated.

t 3.~4.2 External Flood Vulnerability site Descrintion: The Point Beach Plant is situated on the

)l west shore of Lake Michigan, approximately 30 miles southeast of Green Bay, Wisconsin. The topography in the vicinity of the plant site is described as gently rolling. The local terrain slopes toward Lake Michigan, varying in elevation from 588 to 642 feet asi. The normal lake level is 578 feet IGLD

! (International Great Lakes Datum) and plant grade is 588.2. feet

! IGLD or 10.2 feet above normal lake level. Plant elevation O.00 feet is equal to 580.2 feet IGLD. The ground flood of the

! Turbine Building is +8.0 feet while the floor elevation of the Service Water Pumphouse is +7.7 feet.

L l

Two principle sources of flooding exist near the plant; runoff due to local precipitation and/or snow melt, and rising lake levels combined with wind wave effects and runup. Experience

, at the plant and in the surrounding area suggests that rainfall tends to run off due to the less pervious nature of the clay content of local soils and frozen ground conditions in the spring. Thus, ponding can occur in local depressions.

Experience at the plant indicates that some leakage into plant ,

l structures due to runoff does occur.

Eauiement Location: Safety-related equipment important to removal of decay heat at Point Beach is located in the i Pumphouse and the Turbine and Auxiliary Buildings. The service water pumps are located in the Pumphouse, while all other safety-related components are in the Turbine and Auxiliary i Buildings. A number of these items are located on the ground floor (Elev. +8.0 feet). These include the diesel generators, batteries, 4160 V switchgear, auxiliary feedwater pumps, safety injection pumps, and the containment spray pumps. The RHR pumps and heat exchangers are at elevation -19.0 feet. A l listing of equipment vulnerable to flooding is presented in l Table 3.4-1.

I Emercency Procedures: As part of plant operations, emergency l procedures have been established in the event of high lake water level. These procedures are designed to respond to wave runup that could occur near the Pumphouse and/or Turbine i

Building. The principle action called for is sandbagging i

-s ,

l F2P

-,,m,___ _ _ _ _ , _ , , , _

C 1.

Table 3.4-1 vulnerable structures and Equipment .. . . . . , .

j ;

.. I '.

Structures / Equipment Location Vulnerability Diesel Generator Rm East end of Turbine Bldg. Doorway is sandbagged during high ;

(Elev. +8.0 feet) lake level to 9's leakage and .

inundation greater than elev. 9' could flood this room. .

Battery Room In Turbine Bldg., along Doorway is sandbagged during high center wall with Unit 2, lake level to 9' leakage and (Elev. +8.0 feet) inundation greater than elev. 9' [

can flood this room. .

' I

4160 V Switchgear Center of Turbine Bldg., Doorway is sandbagged during high (Elev. +8.0 feet) lake' level to 9' leakage and .

- inundation greater than elev. 9' ,

y can fl,ood this room. .

[

~ .

" West side of Turbine Bldg., Doorway la sandbagged during high Auxiliary Feedwater Pumps (Elev. +8.0 feet) lake level to 9' leakage and ;

inundation greater than elev. 9' %

can flood this room. [

. E Containment Spray Pumps West end of the PAB, Flooding to an elevation greater , *g (Elev. +8.0 feet) than 8' can result in water ,

propagating throughout Turbine ;

Bldg. into the PAB. -

k Safety Injection Pumps West side of the PAB, Flooding to an elevation greater (Elev. +8.0 feet) than 8' can result in water -

' I propagating throughout PAB.

HHR Pumps and Heat Weut side of the PAB, Plooding to an elevation greater Exchangers (Elev. -19.0 feet) than 8' can result in water propagating throughout PAB and j downstairs. ,7, iI 6

I i Table 3.4-1 (cont.) ,

Vulnerable S'tructures and Equipment .' s - ' . ' -

. l. ,

Structures / Equipment Location Vulnerability Service Water Pumps Pumphouse, (Elev. 7 feet) Doorway and louvers are sand- i s bagged during high lake level to i l 9' leakage and inundation i greater than elevation 9' can flood this room, i

Pumphouse Lake Shore Storm water and snow can collect :

on the roof. I I

3 l

1 '

4 -

i l

I b

i i .

t t

s i

i

4 -

N doorways that are susceptible to leakage and are. locate.d at or '

i near critical areas. These include exterior access doors to the Turbine Building and the Pumphouse and interior doors to l

vital equipment areas in the Turbine Building. Sandbags are piled to add one foot of protection at the Turbine Building and t'wo feet of protection to the Pumphouse. .

et General Flood Considerations: On site flooding due to snow melt and rainfall was addressed as part of the plant design.

l, In addition to natural runoff, a storm sewer system, and a j series of drainage ditches were constructed to accommodate runoff on the site. In recent experience at the plant, leakage of storm runoff into the Auxiliary Building has occurred,

causing some localized flooding.

The possibility of a seiche on Lake Michigan was addressed in j the FSAR. Estimates of the maximum rise in lake -level was 1 to i 2 feet. Consideration of a storm surge due to a moving squall l line indicated that it did not exceed the estimate of the 1

maximum runup elevation of 8.42 feet. ,

I Ice build-up on Lake Michigan has occurred in the vicinity of the plant. As part of the plant. design, the water intake is situated 1750 feet offshore at a depth of 18 feet. It is j

implied in the FSAR that ice loads were considered in the design of the intake forebay and discharge fiumes. ,

system success criteria: The assumption is made that a simultaneous loss of offsite power will occur during an I external flood event. This is because of the large storms and i high winds that are required to cause water runup to the

! plant. Core melt would require failure of both the emergency

' coolant injection system and the secondary cooling system.

t j

The emergency injection system consists of the high and low pressure injection systems, while theFollowing secondary cooling system a loss of offsite is the auxiliary feedwater pumps.

l power, flooding of the diesel generator rooms would result in a loss of all AC electric power. Only the DC powered turbine I

driven auxiliary feedwater pump would remain: however, the battery room is at the same elevation and also likely to be r flooded.

Risk ouantification: Flooding due to rain or snow melt would l

i be slow in initiating, and recovery from the localized seepage l

penetration would make a core melt scenario unrealistic. Also, based on initial review, the natural drainage, and a storm sewer system appear to be deterrents to significant ponding in the vicinity of plant structures.

{ The water level required to flood the Service Water Pumphouse, Turbine Building, and Auxiliary Buildings is estimated to be 590' mean sea level (ms1). This is due to the fact that all ;

I l

z-rz

[

l

i

\ buildings would be sandbagged to 589' and could be sandbagged,,

i higher if necessary. In addition, the slow initiation and long,'

lead times would allow additional measures to be taken. If no sandbagging above 589' was performed, it is conservatively assumed that flood levels which crest one foot higher than the initial sandbags will be sufficient to supply. water.which will l penetrate all subsequent doors and reach a room depth that will

! fail the diesel generators, batteries, 4160 V switchgear, auxiliary feedwater pumps, containment spray pumps, safety i

injection pumps, residual heat removal pumps, and service water pumps. The mean frequency of occurrence of a lake level of 590' is estimated to be on the order of 10-15/yr. This frequency is considered negligible. However, it was also assumed that a lower lake level combined with large wave runup r could impound water between the Service Water Pumphouse and the Turbine Building. If the stora drains were clogged with debris, it was calculated that-waves would have to runup to 5968 in order to impound water two feet high on the site.

Again, it was assumed that the water must be two feet high in order to top the one foot high sandbags with enough water to flood all rooms to a depth which would fail the safety equipment. The frequency with which the lake level would reach a high level from which excessive wave runup would be present I to flood the buildings is calculated to be 1.9E-8/yr.

1 As noted earlier, a flood of this magnitude would have long l

lead times in which additional flood protection measures could l be taken. However, given the extent of simultaneous equipment i damage, the frequency of a flood of this magnitude is assumed to result in core melt. Therefore, the conditional probability of core melt as a result of flooding is equal'to one, and the l

frequency of a flood of sufficient magnitude to exceed the flood protection (590' asi) is calculated to be 4E-15 +

1.9E-8 = 1.9E-8/R2 yr. ,

j This low probability contribution to core melt does not warrant additional plant modifications.

3.5 Extreme Wind Analysis i As part of the Task Action Plan A-45 analysis of the response i of decay heat removal systems to internal and external

' initiating events, a study was performed for wind hazards for i the Point Beach Nuclear Power Plant. Both straight winds of excessive speed and tornado winds with their associated pressure differentials pose potential challenges to specific plant components. In addition, high winds can generate missiles with sufficient impact to penetrate doorsk, louvers, and metal buildings and severely damage water storage. tanks, diesel J generators, pumps, and other safety related systems.

l These combined and potentially simultaneous threats of high wind

force and wind generated missiles will be quantified briefly in

< - this section. A more detailed description of the methodology, 2- 73 a- . ~ , , - . . ,,_..,--mn, -.,-.,-.enn,.n_-n .n,, _-n,,-._a_n_---,--._n-- - - . - . - - - - - . . - - - . - ~ . - - - - - -

hazard analysis, component fragilities, and quantification will '

be presented in Appendiz G of this report.

3.5.1 Analysis Methods To evaluate the probability of plant damage due to1)external plant wind events, the following tasks are performed:

familiarization, 2) tornado and straight wind hazard' analysis, ,

3) tornado missile and wind pressure fragility analyses,

4) systems analysis, and 5) risk quantification. Figure 3.5-1 shows the interrelationships of these elements.

Plant Familiarization - The purpose of this task is to gather. ,

information related to the occurrence of external wind hazards at a plant and the vulnerability of plant structures and In assessing the reliability of equipment to wind effects.

decay heat renoval systems, a review of available documentation (i.e., FSAR, Plant drawings and topical reports) and a walkdown of the plant are performed. Potential missile population at the site, missile pathways, tank locations, equipment exposure, and building design are all visually evaluated for use in later

. analyses. Previous studies of structural. design capacities and regional high wind frequencies pre obtained as well as emergency operating procedures.

Nazard Analysis - Mean wind hazard curves.for tornadoes and straight winds were developed by the Meteorology and Effluent Treatment Branch of the USNRC for use in the TAP A-45, program.

The purpose of the hazard analysis is to develop the uncertainty in the hazard curves. Independent tornado hazard analyses are conducted which include consideration of the uncertainty in the tornado plant

strike model, site size, tornado analysis data, tornado damage area and length variation, and Fujita F-scale intensity / wind speed conversion.

The resulting curves are scaled so that the resultingAnmean analysis frequencies of exceedance equal the USNRC values.

of straight winds is conducted to develop Uncertainty the uncertainty in a in the similar manner as was done for tornados.

wind speed data bases, applicability of recording station to the site, and terrain roughness differences are considered.

Tornado Missile and Wind Pressure Fracility Analyses - A tornado missile analysis was performed to develop the conditional probability distribution of missile impact on exposed equipment and on structures containing equipment which could fail due to missile penetration or by secondary impact from spalled concrete. The analysis considers the occurrence i frequency of tornados, number of available Results of past tornado tornado missiles, target exposure, and target area.

t missile impact studies which were based on detailed missile

simulations of mass, terminal velocity, deformation characteristics, and angle of impact are used. For structures and equipment vulnerable to wind pressure harards, the T -2 9 O l 1

i I

.. g .

1 t.* a r

' - ; y 446tue0

. 5 Alltl448Jd -

T 2

i 1 m I l

$ e 2 -

a g a

n $;b

e. .a.

f4 I m

AsuonbeJJ .

. $a E 4 o ~

E J w e g m.

e 5

2 "

m .2 % =

== 22 # *

~

. t:,t:

=O2" n

/ s

! T . .

l5 g 1 I --

Tm

= a n

I T w- -*N T 2 2 : E 1 2 O asuspeenr3- I santtej ;o I Ej @ t E Jo Asuonbeag unn:vJJ sA ptt w o g o

s wA

-. e .

4

.2 jMl i

II 3 i - gm z. .

i

= $ 5 5 }.1). Ee

' e 4

'1 -1:'

,--.m--- gn- .,--,,-m--,--,_.,,_nn--- ---n,-.---- + . - - . . . - - , - . _ - - - - - - - - _ - - - - -

i 1

-a =

-~_ _ . , _ , , , , , , , . . , _ , . . _ , , , ,

l

. j i l

). cumulative fraction of failure defined as a function of the '

i windspeed,~ called a fragility curve, is assessed. . l 1

Due to uncertainty, multiple fragility curves are determined i for each component. l j

l systems Analysis - The decay heat removal systems analysis is performed by utilizing the event trees and fault trees 1 l

j developed in the internal analysis to determine which systems are needed to prevent core melt. An event tree is then !

7

developed in which wind generated failures are an initiating (

l event with a simultaneous loss of offsite power due to the ,

l severity of the storm. The component fragilities and missile !

l impact factors are used to evaluate the conditional probability l of failure of different safety systems.

! nisk ouantification - The quantification of the likelihood of plant damage is assessed by properly weighting the conditional' . ,

l fraction of plant damage (i.e., fragility) over the entire -

l range of wind intensities by the frequency of occurrence of (

l wind hazards. Recovery actions for each sequence are given !

credit for where appropriate and, by propagating the uncertainty in the frequency of wind hazards and fragility, the l

)

probability distribution of the likelihood of plant damage can l

) '

be evaluated. :

l I i 3.5.2 Extreme Wind Vulnerability I

Vulnerable structures and Eauinment - In general, most ;

lL safety-related equipment are contained within and protected by l i

! concrete structures which are at least 18 inches thick. f

! Exceptions are listed in Table 3.5-1. Safety related ~

i components which are vulnerable to both wind pressure effects and tornado missiles were analyzed and probabilistic [

descriptions of their capacities determined. l It was assumed in the development of the list of vulnerable structures and equipment that concrete walls and roof slabs i j greater than 12 inches thick provide adequate protection l against tornado missiles. Hence, openings in the structures i for doors and exhaust stacks were found to be vulnerable areas for tornado missiles.- The roof of the Pumphouse is only 5 l j

inches thick, thus, it also was analyzed. j s

j possible paths through the metal siding of the Turbine Building !

and containment Facade were also considered. Doors to the control room and diesel generator room, the condensate Storage j Tanks (CSTs), and the Refueling Water Storage Tanks (RWSTs) are also potentially vulnerable to missiles. The diesel generator j j i room door, which is similar to other doors to the Class I !

structure in the Turbine Building at elevation 8 feet, is reasonably well protected, and a conservative analysis of r i missile impact produced an annual probability of 2.5E-8; thus, !

i these doors were excluded from further study.

i j . :

l 1-24 f

i . <

t E_.___._-_..______.__..__________.__._. ._ __

i _

i i Y

. i * . .

I.l

.i TABLE 3-5.1 , , ,, , , , ,

, -- ... . /

VULMERABLE ST9tDCTURES AIID EQUIP 9 TENT ik

' a i

a Y

? f r-m.et I Structure / Equipment Locatles . !- ? -

l . U Wulper dle to Tornade .

f' .

l Pumpheuse - Elev. 29'-P' '

Service Mater Pumpheuse Missiles

+

l I 8 Roof (5 inches thick) -

Vulner dle to Tornado ll .

Pumpheuse - Elev. S' '

I!

Doors in elde of Missiles Service Water 7_ .': .= -

l!

h l: 4 l Turtlee Smilding - Elev. 44' Welaerdle to Tornado IIIssiles j opentags la Centrol Iloes ,

ll;. .

e Walls i k ;

i Turblee Building - Elev. S' .te Vulner dle to both wind f

I E Blesel generator exhaust -

pressere and tornado missiles ,

4 stacks top of building I

q

.l.

Vulner dle to both wind 'I Ceedensate Storage Tads Turblee Buildlag - Elev. 26' pressure and tornado missiles ,

t.

S r

.(

li 1 Vulner dle to both uled i l ;

Refuelleg Water Storage Tanks Caetainment Facade - Elev. S'

pressere and tornado missiles t i

i !

/

w l .

l j -- ; l

t

{' l I

J I

! i

x Missiles could also penetrate the doors or louvers in the west side of the Pumphouse but a 12-inch thick barrier walt ~ protects -

the service water pumps. Two side doors into the Pumphouse provide a direct path for tornado missiles. Although this event is relatively unlikely to occur, it was also analyzed in this study. .

Wind pressure effects were considered for the diesel generator exhaust stacks, CSTs, and RWSTs. Based on the FSAR, the Class I concrete structures have windspeed capacities greater than 300 mph. Thus, the wind pressure capacity of the Class I structures was considered to be adequate, and wind-induced failure will not contribute significantly to the frequency of core melt, i Wind Mazard - Point Beach is located in Region I of the USNRC tornado risk regionalizacion scheme given in WASH-1300. This region has the highest tornado-hazard of the three USNRC regions. The mean values of wind speed frequencies are as j follows:

Tornado Straioht Wind Wind . Wind Mean Speed Mean Speed (Tch) Value (mnh) Value 74 5.38E-4 95 1.00E-2 i 93 3.20E-4 101 5.00E-3 I ' 134 1.04E-4 110 2.00E-3 2.19E-5 114 1.00E-3 182 ,

234 3.95E-6 123 5.00E-4 i

6.30E-7 132 2.00E-4 290 349 7.33E-8 138 1.00,E-4 i

153 2.00E-5 140 1.00E-5 1

175 2.00E-4 182 1.00E-4 secuence cuantification - Only the condensate storage tank, ,

refueling water storage tank and diesel generator exhaust stacks were found to be vulnerable to wind pressures at Point Beach. However, the CST and RWST were not calculated to fail i

until the wind speeds reached approximately 350 mph. Straight winds will not reach these speeds, and tornado winds of this magnitude oc. cur with frequencies of about 7E-8.

The diesel generator exhaust stacks were calculated to collapse shut at wind speeds of 160 mph. Straight winds of this speed 3-21 t

-.________n__=_ --

have frequency a frequency of 1.0E-5 while 160. mph tornado winds have aCollapse of these of 5.OE-5/yr.

fail the operability of the diesel generators (DG). Since the initiating event was assumed to be wind damage with simultaneous loss of offsite power. loss of the diesel generators would result in loss of all ac electric power. Core melt would not occur until the batteries depleted (four hours) or within 30 minutes if the remaining de powered turbine The driven auxiliary feedwater pump failed (3.4eE-2/ demand).

probability of nonrecovery of offsite power within 30 minutes is 0.8 and the probability of nonrecovery within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is 0.38. If the turbine driven AFW pump works, the diesel generators may still be recovered by cutting off the collapsed stack. This recovery is given a probability of 0.1.

Therefore, the calculated core melt probability ist (Frequency of 160 mph winds) (Probability of DG failure)

(Probability of loss of offsite power) x ((Probability of failure of turbine driven AFW pump) (Probability of nonrecovery of offsite power in 30 minutes) + (Probability of nonrecovery of offsite power in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months )(Probability of nonrecovery of diesel generator exhaust stacks)) = (6.0E-5)(1)(1) x

((3.48E-2)(.8) + (.38)(.1)] = 3.'95E-6/Rx-yr.

The probability of component damage due to wind generated missiles is the product of the frequency of a high wind velocity and the probability of the component being hit given The the high wind. These values are given in Table 3.5-2.

frequency of wind speeds is listed in the first column, with probability of failure due to missiles given across the top.

The failure of the component due 'to wind pressure is represented by a 1 across from the appropriate wind speed.

It should be realized that both the emergency coolant injection and the secondary cooling must fail in order to cause core damage. Therefore, a scenario leading to a core melt sequence would require failure of 1) the CST and RWST. or 2) the CST and service water system, or 3) the control room, or 4) the diesel generators and random failure of the turbine driven AFW pump.

These calculated probabilities are extremely small.

3.5.3 Potential Modifications The only wind vulnerability contributing greater than 1.0E-6/Rx-yr to the probability of core melt appears to be the collapseThe of the diesel generator exhaust stack due to wind loading.

stack currently exits the diesel generator room at ground level, makes a right angle turn, and travels up the side of the building to extend beyond the roof. Construction of a wind barrier, provision for' sturdier supports. or a design that ensures that the stack breaks free yet allows air flow would all reduce the vulnerability. The dominant remaining core melt probability wou'.d be contributed by a missile entering the control room (probability of 0.45E-8/Rx yr).

1-37

1 4

Table 3.5-2 Tornado Wind and Missile Hazard / Fragility .

For Equipment / Structures, Systems, and Functions for Point Beach , . . . . . . , '

[

Failure Probabilities Functional Failures ** ECI/ ECI/ {

- secondary Secondary Secondary ECI Cooling Cooling Cooling RCI ,

a ,

Diesel Equipment / Structures / Control Generators ,

System Failures ** SWS Room (Both) CST RWST .

l Mph Frequency * ** l 74 5.38E-4 4.01E-4(1 1.57E-4 4.58E-S 2.40E-3 4.30E-3 ECI= Emergency ,

u 93 3.20E-4

' Coolant -

[ ~

Injection 1.04E-4 Y 4 134 .

SWS= Service Water U 160 SE-5 1 System 182 2.19E-5 CSTs= Condensable 200 2E-5 Storage Tanks -

234 3.95E-6 'I I f RMST= Refueling Water 290 6.30E-7 349 7.33E-8 '

t 'r I 1 1 Storage Tank j -

i

Frequency of Exceedance (1) Probability of Missile Impact e

D s

I i-

I l '

i j 3.6 Liahtnina inmivais i

i Each year at nuclear power plants lighting strikes occur which result in reactor tripe. loss of offsite power, and equipment i failures. The uncommonly high frequency of this special emergency requires an analysis of the consequences a,nd potential j

contributions to core melt probability.

This section will present an overview of the methodology for evaluating the vulnerability of a power plant to lightning .

strike as well as quantification of the resulting probability 1

of core damage for the point Beach Nuclear power plant.

Further details of analysis methods as well as a compilation of i relevant Licensee Event Reports are presented in Appendia E of ,

t this report.

i l 3.4.1 Analysis Methods l I The evaluation of plant vulnerability to lightning strikes and i i

subsequent determination of potential contribution to core melt !

j probability performed in the tap A-45 program utilizes the

i following stepet 4

i a. calculation of the lightning frequency of the site.

b. calculation of the percentage of "damaginga strikes. ,

l c. evaluation of plant lightning protection. l 1

d. evaluation of critical compo'nents.

4

e. evaluation of core melt probability contribution.

I The calculation of lightning frequency is determined partially i f

by the number of thunderstora-days each year for a region and l'

then by the number of cloud-to-ground strikes for a particular i site latitude.

The number of thunderstora-days per year will be taken from a figure provided by the U.S. Meteorological l Service and included in Appendia H. Several correlations exist to calculate the number of cloud-to-ground strikes for various regions of the United States. For this study, the relation-l

ships to be used are Ground Flash Density (ka-2yr-1)

! Location c.117 j Northern U.S. 0.177 l

Southern U.S. !

where T is the number of thunderstora-days for the locality of J

interest. To confirm this correlation and to obtain the range of pcssible values, a second correlation developed by pierce l

will be used as follows: f

~

' 7-4/

i i . !

I

-- m = . ....n--. . . . . .

....? _ _

l I

f Cloud-to-groundglasg.

(0.40t0.20)T ka yr-density =(0.1+0.35sinlatitude)x -

l t

The percentage of these ground strikes which can damage a plant l r

are highly plant specific and dependent upon the adequacy of lightning protection systems. NRC recommendations suggest that f plants be designed to withstand a strike of up to 200 kilo- l asperes (kA). Since it is beyond the scope of this program to !

verify the successful operation of these devices, it will be ;

assumed that existing plant lighting protection is adequately designed and maintained. Studies indicate that between one out i of one hundred and one out of every thousand ground strikes escoeds 200 kA in current. In this program, we will estimate.

the probability of a lightning strike being powerful enough to f exceed the protective features to be .01. That is, one strike out of every hundred will have a current greater than 200kA and l l

will be able to damage the plant. ~ i The evaluation of plant protection will be extended only to a ;

literature review, a site visual confirmation, and discussions l with plant personnel. The literature review will be limited to i studiss performed by the plant or information provided in the !

Final Safety Analysis Report which describe the lightning protection and ground grid system. A site visit is then f conducted where the air terminals, earth shield wires and ring conductors are visually confirmed. Additional discussions are held with plant personnel to fill any informational gaps concerning the ground grid system or past lightning occurrences, j i

The evaluation of critical components is performed in conjunction with the internal analysis of transient initiated :

events. This approach allows the analyst to identify the i

success criteria of front line and support systems needed to assure decay heat removal following a reactor trip, loss of .

offsite power, or other transient which could be caused by a !

lightning strike. If multiple systems, or multiple trains of a !

single system, are available for decay heat removal, their .

sources of water, electric power, instrumentation and control, ,

etc., must be investigated for common mode failures. Again, ;

use of the internal analysis fault tree methodology allows a straight forward approach to this analysis. This approach results in a concentrated list of front line systems and i necessary support systems which will prevent core melt if protected against either simultaneous lightning initiated failures, or a lightning strike in conjunction with any number of random system failures. ;

I The calculation of the probability of failure of decay heat :

removal systems following a lightning strike is the final step in quantifying the contribution to core melt. Given the ;

frequency of lightning striking the site with a current greater I than 200tA, estimates must be made concerning the probability of striking a critical system. If a single system must be hit to lead to core melt, the assumed probability of such a 3=4:

l l

_ _ _ _ _ __ _ _ _N

l 2

. . . . . .. .. . l l

! s

! critical hit, given all of the available targets on the plant site, is very conservatively assumed to be one in tes-(0.1).

However, if a second independent train is available for success '

, ful operation, then the probability of either a second lightning i

strike or a random system failure must be multiplied by the initiating system failure probability. Multiple systems would .

likewise require multiple lightning strikes et multiple randos {

j, failures according to the following equation: ,

! Core Melt Probability = T [( )(A)(Pgg)(Phit)3 IIII*

(Rg )(T)(( )(A)(Pgg)(Phit}

IIII+* * **

i (3g )(2 2) * *

IIn-2)IIn-1)T gg )gg)gygg)gyhit))gyg) i I !

! where T = Number of thunderstora-days per year for the !

j region l l

i Ng = Number of lightning strikes per km2-year i A = Area of the plant site in km2 Pgg = Probability that the lightning current exceeds l the design basis ;

I P hig = Probability that lightning hits a critical l

component -

i [

~

NR = Probability of nonrecovery (0.1) l

a . Number of independent. redundant trains !

available to prevent core melt !

t l Rn . Probability of randon failure of the nth !

train 3.4.2 LiShtning Vulnerability 1

l j

Using the U.S. Meteorological Services chart of thunderstorm-i days in the United States (see Appendix H) for Point Beach. it j is estimated that the site would expect approximately 38 ,

t thunderstora-days each year (T). The correlations for ground .

i

! flashes (Ng) for the northern U.S. derived by Horn and Ramsey !

E

) is Ng=0 11(T). This correlation predicts 4.18 ground flashes

! ka-2y r-1 for this northern U.S. site. Point Beach is j located at latitude 44*17.0'N which. using the equation derived !

by Pierce, predicts a ground flash density range of: -

, e l Ng = (0.1+0.35 Sin latitude)(0.402.0.20)T ka-2yg-1 i l . or Ng = 2.41

7.84/km2y r.

3 42 l

y This will be taken to be the range of. ground flash densities for Point Beach while the value of Ng = 4.18 v peri'bsed as.a -

r pointestimateofthenumberofstrikesperkmg11b yr.

It is assumed from the literature review, site inspection, and discussions with plant personnel that the plant was designed according to NRC recommendations that the plant be ,able to with-stand a lightning strike of 200kA. The probability of exceed.

ance of this current is taken to be 0.01 as seen in Appendix H.

Figure H-2. Therefore, the probability of lightning strikes in the Point Beach region wnich will excegd the design basis is l

estimated to be (4.2)x(0.01) = .042/kmayr. To simplify .

calculations, the Point Beach site will be conservatively estimated to be 1/4 square kilometer in size.

The transient event trees developed for Point Beach in this program show that either the auxiliary feedwater system gg the bleed and feed mode will successfully remove decay heat following a transient. The auxiliary feedwater system consists of multiple trains such that the probability of randon failure of all trains is exceedingly small and a single lightning strike cannot fail all of the independent trains. Likewise, the high pressure injection system has multiple trains which are very unlikely to independently fail. However, electric power is i

needed for the starting and running of pumps, operation of valves, and instrumentation and control. Therefore, the limiting core melt scenario would require loss of both DC electric power trains to cause damage to both units. Both units would be damaged because they share the two DC power trains.

Each DC bus can receive power from offsite power, the gas turbine generator, the associated diesel generator, or the batteries dedicated to that train, however, theThe diesel generator scenario where requires the DC batteries in order to start.

both DC power trains fail due to random or common mode failures is part of the internal analysis of Chapter 2. In this section, the postulated transient involves either two lightning strikes l

hitting the two DC buses, or a single lightning strike hitting one DC bus while the other DC power train randomly fails.

l These sequence probabilities are calculated as follows:

CoreMeltProbability=T((E{)(A)(Pgg)(Phit)) (NR) +

T((Uf)(A)(pgg)(Phit)) (NR)(Rg) where T = 38 thunderstorm-days /yr

.Ng = (4.2 ground flashes /km2 y r)(1/4 km2) , t,og flashes /yr

2. ve t 9

A = 0.25 km2 PkA = 0.01 P hig = 0.1 NR = 0.1

.- l It should be noted that the term denoted hP it is a 111r conservative assumption that one out of ten lightning strikes greater than 200kA will damage a DC power train. This assumption is probably too high. however, it is beyond the scope of this analysis to trace the pathways of lightning pulses and then assign probabilities to these pathways. The use of a value of 0.1 for Phht will yield an upper bound for the damage of a DC power traan.

Random failure of a de power train would either require failure of the DC bus (3E-5) or loss of the power supply from the battery (.02) and the gas turbine (.5) and the loss of offsite power. (The failure of the battery will cause failure of the emergency diesel generator to start.) Failure of the battery due to test or maintenance (8E,-5) is included in the number given for loss of the power supply from the battery.

The Licensee Event Reports (Appendix H) indicate that loss of offsite power is a fairly common occurrence during a powerful thunderstorm. Therefore, it will be assumed that offsite power is lost one half (.5) of the time when lightning storms effect the plant.

The calculation for random failure of a DC train of power, then, is as follows:

Rt = (DC bus failure) + (Loss failure)x(Battery failure) of offsite power) x (Gas* Turbine Rt = (3E-5) + (.5)(.5)(.02) = 5.03E-3 The probability of core melt is then calculated to bet I

Coremelt=T((Uf)(A)(Pgg)(Phit}I I )

T((Uf)(A)(PkA)(Phit Il(" }( 1}

=38((SyfA)(.25)(.01)(.1)]I(.1)+

30 ((1yf1)(.25)(.01)(.1)] (.1)(SE-3) l

= 2.9E-9 + 5.20E-7 = 5.3E-7/Rx yr l

2- vr

3.6.3 Potential Modifications It can be readily seen that all assumptions are extremely conservative in this simplified analysis. Nonetheless, even the worst case lightning scenario does not contribute In addition, signifi-cantly to the ovocall coce melt probability.

proposed internal analysis modifications for Point Beach include a dedicated diesel generator battery which will lower the random failure probability even more.

It was impossible in this program to analyze the subtleties of lightning strikes damaging the control However it room would be and then highly assess the recommended possible consequences.

that this building be adequately protected against all lightning strikes according to the Lightning Protection Code NFPA 78.

The high incidence of lightning strikes suggests that adequate protection is imperative. .

3.7 Sabotace Analysis Prior studies have suggested thatcan unauthocized be a major source of activities by insiders (i.e., Plant vulnerabilities.i.c 9, personnel)Such AO acts may include deliberate valve misalignment, impropec set point adjustments, physical damage to small diameter cooling lines (e.g., oil and bearing cooling on safety pumps and diesel generators), improper installation of beatings oc couplings and so on. Many such acts, in and of themselves do not cause core melt or a significant radiological release, but given an initiating event such as a loss of offsite power, the failure of theseItsafety should components can lead to an increase in public risk.

be noted that in these investigations This was the use of explosives by based upon the earlier insiders was not considered.

studies 10 which suggest that there is such a variety of ways an insider can disable equipment that explosives ace not really required. Also, it is presumed that current security measures will prevent the introduction of conmercial explosives into the plant.

For purposes of this program, direct overt actsThe on evaluation the of part of an outside group are not considered. It site security is outside the scope of these investigations. the requirements is presumed here that those plants which meet of 10 CFR 73.5511 are capable of adequately dealing with the external threat. Further, the emphasis on these insider activities is directed toward the potential system vulnerabilities and what can be done to reduce or eliminate them. The analysis takes note of existing administrative and security policy and procedurcs as appropriate >. including their potential influence upon insider activition, but it does not examine in detail the effects of changes in such procedures.

The following sections outline the methodology used in the-sabotage analysis, some conclusions drawn and modifications recommended. A moco detailed description of the effort is presented in Appendir I.

1-vc

1 . .. .- . _

, .. . _a- ,

3.7.1 Analysis Methods This analysis uses existing information to the nazimum possible estemt and builds spea earlier studies related to insider sabotage. .

Identifientian af centiaal syntama. Earlier' systems studies 12 have generated genezue lists of equipment important to the -

preventies et eere molt. This was supplemented / revised based upea the plaat speettie event trees and system fault trees developed elsewhere la this study. The results et the internal and special emergemey analysis were used to identity speettia vulnerabilities (if any esist) that might be emploited by as insider. Esisting vital area analyses were also reviewed to sostica the imelusies et particular itene in this study.

Identifiantian ei! saaeifia Vulnerabilithan. In addition to systen vu;,aesabloities previously identatied, individual sospensats were essaised for vulnerabilities that might be used .

to create unasseptable conditions.

Davala rrat af Prasaduras. Damien chaneas er Madifientiana ta maduce vuinarahiittian. The results of prior studies were used to suggest design changes that could reduce vulnerability.

Comeurtently, meditiestions being proposed in other portions of the program were aussiaed to establish their influence, it any, upea sabotage vulnerabilities. Although the tosus was en potential hardware changes, procedural changes which could aff ect vulnerabilities were also seasidered.

"Quantufientiana af sahataea caatributtaa ta care Malt prohahx11tv. previous studies related to sabotage protection have set attempted to put sabotage into a probabilistie saleslaties. The results of the internal analysis and other special energesey analyses are used to attempt to do so here.

Although some insights were obtained, in general quantification in the usual sense was not achieved.

Davalaement af famaat af Franaamd MadLfientiana. Some specific obanges which appeared to have potestaal for improving protection and reducing the probability of core melt were submitted to the architeet-engineer for eoseeptual design, easting and evaluation. la some instanees, these were the modifications proposed to handle other issues, value."naaet manamanent. This evaluation tellos fairly heavily on engsneering judgment and experience because of the major

%,... dif ficulty in quantifying core melt probabilities f rom sabotage.

3.7.2 Sabotage Vulnerability As reported in Section 2 and Appendix 3. the probabilistic assessment of system reliabilities and contributions to core melt P&7

e i l

- i s

established six potential vulnerabilities as major l eentributors. These aret I

1) Failure to switch over from injection to recirculation l

2) station Riaskout due to common mode battery failures j i)' station Blackout due to battery and diesel generater i failures , (

4) Failure of ECC recirculation due to RNE pump cooling failure caused by valve failures

5) Failure of ECC injection due to CCWs failure caused by '

valve failures

4) Failure of ECC injection due to CCNS failure caused by lose of seeling from SMS through CCW heat exchanger.

The contributing out sets (component failures, operator errors and maintenance outages and combinations thereof) were examined j for vulnerabilities or failures that might be esploited by an ,

insider. l The potential vulnerabilities identified in the internal analysis (failure of operator to switch systems, over-charging r or battery failures, aisalignment of valves) are reasonably ; l subtle in terms of causing core melt. At least one other ' '

event, an initiating event, must also be asused. In several '

instances the modifications proposed to reduce randon failures (e.g., added alarma, more frequent load tests) also effectively j inhibit internal sabotage. Other modifications (e.g., parallel r flow path), although effective against random failures, would not preclude deliberate valve misaligaments or valve damage.

The special emergency analyses for the natural phenomena, earthquakes, external floods and winds did not reveal any vulnerabilities which might be initiated or exploited by an insider. Da the other hand, some events associated with fires and water spray, especially fires, may be exploitable. The j analysis of potential fire vulnerabilities revealed two areas ;

of concerns

- Auxiliary Feedwater pump room fires l

- 4160V Switchgear room fires.

In the pump room there is potential vulnerability because of close cable spacing and possible failures of detection and suppressior.. This vulnerability is reduced with added fire suppression. Fires in the 4140V switchgear room are a concern i because of the potential for common mode failure of multiple i

trains. otviously this is also a concern in terms of deliberate acts, bacause a fire has the potential to be the !

. 1=99 l

]

l !

1 i

Ii initiating event and concurrently disables required response systems. The modifications proposed to reduce vulnerability to -

l randes events should also decrease the attractiveness of these areas as targets. Additional review of the plant layout and equipment has revealed other, although related vulnerabili-ties. There are locations la which valve misaligaments can be <

set up and/or valves damaged to prevent prope's operation, other I locations in which switehgear can be disabled and other !

, locations where basis equipment may be tampered with or '

disabled. Bewever, it must be stated again that the majority .

et these vulnerabilities is sad et themselves do set lead te (

sete damage er oore melt sit %ations. These vulnerabilities do

~

play a significant role, bewever, it an initiating event oceurs

- which leads to reaeter'serasiand requires safety display I response. Beesuse the opportunity for adverse action is so ,

I prevalent, some possible meditisations to reduce l l

vulnerabilities are sug'gested, ,

l 1 3.7.3 potential Meditiestions !

J Modifications to reduce or eliminate the types of vulnerabili- l

) ties described above may be characterised as procedural, !

equipseat or layout modification or substitutional. !

Procedural Modifientions. procedural steps to reduce ,

, vulnerability to adverse insider #gtivities have been discussed !

I at some length La other research.LU An obvious technique to j i

~

prevent covert sabotage by a single insider is to institute administrative procedures that prevent any single individual !

tros having aseoas te vital equipment, such procedures may'be i implemented via two-person ruled, soeurity watches, or remote i i

ccTV surveillaase. These approaches have been referred to elsewhere as ateam soning.* The underlying concept is that ;

each member et a two-person team has the opportunity to observe '

j or deteet unauthorised actions by the other. It remote .

I surveillance is used, the individual performing the surveillance has the opportunity to detect unauthorized actions l

(

by the person actually pertorniaq the inspection or !

l maintenasee. The potential detection of unauthorized activity I thus serves as a deterrest.

mauinment or Layout Modifientions. It is possible to examine !

I each individual piece et equipment and suggest specific meditiestions, however, that is not done here. There are several reasons for such an approach. First, it appears to be a generally held view (shared by the authors) that the knowledgeable insider can, by definition, cause harm it he so That is, regardless of how a piece of equipment is desires.

changed, someone, sometime, must maintain and service it.

Thus there is always an opportunity for access. Second, l design changes may reduce or alter component vulnerabilities, j

i but they cannot eliminate all of them. Third, the potential ausber of modifications is substantial, even it one only l

i attempts to address some traction of the vulnerabilities.

~

1-49 i !

i 1

i, . ..

i 1

f l

1 f

Therefore, no specific modifications are discussed.bere N ,

l although a variety of types are considered in a generic way in' - i i

Appendix 1, including some discussion of their value.

1 l

substiuutionah Modification. To address the full spectrum of

, potentaal sodafications for reduction of DNR vulnerabilities, i an add-on train of' auxiliary feedwater and primary. makeup is i

{ It should be noted that this approach t [

proposed.

sabotagehasbeendiscussedforanumberofyears.g*gountering The ;

' system is described in more detail in Section 4.0 and Appendix ;

- \

Ideally, the add-on train would have independent penetrations i to containment to provide as much separation and independence l l as possible. However, it is recognized that on most plants

i spare penetrations of sufficient size are unlikely to be l available. Therefore, it is acceptable to provide these additional feedwater and mateup tie-ins outside of containment I if necessary at Point Beach. Feedwater lines pass from the j auxiliary building to containment at Elevation 488 Although they are not enclosed in a pipeway, they are protected from

!. exposure to weather by the general structure which surrounds containment. A similar situation exists for the steam lines (atmospheric dump valves). The designs for such add-on trains

{ .

I previously proposed included a separate line and dump valve, but it may be necessary to use the existing steam lines, at {

least in part. Safety injection and primary system makeup lines enter containment via a valve gallery and pipeway at . [

Elevation 8' from the auxiliary building. If space j

) penetrations are not available, it may be possible to provide 2 the tie-ins to seal injection and safety injection in the pipeway. It is recognized that system independence may be compromised to some extent without separate penetrations for l

the add-on.

As a first priority, the addition of a single add-on train of feedwater and primary makeup, housed in a seismic 1 structure j l' compatible with existing containment, should be examined. The The r structure should have a minimum number of access points.

j second priority would be to consider the addition of two l

trains, which may be housed in the same structure so long as 1 train independence is maintained. A third alternative that may j

be considered is the addition of a single train in which the active components (pumps Move, etc.) are redundant but the 4

}

connections to the ses and pcs are not.

i l

\ .

l .

I 1 ,

I i

i 1*TO f t

i

- , - ~ , - - - , . m,.w,--.m -

_ , _ - - - _ ~_-~_...-.m _

f -

4

! 3.8 Su===rv of Soecial Emercency Modifications s.

Table 3.8-1 presents a compilation of the Point Beach dominant.

vulnerabilities for each special emergency analysis performed in this study. The table lists the initiating event and then identifies the vulnerable area or specific component (s). The core melt probability is given both before and aft'er any proposed modification. In the case of the seismic analysis, since the entire plant " sees" the ground acceleration, only a total core melt contribution due to an earthquake is listed.

Sabotage vulnerabilities are not explicitly shown on Table 3.8-1. But, as noted in Section 3.7, a number of the special emergency vulnerabilities have sabotage implications, so that sabotage conderns are implicitly in'cluded. .

\

f 4 ,

s > + s a D k

4 9

w.

O O

s 3-5*/

.i e

I e

,a..o. ,

s* . L. e - . .

Table 3'.8-1 summary Table of special Energency Modificatione s

! t.

Vulnerable core melt modified core Welt l l

3attlettag Event Area / component probability /as yr Proposed modification probability /gs yr ,

setemic Refuelleg water Use opent fuel pool as a selenic category I i storage tank backup water source for CPI or Lal Electrical cabinete Provide aJJitional anchorage for the 4160 V and battery rache safeguards buses, 400 V trameformere and tranatormer buses, si pump buses, lastrumentation <

power supply inverters, battery chargere, and battery racke %

poaV instrument Install an additional safety class 3 mitrogen *>

air system bottle ayates for each posV setemic Total = solemic risee =

8.is-6 9.38-7 Fire ArW Pump room 1.35-5 Instatt an automatic dry-pipe proaction type water suppreselon system and waterproof 33 pumps and control circuit besee in the goom S.es-1 4 .

I (let switchgear 2.65-6 pelocate mais batter distribution bus DO-1 6.98-7 b8 . and its charger and averter in another fire some .

Internal riood service water 7.75-5 Estead dividing ws!! between pumps to the 7.75-0 '

pump room ce!!!ag

~~---

Enternal flood Turbine, Auaillary 1.95-8 Nome l and SW be!!dinge satreme Wlad DG eshaust etache 4.0s-6 None -----

i Lightalag De bue 5.38-7 None -----

e i

l l .

. 8 s

1 i

e

'\- /

k ,_. .

j

? ,::b.;#.'

~*% 9*3:ys:;.:*w:v .

plll:lll:p;b?4:.

.p":yN

< ':: s

g : ,: $p

+**

?:

<::::,9

~

s

iib!ci!!!.l5ih, !$*:*?

+9:*<

5::.

!E9:

~i;*

5' :#%,ll.f"*:'*;# #*Ilil555! 6:-

%}:ij,,!!:)N:$l:r

~

% !*> ,c

5

<%,5l{:ll::p,'

c t>: ::

4li!g!!!r "'

e. ,e:!!s, E"*%:le.t.

!:5it;,. 4:?'??y::;;p,;j;g %;*

f:s s ,c;;p. c,.y > > +

l+

%:!lif::$:.:*i>>:."'%.>:5,s,,

ggj.".,: p. ~~

$ 5

,<.h+hi$5:!'i?';$5*5$il:g.?5

.s 4>y.

> w,c.s 2.:.ssN:r.p:.:::::<:

p. p>.<:.

n p. 7 s s c ,9

- "*0ll!<.,

~*%<*i*~f%. *ll.:llr:: $5 N:$!!,:!!f:!!:g:l;e

. ^

'~:::4, 4.<c

{

l l

,F', (O. f. .. ..s, 31i fMR.

A ' .h.....l '

gr RW W / '*

j

) 2.0,000 )J 'RB t 2. 3 4- T G ~1 1 8 9 l c=

b4 i D:1 c '

N :><^,

a N "

i '

Lo Lo Lo to gp g NAwue whe- pu h e I

i Q .

- %V l f I

i O O .'

4 i+ I S' lb i 17 ff 19 ss ss A m. J1 84hn%I to

.= i t -

I

/

A \ Avr CST I 1

200,000 )A l V V 11 12- 13 1

g hF v3 u to St GFW l l PJhP i ., i 124 0 '37^ go 2.l 22. I 1.') 24- 2.f

d h

l

_m 94 I

WWs IA

'.h .

e p o.sr v%.* Aoo- m i u n m e:,m-, ne w e.c Tr<nwis l (NMawe P4+c /ca.- 2 st 3 !

O Ase 2_-16, Fi6 uns 6'95/ e' -%

i

" ~

Figure 4.1 Simplitled Schematic for Dedicated Add-On With Emergency Feedwater and flic" essure Make-up Water .

-f ,

l

Each of the components shown in the system diagram (Figure 4.1) is depicted in the fault tree (Figure 4.2). If there are .

I multiple failures for the component, these are simply shown

below the event box. The acronyms used in the event names are

F.ailures : OE Operator Error ,

. l f LF Local Fault (hardware) ,

TM Test & Maintenance * '

i; P Plugging I Event Names: ACT Actuation RWST Refueling Water Storage Tank CST Condensate Storage Tank MV Manual Valve I MOV Motor Operated Valve AOV Air Operated Valve CV Check V.alve HPMP High Pressure Makeup Pump EFWP Emergency Feedwater Pump DG Diesel Generator BAT Battery TRANS Transformer CB Circuit

Breaker LOSP Loss of Offsite Power Several assumptions were made in the fault tree model, quantification, and subsequent use in the value analysis.

These are:

1) All the equipment and the structure containing the equipment are designed to withs'tand all special emergencies.

2) All the equipment is designed to standard safety equipment specifications.

3) There are no common mode interactions between the redundant discharge legs of the emergency feedwater subsystem.

, 4) Rupture of the add-on system piping has an insignificant

failure probability and thus is not modeled.

5) Offsite power directly from the switchyard will be used to power the add-on system whenever it is available.

6) The system will be automataically actuated with backup actuation by the reactor operator.

Since there are no dependent or common events between branche(

of the fault tree, the quantification can be accomplished

directly from the fault trea without any complicated Boolean

manipulation. The event failure probabilities are given in Table 4.1. The expression representing the fault tree is given below in equation form with each Boolean event and its associated probability; for example, ACT-OE/3E-3 means that

. 4 -3

e i ( f'.-

g in e :n.a, l .

FAltufM- of %* '

A00-op l WSTFM i f\

m 1 I I I FAttur34 10 Fait wre oF FAitua+ oF P Alcut 4 op.

AcTLA TE gp h4y4uP 6 h e f= *c.y EWclRic WA1WL Sv5 Fw Tyf Pows

A A a ,a .. !

+I -s i

+ .. . . - -

. . . . . . .._ . ~ . . . _ . ,

F6tWN OF P Alt-s it+ of FA n'~'5+ op OL %(> " ** oc PAnww on FAla v M oc '

Ata (twsr tpv 7 Hehp I "3 d* ' * **V hou? hug onises+ f f NT houl-LF n etW -LF- D [-P gs ov7 -LF tiu'l-l.F l how l - T ii MPif-Til hou?-Th hv9 -T h

I I I I l ;

FAltsN- of- Fook op Fait

oP FAnt ut4 oF P A n wit + op- WW

I hvi hv3 ,

h v4- A ob G cv / cvlo i I

e%-

tw a -t F ' hv 3 -L P hv4 -LF o cub -LF c u f - L F- CV lo 'LI~

hv i- T t1 hv3 -T h 12v 4 -TH Aou-TD

, I Figure 4.2 Point Beach Potential Add-On SDHR System

y [ *' ,

I {

'.e,.

l l '-

esiLu a oe

6hvnGN*V/ -

"[.#! !

lFW 1/5 l. ,

p i' D ,

,i l 1 ,

F'AILvN se FAltunG ik e e- e.nc se . ..-

TEG h e-F1- 3 EG heeJT' S , ,

n .

' ^

6 l

i I j

r%

I .

l+' ,

~

' l l l l ' '

~

FALL' N IH FWtun o p FAiu n+ oe 4 Fniwa+ or- edia.~o-, og I j hb7 CST gy g3 36l M.SecD* g L.s w ,

e gg g7 ,

Sesis et-T l 5'iG tit e-T C.ST *

Mv l2. -L P- hvi3-t F- gs Hull-TM hut 3 -T I) g g g 3 i FAlWA+ OF ' '

FAltvN OF F AIL-o+ oF PAncaM- op FAntv24 ob l 1109l1 t F* P4SP Aouif c v g-) MV 19 -

f _

..t - _

liob il - LF- epwp - [.F AoulftF C\sl7-L F- MV l9 ' LP-hou ll- TI) tF 6P - T r%. ,,,v g y ,T h -

l Mygg ytg (,nr PLuGcn.c oP PA .m o p r<ut.v9 oe-hem e-nor gjoy su cy ,g . ....

oaiFiA: l4

,z. _ . . ,

) Hou 8L-LF g jog 4 ,p ' h ov % -T 4 . CulF -LP '*

[

. ...s..-...._. .g ,

I Figure 4.2 Point Beach Potential Add-On SDHR Systela (continued)

~

N

. N . , _

i Lt! .

< 0 (r a E-ie

. 1T .

D

. M5- 8 <

r; o

2 1

>1 zz 4.

fs i 2}> ,e io

]ge j -

~

J J ,,

l if 44

(

Q

?

i lli<$

i -

! b

@+ 1 3a 3_ 3 , t 6 -

l

,- a.

4s k)u c.

o < %

u a

1

/< N C _

sf

>F*

J1 o

U 3gg 3

u yeI $ $ fl a Ta ;- g

$0 Q L N A kG R G

2,xk { s - 3 2 cz ( ;

-4 j. ) I a.

m

<ae b n,3 rs a cz

- J, =

o 9 e i ,Lc _

(V t/2 ag . 55 <

~

, t* $f

-s JJ

{2 e 1C j d- k

fI f d*e 619 n.$J U

S

~

M l '2 g30 ._ g 9

' % U J eqi T @

l 4 'l" e a ff C i,1

\

et

<to u <,

s- :

=

i l'. QO C, O L" d N L0 2, p _

J * <

2Aa 9

e l i <,* 1 E d (ec< c7 y w cc e ce k 'h /

-t x e ,

i I jotd m m$ eo4

{$r3 "3 t -

14 3D' b .J p t

_ ct i .

( :,1 '

eo cd i.i oo 5 b j -

4-6 . !

I

1 Table 4.1 ADD-ON SYSTEM VALUE BLOCK Failure Event Probability Source h-ACT-TE 3E-3 Ref. 13, Table 20-7, item 3, short list,

.4 no checkoff ACT-LF/TM SE-3 Ref. 14 Table BIO-2 RWST 0 No observed tank failures '

CST O No observed tank failures MOX-P 3E-4 Ref. 15. Table 5.1-1, item 4.4.1 EPMP-TM SE-5 Ref. 13. Table 20-7, item 1, failure to restore after T&M (IE-3)(1/12 monthly check)

EFWP-TM 8E-5 Ditto EPMP-LP 4E-3 Ref. 15, Table 5.1-1, item 1.1 (3E-3/d) +

(3E-5/h) x 24 hrs .

EFMP-LF 4E-3 Ditto CVX-LP 1E-4 Ref. 15 Table 5.1-1, item 2.4.1 MVI-LP 4E-5 Ref. 15 Table 5.1-1, item 2.1.2 (1/2) x(lE-7/h)x(720 hrs) monthly test interval ACVX-LF 4E-5 Ditto MOVX-LF 3E-3 Ref. 15,* Table 5.1-1, item 2.1.1, failure to open on demand MVX-TM 8E-5 Ref. 13, Table 20-7, item 1, failure to restore after T&M (IE-3)(1/12 monthly check)

AOVX-TM 8E-5 Ditto MOVX-TM 8E-5 Ditto DG-TM 8E-5 Ditto .

BAT-TM 8E-5 Ditto DG-LF SE-2 Ref. 15. Table 5.1-1, item 4.6 (3E-2/d) +

(3E-3/h) x 8 hrs allowing for possible restoration of offsite power

- BAT-LF 4E-3 Ref. 15. Table 5.1-1, item 4.9.1 (IE-6/h) x (1/2 yr test) x (8760 hrs /yr)

TRANS-LF 2E-5 Ref. 15, Table 5.1-1, item 4.5.1 (IE-6/L) x 24 hrs CB-LF 3E-5 Ref. 15. Table 5.1-1, item 4.1.2 LOSP 1 For LOSP initiated transients 0 For all other initiating events since the failure frequency of LOSPs already included as lE-3 X E variable depending on the component number

+ -7

I 3E-3 is the probability of the event ACT-OE, actuation operator error.

Failure of the Add-on System = the sum of

__ (ACT-OE/3E-3

ACT-LF/5E-3) + RWST/O + MVl-LP/4E-5'+ '

MVl-TM/8E-5 + MOV2-LF/3E-3 + MOV2-TM/8E-5 + MV3-LF/4E-5 +

MV3-TM/8E-5 + HPMP-LF/4E-3 + HPMP-TM/8E-5 + MV4-LF/4E-5 + *

,; MV4-TM/8E-5 + MOS-P/3E-4 + AOV6-LF/4E-5 + AOV6-TM/8E-5 +

MOV7-LF/3E-3 + MOV7-TM/8E-5 + CV8-LF/1E-4 + MV9-LF/4E-5 +

MV9-TM/8E-5 + CV10-LF/1E-4 + CST /0 + MOVil-LF/3E-3 +

MOVll-TM/8E-5 + MV12-LF/4E-5 + MV12-T'!/8E-5 + EFWP-LF/4E-3 +

EFWP-TM/8E-5 + MV13-LF/4E-5 + MV13-TM/8E-5 + (M014-P/3E-~4 +

AOV15-LF/4E-5 + AOV15-TM/8E-5 + MOV16-LF/3E-3 +

MOV16-TM/8E-5* + CV17-LF/lE-4 + CV18-LF/lE-4 + MVl9-LF/4E-5 +

MV19-TM/8E-5) (MO20-P/3E-4 + AOV21-LP/4E-5 +

AOV21-TM/8E-5 + MOV22-LF/3E-3 + MOV22-TM/8E-5 +

CV23-LP/lE-4 + CV24-LF/lE-4 + MV25LF/4E-5 + MV25-TM/8E-5) +

(DG-LF/5E-2 + DG-TM/8E-5 + BAT-LF/4E-3 + BM-TM/8E-5) *

(LOSP + TRANS-LF/2E-5 + CB-LF/3E-5)

After the probabilities for the basic events are summed the equation reduces to three, terms.

(1.87E-2)+(3.82E-3)*(3.82E-3)+(5.42E-2)*(LOSP+5.0E-5)

When the terms are multiplied out and combined, the equation further reduces to:

(1.87E-2)+(5.42E-2)"LOSP This indicates that the add-on system failure is dominated by five events in the first term (i.e., MOV2-LF, HPMP-LF, MOV7-LF, MOVil-LF, and EFWP-LF) and LOSP with DG-LF & BAT-LF. In other words, the probability of failure lies in the operating components and electric power. Finally, considering the two possible conditions for availability of electric power, the system failure probabilities become:

p(add-on system failure given offsite power is available,

= 1.9E-2 per demand and p(add-on system failure given offsite power is unavailable,

= 7.3E-2 per demand.

These values will be used in the value analysis outlined in Sectban-7.

4-8

5.0 ALTERNATIVE SELECTION AND INTEGRATION Twenty six individual potential vulnerabilities were identified during the initial internal and special emergency core melt _

probability analyses for the Point Beach Nuclear Plant. These vulnerabilities are given in Table 5.1 with the approximate -

core melt frequency attributed to each of them. Even though ~

the vulnerabilities and associated modifications described here were identified in a probabilistic type analysis,'the diversity of the modifications is such that many potential difficulties that might be envisioned are covered. Furthermore, as has been the experience in other programs, it is the support systems.

l not the front line systems which cause problems. Sabotage vulnerabilities are not explicitly shown in Table 5.1. But as noted in Section 3.7, a number of the special emergency vulnerabilities have sabotage implications so that it is implicitly included here. All of these vulnerabilities and the corresponding modifications are discussed in more detail in the appropriate subsections of Sections 2.0 and 3.0. Combinations of modifications will become~the basis for the alternatives.

In the early stages of the program during the safety criteria screening process, a number of insights regarding potential vulnerabilities were identified. These insights are listed in Table 5.2. Some of these early insights correlate well with the vulnerabilities found in the subsequent analyses. These are:

Initial Insights Internal and Special Emergency from Table 5.2 Analysis Vulnerabilities from Table 5.1 Item 2 Spray vulnerability Wind and Missile vulnerability #2 4 Internal Vulnerability #2 Internal Vulnerability #3 .

Seismic Vulnerabilty #3 Seismic Vulnerability 44 Fire Vulnerability #2 5 Fire Vulnerability #1 Fire Vulnerability #2 6 ' Fire Vulnerability #2

. 8 Seismic Vulnerability 48 To a degree this tends to validate the initial qualitative screening process.

While modifications were suggested for most of the vulnerabilities identified, only 14 modificatio'ns were carried Each of these modifications i

into the impact analysis.

l 5-1 -

__ _ __ .= . _

Table 5.1 -

Potential Point Beach Vulnerabilities a Approximate Contribution to

~' Core Melt Probability of Sequences Involv- i ing This Vhinerabilities Vulnerability

?

Internal 1 - Failure to switchover from 9E-5 ECI to ECR -i Internal 2 - Station blackout due to 2E-5 common mode battery failure Internal 3 - Station blackout due to lE-5 battery and diesel generator failures Internal 4 - Failure of ECC Recirculation 4E-6 due to RER pump cooling failure by a ,

valve failure Internal 5 - Failure of ECC Injection due 4E-6 to CCWS failure caused by a valve failure Internal 6 - Failure of ECC Injection due 6E-7 . . ,

to CCMS failure caused by loss of cooling from the SWS through the CCW heat exchanger Seismic 1 - Refueling Water Storage Tank 3E-6 Rupture -

Seismic 2 - 4160 volt Cabinets Fail 2E-6 (Seismic 2 through 6)

Seismic 3 - Battery Charger Cabinet Fail -

Seismic 4 - Battery Racks Fail -

Seismic 5 - 480 volt Inverter and Bus -

Cabinets Fail Seismic 6 - Instrument Air System Fails 3E-6 Seismic 7 - Fire Pump Batteries Short <1E-7 Seismic 8 - Diesel Oil Tank Rupture <1E-7 Spray - Fire Header Rupture Sprays on 8E-5 SW Pumps

~

. f-2

Table 5.1 (cont.) -

Potential Point Beach Vulnerabilities .

Approximate Contribution to

' Core Melt Probability of a

sequences Involv-

~

ing This Vulnerabilities Vulnerability Fire 1 - Auxiliary Feedwater Pump Room lE-5 Fire 1

Fire 2 - 4160 Switchgear Room Fire 3E-6 Wind & Missile 1 - Service Water Pump <1E-7 House Room Fails Wind & Missile 2 - Service Water Pump <1E-7 House Vents and Doors Fail Wind & Missile 3 - Control Ro'on Enclosure 9E-8 Fails Wind & Missile 4 - RWST Ruptured <1E-7 Wind & Missile 5 - CST Ruptured <1E-7

. Wind & Missile 6 - DG Exhaust Stack Fails 4E-6 Flood 1 - RHR Pump Room Flooding <1E-7 Flood 2 - Lake Michigan Floods Goveral <1E-7 ,

Rooms Lightning - Failure of DC Power SE-7 l

I w

ST-3

'y Table 5.2 N Initial Point Beach Insights 11 Remote Shutdown Panel Doesn't Meet Single Failure Criterion 2f Redundant Service Water Pumps. Safety Injection Pumps, and

,' Core Spray Pumps in Common Rooms 3.- Single Valve Exists Between CST and AFW Pumps

4. DC Batteries Serve Both Units

5. Redundant Safety Divisions occupy Same Fire Area

6. Fire Suppression Not Automatic in Cable Spreading Room and Switchgear Room -

7. Common Fuel Storage Tank

8. Diesel Generator Day Tanks Not Separated From Diesel Generators -

D

. 5-4

addresses a specific vulnerability and in a few cases more than one vulnerability. The dedicated SDHR system described in Section 4.0, however, applies to all of the vulnerabilities, internal and external, including sabotage. Combinations of modifications for specific vulnerabilities and/or the dedicated l SDER system are called alternatives. Five alternatives were l selected as shown in Table 5.3.

! As noted above, these vulnerabilities were identified on the l

b~ asis of core melt probability, but their scope is broad enough to include nonquantified events also. The total core melt probability for those initiating events covered in this program is greater than the sum of the individual vulnerability contributions due to the residual core melt probability that is attributable to internal accident sequences and cut sets that were not dominant and to special emergency events that were not i

quantified. The base case core melt probability is discussed l in detail in Section 7.1.1. The maximum potential value that

! can be obtained by a modification is the core melt probability of the vulnerabilities it addresses, i.e., to have a perfect modification which reduces that vulnerability to zero.

l The alternatives in Table 5.3 were selected to obtain a variety of potential benefits. Table 5.4 gives the preliminary estimates used in establishing the alternatives. In this stage of the assessment, a reliability factor of 0.1 was used for the dedicated SDHR system based upon earlier work.16 In Section 7.1.2 the failure rates with and without offsite power were used for the appropriate sequences. For purposes of the alternative selection the individual modifications were assumed to improve (reduce) the core melt contribution of any particular event by a factor of 3E-2.. This assumption was based on engineering judgment. The actual core melt probability improvement established by analysis after, the conceptual design was complete is used in the value discussions in Section 7.1.2.

Alternative one was selected to address the most important vulnerabilities that had been identified. Seismic was thought to be a more significant contributor in the original estimates. Based upon the above assumptions, alternative one improved the core melt probability by a factor of 3.

Alternative two also included the next two most significant internal vulnerabilities and the most significant fire vulnerability resulting in a factor of 7 improvement in core melt probability. Alternative three went one step further to include all the vulnerabilities with core melt probabilities greater than lE-6 except the wind and missile vulnerability number 6 which had a lower predicted contribution at the time of the alternative selection. This resulted in a factor of 10 improvement in core melt probability. These alternatives thus provided a good rango of potential improvements by grouping the suggested modifications by core melt probability ranking.

. T-T

ms Table 5.3 Point Beach Potential Alternatives

- Alternatives Modification: 1 2 3 4 5

. Internal 1 X X X X Internal 2 X X Internal 3 X X Internal 4 X Seismic 1 X X X X Seismic 2-5 X X X X Seismic 6 X X X X Spray -X X X X Fire 1 X X Fire 2 I r i Dedicated SDER .

System:

Single Train Add-on X -

X

, i All the Xs in a column combine into an alternative.

I l .

i l

1 1

~

. 5-fo

--n-,,m--w_ - . - _ _ _ . - - . , _ - - , . . - . - .

h Table 5.4 -

Preliminary Estimated Core Melt Probabilities Given Modifications Applied to Point Beach '

?

4 e J*

Total Core Melt Probability Before Modifications 2.6E-4 Alternative 1 7.5E-5 Alternative 2 3.6E-5 Alternative 3 2.9E-5 Alternative 4 2.6E-5 s

Alternative 5 7.5E-6 e

e d

I f

i e

i 5-7

1 N.

Alternative four considers the addition of a dedicated shutdown -

decay heat removal system by itself. It is assumed that this systen not only improves the core melt probability (a factor of 10 in the preliminary estimate) but also addresses certain unquantifiable vulnerabilities (e.g., sabotage) and aspects of the residual risk. Alternative five goes one step beyond to suggest combining the modifications from alternative one with th.e add-on system. The resulting predicted improvement in core melt probability for alternative five is greater than a factor J' of 30. This may be an upper limit on what might be desired relative to expected costs of the alternative.

In summary, the alternatives were defined assuming that

, individual modifications would reduce the contribution to core melt probability by a factor of 3E-2 where applied. This provided a group of alternatives of varying complexity and with predicted overall reduction -of core melt probability ranging i from a factor of 3 to a factor of 30. The impact analysis for these alternatives is discussed in Section 6 and the anticipated reductions in core melt probability based on the

analysis of the conceptual designs are presented in Section 7.

I e

l .

r 1

. S-8

6.0 ALTERNATIVE IMPACT ANALYSIS -

The impact analysis addresses the five alternatives identified in Section 5.0 which consist of various combinations of ten potential plant modifications including a dedicated shutdown

, decay heat removal system. Each of the modifications are first considered separately, then combined according to the alternative definitions to account for interactions between modifications during construction in an alternative such as scheduling or accessibility conflicts.

6.1 Methodoloov and ADoroach ,

6.1.1 Objectives The objectives of the impact assessment were to determine all the potential impacts resulting from the implementation of each J

alternative. These are: - -

1) Cost of equipment and installation of the modifications included in a specific alternative in 1985 dollars,

2) Cost of replacement power if required, in order to implement an alternative in 1985 dollars,

3) Cost of subsequent annual operation, maintenance, and in-service inspections that would be associated with the alternative in 1985 dollars, and

4) Radiation exposure involved in the installation of the alternative in person-rem.

It was also desired to obtain potential yearly changes to occupational radiation exposure due to the alternativ,es and replacement power costs if the alternatives would affect the i normal outage times. These two impacts could be positive or negative theoretically, however, they were both judged to be negligible for the Point Beach Plant.

6.1.2 Approach Given the vulnerability identification and proposed alternatives, initial design reports were prepared on each modification. These reports described the proposed design, interfaces with other systems and structures, the scope of work to be performed such as bill of materials and rip-out required, and major construction activities. A site inspection plan was prepared for each bo_dification which identified all the specific areas to be visited and questions to be asked in order l to properly estimate the impact of the alternatives. The preliminary design was done based upon drawings such as l building layouts and piping and instrumentation drawings that were obtained prior to the plant visit and the experience of s_- the architectural engineer from previous similar activities.

l - '

b-k

s 1

The next step was a plant visit to verify the design and to _____ '

collect further information to estimate costs relative to such factors as congestion, access, feasibility of equipment locations, and radiation levels. In practice the plant visit is essential and at Point Beach numerous improvements were made to the proposed modifications during the visit. Details that would be effectively impossible to obtain from available written material were obtained by observation and discussions with knowledgeable plant personnel.

Using the information collected during the site visit to improve the initial design, a final design was accomplished for each modification. Costs and radiation exposures associated with implementing the designs were then estimated using standard industry practices to produce the impact analysis.

Details of the design and costs are given in Appendix J. A

brief summary statement of the content of each alternative is

~

given in Table 6.1.

6.2 Results The results for the Point Beach Plant are based in a set of economic ground rules and assumptions shown in Table 6.2 for both generic and local factors such as labor rates, replacement power costs per day, remaining economic life of the plant, owner's costs, and contingencies. The details of these factors are described in Appendix J. However, one example is owner's costs which consider factors such as retraining operators, health physics, quality assurance, review of contractor design, interaction with the NRC, and preparation of procedure and manual changes. Much of the detail available in Appendix J is provided for completeness of the impact estimates and possible use in any follow-on analyses. The basic information needed for the value-impact analysis in Section 9.0 is summarized in Table 6.3 using the local basis costs which is consistent with the use of local values in the value impact analysis.

The value-impact analysis variables shown in Table 6.3 (i.e..

It, 13, and V3 ) reflect the fact that occupational dose is treated as a negative value rather than as a positive impact. Furthermore, the yearly occupational radiation dose (V4 ) is also treated as a negative value but is considered to be negligible in the estimates for all the Point Beach Alternatives. Similarly, the yearly replacement power costs (I4) are considered to be negligible for Point Beach. Thus, Table 6.3 contains the necessary information to perform the value-impact analysis.

Although the local cost basis was used in the value-impact analysis, it is appropriate to note the ratio of the generic to local engineering and installation costs which are:

6 '- 2.

I Generic / Local Alternative Cost Ratio 1 1.31 y-

} 2 . l . 31 -

j" 3 1.30

?

4 1.11 i

5 1.13 I These ratios show that the generic costs are about 30% greater for the alternatives including only modifications to the existing plant and about 12% greater for the alternatives involving the add-on dedicated shutdown decay heat removal system. (NOTE: If the valueq were computed for a generic site there would also be variations, but it cannot be stated a priori whether they would be greater or less.)

i I

l .

m w*^

G -3

N*

Table 6.1 Content of the Proposed Alternatives Alternative 1 combines the following modifications:

a) Refuelina Water Storace Tank (RWST) Level Alara 3 lacrovements - This modification provides a more prominent RWST low-low level alarm to warn the operator to change the plant '

operating mode from the safety injection mode to the containment recirculation mode following a loss-of-coolant accident. The purpose of this modification is to improve the probability of continued addition of water to the reactor coolant system and continued plant cool down by ensuring that the operator is made aware of the imminent loss of the RWST as a water source, b) Reactor Iniection Makeuo Water Source - This modification provides a seismic Category I source of borated water.as backup to the existing Refueling Water Storage Tank which is not designed to withstand seismic loads. The new source is the Spent Fuel Pool which, when providing the necessary 140,000 gallons, will have its level lowered approximately 11 feet.

The modification only requires the addition of piping and valves between the spent fuel

cooling loop and the RHR pump suction. A sufficient level of water will remain above the stored spent fuel to provide necessary shielding for personnel. The handling of spent fuel will be administratively prohibited under such conditions.

c) Improved Seismic Anchorace of Electrical Eouioment - This -

modification will provide additional anchorage for certain electrical components, namely. the 4160 V Safeguards Buses, 480 V transformers and transformer buses, Safety Injection System pump buses, instrumentation power supply inverters, and battery chargers. In addition, battery racks will be replaced. The modifications will provide sufficient support and anchorage to those electrical components so that their support systems will withstand loads greater than four times SSE seismic loads.

d) Backuo Air System for Pressurizer PORVs - This modification will provide a dedicated Safety Class instrument air system to operate the Pressurizer power operated relief valves (PORVs).

This will improve the capabaility of " bleeding" the Reactor Coolant System by remote manual means while simultaneously feeding the Reactor Coolant System from the Safety Class Chemical-Volume Control System. This additional instrument air supply for each of the two PORVs, which consists of a Safety Class 3 nitrogen bottle, a Safety Class pressure reducing i station and necessary valves, piping and hardware, will back up the normally used non-Safety Class instrument air system to j operate the PORVs.

3) Intake Structure Shield Wall Extension - This modification j is intended to improve the reliability of the supply of service i

water to both units in case of a break in the fire protection l

. G-+

. . . . . . . .- - . . =. - .

I - . -._. .... _

i

, Table 6.1 Content of the Proposed Alternatives (continued) piping in the vicinity of the Service Water Pumps. The modification consists of the erection of a wall with a 3-hour fire rating between the Unit 1 and Unit 2 Service Water Pumps.

l The wall will be from floor to ceiling and will prevent water i from a failed fire main from causing failure'of the Service i Water Pumps' motors on the opposite side of the fire / splash

! wall. Since Unit 1 and Unit 2 Service Water Pumps are headered

! through two valves, should sono unit's pumps fail, service water can be supplied.to that unit by the second unit's pumps.

Alternative 2 includes all the modifications described in i

Alternative 1 plus the following:

a) Dedicated Diesel Generat'or Batterv'- This modification involves the addition of a dedicated battery and battery

charger for starting and control of each of the two emergency diesel generators. Presently the diesel would be lost as a i source of power if its associated existing DC source, the battery, is lost since the diesel's starting and control circuits are fed off the battery bus. This modification will eliminate this dependence on the existing DC bus and thus it is i expected to increase the reliability of the emergency power required for decay heat removal.

i b) Auxiliary Feedwater Pumo Room Fire Protection -

Modification 810 increases-the reliability of certain emergency

_ and normally operating components by protecting them and their power and control cables by the extension of the existing plant fire suppression system. Specifically, the additional components to be protected by extending dry sprinkler system coverage are the Auxiliary Feed Pumps, and the power and control cables to the Service Water System, and Safety l Injection and Component Cooling Water Pumps. -

Alternative 3 includes all the modifications described in Alternative 2 plus the following:

a) Redundant RHR Puno Cooler Cutlet Valves - This modification provides a redundant manual valve in parallel with the outlet valve in the Component Cooling Water System return line from 1 the Residual Heat Removal Pump oil coolers. Both valves are normally open, one valve being capable of passing full flow in case of failure and blockage of the other valve. Blockage of this cooling water line would cause the loss of both RHR Pumps.

l b) Separation of DC Emercency Power Supolies - This modification is intended to increase the reliability of the plant electrical system by. separating the components of two electrical trains presently located in the same area. Battery Charger "B" and DC Distribution Panel "B" will be relocated I from its present position in the 4160 V Switchgear room to an I adjacent room beyond a concrete wall and some 50 feet'away. A

~ G -S i

__ . -...-- - - - _ - = . - ._ . _ -___ _- . _ - _ - . - .

l i

Table 6.1 Content of the Proposed Alternatives (continued) __

F cable fire in the 4160 V Switchgear area will therefore not cause failure of the Train "B" Battery Charger and DC

! Distribution Panel. y-

! kiternative4-Add-onDecayHeatRemovalSystem-Thepurpose of this modification is to improve the reliability of the decay heat removal function by adding additional, protected redundancy. It involves the addition of a new, complete, and dedicated Decay Heat Removal System to assure core cooling and reactor coolant makeup following a loss-of-coolant accident;or external events such as fire, flood, tornado, and earthquake.

one of its subsystems will supply emergency feedwater to the plant's two steam generators. Decay heat would be removed by releasing steam through new steam generator atmospheric steam dump valves. The other of its subsystems provides makeup to the Reactor Coolant System in' order to maintain inventory.

Both of these subsystems are powered from a dedicated diesel and fed from a dedicated water supply.

This " Add-on" Decay Heat Removal System (ADHR) is housed in two new seismic Category I buildings designed to resist tornado

missiles. The ADHR building contains the following components: Alternate Decay Heat Removal Pump, Alternate Service Air Compressor Alternate Diesel Generator and Associated Tanks, Alternate Makeup Pump, heating and ventilating units, valves, instruments and controls. The other l new building contains the Borated Water Storage Tank, Alternate -

l Condensate Storage Tank. Tank Circulation Pumps, valves,

instruments, and controls. .

t

! The Alternate Decay Heat Removal Pump takes suction from the Alternate Condensate Storage Tank and discharges into the

, existing auxiliary feedwater piping inside containment. The i Alternate Makeup Pump takes suction from the new Borated Water Storage Tank and discharges to the safety injection header at a 4 location inside Reactor Containment and then to the Reactor Vessel.

Alternative 5 combines the modification included in Alternative

I with the add-on Decay Heat Removal System described in Alternative- 4.

t 1

1 i

I F

l TABLE 6.2 ECONOMIC GROUND RULES AND ASSUMPTIONS

-. FROM APPENDIX J ,

GENERIC LOCAL

~

PARAMETER

1. Plant Location Eastern Northern Pennsylvania Wisconsin

2. Remaining Economic - 19 yrs 16 yrs Life (Yrs) -

3. Inflation Race (%) 6 6

4. Discount Rate (%) 10.5 11.5

5. Fixed Charge Race (%) 17.0 18.6

6. O&M Levelization Factor 1.47 1.46

7. Replacement Power Costs 550(1) 240 (S/MW(s) - Day)

8. Average Refueling Shutdowsi langth (Days)

PWR 60 60 l

l Bw"A 70 -

f 9. O&M Labor Rate (S/Hr)(2) 22.80 19.80

10. C&M Labor / Materials Ratio 40/60 40/60

11. Ownsr's Coses (%) 10 10 i

12. Contingency (%) 25 25 l

Note: (1) MAAC Power Pool Aversge (2) Includes employer's social security and workman's compensation contributions 9

t

Table 6.3 Point Beach Impact Analysis Results \

Engineering and Operations and Installation Maintenance Occupational

__ Costs in 1985 Cost in 1985 Dose During J- Dollars Dollars Installation Alternative $ x 10-3 3 x 10-3 in person-Rem

1 1 4325 3 14 2 6350 11 14

i 3 7419 11 17 4 59047 -

379 486 5 64027 _

411 500 Value-Impact Analysis It 13 V3 Variable

.

The occupational dose for alternatives 1 through 3 is substan-tially less than that for alternatives 4 and 5 because there is no need to enter containment to make the modifications.

6 9

. G -8

f 7.0 ALTERNATIVE VALUE ANALYSES This section will describe the core melt probabilities and public risk estimates for the base case before any suggested modifications are applied and the improvements resulting from aach alternative, i.e. combination of modifications. -

i 7.1 Core Melt Probabilities b . ~1.1 Base Case Probabilities -

i The core melt probability is the sum of the probabilities from the internal analysis and each of the special emergency analyses except for sabotage which is as yet not quantifiable. -

- The following list gives each probability and the section of this report where it was derived.

~

Core Melt Probability Reference Section Internal 1.5E-4 App. B. Sec. 6.1.2, Sec. 2.2 -

, Seismic 8.lE-6 App. C. Sec. 7.0, Sec. 3.1.2

' Spray 7.7E-5 App. E,-Sec. 6, Sec. 3.3.2

, Fire 1.6E-5 -

App. D. Sec. 7, Sec. 3.2.2 i Wind & Missiles 4.0E-6 App. G, Sec. 7.22, Sec. 3.5.2 External Flood 1.9E-8 App. F. Sec. 6.2, Sec. 3.4.2 Lightning 5.3E-7 Sec. 3.6.2 2.56E-4 base core melt frev2ency 7.1.2 Alternative Probabilities ,

The alternative probabilities are determined from the combination of internal and special emergency modifications included in that alternative. The value analysis for each modification is found in the applicable appendil. The results i are summarized below:

Base Core Melt Modification of Frecuency Core Melt Probability vulnerability Probability After Modification s

Internal 1 9.5E-5 3.2E-6 2 1.9E-5 3.8E-7 3 '1.0E-5 2.0E-7 4 3.8E-6 2.9E-9 Seismic 1-6 8.1E-6 9.3E-7 Spray 7.7E-5 7.7E-8 Fire 1 1.3E-5 5.0E-7 2 2.6E-6 6.9E-7 The special emergency and internal analyses are essentially independent in the Point Beach value analysis (there are impact

, dependencies). This is not a generic situation, but it is the 4

?-l -

---w - - -

case for Point Beach. Each of the alternatives will now be '?s discussed and evaluated.

Alternative 1 Core Melt Probability - Alternative 1 is the combination of internal modification 1, all the seismic modifications, and the spray modification. The final-alternative 1 core melt probability p(CM, a l.t . 1).given these modifications are made is the base case core melt probability -

p(CM, base) minus the change in core melt probability ap(CMl alt 1) resulting from the alternative 1 modification p(CM, alt 1) = p(CM, base) - Ap(CMl alt 1) where p(CM, base) = 2.56E-4, and ap(CMlait 1) = internal modification 1 improvement (9.5E-5)-(3.2E-6) = 9.lE-5 plus seismic modifications 1-6 improvement (8.lE-6)-(9.3E-7) = 7.2E-6 p.as spray modification improvement (7.7E-5)-(7.7E-8) = , 7.7E-5 1.75E-4 Thus p(CM, alt 1) = (2.56E-4)-(1.75E-4) = 8.lE-5 Alternative 2 Core Melt Probability - Alternative 2 includes all the modifications suggested in alternative 1 plus internal _.

modifications 2 and 3, and fire modification 1. The final alternative 2 core melt probability p(CM, alt 2), given the modifications are made, is the ' base case core melt probability p(CM, base) minus the change in core melt probability resulting from all the modifications.

P(CM, alt 2) = p(CM, base) - op(CMlait 2) ~

l where p(CM, base) = 2.56E-4 and ap(CMlait 2) = internal modification 1 improvenant (9.5E-5)-(3.2E-6) = 9.lE-5 l plus internal modifications 2 & 3 improvement

(* see explanation) = 4.lE-5 plus seismic modifications 1-6 improvement (8.lE-6)-(9.3E-7) = 7.2E-6 "This is the difference between the suas on Tables B.23 and B.24 which is more accurate than the base case melt probability improvement for the interna.1. vulnerabilities 2 and 3 due to the complex interactions of electric power in the accident sequence cut sets.

]-L t

7 q _. . _ . . . _ . . . _ . _ .

s plus spray modification improvement (7.7E-5)-(7.7E-8) = 7.7E-5 plus fire modification'1, improvement (1.3E-5)-(5.OE-7) = ,. 1.2E-5 2.28E-4 Thus p(CM, alt 2) = (2.56E-4)-(2.28E-4) = 2.8E-S' Alternative 3 Core Melt Probability - Alternative 3 includes all the modifications from alternative 2 plus' internal modification 4, and fire modification 2. The final alternative 3 core melt probability p(CM, alt 3) given the modifications are made is the base case core melt probability p(CM, base) minus the change in core melt probability resulting from all the modifications. .

p(CM, alt 3) = p(CM,_ base) - Ap(CMl alt 3) where p(CM, base) = 2.56E-4 and Ap(CMlait 3) = internal modification 1 improvement (9.5E-5) (3.2E-6) = 9.1E-5 plus internal modifications 2 & 3 improvement = 4.1E-5 plus, internal modification 4 improvement (3.8E-6)-(2.8E-9) = 3.8E-6 plus seismic modifications 1-6 improvement (8.1E-6)-(9.3E-7) =

7.2E-6 ,

l plus spray modification improvement (7.7E-5)-(7.7E-8) = 7.7E-5 plus fire modification 1 improvement -

(1.3E-5)-(5.0E-7) = 1.2E-5 plus fire modification 2 improvement (2.6E-6)-(6.9E-7) = 1.9E-6 35E-4 Thus p(CM, alt 3) = (2.56E-4)-(2.35E-4) = 2.lE-5 Alternative 4 Core Melt Probability - Alternative 4 is the addition of a dedicated shutdown decay heat removal system as described in Section 4.0. As noted in Section.4, the reduction in core melt probability from the add-on system changes depending upon whether or not offsite power is available.

Also, because the add-cn is an independent system, the improvement in core melt probability is simply the product of the add-on system unreliability and the base case probability.

The add-on system unreliability is 1.9E-2 if offsite power (OSP) is available and 7.3E-2 if offsite power is not available. Therefore, to properly apply the add-on system

~7 - 3

s unreliability the core melt probability for internal events must be split into that when OSP is available and that when OSP -

is not available. In special emergencies from spray. fire, wind, and lightning it is assumed offsite power is available.

For seismic it is assumed offsite power is not available. In the internal analysis situation the core mel.t probability is partitioned (from Table B.12 corrected for vulnerability 5) by the accident sequence applicability to offsite power availability. Alternative 4 with the add-on applied to the base case is as follows:

Base Case Add-on Alt 4 Cors Melt Probability Unreliability Probability Internal - OSP 1.05E-4 1.9E-2 2.OE-6 available Internal - OSP 4.OE-5 _

7.3E-2 2.9E-6 not available Seismic - OSP 8.lE-6 7.3E-2 5.9E-7 not available Spray - OSP 7.7E-5 available 1.9E-2 1.5E-6 Fire - OSP 1.6E-5 l.9E-2 3.OE-7 available Wind - OSP 4.0E-6 7.3E-2 2.9E-7 not available Lightning - OSP 5.3E-7 7.3E-2 3.9E-8 not available Thus p(CM. alt 4) =

7.6E-6 Alternative 5 Core Mele Probability - Alternative 5 combines the modifications making up alternative 1 with the add-on shutdown decay heat removal system described in Section 4.0 and used for alternative 4 previously. In order to properly apply the add-on improvement relative to offsite power (OSP) availability, the internal core melt probability must again be partitioned (from Table B.23 corrected for vulnerability 5).

Alternative 5 with the add-on applied after the internal.

l spray, and seismic modifications are made is as follows:

Alt. 1 Add-on Alt. 5 Core Melt Probability Unreliability Probability Internal - OSP 1.4E-5 1.9E-2 2.7E-7 available Internal - OSP 4.OE-5 7.3E-2 2.9E-6 not available Seismic - OSP 9.3E-7 7.3E-2 6.8E-8 not available Spray - OSP 7.7E-8 1.9E-2 1.5E-9 available Fire - OSP 1.6E-5 1.9E-2 3.0E-7 available ,

7-f -

9

-w- - = ~ ~ - ' ' -

.,-w-

__a.x--_-.....__.. .

j

\

Alt. 1 Probability Add-on Wind - OSP Probability Altr-5 Core Mel' Erobability not available 4.OE-6 Lightning - OSP 7.3E-2 5.3E-7 2.9E-7 not available 7.3E-2 i.9E-8 I

Thus p(CM, alt 5) =

7.1.3 3.9E-6

(

Summary of Probabilistic Core Melt E stimates The results of the five alternatives from the base value. core melt probabilities and change in co e melt probability t Change in Probability Probability of Factor of Alternative Core Melt from Improvement from

. of core Melt Base case Base Case Base case 2.56E-4 Probability 1

8.lE-5 2

3 2.8E-5

1.75E-4 2.28E-4 3 4 2.lE-5 9 5 7.6E-6 2.35E-4 !

3.9E-6 2.48E-4 12 2.52E-4 34 i 66 The core melt probabilities calcul estimates used in Section 5.0 to selectated compare well with t the alternatives. !

One way is to compare some desired probability. a the altern viewed tithe in several effect of ways.

1 ve core melt examine example the relative3 improvement over sA second approach is si alternative i

improvem,ent and alternative 5 i ome base situation. For magnitude improvement is approximately an order of magnitud e will be discussedfrom 7.2 in Sections the base value. 9.0 and

. . Further 11conclusions 0s approxim Eublic Risk Estimates In past early deaths PRAs several public risk mea The measure u, sed in this analysis is thearlyy(e.g.. injuries, laten damage).

resulting from the release of radioactive miles from theand atmosphere negative) plantsubsequent site. dispersion out te material to averted the offsite are considered inAll the other values (positive oro a radius of 50 impact analysis (S ection 6.0).

The internal avertedanalysis offsite and ea dose in dollars i i

these are seismic, spray,ch special emergency (for Point each Bs calcu m/

fire, and wind and missiles) ,

e

. 7-f

-er,-- -,--~n., - - , , , - -v- ,.x , , - _ - -r--,.,-a._ - - , - - , , , - _ - - - , _ _ - - - - - - -

7.2.1 Base Case Estimates ' ' -

The base case estimate of the public risk measure (population dose) is computed from the base case probabilities for each accident sequence including containment systems, the -

containment failure mode probabilities and release category assignments, and the consequences for each release category.

The base case internal analysis accident sequences with containment systems are found in Table B.22. The base case special emergency sequence probabilities are summarized from the various appendices in Table 7.1. The containment failure mode (CFM) probabilities and release category assignments for each type containment systems sequence are summarized in Table 7.2.

The results are tabulated in Table 7.3 and shown by dominant accident sequence in Table 7,4 in a format similar to that used in past PRAs, e.g., WASH 1400. The release category (RC) probabilities are then combined with the consequences determined in Appendix K to obtain the expected population dose in person-rea per reactor-year and cost in dollars (at $1000 per person-rea) in Table 7.5.. Three values are presented in Table 7.5: an upperbound for purposes of this study which is based upon WASH 1400 type source terms, our central estimate which we have defined as 0.3 times the WASH 1400 source term, and a lower bound which is defined as 0.1 times the WASH 1400 source term. This selection of source terms should not be i interpreted as an endorsement of any particular set. The "real" source term may be larger or smaller. These were selected in order to provide some indication of the sensitivity of these results to variations ~in the source term.

Two examples may be useful to show how the calculation was done. First, consider the internal accident sequence S

ik %'H'.

This is sequence number 1 found in Table B:22 where is keen that only the 20 F' containment sequence is significant. Its probabiliky is 6.5E-5, i.e.,

'p(S2MH{H 2 - 2C2 F')

= 6.5E-5.

This is a late melt sequence resulting from the ECH failure (i.e., H1'H2'). Going to Table 7.2 this falls in the third row of the table where 4 containment failure modes (CFM) are possible. As an illustration consider the most likely CFM which is Y,6 with a probability of 7E-1 and a release category 2 (RC2) assignment. }hus, p(S2 MH{Hj - 2C2 F' -

Y,5,) = (6.5E-5)*(7E-1) = 4.5E-5.

This sequence is placed in row 1 (S2 initiating event) column 2 (RC2) in Table 7.4. The initiating event segregation in 74

TABLE 7.1 POINT BEACH SPECIAL EMERGENCY ACCIDENT SEQUENCE PROBABILITIES INCLUDING

. CONTAINMENT SYSTEMS -

Containment Base Probability Special Systems case After Emergency Secuence Probability Modification Seismic 202 F' 6.OE-6 9.3E-7 Seismic 2C2 2.1E-6 0 Spray ZC2 7.7E-5 7.7E-8 Fire 1 ZC2 1.3E-5 5.0E-7 i

Fire 2 ZC2 2.6E-6 6.9E-7

~

Wind ( ZC2 4.0E-6 4.OE-6 O

O

=*

7 -7

' TABLE 7.2 POltif BEACil ACCIDENP SEQUE!K'E 'IO RELEASE CATEOCRY MAPPING

, , iI cowwwHe " o.n siee w r aiuns 1, o 0 E v> nu F 40 44 s tny i scecis t Ano ac cu <ee,w= town s i= ca rs.co n y (*)

gg WQue%" CA (s } ,7 g

?

-- 16 Ns) 7' -3 7 ? -l Se _,

ji i 2 Cy F, l 6 3 7 f

eoruy 30 ~4 '70 -3 7E 'l 3e-;

l E Cz.F h" l 4- 3 6 l:

"" i ~

) 1e '3 )e ~f 3#-'

E G F' I' # 1 4- 'L . t b y .

ll E if-L(b) 7e~3 'J e -1 3 s -;

I 4 1 G le -4 W -3 > e -i T e -i g gp, i f 3 6

,' - e,w Se 7e-3 7 e -; 3 e -i

'. % Ct F, hm I & 3 &

tw 16 70-3 y e -i 3 3_,

'a _C t F, isew

- l 4 1 3 j t e -4 le -5 ge ; 2.6-1 I + 1 3 l o.') e ev a.s e s o ne c.eva.n to e st p ai .s n + 15.e5 Pa.conia.orv 490 Res.easr env+a.ny L') Be 'o e *

is - 4 p- t=~ e * + n .n a is+ tr 24. DERM ss ea stso 3 0 er 4#sen s u k.s A La**e I OC4

, ( .

j

. -Q

,.g__. _. . . . . . .. .- . . . . _ _.

.9 ..

9

-s ~

1

~ ! ? _ i J. i 3

= s.- +

f% % *? to e

- a J u ,

d

'...',:s'

4

,. .c * *

. w

_ n. =. W a

e.

g

. ~~,3 o ,~~

~~3 d~~

~~c c 4~~
c e e e c c c c m j 3 g *; ? + Y f n u v ? o n Y
= . ? %
+ 1- ,', *
~~4 ,' &~~
$ ,, 1 %- e e w . e e s n J 4 .e . _ ~ w w a r 0 &
= e 2 J J - , .
1 ; ~
- m l
m 4w
% n m b
n m
4 T' ?
~~. T T J u f ? I t g~~
,a 2 n e
4
>= 'a, e 4.-
T.
~
,f, .
1 .
a -. s a n - , !. a>
J d 4 w V W
= i. 4 % v v v
~~. 6 I w e~~
e A
%v %v %v 6 %. M f' ~~
l -
1 _
3-
%. J. i.s i Y. %. 0 1 A.
e, * .O * ,b T. is
~~8," 4,-~~
+
1.
~~p j J.~~
= ,, ,g, ab r
s $ Y @ T O A f%
,9 J 8 M !
a a .. a .
a 6 a a e a - ",.
~
6# '
g I I I I T T T I Y 3 I I I s.
2 c-g Y T i ? T Y W J h % 3 7 a,
w *
. 2 % 4 ; 4 4 4 .f S
%" a f o - Y r, t 4 e -
O e 4 t 1 s n N 4 J - N 4 m e H
% ^ *
~~6 l 4, . -~~
~~3 l u ,~~
v u 't w 8
% ~
d t ou
~~3 d s v i 2o1 e sm i~~
na y a tu
,u, u e y
.a y
s : m
{ +g g i w o . ., e *
, .o
.1, u
y <6 -
a
-2 2
< 4 s
< a < *
~~e, e i s 2 2 2 , . . 4 -~~
i
<r e.
- - - r e .$ !.- <- 2 5
w
: 2 2 5 .- + s i, H H u w M to .1 r1 4 ti. 3 l _.J s
~
1
'I g
, ..l t I, i; . . TABLE 7.4 POItfP BEAO! DOMIIIAttf ACCIDEfff SEQUENCES AND SPECIAL EMERGENCY COffIRIBtfrING 'IO BELRA8E CATEGORIES l
. 8 8
l . I i *
. RE LE A S ti C. AT E G O R I E S
.. I 2 3 4 5 6 7 . !
.. S .h t'e l-f *-.a 6.Se -7 1.M A'al t' 8 J. 4.s e -5 5.Mhe. e 'E.3 I.se 7 'i.H4la! **- P 4.se 7 f.e4D.D. - t i Se e- 1,hafil!-F'-6 LU 5 5 s Hl.t. -6 44e t
- 3. fit.0 3
4-p 6.s e *I I I St
!,'i;. 4ocA .
f
~~i I~~
3.DLt-ts.-4 1.64 f 1.tiL* a* 3.ie-3 T.HLE - t r6-p 414 7 T. hts-p 3.18 4 T. hte - t- 3 18-7 i T. "*'***a '"- ''* ' "-
i
e4th -4(s -Ja 3.86 7 T. * '
, l. 9 TRAP $te naf 8 0 j
0-2
l l ,
t til !
T 24d/d.'-r*4 4 5e-# islett /d.'-f
~~4. 5e l 14 + t.eas!s.' e~~
p 5.a d -( Tehte -9 8 4e-fd T.h.eelm.'-r -4 1.4 f 4 T6 hts -4r ).e.e-t ' 'i li,'. l' Ts. -
9
1. Mat.e.-4-p 6.) e t*
.t Q Ta nplie >T
!41: .
il
, it l-
l, i ST T3 4dlef-e*+ 3.19 4 Tignf af-t'-e,4 3.se-t vise n. af-e'.p s.ie -1 1 .es.A -p t. ge-a. iganfe!,*-e '7 se b Ta tt.t. + 7.se-# } i
. Il i- Ti * **'*-> 8 8 *-8*
. i l i
gj TRANSiebT"
('
l'*
e i
~~t. Z ,~~
1 ,
il l.
,...4 e ,. ! is esma- .4 em e -# raet ac.-J, 3. e-5 Pa8J8-4(a da 3 **
~~Fine t-tc.-p 9.se -t te r.rus - P 4.ne t tens ent -e- 8. Fe -4.~~
. :, i. ,,,,,,, e._..... . . . . -e . . ,e., ,e......, , ,e .
,, , . stear-ac.-4 ene-5 sesav-.4 -as 154 5 s t**v - t c. - p K4 e -1
;'g* thea66ptses -e.4 6-d C. -4 4 *e -8. we. ea.-tc. - 3a f 'e -7 *'**b-tc.-@ 3 fe-o f 9
. ,; w as to< % .r. g.se -a. sa.i ms-4, 0 4 a* + s ess ent -a c.-p s.se-r .s
[.;1 t t u r-ts.-Ja pe r jp
,. sus I u s. -<. i .w s - + 3.ir e .c i.u. e -c s.u e-a s. s-r 2. sp e , i t '!ij i '
l l n
.~II
, : ). - l
f TABLE 7.5 -
POINT BEACH VALUE OF OFFSITE POPULATION DOSE IN PERSON-REM l
FOR THE BASE CASE (person-rem / reactor-year Release ' Population Dose (PR) Probability of -
Catecory Within 50 Miles. D Release Catecorv. P DP Upper Bound Source Term (WASH 1400) l' 7.9E+5 1.1E-6 0.9 2 8.0E+5 1.8E-4 144.0 3 9.6E+5 3.1E-5 29.8 4 5.4E+5 1.7E-6 0.9 5 2.2E+5 5,25-8 0.0 6 5.3E+4 3.lE-5 1.6 7 2.6E+3 2.2E-6 0.0 177.2 PR
Baseline Source Tarn (0.3 times WASH 1400) 1 6.6E+5 . 1.lE-6 0.7 2 7.5E+5 1.8E-4 135.0 3 6.2E+5 3.1E-5 19.2 4 2.7E+5 1.7E-6 0.4 5 1.0E+5 5.2E-8 0.0 6 2.2E+4 3.lE-5 0.7 7 1.7E+3 2.2E-6 0.0 156.0 PR Lower Bound Source Tara (0.1 times WASH 1400) 1 4.4E+5 1.lE-6 . 0.5 2 5.6E+5 1.8E-4 100.8 3 3.7E+5 3.lE-5 11.5 4 1.3E+5 1.73-6 0.2 5 4.SE+4 5.2E-8 0.0 ;
6 9.8E+3 3.1E-5 0.3 l 7 1.4E+3 2.2E-6 0.0 113.3 PR i
4
\ % ,.
8 0
i A
s
. 7-11
~
Table 7.4 is not important for any reason except perhaps to '
make it easy to locate a sequence. This same procedure is repeated for every significant internal accident sequence.
Next consider a seismic special emergency sequence witlh the associated containment systems sequence ZC F.' . Its probability from Table 7.1 is 6.0E-6, i.e., 2 p(SEISMIC - 20 F') = 6.0E-6,.
2 In this case let us consider all the CFMs. These are, p(SEISMIC-25 F' - a) = (6.0E-6)*(1E-2) = 6.0E-8 RC1, 2
p(SEISMIC-20 P' ~ 8) 2
~~-(6.0E-6)*(7E-3) = 4.2E-8 RCS, p(SEISMIC-20 2 F'-y,8,) = (6.0E-6)*(7E-1) = 4.2E-6 RC3,~~
~~and p(SEISMIC-20 F'-c) = (6.OE-6)*(3E-1) = 1.8E-6 RC7.~~
2 When these are entered into Table 7.4, it is seen that seismic is the most significant sequence in.RCS and RC7, but also contributes about 5% to RCl and 10% to RC3. Again, the example serves to demonstrate the mapping of sequences into release categories. Actually, each sequence could also be carried on to the population dose but it is easier to combine all the sequences in the release categories.
7.2.2 Alternative Estimates The population dose estimates for the alternatives are determined by the same procedure used for the base case. The tables containing the information needed are:
Table Table i
Alternative 1 Internal B.26 Special Emergencies 7.1 Alternative 2 Internal B.27 Special Emergencies 7.1 Alternative 3 Internal B.28 Special Emergencies 7.1 Alternative 4 Internal B.29 Special Emergencies 7.1 Alternative 5 Internal B.30 Special Emergencies 7.1 In each alternative the applicable special emergencies must be considered:
Alternative 1 Seismic, Spray Alternative 2 Seismic, Spray, Fire 1 Alternative 3 Seismic, Spray, Fire 1, Fire 2 ,/
Alternative 4 Alternative 5 Seismic, spray.
7-12.
~
l '
t 1
4 i
I The results comparable to those obtained for the base case are '
l found in Tables 7.6 and 7.7.
i 7.2.3 Summary of Probabilistic Risk Estimates .
~~The results of averted offsite population dose per reactor year are summarized in Table 7.8 for the baseline source term and the upper and lower bounds.~~
7.3 Non-Ouantifiable Values
?
The previous sections have outlined the value of the potential alternatives based upon probabilistic considerations. 'As was ,
4 noted earlier, these alternatives were selected using the systematic PRA approach, however the scope of the modifications is such that they also provide value which is in many respects non-quantifiable. These potential values include such diverse areas as: the overall effect such alternatives may have on residual risk, the potential effect of at least some of them on equipment qualification issues and fire (Appendix R) concerns, and the possible effects on plant availability. Other issues which may well be affected are regulatory stability and decisions as to the need for changes to decay heat removal requirements. Of course, the primary objective of TAP A-45 is, in fact, to evaluate the adequacy of existing requirements.
These various areas are discussed further in the following subsections.
i 7.3.1 Reductions in Residual Risk It was noted in Section 5.0 that the actual total core melt probability, which would include large LOCAs and ATWS, is greater than the base case numbers shown for transients and SBLOCAs. For those events which are quantified there,is a threshold of probability that establishes a level below which events are "not counted". This procedure is dictated in part by the capabilities of existing analytical tools. However, many of these " uncounted" events may be affected by the support system vulnerabilities.such as are identified here. Therefore, improvements in support systems (e.g., emergency electrical
! power) such as t. hose provided in alternative 2 will (should) reduce core melt; probability even more than is shown here.
Furthermore, since many of the modifications address potential vulnerabilities in support systems, there also will be improvements in the response to other initiating events such as large LOCAs which have not been addressed here. Furthermore, any overall improvement in safety systems reliability will obviously reduce risk even though it may not be quantified.
It should be noted that the' add-on system has a significant effect upon residual risk, whatever the source of that risk.
This beneficial effect arises from the fact that the add-on is independent from other plant systems except for the required tie-ins inside containment. Therefore, the add-on is 7-13 t
-w-------- - - - . . - . , - - . , , . , . , . , _ . _ _ _ - - , _ _ . , _ _
.. l TABLE 7.5 POINT BEACli RELEASE CATEGORY PROBABILITIES (Probability per reactor-year)
RCl RC2 RC3 RC4 RCS RC6 RC7 Base Case 1.lE-6 1.8E-4 3.2E-5 1.7E-6 5.2E-8 3.lE-5 2.2E-6 i
Alternative 1 1.5E-7 5.3E-5 1.3E-5 4.7E-7 1.7E-8 3.7E-6 6.4E-7 Alternative 2 1.3E-7 1.58-5 3.6E-6 4.7E-7 1.2E-8 3.7E-6 4.3E-7 Alternative 3 9.3E-8 1.0E-5 3.2E-6 1.lE-7 1.2E-8 2.4E-6 4.3E-7 Alternative 4 3.3E-8 4.7E-6 1.3E-6 4.3E-8 3.7E-9 4.2E-7 1.5E-7 Alternative 5 3.3E-9 2.7E-6 9.3E-7 1.3E-8 9.9E-10 7.0E-8 2.0E-8
. I y .
t i
t e s 4
0 *p 9
e _/
l TABLE 7.7 POINT BEACH EXPECTED VALUE OF THE POPULATION DOSE WITHIN 50 MILES (per reactor year) . .,i Lower Bound Source Baseline Source Upper Bound Source !
Term (0.1 x WASH 1400 Term,(0.3 x WASH 1400 Term (WASH 1400 Source Term) Source Term) Source Term) l Base case 113.3 156.0 177.2 !
Alternative 1 34.7 48.2 55.5 Alternative 2 9.8 13.7 15.9 i i
11.4 Alternative 3 6.8 9.7 Alternative 4 3.1 4.2 4.9 ,
Alternative 5 1.8 2.6 , 3.1 sJ i
1.
1 J\
i l
l 5
'r- i I
I t
, N TABLE 7.8 POINT BEACH
~~SUMMARY~~
OF VALUES FOR AVERTED OFFSITE - _
POPULATION DOSE IN PERSON-REM PER REACTOR YEAR INCLUDING INTERNAL AND SPECIAL EMERGENCIES ,
Baseline ,
Lower Bound (Central) Upper Bound
,= Source Tara Source Ters' Source Tern Alternative 1 78.6 107.8 121.7 Alternative 2 103.5 142.3 161.3 -
Alternative 3 106.5 146.3 165.8 Alternative 4 110.2 151.8 172.3 Alternative 5 111.5 .
153.4 174.1
+
8 9
e 9
0 t
2-lu
f '
)'
l unaffected by any fires or floods which might occur'elsewhere in the plant. As noted earlier, the unreliability of the i add-on is a function of the availability of offsite power ,
)
(osP), and this unreliability becomes a multiplicative factor.
i.e., it reduces core melt probability. The single train i described here has unreliabilities of 1.9E-2.with -OSF .
! available, and 7.3E-2 without OSP. If a two train system were l used in which connlete independence between trains was
~~maintained, then these unreliabilities become 1.4E-4 and 5.3E-3 4~~
respectively, providing an even greater reduction in residual i risk.. However, there would be an accompanying increase in costs. t 7.3.2 Effects Upon Equipment Qualification l A subject of concern in many current discussions is equipment qualification. That is, is the equipment truly qualified to j i withstand the environments it may experience under accident conditions? The question arises, for example, if one considers primary system feed and bleed options for decay heat removal i (see Section 10.0). It also arises if one considers piping
, failures that might till a cope or compartment with high l temperature water or steam, or both. Similar concerns have been expressed by some with respect to inadvertant actuation of
! fire suppression systems that use water spray, some of the i modifications proposed in the above alternatives do deal with l equipment qualification issues. For example. the modifications designed to prevent accidental spray from the fire water header from service water pump actors insures that the actors do not see an environment for which they are not qualified. In a '
i similar vein, the seismic based modifications which provide I additional tie down of electrical cabinets or revision of .
battery racks to strengthen them are both intended to improve j system survivability in an earthquake environment. The add-on
~~system provides an alternative approach to dealing wi'th~~
! equipment qualification concerns. As noted above, a completely ,
independent train of equipment can be (and is, in this design) i i isolated from adverse environments that might occur in the l l various plant buildings. Also, the separation into a dedicated !
! building allows more stringent controls to insure that adverse ,
environments are not created within that building. The !
i dedicated system does not solve environmental qualification '
i problems, if they exist, but it does reduce their impact and i influence.
7.3.3 Effects Upon Plant Availability i
~~All the modifications proposed here have improvement of decay~~
~~! heat removal as the goal. It is clear that such modifications~~
~~could affect in-service plant availability in either a positive l~~
(improved) and negative (decreased)' manner. A modification j which adde equipment to a system could possibly lead to an i increase in the spurious secan rate, and thus decrease
{
'- availability, or in other situations, the addition of i
i 7 -17 I
equipment could lead to a situation in which failure of '
existing components with a similar function are covered by the added redundancy or diversity. Thus, in some situations, plant operation could continue without interruption, that is, technical specifications would be met while equipment was napaired rather than having to shut down while the work was being done. It seems self-evident that if the additional equipment is in the form of a standby system (e.g., the piping and valves installed to use the spent fuel pool as a backup to the RWST) the probability of spurious scrans should be small.
Certainly the frequency of those situations for which j i additional equipment could obviate a plant shutdown would be
~~dependent upon the design of the plant and the nature of the i added equipment. This area will be explored further in~~
, subsequent analyses.
7.3.4 Regulatory Issues It has been suggested that revisions to decay heat removal capabilities could result in relaxation of requirements and perhaps contribute to increased regulatory stability. These issues should be pursued as part of the overall TAP A-45 program. However, the proper. focus or agency for those
, evaluations is not as obvious. Certainly the technical analyses bear upon these issues, but they also require policy j and regulatory perspectives which are more properly the purview of the NRC. It is also apparent that these issues should not (and perhaps cannot) be resolved on the basis of one or even two plant studies. This question also will be pursued further in subsequent analyses.
7.3.5 Summary of Non-Quantifiable Values Based upon the work to date, it is quite apparent that the modifications being proposed can reduce risks beyond that quantified here. It is equally obvious that some alt'ernatives such as the independent add-on system provide another means to address equipment qualification issues. The effect of DER modifications upon plant availability will be plant specific but it is being pursued. Several regulatory issues can also be
{ affected by DHR modifications but definitive discussion requires added input in terms of plant analyses and NRC
! regulatory policy.
i
)
a
) *lY
9.0 INTEGRATED VALUE-IMPACT ANALYSIS -
In this section the quantitative value analysis (section 7.0) and the impact analysis (Section 6.0) are combined to form an integrated value-impact analysis. Unquantifiables are not treated in this section but are addressed in various other sections. The goal of this assessment is to provide measures that can be used by the NRC to make decisions on the adequacy of decay heat removal requirements (USI A-45). The methodology for the value-impact analysis is presented in Appendix L. In order to implement the value-impact analysis and illustrate the steps performed, the methodology will be reviewed briefly prior to summarizing the Point Beach results.
9.1 Methodoloav 9.1.1 Value and Impact Analysis Variables Each of the variables to be used as input in the V-I analysis is defined in Table 9.1 and characterized in several ways.
First, the costs and values may be incurred one time or on an annual basis. All recurring gosts or costs which might occur at any time during the remaining plant lifetime must be present valued. The present worth factor for Point Beach based upon 26 years remaining life is 14.4 at a 5% discount rate. Second, there are positive and negative values and impacts. For example, in the case of I4 and V4 the modifications could result in an increased or decreased value or impact. The modifications could require additional maintenance resulting in increased radiation exposure and/or longer outage periods and thus more replacement power costs. On the other hand, the modifications could make maintenance easier, thus reducing radiation esposure and/or replacement power costs. Third, costs or doses result from either the proposed modifications or an accident. Fourth, each variable may affect the utility, and the NRC, or the public. Last, the information for each variable comes from the architect engineer, the value analysis, or other, previously documented, analyses.
In addition to the value and impact variables, the change (reduction) in core melt probability (APa) for each l alternative from the base case core melt probability (i.e.,
without any modifications) is used.
Apa(j) = pm - pa(j), central value i
where pa = base case core melt probability, and .
Pa(j) = core melt probability of jth, the alternative. l These values are given in Section 7.1.3. The upper (U) or lower (L) bounds for the change in core melt probability are determined as follows: .
q_t
Table 9.1 Value and Iapact Analysis Input. Variables .
.l Source of I Symbol Description Results from Affects the Information l l
II Engineering and Installation Positive Modifications Utility Architect Engineer l Cost one time Impact l I2 Operations and Maintenance Positive Modifications Utility Architect Engineer i Costs / year - present worth Impact I3 Installation Replacement Positive Modifications Public Architect Engineer Power Coats - one time Impact I4 In-service Replacesent Positive Modifications Public Not available - but Power Costs - per year - or Nega- probably negligible present worth tive Impact-f p
IS Avertable Onsite Costs -
one time - present worth Negative Impact Accident. Utility Based on previous analyses 151 Replacement Power Costs 152 Insa of Investment Costs '
153 Site Cleanup Costs '
f I6 Other Costs - one time Positive Modifications Utility Not covered in this
( Impact & NRC program .
1 v1 Averted Onsite Dose over Positive Accident Utility Based on previous ;
Plant Lifetime Value analyses V'
1 Present Worth of Averted ' Positive Accident Utility Based on previous OnsiteDosee$1000/p-rem Value Analyses
.. .Y
t i
Table 9.1 value and Impact Analysis Input variables (continued)
.I Source of ,
Symbol Description Results from Affects the Information
?
V2 Averted Offsite Dose Positive Accident Public Frontvalue analyses !
Over Plant Lifetime Value V'
2 Present Worth of Averted Positive Accident Public From value analyses ,
l OffsiteDosee$1000/p-rem value ,
V3 Installation Dose - one time Negative Modifications Utility Architect Engineer Value i V'
3 Present Worth of Installa- Positive Modifications Utility Architect Engineer tionDose8$1000/p-rem Value a v4 In-service Operational Dose Positive Modifications Utility Not available e over Plant Lifetime or Negative v4 Value V'
4 Present Worth of Occupa- Positive Modifications Utility Not available tionalDose9$1000/p-rem or Negative , ;
Value ,
S e
9 1
e i
l q _
~
a, s
Upper bound Apa(j) = Apa(j) x5 -
Lower bound Apm(3) = opa(3) +5 The factor of 5 was estimated by using an error factor of 3 for the internal event sequences and an error factor of 10 for the special emergency sequences as shown in Table 9.2. When these error factors are applied to the central value or best estimate
, for each initiator, i.e., internal, seismic, spray, etc., and summed, the overall core melt bounds for the initiators
. considered in this program are 6.06E-5 for the lower bound and 1.51E-3 for the upper bound. While these bounds are not exactly symmetrical about the central value the range is
~~approximately 25 resulting in an error factor 5.~~
9.1.2 Value Impact Analysis Measures Impact Measures - Impacts 12 and 14 (refer to Table 2.1) must be multiplied by the present worth factor, 14.4 for, Point Beach assuming 5% discount rate. The present worth factor accounts for the reduced worth of the payments made or incurred at some future date. Therefoge:
Total Positive Impact of the alternative. TI(j) =It(j) +
24.4 12 (3) + 13(3) + 14*4 I4(3) + 14 4I4(j)*
This is the total of all the positive impacts. The negative j
impacts sua to the, Total avertable cost, Ig(j), =
Igg (j) I52 I3) + I$3 I3)
~~where Igg (j) = AP ,(j) x1 51 I5) 152(3) = op,(j) x1 52 I))~~
~~153 I3)~~
~~OPm II) *I 53 I3)~~
Upper and lower bounds are introduced at this point in the
! impact analysis summary using the error factor of 5 discussed previously. That is.
l Lower bound (L) If (j) = Ig (j) +5=I5(3) x op,(j) +5,
~~Central value (C) Ig(j) = Ig (j) = I S I))~~
~~OP (j), and m~~
! Upper bound (U) Ig(j) =
Ig(j) x5 =I S IS)
OPm II) * $*
T!se same is true for Igg ()) , Ij2(j) ,
and Ig3(j). Therefore, for tr.e jth alternative, i
, 8) - k
l l
Table 9.2 Point Beach Value-Impact Analysis Error Factor Core Melt Probability Analysis Lower Bound Central . Upper Bound l
Internal 5.0E-5 1.5E-4 4.5E-4
\ -
l . Seismic 8.1E-7 8.lE-6 8.1E-5 t
i , Spray 7.7E-6 7.7E-5 7.7E-4 Fire 1.6E-6 1.6E-5 1.6E-4 Wind & Missiles 4.0E-7 4.0E-6 4.0E-5 1 -
External Flood 3.0E-9 1.9E-8 3.0E-7 l Lightning 5.3E-8 5.3E-7 5.3E-6 i
! 6.06E-5 2.56E-4 1.51E-3 i
i 6'
m l
l l
l 9 -1
Net Impact = Total Impact - Total Avertable Impacts or N:s NI(j) = TI(j) - Ij(j) .
The discounted values for the negative impacts due to avertable onsite costs, conditional upon an accident, are from Appendix L are: .
151 = $4.2E+9, 152 = $2.8E+9, and
~~153 = $1.7E+10 in 1985 dollars.~~
Value Measures - The averted onsite dose (V1 ) for each alternative is estimated from onsite dose received during an.
accident. For purposes of this analysis, this onsite dose (51,500 person-ren) is assumed to be the same for any core melt accident as discussed in Appendix L . The o,nsite dose (51,500 person-rea) is multiplied by the Apa for the jth alternative and by the number of years of operation remaining.
Thus, V i(j) = (51500) x apa(j) x 26 .
i The present worth, V t '(j), of the above avertable onsite dose, valued at $1000 per person-rea is: 1, V 1'(j) = (51500) x $1000 x Apa(3) I 14 4 -
The offsite averted dose (V2 ) for each alternative is estimated from the avertable offsite dose per reactor year
! (given for each alternative in Section 7.0) multiplied by the remaining years of plant operation. Thus
~
V 2 (j) = (Averted doses from Section 7.0) x 26 .
~~In this case the apa is not required because the core melt~~
! probability is inherent in the calculations in Section 7.
The present worth V 2 '(j) of the avertable offsite dose valued at $1000 per person-ren is:
V 2'(j) -
(Averted doses from Section 7.0) x $1000 x 14.4.
The totals of the positive values (onsite + offsite) for averted dose and costs are:
V12(3) = Vl (3) + V2 (3) i V12'(3) *Vl'(3) + V2 '(3) -
f The ratio of the averted offsite dose (V )2 from Table 7.8 and the base case dose from Table 7,7 is l
. 1-4
I Averted dose ratio, offsite E -
l V 2Ili)
ADR*
i Base Case Dose (i) x 26 ,
where i represents the lower, central, and upper bound values.
l Similarly, the ratio of the total averted dose (V12) and the total base case dose is Averted dose ratio, onsite and offsite E i
l V12(31)
ADR" Base Case Dose (i) x 26 + V g(j)
The negative values considered for the jth alternative included I the dose received during installation (a one time dose),
V 3 (j), and the in-service occupational dose received over the
! remaining plant life time, V 4(j). These doses can be i presented valued at $1000 per person-rea in a manner analogous i to that used for the positive values, thus, j
V 3 '(j) = V 3 (j) x $1000 i
V 4'(j) = (V4 (j)/26) x $1000 x 14.4 .
V3'(j) does not include the present worth factor (14.4) because it is a one time dose, whereas the dose associated with operations V 4 (j) is recurring. ,
The not averted dose, NV(j), and not averted costs, NV'(j) associated with each alternative can be calculated by subtracting the negative values from the positive. Thus Net averted dose = NV(j) = V t(j) + V2 (3) - V 3 ()) - V 4(j)
Net present worth = NV'(j) = V t'(j) + V2 (3) - V 3 '(3) - V 4(3) of averted costs at $1000/p-rea Value-Impact Measures - The v.alue-impact measures can be constructed from the variables defined above. Each of the value-impact measures is calculated with the central cost for the total impact (TI) and the central cost for the not impact (NI) as opposed to using the upper and lower bounds for NI.
The first measure considered is the a ratio of averted costs to impacts. This value-impacat ratio (VIR) ir calculated twice.
One ratio considers only the averted offsite costs and the total impact. Thus.for the jth alternative VIRO (offsite) = V 2 '(j)/TI(j) .
c)-7
---.,.---.p.n--,- -
a.. . ,,...w.
i l
N l The second ratio is the not value-impact ratio which accounted
i
~~for the not averted costs and the net impacts.~~
VIRn (offsite and onsite) = NV'(j)/NI(j) .
11milarly'there are two not benefit values. Thefirs$again 4 considers only averted offsite costs, while.the second uses not averted costs and impacts. So one has, NBVo (offsite) = V2 '(3)
~~TI(3)~~
, NBVn (offsite and onsite) = NV'(j) - NI(j) i l'
The final value-impact measure presented is the estimated cost 'i in dollars per person-rea of Dose Averted if the alternative is implemented. Again there are two values, one considering only
, the offsite averted costs, the second the not costs.
DPRo,(offsite) = TI(j)/V2(3) l DPRn (offsite and onsite) = NI(j)/NV(j) .
1
! A more complete discussion of the reasons for selecting'these measures is provided in Appendix L.
9.2 Results - The values, impacts, and value-impact measures defined in the previous section were calculated for the Point t Beach plant using the results of the internal analysis, special l energency analyses,'and the impact analysis. These results are tabulated in Tables 9.3, 9.4, and 9.5. It is important to note
! that the offsite population dose is an integrated dose out to a radius of 50 miles from the site and the conversion from dose to cost is at $1000 per person res. All present value
~~estimates are based upon a 5% discount rate. Each of these '~~
~~tables gives the upper (U), central (C), and lower (L) bounds ~~~
~~, when applicable.~~
~~l The symbols for the values, impacts, and measures are given at the heading of each column to avoid any possible confusion i~~
about the entries in the table or how the numbers were determined.
Table 9.3 summarizes the impacts for Point Beach by alternative. The four oositive inoacts are individually i tabulated and then totaled to obtain the Total Impact (TI) of l
modifications associated with each alternative. One time costs of installing the modifications and replacement power during
~~the installation are already in present worth dollars. The in i~~
service operations and maintenance costs and replacement power costs must, however, be multiplied by 14.4 to account for the I present worth of these. impacts. The installation of l nodifications at Point Beach can be accomplished during normal
! outages so that there are no replacement power costs. Although
replacement power costs due to in service maintenance were not I _
~~i i~~
~~9-8~~
. _ _ - _ - - . - , .__ - _ _ ~ _ __ . _ _ _ _- . . . - - - ._ , .
I i !
TMaf f 9.3 POIWf BEAOR - StetARY OP IWACTS (Based Upon St 1,imauunt) g
! MGATIVE IWACTS DER TO AVERTAetA 'g '
906ITIVE IltPACTS ASSCIA1ED WIM 800DIFICATIONS (Present Wrths) (DESIM 00STS (Present Wrths' tellity (bets change in Installa- Operations hapl W Power costa Baplace- Imes of Total
i Core stelt tion and and Mainten- In Service ment Invest . Site Avert- MT '
j Alternative Probability Engineer- a.se C(mts Instal- (FW) 10rAL Fwer ment Cleanup able IWACT ing Costs IIW) IstPACT Costa Costs Costa Costs
~~h. ICentral lation~~
] value] (i ul0) (4 ul0) ($ ul0' ) (i ul0-6, gg ,gg-6) ($ul0')(:)aloi)($u13 ) (i ul0-6) ($ ul0' ) ,
~~u, C,4 L vadueel Ap, I g~~
14.4 1 2 I 3
I4*0 I 4 TI I51 I52 I$3 I 5
"I mt L 0.15 0.30 .64 0.85 3.518 1 1.75E-4 4.325 0.043 0.0 Available 4.368 C 0.74 0.49 2.90 4.21 0.158 Probably U 3.68 2.45 14.88 21.01 -16.642 j l Negligible ;
i
~~L 0.19 - 8.13 0.78 1.10 5.408~~
! 1.028 2 2.288-4 6.350 0.158 0.0
~~6.500 C 0.96 0.64 3.00 5.48 i~~
! ,- U 4.79 3.19 19.30 27.36 -20.852 1-L 0.20, 0.13 0.00 1.13 6.447 3 2.358-4 7.419 0.15e 0.0
7.$77 C 0.99 0.66 4.00 5.65 1.927 l 19.98 28.21 -20.633 U 4.94 3.29 .
l J I i .
L 8.21 0.14 0.84 1.19 63.315
i. 4 4.22 5.95 58.555 l
~~'d 4 2.488-4 59.047 5.450 0.0~~
~~64.505 C 1.04 0.69 '~~
i U 5.21 3.47 21.08 29.76 34.745 e .
L .21 0.14 0.06 1.21 64.735
.i 5 2.52E-4 64.827 5.918 0.0
~~69.945 C 1.06 0.71 4.20 6.05 63.095 .~~
U 5.29 3.53 21.42 30.24 39.705 g
l1 .
! TI =It + 14.4 I2+33 + 14 4 I4 .
i 1'*351' 5 + 3 52' + 153' .
i lt NI = TI-I S' I
l.
l l
l l '
l l
l l- T
use em +
specifically estimated, our judgment is that 'hese t costs will -
have a negligible impact. It is obvious from the table that alternatives 4 or 5 will cost substantially more than alternatives 1, 2, or 3 due to the extent of these modifications. -
The necative imoacts result from the averted' onsite costs attributed to a potential accident. The costs are, of course, probabilistic. Thus the potential costs for I51 I52, and 153 in 1985 dollars must all be multiplied by the lower (L),
central (C), and upper (U) bound values for dpa. The net impact (NI) is the positive impacts minus the negative impacts. The lower the not impact the more favorable the alternative appears. In fact, in three cases (alternatives 1, 2, & 3 upper bounds) the net impact is negative whi'ch means that the averted onsite cost _s due to a possible accident at the upper bound change in core melt probability are greater than the cost of installing the modifications for those alternatives.
Table 9.4a presents the oositive values for each alternative.
These are onsite averted dose (VI ) and offsite averted dose (V2 ) due to a potential accidpnt. These are both probabilistic in nature, however, the calculation of offsite averted dose (V 2 ) does not explicitly include apa since it is implicitly included in the analysis to obtain V 2 -
Upper and lower bounds are given for V2 as derived from the risk analysis in Section 7 and based on the source term bounds assumed in Section 7. Both averted doses must include a factor to account for the remaining plant life which is 26 years in 1985. ,
The total averted dose (V12) is also given as are the present worth dollar values. Each of the dollar values is based on
$1000/p-tem and a 14.4 percent worth factor as described in Appendiz L.
The averted doses increases from alternative 1 through alternative 5 due to the increase in opm from alternative 1 through alternative 5 but there is little difference between the offsite and total averted dose ADRs.
Table 9.4b summarizes the necative values for each alternative. The installation dose (V 3 ) results from
radiation exposure to contractor personnel during installation of the modifications for any particular alternative. The V3 values for alternatives 4 and 5 are noticeably higher since those alternatives require entry into containment whereas alternatives 1, 2, and 3 do not. In-service occupational dose is considered to be negligible at Point Beach for the alternatives proposed here.. In each case the doses are converted to dollars by $1000/p-rem. V3 is already a present worth but V4 requires a 14.4 present worth factor. ,
S -lo
TAatz 9.4-a 301Nr seAas - sumMtY Or VAIBt:S (sened on 51ation Dose to 50 Milu, 58 9tecc=nt matel !
IOSITIVE VAIJ1ES l ,
Onsite of f et te total 8 Oiange in Present Wrth Averted Present math Averted Pr h -
Alternative Core Melt Averted of Averted Averted Dome 6 of Averted Averted Dose 4 Worth of No. Probability Duee Duse e pose saae case pose e Does Base Case Averted Does (central (p-res) 41000/p-res (p-ren) Duse $1000/p-ren (p-reel Does G$1000/p-res Value] ($ 310) ($ ule' ) ($ 310 )
' IU, c, & I. Valuesi IU, c, 6 L Valueel A.P Vg Vi V 2 "o 2 Y
12 #a Y52 f L 2044 .69 1.132 2270 .72 1.262 f 1 1.752-4 234 0.130 c 2003 .69 1.552 3037 .71 1.682 !
i U 3164 .69 1.752 3398 .70 1.002 L 2691 91 1.490 2996 .92 1.659
'2 2.28E-4 305 0.169 c 3700 .91 2.049 4005 .92 2.218 U 4194 .91 2.323 4499 .92 2.492 -
L 2169 .94 1.534 3084 .95 1.700 3 2.35s-4 315 0.174 c 3004 .94 2.107 4119 .94 2.281 0 4311 .94 2.300 4626 .94 2.562 ,
1 4
L 2865 .97 - 1.587 ' 3197 .M 1.771 4 2.488-4 332 0.184 c 3947 .97 2.186 4279 .M 2.370 i
) U 4400 .97 2.481 4812 .97 2.665 .
t L 2099 .98 1.606 3370 .99 1.067
' 4459 .M 2.470 5 3.525-4 471 0.261 C 3988 .98 2.209 u .98 2.507 4998 .M 2.768 4
4527 .'
i a vg = 51500 x Agg a 26 j Vg* = 51500 x 4pm x$1000x14.4 V2 = Averted Dose a 26
] V8 2 = Averted Dose z $1000 x 14.4 ,
1 ADRo =V2 4 (Saeecame Dose a 26) l .V12 *VI+V i
l g
V12
= Vg7 +eV' "VI aa w - Dose x 26 + Vg) 2
\
I
! s
]
]
1 i
i i
TABut 9.4-b POINF BEADI - SU4tMtY OF VAIJES (Besed on Pognalation Dose to 50 Mile, 54 Di-d mate) 8EGATIVE VAllES .
Installation operation Total Het M1M Change in Present In-Service Present Installa- Present Mortin Present i Alternative Core Nolt Install- ~ Worth of Opera- Wosth of tion and of Install. 6 Averted North of No. Prcadility ation Installa- tional In-Service ($eration- Qaer. Dose Does Averted Dose .
ICentral Dose tica Dose e Duee Oguer. Does al Dose G$1000/p-ren (p-ren) G$1000/p-ren
-6 Valuel (p-ram) il000/p-res (p-res) (4 x 10) ($ 310 ) (8 316 IU, C, 6 L Valuee' '
Ap, V 3
V 3
V 4
V 4 V3+V4 V3+P4 W W '
L 2264 1.244 1 1.75E-4 14 .014 Negligible 14 .814 C 3023 1.664
- 0 3384 1.060 ,
L 2902 1.645
~~2 2.2eE-4 14 .014 Negligible 14 .014 C 3991 2.204 U 4485 2.478 !~~
I L 3067 1.691 1 3 2.358-4 17 .017 Negligible 17 .017 C 4102 2.264 U 4609 2.545 t ,
. L 2711 1.205 4 2.488-4 486 .486 Negligible 486 .486 C 3793 1.884 O .
U 4326 2.179 4
L 2070 1.367 N 5 2.525-4 500 .500 Negligible 500 .500 C 3959 1.970
.. U 4498 2.268 V3' =V3x$1000 ,
V'4 = (V4 426)x$1000x14.4 '
NV =V1+V3-V3-V4
. NV' = Vg* + 2V ' - V3 ' - Vg' D
9 I
f 6 i
(
2 l
, n./
.l
The not value is the positive values V12 OC V12' minus the negative values for V3+V4 and V3' +V4' respectively. Upper and lower bounds are given for NV and NV' which result from the bounds from the positive values,only.
Table 9.5 is a summary of the Value-Impact ahalysis and as such several measures are repeated from Tables 9.3, 9.4a, and 9.4b.
These repeated measures are TI, NI, V 2e V 2', ADRn, and
( NV'. The value-impact measures derived from these measures are the Value-Impact Ratio (VIR), the Net Benefit Value (NBV), and l the Dollars per person-com (DPR) based on offsite costs alone l (subscript o) and based on offsite and onsite costs combined (subscript n). Upper and lower bounds are shown where applicable. Recall that the V 2e V 2', ADRn, and NV' value measure bounds are derived from the source term bounds discussed in Section 7 (that is approximately a i 3 error
~
factor). The impact measures TI and NI are central values even though upper and lower bounds are shown for NI in Table 9.3 to illustrate the range these onsite costs could have.
The results given in Table 9.5 show a large difference in value-impact measures (VIR, NBV, and DPR) between and analysis based on offsite costs alone and an analysis based on offsite and onsite costs combined, the later showing a more favorable advantage for the alternatives 1, 2, and 3. There is a relatively small difference for alternatives 4 and 5 (the add-on SDHR system). Negative not benefit values indicate that the present worth of the averted dose is less than the cost from the impact. In f act, all the not' benefit values are negative if only offsite costs are considered, whereas most of the not benefits for alternatives 1, 3, and 3 are positive when offsite and onsite costs are combined.
Table 9.6 is a further condensation of the results which show eight measures extracted from Table 9.5 for the central'value only. While apa and averted offsite dose (V 2) improves as the alternatives become more extensive (i.e., alternative 1
5) the reverse is true of the three value-impact measures (VIR, NBV, and DPR). In particular the dollars per person-rea are relatively favorable for alternatives 1, 2, and 3 if only offsite costs are considered compared to $1000/p-ren and very favorable, that is less than $1000 /p-tem if both onsite and offsite costs are the basis. Unfortunately the alternatives 4 and'5, which have many unquantifiable related qualities, do not hava favorable value-impact measures. However, this part of the analysis does not consider any of the unquantifiables, thus judgments are deferred to Section 11 of this report where the quantifiable results found in this section are brought together with the unquantifiables.
i w
. 1-13
t TAatA 9.5 POINF BBAOI - SUDetARY OF VAIAM-IWACT ANALYSIS (Based on Papalation Dow to 50 Miless 56 Discount Rate)
V-I ANALYSIS BASED GI OFFSITE G ErS V-I ANALYSIS BASED GI 0FFSITE Ale OSITE GW93 Total Present North masures of V-I Present Worth ' Blessures of V-I Alter- Om9e in Offette Averted Total of Averted list of Averted native Core Melt Averted Dose Issuct Doses $1000/ V-I Met Dollege Impost Does8$1008/ V-I blot Dollars Prchab!!!ty Dose e Base (central p-ren Ratio Denefit per (Central p-ren Ratio tenefit per No.
(p-remi case Dome costi tu,C,st valueel p-rem costi tu,C,st Valueel p-res i Iomitral
~~Valuel lu,c,sL valueel (4 min-8) (4 x 10) (4 x 10) (4 uno I (4 ul04) ($ ul0-0)~~
Ap, V 2 ADR, TI Vj VIR, NSW, DPR, NI NV' VIR, BWF, Dig '
L 2044 72 1.132 .26 -3.2 M 2137 1.248 7.90 1.090 70 1 1.75E-4 C 2803 71 4.368 1.552 .36 -2.816 1558 0.158 1.668 10.54 1.518 52 ;
U 3164 .70 1.752 .40 -2.616 1381 1.868 11.82 1.709 47 +
i
~~R' 2691 92 1.490 .23 -5.018 2418 1.645 1.60 0.617 345 I 2.14 1.176 258 !~~
2 2.288-4 C 3700 .92 6.508 2.049 .32 -4.459 1759 1.028 2.204 U 4194 .92 2.323 .36 -4.185 1552 2.478 2.41 1.450 229 i L 2769 .95 1.534 .20 -6.043 2737 1.691 .88 -0.236 628 ,
3 2.358-4 C 3804 .94 7.577 2.107 .28 -5.470 1992 1.927 2.264 1.18 0.337 470 ;
U 4311 .94 2.388 .32 -5.189- 1758 2.545 1.32 0.618 418 g i'
L 2865 .98 1.587 .025 -62.918 22515 1.285 .022 -57.270 21599 4 2.488-4 C 3947 .98 64.505 2.186 .014 -62.31S 16343 58.555 1.884 .032 -56.611 15437 U 4480 .97 2.481 =
.038 -62.024 14398 2.179 .037 -56.376 13536 L 2899 .99 1.606 .023 -68.339 24129 1.367 021 -62.528 22263 :
i 1 5 2.528-4 C 3988 .98 69.945 2.209 032 -67.736 17539 63.895 1.970 .031 -61.925 16139
-61.627 14205 y U 4527 .98 2.507 .036 -67.438 15451 2.268 .035 l
l VIRO - V2 ' e TI VIR. - w' e NI .
l l
NBV e " Y2 ' - TI SENN " W' ~ MI savo - TI e v2 DPHA " NI I W l
l i . !
s,e l
1 l
l 5
k
, i i
-x
~~f. ,iI u.#4 . . . . . . .. . ,~~
i
' , i e
i TAalA 9.6 IOltfr BEACH - SIMMARY W VAIAE-lMPACT Mk.ASURES (Catral Value)
V-I Analysis Based on V-I Analysis assed on Offette i Omge Offsite 'Ibtal Of fsite (bots and Onsite Comte in Core Avested Averted Dose V-I Met Dollars V-I Met Dollars Alternative Melt Dose Ratio Benefit per p-ren No. Prot e llity (p-res) Ratio Ratio Benefit per p-ten i
(4 x10' ) (i ul0~E l' Ap, V 2 ADR, m, M, M ., m, M, M, ,
0.36 -2.816 1558 10.56 1.510 52 1 1.758-4 2003 0.71 3700 0.92 0.32 -4.459 1759 2.34 1.176 258 2 2.288-4 0.28 -5.470 1992 1.18 0.337 470 g 3 2.358-4 3804 0.94
-62.319 16343 0.032 -56.671 15437 l 4 2.48E-4 3947 0.98 0.034 3988 0.98 0.032 -67.736 17539 0.031 -61.925 16139 5 2.528-4 i
l
. 1 o
A .
I i
f i
I O
1 I
. h!
s 10.0 SPECIAL ISSUES RELATED TO DECAY HEAT REMOVAL There has been considerable interest for many years in the use of feed and bleed (FSB) on the primary system as an alternative, essentially last resort, measure to remove decay heat from the reactor core. In addition, during the course of this investigation and other studies related to steam generator tube ruptures, questions have arisen related to the use of rapid secondary side blow-down to remove decay heat and depressurize the primary sufficiently to permit residual heat removal system cut-in. These two issues are discussed here, including some results from thermal-hydraulic studies on both subjects conducted on behalf of TAP A-45 by the Los Alamos National Laboratory.
10.1 Feed and Bleed .
Feed and bleed 'is used more De less generically to describe two similar though somewhat different processes. In some plants, primarily those designed by Babcock and Wilcox, the high pressure injection (HPI) pumps have sufficient head and capacity to lift primary safety relief valves (SRVs) in addition to the power operated relief valves (PORVs) and provide sufficient flow to remove decay heat. Therefore, they can literally feed and bleed with liquid only (no void in the primary). In other plants the HPI pumps do not have sufficient head to lift the SRVs and so the PORVs must be opened first to reduce' primary pressure to the point where HPI can provide adequate flow. In these plants the feed is liquid, but the bleed is usually steam or a two phase mixture, i.e., there will be some void in the primary. Detailed thermal-hydraulic analysis of feed and bleed phenomena and capabilities are reported elsewhere.18,19,20,21 In general, those studies support the concept of feed and bleed but they do point out that timing is a critical parameter in establishing whether or not primary feed and bleed can successfully remove decay heat.
10.1.1 Value of Feed and Bleed In the case of Point Beach Nuclear Plant, discussions with the plant staff revealed that feed and bleed as discussed in the Westinghouse owners Group Emergency Procedures Guidelines would be incorporated into the plant procedures in early 1985.
Therefore, in constructing the event trees (Appendix B) credit _
J was given for the capability. As reported in Appendix B, the j ability to feed and bleed can influence twenty-one potential l' accident sequences. If the plant cannot feed and bleed these twenty-one sequences reduce to eight sequences. The specifics of the sequences replaced are discussed in Appendix B. It is sufficient for this discussion to note that the combined core melt probabilities for the affected sequences before any recovery analysis are:
~_.
o
. lo -l
_ _~. _ _ _ - . _ _ _ _ . _ . . . _ . _ _ _ _
Pcm without feed and bleed 1.04E-4 ~~_ ,'
Pcm with feed and bleed 1.03E-4 Therefore, the feed and bleed capability reduces the estimated core melt probability for Point Beach by lE-6, a relatively insignificant effect. Applying a simplified recovery analysis !
reduces the probabilities to 3.88E-5 and 3.54E-5 respectively, so that the feed and bleed increment is 3E-6. It is noted that this result is consistent with other studies. In the investigation of the cost-benefit of adding PORVs to System 80 plants. Sandia estimated a reduction in core melt probability of 4.0E-622 and very preliminary results from the Turkey l Point analysis suggest a reduction of approximately 2E-6 when giving credit for feed and bleed.
Because of the broad' interest in primary system feed and bleed as a DHR tool it is approprLate to examine the reasons for such a modest benefit. This can be illustrated quite well with the following example. If we consider the single sequence, T MPQL, 1
we find that if feed and bleed is viabiw there are three possible sequences: T MPQ y L51t7P s , T MPQ 1
L5 7Py, T1MPQ LD t.
In the sequence Tt MPQL, the dominant contribution to core melt comes from electric power failures. If the individual cut sets are examined it is found that more than 80% of the estimated core melt probability is attributable to battery failures or battery failures in combination with diesel generator failures. If attention is turned to the three feed -
and bleed sequences, it is found that the first one.
T gMPQL5 P a , contributes a negligible amount to estimated core 1tt melt probability. This is due to the fact that it is, by definition, a path on the event tree which has significant system successes. Even though auxiliary feedwater (L) has failed, high pressure injection (D 1 ) and the power operated relief valves (P 1 ) succeed and only the late time failure of high pressure recirculation (H 1) becomes a factor. It should also be noted that success of Di and P4 also implies that in this sequence certain electrical failures cannot then occur in L. The second sequence, Ty MPQL5 7y P , does contribute to the core melt probability but only about 6%. For this sequence the failures are combinations of auxiliary feedwater pumps and battery failures. In the third sequence, T y MPQLD y, which con-tributes about 94% of the combined core melt probability, it is found more than 80% of the contribution comes from the same electrical power failures that appear in the sequence T MPQL. y Support system failures are-therefore controlling the failures of auxiliary feedwater and high pressure injection. Similar situations exist in the cut sets for the other sequences which are involved in the feed and bleed situation.
. l o - 2,
i Therefore, although adding the feed and bleed capability __
l reduces the estimated core melt probability, the reduction is only in the order 1 x 10-6 or less than 1% of the estimated core melt probability due to random internal failures.
In the special case of seismic initiated transient events a similar situation exists. At earthquake levels two to four I
times SSE the inability to feed and bleed contributes about 40%
(3.lE-6) of the base case seismic core melt probability (8.2E-6). Therefore, even eliminating the vulnerabilities completely and thus guaranteeing bleed and feed would only reduce the core melt probability by that 3.lE-6 or by .
approximately 1% of the overall base case core melt probability (2.56E-4). Nevertheless, because failure of the RWST under seismic conditions was a major contributor, and because it is also the water supply for other safety functions, it was deemed.
appropriate to recommend sodifications to counter the effects of such failures even though feed and bleed is not a major issue.
In this investigation the addition of a dedicated feed and bleed system was not pursued for several reasons. First, if a dedicated system were added without a separate power supply, then it would be subject to the type of electrical failures discussed above and there would be little reduction in core melt probability. This was illustrated in the results of the System 80 PORV Study.22 In that instance there was no -
benefit for response to LOSP transients. There was a benefit for SGTR and SBLOCA events because thee events were dominated i by local HPI f ailures which are countered by the added I
redundancy of a dedicated FSB system. Even so, the overall reduction in frequency of core melt in that study was only about a factor of 2.5. At Point Beach the small break accident sequences to which F&B applies involve failures after a transient initiating event and so one would expect on'ly limited if any improvement even with a dedicated system. (NOTE: In this TAP A-45 study tube rupture in a single steam generator is considered isolatable and therefore a transient initiating event. Simultaneous tube ruptures in both steam generators were not considered.) Second, the benefits of a completely independent feed and bleed system were not evaluated in the i System 80 PORV Study.22 However, the costs associated with I such a dedicated, independent system are substantial based upon l what was done in the earlier study. A rough extrapolation of l the available information suggests that an additional pump and associated hardware would cost in excess of $6 million if the equipment were located in an existing structure. It was also estimated that a dedicated emergency electrical power system could run $11 million. (This is consistent with current estimates of costs associated with adding an emergency diesel generator at Quad Cities.) There would be substantial added construction costs if the dedicated pump were housed in a new separate structure. All of this would make the cost of a fully independent feed and bleed system 3 to 4 times that of other lO-3
' )
viable alternatives and a significant fraction of those for the '
1 add-on auxiliary feedwater/ makeup system which removes decay I heat without contamination of containment. Third, the ADER )
study results23 indicate only about a factor of 2.5 '
improvement in core melt probability with an add-on HPI system that has a dedicated power supply. The add-on HPI was not as effective as an add-on AFW in reducing core melt probability at comparable cost. The add-on AFW system gave about a factor of 20 reduction in core melt probability. Given these earlier results and the results above, a dedicated F&B system was not considered a viable alternative for Point Beach.
10.1.2 Impacts Associated with Feed and Bleed In a situation such as that which exists at Point Beach where feed and bleed can be used without installing new equipment, there are no direct capital costs. However, there are other impacts or impl'ications of feed and bleed which need to be considered. '
Thermal-hydraulic Phenomenoloey - Because of the broad interest in feed and bleed as a last resort decay heat removal method, questions,have been raised regarding its actual viability in terms of the thermal-hydraulic phenomenology and potential environmental effects on equipment. Los Alamos. National Laboratory (LANL) has examined the phenomenological questions very extensively under NRC sponsorship. The LANL results have '
been reported in a series of draft reports (References 18 through 20). The objectives of the LANL work were to: ,
~~1) Evaluate success or failure of feed and bleed in specific reactors and for specific accident sequences.~~
~~2) Identify plant specific and generic insights.~~
~~3) Use insights to predict feasibility of feed and bleed for PWRs for which detailed analyses were not performed.~~
In conducting their investigations LANL used audited models of three specific plants. In this instance audited implied that all data is traceable to its source and that the input values are' generally accepted as being realistic. ,
Specific response calculations were made by LANL for Calvert Cliffs 1, Zion 1, Oconee 1 and H. B. Robinson 2 using the TRAC-PF1 thermal-hydraulics code. It is also important to bear in mind the underlying assumptions and success criteria used by LANL. In References A and B LANL assumed that the plant equipment needed for F&B was available and fully operable throughout the transient, that is, equipment environmental qualification issues were not considered; nominal performance was used. In Reference C LANL further assumed that individual i'tems of equipment were not functional, in one instance only 1 of 2 PORVs was used, in another only 1 of 2 HPI pumps. In l0-k .
d
1 j . _..
4 1
1
. those instances where the plant was being taken from reactor i trip to hot standby, success was defined as' attainment of stable RCS pressure above LPI and accumulator actuation levels, vessel mass inventory not decreasing and cladding temperature j
i below or near saturation. When going from reactor trip to hot shutdown, success was defined as controlled RCS' cooling and depressuriation to LPI or RHR cut-in conditions. -
A wide range of transient conditions was investigated by LANL including loss of feedwater, loss of offsite power, main steaa
~~line breaks, main feed line breaks, and steam generator tube~~
! rupture. These are described in detail in the referenced draft reports.
i l LANL concluded from this work that for the plants studied in
! detail, under the assumptions stated, feed and bleed would be successful if initiated no later than the time of steam generator dryout although the operating boundaries shift when less than nominal equipment is used. The actual time under i nominal conditions varies from about 8 minutes for Oconee 1 (low inventory, once through B&W steam generator) to about 40 minutes (large U-tube Westinghouse steam generators). Because Point Beach is a Westinghouse.2-loop unit, it is appropriate to consider the results for Zion and Robinson in somewhat more detail. In this regard the following has been adapted from Reference 19. For the Zion plant, three features: steaa generator secondary inventory, HPI delivery capacity, and PORV relief capacity have a significant effect upon the analysis.
The total inventory of the Zion 1 steam generator secondary is about 174000 kg (383000 lbs). This is the largest inventory per MWt of the plants studied 1n detail. For the base LOSP transient, steam generator secondary dryout occurs at about 4170 s. However, a steam generator secondary dryout occurs auch earlier for the LorW event (as early as 2400 sec) because the trip for this event follows the accident initiator by about one minute.
l The following conclusions about feed and bleed in the Zion 1 l Plant were reached.
I l 1) The HPI systen delivers sufficient flow at the PORV set point (feed mode) and lower pressures (feed and bleed) to permit successful control of Icss of feedwater transients. In feed mode in PORV opens on system pressure and can cycle; in feed and bleed the mode PORV is latched open by the operator early in event.
~~2) The feed mode procedure can be used at the plant to cause the transition from reactor trip to hot standby if initiated no later than the time of containaent overpressure. ,~~
~~3) The feed and bleed procedure also effects the transition from reactor trip to hot standby, even if the feed and bleed is initiated as late as the time of containment overpressure~~
.6
. lo -5
I signal. However, some voiding will occur in the primary system i because the primary rapidly depressurizes to saturation --
l conditions.
4) The feed and bleed procedure can also be used successfully to cause the plant transition to hot shutdown. There is sufficient HPI delivery and PORV relief capacity to cool and depressurize the plant using only the inventory of the RWST.
5) The early behavior of the combined MSLB/LOFW and MFLB/LOFW are dominated by overcooling of the primary. However, event timing prior to loss of9 secondary heat sink is only slightly accelerated (MSLB/LOFW) or mildly accelerated (MFLB/LOFW) as compared to the LOFW event. The early signature of the combined SGTR/LOFW is characterized by a primary-system depressurization. Feed and bleed is also effective for each of the combined transients. i The following comments are adapted from the H. B. Robinson study (Reference 19). A feed and bleed (FAB) transient in the three loop HBR-2 pressurized water reactor (PWR) for a complete loss of feedwater (LOFW) accident with a delayed reactor trip was calculated. The purpose of this analysis was to verify that Westinghouse three-loop PWRs with low-head safety injection (SI) systems can be successfully cooled and depressurized following a complete loss of secondary heat sink with delayed reactor trip. The Westinghouse Emergency-Response Guidelines for a complete loss of secondary heat sink were followed. A delayed reactor trip based on a steam generator control system malfunction was assumed, which caused the reactor to trip 52 s after LOFW. The LOFW analyses given in the Westinghouse Emergency-Response Guidelines assumed a reactor trip 16 s after LOFW. No high-pressure charging pump flow was present during the entire transient. The transient calculation was terminated at 4970 s when it was evident that cooldown to residual heat removal (RHR) conditions could be achieved.
For H. 3. Robinson it was concluded by LANL that a complete LOFW with delayed reactor trip can be cooled to RHR pressures with primary side FAB, provided it is initiated before or within a few minutes after steam generator dryout. Any delay between LOFW and reactor trip significantly hasten steam generator dryout, reducing the time that an operator has to detect and diagnose the type of accident and take appropriate action.
LANL did not have an opportunity in the course of this study to analyze a two loop plant such as Point Beach. Therefore, they have made no extrapolation of their results to such plants.
However, 1) comparing the key parameters for Zion, H. B.
Robinson, and Point Beach in Table 10.1, and 2) considering that feed and bleed procedures are being adopted, it is reasonable to conclude that feed and bleed can be successfully
, ] O -6
1 wS S
/ conducted from the phenomenological point of view.
\ ~
Table 10.1 Selected Westinghouse Plant Parameter Parameters Xian H. B. Robinson Point Beach Power (MWg) 3,738 2,200 1,518 SG Inventory (kg) 39,975 42,229 PORV Capacity gym S 1000 psi 64.6 95.5 75.9
(#/hr) 210,000 210,000 117,000 HPI Capacity gym S 1000 psi 490 390 '900 gym S 1600 psi 380 0 0 Positive Displacement Pump (gpa) - 231 180 32 40 SG Dryout Time (min) 4_5 .' 8 In summary, these analyses indicate that feed and bleed can be successful in Westinghouse plants provided the process is initiated early enough. The initiation time can be as little
' as 10-15 minutes into an event depending upon when reactor scram occurs. It would appear that this puts a considerable pressure upon the operators. A decision to open the primary must be made before there is really any time to establish reasons for other equipment not functioning.
10.1.3 Operational Issues Another aspect of the application of feed and bleed must also be considered. The Westinghouse owners group Emergency Response Guidolines direct the operator to attempt to restore feedwater to the steam generators until primary system pressurization and coolant heatup begins. Once the primary system pressure and temperature begin to increase following loss of the secondary heat sink, the operator is directed to quickly establish once through cooling using a feed and bleed procedure. However, it was pointed out above in the discussion of the value of feed and bleed that at Point Beach the dominant failures for both auxiliary feedwater and high pressure injection derive from electric power failures, AC and DC.
Therefore, there is a very strong likelihood that if auxiliary feedwater is unavailable, the high pressure injection will also be unavailable.
10.1.4 Environmental Qualification Concerns In addition to the questions related to the thermal-hydraulic phenomenology, there are concerns about equipment qualification, that is, will the necessary equipment function under the environments that may be created.
Using the LANL calculations to define the mass and energy released into containment pressure / temperature profiles were-
~.
. Io -7
l l
l t
^
developed by the NRC staff as a function of containment system performance. A large dry containment was used for the '
calculations. The general findings of that study as quoted in Reference 25 are:
"Following a feed and bleed transient if all the active containment heat removal systems fail, the containment pressure and temperature could axceed the design values, but would level off before the containment pressure reaches the ultimate containment strength of more than two times of design pressure. The containment pressure and temperature conditions following a feed and bleed transient are lower at the peak and at some later time (104 sec) than those following a LOCA.
The conditions from feed and bleed could be slightly higher than those from LOCA during a period of several thousand seconds and at very later time (104 sec) when the elevated pressure and temperature are not significantly higher than those during normal operating conditions. The implications of this period to equipment qualification, during which the containment pressure and temperature conditions of feed and bleed are slightly higher than those from LOCA, is plant dependent and instrument specific."
At this point in time the qualification profiles for specific pieces of equipment have not been examined, and there are some unanswered questions related to the differing pressure-time and temperature-time profiles. Those of the LOCA environments peak rapidly and then drop off,25 while the F&B environments, although lower in peak amplitude, exist for longer periods of time. The effect upon equipment performance has not been evaluated. .
There is another aspect of this question which should not be neglected. In the study cited above, various containment system conditions were examined. That has prompted a closer look at the analysis of containment systems performan'ce. These systems were modeled and included in the analysis to provide a tool for extrapolating core melt frequencies to risk (see Appendices B and K). If the performance of containment systems are examined the same electric power dependencies described earlier exist. For example, in the sequence T MfQLD where feed 7 1 and bleed is allowed if containment system failures are postulated, the sequence becomes T MfQLD 7 7 Z. The dominant cut sets contributing to failure are the same electrical power failures discussed earlier. Therefore, if auxiliary feedwater and high pressure injection have failed, which is the most likely situation, then containment systems also fail. But insofar as feed and bleed is concerned, the latter failures are "a moot point" since feed and bleed cannot be accomplished.
. f o -1
s 10.1.5 Summary From the foregoing discussions it is clear that at Point Beach l and similar plants, feed and bleed may be possible from a '
phenomenological point of view. However, it is equally clear that a feed and bleed capability does not significantly affect the probability of core melt. Further, this' Point Beach analysis indicated that the systems required to conduct a feed and bleed operation (HPI and PORV) are quite likely to be inoperable due to the same support system failures which created the need for feed and bleed. .
10.2 Secondary Side Blow-down In this Point Beach analysis, the tera secondary blow-down, is used to describe the use of the atmospheric dump valves to rapidly depressurize the secondary side of the steam generators. This action is accompanied by primary side depressurization due to the increased primary to secondary heat transfer and subsequent cooling of the primary. The goal is to reach low pressure injection set points or residual heat removal cut-in conditions so that the system can be put on closed cycle cooling. .
There has been some discussion related to the use of pressurizer sprays in conjunction with the rapid secondary depressurization to depressurize the primary after a loss of offsite power transient. In addition to an examination of the available literature on secondary side blow-down, Los Alamos l
National Laboratory (LANL) was asked to make some specific t
calculations. The LANL results are discussed here along with some insights from the probabilistic assessment.
10.2.1 Value of Secondary Side Blow-down In the internal event analysis of the Point Beach Nuclear Plant, the event trees were constructed to include the use of secondary side blow-down (see Section 2 and Appendix B). The success criteria included the use of both the atmospheric dump valves and the pressurizar sprays in this process. As shown in Appendix B, the use of secondary side blow-down influences 15 potential accident sequences.' If a secondary side blow-down capability does not exist, then these 15 sequences reduce to 5 sequences. The specifics of the sequences replaced are discussed in Appendix B. but some comments are included here.
The combined core melt probabilities for the affected sequencas, prior to applying recovery actions to these sequences are:
Pcm (without blow-down) 5.09E-5
, Pcm (with blow-down) 4.46E-5 1
On this basis the secondary side blow-down capability reduces the estimated core melt probability at Point Beach by 6E-6.
. l o -9
l l
This is a larger reduction than that attributed to the' feed and \ l bleed capability (see Section 10.1.1 above), but it is not a ,
major effect. A limited recovery analysis was applied to these '
sequences with the result that the core melt probabilities became 1.38E-5 and 5.98E-6 respectively, so that the difference is approximately SE-6, comparable to that without recovery.
The significant reductions in the estimated , core melt probabilities with recovery result from the virtual elimination of several failure modes (e.g., failure of SI actuation signals) by the available recovery actions.
In the case of feed and bleed the overall gain (-3E-6) was relatively modest because all the required systems with or without feed and bleed had common vulnerabilities in the
.. support systems. The improvement with secondary side blow-down is larger (-8E-6) because there are some differences in the required support systems with and without blow-down. This can
~
be illustrated by considering the SBLOCA sequence S M D y which 2
contributes about 63% of the core melt probability cited above.
If secondary side blow-down is feasible, there are hree possible sequences: S M 2 Dy Hj,,S MED12 2
""d S2M XD7 In all of these sequences the initiation of the SBLOCA (S2) is accom-panied by loss of main feedwater (M) but auxiliary feedwater is available (C). In the first instance the probability of core melt is influenced by the failure probability of high pressure injection (D 1). In the latter three sequences the combined probability of failure of: high pressure injection.(D 1 ) and low pressure recirculation (H2'); high pressure and low pressure injection (D12); and secondary side blow-down (X) and high pressure injection (D 1), respectively, are the issues of concern. The sequence2S My D Hj is a negligible contributor, while S MED 2 12 and S 2 M XD y contribute 98% and 2% respectively.to the combined probability. Therefore, the principal comparison is between sequences S " D and S 2" 0 1. In sequence S MED y 2 12 12' given the initial conditions S M , tw injecti n systems must 2
fail to cause core melt, while in sequence S mfd failure of 2 7 only the high pressure system is enough to cause core melt.
While these two situations have many cut sets in common, there are additional failures involving single valves which can cause failure of the high pressure injection. Therefore, having a secondary blow-down capability does improve the core melt probability by about 50% whereas the feed and bleed improvement was only about 2%.
10.2.2 Systems Required for Successful Depressurization Several years ago EG&G (INEL) investigated small break accident mitigation at Zion 1, assuming coincident failure of both I
. l o -lo
i charging and high pressure injection.26 The conclusions of that study were:
. "The largest break diameter which will prevent a l depressurization to the accumulator injection pressure is about 6 cm (2.4 cm). ,
1
~~l "The small break sequence with coincident failure of charging and HPI rapidly leads to a core uncovering but sequence timing is directly affected by break diameter.~~
"The opening of a single atmospheric dump valve is not effective in preventing core uncovering.
"The opening of all four ADVs at 10 minutes has been shown to l be an effective means of preventing core uncovering following 2.54 cm (1 in) and 5.08 cm (2_ in) diameter breaks."
In these INEL investigations for Zion 1 no pressurizer sprays were used. The atmos f
0.01015 m2 (0.1092ftgheriedumpvalveshadaflowareaof
) each, sufficient to pass 112.1 kg/S (247'#/s) of saturated steam at an upstream pressure of 7.72 MPa (1120 psia). .
Similar calculations were performed by Combustion-Engineering (CE) to address the question of how CE System 80 plants handle i small break LOCAs without PORVs.27 The calculations were performed for a 3410 MWt class plant. Aggressive secondary side cool down at 100*F/hr was initiated 15 minutes into the event. Results indicated that the Safety Injection Tanks (SIT) begin to inject at about 3500 s'aconds. SIT injection continues until the RCS pressure reaches 100 psi. The low pressure injection pumps (LPI) will begin to inject at 200 psi. Based upon inspection of the graphical results in Reference 27, LPI operation should begin between 6000-7000 seconds. The ADVs used had a capacity of 195.2 #/s at 900 psia with an effective flow area per valve of 0.108 ft2 There was one ADV per steam generator.
J. D. Harris of the Nuclear Operations Analysis Center at the Oak Ridge National Laboratory examined atmospheric steam dump systems for a number of PWRs.28 The specific Initiating events of concern are not spelled out in the Harris study, but the text implies that LOCAs and transients are considered.
Harris does specifically state that he is concerned about heat removal after Main Steam Isolation Valve closure after some Design Basis Event. Based upon his relatively simple analysis of 11 PWRs, Harris concluded that: 1) two plants (Indian Point 2 and San Onofre 2 & 3) could achieve RHR entry using available auxiliary feedwater: 2) three plants (Fort Calhoun, Calvert Cliffs 1 & 2, and Davis Besse 1) could not and: 3) six (Palisades, Salen 1 & 2, Crystal River 3, Beaver Valley 1, Millstone 2, and McGuire 1) could not if there were steam dump valve failures. Thus, the Harris approach agrees with the CE j a - 11 ,
j analysis that the 3410 MWt class can depressurize. Although s the previous estimates by both INEL and CE suggest that -
. existing ADVs are adequate to reach RHR conditions, the questions raised by Harris prompted further examination.
Los Alamos National Laboratory (LANL) was asked to' examine the l
question using the TRAC /PF1 thermal-hydrauli.cs code. The Calvert Cliffs plant model was used for this examination for several reasons. One, Calvert Cliffs was one of the plants Harris indicated could not reach RHR cut in. Two, this plant model has been used in several prior studies. Three, Calvert Cliffs was the reference plant for the cold shutdown investigations in TAP A-45.29 LANL examined the use of ADVs in response to a small break LOCA with failure of high pressure injection 30 and to a loss-of-offsite power transient.31 The major conclusions from the LANL work are as follows. From Reference 30 for the small break LOCAs:
"The primary system will cool and depressurize to the l low-pressure injection system operating pressure and design
~~temperature limits using only water supplies from the safety-grade condensate water storage tank.~~
~~"The procedure is successful e'ven with additional equipment failures such as the failure of one atmospheric dump valve to~~
open or the safety injection tanks to discharge. Such failures lengthen the time to start the low-pressure injection system. ,
"Because the depressurization rate is enhanced by the small ;
break, the cooldown rate defines the time to low-pressure injection system cperation. ,
" Doubling the auxiliary feedwater flow increased the cooldown rate but the increase was small to moderate.
l' "No calculation was extended to a low-pressure injection system operating temperature of 422 K (300*F). The cooldown from the i design temperature limit to the operating temperature was very
~~slow. Because the secondary-side pressure had reached a quasi-steady state it seems that further cooldown would track the decrease in decay power."~~
1 The LANL results for SBLOCA at Calvert Cliffs are consistent with the INEL Zion 1 study (Reference I). The depressurization i of the primary is " assisted" by flow out of the break and there is sufficient inventory available to adequately cool down. It would appear that a similar situation should exist at Point of i
Beach 1.33E6 because lbs/hr asthere compared the two to ADVs 1.74E6have lbs/hr a combined for Zion.capacity But. \ ..
detailed calculations have not been performed for Point Beach. -
i l
Similarly, from Reference 31 for the LOSP transient:
I "Cooldown and depressurization to RER entry conditions does not I -
I
. J o -12.
occur for the case where operator uses only existing plant ADVs and AFW.
"If the operator uses APS in addition to existing ADVs, j depressurization is improved, but RHR entry is still unattainable, because of secondary side cooldown and depressurization limitations.
" Doubling the ADV capacity still does not provide sufficient flow capability to bring secondary pressure and temperature down low enough to allow primary cooldown to RHR entry conditions.
"By increasing the ADV capacity to 400% (of nominal] the plant can reach RHR entry conditions within 3-1/2 hours from the l initiating event. A 500% flow reduces this entry time to about 1
3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months ." _
With regard to the LOSP transient, after it was ascertained by LANL that the APS was required for depressurization using only one ADV per steam generator, the APS was used in all subsequent
' calculations. Therefore, the ability to depressurize Calvert Cliffs with larger relief capacity but without APS was not addressed. However, to put some perspective on this question, f it is noted that the Point Beach LOSP sequences that can be affected by the secondary blow-down capability contribute only 1-2% of the core melt probability discussed in Section 10.2.1 above. This suggests that the response to the LOSP transient is not a major issue. It is our understanding from discussions with the Point Beach staff that they could not reach cold-shutdown with existing CST inventory given a LOSP, l however, they have backup supplies from the treated water and fire water systems which can be used.
10.2.3 Summary -
In summary, it appears reasonable to state that: 1) the secondary side blowdown capability only has a modest effect upon the probability of core melt: 2) given SBLOCA events with failure of HPI, aggressive cooldown using the ADVs will reduce the primary pressure to RHR entry conditions; and 3) for a LOSP transient, RHR entry conditions may be reached using a combination of APS and ADVs, but the situation is very plant specific. Successful cooldown to RER entry conditions using only ADVs after a LOSP transient has not been fully explored, but in the case of Point Beach this sequence is a minor contributor to the core melt probability.
e W
. I o -13
. - - - . . - _- . _ _ - . _ = . .- ___ _ - - - -
11.0
~~SUMMARY~~
, CONCLUSIONS, AND OBSERVATIONS This report documents the investigation of the adequacy of decay haat removal (DRH) at the Point Beach Nuclear Plant.
This particular plant was selected as an example plant for several reasons. One, the results of an initial q'ualitative screening process suggested that there were some potential DER vulnerabilities that deserved further study. Two, it is
" typical
of the layout and construction practices of a number of plants of similar vintage. Three, the utility management, Wisconsin Electric Power, expressed a Willingness to participate in this aspect of the USl A-45 investigations. The following sections highlight some of the findings and insights including non-quantifiables, discuss aspects of DER issues not addressed specifically, and finally make some generic observations. _
11.1. The DHR Assessments This program was not designed to conduct full-scope probabilistic risk assessments (PRA) of the plants being studied. However, it was established very early in the program that limited-scope assessments would be necessary to adequately address the issues. Because TAP A-45 is considering the full range of potential failure mechanisms, the study includes a PRA based examination of internal random and systematic faults and a simplified PRA based examination of special. emergencies.
\- This study uses the term "special emergencies" to describe those events such as fires, floods, winds, etc., which are i often labeled external events elsewhere. These latter investigations are characterized as " simplified" because many of the analysis techniques are still under development and
~~therefore, in some instances, have substantial subjective l engineering judgment included. .~~
11.1.1 The Internal Analysis The details of the internal analysis are presented in Section 2 and Appendices A and B. From this analysis it was established that the random internal failures (including recovery actions) had an associated core melt probability of 1.5E-4. There were six internal vulnerabilities identified, the effects of which accounted for 97% (1.3E-4) of core melt probability. Equipment and system modifications were proposed to correct or reduce these vulnerabilities.
11.1.2 The Special Emergency Analysis The details of the special emergency analyses are presented in Section 3 and Appendices C'through I. The special emergencies included in this study are: seismic events, fire, internal and l
external floods, extreme winds, lightning and internal sabotage. The seismic contribution to core melt was estimated
' to be 8.lE-6, 88% (7.2E-6) of which was contributed by six t
. 11 - 1
T I specific vulnerabilities. The fire contribution to the core'
melt probability was 1.6E-5 attributable to two specific !
vulnerabilities. Internal flood contributed 7.7E-5, all of which was attributed to a single vulnerability. Equipment, system and/or building modifications were proposed to eliminate or reduce these vulnerabilities. External f.lood.. extreme wind, and lightning contributed 1.9E-8, 4.0E-6 and 5.3E-7 respectively to the core melt probability. No modifications were proposed to counter specific vulnerabilities from these three initiating events. The sabotage analysis was not quantified, but modifications identified for several special emergencies will be helpful in countering potential sabotage.
11.1.3 Base Case Results When the results of the analyses are combined, the base case
, core melt probability is 2.56E-4 made Op of the following contributors:
Internal 1.5E-4 Seismic 8.13-6 .
Fire . 7.7E-5 Internal Flood 1.6E-5 External Flood 1.9E-8 Extreme Wind 4.0E-6 Lightning 5.3E-7
'3 2.56E-4
~
1.1.4 The Alternatives and Revised Core Melt Probabilities As noted above, specific modifi' cations were recommended for the most significant avulnerabilities identified. These modifications were combined in various ways to define five
,' possible alternatives which could be implemented at the plant (see Section 5.0). The impacts, costs, associated with implementing the alternatives were estimated using standard industry practices (see Section 6.0). The core melt probability was then reevaluated assuming the alternatives were in place (see Section 7.0) with the following results:
Probability of Core Change from Alternative Melt Der Reactor Year Base Case 1 8.1E-5 1.75E-4
2 2.8E-5 2.28E-4 3 2.1E-5 2.35E-4 4 7.6E-6 2.48E-4 5 3.9E-6 2.52E-4 1.1.5 The Value-Impact Summary The results of the core melt probability estimates were i combined with the results of an analysis of containment systems performance and CRAC-2 calculations of offsite consequences to .
\\-L r-.- . . , - -- - - . - - . , , _ , _ _ _ . , _ _ , , - - - _ - - - . - -i- r---------ey
1 4
establish estimates of public risk (s'ee Section 7.0). These estimates and the impact results were then combined in a value-impact analysis. Detailed results are tabulated and presented in Section 9.0. Table 11.1, which is the same as Table 9.6, summarizes the key results.
1.1.6 Discussion of the results There are a number of conclusions or observations based upon Table 11.1 which should be highlighted. l a) There appears to be a number of feasible modifications reflecting both internal and special emergency concerns which, if implemented, can significantly reduce the estimates of core melt probability: for example, those that are contained in
~~alternatives 1 and 2. This tends to confirm one of the original assumptions of the program, i.e., there are some DHR vulnerabilities in the existing plants and they can be countered.~~
b) The total averted population dose is modest in all cases, on the order of a few thousan4 person rem. However, the averted dose ratio indicates that the alternatives can be very effective in reducing population dose. For example, alternative 2 eliminates nearly 90% of the exposure predicted in the base case.
c) Considering only offsite costs the value impact ratio and not benefit measures both suggest that the alternatives lack cost effectiveness. Also. the dollars per person-rea measure exceeds the nominal $1000 per person-rea, but, it should be
, noted, by less than a factor of 2 for alternatives which could reduce the core melt probability by factors of 3 to 12. The latter point suggests that such alternatives may well. merit added consideration.
d) If the value measures include the onsite costs that can be averted (personnel exposure, replacement power, cleanup, and loss of investment) then for alternatives 1 through 3 all the value measures would suggest that they are worth implementing.
e) In terms of the quantitative measures alternatives 4 and 5, which include the add-on independent train, do not fare well because they involve significant (tens of millions of dollars) of capital expense. However, they do provide other non-quantifiable attributes (see Section 11.2) which must be considered.
11.2 The Add-on Decay Heat Removal System 11.2.1 Non-quantifiable Value Issues As noted above, the add-on system capital expense puts the system at a disadvantage in a simple quantitative analysis.
11-3
_--------,,,-______--,m - - , _ _ . . - , - - , . , , - _ - - _ _ _ , , - _ _ - . - - - - - ,
TABIA 11.1 POINT BEACH c 61MMARY W VAIAE-lHPACT MEASURES (Cer tral Value)
V-I Analysis Based ce Offsite Change Offsite Total V-T Analysis of Of fsite Onste and Onsite Cbsts in Core Averted Averted Alternative Melt Dose Dose V-I Net Dollars V-I Net Dollara No. Probability (p-rea) Ratio Ratio benefit per p-ram Ratio Benefit per p-rea
($ ul0' ) (i ul0'0) -
l AP, V 2 "n "o "o "o YI"n "n E n 1 1.758-4 2003 0.71 0.36 -2.816 1558 10.56 1.510 52 2 2.288-4 3700 0.92 0.32 -4.459 1759 2.14 1.176 258 3 2.355-4 3u04 0.94 0.20 -5.470 1992 1.10 0.337 470 4 2.485-4 3947 0.98 0.034 -62.319 16343 0.032 -56.671 15437 5 2.528-4 3988 0.98 0.032 -67.736 17539 0.031 -61.925 16139
~~1 l~~
+ -
i 4
- t O
l 1
h ges . $ ,, .
_j.
s . . - -
. . . . . ~ . . . . . - -. . - - . .-- . .
However, there are other attributes which must also be -
considered. The add-on system, because of its complete independence from other plant systems, will have a significant effect upon residual ri,sk.. It is unaffected by fires and/or floods which might occur in other plant buildings. Similar comments can be made about this system with respec't to equipment qualification issues. The add-on is protected from steam line breaks and high to medium pressure line breaks which could occur in the plant. Furthermore, since it provides the independent backup to other systems, a variety of potential failures of normal safety systems are covered. Because it is housed in a separate structure and interfaces only with the primary system inside containment, the add-on provides additional protection against sabotage. Since all the equipment is in standby status aad is a last resort backup to existing safety systems, added security (access control) is possible without a major impact upon routine day-to-day operations.
11.2.2 Comparisan with European Practice For simplicity in design and costing the details of the add-on system proposed here were extracted directly from prior work.16 Therefore, it is a single train system. In the earlier work this approach was adopted based upon the philosophy that it is a "last resort" system, and therefore a number of redundant and diverse systems would have to be failed before it is used. In contrast, in a number of European installations of a similar nature redundant trains are used.10 However, their approach must be viewed within the general context of nuclear safety in Europe. In their " front line" safety systems they usually adopt the N+2 philosophy as compared to the N+1 approach in the' United States. Therefore, they generally provide more redundancy. It should also be
! noted that in many instances their special energency concerns are driven by the higher population densities near the sites, and the higher frequency of some events, e.g., aircraft crashes.
4 There is no doubt that increasing the redundancy would increase costs. Because time and resources originally led this program to the use of an existing design, cost data for a multiple train system is not available. These aspects will be i considered in subsequent plant analyses for TAP A-45. Costs are also affected by the level of hardness selected for the structure housing the add-on system. The design here is for a Seismic 1 structure with limited access. Therefore, the add-on system will be available as long as the primary system it is designed to protect is available. This is generally consistent with the approach in Europe although there are instances there, notably in Switzerland, wher's the add-on is housed in a bunker with auch greater hardness than the rest of the plant. Such
~~bunkering may offer some advantage in coping with an external sabotage threat (which is not being considered in TAP A-45),~~
-- but does not appear significantly more beneficial in coping
)l- f
\
with insiders than the system proposed here. -
The design used here does not include provisions for putting the plant into the residual heat removal mode from the add-on system. Operators would have to take control of the usual plant systems either locally or from the con. trol room. A number of the European plants do have provisions within the add-on system building for taking control of the normal plant systems and proceeding to cold shutdown. In several instances this was simply based upon the philosophy that if you are having problems, cold shutdown is the safest condition to be in. Subsequent program investigations will examine the costs and design canifications associated with adding such a capability.
11.3 gbservations from the Case Study Although the objective of TAP A-45 is to resolve decay heat removal issues in a generic way, it is difficult to reach broadly applicable conclusions based upon one plant. However, there are a number of observations which can be made.
a) This study was consistent with other probabilistic risk assessments in that failures or vulnerabilities in support systems are the dominant mechanisms, not direct failures of frontline systems, b) Emergency electric power availability again appears to be a key issue, particularly in older plants where there are fewer redundant trains. This again emphasizes the close ties between USIs, e.g., A-44 and A-45. Other plants with minimal AC and DC systems are likely to benefit from modifications similar to those proposed for Point Beach.
c) Older plants in which separation of redundant trains often does not include compartmentalization can have significant vulnerabilities. However, this initial case study suggests that there are some straightforward and effective remedies, although they are not necessarily inexpensive. In this j respect, as noted elsewhere in the report, the original premise l
of USI A-45 that there are vulnerabilities and that they can be l countered is substantiated.
d) Most of the vulnerabilities identified can be reduced by modifications which involve little or no radiation exposure to construction personnel. This reflects the fact that the important vulnerabilities are in the support systems which are predominantly outside containment. Of course, the independent add-on requires access to the primary system and thus l installation incurs some exposure.
I e) By careful planning and scheduling the sort of alternatives l proposed here can be implemented during normal refueling
~~outages, although the add-on might have to be spread across l several.~~
l . ll-b 1 . .- -_ . ._ ___-
f) This case study suggests that although feed and' bleed (or bleed and feed) on the primary system is often considered a last resort approach for removing decay heat, the ability or inability to do so has relatively little effect upon core melt 1 probability or risk. This result is consistent with other studies. Furthermore thermal-hydraulic studies conducted in i support of TAP A-45 raise serious questions as to the "last ditch" nature of feed and bleed. In order for it to be effective in preventing core recovery and melt, a decision to use it must be made quite early in the accident sequence.
A more general observation which may be premature until several plant studies are complete, is that the methodologies of PRA and systematic analysis of special emergencies'can be l combined effectively in short time scale to gain significant insights into nuclear plant DER reliability. It is believed that the techniques developed ~here to do a simplified seismic
~~analysis will have application beyond TAP A-45.~~
t 9
O
\
1
. 11 -7
. . - . .u. - - . - . - _ - _ . , _ - - - -
- 1 i
i N REFERENCES
1. " Recommended Procedures for the Simplified Seismic Risk i Analyses in TAP A-45." Draft Report, Sandia National Laboratories, M. P. Bohn, September 1984.
2. Anolication of the SSMRP Methodoloav to the Seismic Risk at the Zion Nuclear Power Plant, Lawrence Livermore National Laboratory, Livermore, CA, NUREG/CR-3428, M. P. Bohn et al, j 1983.
4 3. Handbook of Nuclear Power Plant Seismic Fracilities, I NUREG/CR-3558, L. E. Cover et al. December 1983.
i 4. " Review of Fragilities Levels," NTS Structural Mechanics Associates Contract Report NTS/SMA 12607.09. T. R. Kipp, -
, January 1985. -
~~5. "SSI Response of a Typical Shear Wall Structure," Lawrence i Livermore Laboratory Report UCID-20122, J. J. Johnson et al, April 1984.~~
~~l .~~
~~6. A SETS Users Manual for Accident Secuence Analysis, ,~~
~~NUREG/CR-3547, .D. W. Stack, January 1984.~~
7. Safety and Security of Nuclear Power Reactors to Acts of I Sabotace. SAND 75-0504, Sandia National Laboratories, March 1976.
~~8. Summary Recort of Workshon on Sabotaae Protection in Nuclear l~~
~~Power Plant Desian, NUREG-0144 (SAND 76- 0637), Sandia National Laboratories, February 1977.~~
~~9. Nuclear Power Planc Desian Concents for Sabotace_ Protection, NUREG/CR-1345 (SAND 80-0477), Sandia National Laboratories, January 1981.~~
~~10. A Review of Selected Methods for Protectina Acainst Sabotace By An Insider, NUREG/CR-2643 (SAND 82-7036) Sandia National Laboratories, August 1982.~~
11. 10CFR73.55, " Requirements for Physical Protection of Licensed Activities at Nuclear Power Reactors Against Industrial Sabotage," Part 10 Energy, Code of Federal Regulations, January 1982. ,
~~12. Rankina of Licht Water Reactor Systems for Sabotace Protection, SAND 82-7053, Sandia National Laboratories,~~
! July 1982.
t l 13. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Application. Final Report, NUREG/CR-1278, August 1983.
~-
e l - . - . . - - _ _ , - . .. _ . _ _ _ _ _ - _ _ _ . , , _ _ _ _ - _ _ _ _ _ _ _ _ _ _ . _ .
s
~~14. Reactor Safety Study Methodolo'av Acolications Procram:~~
~~Calvert Cliffs #2 PWR Power Plant, NUREG/CR-1659/3 of 4 May 1982.~~
~~15. Interim Reliability Evaluation Procram Procedures Guide,~~
~~,= NUREG/CR-2728, January 1983. .~~
~~16. Study of the Value and Impact of Alternative Decay Heat Removal Concents for Licht Water Reactors, NUREG/CR-2883 SAND 82-1796, Sandia National Laboratories, June 1983.~~
~~17. USNRC Letter, Trip Report - Foreign Travel in Support of USI A-45 and Generic Issue A-29 Programs, January 15, 1985, Proprietary Information.~~
~~18. Los Alamos PWR Decay Heat Removal Studies Summary Results and Conclusions, Draft Report, Los Alamos National Laboratory, March 6, 1984.~~
19. A Primary System Feed and Bleed Transient in a Three-Loop Pressurized Water Reactor Followinc a Comolete Loss of Feedwater with Delayed Reactor Trio. LA-UR-84-2101, Los Alamos National Laboratory, June 1984.
~~20. An Assessment of the Utility of Feed and Bleed Operatina Maos (Zion 1), LA-UR-84-0383 Rev. 1, Los Alamos National Laboratory, December'1984.~~
21. Decay Heat Removal Durinc a Total Loss of Feedwater Event for a C-E System 80 Plant, ,ANL/ LWR /NRC83-6 Argonne National Laboratory, July 1983.
22. Cost /Benef Et Analyses of Addinc a Feed and Bleed Cao'bility a to Combustnon Encineerina Pressurized Water Reactors, ~
~~NUREG/ CR-3 421' -( S AND83-1629 ) , Sandia National Laboratories, August 1983.~~
23. Study of the Value and Imoact of Alternative Decay Heat Removal Concepts for Licht Water Reactors, NUREG/CR-2883 (SAND 82-1796), Sandia National Laboratories, June 1983. ,
~~24. USNRC Letter, ' Study of Containment Response During a Feed and Bleed Transient " in Butler to B. Sheron, October 4, 1984.~~
~~25. USNRC Letter, " Equipment Qualifications for Long Term Decay f Heat Removal Operation Following Feed and Bleed in a PWR,"~~
~~1 K. Kwel to W. Butler, October 5, 1984.~~
~~26. Accident Mitication Followinc a Small Break with Coincident Failure of Charcina and Hich Pressure Iniection for the~~
' Westinchouse Zion I Pressurized Water Reactor, EGG-CAAD-5428, Idaho National Engineering Laboratory, April 1981. _
e 9
.7
. 27. Dooressurization and Decay Heat Removal Response to NRC Ouestions. CEN-239, Combustion-Engineering, Inc., June 1983.
~~28. "Cooldown Performance. Capability of Atmospheric Steam Dump system," Nuclear Safety, Vol 24, No 4. J,. D. Harris, ,~~
~~July-August 1983. .~~
~~29. Potential Benefits Obtained by Recuirina Safety-Grade Cold Shutdown Systems, NUREG/CR-xxxx, Sandia National Laboratories, To Be Published (draft dated February 1985).~~
~~30. Use of an Atmosoberic Steam Dumo Procedure to Cool and i~~
~~Depressurize Calvert Cliffs 1 Followine a Small-Break Loss-of-Coolant Accident with Failures of the Mich Pressure Iniection System, LA-UR-84-3860, Los Alamos National Laboratory, December 1984.~~
~~31. Cooldown to Residual Heat Removal Entry Conditions Usina Atmospheric Dumo Valves and Auxiliary Pressurazer Soray Followine a Loss-of-Offsite Power at Calvert Cliffs -~~
Unit 1, LA-UR-84-3947, Los Alamos National Laboratory, November 1984. -
W G
W l
'~
,/'
~
1
.~
APPENDIX A SYSTEMS DESCRIPTIONS AFD SIMPLIFIED FAULT TREES
~ ~
FOR THE POINT BEACH NUCLEAR POWER PLANT bY
~ William J. Galyean-Science Applications International Corporation and 1
Wallis R. Cramond Sandia National Laboratories l l
l 6
I l
TABLE OF CONTENTS Page
. 1.0 Introduction -
2 .,0 Auxiliary Feedwater System (AFWS) 3.0 High Pressure Injection and Recirculation System (HPIS & HPRS) e' 4.0 Low Pressure Injection and
. Recirculation System (LPIS & LPRS) 3 5.0 Containment Spray Injection and Recirculation System (CSIS & CSRS) 6.0 Pressurizer Relief Valves (PORV/SRV) 7.0 Containment Air Recirculation Cooling System (CARCS) 8.0 Emergency Safeguards Act'uation System (ESAS) 9.0 Component Cooling Water System (CCWS) 10.0 Service Water System (SWS) 11.0 Electric Power System-(EPS) e
=
e
~~1.0 INTRODUCTION~~
Each of the systems for which fault tree analyses were performed are described briefly in this appendix. A simplified schematic showing the significant flow paths and compon'ents is given when applicable with the support system dependencies identified. The corresponding abbreviated fault trees are shown to a segment level to illustrate the top logic and certain key events, such as operator failures, And unique components. The complete fault trees were used in the actual analysis and the plots are available for inspection.
Intermediate events on the fault trees are given abbreviated names while basic events and events referenced to other e~ vent trees are identified by their actual code names. The fault tree symbols used are given in Table A.l. The purpose of these abbreviated fault trees is to provide a general understanding of the logic used without reproducing the entire fault tree .
These fault trees, along with the schematics giving component designations and support system dependencies, are sufficient to understand the accident sequence cut sets.
Table A.2 gives a list of the' fault trees used in the analysis and the appendix section where an example can be found. Some systems have fault trees with more than one top event. Support systems are not shown as explicit fault trees but are only connected whenever applicable to the front line systems. Some main line systems have interrelationships such as the LPRS and HPES or CSRS.
~
In order to provide a guideline for the types of basic events and suppo.rt systems that apply to components in the segments shown in the abbreviated fault trees, some' typical examples are given in Figures A.1 through A.8 for the following components '
or groups of components: '
Pipe Segment Figure A.1
' Motor Driven rasp Figure A.2 Turbine Dr'3ta u T* 1p Figure A.3 l Check Val.t Figure A.4 Manual Val.a Figure A.5 Motor Operated Valve Figure A.6
( Pneumatic-Eydraulic Valve Figure A.7 i
Heat Exchanger Figure A.8 Each of these figures is a typical modular fault tree with some events excluded or deleted (indicated by diagonal line) because they are not applicable to the modeling technique used here.
Assumptions The following general and specific assumptions were made in the construction of the event tree and fault tree models:
. A-I
i l
l TABLE A.1 Fault Tree Symbols f OR gate
.. -s O AND gate Basic event - no further breakdown A Reference to an adjacent figure in the report that continues the fault tree A Reference to another fault tree in this Appendix that further develops this intermediate event A system. flow path segment identified on the O system schematic which contains one or more camponents and various failures ~for each component including support system dependencies O
ee A -L
.. . 1 Table A.2. System Top Event Names Section Systems Top Event Name Event Tree / Accident Secuence Symbol *
,.2.0 AFWS AFWF-10F2SG L
3.0 HPIS HPIF-10F2L D3 HPRS HPRF Hg HPRS HPRF-NHX H' y FNB FNBF E 4.0 LPIS LPIF-20F2L D2 LPRS LPRF-10F2L-NHX H' 2 5.0 CSIS CSIF-20F2L Cy CSIS CSIF-10F2L C2 CSRS CSRF-10F2L F CSRS CSRF-10E2L-NHX F' 6.0 PORV PORVF-20F2 Py 7.0 CFCU CCUF-40F4U Y 7
CFCU CCUF-20F4U Y 2
8.0 ESAS LOS-AFWACT-MP1 LOS-AFWACT-MP2 LOS-AFWACT-TP3 LOS-CPS-A LOS-CPS-B LOS-SIS.-A LOS-SIS-B 9.0 CCWS CCWP-FAIL-HPA CCWP-FAIL-HPB -
SY-CCWP-CSIMPA
_ SY-CCWP-CSIMPB FOP-OUT-CCW-F5 (LP Pump A)
FOP-OUT-CCW-F6 (LP Pump B)
FOP-OUT-CCW-F7 (RER HTX A)
FOP-OUT-CCW-F8 (RHR HTX B)
A -3
Table A.2 System Top Event Names (continued) -
Section Systems Top Event Name Event Tree / Accident Secuence Symbol 10.0 SWS FOP-OUT-SWS-DG1 .
. FOP-OUT-SWS-DG2 5
FOP-OUT-SWS-B5 (AFW MP1) _
FOP-OUT-SWS-B6 (AFW MP2)
FOP-OUT-SWS-B7 (CCW HTX)
FOP-OUT-SWS-B9 (FAN A)
FOP-OUT-SWS-BlO (FAN B)
FOP-OUT-SWS-Bil (FAN C)
FOP-OUT-SWS-B12 (FAN D) 11.0 EPS LOP-DCBUSA-Dol LOP-DCBUSB-D02 LOP-ACBQSA-1B03 LOP-ACBUSB-1BO4 LOP-ACBUSA-2B03 LOP-ACBUSB-2BO4 LOP-ACBUSA-1A05 -
LOP-ACBUSB-1A06 LOP-ACBUS'A-2A05 LOP-ACBUSB-2A06
, e' A-4 J
WNEMMWWM g __
. g 5 IeW -
2
9;
-:-g X
E Q- i; s..
!Q a ..
6-
-I a -
I 1
y 5-
.. . . ..... ~ ~
L EREQERRE .
m h _
l .
s, a
p E 8= 3 != g W
G w
]f E -]
I = m a
a w w e
> a i- .
=
M .i :
~~g5 -~~
~~s. - s~~
- g .
4 - g;. . 4 - gE- -i u
! I a sg I -I E 3 I
J i- t 8= e O
= -z
=
! e II :- 55 2 3
D
~~w. .I{s"- .~~
3 x
a w
o -
m 1;;3 3-- 3 g
e v, -=== - -
o m S : e a g -
23 .
4- -
Ig -v-5 C g n. _ = 0 w w & M 8 G
=1 -
w =. .I .$W I- &
a 1 =
t, .
=
o
- y 2 5
( ~ M 4
e
.E' j e 9 . =
gE- j =
3 g gg II r .- = W s
a.
g c i >=
g 4 S Y e
l j -
g = S gg #
w A
w .
c x gg I
=*
I s_ !
2.5 -
g y -
l
. . . ..... \
4 C' _
E
-- % 5%%g - -
=
I v
8 -
. .M
. =
3 1 5-M s na - M.
a 3
r; ES
~~g g~~
\
A -5
l
. ,i j
FAULT TREE N000t.E FOR A MOTOR-DRIVEN Pl#F 1
CSFIREE =
~~fMK =~~
eaves85n.esw.
(MI f M IS nee g, l p5iHRu ,as.s annua =
3 ,
. O .
i 4 I I - 1 Y ,
.I l
~~i.... .~~
, , I 3> seres.eanus per , ,= = i. = == i.
j <-= , , u ,, ,ses ..sc.use =>,;;- ,
peevier cams = ,.,..,..
p i.
mu c we sicci.e n t s su os
==a === une nit. a le, unnuu.n.
i i < -. . ,,..o -i e i i,4.;... ..i i ...u.:< -
o o
... i O
i c . . ,,...,, i , ,_..f.
o o o Local Fault
. NOARequired or Combined in Pump ,
Cooling i .
i .,
t t I Figure A.2 Motor Driven Pump Modular Fault Tree i t .. g
+
,r
~~8 a' ' , ' ,i! . . ; ' , .il;~~
. !l . .f ;l .. i '
i e
s e *
, s w wm s "aan O
s I 'e
. "ru e an a
'ai "t m
- .. 8im s n d
. g 5n e e "aus
'ma c I r
= = . = i N E g n u ;.
E I g a q nP i
r m
m - R e
e p
a a
C s .
r.
e n t r u s o T W
U "s si e.
a t
.O. N /
. * 'e P 1
" l
~~a e.~~
u N
E 0
"s
'in nt s
~~e. a V *ne v s o I~~
~~t F I *a~~
~~cm, sw e l R i u~~
t a u r D
" s t
e a a E
N I
B v
s '
s iu sa
' d m
e.
r r
a.
OF l a
l d
u o
c i
R is M es " v s
U un s a maa*
'm' o T ea a 5
' m I
L p A
sa nr s
'e "s s e
m u
R O
F es ma wm ss e
e.
m s
e a
"i e 5ne os 8" c e Sess,
/m w
a O P n
m
'eg i
sw eo (
'io "m o s
e s e E sc "n e v
us, me i i t
_ L a i
_ 0 t e r 0 si im e su n D fO 0 .u 4 H
. asws s e
~~e E i snso iigt s~~
n E e a v s
v R sa n neoen stwi i
T i e i b r
s ae i t T. m e u A
l A
F I
s ni s
ea sm iew i
m e
w a
Ol F u
a T
3 sin es e aee s l .
rts a a A
. c
~~o e L r u~~
J
(
i l
u e P e s wa m 'm I ni ase me esm a s
n i
w O .
ais mw e muo isc 7
[
b' 4
,1 1;l ,! ,! ii,l!
. . I i ' ,1 c
g E
N E I
P e M
0 e
[ r
. 7
/ e- t l s E ] bi l V t n aH u L
A St Ia m le t c d a V t t
s a
i ee F lbn iO i
4 K I E
M n
i m p o r C .
l f
m pti a E es Aot l l I4 p1 u
. l I (4 1 ni C 9At 9t (
tns d A
8Ai (Gl l oao o I
I NCp M R (
O 8i 5s
=M e e F 4E 9
j v N l E EI
( (
W l a
L 0 fW l
I
(( 8 V
0 I 1 0 t s k H e e c
lO g
~~tt E~~
l agg ' n e E
hag w h tgM C R tai w T at tsW aI t((
l t
T. l 4
X -
t A A F
e r
u g
i F
i
i%
]II ' e .
e1 lll t1!l e e I .e
1 e... .
l FAIX.T TREE H000LE FOR A MANUAL VALVE 1
I l
UllfiiEE =
mm us =w 22
~~gaelms II e~~
l teetm'a all l 1
I ' l y .
8 I I -
A asamenen ama suas e imaisisamis na se .av cae semi eme en se nam e um a erg ganos gaelms Illt to 8thlalthamC4
[ -(melig[Ja}fiq G a le s!!-utet l l gaysm'n.333_m 3 O O O a.
e i
t Figure A.5 Manual Valve Modular Fault Tree I
es g eesg,g,e e awd6ue seyg-$e+e 9 9 e wem-seeme-@& 4d W 4 q E M4 me a , og e
N is
% e o
I G
e
. i .
w .. -
niI - -
E
-A
- y e u
W
== I=I
- E e
a _ i!i -
h m ^
=
" 3
. w @
Sw g E g a 0 c x
~~I-!~~
n g
E '
h gEI 4 " -i' i R,
u >
g a nas
- m .e
=
! c m a .
a
s-a =
- tQ
$~
,8~ -
" t
- O h-
!!! " =
u a
!I, 35:=
i
~~Q "~~
o W
< I==- -
I -
.S m
" g N u 5 = 2 me
ZN
- -i .
!Eg a
/
vs- 8 m-8 s-e 0
A-lo
' ~ ,- , ,
/ /,
/ sf s .,
/
4*4 /
/
.v$$#
i .
J t g/
i
,g
,91 -
b, .
/
h
~,,
.-._----,,.------n .-.,---------.-.,-.4---.n---,,--.,, ,. - -- , . , - - - - - . -
i t
l FAlM.T TREE H000LE FOR A HEAT EXCHANGER
-l .
iI . r .rg l
carms-
, . .I g
.- ....s.cs i
UssiiiinIn ... ,
l 1
i l 11 J
~~l I~~
! n . . . .
.;i >, ....
o -
e - . .n , ... . : . .. . ,
l 1
- ~
I I /
=.=. =.:.
.... ...,u_n, n. = - :.r..
a ,
i *- a a m p n -
4 ,._,.......e , . .. . ...... . , . . _ . . . , , , _ , . . . . ,
e.
O -
O O O .
I
]! -
No T or M of IIeat Exchanger. 'rnere-l i
fore cannot be l Mispositioned .
,e- ~g y. , - , , , - - , , - - - - +, - ,
12) Containment failure does not imply core melt due to containment sump flashing as has been assumed in many past PRAs. This permits the containment systems to be shown in a separate event tree. ,,
~~13) TheAFWSissufficienttoremovealldecayheathithout the RHR heat exchangers during the shutdown heat removal phase, il. e . , to hot shutdown.~~
i 2.0 AUXILIARY FEEDWATER SYSTEM (AFWS)
The auxiliary feedwater system supplies high-pressure feedwater to the steam generators in order to maintain a water inventory for removal of heat energy from the reactor coolant system by secondary side steam release in the event of inoperability of the main feedwater system. The head generated by the pumps is sufficient to deliver feedwater into the steam generators at safety valve pressure set point.
The system (see Figure A-9) utilizes two actor-driven pumps and a steam turbine-driven pump (TDP). The steam for the turbine is supplied from either or bo$h steam generators. The TDP supplies 400 gpa of feedwater or 200 gpa to each steam generator. The turbine is started by opening either one or both of the isolation valves between the turbine supply steam header and the steam generators.
The motor-driven pumps are conson to both units and are capable ~
of obtaining their electrical power from the plant emergency diesel generators. This portion of the system has a total capacity of 400 gpa and feedwat'er can be supplied to either or both units.
The water supply source for this system is redundant. The main source is by gravity feed from the 45,000 gallon condensate storage tanks while the backup supply is taken from the plant service water system whose pumps are powered from the diesel generators if station power is lost.
The auxiliary feedwater pumps are automatically started on receipt of any of the following signals:
Stean-driven feedwater pump:
~~1) Low-low water level in both steam generators in one unit starts the corresponding pump.~~
~~2) Loss of both 4 kv buses supplying the main feedwater pump actors in one unit starts the corresponding auxiliary feedwater pump.~~
P Motor-driven feedwater pumps: !
. A-4
_ _ . ._ - - . _ .___ ~_ . __ _. ___ _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _
AC J W ( 4C.T)
~~sis se,s new, av l Hei e e it M.D. es v4Mav#40 f~~
~~w*,~~
A ^ *
-w
.- 4
^
4.n'. pests $ b .5+
4 e u ,, nsQ'ual a %'a,e u i
-a ee.v a.f m
as u
As
-n-N wwvn O
avnra u,u.
v gp wa e v
4 ur asuas a .
p .3 p.e.,u Sr,-
l h : j,8
~~~
~~L.s %a,,,*d *M!L u.en '*-~~
a Q
.' SQ i
l Xt...
arvxv77 ar#xv7f L .. .
@ ll i
l t... - ,,-s I
1 m
. r ., ,<> , .. ^w L" ;
I Xi..#. Xa le n @ " '
~~wn uenvn u a vus ;~~
l-
/s l
e3y est
% aa, N >v b i l g g awn smn aanas
.. , ,ava
@ ll l lSKMainvM(w.-nma _ ,_.
! 4rwaffo U
@ A x
Armixva7 h :
I AFW91d b5 l.#. 4Fhl)YIl G881) l g g7 e gv Point Beach AFWS (F ront FSAR Figure 10.2-5) M MVJg AFm/dV2' l Figure A.9
. o.m .) ;
!' l i
-_-- =. .- - _ - - - - - - - - - . . - _ - _ - . . . _ - - - -
l . __. ._... _ .
1 1 1) Low-low water level in any steam generator starts its
~
l corresponding motor-driven pump.
l 2) Trip or shutdown of both main feedwater pumps in one unit.
~~3) Safety injection signal. .~~
Auxiliary feedwater pump flow and direct flow indication for each steam generator is provided in the control room. Flow indication is also available locally at the discharge of each j pump.
i The system success criterion for the AFWS has been assessed to be one of three pumps (either motor-driven or turbine-driven) j feeding to one of two steam generators.
! The turbine-driven pump train- is completely independent of the AC electric power system. All operation is handled by the j- plant vital DC. Pump cooling of the TDP is via a diesel driven cooling loop independent of both service water and AC systems.
i The assumption has been made %n this analysis that the demands (if any) placed on the AFW system by Unit 2 are handled by the dedicated TDP. train. A simplified fault tree for the AFWS is shown on Figure A-10.
t b 3.0 HIGH PRESSURE INJECTION AND RECIRCULATION SYSTEM'(HPIS &
~~HPRS) l The High Pressure Safety Inject, ion (HPSI) system is provided j for Emergency Core Cooling (ECC) during a LOCA when the primary 4~~
BCS pressure remains high. The system can operate in either the injection (HPIS) or recirculation.(HPRS) modes and would also be used for Bleed and Feed (B&F) operations. The. system
, is designed to provide two independent flow paths that automatically inject water from the refueling water storage I tank (RWST) into the reactor vessel via the two RCS cold legs.
The HPSI system is a unit dedicated two train system designed l so that either of two pumps is capable of injecting enough j water into either of two cold legs to prevent core uncovery.
~~! Figure A-11 is a simplified schematic of the system as modeled~~
~~in this analysis. The two HP pumps are designed for a flow j rate of 700 gym at an RCS pressure of 1750 psig and temperature~~
of 330*F. The primary water source for all safety injection (low pressure. high pressure) and containment spray is the RWST j which has a minimum tech spec requirement of 275,000 gallons, i
The HPSI system is initiated automatically by the safety injection signal (SIS) which is generated by any of the following: -
l 1)' Low pressurizer pressure 1
l o
j . A -ka
1
' ~ ' '
_- Af m 6-twpt.S's -
i -- AFW fada.
I43 f3 .
I I AFW.S fA A r w.s fai l s
-G lea
~~. .fr A Al& A .S/cs. A i .~~
fandt f.A en F& Pk 2, ey .:n v@
d AL ~
4 As
() M de A 1.
m a l I
~~FM f.M,1, p.kJt u nM- %W a At f3 l~~
l . l Fm.xt'f>J.or, Fm t:r Pm Xe 0 W Mr W&
d rA 4 rs O n -
m m I I I I
\ H. Fa t ax t'.a t M YA fa faar.
A% fr#A @FK L 4-G3 ts + F3 GA f f\
v v l l l l
W. Fed;t- Fw th. W .F JX
.z. 4 *Y A%
W3 e4 5. f3
', d Figure A.10 AFWS Fault Tree A-17
. ....: _-- ____=. .:.-_..... -
~~.. _ . .._ : .._ . .. ~ - _ _ _:,,_.._~~
ts_ ...___..__.._ .. ; .,;:. :, .
g .
. i r' F.att t h f d&
5 7 -e /\ w' N
, r3 fl\ -.
i
> I i t ! M. femLK %. YW .
~~I. L M. *M' i f1 TA H. FaM~~
~~- A M.~~
~~fs lq v~~
~~I I p'c .t.. m_.3 ph.~~
~~h. YF3 h.?$~~
A F3 r
v I l l WM 4
M .W bf f& %. 1 f
W&m F A v. -
[\ .
4 fMLXfAirt py ax l
f\
t P I I f*~3X Pk
$s h-;
MFW k A.
_04 J' Q T
I .. d *
)
Figure A.10 AFWS Tault Tree (continued)
A -if
_ ._.: r . - : . .. u . . . .
1 l FAfnut ~
j
- saW' _-2 o '% :
1 .. -
T- I l
, Fwfa Fa tm
%WW
~
$w WW 4TA 4 11
[\ [\
v v I
i i l
%. HM
~ 4,YM
%. W M fa*L'C AA, u% *%-
GS IR G1 Il D
Figure A.lO AFWS Fault Tree (continued) f A-19
~- -
~~- :... _.= :. u _. : .- :. . : ..~~
. o M^ 8M ,..
6 g,, ,
- ryl4 sis- A c,tw s w%
thet- FASL-Mfn pyng5 O At- A At-A(414e)1 pitMCI 1 n Ses NEf#1 HtrACS NffCN# y (sisA strcva (
e 71-~u @ "'$rLA N-ksh *'D u' %_,g=> 4 an;pp om) (ma (d3 a m)
Ac- @ (8186 NfICVS b ner S 1 L I
~~M ,~~
NIIhf6 7 Ql:*: _p d . '
sticvf
~~UCVf' (estd @ko) prrevi si&6 g~~
y h (6226) @
O o
prAxV1E 4 h HrRcgV.1. t. tut A.
"*--N
~~31 #ffCOI L~~
i o esw . - v es A 'jc?gj'ir.f8 l M M- *"- JWAHWHi
"#0 N# N
~~etwr %~~
~
^ [ gqqg :
N W 'S i
M . '(assiA fHan6) 4_ ut. v.ccmi-Fr f318 CC*S %
sietsvn ]x __h
--.__.-r l x-A ret-ear-ccus-F f 3;pgxv37 hC ya risvL a
s.
gg y W 7"*
C^"i de (p) l JJe: As;;) me ;
a trrnr ;
I l sis-A otIt.v1 (PIxVl8 pp. @ ,
l HfAM/J7 e _
j Og gg ge'*a oa O O ccws A Fof-OnT-Ccgf-F6
,1.. . 11 e.i- e. - ,,e, m ees m .. .e ,1... 2-1, l
5es -85 l
r i l
l
1 i
~~2) High containment pressure~~
~~3) Low steam line pressure in either loop~~
~~4) Manual actuation.~~
When first initiated, the HPSI pump suction is aligned to a 2',000 gallon boric acid storage tank (BAST). This is to provide an alternate means of inserting negative reactivity into the core for reactor shutdown when there is a failure of i the normal reactor shutdown system. Although this injection of
! boric acid occurs automatically and prior to the injection of water from the RWST, itsis not modeled. The reasons this aspect of the HPSI syste's is not considered in this analysis are as outlined below.
i The primary purpose of boric -acid injection is for reactor shutdown, howev er this is not an issue in TAP A-45.
Additionally, the small size of the BAST results in an insignificant effect on the success of HPSI for core cooling.
Lastly, the success or failure of boric acid injection does not influence the initiation of injection of water from the RWST "
since the alignment of the SI pump suction to the RWST is automatic on either a low-low level in the BAST or the failure of BAST outlet valve to open.
Although the initiation of HPSI is automatic, the realignment to recirculation cooling from the containment sump must be i performed manually by the control room operators. On receipt i of a low-low level alarm from the RWST the operators are required to open the four sump valves (MOVs) and the two interface manual valves to direct the LP pump discharge to the HP pump suction. (NOTE:. the LP pumps were started at the same time as the HP pumps by the SIS.) The recirculation mode of operation typically utilizes the RHR heat exchangers for cooling the sump water before injecting it back into the core.
However, there are scenarios considered in this analysis where secondary side cooling of the RHR heat exchangers by the CCW system is not required (see Event Trees. Appendix B).
The final alternate mode of operation for the HPSI system is called Bleed and Feed. In this scenario, all secondary side cooling to the steam generators is lost following a transient.
l Core cooling is accomplished by bleeding primary coolant out of the pressurizer through the PORVs which reduces the RCS pressure below the HPSI pump shutoff head. This then allows coolant to be fed into the RCS by the NPSI system. This process is repeated as the RCS pressure rises and falls.
As discussed above, the HPSI' system is modeled to operate in four different modes. These modes correspond to headings on the event trees used in determining the accident sequences that were analyzed in this study. These headings are: D,i H,i
. A -ti
l
)
i 1 H',1 and E which represent HPIS, HPRS with secondary side -
cooling of the RHR heat exchanger (HX),'HPR without EX cooling and Bleed and Feed, respectively. .In all cases, the success criteria requires the operation of one of the two HPSI pumps injecting into one RCS cold leg. HPR requires that one of two RER Pumps be operating in series with the HP pump,for both the cases (with and without RER heat exchanger c6oling modes). In '
the Bleed and Feed mode the additional requirement is that two
~~of two PORVs be available for bleeding the RCS.~~
There were two assumptions incorporated in these models which require explanation. The first concerns Bleed and Feed operation. It is assumed that although procedures are not at this time in place, the operators are familiar with this mode
, of cooling and they will be able to perform the manual operations necessary with a reasonable probability of success (see Basic Event Frequencies, Appendix B. Section 3.2). The second assumption concerns the recirculation phase of ECC, which are the HPRS and LPRS modes of operation. The assumption was made that containment failure does not result in the loss of enough water in the containment sump to fail the RHR and/or SI pumps due to cavitation. The rationale for this is that although some water in the sump may boil away on containment failure, enough would remain such that recirculation cooling is unaffected.
l The simplified fault trees for B&F, HPI, and HPR are shown on Figures A.12, A.13, and A.14 respectively. The B&F fault tree
includes the success of the PORVs in the fault tree logic and incorporates the assumption that the PORV block valves are j normally closed and must therefore be opened for success of B&F.
4.0 LOW PRESSURE INJECTION AND RECIRCULATION SYSTEM (LPIS &
LPRS) i The Low Pressure Safety Injection (LPSI) system provides i Emergency Core Cooling (ECC) for those break sizes wherein the
! primary RCS depressurizes below the LP pump shutoff head (i.e.,
i 425 psig). The LP' system is also utilized during recirculation when water is taken from the containment sump passed through
! the residual heat removal (RHR) heat exchangers and fed to the l
HPSI pump suction (when RCS pressure remains high) for injection into the RCS or injected via the LP injection i
flowpath (when RCS pressure drops below the LP pump shutoff head). The LP system is also utilized during normal shutdown operations for removal of decay heat in the RHR mode.
4
! The LP system which is shown on Figure A.15, consists of two 1 independent trains each with one pump and one heat exchanger.
l The system is actuated automatically in the injection mode by the SIS system and will continue to operate until manually turned off or manually aligned for recirculation of coolant i from the containment sump. This system, like the HPSI system
/4 .. . . . . . . - .
)ff'
' ,' ! I i lI ! l ,
i
' [
N
-, . L I
-- r 4 i I
vPas, u
l
. e #c,4 h F' S i
t " '
s
_ 3l g
e 1 -
p
_ e MF r
e((~ \
._ r 1 I v ! .
aQ~
P "'
f T -
e u
ll f
aI S
0, e e
r T
f o t l
4s u L- d a f A 4u 4 or F
oo - Fe F
e aHL o S. 4 a
7-
\J vmge.
t G
t o
d e
e 9 B o t w / F J
t v9F A M w o $
ea d F ukc - c n Of s 4 a
- u ,t i e.
L d I
a ep l e
_ h e e Z p l t.
F o 5 B O
o F.
4 Z u 2 1
w F s A v
g u e s e s t r P vi u u g n ,,
l o
t r a L- w. M i p o 4- F P p 4
1 S
t
- \uAe
/wA Pw vT s M M =ev"
't P Tr F
6 I w
~~< F o~~
O. - t T
C F -
As P
]
p F
P O
O Q a
b
(
6 y
0 b
a
>.c#
f ' l ~ * ,* ':I'.
~~?l!tL. ;~~
l I l
.i I
~~i illl~~
~~ll .~~
,lL
(m.4 se r, u w s om ear x- fi T
I I .
~
(A fm wtw ve c
~~m see t.1~~
( h I
I I
F& PM w yy og f(,
() (h m m I I , I l
Fa fa cone w, M f" '
co up u en sec.st -recf su uc. m rrj o n v
o n v
I I I unepw uur M
.F A p%.
h ouses es FW PM n ~ ser G 2-DL sW O
Q O *A -
W. FW
, h%*
91
.i l b Lt f e
% ctM u PA 4 OM h
d6M e4 61
'. (T [h I '
i' T P l I
. cou p w,, cour W
. er ses f31 l e Im G L f..% 3 Rwtr rNM 3 O
O 9 Figure A.12 Bleed and Feed Fault Tree (continued)
- A - 2.+
M .. :.... . - -
- --- -- --~ - - -
H P.IF -loFL L _ .
~
HPff l of %
. n %
l .
i i
-? Fa.4-t ik Fa.o f.Nar -
Sr v.= ppt :r- W F q X
'J. . at L t. 4 L A.
i
'O
~
l hs L1 i
s**'"'S i
Fast fu W. f Je
% h =% %M i 4 Li L1
-( y.
I I I ,
Fa s t i n fa fu 4 3b
(
p I l l
%.FJ T.J:CfA W. F.J% f>w k <%* &W e A6 JtX n.ag fa $4 kt 4 GL K3 4 EL
( h b O'
! m m i I I I fa.JX Pb Fudx f5 %. Fult a%m. GL fadx a 4 em DL
>-$ 3Aem -
GL
-m.
b b T .
T I I I I H. Ye.Jx Fw TS H. Fa JX a-%,
p1 .
fr& ci W "s% a
( S
~
Figure A.13 HPI Fault Tree l
?
447 l
........._.....__..n.,,.........;;n....- - _ -.. _ _ _
(* ~ , pg fu
\.. ' .r, y -
46 r3 A L
..- l l 1 F.Jr th Fu.2x f.4,t fr d*Q &04
<bt + ba O O m e 1 I I I
( coq FW gw ST'
% FA 3D F1 6 Figure A.13 HPI Fault Tree (continued) -
')
l )
A-tc l .
t
<(.. . . . . . . - . . . - . . - . . -. .- .. .. . . - - . . -
RPRF .
HPRF l of %
L O I
i 1
~
fu (4 Fu f4 -
s as9-T
- ~. py4 4 LA
~~, d LL~~
~~
'(T h% L1 I
T I 14 la H. fa.Jg
~~t, h - X AhLL A L$~~
i I
l '
r>Jr in fa fu Y 3NiW O O
'^
m Ti l -1 I 1.uan W Fa.J% fJA Cm.F e -W' A Q h hg 1s.JJ Xe #M kL ::Gr 4 @G L K3 a EL f\
, v l l l -)
%, fwdx fatW FA94 Cn g. FA G et C, ',
+ C, _
f9 O O i .
P .
P '
I I 1 1
%M % %. .
M f Jx 12 a h ,, :Gr W M PM
~~, v4T Cr~4 F~.AX aM .~~
c,1. 4x 4R c, a.
b .
Figure A.14 HPR Fault Tree A4 7
~ * . . . . . - . . .
.. . . .. . a. -
ga 7 .
A c'..t;A . m i' '
e4 x T -
I l 3 ' .
W.Fadt FJ
-M- W,;Luy L_
1 - X 61 Figure A.14 HPR Fault Tree (continuod)
- 4 l
)
( ) .
s e
e e
.. s O
I A 48 l . . _ .
tat t -A g l' '
AC-6 Ac-A .. g c., l
~~d d.~~
,;. .. . - (,,,n ,
Ell M4. Lil i U< ' ! ',
,A-Eil g ec. .
M-
!i ,Jp 1- !
W: i ---p4 I
'l : ,
lli wmos . **#W % i j ! ie. sw viva -
,i i l
z,.alllg i ii. m....
..; a- i i _ . o
'u c,y;.'
(D & I lll I ,
. . . _ _ : l' eesst er em v
W 4 I i i- 'l
^ l\ l "gh3 '
0, . . _ .
wr sa- s p *,- ' -
yd ,=i.m
~~f;"f~~
<f,r,i P , LT4,
. a- wn v "
(g]) ,8' $4Q,)
g
~
l i gg .
, i rt q me j
,por - :;r.;; .
f& o ve m_.
N
~ '
i
{---- __ 4_._%
I
[ ' '4) ' ,i (3 l)1 m',
I
. 6s4 44 Ul 58 '40 ,8 ,*
~~b4 b~~
[1,3 k tjdMf7,Ml w ,;..
8 f a [7#6
'9t4 ' '
l @i
__ _ l 1 -
,,'m i
. ,i
.-g lr ,1,,}', i, i,,,,,,,!I,.I. p ,
1 4
,. -, 'I w s "
+-gc ;'. '
~~t,4,. . s <. 4.4 A% - .' , gh- 7vt uti ,~~
8 . r,si) e4- e-.- ba *"% ,
g I su' Md . j,
$548 ,82.' !
l
!gd I
h'i) (kJr
.x 1 ,
(f >5) m
, ( *-
i ,,,
,l
'2 k, g ,' ,,,
~~e i.~~
. '):
l L
il
~~r -~~
m. a . i l j., asa. ra., .,: .p. I .
u
,j
.ri
', g . .
s.- #st l , , , . harr.'
i .
~~8t. 4c .~~
3 e.. .
,g ;; l
.sl-! .lI
: . . : l- a WW 4 p' l .s .! ri
!g:.lI e1 e i 1
'l - r,- f,l' .,
.,l . l . a' j- -
-l M L id pge 8 =
. Ia l . .Iais p i) .
I '
Sh. 1)
Figure A.15 Point Beacti LPIS/LPRS (from Figure,110E018 l
l
,e . 1., t i \
g
is unit dedicated and not shared by the other Point Beach unit. Technical specifications require that both trains be operable when the reactor is at power. However, the following exceptions are allowable, one pump or valve may be inoperable for a period of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and one RHR heat exchanger may be out of service for a period of no more than 48 h.ours..
~
U'on p receipt by the LP system of an SIS, system operation begins when the LP pumps P10A and P10B start, and motor operated valves 852A and 852B open. If the RCS pressure remains above the LP pump shutoff head, a minimum flow bypass line is provided on the discharge of the RHR heat exchangers to recirculate fluid back to the suction of the LP pumps. This mode of operation continues until the RCS pressure drops below the LP pump shutoff, head and the system starts injecting, or the operators either manually terminate LP operations or manually align the system for recirculation of water from the containment sump.
The fault tree models developed for the LP system result from the various references made to the LP system in other fault trees and to the two LP headings appearing in the ETs. There i are three fault trees for the LP system, each with a different success criteria; these are: Low Pressure Injection with 2 of 2 LP pumps (LPIF-20F2L), Low Pressure Recirculation (LPR) with one of two pumps in series with one of two RHR heat exchangers (LPRF-10F2L), and LPR with one of two pumps and no secondary side (CCW) cooling of the RHR heat exchangers (LPRF-10F2L-NHX). Shown on Figures A.16 and A.17 are simplified fault trees for the,LPI and LPR systems respectively. As explained in the HP system section the assumption is made that containment failure does not result in
~~LP recirculation failure.~~
5.0 CONTAINMENT SPRAY INJECTION AND RECIRCULATION ~ SYSTEM (CSIS & CSRS)
The primary purpose of the containment spray system is to spray cool water int'o the containment atmosphere in the event of a I loss-of-coolant accident and thereby ensure that containment pressure does not exceed its design value or 60 psig at 286*F (100% relative humidity). This protection is afforded for all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant pipe. Although the water in the core after a loss-of-coolant accident is quickly subcooled by the safety injection system, the containment spray system design is based on the conservative assumption that the core residual heat is released to the containment as steam.
l The containment spray system consists of two parallel trains, each with its own pump, piping, valves, and spray no::les (see Figure A.18. The CS pumps are designed to deliver 1200 gpm
,A -3 o .
. . . . . ~. -. --. . - . _ . _ . _ . . _ _ _ _
g p_ y pg,t. ..
LPr F 2 0F9 ~
~ p
- T
! .. l l '
~~FA fM FunIM x, WW~~
... x, c'K:n
,~
oh' G1- of Cr 3.
O M xe G1 P .. . _ _ _ .
M fd YW fa AM A G 1. +r .
h O '
n i I FJ re q, FW Kr FM .i % ,
I ch GL VL A O l l H. FadX F4 fu a %. AvM El S P 1.
~
h b m
I I FW fM H.
Ja VQ 6% FA e+ C1 'p 1 A O v .
- 1 I M fwdX F# PO u-%,
c.1.
sem at at Figure A.16 LPI Fault Tree
, k -31
. a n .r. v.ou ~ r.=. ra . - . = . - --- ~ -- - - . --- - . _ . - - - = - - ....:---....--
FsM W
.' .se e__ n..-r 4 0$ J
o
. R .
a r- T
, i l l M. Fe.J.K R tu .s f k '
6 FA1LS Figure A.16 ~ LPI Fault Tree (continued)
O
~-
e e
/
e
. A-3L l
L. p a.F - l o FL L.-
LPR F i of 9
. . .. . - r3 1
.- 1 I f4 W FuJ:C (M .
'i
.< c 1 ; -r
, n e 4' e G1 of G 2.
.bl+ds & GA T
I I H fast tw ra MM 3ec' Cr L. eV yF.
O n n
I l Fu tu %.FuJX
~~w eA E1 u %,~~
F1 m
I I
%. fa,JX F o d.k f M
~~3. .,% . Av&~~
E1 S PL -
O A n
I I FA fM H. Fa.Jx 7e 6 4 e4 C,1 6%
'P 1
. O h v
1 I l c -t F=ar W. Fa l L-%. . 69%. .
l ci l( O O Figure A.17 LPR Fault Tree ..
A,33 --
. CPS-A 7 CC NIA ch'hfI esIMvl , ,4c.4 GJi) c5TcV6 c,gryV7 !
Rul5T cs-IcVa CO-A c SIMf A miirl ,
g t.o.
~
N N Mg (3o4) (usa) o **4 - -- *
(870A) (859N d)@
(riqq "acCS1r1V4 A ,P M C PS'8 4c.g i estn/9 N c,$Tcv'l CM' pc-s c5Ttif6 h (f,wcT OWN c$ttV13 estxVJf L N' a- *. M N l 'cn.e g.s, OD (978 h (858 h g g kl16) Q r ,( d (9 O N (g W h ,!
v c b r n stjI y tstrtV3 y ' m d gg(esandse8l N cg i i Ar- A (87:A) A ecosc .!
" W NPA 3y.cggy.g$7 pggg ,[,
h .
T*,r f - ,,, .
I
' M Y- JifAWHI
"# **
~~8 Fof- euT- cco- F'8 IHallo) 1 M cews ac,%g, '(NAith __._ _~~
g hflPRAV37-l
__ _ _ _ . . 7 A(- A g At- A Fof-edT-cc+ F 6 letxVM l IIAM N l Y
lifR d4 (7ssh hjyf)
Ol
- s ,
(rioAl tPfcVL q, trov7 h04M-t.c.
> 7** "*"'*^- " '"' "**"" "' 8"* "
(,ja;; ($5b hm- Walcm4 (fr a FSAR Figure 6.2-1)
AC-B ; A otrt,vi sfrxV10 Or,.e%'n QI4 HttMV31 l'
! P1 ti e 1 .
j ( *li (85' trrntx > <7,o.)
' - - ~ ~ - -
$c-B c ,,,,9 ror-ons ccW-4 ,
At-6
~
i j
each to the containment spray nozzles. The containment spray -
system also utilizes the two residual heat removal pumps, two.
residual heat exchangers, and associated valves and piping of the low pressure safety injection system for the long-term recirculation phase of containment cooling and radioactivity removal. -
Thd spray injection is automatically actuated by the containment spray signal which is generated by high-high containment pressure sensors. This signal will start the two i
pumps and open the discharge valves to the spray header. The valves associated with the spray additive tank will be opened automatically two minutes after the containment spray signal is - - - -
actuated. Sodium hydroxide will flow to the suction of the -
spray pumps and mix with the refueling water prior to being dischacged through the spray nozzle into the containment.
After the containment spray signal is generated, the operator has the capability to stop the timer if he determines that the sodium hydroxide addition is unwarranted.
The containment spray system also operates in the recirculation mode after injection from the RWST has been terminated. In this mode, recirculation of witer from the containment sump is provided by the diversion of a portion of the recirculation flow from the discharge of the residual heat removal heat exchangers to the suction of the spray pumps.
The containment spray system appears in the event trees under four different headings depending on the operability of other systems and the mode of operation required. These fault trees were constructed for the CS system corresponding to the l headings shown on the event trees and the following success criteria: 1) 2 of 2 containment spray pumps operating in the injection mode, 2) 1 of 2 CS pumps during injection (this also requires 2 of 4 containment cooling fans to be operating), 3) 1 of 2 CS pumps during recirculation operating in series with an l RER heat exchanger and pump, 4) 1 of 2 CS pumps during I recirculation mode but without secondary side cooling of the l RHR heat exchanger.
l Simplified fault trees are shown on Figures A.19, A.20, and A.21 for the 2 of 2 CSI pumps, 1 of 2 CSI pumps, and 1 of 2 CSR pumps operating respectively. As discussed previously for the HPR and LPR systems, loss of containment does not fail the containment sump which would then lead to CSR failure.
i 6.0 PRESSURIZER RELIEF VALVES (PORV/SRV) l l The pressurizer relief valves (both Power Operated and Safety l
Relief Valves) are designed to maintain peak RCS pressure below 2735 psig or 110% of system design pressure. The Point Beach
~~pressurizer has two PORVs and two SRVs with pressure setpoints l of 2335 psig and 2485 psig respectively. The PORV design 1~~
A -31
CS.rF -Zee z. L
. C,5 r F
~
.. A. Of 1 --
r..' ()
m
~~. I I~~
~~?. Fu Pk faaFM~~
' 54 dW $FM
. fL 4ft 0
M .h $$-
I I W.Te -
f JLt te
.-k W g M k& -
51 4~E1 f3
+
Q /A Faalt fesA
&4 c'M p1
.Cr dM
.. a p5
'}
..:.. f\ f\ .
T T I l I __.
I
,Fm)%
H. FsJT % tt f.Aw%
k%* % drG t s 5 ca.g %
DL A OL D3 O n O P
l 1 F4 PM . fatt "y% *
"NEY c.1 T
1 I I H. fs.J2 RujS-f jD' falls.
O Q Q :
Figure A.19 CSI 2 of 2 Fault Tree A -34
g g y ,,, , , pg ._.
~ CSr F i
10f 2
~
~.
r3 i I l
, l FJ fk fu.tx fu
%4 d4 :C o' M i- #1 4El O
~
h.D Efi m
I I
%. h FauJLt /m 5W & W:^^ .
GL 4 E1 '
r3 e
i I Ym.bc fk f& PM
& a'4 2, d4 e4 PL A P3 v 1 v
I I- I q%
a
. FW
. E .tr f u
%(#pT N. Adr la- M-D3 DL & LL v
I I f utk W y.%JX 2,eg ap.
O h v
I I H. Fw Ry)S','
%D' f alt.a.
O O Figure A.20 CSI 1 of 2 Fault Tree A-37
.__..._...__s.o...-...- - - - . . . . . . . - . . - , , . - - . . . . _ _ - . . . _ _ .. _ _ . _ ,_ - _ _ _
CS (f.F- I o sr. L.
.i OF 2
' f3 l l .
I- Faul:t f4 fa,Jr fu
' ~
5obcW fL.
3 o M' 4ft O h.D si m
I I W. h h _Lsag' fa.Jr th
~~te W.;-M -~~
EL 4 E1 i
~
l I 5 It th Faadt fw/.
Sw W W :Cr WW e4 PL ob P $
O
()
P . P f I l W.Fatr Aufw. m F=de e
A%- -G # V M M-J_1 e4 f 1 93 .
O h m
I I F it Ph q.&ar pwx .; m .
4 5d 61 v N-l 1 l
. yg Fudt fa w%
a F1 .
54XvW J
o
~
G Figure A.21 CSR 1 of 2 Fault Tree , L p f g ,
/\-ye>n*>
A-38
4 t
includes a MOV type block valve between the PORV and the Pressurizer and although the SRVs are purely mechanical in l operation, the PORVs can be opened at pressures lower than
' their 2335 psig setpoint. Operating the PORVs requires both i electric power and instrument air.
l The PORVs appear both alone and in conjunction with the HPSI
! sysiten (together they comprise the Bleed and Feed system) with the success criteria for the PORVs assumed to be a two out of two requirement in both cases. The availability of the PORVs becomes important only when all secondary side cooling for the steam generators has been lost. The PORVs are then relied upon to keep the RCS pressure low enough (in either a transient or
small LOCA) such that the HPSI system is capable of injecting i water for ECC. Anytime the PORVs are called upon for aiding HPSI, it must be performed manually by the operators in the control room. There is no automatic actuation system associated with the PORVs except for their pressure setpoint.
! There are two events listed on the Point Beach event trees which refer to the SRVs. These events are not modeled with
! fault trees, as are the PORVs but are calculated directly as a
failure probability. These events appear under the headings of l P and Q, which are

SRVs fail to open and SRVs fai~1 to reclose, respectively. These events were attributed to the SRVs rather than the PORVs since in this analysis the PORV block valves are assumed to be normally closed at Point Beach.
The simplified fault tree for the PORVs appears as part of the Bleed and Feed fault tree in Section 3.0.
i -
i -
7.0 CONTAINMENT AIR RECIRCULATICN COOLING SYSTEM (CARCS)
The containment air recirculation cooling system (called containment fan cooling units in the fault trees) serves as an independent backup to the containment spray system for the removal of heat from the containment. The system is designed I
to recirculate and cool the containment atmosphere in the event
~~of a loss-of-coolant accident and thereby ensure that the~~
~~containment pressure cannot exceed its design value of 60 psig at 286*F (100% relative humidity).~~
The CARCS consists of four containment fan cooling units (CFCU) plus the associated piping and components for the component cooling water (CCW) system cooling of the unit cooling coils.
Each of the four fan cooling units is provided with two separate vane axial fans. The two fans operate in parallel, but are of different design. One fan (the accident fan) and motor are especially designed for the high pressure, temperature, and density following a loss-of-coolant accident.
! The second fan (the normal fan) and motor are designed for normal operation, and are not required to operate in the post accident atmosphere.
A-31
e .
e --
s During normal plant operations, all four of the CARC units are running to help cool the equipment which is operating inside containment. At this time the normal fans are running and flow through the cooling coils is maintained by the two normally
' running SW pumps. On receipt of an SIS, the accident fans start and the normal fans stop, increased SW flow is achieved by the actuation of the standby SW pumps. In this mode each cooler is designed to remove 5X107 BTU /hr from a saturated air-steam mixture at 286*F and 60 psig with flow rate of 38,500 o
cfa.
There are two fault trees for the CARCS depending on the success of the CSI system. The CSI system also provides cooling of the containment atmosphere both by itself and in'i combination with the CARCS depending on the operability of each system. The combining of the CSI and CARC systems to provide containment coolin'g results in the formulation of three sets of success criteria to be acdeled by fault trees and represented on the event trees. The success criteria for containment cooling is as follows: 1) 4 out of 4 CARC units operating in their accident mode, 2) 2 of 4 cooling units in conjunction with 1 of 2 CSI trains, or 3) 2.of 2 CSI trains.
The CARCS simplified fault tree is shown on Figure A.22. Both success criteria are represented, the 4 of 4 fan coolers and the 2 of 4 fan coolers.
8.0 EMERGENCY SAFEGUARDS ACTUATION SYSTEM (ESAS) .
The ESAS is the means by which the engineered safety feature systems (ESFS) are designed to receive automatic actuation signals whenever plant conditions warrant their operation. The ESAS monitors plant conditions such as RCS and containment pressure and when required it generates the appropriate signals which then starts the corresponding systems. .
The ESAS as modeled in this analysis is comprised of three parallel subsystems, each actuating a different set of components. These three subsystems are the safety injection signal (SIS), the containment spray signal (CSS) and the auxiliary feedwater actuation signal (AFAS). Each subsystem provides an independent link between the appropriate plant sensors and the components being actuated.
The SIS may be generated by any one of four sources: 1) manually, 2) low pressurizer pressure, 3) high containment pressure, or 4) low steam pressure. For the three plant conditions, signals are generated by a set of three parallel sensors upon reaching some pre-set limit. Each sensor is received by a signal corresponding to bistables with each bistable then passing the signal to two relay coils (1 for train A, 1 for tr.ain B actuation). Each coil actuates a set of relays in the actuation logic such that 2 of the 3 sensors are 4- 40
~~e. og o en e **e +eeg -e g e =we e + -~~
e
i
. CC(A F-4cF4tA. ., . .
l
%%. Fa 1
.Tr /A m m c(,r ._
L- 4 4 4 ti d b '
-t ;
1
$* l l l l
. I. (pJ 1- _
y %a6 %
%x & W um D sgu %
rs -
FA g FA . Fala.
% () $wk W .
se , sB se l I My In 6~ MY btu -
Sl$ - 0 f &
O O. O CctA.F 7 oF4 %.
% To, f.w l "Xe Phr.k wmr2.L a f 'I f .
l l l l ys u n. uJ. u%.
A,c - P 4 , 6 + C- 6,crP 436tv
dl #euJL Fu f. F'u.L W 6IJw sW
- F I W %
~
M$ ?
"J4 6 "J4 C
~~dk Fa.dA E%f.4 .~~
A\ A d ia.A h tr 8 tr 6 Figure A.22 CARCS Fault Tree ..
A-4i uw - - - . - - - _ _ _ _ _ . _ _ _ . _ _ _ _ _ _ _ _ _ __ , - - - , - - - _ , _ _ , . _ _ _ , - _ . . , _ , - , , . _ _ , _ , ,_.,,.,_.,,.,.,,n
s required to generate a signal which then initiates safety-injection. The SIS system is dependent on the vital instrument AC power system for its electric power, however, the system is designed such that all components are normally energized and that de-energization (i.e., loss of power) produces an actuation signal. This means that a failure of the electric power system does not fail the actuation sys' tem but instead generates an SIS.
L The Auxiliary Feedwater Actuation system operates in the same manner as the SIS system in the configuration of the actuation logic components and the EP support. However, it does rely on sensors which monitor different plant conditions. Further, the AFAS is segregated by which portion of the AFW system is started. The turbine-driven pump starts on a low-low S/G 1evel in both S/Gs or a loss of voltage on one of the two 4160 volt safety buses. The motor-driven pumps are started on a low-low S/G level in either S/G, both main feedwater pump breakers opening, or an SIS. -
The third portion of ESAS modeled in this analysis is the CSS.
This system initiates the opegation of the containment spray injection system when a high-high containment pressure is reached. The CSS is configured as the previously described SIS and AFAS logic systems except for the dependence on electric power. Unlike the SIS and AFAS, the CSS logic is normally de-energized and requires the application of electric power for the generation of a start signal for the containment spray system.
Figure A.23 is a simplified fault tree for one train of the SIS and CSS systems. These fault trees are typical of those modeled in this portion of the study.
l 9.0 COMPCNENT COOLING WATER SYSTEM (CCWS) -
The purpose of the CCW system is to provide cooling water to specific components during both normal and emergency conditions.
l The CCW system is a closed loop system with one pump and one I heat exchanger normally in operation transferring heat from the i components being cooled to the service water system (SWS) which I in turn deposits the heat into the ultimate heat sink, namely
! Lake Michigan. The CCWS is shown on Figure A.24. The CCW system includes one standby pump and a standby heat exchanger.
The standby pump is kept aligned to the CCW flowpath and only i requires manual actuation from the control room. The standby l heat exchanger, however, is normally valved out of the normal l CCW flow path. This standby heat exchanger is shared by the l
CCW systems for both Unit 1.and Unit 2.
[
l As mentioned above, the CCW system is normally operating with one pump and one heat exchanger. For emergency operations the
. A -4 Z
3 _ g --- - - - -. .
~
w!".p w%
. jot M A ~
f\ -
6 .'e' #% .
. I I l l
'eM LD + LOP a% %M up g ep.s :, n 'L2 bM.3 uAa., g cP fwL?M n 7c, h Q
4 sot 4 ers h, -
b d
L,o s -T25- A D - D pWA 9
()
e I f IC/4 f*t M LFy,5% d,M w&+.
sr W +w+ .s %r .
i Figure A.23 Actuation System FT (typical) 0
. A -43
~
Yot M6 L f
t Y ' 8 "- M * - -
PA
-* ,,'A
~~g--N n + M- '~~
I
.~
g
~
. . . , Comf HX A- 88TW . . $,, , ,' !
. . ... caoso '
Ynsle(. J. LCu) usa s' gg 4 -. ; f g
~~. ocW4*tTrdAS . . - . .~~
8
~~, @ N~~
~
g . _ ?, .
~~
GI B-
~
. '. Cf WPlf 0 Ck1N M- .
~~m. . . % x.~~
. w.6
-T (4 T '
i y.
. 33 Q ,
t
. .. . ...... .. j l
,a .
m
~'.
4
~.14
-y
'3 h E ' ~l 3
h hPI A-PC-F0 .
l I I ' '
n
~
_ .. $ '..'... II .
[
. . . . . . . . y
~~l LPI A N t is~~
' g ag.pc -rg
' : 4 33
-W -
so
. , l*
' + , Ann runt .
g^ .],
g+Les og-ti-s
+g -
-w@ N w#fl#X a H 1.
6 3 4#4) i j
AWA HXs wg < ~
Mh rigure a.24 point neacii ccws (crom esna rigure 9.3-3)
M34 gg g g 6 h M
! l i
I
non-emergency, balance of plant (BOP) systems become isolated from the CCW system automatically, additionally the second pump is manually started from the control room, and the second heat exchanger is aligned to the CCWS of the affected unit by locally opening the manual valves in both the CCW and SW lines. ,
Akthoughnotrequiredduringnormaloperations,CCWflowis l maintained to the safety injection pump coolers at all times. l The RER heat exchanger has two normally closed motor operated valves which automatically open on an SIS.
Successful operation of the CCWS requires the operation of one pump and one heat exchanger to provide sufficient cooling of all emergency loads. A simplified fault tree for the example CCW cooling of the HP pump A is shown on Figure A.25. Other fault trees for the CCWS would be similar. ,
10.0 SERVICE WATER SYSTEM (SWS)
During emergency operations the service water system is designed to provide cooling water to the containment coolers, the auxiliary feedwater motor. driven pump coolers, the diesel l generator jacket coolers and the component cooling water heat excbangers. The system operates continuously Juring normal plant operations providing cooling water to a aumber of systems not required during emergencies. These functions are stopped automatically following an accident and are not addressed here.
The SWS, shown on Figure A.26, is shared by both Unit 1 and Unit 2. The loop header arrangiment provides a redundant supply of service water for essential services that can be maintained in case of failure of one loop section header.
i Six electric motor driven centrifugal pumps are provided as part of the SWS. During normal operation each pump has a capacity of 6800 gpm while during an accident each has a capacity of 5500 gym. The six pumps are connected to a total of four separate 480 volt buses which can be supplied by the
! emergency diesels in the event of a loss of all offsite power.
i Although the SWS is shared by the two units, two of the six pumps are capable of carrying the required normal cooling load for both units. However, during accident conditions three of six pumps are required for the successful cooling ~of all loads.
Should the supply of water from the condensate water storage tank fail for any reason or reach a low level, the emergency feedwater pumps can be supplied with water from the service water header upon remotely opening of motor-operated normally closed valves from the control room.
Of the six SW pumps, two are kept running during normal operations. However, the four remaining pumps are available for automatic actuation during emergencies by the SIS.
A -4 f
'~
! . Ct.,,u)$ FA
.9 M HP' .
~
PM A ~
(h s
. I . F H. FA F 4 t.xmL y FuJx
.i % . x, e ; - '- . v.g.,
~
Se V L G io
~~ -
F1 i O
m I I fgPe yu A L 18 8g -
4D DL (3
t I I W Lt P m . wth X< W Iv W
( ~,1 d et 461 n 'n ,
m- .v I I I I
% . % tx % .F w %, FA A %, 1.Atag, ,l., Jae g, 61 A 61 .
Figure A.25 CCW (typical of eight) 1 .
(:
l
+A i
A-44
~~" * * " * - - - - - .ee em anee emen .- e r--'-D+- m -~~
- a u -
o e 3
'Xi g _Xi Q <1 .. ,
4 3
.X w
r s.,
&@ *x .h@ , "
- cX 3
l'a w a 1[
77' H* w I HX l
$eK{e 3
- 2-51i.e X ea a
=
4 H & h 3
dhe*4 Q x y - s y a- Z_.
e X" - =
=
y I 3" .
l,' % $ 84 y$ 3 3 . SX cx 3 . . 4 3 8 g ~ s z a ,a "
e Ili h,X [ 4
~
K
@h ~
a 3
u -.
X !
=
=
4 ,,
4
' gX
~~4 K e 5x; "R @=y~~
@*3xg ;x1 *g ;X@
X , M X "
a+ a c 2 %g i 1 :
$Zt
@% 6C !
p ' (W k6
~
$Xs 2-
$exe 6 A sz ~
4 La-MR e h gHL.- 3
=
AfNd e N g
e
~~1X4 e~~
=
jVa '
G*gg**e a a .a a a a X4 X; Kt XA Z: X=
Z0 ,
Z4 , ZM -
1 Za Z \ Ze
. . . t e s 4
~~W w$ < 4 WId d1 g~~
%,k e *dai G es ca d c$ 'E
%,1 %-
~
1 %
rig a2
=
A -"' y i
= ta 2 {E 17 E =u G s,=4 e
,. . z g,6F ,s = g:t A -47 -
s An example of a simplified fault tree for the SW cooling of a ,
component is shown on Figure A.27 for the component ' cooling water heat exchanger. This fault tree configuration is typical of those generated for the loads served by the SWS.
11.0 ELECTRIC POWER SYSTEM (EPS) .
The electric power system provides both AC and DC power to the various components and instruments within the plant. The emergency or safeguards EPS, which is modeled in this analysis, is that portion of the EPS which provides both AC and DC electric power to those vital systems required to operate during an accident.
The EPS as modeled, is shown on Figure A.28. The primary source of power is the connection to the 345 KV bus fed by four separate transmission lines which are part of the offsite power '
network. The lower voltage buses are energized through a series of transformers. Alternate sources of power are provided by the emergency diesel generators (DG) and the gas turbine generator (GTG). Although the GTG.is not considered part of the emergency safety grade system, it is included here as a possible source of backup electric power. The EPS is a shared system in that a single emergency EP bus network is used for both Units 1 and 2. There are two diesel generators which can provide emergency power to the 4160 volt safeguard buses, with each DG rated at 2,850 KW continuous, 0.8 power factor, 900 rpm, 4160 volts, 3 phasa. 60 cycle. These diesel units ,
have an emergency capability of 3050 KW for a 30 minute period. The DGs are air started and DC controlled with the air being supplied by a dedicated supply tank sufficiently sized to provide at least 5 starts before being exhausted. The DC control power le supplied by the DC battery bus in the associated EP train. The two DC battery supplied buses are, like the DGs, shared by both units. Each bus has its own dedicated battery and charger with a third charger available as a swing backup to the other two.
The EPS operates during normal plant operations by virtue of its constant state of energization, providing power to all operating components. The system operates routinely as long as offsite power is available. However, if offsite power is lost the procedure is for the diesel generators to automatically start and connect to the 4160 safeguard buses through the closing of the DG circuit breakers. During this period when no AC power is available (after LOSP and before DGs start) emergency DC power is provided to the steam driven AFW train, the vital instrumentation and to the DGs by the b&tteries alone. As mentioned previously, the gas turbine generator has been included as a possible backup source of AC power. The starting operation must be performed manually by the operators at the GTG but communication between the nuclear units and the ,
GTG is routine.
WF- owT- Tw S-67 .
SW5 FM
%% ~
L: C.C.u) ,81- A
() .
+
I I T -
I
~~
CH, Fid.t FultPSA F6Jtx A k% GW su)S FM
~~6 7 .-Cr s7 ~~~
rm r m I I I I kak PW hJx f4+ FL%.u.4 Fat --A of
% c N' fac6't yM Y,JA 4 GL ob x1~l. JI4(o # 104 '
f\ [\
m --
l l l l Gn-t. Fcu.At Fau.it f4vt. W. EJi 6dtf h i
61%. *L .E1t~t a %.
XT 1. *ovXT e M's
\- ( 3 I I I l Fadt fM4. Fw fa q. Fadt NJ:r Ph KavQ4 & A gat .k N . frdQ e u4 4 G1 , x-rs a sa A
n Q I
v I l W(3 l cm.
,. huulx m .
%dkfu w c--
fast-ena xw .g.m.
ca.
fm G. L 4uA 1- t a- e z.
Q n.Q a%2_.n -r Q
% . gyg M -l
~~G L Figure A.27 SWS FT (typical of nine) s.~~
~~A -4 9~~
~~. -.i-.- - . . ._ . . _ _ . _ . . . . . . _ . .~~
s e.rs.x 3 b - '
- m + l l i ~
~~i' M- 'sar - r a:e x~~
%. F1 e .h%. FA l , 1 53 M+.91 F3 + FS l ^
rm . rm rm j i ' l l l l c t A zt A F1%- M. r ar a%.ra -
~~w. u l~ %- w%'~~
Far w.ra A4 x %a. F F1 - F3 F:L F3 i O O 4 Figure A.27 SWS FT (typical of nine) (continued) O e
~~} ""* e 5~~
ao I i . I i i A-S o l e _. .. A . e +ee.. u e%. . t ______=,._,,___.=____, _ _ _ _ . _ _ _ , _ _ _ _ __ __
., 7 ,. _ . - ,. - ... ._. . . .- - ~
~~yf .~~
-}lo .0FFSM ?* ***L. .. .y , qb 4> d> N il 1 -
~~34fkV . - G95 /I~~
~~~ /(~~
u.s a GTG sw5 tw m . s m
~~\3.[$V 4' ' '~~
i'
. guses = ^ .- v rev* l v e rr.d 2.
w t w .A, ? y /T " M y tY t> <> '
~~'"' o mssEI Os M,, Fwvoww owses~~
~~_ z tlbO V i s~~
~~& % s a s mi\~~
i l D s i saw DG{ l0 1s t. o W o 1a.1 ammmunne-s-mune TMwY it.am* i , o I -- g I o o Wh#3 8 ** ST et Y y4 , ap y JP a i om s,ase DGl lh
*" 414
~~V ho Sm., ann~~
~~,, f~~
~~Swf*5 w.as e n - -~~
.t to V . ,A 1 guses $9 ' d, h.
~~i h3 4 tc - A x a i V.__ V~~
,,[l o., 4 0 Y e~c w ^or Mnva.1 gr ~' .
~~c. e c' o.s 13 m a, A T L._ CIM't.r. ett.S(c) )~~
_y g t T- . oc ~, 4_ 4 .. , " t I (39773 <\p D c. L:2MS i Y V oc ovres co-w u os tors - t= 0 tL i' #t.1-y /b.s W o. AteMJ c,hs r+ h W e- A fe e th G ovr **,- 77 h seu.-r 4f cm a eo 6**.untt be c+ u,y ee carte .r-o A w r C No cettewei 4A w titwrv N 8 N t. ti1 Cw'T 4 % *="4 Y} w 're S Figure A.28 Point Beach EPS A-si
s An example simplified fault tree for the failure of a DC bus h shown by Figure A.29. The fault tree is typical in configuration to those developed for all emergency buses which supply EP to the various safety components. , d k l A -S L
Lo(' - OC 64f 4- Do l M 4 fm 12 Jc Lux [ i Toi t . 4 :
~~., r m --~~
i l - LOP :G. d,c 142 i i Tc 701 YT1 , (3 l . I l l l Q pu por bcP as y"n L EOS P I l P bo? a:C Ac h ( 907 F A L 603 . Q n v I I LP Lot aL A G b+us. AL % i 603 t i 40.f . v I I LcP .5- op 4 AG W A L bu 4-L40$ 1AoS
. ( 3 I i 1,of a-C 5.h44A. ~~
A C. % ?O (' TAO 3 A f& b h
~~- t Figure A.29 EPS (typical of ten)~~
~~A-F3~~
~a--==.----s- .. . .u-..... . . . . . : .n n .. . . . . . . ,. . . .. .....
A
~~a. .~~
d
~~. I Ace Su.s.~~
~~LAOS f -~~
~~m -~~
.: - I l LF of Lo? cec AC Au.A- A& W . ? 1403 1- 13.1T 3
m I I Lo? & LF of M. M Aca .truA. 1 - 13 8 1 - 13, 8 r3 I I l s* L0f 6 2b.M A C .bua- .4 w k Sef f.:h . m l l LF W. ! l AC s a We FM l l O O - Figure A.29 EPS (typical of ten) (continued) l . . { 1 .- l (! .- i i
~~. A -s+~~
m cwJr e..% . . _ _ .._. . . . .
I i s t ,/
~~t. - .~~
l 1 l , APPENDIX B l INTERNAL ANALYSIS FOR THE POINT BEACH NUCLEAR POWER PLANT l by Wallis R. Cramond < Sandia National Laboratories and William J. Galyean Science Application: International Corporation - e 2 l l l- 1
]
l< 6 i % 9" t
TABLE OF CONTENTS ' F.!agt
~~1.0 INTRODUCTION~~
2.0 EVENT TREES AND SYSTEM SUCCESS CRITERIA- - 2.1 Transient Event Trees 2.1.1 Transient System Success Criteria i 2.1.2 Tt - Loss of Offsite Power (LOP)- Transient Event Tree 2.1.3 T2 - Loss of Feedwater Transient Event Tree 2.1.4 T3 - All Other Transients
~~' ~ '~~
~~2.2 Small LOCA Event Tree 2.2.1 Small LOCA System Success Criterii '~~
~~' ~~~~
2.2.2 Small LOCA Event Tree 2.3 Containment Systeme-Event Tree and Success Criteria 2.3.1 Containment Systems Success Criteria 2.3.2 Containment Systems Event Tree 3.0 DATA BASE , 3.1 Initiating Events and Events Not Modeled 3.2 Basic Event Probabilities
4.0 RECOVERY ANALYSIS 5.0 ACCIDENT SEQUENCE ANALYSIS 5.1 Accident Sequence Delineation 5.2 Accident Sequence Quantification ,
5.3 Vulnerability Identification 5.4 Containment System Integration 6.0 VALUE ANALYSIS , 6.1 Core Melt Probabilities 6.2 Containment Systems Probabilities 'l REFERENCES i I 1 l l s_- I ____ _ ____ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ . . . _ . , _ . , _ _ , . . _ . - - . ._ ~ _ _ . _ - , . . . ,
L
~~1.0 INTRODUCTION~~
~~~~_ ,_~~
The internal analysis involves a number of sequential steps I which are described in'tnis appendix. Each step and the section where it is discussed in the appenLicies or the main report is shown below. "
~~, 1~~
~~1), Establish System Success Criteria (Appendixta$ Section 2.0)~~
~~J 2L) Construct Event Trees (Appendix B, Section 2.0)~~
3) Construct Fault Trees (Appendix A) 4). Establish Data Base-(Appendix B, Sections 3.1 and 3.2)

5) Visit Plant for System and Special Emergency Information (Appendix B, Section 5.0)

6) Delineate Accident Sequences (Appendix B, Section 5.1)

7) Perform Core Melt Analysis Using the SETS Computer Program Section 5.2)
~~(Appendix B, i .~~
8) Determine Core Esit Dominant Accident Seque.nces (Appendix B, Section'5'.2)

9) Perform Recovery Analysis on Core Melt Dominan.t Accident Sequences (Appendix B.,Section 5.2 and Section 4.0 of %3e Main Report) ,

10) Identify Individual ulnerabilities from'DominantIAccident Sequence Cut Sets (Section 4.0 of Main Report and Appendix B, Section 5.2)

11) Propost I Modifications for the Most Significant .
~~Vulnerabilic,ies (Section 4.0 of Main Report)~~
12) Integra'te Internal and Special Emergency Vulnbrabilities (Section 4.0 of Main Report) l

13) Determine Potential Alternatives (Section 4.0 of Main Report)
~~/ ri4) Communicate Alternatives to Architectural Engineer (Section 4.0 of Main Report)~~
~~_g, 15) Visit Plant to Verify Modification Design ("Section 4.0 of Main Report)~~
~~. ,.rt~~
~~16) Perform SETS Computer Program Analysis fot' Combined Core. '~~
Melt Dominant Accident Sequence and Containment Syster. ,f Sequences (Appendix B, Section 5.3) e 6 -1
~~, , - . - - - . .4. - - . - ., . ~ . . - ..n..--., , ..n,,- - - - - , - - , - , - - - . . , - . - ,a, -~~
~~d 4~~
~~17) Reapply Recovery Analysis to Include the Containment Systems (Appendix B. Section 5.3 and Section 4.0 of the Main_____~~
~~Report)~~
~~18) Assign Dominant Accident Sequences Including Containment System and Containment Failure Mode Probabilities (Appendix B, Section 5.4) .~~
~~l'9) ' Reevaluate Core Melt Probabilities for Each Alternative (Appendix B, Section 5.5)~~
~~20) Reevaluate Combined-Core Melt and Containment Failure Probabilities and Release Category Assignments for Each Alternative (Appendix B Section 5.5)~~
Section 5.0 of Appendix B-is the basic description of the internal analysis while Sections 2.0, 3.0, and 4.0 provide the necessary supporting information. 2.0 EVENT TREE AND SYSTEM-SUCCESS CRITERIA This Section of Appendix B describes the Point Beach event trees and the associated system success criteria. These event trees are related in the following ways. Those branches of the transient event trees that represent transient induced LOCAs, i.e., stuck open pressurizer relief valves, connect to the appropriate branch of the LCCA event tree according to the event successes and failures preceding the induced LOCA. Also, since core melt is not affected by containment systems, the - cotAainment event tree can be separate and simply attached to the end of each core melt accident sequence for either the transient or LOCA event trees. These two relationships greatly simplify the event tree presentation and will be discussed further in Section 5.1 as Accident Sequence Delineation and in Section 5.3 on Containment Systems Integration. , l 2.1 Transient Event Trees There were some transients which were not in the defined scope
of work for this program, e.g., anticipated transients without scram (ATWS) and pressurized thermal shock (PTS). Those transients which are considered can be represented by three fundamental event trees as defined below

T1 - Loss of Offsite Power (LOP) Transient T2 - Loss of Feedwater (LOF) Transient (offsite power is assumed to be available) T3 - All other Transients (ACT) where the power - conversion system is initially available (e.g., Turbine Trip) j . 6 -1
1
~
~~There are several features that are common to all the transient , event trees.~~
~~1) The " bleed and feed" (B&F) mode of primary system cooling is a viable option at Point Beach and will be included in their revised emergency operating procedures. This involves opening~~
, the PORVs to release steam and subsequent high pressure injection of RWST water for cooling and makeup. The " bleed" comes before " feed" since the high pressure (safety injection) pump shutoff head is substantially below the safety relief valve settings.
2) It is assumed that no containment overpressure protection i is required at Point Beach for the B&F mode. This was confirmed by plant personnel and is supported by the IREP ANO-1 study (Reference 7) which showed that it takes over 70 hours of B&F without containment cooling before the containment integrity is challenged. --

3) The Chemical Volume and Control System (CVCS), whose function is to cool the Reactor Coolant Pump (RCP) seals, is not included in the transient event trees. It is assumed that the RCP seals will not require cooling. This issue appears to be unresolved at the present time. Also, it is assumed that the CVCS will not be required for coolant makeup while cooling down to stable hot shutdown. -

4) The reactor protection system (RPS) is assumed to succeed in each transient event tree.-
2.1.1 Transient System Success Criteria l Each heading in the transient event tree relates to a system or i function with an associated success criteria. In a few cases the system is not fault tree modeled, but it is always important to understand what equipment in the system is required for success. Although the support systems are not shown explicitly in the event trees, the success criteria are also given below. System , Success criteria Power Conversion 1 of 2 trains (no fault tree System (PCS) -M model) Auxiliary Feedwater 1 of 2 Motor Driven Pump (MDP) Systems (AFWS) - L Trains or the Turbine Driven Pump (TDP) Train l Pressurizer Safety. 1 of 2 safety relief valves Relief Valves fail given the PORVs are blocked to open on demand f (SRVO) -P
~~\%.~~
6 -3 -
I
+
~~Pressurizer Safety It is assumed one safety relief N Relief Valve f ails to valve opens and thus must~~
'reclose given one has reclose when the pressure opened (SRVR) - Q decreases Power Operated 2 of 2 PORVs are required for .- Relief Valves (PORV) B&F mode og operation. This is ~
part of the B&F fault tree (E) i High Pressure Injec- 1 of 2 safety injection ~ pump tion System (HPIS) trains. This is part of the B&F fault tree (E). Operator initiation of the system is
-- assumed High Pressure Recir- 1 of 2 safety injection pump culation System, trains in series with 1 of 2 (HPRS) -Hi -
~~RER pump trains and 1 of 2 RER heat exchangers Service Water a) 2 of 6 SWS pumps when AFWS System (SWS) has succeeded~~
. b) 3 of 6 SWS pumps when AFWS has failed and HPRS is required Component Cooling 1 of 2 CCW pumps Water System (CCWS) 2.1.2 T1 - Loss of Offsite Power LOP Transient Event Tree The T1 event tree is given in Figure B.1 with the accident sequences and the core status: CK indicating success cr'no core melt, late core melt (LCM) or early core melt (ECM), and LOCA for those sequences which transfer to the LOCA event tree.
Only the core melt or transient induced LOCA accident sequences are numbered. Success of the RPS is assumed. Failure of the PCS results gives loss of off site power. Thus, the significant part of the event tree starts with the success / failure of the AFWS. Given success of the AFWS, the SRVs are not required to open but may inadvertently open and then be required to reclose. Failure to reclose results in a transient induced LOCA where L is successful (Sequence 1). Successful reclosing is an OK sequence., If the AFWS fails the safety relief valves will be challenged and failure to open causes a rapid RCS overpressure and an assured reactor vessel rupture without further mitigation options resulting in core melt (Sequence 5). If, however, the safety relief valves open, the pressure is relieved and the next branch is success or failure of the safety relief valves , closing. Failure of the SRVS to reclose results in a transient '
~~. 6-+~~
~~i , , i . ' ; ;lj ,, ,, i' ' , i ! l,.I; :! .~~
~~' ,i -ie ,l. !,~~
~~j . _ ' i l~~
~~;- .- i' , i s^ .~~
f
~~. e4 l z 3 4 !~~
~~fs _ a4 n HF i Q e,~~
~~+ o G t . TW e~~
~~c 4 t L L t h n n H h h H ho* i~~
~~i i~~
c, 5 T i T i T i T i T i T T e FS e n A A r o v- c r- i M h T CN 3 o L o o t c c t m c t L E d n e v E
~~, 3 g n p ' )~~
1 g T ( t n F e s N . i s n G . a r T tr r q v e t w
< o 3 P e - t o i P v t W f s
3 ei f O S S f o s f u T s L p
~~s A 2 t~~
~~o L S 1 w .~~
~~s. l B h c o e O .~~
~~r u g~~
. . i s F K e L
~~( i P T o - L i-~~
~~. 'M i !l >~~
induced LOCA where L has failed (Sequence 4). For successful ' SRV reclosure, it is then necessary to consider another method to remove decay heat since the AFWS has failed previously in this scenario. . Bleed and Feed (B&F) is the next choice with failure leading to core melt (Sequence 3). Success of the B&F mode requires subsequent long term cooling and makeup from the HPRS. While the high pressure components are the same, the changeover from injection to recirculation also requires the low pressure system (RHR) for suction from the sump and the cooling flow path through the RHR heat exchangers. Success of the EPRS rsults in an OK, no core melt sequence. Failure of the EPRS leads to core melt (Sequence 4). 2.1.3 T2 - Loss of Feedwatar. Transient Event Tree The T2 event tree structure i,s exactly the same as the T1 evett tree. The only difference is the frequency of the initiating event and various system failures because of the initial conditions. The discussion of sequences in Section 2.2.2 applies to the T2 event. tree. The T2 event tree is given in Figure B.2 for completeness. 2.1.4 T3 - All Other Transients This transient category is distinguished from Tt and T2 by the power conversion system being initially available. The T3 transient addresses a large number of transients where the initial conditions are essenti. ally the same, i.e., offsite power is available and the power conversion system is initially available. The event tree is given in Figure B.3. The discussion found in Section 2.2.2 for the T t transient is applicable except that the system failure frequencie's will be different and there is one additional branch. This branch starts with PCS(M) success and thus the AFWS is not called upon. If one of the SRVs inadvertently opens, failure to reclose results in a transient reduced LOCA (Sequence 6) which transfers to the LOCA event tree where a choice on L is required. Even though the PCS was initially available it is not needed at Point Beach for transient induced LOCAs. If the SRVs reclose, this becomes an OK sequence. 2.2 Small LOCA Event Tree The small LOCA (< 2" diameter break) event tree for Point Beach is shown in Figure B.4. It has two important features; a branch where credit is given for bleed and feed, and a branch where credit is given for secondary blowdown. These will be discussed further later in this section. The defined scope of the program excludes large LOCAs (A), small LOCAs (St), reactor vessel rupture LOCAs (R), 6-4
~~3 j i. ,' :j !i!f i' i!j l ! '~~
~~i , - . - 1~~
~~. l ;, li '~~
~~~ ~ e^* 9 l 2 3 4 l 61 *" n t Q P M "" F t L~~
~~. , a R L L L .~~
h h i D h H. g . o t H. a c e u t A'** T T E Y T 'T T i p' 9 n A c b ) M A M C"' o o L o O i c c I m C e e
~~.r L G E r T~~
~~i s t n H a n - e H v E~~
)
2 T F ( G w t G . n e i
. s n n q v a r
a T s r e t o - a v w P t A d r C e 3 S o e F 0 f s 0 o
~~~ To L p s s~~
A V o L S 2 s W . h c l B e A e r u g i s F K l e f s F T o L rI.
~~' O C " , ' l~~
~~- l 3 - i~~
~~[ ,, :~~
~~' , -,3 .~~
~~y j' ,l 'l j f~~
~~' n f ' . - , . lj l!! !!~~
~~p._ w^ e4 q4 6 l z 3 , 4 f wF i d e mW~~
~~e. 4 '~~
~~6 L s t h l t h H h i H a* h l~~
~~.c t 3 W 3 3 3 T~~
~~3 T 3 7 3 T 3 5 . T T T T T , nS K A c r- A~~
~~' n 4 h cNo 3 O o L~~
o L t o ( c 1 c 0 0 c-L s E t e 5 e g r n p T g t n e v F E s w ) G T 3
~~. t O q i~~
~~n i v i~~
~~"e s . n a~~
r o T P v t r ( 3 e
~~' h t~~
_ O S l w l L F A A 3 S . B W e K S. ( T r P A u g _ i F S r,. P L (
)
~~T 3 T C.. M , Gt% l~~
~~' .[! !~~
~~t!i . t 5 : .~~
~~;;hi 6.' c i l!! i . - ' ' - ,'s ! Ii , , i I9 .~~
~~i * ! . _w - 1 1 3 4 $ 7~~
~~.. (~~
~~b s i', n i _ t o i ' n i , ne 0, %i~~
~~% 'P L~~
~~D L~~
~~~ N H 0 D D 0 L L i~~
~~h H H H H M . a d M h 6 h~~
~~'n - g 1 t 2 2 t t t S~~
~~t hh~~
" T 7 7 3 3 7 T S n h n h t n h nc A. K K e W c c c o c c o
c O O L o b s e u E e I + [ 3 - ty
}}
~~r , t I 5 L e.~~
/
~~4 1 't H H H~~
~~l . e e~~
, S r 7' . T 0 P t L n e
~~v y(' . M E x 6 3~~
)
~~2 S y (~~
~~, V 7 e A P~~
I I t C I A p O ( L A S rw S
/
~~l l~~
+
I a A a D P t S e P S m h 3 o 2 4 p n t B L w T
h
( P e 6 r 94 u g he i
~~$ S t~~
F M P C ', A S F- O R A . . E W mia
interfacing system LOCAs (V), and double steam generator tube s ruptures. Single steam generator tube ruptures are considered-as part of S2 since that steam generator can be isolated. Small steam line breaks are also considered because they can either be isolated or will provide the secondary steam relief instead of the atmospheric relief valves or the turbine' bypass valves. , 2'.2.1 Small LOCA System Success Criteria i Each heading the the LOCA event tree relates to a system or function with an associated success criteria. In a few cases the system does not have -a fault tree model but success criteria are given below for all the systems implicitly or explicitly involved in the headings. System Success criteria Power Conversion 1 of 2 trains (no fault tree System (PCS) -M model) Auxiliary Feedwater 1 of 2 motor driven pump (MDP) System (AFWS) - L~ , trains or the turbine driven pump (TDP) train High Pressure Injec- 1 of 2 safety injection pump tion System (HPIS) - trains D1 . Power Operated Relief 2 of 2 PORVs are required for Valves (PORV) -P1 , B&F mode of operation Secondary Blowdown Normal pressurizer spray or Mode (SBM) -X auxiliary pressurizer sprays, and steam bypass valves or 2 of 2 atmospheric dump valves Low Pressure Injection 2 of 2 RER pump trains System (LPIS) -D2 High Pressure Recir- 1 of 2 safety injection pump culation System trains in series with 1 of 2 (HPRS) -H1 RER pump trains and 1 of 2 RER heat exchangers High Pressure Recir- Same as H1 except without the culation System RHR heat exchangers (HPRS) -H'1 Low Pressure Recir- 1 of 2 RER pump trains and 1 of culation System 2 RHR heat exchangers (this was , (LPRS) -H2 not used in the final analysist)
/
6 -Io
i 4 i Low Pressure Recir- Same as H2 except without culation System the RHR heat exchangers
~~(LPRS) -H'2 Service Water System a) 2 of 6 SMS pumps w'h'en AFWS~~
~~{ '~~
~~. (SMS) has succeeded -~~
! b) 3 of 6 SMS pumps when AFWS l* has failed and HPRS is required Component Cooling 1 of 2 CCW pumps l Water System (CCWS) 2.2.2 S2 -Saall LOCA Rvent Tree The core status outcomes in Figure B.4 are OK indicating success or no core melt, late core melt (LCM) and early core melt (ECM). i The event tree effectively starts with the success / failure of the AFWS since the RPS(K) is assumed to be successful and i PCS(M), i.e., main feedwater, will trip from a safety injection . signal and be isolated. If the AFWS(L) is successful, the next consideration is the HPIS (D 1). HPIS success then requires recirculation cooling to achieve adequate core cooling. Given either HPRS (H 1 ') or LPRS (H 2 ') success, this leads to an OK core status. Failure of both HPRS (H1') and LPRS (H 2 ') s' leads to a late core melt (Sequence 1). Information from the Point Beach plant indicates that sufficient water from an S2 l LOCA will be channeled to the s.uap to assure an adequate
recirculation water source. Furthermore, the RHR heat exchangers are not required since the AFWS is successful and is i adequate to remove all decay by itself.
~~The second major branch of the event tree occurs when*the AFWS(L) is successful but the HPIS(D 1 ) fails. In this case~~
! the option that would be selected in Point Beach emergency operating procedures is the secondary blowdown mode (SBM) labeled I in the event tree. This requires both pressurizer j sprays and secondary steam relief by steam bypass to the condenser or opening 2 of 2 atmospheric dump valves. The objective of this mode is to rapidly depressurize the primary so that the LPIS can be brought into service. Subsequent success of the LPIS and the LPRS later in the accident results e in an OK sequence. Failure to depressurize leads to an early 1 core melt (Sequence 4). Successful depressurization but 2
failure of LPIS also leads to an early core melt (Sequence 3). j Successful depressurization and LPIS but subsequent failure of j 1 the LPRS results in a late core melt (Sequence 2). ; The third major branch of the S2 event tree is where the
, AFWS(L) fails. Since bleed and feed is a viable option in l I transient situations where the AFWS fails, it is likewise applicable to the small LOCA. In fact, the water lost from the l
~~; . B -Il~~
1 small LOCA may not be enough " bleed" to reduce the_P_qRV(P1) criteria from 2 of 2 to 1 of 2 PORVs needed to be opened.- ! These PORVs must be remote manually opened by the operator. However, the safety injection signal will have isolated the containment and cut off the instrument air. This must first be restored in order to apply the bleed and feed mode. Th's HPIS gets a safety injection signal due to the LOCA so an operator initiated HPIS start is not required as it is for'a transient bleed and feed. i . To continue with the bleed and feed branch of the small LOCA ) event tree, failure of the HPIS(D 1) leads directly to early l core melt (Sequence 7). Given success of D 1, failure to open both PORVs(P 1 ) also leads to an early core melt (Sequence 6). Finally, even with success of Di and P1, recirculation phase cooling is required with the RHR heat exchangers since the AFWS has already failed. Thus, failure of Hi after success of Di and P1 leads to.a late core melt (Sequence 5). 2.3 Containment Systems Event Tree and Success Criteria Past PRAs have usually assumed that failure of the containment due to failure of the containment systems to protect against overpressure led to sump flashing and subsequent low pressure 4 (RHR) pump cavitation.. -At Point Beach, and perhaps most other PWRs, it is estimated that at most only a foot or so of sump water would flash before the sump water would cool enough to come into equilibrium with the containment environment. Thus, the containment systems can be separated from the core melt event trees and applied in tanden to each accident sequence. In practice it is only necessary to consider the containment
! event tree for core melt sequence, and further, only to dominant core melt accident sequences. This tends to simplify the analysis process. The containment system event tree is given in Figure B.S.
~~2.3.1 Containment Systems Success Cr.iteria~~
! Each leading in the containment systems event tree relates to a system or combination of systems. .Each system has a success criteria and a fault tree model. The success criteria are given below.
~~System success Criteria~~
. Containment Cooling 4 of 4 CCUs operating Units (CCU) -Yi i Containment Cooling 2 of 4 CCUs operating j Units (CCU) -Y2
~~Containment Spray 2 of 2 CSIS pump trains Injection System j (CSIS) -C1 1~~
- 6 -11 - -- _= -- - - ..-... ... . . .-
~~( I (N. >~~
~~,l t ! ... . ....._a ..~~
i Ch g c t, y- / Mus on sps op ,3 h e-{u cot-Tvn s hm_ o oyt heceo M co m+ swr l Sft'N'*4 Cof CSIS CSit s OW#*6 DUM' ! paar5=cp = ~ [CO @P)ev/n_ DI
~~M* D pegwwm .~~
~~4 t~~
~~. i Su c c45 ci;w e m S 3 Cg f:/ l t~~
~~S e e c.o s m = c-a, u a s et s .l . .~~
~~- 1 !~~
~~pees eaaw rm w w a c2P' '5~~
~~, I -~~
t . i r-en w(A" 'S vC'*2 f E C a F .l , t I g - . CflL uN (-AT\t Mat wit 8 . Q- C1f,. - pas tuttf eor W C-Al w C - t- C1 N , t f ; E = Y, ( c, t F ) [C 2. -t Y2 ) ' e I e 8
~
i Figure B.5 Containment Systems Event Tree
t Containment Spray 2 of 2 CSIS pump trains - Injection System (CSIS) -C2 Containment Spray 1 of 2 CSRS pump train and Recirculation 1 of 2 RHR pump trains with System (CSRS) -F 1 of 2 RHR. heat.exchangers l Containment Spray Same as F except without the i Recirculation RHR heat exchangers l System (CSRS) -F ' 2.3.2 Containment Systems Event Tree Figure B.5 gives the simplified containment system event tree (CSET) for Point Beach. This is not to be confused with the traditional containment failure mode event tree which will be discussed later. The purpose ~of the CSET is to establish the containment state which combined with the core melt accident sequence provide the complete systems accident sequence and the basis for mapping into release categories. It is not necessary to trace the containment event tree branch by branch since it is symetric*al and the status columns in Figure B.5 are self-explanatory. The first success / failure branch is on containment overpressure protection (Z). The function Z is defined as - Z=Yi (C1 +F)(C2 +Y2 ) - What this says is the containm,ent can be protected from overpressure by
1) 4 operating containment fan units, or

2) 2 CSIS trains 'arly e and 1 CSRS train later with heat -
~~exchanger, or~~
~~3) 2 CSIS trains early and 2 operating containment fan units to cover the later time period.~~
Success of post accident radioactivity removal (PARR) requires early sprays (C2 ) and late sprays (F') although heat remove is not needed. While the event tree could have been drawn to show each system explicitly, this would provide no additional useful information. The success as well as failure events are shown in the containment system sequence column. Even the success cases are important since given core. melt the containment by definition always fails but it is the way it fails and the probability of failure that are important to risk to the public.
~~) . 6 -14~~
s 3.0 DATA BASE 3.1 Initiatina Events and Events Not Modeled Part of every accident sequence involves events that ar.e not quantified using a fault tree model. These events include the initiating event and certain events such as.the failure of the PCS or failure of the pressurizer relief valves to open. The - frequency or probability of the combination of non-modeled avents in a given accident sequence will be called -the multiplier frequency. An example would be the accident sequence TM23 g where T3 is the initiating event, M Q,.and I are the_other non-aodeled events, and CD y is the Boolead accident sequence. Thus, T 3 MQI is the multiplier expression and f(T 3MQX) is I the multiplier frequency. The non-modeled events are independent so that the individual probabilities can be multiplied together. Continuing the example, ! p(T 3 MQX) = p(T 3 )
p(M)

p(Q)

p(X) .
l There are eight events and-one pseudo event (the PORV opening when not demanded) which are described below. In general we will use generic data to permit better comparison between plant types and to avoid any controversy regarding the latest or best plant specific data. Small LOCA (S2) . f(52) = 2.OE-2 per reactor year This comes from the IREP Procedures Guide NUREG/CR-2728, page 74, Table 5.3-1. It includes the frequency of 0.38" to 1.2" and 1.2" to 1.66" diameter breaks: no distinction is made between these two LOCA sizes in the TAP A-45 analysis. In fact, the S2 definition used here is a break less than 2" in diameter. Loss of Offsite Power Transient (T1) f(T I ) = 9E-2 per reactor year The frequency quoted in NUREG/CR-2728, Table 5.3-1, is 3.2E-1; however, later generic data is available in the EPRI NSAC/80 July 1984 report. In this report the data through 1983 indicate a frequency of 0.088 per site year, and for the last three years alone (1981-1983) a frequency of 0.027 per site f)=l$
year. While the latter number may seem to be the more 'N reasonable frequency to characterize the current situation, NRC i policy as stated in NUREG 1032 is that a 0.09 frequency will be j used for loss of offsite power.. ! Transient Initiated by a Total Interruntion of Main Feed- , water (T 2) 'T - (' f(T2 ) = 1.0E-0 per reactor year This is the frequency quoted in NUREG/CR-2728, Table 5.3-1, a' nd i thus will be considered as generic data. All Other Transients which do not Affect Front Line System , Significantly (T ) 7.- - 3 i F(T 3 ) = 7.lE-O per reactor year As the name implies, this -transient covers everything not i included in T1 and T2 . -Such transients occur frequently. The number quoted in NUREG/CR-2728 Table 5.3-1 is 7.1 ' , occurences per reactor year. 'In addition, it was determined
that no single failure of safety related power buses at Point Beach would result in a transient initiator, j Failure of Power Conversion System and Secondary Steam Relief )

IH1 -
. f(M) = 1.0E-2 per demand This is the failure of the PCS mode of removing decay heat given the PCS is initially available following the transient. l The 1.0E-2 number has been used in several PRAs starting with Wash 1400 (page V-39) and thus will be considered generic for l purposes of this study. 1 Failure of DeDressurization with Secondary Blowdown (X) i l p(X) = 3.7E-3 per demand I Given an S 2 LOCA or transient induced LOCA and AFWS success,. this mode is used to respond to the situation where HPIS fails. If the primary can be depressurized, the LPIS can then i provide injection. This depressurization is accomplished using pressurize sprays and secondary steam relief or dumping beyond that needed with the AFWS. Although secondary blowdown was not modele@(in. detail, a simplified fault tree was used to establish the failure frequency. The model is shown in Figure B.6. The model is relatively self-explanatory. The Boolean expression using symbols from the fault tree is ,
.\ . / . S-N * - - . . . . .. .. . . . , . , _ _ e .y . _ __ f _ _ _ _ _ __e. . _ _ .
t - A l t'*AILt.s M 00- gdt og ,=4 N11.ati , Sd.wie tes..tas.<..a ow-se .>
~~- 1 I~~
~~I I I~~
%As w F% d'3 05- i Fwww oc ; t> m ew+ Pa*SJ-4 *1 4 s h oaa-v i
~~ses s w aa > S tem! 1N%^~~
~~l3 Aet.enw~~
~~, . i '~~
~~I n ..-~1 . ,, ,-~ . g-t~~
8' h h

my T*3 speevs

l j f b b l .
O
. I I I _ .I r~n .ou ew-** , % -,u , y ~~e +
J.
1 3,c*v a..n spw wwr ag * ' **a-b **A g.c5 rehsj +46.-so ent l ca.>+, , 3,4 l i h') h .
.: . I Figure B.6 Simplitled Fault Tree for Secondary Blowdown l l, f ~'
~~li l l i~~
~~-De4 ge m-m M 6h em @ e>> h e em .m 6 6~~
e* = * *
~~i N~~
~~O }- e _ r~~
~~, s ; 4~~
9
+
a e 1 1 - D I ".a t p " g 4$ 0
~~~ /~~
fg st M;4 L[k l b1 t 1o 11 *a 2 = e a:g lln - 5 ppI i .
~~.k al >! 'O b - - t t E~~
~~c, 3}T-~~
~~.n D - ,~~
~~o Y u~~
- W ,, O e-(==)= .' l\ r-~~ r== , 4 21 - ,i l'$ . ,
i C * , - i d - 1-3s F u-tzi\K/ ye.{, w g u
~~14. h~~
~~- 54 -~~
~~1.,l = 2pt s e s~~
~~y f 318 l x .~~
O
~~. .s.1 7,'~~
e.} 3 1 2 9 {) - t o> I I:42, w a E e i W W e i 9 w 3 On
~~.o e I~~
~~m l~~
~~/*d o I 's l \~~
~~l t I e~~
~
~~i 6 -18~~
~~.g. m m e s e.e. . a,ee e e. WP em -e6 ee - J -aseemum re -m __.~~
g ;
X=X 1 + (X2 +I3 )(X4 +15 ) +I 6 II 7(I 9
~~+Ilo)~~
~~I IIll*Il2dd_* S Assuming these events are independent and the following event failure probabilities, .~~
p(X1 ) = 3E-3 typical operator error failure probability - i' p(X2 ) = 1 for loss of offsite power i = 3E-3 VCC-LF frequency from generic data table p(X3 ) = 1 for loss of.offsite power .
= 1E-2 estimate of pump unavailability p(X4 ) = 3E-3 VCC-LF probability from generic data table p(X5 ) = 2E-2 estimate based on typical system failure probabilities p(X 6) See analysis p(X7 - p(X 6 ) = lE-2 Kuman failure to be able to manually jack open these valves .. p(X9 ) = p(X11) = 2E-2 common mode failure of an electric power train p(Xi o) = p(X12) = 3E-4 failure of relief valve to open on demand; assume no common mode The probability of I can be quantified for two cases: loss of offsite power (LOP) for transient induced LOCAs deriving from T, 1 and all other initiating events (ACE). Substituting the probabilities from the list above, ,
~~f(Xl LOP) = (3E-3) + (1)(3E-3 + 2E-2)~~
+ p(X 6 )[(lE-2)(2E-2 + 3E-4) + (IE-2)(2E-2 + 3E-4)] = (3E-3) + (2.3E-2) + p(X 6 )(4E-4) if we assume p(X 6 ) = 1 to be conservative and since it does not. contribute very much, = p(Xl LOP) = 2.6E-2 per demand and, f(Xl ACE) = (3E-3) + ((3E-3) + (IE-2)]((3E-3) + (2E-2)] + p(X 6 )((1E-2)(2E-2+3E-4) + (IE-2)(2E-2+3E-4)) = (3E-3)'+ (3E-4) + p(X 6)(4E-4)
Again, if we assume p(X 6) " le s- f(Xl ACE) = 3.7E-3 6-19
I Frecuenev of the PORVs Onenina When Not Needed - In several i' branches of the event trees the pressurizer relief valves are not required to open to prevent overpressure but, nevertheless, may inadvertently open. Experience has shown that this occurs about ] 7% of the time. Thus this factor is used in all those cases to i account for the likelihood of the relief valves opening when it is subsequently asked whether the valves closed or not, i.e., event Q.
~
l j .. Failure of the Pressurizer Relief Valves to Close Given That They are Onen (0) ' f(Q) = 1.0E-2 i Given that a pressurizer relief valve is open, the likelihood j that it would not close or. stick open is 1.0E-2 taken from i NUREG/CR-2728, p 127, Table 5.1-1, section 2.7.2. Since there are 2 SRVs the frequency is.l.0E-2 + 1.0E-2 = 2.0E-2. l Failure of the Pressurizer Relief Valves to Onen When Demanded (P) ! F(P) = 1.0E-10 ~ There are two cases to be considered given the system has 2 PORVs and 2 SRVs. Each of the PORVs have block valves which may or may i not be closed during normal operations. Thus Case 1 is where the plant operates with the block valves open and Case 2 is where the plant operates with the block valves closed. The probabilities )
~~are taken from NUREG/CR-2728, page 127, Table 5.1-1.~~
~~j Case 1: l p(P) = p(PORV A fails to open) x p(PORV B fails to open)x~~
p(SRV A fails to open) x p(SRV B fails to open) 1 = (3E-4)(3E-4)(1E-5)(lE-5) = 9E-18 or essentially j 1 zero assuming no common mode .
I ! Case 2: 4 p(P) = (IE-0)(1E-0)(1E-5) (IE-5) = 1E-10 t The preceding discussion is the rationale behind the probabilities used to quantify the multipliers for the accident sequences evaluated in the Point Beach internal analysis. Table B.1 shows the multiplier frequency for each non-Boolean . Multiplier expression established by the event trees. In all cases the complement events (1, P, and Q) are close enough to one to be ignored. The probabilities given in the preceding discussion are rounded off to the nearest integer before l calculating the multiplier frequency. 3.2 Basic Event Probabilities The data used for the quantification of the Point Beach fault , h *2O J t . - - . . _ _ _ _ . --. . - - . - - . . - - . - . . . - . . - . , . . . - -
( Table B.1 Frequency of Initiating Events and Event Tree Headings Not Modeled Frequency
, PORVs Open " - . Multiplier S2 T1 T2 T3 M X P When Not 'Q Frequency Needed .
SM 2E-2 lE-0 2.0E-2 2 SyMi 2E-2 lE-0 2.0E-2 S y MX 2E-2 1E-0 4E-3 8.0E-5 . T 3ME6 9E-2 lE-0 9.0E-2 ; T y MP 9E-2 IE-0 IE-10 9.0E-12 , T gMQ 9E-2 IE-0 7E-2 2E-2 1.3E-4 , l T 3MQi 98-2 lE-0 7E-2 2E-2 1.3E-4 ! l ' T gMQX 9E-2 IE-0 3E-2 7E-2 2E-2 3.8E-6 T 3MEQ 9E-2 lE-0 2E-2 1.8E-3 . T ME 2 lE-0 lE-0 ,
~~! 1.0E-0 [~~
~~T 2 MP lE-0~~
~~IE-0 IE-10 1.0E-10 !~~
G e T 2MQ IE-0 IE-0 7E-2 2E-2 1.4E-3 , f T2MQi lE-0 lE-0 7E-2 2E-2 1.4E-3 T 2MQX IE-0 lE-0 4E-3 7E-2 2E-2 5.6E-6 T yMEQ IE-0 IE-0 2E-2 2.0E-2 T 3ME5 7E-0 lE-2 7.0E-2 i T MP 3 7E-0 lE-2 lE-10 7.0E-12' T 3MQ 7E-0 lE-2 7E-2 2E-2, 9.8E-5 T 3MQR 7E-0 IE-2 7E-2 2E-2 9.8E-5 T 3MQX E-0 lE-2 4E-3 7E-2 2E-2 ,'.0E-7 4 T 3MEQ 7E-0 lE-2 2E-2 1.4E-3 T03 7E-0 7E-2 2E-2 9.8E-3 T302 7E-0 7E-2 2E-2 9.8E-3 ', T30X 7E-0 4E-3 7E-2 2E-2 4.0E-5 T 3PQ 7E-0 2E-2 1.4E-1
~~. . . ~ . . . __.. _ _ _ _ _ _. ._ _ .. . _ _ ..._.._.~~
l trees was collected from a variety of references. Generally,. the IREP procedures guide was the source for most harduare - failure rates, the Station Blackout Accident Analysis (TAP-A44) was used f or most electrical f ailure rates and the Ruman Factors Handbook for most failures due to human e r r o r's .. The data in Table B.2 was used in the quantification of the Point Beach fault trees. The table lists the avant ID. a brief d'escription of the failure, the failure rate and the reference. This is generic data and was used to generate the SETS value
~
block in which probabilities are assigned to every fault tree basic event. For example, the event HPEMV38-VCT-LF is given an event frequency of 3E-3 found in Table B.2 under VCC-LF which is the mama 1.requency .far any actor operated valve that is normally closed and fails to open on demand, i.e., fails closed. Thus the table represents many more events than are actually shown.- Some failures are listed as having more than one failure rate. l This results from the consideration of the loss of offsite power (LOP) as an initiating event which in turn affects other components in the plant, specifically the component cooling water and service water pumps which are normally running. Since these pumps are kept running during power operations the normal f ailure rate consists of a f ailure to keep running. However, given loss of offsite power, these pumps stop and the failure rate becomes the sum of a failure to start and a failure to continue running. 4.0 RECOVERY ANALYSIS , The analysis for the application of recovery on the Dominant Accident Sequences (DAS) calculated for Point 5sach is a four step process. , First, the time available for recovery must be determined. This requires an estimate of the time interval between the initiating event and the point at which the core begins to uncover (i.e., the point of no return). This recovery time is based on the accidsat analysl.s. par *nr==^ 1.n the Ganaric ! Feedwater Studies which provided the basils for the verk Performed in the Accident Sequence Evaluation Program (ASEP). l Since the ASEP work was concerned with a limited number of sequences the ASEP results were extrapolated to cover all the dominant sequences analyzed for Point Beach (see Table 3.3). However, the thermal hydraulic accident analysis was not the , only thing that affected recovery time. In some specific cases l a particular cut set may extend the amount of time available for recovery. For example, a pump may fail due to the absence I - of room cooling which may take 30 minutes. This extends the recovery time since the actual accident sequence does not start until the pump has failed. I$. %1
s Table 3.2 Point Beach Generic Event. Data , Failure Fault ID Fault Descriotion Prob. Source VCC-LF MOV, NCFC (local faults) 3E-3 Raf. 1. Item'2.1.1 . VOC-LF MOV, 30FC 4E-5 Ref. 1. Item 2.1.2 (1/2) l (IE-7/hr) (720/ hrs) f' monthly test interval l CCC-LF Check Valve, ECFC 15-4 Ref. 1. Item 2.4.1
~~IOC-LF Manual Valve, BOFC 45-5 See VOC-LF PMD-LF Motor Driven Pump fails 3E-3 Ref. 1. Item 1.1.1~~
, to start ! FMD-LF Motor Driven Pump fails 75-4 Ref. 1. Item 1.1.2.1 I to run 24 hrs (3E-5/hr) (24 hes) ! FTD-LF Turbine Driven Pump 35-2 Ref. 1. Item 1.2.1 fails to start i SCC-LF Solenoid Valve. NCFC 15-3 Ref. 1. Item 2.2.1 NOC-LF Pneumatic-Hyd. Valve NOFC 4E-5 See VOC-LF WCO-LF Pneumatic-Hyd. Valve NCFO 1E-5 Ref. 1 Item 2.1.4 Catas-j trophic Leakage (5E-7/he) (24 hes) accident duration ICC-LF Manual Valve, WCFC 15-4 Ref. 1. Item 2.6.1 FAE-LF Cooling Fan 25-4 Ref. 1, Item 4.17.1 nor-mally operating, 1E-5/hr, assume accid nt duration 24 hrs. ! FNBPORVA-LF PORY fails to open 3E-4 Ref. 1. Item 2.9.1 j FNBPORVB-LF HTK-FB Heat Exchanger Flow 35-4 Ref. 1. Item 4.4.1 blocked Used # for orifice plus PC-F5 Flow blocked in pump 3E-4 As above cooler JC-FB Flow blocked in diesel 3E-4 As above generator jacket cooler 6 t3
~~.. . . . . . . . - ~. . . . .~~
~~Table B.2 Point Beach Generic Event Data .(continued) . _ 's~~
. Failure Fanuit ID Fault Description Prob. Source VOC-UTM MOV not restored af ter 8E-5 Ref. 2. Table 20-7, Item 1 T or M fail to restore valve to pr.oper position af ter T ,, or M. (IE-3) (1/12
aonthly check) i PMD-UTM 8E-5 As above IOC-UTM 8E-5 As above PTD-UTM 8E-5 As above NOC-UTM 85-5 As above NCO-UTM 8E-5 As above ICC-0E Operator opens wronE 5E-3 Raf. 2. Table 20-13, manual valve Item 3.
VCC-CE Operator opens wronE MOV 3E-3 As above HPRF-MANACT Op. fails to manually 3E-3 Ref. 2. Table 20-7, Item 3 initiate HPR short list, no checkoff OPF-MACT-FNB Op. fails to manually 3E-3 As above initiate Feed and Bleed 0FF-OPEN-FNB op. fails to manually 3E-3 As above open PORVs for F&B , OFF-SI-RESET Op. fails to reset SIS 3E-3 As above siEnsi
OPF-MACT-C3R Op. fails to manually 3E-3 As above initiate CSR OPF-MACT- Op. fails to annually 35-3 As above AN-TP3 start the AFW turbine driven pump OPF-MACT-HPA Op. fails to manually 3E-3 As above OFF-MACT-HPB start HPI pumps for F&B OPF-MOPEN-MOVA Op. falls to manually 3E-3 As above OPF-MOPEN-MOVB open MOV for F&B s
B-2+
Table B-2 Point Beach Generic Event Data (continued) Failure Fault ID Fault Descriotion Prob. Source LOSP Non-initiator loss of IE-3 Typical numbee ,used in offsite power (1.0)* past PRAs - LF-ACBUSX-345 AC bus failure 345 KV 2E-7 Ref. 1. Item 4.3.1
~~(IE-8/he) (24 hes)~~
LF-DCBUSA-Dol DC bus failure plus 3E-5 Ref. 1, Item 4.3.1 LF-DCBUSB-D02 CB failure (IE-8/he) (24 hrs) and 4.1.2 - DESGENA-GEN-LF Diesel Generator local SE-2 Ref. 1. Item 4.6,(3E-2) DESG UB-GEN-LF faults + (3E-3) x 8 hrs DESGENA-GEN-TM Diesel Generator T-or M 8E-5 Ref. 2 Table 20-7, Item 1 DESCENB-GEN-TM faults (IE-3) (1/12) LF-BATTA-DO5 Local faults of battaries 2E-2 Ref. 1, Item 4.9.1 (IE-6) LF-BATTB-D06 (5 ye test /2)(8760 hrs /yr) TM-BATTA-DOS T or M faults of baf.teries 8E- 5 Ref. 2. Table 20-7, Item 1 TM-BATTB-006 (1E-3) (1/12) DG-CM Diesel Generator conunon SE-3 1/10 (LF) Beta factor
~~node assumed BAT-CM Battery comunon mode 2E-3 1/10 (LF) Beta factor~~
~~. assumed INSTR-INV-LF Actuation Sys. Inverter 4E-4 ,Ref. 3 Table E-1 Item E.~~
(2E-6/he) (360 hrs /2) tested 2 weeks intervals REC-LF Local faults of battery 5E-5 Ref. 1. Item 4.10.1 charter plus CB failure (IE-6/hr) (24 hr) plus Item 4.1.2
~~...ACT-A-LF SIS logic train failure SE-3 Ref. 4 ...ACT-8-LF -~~
SI:IS-CM SIS Sensor Scoup comunon 3E-5 Ref. 4 mode failure LOG-CM-TM T or M common mode 2E-4 1/10 Beta factor (2E-3) failure of both logic logic train T or M trains failures, Ref. 4 HE-ACT-RKSET Conunon cause human erree 1E-3 Ref. 2, Table 20-7, Item 1 in resetting logic for RCS sensors
.
~~Value used for LOSP initiated sequences.~~
e -2. S
l l Table B.2 Point Beach Generic Event Data (continued) ^ i Failure Fault ID Fault Descrintion Prob. Source 20C-OE 0.0 No failures TNK-LF 0.0 No failures for tanks VCC-UTM 0.0 Receives signal to open i ICC-UTM 0.0 Must be opened regardless HTZ-UTM - 0.0 No fallures HTX-FM 0.0 No failures SCC-UTM _ 0.0 Receives signal to open . LOHT-SGA 0.0 No data LOHT-SGB 0.0 No data LOF-FCIRC-SGA 0.0 No data LOF-FCIRC-SGB 0.0 No data LCF-NCIRC-SC3 0.0 No data LOF-NCIRC-SCA 0.0 No data
...AFWTKT1 0. 0, No failures for tanks FAN-UTM 0.0 Wornally operating
~~C0C-LF~~
0.0 Check valve nor:nally open, normally with flow through TNK-UTM 0.0 No failures for tanks SWS-HW Independent Cooling Sys. 2E-3 Ref. 3, Table E-2 Item 4 Train Hardware failures SISACT-RESET- Failure of SIS logic to II-4 Assumed LF suto reset when returning to power SWS-UTM Independent Cooling Sys. 25-3 Ref. 3. Table E-3, Itaa 4 train test or maintenance failures GTF Cas Turbine Generator 0.2 Plant data of 10 failures fails in 38 attempts and assum-ins 25% of failures were short term BLKVLVA-LF PORV block valve, NCFC 3E-3 Ref. 1. Item 2.1.1 BLKVLVB-LF S -2. f.
w ~ e---_ _ . _ __-- - ,_ -,.-- ._ __ - - , - _ -_ . _ _ _ -- _ , _ _ _ - _ _ - , - , , , . - - - - , , , - -
[ , I
~~/, ~~~
~~4 Table 5.2 Point-Beach Generic Event Data-(continued) r !~~
, Failure Fault ID Fault Description Prob. Source LF-ACBUSA-1A03 LF of AC 4 KV bus plus 5E-5 Baf. 1. Item 4.3.1, 4.1.2
~~LF-ACBUSBd1A04 1 CB and 1 transformer- and 4.5.1 LF-ACBUSA-2A03~~
LF-ACBUSB-2A04 '
LF-ACBUS1-13-8 LF of AC 13.8 KV bus 5E-5 Ref. 1. Item 4.3.1, 4.1.2 LF-ACBUS2-13,-8 plus 1 CB & 1 transformer and 4.5.1 LF-ACBUSA-$303 LF of AC 480-bus plus 8E-5 Ref. 1, Items 4.3.1,'4.1.2 LF-ACBUSB-1504 2 CBs and 1-transformer and 4.3.1 , LF-ACBUSA-2303 , LF-ACBUSB-2BQ4 i LF-ACBUSA-1A05 LF of AC 4 KV burplus 6E-5 Ref. 1, items 4.3.1 and LF-ACBUSB-1A06 2 CBs 4.1.2 LF-ACBUSA-2A05 > LF-ACBUSB-2A06 HPIMP1A-PMD-LF NSFS , 4E-3 See PMD-LF, 3E-3 failure HPIMPIB-PMD-LF
~~to start plus 7E-4 i~~
failure to run 24 hours LPIMP1-FMD-LF " NSFS 4E-3 LPIMP2-PMD-LF CSIMPA-PMD-LF NSFS
~~, .4E-3 "~~
l CSIMPB-PMD-LF . ls' i AFWMP2-FMD-LF NSFS , 4E-3 " a
, AFWMP1-PMD-LF SWSMPC-PMD-LF ESFS 4E-3 ; SWSMPD-PMD-LF SWSMPE-PMD-LF SWSMPF-FMD-LF AFWIP3-PTD-LF NSFS 3E-2 Ref.-1, Item 1.2.1 CCWMPA-PMD-LF , NRFS 7E-4 Normally running but for CCWMPB-FMD-LP (48-3)* LOSP pumps are stopped and must be restarted SWSMPA-FMD-LF NRFS 7E-4 Normally running but for SWSMPS-FMD-LF (4E-3)* LOSP pumps are stopped , i
~~( ,, and must be restarted l .~~
~~Value used for LOSP initistad sequences.~~
~~l B-17 , l 1~~
~~. --. -..,,_ ,-.--,_-..., , , . _ - , . . - - - , - - . . . . , - . . . , , . . , .___,,,,__.-_,.---.c --,_..-4 .~~
_ , , , , - - - ~ , - . . - . . - -
Table B.3 Point Beach Dominant. Accident s Sequence Recovery Timing ~ Sequence Time Available '.. for Recovery Source f
~~,S MD y2 D 30-40 min.~~
2 ASEP S2D S2 MH'yH'2 2-4 hrs. S MD plus 3 hrs 2 12 for successful injection S MXD ' - 30 -40 min. 2 ASEP S2D T yMQDygD. 20-30 min. ASEP TMQD TyMQH'yH'2 2-4 hrs. TyMQD12 plus 3 hrs. T QLD y, 3 T yMQLD y 20-30 min. ASEP TMQD T MLE.T MLE, 2 3 T yMLE 60-70" min. . ASEP TML T2MQDy2D '
~
~~T3MQDy2 D 20-30 min.~~
~
~~ASEP TMCD T2 MQH y 'H 2~~
~~T3 MQH y 'H2 ' 2-4 hrs. T 3MQD 12 plus 3 hrs.~~
~~T3QDy2 D 30-40 min ASEP S D 2 T3QH'yH'2 2-4 hrs. T 3QD 12 plus 3 hrs. 8 -11 O~~
,i . . , D4 ) ' , , e .
~~The seco54 step in the recovery process is to. identify those~~
~~. ' - failures or basic eventgewhich are recoverable..'These - ~~~
~~potentially recoverable' failures are examined individually to determine if recovery is possible and by what method it can be accomplished. An entire range of events are considered (see~~
'/ . Table B.4) from recovery of offsite power to manually a'ctuating t- saf ety injection on a f ailure of the automatic actuation systes., Some events which may at first appear to be recoverable, in reality are not. For example, if a valve on the suction of an SI pump fails to automatically open, the pump could cavitate and burn up. Manually opening the valve locally 1 would not rectify the failure of the pymp which has already occurred.
~~The third step is tc. quantify ths, rec ~o'very actions by determining the non-recovery probabilities associated with each~~
~
action. It is the failure to recover probability which is multiplied with the cut set frequency to determine the reduction in the contributions to core melt. The non-recovery probabilities for electrical failures were taken from those listed in the Station Blackout Accident Analyses NUREG/CR-3226 and expanded in the Accident Sequence Evaluation Program (Ref. 6). The non-recovery probabilities for all other failures are based on the model used in the ANO-1 IREP analysis (Ref. 7). The final step in the recovery analysis is.to re-quantify the DAS. This is performed by" computer using the accident sequence in equation form with non-recovery factors included. The Boolean equation is inputed-to the SETS. computer code and new core melt probabilities are calculated. In the actual application of the' recovery methodology, assumptions were made about the operating status of the plant and the possibility of specific recovery actions. These assumptions are listed below. ,
1) Hardware failures are not directly recoverable, i.e., local faults of pumps or valves cannot be repaired.

2) Diesel generator jacket cooling and pump cooling failures extend'the time available for recovery, but are not, themselves, recoverable.

3) Pump cavitation faults are not recoverable.

4) Power conversion system (PCS) is recoverable only if electric power and service water are available.

5) The Q failures (stuck open pressurizer relief valve) are usually considered to be a failure of a PORV to reclose (which j is recoverable by closing the block valve) since PORV pressure setpoints are approximately 100 psi lower than for SRVs.
~~However, the block valves for Point Beach are assumed to be i v~~
~~- - - _ _ _ _ _ _ - _.,y.. -,~~
Table B.4 Point Beach Non-Recovery Probabilities- ._ A B C D E F G H 5-10 10-20 .20-30 30-40 40-60 60-70 70-120 2-4 Recovery of: min, min. min. min. min. min. min. hrs. i LOSP R&-1 0.8 0.8 0.8 0.6 0.5 0.5 0.4 0.3 PCS RA-2 1.0 1.0 1.0 0.9 0.6 0.4 0.2 0.2 Battery CM RA-8 1.0 1. 0~ 1.0 1.0 1.0 1.0 0.9 0.8 Battery LF RA-9 1.0 1.0 0.9 0.8 0.7 0.7 0.5 0.2 DG-CE RA-10 1.0 1. 0
1.0 1.0 0.9 0.9 0.9 0.7 DG-LF RA-11 1.0 1.0 0.9 0.8 0.7 0.7 0.5 0.2 Other Failure R&-6 0.3 0.1 0.05 0.03 0.03 0.01 0.01 0.01 (from Control .
~~Room) Other Failures RA-7 1.0 0.3 0.1 0.05 0.03 0.01 0.01 0.01 (locally) B -3~~
~~f normally closed so Q is a stuck open SRV which is not ____~~
~~recoverable.~~
6) Normally, credit is given for the operators to perform a single recovery action for each cut set. The only exception is the recovery of a loss of offsite power which is assumed to be attempted by someone other than the control room operators.
7)- Successful safety injection was assumed to extend accident iequence timing by approximately three hours over safety injection failure sequences. J 5.0 ACCIDENT SEQUENCE ANALYSIS i once the system success criteria was established and the event i trees constructed, the' fault tree construction addressed each' system or variation on a system that appears in the event tree headings. The data base for quantification was then established for every independent event found in the event trees or fault trees including the containment systems that are part of the separate containment systems event tree. The reason for the separate core melt and containment system event trees is that the potential apdifications ware based on core melt accident sequences alone, but the value/ impact analysis considers risk to the public which involves containment system performance and containment failure modes. The initial plant visit was to collect information for special emergencies and to discuss-numerous internal analysis concerns such as system success criteria, emergency operating procedures, safety system configurations, and in general any significant changes not documented in the FSAR. This plant visit could have come at any time from near the beginning before the fault trees are started to as late as after the DAS have been established and recovery analyses have been completed. In this case the preliminary event trees, fault trees, and data base were completed before the initial plant visit. The trip report included a long list of questions and answers, and observations which was later communicated to the utility for comments. While this is not part of the appendix, it did provide a means to verify a number of points that are used throughout this PRA. 5.1 Accident Secuence Delineation The first step in the quantification is the delineation of accident sequences. Each LOCA, transient or transient-induced LOCA accident sequence, is identified by a group of symbols representing events that together result in a possible core melt. A condensed version of the event trees found in Sections 2.1 and 2.2 is given in Figure B.7 which shows the connections between the transient and LOCA event trees. The core melt B-3)
s e ess a ae set u e u
.i a@ @ .I *) v) 'A AAA AAA .4 3 'a % = .sw
~~l S~~
~~Z ..~~
~~s z ., --~~
~~- . g T W, e s~~
~~W X~~
~~e, E~~
~~-3 *- . - ,5. ;~~
~~. _ w . .~~
~~E c", 7 % o w~~
~~-W 7, .d i g Ee @ ]~~
~~1 2 1 a u c '~~
~~< a , s s. . .~~
A A h 8 m 1 --- $ E J e a I W
~~$ 4 g >e U2 g / % / \~~
~~in i.,__.i i~~
/
r I I f a d I y l i n A l t u ' 8 i r - l -- - - - - T - - - - - - - - - , 3
~~, 4i. +t +1 m I~~
~~gmtM de'M a l h i~~
~~T _ d_"L,ll M_ _ _ 7 ** it c I Kr i er r g -~~
OI "' jy (N *" g )5 5 $ U g @v "l na 4 [ i i as i a auin . b G w L4.I
w we, mm -r, w g b 1- - @
g .-. . ._. . B c. h.- 2 W z cc i W m & $. H F F F B-3 L
l I I l sequences for each initiating event are numbered and designated as late core melt (LCM) or early core melt (ECM). One can trace through the branches of any event tree from the initiating event to end result of success or core melt.
~
The ! path delineates the success and failure of events (systems and functions) leading to core melt. (Note that we are not interested in the success sequences.) A list of definitions is given in Table B.S. An example of path from a transient event tree to the LOCA event tree leading to core melt would be T MLPg5 P H i.e., transient' event T3 SequenceNumber4trans$errinhkoLOCA Sequence Number 5. The bar over the symbols means success. In words, this is a transient with offsite power available and the i power conversion system initially available (T3 ) with subsequent failure of the Power Conversion System (M) and the Auxiliary Feedwater System (L) resulting in the safety relief valves opening successfully TP) but failing to close (Q) leading to a transient induced LCCA. This LOCA starts on the . LOCA tree where the Auxiliary Feedwater System (L) has failed and follows the path where the High Pressure Injection System (D1 ) and Power Operated Relief Valves (P 1) succeed, that is successful bleed and feed, but leading to a late core melt due to eventual failure of makeup *and cooling in the recirculation mode (HPRS with RHR heat exchangers) event H l. Typically, an accident sequence is stated in terms of its , failures which, for the example described above, would be l Nm T 3 MLQH 1, however, the success events must be considered in the quantification procedure. When every possible core melt accident sequence is traced, there are 44 distinct core melt accident sequences. These accident sequences are given in Table B.6. This table gives the analysis numbers 1 through 44, i the core' melt accident sequence numbers from the event trees (Reference number), the multiplier events, the Boolea,n events, the appropriate valve block (VB) to be used in the quantification, and the core melt " failure" accident sequence. The multiplier events are those events representing systems or functions that are essentially independent of the other events and were not modeled. These events were quantified in Section 3.1. The Boolean events are those events for which fault trees were constructed and must be analyzed using Boolean reduction techniques, namely, the SETS computer program. An example of a core melt accident sequence reference number is in analysis sequence number 35 where the 45 represents a T3 initiating event which becomes a transient induced LOCA (that is the 4) and then follows a LOCA branch to the LOCA core melt outcome labeled 5. The non-Boolean events are grouped in the " multiplier," and the Boolean events are shown spread out so the computer analyst can distinguish patterns to aid in~ constituting the most efficient 4 e6 EE-33
-r
Table B.5 Point Beach Event Tree / _ Fault Tree Definitions Ty Loss of offsite power transient - T;2 L ss f Power conversion system transient T, Transient with PCS initia117 avai1ab1e S 2 Small LOCA (< 2" diameter break) M Failure of 1 of 2 PCS trains L Failure of 1 of 3 AFWS trains P Safety or relief valves-fai'l to open Q Safety or relief valves fail to close E Failure of bleed and feed mode Py Failure to open 2 of 2 PORVs Dy Failure of 1 of 2 HPIS trains D 2 Failure of 2 of 2 LPIS trains ; Hg Failure of 1 of 2 HPRS trains with 1 of 2 HTXs H'1 Failure of 1 of 2 HPRS trains H 2 Failure f1 f 2 LPRS trains with 1 of 2 HTXs H'2 Failure 1 f 2 LPRS trains , Y 1 Failure of 4 of 4 CCUs Y Failure of 2 of 4 CCUs 2 Cy Failure of 2 of 2 CSIS trains C 2 Failure of 1 of 2 CSIS trains F Failure of 1 of 2 CSRS trains with 1 of 2 HTXs F' Failure of 1 of 2 CSRS trains E5 -3 4
~~----s --u+.am-c_l_C._*k_-___?__C=-e-*_%.a__.ea '~~
_d._- d__JE_n-2-_ _ - . _ _ _ _ ._ _La _ _ _ _ _ _
Table B.6 Point Beach Core Melt Accident Sequences ._ i l Booleen Events , Core Melt Anal. Ref. Failure No. No. Multiplier L E Dg Pg D 2 g H 2 VB , Sequence
~~'I 1 8E 1 H{ Hj 1 32Mbb ; 2 t -~~
2 2 SM Dg 5 2 Hj 1 SMDNj 2 y 2 3 3 SM D D 1 8 2MD g 2 7 2 4 4 3 MI J,D g 1 S MID y 2 2 l 5 5 3* 2 L 1 P y g 1 3 MLH y 2 I
6 6 SN L P 1 S MLP g 2 1 t 2 7 7 SM L Dg 1 S MLD y 2 2 l
~~l 8 2 T MPQ L i g 2 T gMLHg~~
~~'s _ 9 3 T MN L E 2 T MLE 10 5 T gMP L -~~
2 T gMLP 11 2 T 2MPQ L i g 3 T MLH g 2 12 3 T2MR L E 3 T MLE 2 13 5 T MP L 3 T ML# 2 2 1 2 T,e L i s 3 T, 1 is 3 T Mg L E 3 T MLE 3 i 3 l 16 5 TD L 3 Tm l 3 3 17 11 T yMQ E 5 1 y Hj 2 TMQHj 7 1
\,
18 12 TgMQi E D 5 Hj 2 TMQDHj 1 3 2 1 8-35
Table B.6 Point Beach Core Malt Accident. Sequences (gon_t.) Boolean Events Core Melt Anal. Ref. ' Failure No. No. Multiplier L E Dy P g D 2 g H 2 VB Sequence
~
19 ' ' 13 TgMQI E Dg D 2 2 T INQD 12 20 14 TgMQI E Dg 2 T2MQDg I 21 45 TgdQ L ,6 P g g 2 TMQLg 7 22 46 T dQ L
~~' ~6{ Pg 2 T yMQLP g 23 47 TydQ L D 1~~
2 T gMQLD g 24 11 T2"9 C ^E-l "i "5 3 T"9"li 2 25 12 T 2MQ 'D 7 6 2 H{ 3 TMQDNj 2 g 26 13 T2MQi D D 3 T 2MQD 7 2 12 27 14 T2MQI D 3 T 2MQD7X 3 _ 28 45 T 9 L P Hg 3 T 2MQLH y 2 1 1 29 46 T 9 L Py 3 T2N9L# 1 2 1
~
30 47 T Q L D 3 T 2MQLD 2 31 11 E 5 Hj 3 T 3MQ 3 H{ T3 9b5 32 12 T3MQi - E D 6 Hj 3 T3MDgHj 1 2 33 13- TM3 E D 7 D 2 3 9 12 34 14 T3 QI Dy 3 T3MQD7 I 35 45 T3 dQ L 5 7 F 1 H 1 3 T2 "9*1 36 46 T3 dQ L 6 7 Pg 3 T3MQU g l 1 8-% !
~~. l~~
.... _ . _ _ . - . ._._. _ . )
s Table 3.6 Point Beach Core Melt Accident Sequences (cont.) Boolean Events Core Malt Anal. Ref. - - - -
~~' Failure No. No. Multiplier L E-,D{ Pg D 2 g H 2~~
VB Sequence T@ 3;7 '47 3 L D 3 3 T 3 1 38 61 TQ 3 E -i g Hg Hj 3 T9 3 1k 39 62 T3Qi E D 5 1 2 b 3 QDHj 7
~~, 40 63 T3Qi E Dy D 2 3QD12 .~~
41 64 T3QI . D 1 3 T3QD 7Z 42 65 Th 3 L 31 Eg Hg 3 T9 3 1 43 66 T3PQ L 6g P g 3 TW3 3 44 67 T3EQ L D 3 T9 3 3 1 i L 9 e i S-37
ee v SETS runs. Table B.7 delineates the Boolean sequences to be run by SETS and numbered PTB #1 through 28. As a point of reference, the SETS code is used in this program but will not be discussed here since it is well documented elsewhere. When the fault trees.for all the systems are initially brought together, a value block is used that does not distinguish between the initiating events. The value block is a listing of avery basic event by its SETS code name and the assigned probability. When the accident sequences are run, minor adjustments are made to make the value block to fit the initiating event. These adjustuents are given in Table B.8. 5.2 Accident Sequence Quantification It was assumed.in the event Irees shown in Figure B.7 that the Bleed and Feed mode and the Secondary Blowdown mode were applicable at Point Beach. The first subsection described the quantification of the complete event trees as shown in Figure B.7. The next two subsections address,the quantification of the event trees if either Bleed and Feed or Secondary Blowdown had not been applicable. This will slow the apparent value of these two modes of operation. 5.2.1 Quantification including Bleed and Feed, and Secondary Blowdown The results of the SETS runs are given in Table B.9 using a 1E-8 truncation and before recovery was applied. The core melt probabilities are computed by the product of the multiplier frequency and the Boolean sequence probability. Note that several Boolean sequences, designated by the PTB#, are used with more than one multiplier. All of the accident sequences with probabilities greater than 1E-7 (marked with *) were carried forward into the recovery analysis. This amounted to 16 sequences which was 99.9% of the core melt probability The 16 sequences are given in Table B.10. The recovety analysis methods are given in Section 4.0. After the recovery factors were applied to the top 16 accident sequences, the core melt probability was reduced from 2.55E-4 tc 1.49E-4. The core melt probabilities are given in Table B.11 and summarized in Table B.12. The top 11 accident sequences include 99.7% of the core melt probability after recovery factors have been applied. These accident sequences are the basis for the remaining analysis. 5.2.2 Quantification given Secondbry Blowdown Not Applicable The purpose of this section-is to determine the effect of the secondary blowdown mode on core melt probability. To do this, first consider the way the accident sequences Would appear without secondary blowdown and what sequences in the original quantification would be replaced by the new accident 8-38
Table B.7 Point Beach Boolean Accident Sequences
/
PTB No. L E Dy Py D 2 Hy H2 VB 1 C 51 'Hj 1 H{ 2 C D 5 1 85 1 2 l 3 C D1 D 1 2 4 C D i._ 1 s L D P H 1 1 1 1 1 6 L Dy Py , 1 7 L Dy 1 8 L 1 9 C 5 Hi Hj 2 7 lo C D 1 52 Hj 2
~
11 C D 1 D 2 2 12 C D 1 2 l 13 L 51 Py Hg , 2 l 14 L 5 P 2 7 t 15 L D1 2 16 L E Hy 2 17 L E 2 18 L 2 19 C. Dg H{ Hj 3 2o C og 52 Hj 3 J 6 -31 9
--m-- , , . , , _ _ , n..,-,n , - - . . _ , , . . , , , . . ~ , , , . . , . , , _ . - . - - . - - - , . _ , . - ,,.,n-_er_.,,.e-,. , . - _
Table B.7 Point Beach Boolean Accident Sequences (cont.) s s PTB No. L E D Pg D 1 2 1 2 21 E Dy D 2 ' - 3 22 L D
~~- 1 -~~
3 i 23 L Dy Py Hy 3 24 L Dy Py 3 T 25 L Dg . 3 26 L f
~~_ Hy 3 27 L E 3~~
~~28 L 3 9 e e O e l t~~
~~/ /~~
53 - 4 o l _ . ,e eense em *
**=am *9 - ^ --N
Table B.8 Value Block Changes for Accident Sequence Runs ' t _ _ Change Value Block / Input as Follows: VB-1 . LOSP lE-3 SISACT-A-LF ~ . SE-3 CCWMPA-PMD-LF 7E-4 SISACT-B-LF SE-3 CCWMPB-PMD-LF 7E-4 SGSACT-A-LF SE-3 SWSMPA-PMD-LF 7E-4 SGSACT-B-LF SE-3 SWSMPB-PMD-LF 7E-4 MFWACT-A-LF SE-3 INSTR-INV-CM PHI MFWACT-B-LF SE-3 UVSACT-B-LF OMEGA UVSACT-A-LF OMEGA OPF-MACT-AFW-TP3 3E-3 VB-2 LOSP OMEGA SISACT-A-LF FE-3 CCWMPA-PMD-LF NC SISACT-B-LF SE-3 CCNMPB-PMD-LF NC SGSACT-A-LF SE-3 SWSMPA-PMD-LF NC SGSACT-B-LF SE-3 SWSMPB-PMD-LF NC MFWACT-A-LF SE-3 INSTR-INV-CM PHI - MFWACT-B-LF SE-3 UVSACT-A-LF SE-3 UVSACT-B-LF SE-3 OPF-MACT-AFW-TP3 OMEGA VB-3 LOSP lE-3 ' SISACT-A-LF SE-3 CCNMPA-PMD-LF 7E-4 SISACT-B-LF SE-3 CCWMPB-PMD-LF 7E-4 SGSACT-A-LF SE-3 SMSMPA-PMD-LF 7E-4 SGSACT-B-LF SE-3 SWSMPB-PMD-LF 7E-4 MFWACT-A-LF - SE-3 INSTR-INV-CM PHI MFWACT-B-LF 5E-3 UVSACT-A-LF CMEGA UVSACT-B-LF CMEGA CPF-MACT-AFW-TP3 , CMEGA 9
~~s - 41~~
---r- - - . , - _ , _ _ . _ , . , . _ _ , _ , . , , , , , , . . _ , . _ , , . , _ . , . , , . , , , , , , , _ . , . _ _ _ . _ , . , , _ . _ , _ _ . , , . , , , , ,,,
Table B.9 Point Beach Accident Sequence Frequencies Before Escovery (10-8 Truncation) N . _ ?- Core Multi- Boolean Core Melt Anal. Multi- Booleen PTB plier Sequence Malt Failure No. plier Events # Freq. Prob. Prob. . Sequence
~~'l SM 1{Hj H 1 2.0E-2 3 . 2E 6:4E-5~~
2 S2 Mkk i2 3M 2 .D6Hj g2 2 2.0E-2 8.0E-7 1.6E-8 SMDHj2 3 3M .Dg2D 3 2.0E-2 1.4E-3 2.8E-5

S MD 2 2 n 4 3 ME .D g 4 8.0E-5 1.6E-3 1.3E-7

S MID y 2 2 5 3M .L 11g #H 5 2.0E-2 4 4 3 MLHg

2 2 6 3M L IgP 6 2.0E-2 1.4E-7 2.8E-9 3 ML#
2 2 1 7 3M LD 7 2.0E-2 1.1E-6 2.2E-8 3 MLD y 2 1 2 8 TgMM LTD*g 16 9.0E-2 4 $ Tg g 9 TgMN LE 17 9.0E-2 1.1E-3 9.9E-5
~~T MLE )~~
10 TgMP L 18 9.0E-12 1.1E-3 9.9E-15 T MLP 11 TM 26 5.0E-0 $ $ 2 Tb 2 12 1M LE 27 1.0E-0 1.9E-6 1.9E-6
~~T MLH 2 2 13 T MP 2~~
~~L 28 1.0E-10 2.5E-6 2.5E-16 T MLP~~
~
~~14 T3MN 7.0E-2 4 $ leg 26 TN 3 15 T3MN LE 27 7.0E-2 1.9E-6 1.3E-7~~
~~TM 3~~
16 TB L 28 7.0E-12 2.5E-6 1.8E-17 TM 3 3 17 T gMQ U gH{Hj 9 1.3E-4 3.6E-3 4.7E-7
~~TMQHj g g 18 TgMQI I.D6Hj g2 10 1.3E-4 8.0E-7 1.0E-10 TMQDMj g~~
)
~~S - 4 1.~~
~~.__.,y~~
Table B.9 Point Beach Accident Sequence Frequencies Before Recovery (10-8 Truncation) (cont) Core Multi- Boolean Core Melt. Anal. Multi- Boolean PTB plier Sequence Melt .~ Failure No. plier Events # Freq. Prob. Prob. Sequence k9 TgMQI I.Dg2 D 11 1.3E-4 3.3E-3 4.3E-7
T gMQD g 9 20 TgMQI I.D g 12 3.8E-6 3.9E-3

1.5E-8 TyMODy 1 3 21 TgdQ L61gg PH 13 1.3E-3 $ 4 T gMQLH y 22 Tg dQ L5gg P 14 1.3E-3 4.9E-5 6.4E-8 T MQLP g 23 Tg dQ LD g 15 1.3E-3 1.1E-3 1.4E-6

T 3HQLD 1 24 T 2MQ H{Hj 19 1.4E-3 3.2E-3 4.5E6

THQHj g 25 T 2M9 "012j H 20 1.4E-3 8.0E-7 1.1E-9 TMQDHj g 2
~~26 T 2MQ .D D 21 1.4E-3 1.4E-3 2.0E-6~~
~~T 2MQD 12 2~~
~~27 T2MQI .D 22 5.6E-6 1.6E-3 9.0E-9 T2MQDg 1 3~~
~
28 T 2 9 L51g PH 23 2.0E-2 $ $ T 2MQLH 29 T 2 S L Ig P 24 2.0E-2 2.7E-7 5.4E-9 T2MQLP g 30 T 2 Q LD 25 2.0E-2 1.5E-6 3.0E-8 T 2MNLD 1 31 TM 3 U g yj 19 9.85-5 3.2E-3 3.2E-7
~~TMQHj 3 g 32 T3MQi 20 9.8E-5 I.D5"i 12 8.0E-7 7.8E-11 TMQDNj 3 g l~~
~~33 Td 3 UD 12~~
* ~ * ~
3 12 j 34 TMW ED 22 4.0E-7 1.6E-3 6.2E-10 T3 MD gI 3 1 35 T3 dQ dEH ggg 23 1.4E-3 4 $ TMp 3 3 36 T3 5Q dPgg 24 1.4E-3 2.7E-7 3.8E-10 T3MQM g I w B-+3
Table B.9 Point Beach Accident Sequence Frequencies Before Recovery (10-8 Truncation) (cont) Core Multi- Boolean Core
~~Helt Anal. Iktiti- Boolean PTB plier Sequence Melt -~~
Failure No. plier Events # Freq. Prob. Prob. Sequence 3[- T Q Dg 25 1.4E-3 1.5 E-6 2.1E-9 T 3MQLD 3 1 38 TQ E6ain; 19 9.8E-3 3.2E-3 3.2E-5
T3Qu 3 1 1; 39 TQ3 D6j 32 0 9.8E-3 8.0E-7 7.8E-9 TQDHj 3 g 40 T3 Qi EDg2D 21 9.8E-3 1.4E-3 1.4E-5

T3QD12 41 T3QI ED g 22 4.0E-5 1.6E-3 6.2E-8 T3QD1 I 42 T3FQ L5 F H 111 is 1.4E-1 *

T3QLug 43 T3FQ L51yP 24 .4E-1 2.7E-7 3.8E-8 T9 3 1 44 T3FQ LD 25 1.4E-1 1.5E-6 2.1E-7

1 T3QLD 1 All Sequences 2.5532E-4 -
~~Top 16~~
~~Sequences only 2.5505E-4 Baxt 28 0.0027E-4 O~~
e E3 - 44;
Table B.10 Point Beach Results Before Recovery (' Using IE-8 Sets Truncation - All Accident Sequences Greater Than lE-7 Core Melt PTB Boolean Analysis Failure Core Melt Event.S'equence
< Number Sequence Probability Number 9 T y MLE 9.9E-5 17 1 S2ME{Hj 6.4E-5 1 i 38 T3QH{Hj 3.2E-5 19 3 S2MDg2 D- 2.8E-5 3 40 - T3QDy2 D ~ * ~
1 24 T2MQH{Hj 4.5E-6 19 26 T 2MQDy2 D 2.0E-6 21 12 T MLE 1.9E-6 27 2 23 T yMQLD 1 1.4E-6 15 17 T yMQH{Hj 4.7E-7 9 19 T yMQDy2 D 4*3E-7 11 l 31 T ' 3 05$ * ~ 44 T 3 9b 1 * ~ 33 T 3MQDy2 D 1*# ~ 4 S.MXD 1.3E-7 4 g g 15 T 3MLE 1.3E-7 27. 2.5505E-4 Sum all 16 Accident Sequences Greater than 1E-7 E3 4f
l 1 Table B.11 Point Beach Accident Sequence Frequencies Afher Recovery - Multi- Boolean Core Core Melt Ana'1. Multi- Boolean PTB Plier Sequence Melt ' . Failure No. Plier Events # Freq. Prob. Prob. Sequence 1- 3M 1{Mj H 1 2.0E-2 3.2E-3 6.4E-5
~~2 S2 Mbk 1~~
3 2 12k 8 2 1k 3 3M .Dg2 D 'J - 2.0E-2 1.7E4 3.4E-6
~~S2MD 2 g 4 3 ME 2~~
.D g .4 8.0E-5 4.4E-4 3.5E-8 3 MED g 2 ~
5 3M L51gP g 5 SgMLH 2 6 SN L P 6 3 MLP 2 I7 2 7 3M LD y 7
~~3 MLD 3~~
8 TgMN LEHg 16 TgMLH 9 TMN7 LE 17 9.0E-2 4.4E-4 3.9E-5
~~T MLE 7~~
10 TgMP L 18 , TgMLP 11 TM 2 26 T MLHg 2 12 TM2 LE 27 1.0E-0 6.4E-7 6.4E-7*
~~T MLE 2~~
13 T MP L 28 T MLP 2 2 14 T 3 3 1-15 T@3 u 27 7.0E-2 6.4E-7 4.5E-8 TM 3 16 TM3 L 28 TD 3 17 T gMQ U yH{Hj 9 1.3E-4 3.2E-3 4.2E-7 TMQHf y 18 T gMQE I.D6Hj g2 10 TMQDHj I i M 8-% 1 1 ... . . . . . . . ... .
Table B.11 Point Beach Accident Sequence Frequencies __ After Recovery (cont.) Multi- Boolean core , Core Melt Anal. multi- Boolean PTB plier Sequence Melt
~
~~Failure No. plier Events~~
Freq. Prob. Prob. Sequence 19

TyMQi I.Dg2 D 11 1.3E-4 1.4E-3 1.9E-7 T gMQD 12 20 TgMQI I.D 12 TgMQDg x 3
21 TydQ L57yg PH 13 , TgMQW g . 22 Ty dQ dPyg 14 TgMQG g 23 TydQ LD 15 1.3E-3 8.64E-4 1.1E-6
~~T gMQLD y 1~~
~~24 T2nS 1{Hj H 19 1.4E-3 3.2E-3 4.5E-6~~
~~TMQHj g 2~~
~~25 T 2MQ .D6Hj g2 20 TMQDHj 2 g 26 T 2MQ .D D 21 1.4E-3 2.2E-4 3.1E-7~~
~~T 2MQD g 73 27 T2MQI I.D y 22 T2MQDg 1~~
~
28 T 9 L #M 23 T 2MQLH 2 111 29 T S L Iy P 24 T 2MQLP 2 30 T S LD 25 T 2MQLD 1 2 1 31 T 3MQ E gH{Hj 19 9.8E-5 3.2E-3 3.2E-7
TMQHj 3 g 32 T3 mi -w125 "i 2o TMQDH; 3 1 33 T3MQi wDg2 "' * - * ~
~~3 9 12 34 T3MQI -w 22 T3MQD1 x 1~~
~~~35 T3 dQ L61gg PH 23 T MQLH g 2~~
36 T3 dQ dPg1 24 T3MQG g 37 T3 dQ LD{ 25 T 3MQLD y a e-47
l l Table B.11 Point Beach Accident Sequence Frequencies _, After Recovery (cont.) malti- Boolean Core Core Melt Anal. Ralti- Boolean PTB plier Sequence Melt . Failure No. Plier Events # Freq. Prob. Prob. - Sequence 1 38 - T9 ly j 19 9.8E-3 3.2E-3 3.2E-5 *
, 3 T3 9bb 39 T9 12j 0 TQDHj 3 3 y 40 T3QE I.D D 21- 9.8E-3 2.2E-4 2.2E-6
~~T 3QD12 2~~
41 TQ 3 Dg ' _2.2, T3QD g I 42 TN 3 d5{gg 23 , T3QG 1 43 TN 3 dPgg 24 T3QU g 44 T 3PQ LD 1 25 1.4E-1 9.1E-7 1.3E-7 T9 3 1 All Sequences 1.486E-4 Top 11
~~Sequences only 1.842E-4 Other 5 Sequences 0.0042E-4 g-+8 .~~
_ . ~ -.n... _
Table B.12 Point Beach Results After Recovery - Top 16 Sequences Core Melt PTB Boolean Analysis Failure Core Melt Event S.equence Number Sequence Frequency Number
'.1 ' S2MH{Hj 6.4E-5 1 9 T g EE 3.9E-5 17 38 T3Q {Wj 3.2E-5 19 24 T2MQH{Hj 4.5E-6 19 3 S2MDg2 D 3.4E-6 3 . 40 T3QDy2 D . -6 21 .
23 T yMQLD y L.lE-6 15 12 T E , 6.4E-7 27 2 17 T gMQH{Hj 4.2E-7 9 31 T3M H{Hj 3.2E-7 19 26 T 2MQDy2 D 3.1E-7 21 19 T yMQDy2 D . 1.9E-7 11 l 44 TQQ 3 7 1.3E-7 25 15 T3 4. -8 , 27 4 S MID y 3.5E-8 4 2 33 TMDD 3 y2 * ~ l 1.486E-4 Sum of All 16 Accident Sequences 1.482E-4 Sum of Top 11 Accident Sequences l l %
~
~~l l~~
.m*
l s-49
l l i sequences. This is summarized in Table B.13.. In each of the Y five cases the new accident sequence replaces the three choices ' leading to core melt in the secondary blowdown branch by going directly to core melt, i.e., CDy X, CDy 1D , Dy 1522 H all reduce 2 to CD1 . , The quantification for each of the accident sequences without secondary blowdown and before recovery is given in Table B.14 along with the sum of the three sequences it would replace. The not difference is 6.3E-6. This analysis was rot carried further into the recovery analysis, however, recovery was about a factor of 1.5 improvement and would presumably be similar for the sequences with and without the secondary blowdown mode included. 5.2.3 Quantification Given Bleed and Feed Not Applicable l The purpose of'this section Is' to determine the effect of the bleed and feed mode on cors melt probaLility. This is accomplished by considering the way the accident sequences would appear without bleed and feed, and which of the original sequences would be replaced by the new accident sequences.
, This is summarized in Table B.15. In each of the first five cases (i.e., analysis numbers 50 through 54) there are three choices leading to core melt in the bleed and feed branch, i.e., LD L5 P and L5 P 's replaced by L alone. In the last threecake,swkibharesbllhtransients, that is no induced )
LOCA, the Boolean sequences LPQE and LPQfy are replaced by LPQ. This is essentially bleed without feed and would eventually lead to core uncovery while the pressure remains too high for safety injection but not high enough to result in reactor vessel rupture. This seems rather artificial since it is hard to imagine a plant not attempting to reduce the pressure using the PORVs and injecting which, of course, is bleed and feed! Nevertheless if the plant has insufficient l capability perhaps over the long term it could lead t'o core melt. The quantification for each of the accident sequences without bleed and feed and before recovery is given in Table B.16 along with the corresponding sum of the sequences it would replace. The not difference is 1.5E-6 which'is relatively insignificant overall. As in the case with secondary blowdown, this analysis was not carried further. 5.3 Vulnerability Identification First, the cut sets were examined to identify the specific l 6-So e
Table B.13 Point Beach Core Melt Accident Sequences Without Secondary Blowdown PTB Anal. Multi- Boolean Seq. Replaces Previou's' Sequence No. plier Events No. Analys.is Numbers 1 l 43 SM2 D 1 4 2, 3, and 4 1:- 46 T@y Dy 12 18, 19, and 20
'i 47 T 2MQ CD y 22 25, 26, and 27 48 TM3 ED y - 22 32, 33, and 34 49 T0 22 39, 40, and 41 3 1 e
~~8 e we' 8-s)~~
~~, - + - aw - , g,, n. , . , - - ,e, , - - , - - - .-n.,~~
Table B.14 Point Beach Core Melt Accident Sequences 'N Probabilities Without Secondary Blowdown ~
. . Sum of Core Melt PTB Boolean Core - Frequencies for Anal. Multi- Boolean Seq. Multi. Sequence Melt Sequences No. plier Sequence No. Freq. Freq. . Freq. Replaced 1
~~45 35 2~~
.D 4 2.0E-2 1.6E-3 3.2E-5 2.8E-5 46 T gMQ I.D g 12 - 1.3E-4 3.9E-3 5.1E-7 4.4E-7 i
47 T2MQ .D 22 1.4E-3 1.6E-3 2.2E-6 2.0E-6 48 T3MQ I.D g 22 9.8E-5 1.6E-3 1.6E-7 1.4E-7 49 TQ3 Ug 22 9.8E-3 1.6E-3 1.6E-5 1.4E-5
~~. Sun = 5.09E-5 4.46E-5 e~~
~~A. B-52.~~
,. e e agg ,, e e .m. g ..e #-* ** ***e #* *e -
e=e
Table B.15 Point Beach Core Melt Accident Sequences _ , Without Bleed and Feed
~~' ~~~
PTB . Anal. Multi- Boolean Seq. Rep-laces Prtvious Sequence No. plier Events No. Analysis Numbers 50 SM L -- 8 5, 6, and 7 2 51 T yMPQ L 18 21, 21, and 23 52 T2MfQ L 28 28, 29, and 30 53 T Q 28 35, 36, and 37 3 54 T 3EQ L 28 42, 43, and 44 55 Tymfd L 18 8 and 9 56 T 2MPQ L 28 11 and 12 57 T Q L 28 14 and 15 3 t 6-53
Table B.16 Point Beach Core Melt Accicant Sequence ' Probabilities Without Bleed and Feed
.Sua of Core Melt PTB Boolean Core Frequencies for Anal. Balti- Boolean Seq. Multi. Sequence Melt Sequences No ., plier Sequence No. Freq. Freq. Freq. Replaced 50 3M L 8 2.0E-2 2.1E-6 4.2E-8 2.5E-8 2 ? '
51 T7dQ L - 18 1.8E-3 1.1E-3 2.0E-6 1.5E-6 52 T 2 Q L 28 2.0E-2 2.7E-6 5.4E-8 3.5E-8 53 T@3 L 28 1.4E-3 2.7E-6 3.8E-9 2.5E-9 54 Th3 L 28 1.4E-1 2.7E-6 3.8E-7 2.5E-7 I
~~$5 T gMPQ L 18 9.0E-2 1.1E-3 9.9E-5 9.9E-5 56 T 2MPQ L 28 1.0E-0 2.7E-6 2.7E-6 1.9E-6 57 TM 3~~
L 28 7.0E-2 2.7E-6 1.9E-7 1.3E-7 Sum = 1.04E-4 1.03E-4 4 9 l l l 6-54 I l
l internal vulnerabilities, and then later these 11 accident sequences were combined with the containment systems event tlEEF' and thus extrapolated to public risk measures later in the analysis. . The specific vulnerabilities were identified.using Boo'l'ean event sequences derived from the SETS program. The top 11 ac.cident sequences result from 8 Boolean event sequences. The raw output for these 8 Boolean event sequences showing the cut sets is given in Table B.17 (these numbers are uncorrected for-a change in diesel generator failure probability made later in the process). _Each of the top 11 accident sequences were examined for the most significant cut sets. Table B.18 tabulates these cut sets-and their core melt frequencies with the residual core melt frequency for each accident sequence contributed by all the other cut-sets in that accident sequence that are not considered further. The next step is to sort'all the most significant cut sets identified for the top ll-accident sequences and sum the total core melt probability for each cut set over all the accident sequences to which it contributes. This is given in Table B.19. These cut sets are~the vulnerabilities described in Section 4 of the main report-and subsequently communicated to the AE and discussed at the second plant visit along with those vulnerabilities identified-for the special emergencies. The internal analysis started with 44 accident sequences with a
.' - total core melt probability-of 2.55E-4 before recovery was applied. The dominant cut sets accounted for 1.49E-4 of the total core melt probability. In order to figure the residual core melt probability that is not being addressed consider the following:
1) The initial core melt probability before recovery was applied for all 44 accident sequences was 2.5532E-4.

2) There were 28 accident sequences not significant enough to apply recovery factors. This is a con-servative estimate of the first residual core melt 2.7E-7 probability.

3) The 16 accident sequences to which recovery was applied had a total core me)t probability of 2.5505E-4.

4) The core melt probability of these 16 accident sequences after recovery was 1.486E-4.

5) 5 of these accident sequences are not con-j sidered further. This is the second residual core melt probsbility. 4.2E-7

6) The top 11 accident sequences have dominant cut sets which became the basis of the potential di-ST
~~- - _ .-..-,-w.___-z. ..-.y.m .,__m_ ,. .._,_.m._ _, , - - ,___._,.__.-.7_~~
i C:..Ld.C -l. m - 5--_._____- . _ f : ~. ._ - -"- I f -~ ' 253. Table B.17 Point Beach Boolean Accident Sequences After
~~------ Recovery Has Been Applied TIEh1 a .~~
~~1 3.0000E-C3 SUFF-VCC-CE~~
~~FR +~~
~~; 2 9.C00GE-05 f. h~~
~~CCO.V30-ACC-UTP + .~~
~~i,3 ' 4. C 'J C C E-0 5 tR~~
~~CCaXi30-ACC=LF +~~
~~4 1.(C00t-05 t. A + L F IF P 2 -F F.C-L F~~
~~LFIFF1-FPC-LF +~~
~~5 1.200CE-r5 ta~~
LFIFF2-FMC-Lf

hPhPV36-VCC-LF + .
~~e 1.2000E-CS hn~~
LF1Pel-FbC-LF

HFRr.V5-VCC-LF +
*J 1.70COE-C5 fh
LF I

F 2 -F e,C-LF

hFnAV4-VCC-LF +
~~9 1.7000E-uS hR~~
L F 1 k F 1 -F F.C -LF

HFRFV36-VCC-LF +
~~9 9.CG0GE-06. 2. d~~
nFEFV4-%CC-LF

nFh*V3s-VCC-LP +
~~10 9.r ON E -06 tr~~
e 7 h.6 V,3 6 -) C C- L F

FFFFV5-iCC-LF +
~~11 9 . 0 0 0 9 5 - 0 f, r. A~~
F.F H V 3i,-V CC-L F

hP E F V 3 9-VCC-i.F +
~~1 27 9.( 000k-0 6 ?. h~~
cFhrv4-bCC-LP

resbi5-VCC-LF +
~~33 .1.1 , '. C F - C 6 iF~~
J 1.F1-F.C-Li

L F l* F 7-FC-F E +
4 1. 2 3 0 C r. r,. = Ip , gp15p;.F.C-Lt o' LFl*F1-FC-Fe Ini .*4x1 c= T F. '#. valet F C F- CCe Fui A11C N 1 15 3.GGC0C0000000E-03 1r. is ? v : f i,r : is 1_; iacoetcCCQE-011 (*.: ci e 1 D l l ! 4 . ! ? i I l 1 I S,-56 _- S'- u'D.
4 ..... . :. -.:--._. _
- _. , -. . a . . -. . . . . _ _ _ ~ - .+... - - . . ... -. . . . - . . .:- - = _:_.
~~.: =- --~~
~~'l '-- 222 Table 3.17 Point Beach Boolean Accident Sequences After' Recovery Has Been Applied (continued) i F*Be3 s 4~~
4, 1 a _ n .?, n 6 e a s u r.i e c c .n 1 -Y c.c.uT u + t , - 5 7' 4_e.. San c4 Nu o c r .i x v t - Y c c - t r + (*r-'.:Vs- 4 x-rp a ps-7r + g 1_ s a e rir e ;
~~. - 1 -~~
~~4 6 _ c .:.? c . - o s S!!LCt 1*V-13~~
~~HA-60 +~~
~~a J (rets_ r4 L)-7C~~
5 .. 51 *J 5 c -Y C C-U T

l E 4 t.0 0( v.- 0-4 #A-7C

C C'a X % 10 -X C C-01 W +
~~I 7 4 . 0 f. 607 - i' 6 E*-7r s 3.sxv4c-yCC.01v +~~
+
~~9 4.ctnO ee F1-7C~~
CCWX94-XfC-0T*
~~l 9 4.o:;ctt-t'- # EA-70~~
~~FaSXV481-YCC=U1V +~~
~~; r. 7 . r .i r r, p n 4 E;-70 * (_ C'c.A \ 1 (. - X C C - L P +~~
~~1 2.00CL,E-05 9;-7C~~
~~CC* Ave-XCC-.T +~~
~~l 12 r 2.ou,ci-ce RA-7C~~
~~So!Xt45-%CC-Lr +~~
\
~~.' ' U-7C~~
~~ScSAV50-XCC-LF +~~
~~! 12 i 2.cMoh-06 1.; 2.ti.,0(E-Co U - 7 f.~~
~~S r: S X-V 4 9-> C C-L F F c n *CC.-I l " I T ICh 13.rnennennens.,n.q IS 9.00C0C0000000E-05~~
~~! IbE PAX 16t* 7ELi , a u . s.~~
~~. . c6 .r _. r ,. c s n e . > ,..t e c .._~~
~~4 a~~
/*
~~. 4i. .~~
~~l , I C t o I~~
~~' . ./~~
~~6 -S7 4 i------w m ,- ,,. - , . _ .,. ,~~
~~. ~ . , _ . . .. .__~~
~~Table B.17 Point Beach Boolean Accident Sequencoo Aftor - -~~
+: . - Recovery Has Been Applied (continued) - . .7;c; ' I i
~~PTE i 4 s -~~
~~! 6.0000E-05 bd~~
~~CC'aXVic-XCC-UIM + .~~
~
~~2 R,0000E-05 hs~~
~~CC'aXV1-XCC-UIM + .. . .~~
t
~~'t 3 9.CC00E-05 NR~~
~~CCr.XV17-XCC-UIM + .~~
~~, 4 4.0000E-05 NE~~
~~CC4)Vio-XCC-LF + .~~
~~5 4.0040E-05 EF~~
~~CCe.XVI-XCC-LF +~~
~~6 4.cc00F-05 NF.~~
~~CC XV17-XCC-LF +~~
~~7 1.FCCOE-05 f:h~~
HFIFF1A-FPI:-LF

HFIFFIE-PFD-LF +
~~W 1.50COE-C5 CLi.nXA-h1_X-FE~~
~~RA-70 +~~
~~. 9 9.f.CCul-De. FA~~
ri F IP '. 2 4- i C C- L F

NFIHV25-VCC-LF +
~~10 F..(vevE-06 51SLCG-CE-Ta~~
~~KA-60 +~~
~~11 4 C00t!-Ou F A-7ts~~
~~Cr.SXV50-XCC-UIP +~~
~~+ ;2 4.000CF-Oc R A-it~~
~~CC=ANIC-XC.C-U1F~~
+
~~13 4.000LL-Ut- IG - 7 C~~
ShSXV49-XCC-UTP 1A 4 . c C o r.E - o t. F A 'i r

5..S X v 4 6 -X C C-UIV +
+
~~15 4.rLCGl.EC6 R.WiC~~
CCrXVE-ACL-UTA 16 2 . 0 C 0 v E - c. e H A -71.

CChxVe-XCC-LF +
~~2 7 2.0(0*i-Ce F/-70~~
CC'aX'.10-XCC-LF

3s C t,0 L f -f u Ra-70

5*FAV,6-XCC-LF +
~~19 2 . C ( CM - 0 6 Fei-7U~~
~~SaSXV5C-XCC-LF +~~
+
~~r 2.0y061-co FA-7C~~
SwiXV49-XCC-LF 21 1.2t GvE-ce Fr

nFIFF1A-FvL-LF

HP ir F :f-P C-F B +
~~2 *e 1.200cE-fe rF = cFJF12-erC=LF~~
~~nFIMFA-FC-FS 9.00CCC0000000E-05 i ta t FAX 1Fler TEF. > ait'h TE rCF'<:?~~
~~t CCrFJ1A11C. A s is 1 IS 4.h40rocccc00E-c41 r i t- . F hv rk i. e s 53'~~
=
~~b 5 f E * ~~ _ _ _ - __ l?... W C t. ._ . : ,~~
**d." P* Z Point Beach Boolean Accident Sequences After
~~' -~ 12;- Table B.17~~
~~;.- . -- - Recovery Has Been Applied (continued) s i~~
~~< PitR9 s 1 3.0000E-03 SUWF-VCC-CE~~
~~NR +~~
~~l t i 2 8.C000E-05 NR~~
~~CCwXV30-ACC-U7h + v-~~
~~! 3~ 4.000cE-05 NR~~
~~CC*XV30-aCC-LF +~~
~~4 - - 1.'6 0 0 t h - 0 5 ER~~
LFIFF2-F.st-LF

LP1PF1-PMD-LF +
~~I 5 3.20n0E-05 Eh~~
LP1FP2-F..C-LF -

HPsPV36-VCC-LF +
~~1 6 1.2000E-C5 hs~~
LFIFF1-FAC-LF

HPRPV5-VCC-LF +
~~7 1.2000E-05 Na~~
LF1>F2-F.v.C-LF

HPRPV4-VCC-LF +
~~'s 1.2000L-05 Mn~~
LFivF1-Eht-LF

FPRPV38-VCC-LF +
~~l 9 3.0000E-06 .U F~~
r.FRP'v38-vCC-LF

hfRFV4-VCC-LF +
~~Ac 9.C000i-Oe :. o '~~
rFl.P'v5-VCC-LF

hPRMV36-VCC-LF + ..
~~41 9.0c'CE-06 NR~~
hPkPV3n-VCC-LF

hPRPV36-VCC'-LF + .
~~12 9.0000E-Oe an~~
nFR>i5-VCC-LF

hPRPV4-VCC-LF +
~~l 13 1.440Cr-00 GIF~~
FA-lh

CESGENA-GEN-LF

LFIPP2-FMD-LF

RA-1 h +
r
~~- 14 1.449vt-C6 GIF~~
FA-lh

RA-11n

LESGENb-GEN-LF

LPIPP1-PPU-LF + _
~~15 1,200vF-Oc li f.~~
LFI>F2-FvC-LF

LPl>F1-PC-kB +
~~le 1.2000h-ce hk~~
LFIFF1-PhC-LF

LPIFF2-PC-FS +
~~17 1.00006-Oc Gir~~
PA-1F

CESGENA-GEN-LF

RA-11h

HPHnV5-VCC-LF +
~~13 1.05CCE-C6 GIF~~
FA-1H

FA-11h

CEEGENB-GEh-LF

HPEMV36-VCC-LF +
~~19 1. bon 6E-0c GIF~~
RA-lh

CESUEhA-gen-LF

FA-11h

HPRPV38-VCC-LF +
~~2C 1.Cb00E-Go Gif~~
FA-in

RA-11h

LESGENb-GEr.-LF

HPPbV4-VCC-LF l.E PA).*Lt itPr ' J il e PCF CCt.Fv7ATICh 1 15 3.0000C000000CE-03
~~# ** r F E L *- CF i 'r e it.* VAleF3 15 3.7296000C00COE-031 s - ~~~
~~4 . , 4 A NW 6- M . 3- _,.~~
-.w- . , ,.. , . . ..-. . . . , . . . . . . . . .. f. . . . _
~~..j . . _ _ ' _ __ ? .'~~ .? **l~* ~~~~
~~L = ? _, ;.-.-Q , A T'~~
~~- ** ~ , _ ,__ .- ; . .~~
~~w c . .e ~~~
~~/-~~ ?. _; Table B.17 Point Beach Boolean Accident Sequences After T5'"7J .-~~
~~Recovery Has Been Applied (continued)~~
~~~ ~ '~~
~~FIEN11 a 1 4.8000E-04 GIF~~
RA-1C

CG-CM

RA-10C +
~~2 1.2960E-04 GIF~~
DESGENA-GEh-LF

DESGENE-GEN-LF ,.* RA-1C

FA-11C +
~~1,8~~
~~CC*XV1-XCC-UIM +~~
~~3 ~_ 8.0000E-05 , 4 i 4.'CCCCE-C5 hF~~
~~CCvXV1-XCC-LF +~~
~~l 5 3.0000E-05 CChh.VA-h7X-FE~~
~~FA-7C +~~
~~t 1.7280E-05 GIF~~
C cSGF ri A-GE. N -LF

RA-1C

RA-11C

CCWMPB-PPC-LF +
~~7 1.7280E-05 GIF.* CESGinA-GEK-LF~~
hA-1C

RA-11C

HPIMP12-FMC-LF +
~~6 1.72n0E-05 .GIF~~
C~cSGine-GEh-LF

FA-1C

EA-11C

SWSMFA-PPC-LF +
~~9 1.72SOE-OS GIF~~
CESGEaE-GdN-LF

hA-1C

FA-11C

SwSMPB-PFC-LF +
~~10 1.72h0E-05 G1F~~
CESGENA-GEh-LF

HA-1C

PA-11C

SnSHFD-PFC-LF + __
~~11 1.72ROF-05 GIF~~
CLSG'ebA-Gih-LF

WA-1C

RA-11C

SaShPE-PPL-LF +
~~12 !.72EGE-05 GIF~~
CESGhi.E-GEh-LF

HA-1C

EA-11C

HPIFF1A-F>D-LF +
~~23 2.72 ELE-05 GIF~~
CcSGEc4E-GEN-LP

RA-1C

EA-11C

CCWMFA-PPC-LF i
~~14 1.6CouE-05 NR~~
CC spa-FFC-LF

CCn#F2-PF.D-LF + 1 25 J.296eF '15 GIF

EESGENP-GEN-LF

RA-1C

HA-11C

HPI/V25-VCC-LF +
~~16 1.2960E-05 GIF~~
CPSGENA-GEh-LF

RA-1C

PA-11C

HPIMV24-VCC-LF t
~~;7 1.15.9cE-c5 CIF~~
LF-hAITA-C05

BA-1C

hPIPPin-PPC-LF

RA-9C +
~~j 1+ 1.1520E-05 Gif~~
1!-cAI~b-CC6

RA-1C

hPl? PIA-PPD-LF

PA-9C +
~~14 1.152cE-03 GIF~~
LF-eA11A-C95

BA-1C

CCnXPh-FMC-LF

RA-9C +
~~2C 1.1520E-05 GIF~~
Lt==AI7h-C06

6A-1C

CC*FPA-PFC-LF

RA-9C +
~~11 1.0000E-Ch SISLCG-CP-13~~
~~RA-6C +~~
~~42 H.6400E-00 GIF~~
Li-iAT1a-C05

HA-1C

bP1FV24-VCC-LF

RA-9C +
~~h3 b.64t0E-ec - G7~~
Lt-: A17d-C06

RA-1C

hPIMV25-VCC-LF

BA-9C +
~~0. Cut 0E-04 Pn-7C~~
CCaxVn-XCC-GTF + g 24 25 9.00uvE-06 Fe-7C

5.SXk50-ACC-UIM +
~~EA-7C~~
~~S<!Abg6*XCC*Ul> +~~
~~4e A.CGCCE-OL G-Go g.., __4_...- _ __-.r._ _ _ _ .~~
~~. . , . . . . . y . . . 7. . _. . . . . _ . .. .. . J a= -s. ,-~~
i
~~! MM Table B.17 Point Beach Boolean Accident Sequences After Recovery Has Been Applied (continued) . ~~~
~~-- ~ ;~~
i N 27 9.0C00E-On RA-7C
~~CCnAi10-JCC-UTF +~~
~~29 , 8.0CCOE-C6 RA-7C~~
~~SaSXV49-XCC-U1.* 4 T' -~~
~~29 . .4.0000E-06 RA-7C~~
~~SnSXb50-XCC-LF +~~
~~aC t.0000E-On RA-7C~~
~~CChXV1C-XCC-LF +~~
~~^ 31 4.00COE-06 PA-7C~~
~~CC'aXV6-XCC-LF + .~~
~~32 4.0000E-Oc RA-1C~~
~~5.SXi48-XCC=LF + _-~~
~~33 4.00001-06 -kA-7C~~
~~SkSXV49-ACC-LF +~~
~~S4 1.5000E-06 - RA-6C~~
~~SIS-FCeSE AS-CD +~~
~~J5 1.2960E-06 GIF.* DFSCE:iE-GEA-LP~~
FA-1C.* FA-11C

HPI.MPA-PC-FB +
~~3e 1.29evF-Po GIF~~
CESbEn A-CEP.-LF

6 A-1C

R A-11C

DGE-JC-FE +
~~37 1.2960E-tie G"If~~
CE.sGEi.2-GEi.-LF

EA-1C

hA-11C

CGA-JC-FE +
~~38 1.2 %CE-06 GIF~~
Cc.SGE.A-GEN-LF

EA-1C

BA-11C

HPIP.PB-PC-FS +
~~! 33 1.2500E-Go Ra-cC~~
S15 AC I- A-LF

SIS ACT-h-LF +
+
~~40 1.2000E-ot GiF~~
CESGEuA-GEP-LF

EA-1C

SA-6C

SISAC7-B-LF 41 1.2009E-tie GIF

CCSGEhe-GEi-LF

EA-1C

RA-6C

SISACT=A-LF nE F AID M TEPM v A 1.t r. FCF CC.*Fv7ATICh 1 IS 4.80C0C0000000F=04
~~(*-. s e '.- c/ ne 16.9 sAr a s is t _ r. n lijis.C C.C QJL Q E - 0 31 i __~~
~
~~7 1 e n 6 -61~~
.g
~~A* .e e mee_e=..~~
~~-- S -___ ___ _ _' N_ . - _ _ _ . .~~
~~-L , ._ . .. . ' ~ ~~: ..~. :~ - . 7.' ' * -- . .. L E. ./3: ~~~
~~Table B.17 Point Beach Boolean Accident Sequences After~~
~~Recovery Has Been Applied (continued)~~
\
~~PIEh15 s i 1 3.200CE-04 GIF~~
RA-1C

EAT-CF

FA-8C +

2 E.6400E-05 G1F

CESGENA-GEli-LF

LF-EATTE-006

RA-1C

RA-9C + I 3n~ 'd.6400E-05 GIF

CESGEr.P-GEh-LF

LF-E ATI A-C05

R A-1C

R A-9C + 2 i
~~2 4' 3 5~.7c0CE-05 G7F~~
IF-BATIA-C05

LF-2ATIB-C06

RA-1C

RA-9C +
~~5 1.4400h-05 GIF~~
RA-1C

CG-CH

RA-10C

AFnTP3-FID-LF +
~~6 1.4400F-05 GIF * !.F-eAI1A-Cob~~
RA-3C

SISACT-E-LF

RA-9C +
~~7 1.1520F-05 GIF~~
LF cAITA-CG5

RA-1C

SkSMPE-FMC-LF

RA-9C +
~~8 1.1520F-05 G16~~
LF-hA12c=006

BA-1C

S*SMPH-FVD-LF

RA-9C +
~~, l 9 1.152CE-C5 GIF~~
I.r-EAIIA-C05

FA-1C

SWSs'PC-FMC-LF

RA-9C +
~~10 3.1520E-05 GIF~~
LF-hAIIe-C66

FA-1C

SWSFPA-FN.D-LF

RA-9C +
~~11 E.f400E-C6 GIF~~
Li-eA11A-LOS

nA-1C

UG-CM

RA-9C +
~~;2 6.c40CE-Oc Gl~~~
Li-EATI:-LO6

hA-1C

CG-CM

6A-9C +
~~43 3.5iriF-Os c G *e c * %.5 C E :. A -G i r. - L F~~
LESGe.h'-GEN-LF

RA-1C * .
~~.RA-11C~~
~~AFaIP3-PTC-LF _~~
~~I :->. .* A % 1 9 L F IEE P v ; :. I ?. rLn COcai AI1Cf. 1 IS 3.2000CG000000E-04 (tbF SLv ct i* -*r v t.L b ? 3 IS 6.4644900C0000E-04) i l O~~
~~? -~~
~~\ : B f. 2,~~
~~) ~ - - ;_ .a...- _~~
~~) . i :_: _ Te Table B.17 Point Beach Boolean Accident Sequences After [~~
- 7- Recovery Has Been Applied (continued) .=- .-- .- ' DT2517 z 9 7 _ e e a t.e - 0 4 CT: e phi-ce s p7-15 e pa-pc +
~~2 4_ SoccF os GTF~~
pace.rNp cys tr

LF-EAT 11-c05

RA-tF

WA.GF +
~~l .a~~
~~. 3~~
4.7CO*,r 05 CTF

CcCCEND-PEP.-L5 s LF=9fTin-E06

91-iF

RA-9F + .
~~Lp-galiA-crs s LF-GAT 19-Cc6~~
RA-1F

PA=9F +
~~4 -~~
~~7. goo 0F OS Gir a 5 a . j c005 -06 G1F~~
OG-CW

AFhiF3-FTC-LF

RA-1F

RA-10F +
~~6 5 . 6 0 c c t - n 6- GTC~~
fF-sSTTO-Coe

RA-1F

RA-GF

AFwwP7-FMP-LF +
~~T s:6cete-ce G.c 3 tv-satys-c06 a sksypF-pyr-LF s RA-tF~~
~~RA-GF +~~
~~b 5.6000F-e GIF~~
L F - E A T-1 A - C 0 5

ShSEFD-PhD-LF

RA-ir

RJ-3f +
~~9 5.6000E-c6 ' GTF~~
1r- n11A-005 s RA-1F

RA-9F

AFhmPi-FMC=.Lf +
~~+ _~~
~~IC 5.e000E-Co GIF~~
LF-dA'11A-CC5

SnSPPE-FMD-LF

hA-1F

RA-9k
+
~~11 5.6000E-Oo GIF~~
LF-sAlih-CCt

EWSPFA-Pr.D-LF

RA-1F

RA-9F __
~~4.20CCE-Oo GIF~~
tr-bAI1A-C05

CG-Cp

RA-1F

RA-9F + __
~~12 13 4.2000i-Co GIF~~
Li-i:;TTE-C06

CG-Ce

MA-1F

RA-9F +
~~( , 24 1.59001-Oe GIF~~
C cSGE a A-Gst.-L P

LESGENm-GEN-LF

AFwTF3-FIC-LF l

FA-1F

RA-11F 2.CCC0C0C00000E-04 ThE F4X3FLP 7-F6 lALUh ECR :s zuCC.v.Pesv1teA11Ch11siccericcccccr 15 cas
~~, e t. : c .- r :- -.~~
i
~
~~i r - i i e 6-43~~
*6 * ** em +re4 g e. . gs ...g ~~ ,
~~-----_y-~--.-..__ - - ., .: a- . ..~~
~~.,:- c ;_~~
~~.-+ . : .w- w _ . . =-e - .c.~~
v
~~=- -~~~
~~Table B.17 Point Beach Boolean Accident Sequences After~~
~~-~41 Recovery Has ileen Applied (continued) s PT*f 19 s --~~
~~? 3 ~. 0 0 0 6 F - 0 3 S o vr -V c c -riF~~
~~KR +~~
~
~~7 9.Or.00E-08 NE~~
~~cckyV10-icc-UTP +~~
~~3 4.n000F-05 P:F~~
~~CckyV30-XCC-LF +~~
~~i 1.mcooE-Ch te~~
LFIFP2-Fet-LF

LFl*F1-FMC-LF +
~~5 1.20 cue-05 f. b + LFIFF2-Fi4C-LF~~
~~HFEMV36-VCC-LP +~~
~~6 1.2000E-05 Gb~~
LFIFF1-FxC-LF

NFRNV5-VCC-LF +
~~7 1.200GL-05 46~~
LFIfF2-FMC-LF

hPEMV4-VCC-LF +
~~E 1.2000F-05 sh~~
~~LFIP F1-Enc-I F * *HFh? v 3 8-VCC-LF +~~
~~. 9 9.n000E-Ct' hh , puhuv4-VCC-LF~~
~~nFEMb36-VCC-LF +~~
~~l 10 9.0000E-06 FP~~
hPKrVJ6-VCC-LF

FEN 8V5-VCC-LF +
~~At 9.0000E-C6 f. F~~
n arev3o-VCC-LF

EFEFV3A-VCC-LF +
~~12 9.0C00E-C6 r. F~~
nFrFV4-VCC-If

nFh-V5-VCC-LT +
~~13 1.2(C05-OL An~~
LFitF3-FMC-LF

LF1FF7-PC-FB +
~~1' 14 1.200tE-Ce he~~
LFI*F7-Fr.C-IF

LFI."F1-PC-FB Ih2 GXI? LP T Ehi. ' Lt di FCH LC'4tuu11Ch11??? 3.00C00000000GE-03 15 cnconocor-nii t .: , t !. t . . r s is fi-e Seu - -e l
~~i a-I J G - (* +~~
~~-___._W _ JWe~~
g ,4 .. T n . - - , , , . , . ,, r- .=z 5--..T' Point Beach Boolean Accident Sequences After - Table 3.17 ~
~~':-"- Recovery Eas Been Applied (continued)~~
~~FISF21 s , 1 S.0000E-06 Nb~~
~~CCaAV1-XCC-UTF +~~
A
~~- 2 4.0000E-05 Nh~~
~~CChxvi-XCC-LF + f-~~
~~, .; 3. .3.0C00F=05 CCknXA-hlX-FE~~
~~FA-7C +~~
~~4 1.0000E-05 SISLCG-CP-la~~
~~HA-6C +~~
~~5 8.0uo0E-06 RA47C~~
~~S*SAV50-XCC-UID + .~~
~~6 6.0000E-06 EA77C'* CC'*XV10-XCC-UIM + 7 S.0000E-06 EA-7C~~
~~SbSXV49-XCC-UIN +~~
~~9 6.COC0F-Oc RA-7C~~
~~CCuXV6-ACC-UTM +~~
~~9 3.00CvE-06 PA-7C~~
~~SnSXV4E-XCC-UIM +~~
+
~~10 4.ccCCL-Ce RA-7C~~
CCnXV10-XCC-LP 11 4.CC00E-06 RA-7C

CCaA\e-ACC-LF +
~~. 12 4.GuccE-06 EA-7C~~
~~S* SAN 50-XCC-LF +~~
~~13 A.000GE-06 FA-7C~~
~~SnSXV46-XCC-LF +~~
~~KA-7C~~
~~S*SXb49-XCC-LF +~~
~~14 1.00005-06 15 1.5000E-06 na-cC~~
~~S1S-PC-SFhS-Cy +~~
~~16 1.2500i-Oc DA-eC~~
SlSACI-A-LF

SISACT-e-LF
~~$'n F FAX 1Puu IF.; te 'v A t u t FCh CCvFu1ATICh 1 IS 0.000000000000E-05 i-e TT v VatLEJ 15 2,217E00000000E-0,31~~
~~( T I: r 5 :J w CF i 1 C5- 4 i~~
~~;- _ _3.y - -~~
~.: ~. .:.. .. 1 ~: . .;.;; == - - - " - . . . . . . . .. .. Z '.C Table 3.17 Point Beach Boolean Accident Sequences After F_'-Z 3 Recovery Has Been Applied (continued)
~~PISR25 a 1 3.2000E-07 GIF~~
BAI-CM

LDSP

RA=1C

RA-WC + .;-
~~2 1.0000E-07 SAI-CM~~
RA-60

LF-ACBdS1-13-0 +
~~3 8.64004-08 GIF~~
LDSP

RA-1C

LT-BAIIA-DOS

DESGENs= GEN-LF

RA-lic +
~~4 9.6400E-08 GIF~~
LDSP

RA-1C

RA-11C

DESGENA-GEN-LF

LF-BAIIB-006 +
~~5 5.7600E-08 'GIF~~
LDSP

RA-1C

LF-BAITA-005 *-LF-SAIIS-D06

RA-9C +
~~0 2.7000E-06 LF-$ATIA-005~~
DESGENS-GEN-LF

RA-11C

LF-ACSUS1-13-8 +
~~7 2.1000E-08 5454PA-PMD-LF~~
LF-0CSUSo=002

NR +
~~4 2.1000E-06 SdSMP3-PMD-LF~~
Lf-DCSUSa-002

NR +
~~9 1.8000E-08 LF-SAITA-005~~
LF-BAIIS-006

LF-ACBUS1-13-8

RA=9C +
~~10 1,4403E-08 GIF~~
LDSP

RA-1C

AFWIP3-PID-LF

DG-CM

RA-10C Isi. F AXIMUM IER4 V ALUE FOR CD:WJIAIIDM 1 IS 3.200000000000E-07 (tie _S.)3 3r Nr Tsaa v u uss is 7 51sc00000000.E-07)
~~e. .~~
~~T i 4~~
)
~~I3 - 4 f= ..~~
~~-m . . m .e. O MN . eum que --e ea w. w, e . e .,~~
~~.~.~.~~
~~T. . ::= . '. f . - ..~t. . -~~
~~.=. .. -~~
CC . Table B.17 Point Beach Boolean Accident Sequences After j . Recovery Has Been Applied (continued) PISR27 s 1 2.00005-07 GIF 8 BAI-CM
LOSP

HA-1F

RA-8F +
~~i 2 1.2000E-07 NR~~
LF-DCSUSA-001

ArdMP1-PMD-LT +
~~3 1.0000E-07 BAI-CM~~
LF-ACSUS1-13-8

RA-8F +
~~l 1 i 4 4.200]E-06 GIF_* LOSP~~
LF=BAIIA-005

DESGENS-GEN =LF

RA-1F

RA-9F +
~~5 4.2000E-09 GIF_* LOSP~~
DESGENA-GEN-LF

LF-BATTS-006

RA-1F

RA-9F +
~~c 2.8000E GIF F LDSP~~
LT-BAITA-005

LF-BAIIS-006

RA-1F

RA-9F +
~~7 2.1000E-08 LF-BATIA-005~~
DE3 GENS-GEN-LF

LF-ACayS1-13-8

RA-9F +
~~d 1.40005-08 LF-3AITA-005~~
LF-BAIIn-006

LF-ACSUS1-13-8

RA-9F
~~! Id6 F.AXIMU1 IER4 VALUE FOR CD1PUIAIION 1 IS 2.000000000000E-07~~
~~(I46 5JM 37 IRC IERM VALUES IS 5.670000000000E-07) ,~~
~~w e~~
~~e 5~~
~~6-c7 1~~
~~.. . . . .__ ...- ...~ . ~~~
Table B.18 Point Beach Dominant Cut Sets ' by Accident Sequence Core Melt ' Cut Set Anal. Boolean Failure . Core Melt No. Event # Sequence Cut Set Description Probability
~~,1 1 S2MH{Hj SUMP-VCC-OE 6.0E-5~~
~~CCWXV30-XOC-UTM 1.6E-6 i CCWXV30-XOC-LP -~~
8.0E-7 All Other Cut Sets 2.0E-6 38 19 TQ{j -VCC-OE 2.9E-5 3 CCWXV30-XOC-UTM 7.8E-7 CCWXV30-XOC-LP 3.9E-7 All Other Cut Sets 1.0E-6 24 19 T2MQH{Hj ~ SUMP-VCC-OE 4.2E-6 CCWXV30-XOC-UTM 1.lE-7 CCWXV30-XOC-LF 5.6E-8 All Other Cut Sets 1.4E-7 31 19 TMQH{Hj . SUMP-VCC-OE 2.9E-7 3 CCWXV30-XOC-UTM 7.8E-9 CCWXV30-XOC-LF 3.9E-9 All Other Cut Sets 1.0E-8 17 9 TyMQH{Hj SUMP-VCC-OE 3.9E-7 CCWXV30-UTM 1.0E-8 CCWXV30-LF 5.2E-9
~~. All Other Cut sets 1.5E-8 -~~
~~9 17 T gMLE GTF~~
RAT-CM 1.8E-5 GTF

DESGENB-GEN-LF

LF-BATTA-DOS 3.8F-6 GTF

DESGENA-GEN-LF

LP-BATTB-D06 3.8E-6 GTF

LF-BATTA-DOS

LF-BATTB-D06 2.SE-6 All Other Cut Sets 1.1E-5 23 IS T yMQLD 1 GTF

BAT-CM 4.2E-7 GTF

DESGENA-GEN-LF

LF-BATTB-D06 1.1E-7 GTF

DESGENB-GEN-LP 1

LF-BATTA-DOS 1.lE-7 GTF

LF-BATTA-DOS

LF-BATTB-DO6 7.5E-8 All Other Cut Sets 4.0E-7 12 27 T 2MLE GTF

BAT-CM

LOSP 2.02-7 LF-ACBUSl-13-8

RAT-CM 1.0E-7 All Other Cut Sets 3.4E-7 6 -s8
~~" ~ ~ . - - _ . . , . . , ,-.-,-,..,.m..,. -~~
Table B.18 Point Beach Dominant Cut Sets by Accident Sequence (cont.) Core Melt Cut Set Anal. Boolean Failure - Core Melt No. Event # Sequence Cut Set Description. Probability 3 3 S2MDy2 D CCWXVI-XOC-UTM 1.6E-6 -
CCWXVI-XOC-LF 8.0E-7 i CCWHXA-HTX-FB 3.OE-7 All other Cut Sets 7.2E-7 26 21 T 2MQDy2 D CCWXVI-XOC-UTM 1.lE-7 CCWXVI-XOC-LF --
5.6E-8 CCWHXA-HTX-FB 4.2E-8 All Other Cut Sets 1.0E-7 40 21 T3QDy2D - CCWXVI-XOC-UTM 7.8E-7 . CCWXVI-XOC-LF 3.9E-7
~~CCWHXA-HTX-FB 2.9E-7 All other Cut Sets 7.2E-7 e~~
~~9 f 6 -69 e~~
~~-weyww- -+vw-- m-w--wm+g---e - - - - - __ - , , , , * - _- - - - - - . - -~~
Tanle B.19 Point Beach Dominant Cut Sets N Core Melt Probability Dominant Cut Sets Contribution ,, SUMP-VCC-DE 9'.5E-5 , i GTF
~~BAT-CM +~~
~~i GTF~~
BAT-CM

LOSP 1.9E-5
~~( GTF~~
DESGENA-GEN-LF

LF-BATTB-D06 +
~~GTF~~
DESGENB-GEN-LF

LF-BATTA-DOS +
~~GTF~~
LF-BATTA-DOS

LF-BATTB-D06- 1.0E-5 CCWXV30-XOC-UTM +
~~CCWXV30-XOC-LF 3.8E-6 CCWXVI-XOC-UTM +~~
~~CCWXVI-XOC-LF 3.7E-6 CCWHXA-HTX-FB -~~
6.3E-7 l l 6 -7c
t i . _ . . _ .. _.
~~.~. .. . _..~~
vulnerabilities identified and analysis in ' section 4. The other cut sets in these 11 accident sequences are the third residual core melt probability. 1.6E-5
~~7) Thus the total residual core melt probability that .~~
we did not address in this internal analysis is the l sua of these three residuals. 1.7E-5 The value analysis of the modofications for the six vulnerabilities identified (corresponding to the six groups of cut sets shown in Table B.19) determines the actual improvement in core melt probability. However, an estimate can be made~of ~ the lower boundary value of the internal analysis core melt probability if it is assumed that the core melt probabilities of the six vulnerabilities identified can be reduced by a 1 factor of 3E-2. Thus, the estimated lower boundary internal core melt probability would be the residual core melt probability = 1.7E-5 plus the vulnerability core melt probability of { l.31E-4 times 3E-2 improvement = 3.9E-6 which equals lower boundary of internal core melt probability = 2.lE-5 l The purpose of this exercise is to suggest lower baseline internal core melt probability for Point Beach. Intuitively this makes sense and says there probably is a threshold of core melt probability where further, improvements to existing systems may not be effective in reducing the overall core melt probability. 5.4 containment Systems Intearation In order to determine public risk measures, the core melt accident sequences must be expanded to include containment , systems and then analyzed for containment failure modes. assigned release categories, and propagated in a consequence analysis. Therefore, the next step was to apply the containment event tree to each of the 11 dominate accident sequences. , The containment systems event tree is shown in Figure B.5 in a previous subsection of this Appendix. Each of the eleven dominant core melt accident sequences had to be rerun with each containment system sequence. The outcomes of the containment I systems event tree cover all the combinations of succesd'or. failure of containment overpressure protection (COP) and post - l accident radioactivity removal (PARR). It should be noted that even the containment system success sequence 25 2 P' is important since the containment will fail by some means not identified by the containment systems event tree given a core melt. GL -71 i
l { The matrix of the SETS runs is given in Table.B.20.~-Each , distinctly different Boolean accident sequence (there are' 7) corresponding to the 11 dominant accident sequences was run with all the Boolean containment system sequences. This is necessary due to the dependencies between systems. F'or. example, consider the analysis sequence number 9 which
~~corresponds to PTB sequence number 17. The.aultiplier expression is T MPQ and the Boolean events are LE. Thus LE must be run wit each containment sequence, i.e.,~~
LEfC2 P' -- *
~
~~LE202 F' i LEZC - 2~~
~~LEZC2 P'~~
~~~ ~ ~~~
~~l LEzc 2 F', and~~
I LEZC

2 -
t
~~The corresponding probabilities would be p(T yMPQ)~~
~~p(LE20 P') '~~
etc. It would by incorrect to assume that 2 1 p(LE20 P') = p(LE)p(20 P')* 2 2 After the SETS runs were completed the resulting probabilities _
~~for the total accident sequence were screened to determine those sequences to be carried on to the recovery analysis and i placed into release categories. The. results before recovery i~~
are given in Table B.21 and after recovery in Table B.22. The next step in the analysis leading to public risk measures can be found in Section 7.2 of the main report. _ 6.0 VALUE ANALYSIS 6.1 Core Melt Probabilities The purpose of this section is to determine and present the estimated core melt probabilities for the alternatives selected to address the potential vulnerabilities identified n Section 5.3 of the appendix. Further discussion of the modifications proposed for these vulnerabilities is given in Section 2.3 of the main report. J 6-71 O e
9 Table B.20 Point Beach Containment Sequences % i 1 2 3 4 ,5 6 PTB # 202P ' 2C2 F' 2C 2 ZC2P ZC2 F' ZC
~~, 2 1 . . . . . .~~
2 3 * * * * *
~~4 5~~
~~6 7 -~~
~
8 9 * * * * *
~~10 l'1 ,~~
~~12 13 14 .~~
\._ 15 * * * * *
16 17 * * * * *

18 19 * * * * *

20 21 * * * * *

22 23 24 25
26 27 ** * * * *
28

Containment Sequences to be Run where Z = Y 1(Cy +F)(C2 *Y2 )
~~6 -,}~~
~~. - - , - . _ _ _ - - - , _ _ , _ . ,, ,__s_ , , . , , -~~
Table B.21 Total Accident Sequence Probabilities Including Containment . . . . , . . , Systems Failures Before Recovery Considered - Base Case - 4 Core Melt P1B Boolean Core Melt Containment System Sequences Accident Analysis Sequence Failure Sequence Nunber Nunber Sequence ZE2 F' fd2F' EC 2 Z 2 F' Zd2F' 2C 2 i SM2 H IjHj 1 1 S2MiljHj 4.5E-8 6.5E-5 3.4E-8 4 2.3E-9 4 ! S MLXDg2 2 D 3 S2MDg2D 1/8E-6 1.3E-8 2.0E-5 5.lE-6 4.6E-8 5.lE-7
\ i TyMINE 9 17 T yMLE 4.6E-6 6.6 W8 4- 2.5E-8 9 9.8E-5 T 2MI E 12 27 T2MIE 2.7E-7 4 4 4 4 1.6E-6 g T M0ih H'H' 17 9 T MOH'H' 3.5E-10 4.5E-7 2.2E-10 4 1.2E-10 3.0E-10 -
~~1 112 1 12 - M~~
~~+ T MLIOD y y 23 15 T 3MOLD g 4.0E-10 4 4 3.2E-10 4 2.0E-6 T2M0if)1H jHj 24 19 TM0HjHj 3~~
~~3.lE-9 4.5E-6 2.3E-9 4 1.6E-10 4 l~~
}
T2M0i2D32 D 26 21 T MODg3 3 D 1.2E-7 8.8E-10 1.4E-6 3.6E-7 3.2E-9 3.5E-8 TM013H;H; 3 1 31 19 TMOHjHj 3 2.2E-10 3.2E-7 1.6E-10 4 1.1E-ll 4 , T073,H;H; 3 38 19 T3@jHj 2.2E-8 3.2E-5 1.6E-8 4 1.1E-9 4 . T0HDD 3 32 40 21 T3@yD2 8.7E-7 6.2E-9 1.0E-5 2.5E-6 2.3E-8 2.5E-7 ' i e i I
~
* ~'
l e I Table B.22 Total Accident Sequence Probabilities Including containment l Systems Failures With Recovery Considered - Base Case Core Melt PTB Boolean Core Melt Containment System Sequences Accident Analysis Sequence Failure _ _ _ __ _ __ _ Sequence Number Hunber Sequence ZC F' 2C ZC F' IC i 2 ZCf' 2 2 2Cf' 2 i S"IHjHj 1 1 SMHjHj 3 6.5E-5 - 2 I S" UD 3 3 S2MD g3D 1.4E-7 4.3E-7 1.5E-7 1.1E-9 2.2E-7 2 12 TgMIJ68 9 17 T g MIE 8.4E-7 4 3.2E-5 , T2MII$E 12 27 T MIE 2 1.7E-7 4.88-7 Ty d HjHj g 17 9 Tg 6jHj 4.2E-7 i
@ T gM110D y 23 15 T gMQLDg 1.4E-6 T2 "0II'1H jHj 24 19 TMQHjHj 2
4.5E-6 , T2MQ DD g2 26 21 T 2MQDg2D 1.2E-8 8.2E-8 1.8E-8 1.3E-10 T3 6 HjHj 3 31 19 TMQHjHj 3 3.2E-7 T3 oII)gH jHj 38 19 T3 @jHj 3.2E-5 . 1 T3oIRD32 D 40 -21 T3oD32 D 8.3e-8 5.7E-7 1.3E-7 8.8E 4.3E-8 4 1 3 TOTAL 1.19E-6 1.02E-4 1.08E-6 2.98E-7 2.09E-9 3.40E-5 I . i i .
In the value analysis it is the change in core melt probability that results from an alternative that is most important. - Nevertheless, it is informative to note the anticipated change in core melt probability due to each individual modification. This is done in Section 6.1.1. , 6.1.1 Modification Values The core melt probabilities for each of the internal vulnerabilities after the proposed modifications have been implemented will be estimated and discussed in this section. Each of the six vulnerabilities are considered although one had no proposed modification,- another was eliminated af ter more information was received from Point Beach, and two were essentially combined into the same modification. Jnternal Vu.inerability 1 - Failure to Switchover from Emergency Core Injection to Recirculation. - This is a minor hardware modification and an improved operator error probability . resulting from a more careful evaluation of the human performance of the recirculation switchover task. .The operator error probability originally used was 3E-3 which is a somewhat conservative estimate of an operator's ability to perform a single task. Considering the importance of this task and the awareness of the operators, it would be reasonable to use the lower bound human error number of 1E-3. The minor modification is the addition of a specific, prominant alarm for the switchover task. This is in addition to the other related alarms such as RWST low level or sump low level that also contribute to the operator's awareness of the need to properly switchover or, if switchover is not feasible because the sump level is insufficient for some' reason, to chose another option such as refilling the RWST. It seems reasonable that this alarm would conservatively provide a further reduction in the operator probability of at least 1E-1. The net result is a reduction factor of (3E-3)+(1E-4) = 30. Thus the bare 9.5E-5 core melt probability attributed to the common mode operator failure to switchover from injection to recirculation is reduced to 3.2E-6. Internal Vulnerability 2 - Station Blackout Due to Common Mode Failure and Internal Vulnerability 3 - Station Blackout Due to Battery and Diesel Generator Failures. - These two vulnerabilities both consist of station battery failures that lead to failure of the diesel generators to start due to the lack of DC power. The modification proposed is a dedicated startup battery for each diesel generator. The IREP data base failure rate for a battery is 2E-2 (local faults and T&M) which can be applied to each of the applicable cut sets contributing to internal vulnerabilities 2 and 3. This results in the two core melt probabilities being reduced from 1.9E-5 and 1.0E-5 to 3.7E-7 and 2.lE-7 respectively. E5-7G, 1
i l . j Internal Vulnerability 4 - Failure of ECC Recirculation Due to i RHR Pump Cooling Failure Caused by a Valve Failure. - The modification suggested is the installation of another manual valve in parallel with the existing valve and routine checking
of the flow in this CCW pipe segment. Thus each manual valve i has a local fault probability of 4E-5 and a test and maintenance probability of SE-5 divided by 90 to account for t.he checks being made three times per day throughout the entire j month (the old number was for monthly checks). Using a beta factor of 1/10 for common mode TEM, the core melt probability improvement for the modificationis is as follows

Originally, with one manual valve, the failure of that valve is the sum of the local fault-(LP) and test and maintenance (TM) probabilities, i ~ ', ! p(LF) + p(TM) = probability of valve failure
~~(4E-5) + (8E-5) = 1.2E-4~~~
1
~~. With two manual values (called valves 1 and 2 in this~~
! calculation in parallel and the improved surveillance, the ! Boolean representation is-(LF 1+TM 1+CM)(LF 2+TM 2+CM) failure of the parallel i valves where CM is the common mode test and maintenance failure of both valves. After a Boolean reduction of this expression and
\.. application of the appropriate probabilities, the probability of the parallel combination of two manual valves becomes (4E-5)2 + 2(4E-5)( 90 U )+( CM) , J = 9.1E-8 90 )2 90 10 This is a factor of 7.55E-4 improvement. Thus the co.re melt probability of vulnerability 4 is reduced from 3.8E-6 to 2.8E-9 by Modification 4.
Internal Vu-Inerability 5 - Failure of ECC Injection Due to CCWS Failure Caused by a Valve Failure. - The original hypothesis for this failure was that the CCWS requires water from the surge tank via a manual valve in order to prevent cavitation of
~~. the CCW pump when the RHR heat exchanger segment is valved in.~~
This dependency was modeled in the fault tree but upon closer investigation and discussions with plant personnel it was , eliminated. Thus no modificatica is required and the vulnera-i bility disappears from the analysis. The result is a 3.7E-6 reduction in the base core melt frequency from 1.49E-4 to l 1.45E-4. I' Internal Vulnerability 6 - Failure of ECC Injection Due to CCWS Failure Caused by Loss of Cooling From the SWS Through the CCW Heat Exchanger. - No modification was proposed as part of an l i - Ei-77 1 i
i alternative for this vulnerability even though it was _ 4 recognized that the addition of a fourth CCWS to SWS heat exchanger would be a realistic modification. Actually, the
, plant is adding the fourth heat exchanger so that the,re will be one dedicated heat exchanger per unit and two swing heat exchangers that are normally valved out with manual valves.
This is an improvement for technical specification operations ! p.urposes but is essentially the same as the current situation for this analysis. If they had chosen to dedicate two heat exchangers per unit that are both valved in, then additional credit could have been given. Thus, there is no change in core melt probability for this-vulnerability. 6.1.2 Alternative Values-There are three combinations of internal modifications that are
~~, used in the overall alternative value analysis. These are:~~
3- . i Alternative 1 - Internal Modification 1 . Alternative 2 - Internal Modifications 1, 2, and 3 Alternative 3 - Internal Modifications 1, 2, 3, and 4 l The core melt probability value of an alternative will be calculated in Section 7 of the main report. The input to that
~~. calculation from the internal analysis is the base line core l~~
melt probability determined in Section 5.2 and the core melt probability given the modifications in the alternatives have been implemented which is the subject of this section. -
)
i Base Cote Melt Probability - The base core melt probability from Section 5.2 is 1.486E-4 including the six vulnerabilities identified, all the residuals and recovery. During the plant visit with the architectural engineer it was determined that internal vulnerability 5 was invalid and should be removed from the core melt probability. Thus, the corrected base core melt probability becomes (1.486E-4)-(3.74E-6) = 1.45E-4. "Each of the following alternative probabilities must also be corrected for internal vulnerability 5. Alternative 1 Core Melt Probability - This alternative only involves internal modification 1 and affects five of the dominant accident sequences (analysis numbers 1, 38, 24, 31, and 17). Table B.23 delineates the top 16 or dominant accident sequences for Point Bech alternative 1 after recovery has been applied. This compares to Table B.12 for the base case. The result is a core melt probability of 5.5E-5 for alternative 1. Alternative 2 Core Melt Probability - This alternative includes modification 1 and modifications 2 and 3 which are combined. Three accident sequences are affected (analysis numbers 9, 23, and 12). Table B.24 delineates the top 16 or dominant accident sequences for Point Beach alternative 2 after recovery has been applied. This compares to Table B.12 for the base case. The result is a core melt probability of 1.3E-5 for alternative 2. 2i-73
Table B.23 Point Beach Results After' Recovery - - Top 16 Sequences - Alternative 1 -
~
Core Melt PTB Boolean Analysis Failure Core Melt Event Sequence Number Secuence Probability Number 9 T gMLE - 3.9E-5 17 1 6.9E-6 S2MH7'H2 ' 1 3 S2MD D 3.4E-6 3 72 38 T 3 CH 1'H 2' - 3.4E-6 19 40 T3QD72 D -6 21 23 T gMQLD y 1.lE-6 15 12 T LE 6.4E-7 27 2 24 T2MQH 'H2 ' 4.8E-7 19 26 T 2MQD D 2 3.lE-7 21 19 T MQD D 2 1*9E-7 11 44 T3Ob . E-7 25 1 17 T7MQH7 'H 2 4.7E-8 9 15 T3MLE 4.5E-8 27 l 4 S2MID 3.5E-8 4 7 i 31 T C 3.4E-8 19 3 1 2 33 T 3MQD72 D * ~ { Sum of all 16 Accident Sequences 5.83E-5
~~.37R-5 Vulnerability 5 5.46E-5 \~~
h ~71
f Table B.24 Point Beach Results After. Recovery - Top 16 Sequences - Alternative 2 Core Melt PTB Boolean Analysis Failure Core Melt Even't- Sequence Number Sequence Probability Number
. 1 S MH y'H ' 6.9E-6 1 2 2 9 T y MLE 4.0E-6 17 38 '
T0 3 l 2 3.4E-6 19 3 S2MDy2 D 7.7E-7 3 40 T0 D 6.3E-7 21 3 12 _ 24 T2MQH y 'H2 ' 4.8E-7 19 19 T yMQDy2 D 1.9E-7 11 23 T yMQLD y 1.3E-7 15 12 T 2MLE 1.3E-7 27 26' T 2MQDy2 D 9.0E-8 21 15 T MLE 9.lE-9 27 3 17 T MQH 'H 2 4.7E-8 9 31 T3 0"l ' 2
~~' 3.4E-8 19 4 S MID y 2.5E-8 4 2~~
44 T 3Ob 1 6.9E-9 " 25 33 T 3 QDy2 D 6.3E-9 21 Sum of all 16 Accident Sequences 1.68E-5
~~- .372-5 Vulnerability S 1.31E-5 g .so~~
Alternative 3 Core Melt Probability - This alternative includes modifications 1, 2, 3 and 4. The same five accident sequences affected by modification 1 are changed by modification 4. Table B.25 delineates the top 16 or dominant accident sequences for Point Beach alternative 3 after recovery has been applied. This again can be compared to Table B.12 for the base case. The result is a core melt probability of 9.3E-6. - d.2 containment System Probabilities The same procedure done in Section 5.4 was repeated for alternatives 1, 2, and 3. The end result is three tables similar to Table B.22 which gives the probabilities of the most j significant core melt sequences combined with the containment - i system sequences. Table B.26 for alternative 1 was generated i from the base case Table B.22 by making corrections for internal modification 1. Table B.27 for alternative 2 had a complete and separate Boolean analysis and recovery analysis since the electric power interactions involved in applying modifications 2 and 3 were not as obvious to manually correct. Table B.28 for alternative 3 was derived from Table B.27 by applying modification 4. Although the add-on dedicated SDER system was not part of the internal analysis the tables for alternatives 4 and 5 are given here since they are derived from the same information by applying the add-on probability factor. Table B.29 for alternative 4 is generated by multiplying each entry of the base case Table B.22 by the add-on factor (1.9E-2 if OSP is available and 7.3 E-2.if OSP is unavailable). Similarly Table B.30 for alternative 5 follows'the same procedure starting with Table B.27. The Ti sequences are the CSP unavailable cases. This then provides the internal analysis calculation needed in Section 7.2 of the main report. I i 6 -81
~~- - - , - , , . .,_--.-.-._--..._..-_,_,,.-,._w,,,, -~~
v.m._ .-.y _,,-. . _ _ - , . - . - . _ . _ _ -
Table B.25 Point Beach Results After Recovery - Top 16 Sequences - Alternative 3 ~ Core Melt PTB Boolean Analysis Failure Core Melt Ev'ent Sequence Number Sequence Probability Number 1 S MH 'H ' 4.6E-6 1 2 1 2
~~, 9 T gMLE 4.0E-6 _~~
17 38 , T3QHg ' H2 ' 2.3E-6 19 3 S2MDy2 D 7.7E-7 3 40 T3QDy2 D 6.3E-6 21 24 T 2MQH1,H2 3.2E-7 19 23 T yMQLD y - 1.3E-7 15 19 T gMQDg2 D 1.9E-7 11 12 T2MLE 1.3E-7 27 26 T 2MQDy2 D 9.0E-8 21 15 T * "' 3 17 T MQHg 'H 2 3.2E-8 9 4 S MXD y 2.5E-8 4 2 31 T3MQHg 'H 2 * ~8 ' 44 T3QLD y 6.9E-9 25 33 T 0 6.3E-9 21 3 12 . Sum of all 16 Accident Sequences 1.30E-5 ,
~~- .372-5 Vulnerability b 9.33E-6 l~~
l l Rb- 8 L
i i Table B.26 ' Intal Accident Sequence Probabilities Including Containment : Systems Failures With Recovery Considered - Alternative 1 . Core Melt - PIB Boolean Core Melt containewstSystem a r Accident Sequence Analysis Nunber Sequence Number Failure , Sequeixe"' Late CM _' ZC Early CM EC __ _ZCf' 2Cf' 2 3Cf' 2Cf' 2 SMT5HjHj y g 1 1 SMHjHj y 6.86E-6 DD 3 1.35E-7 4.268-7 1.54E-7 1.NE-9 2.16E-7 S 2 g2 3 S2 *12 D . T 3MLE6E 9 17 T gMIE 8.39E-7 4 3.19E-5 j TyMIJUE 12 27 T MLE 1.20E-7 - 4.80E-7 . 2 , Tg 10fkHjHj 17 9 T2M0H'H' 4.'/IE-8 .
* ~
T gMf)QDy 23 15 TgMQfEg 1.40E-6 W T MOT 53 HjRj 24 19 TMQHjHj 2 4.79E-7 ', 2 T2MQ DD y2 26 21' T 2MODy2-D l.18E-8 8.22E-8 1280E-8 1.26E-10 TMai3H;H; 31 19 TMQHjHj 3 3.35E-8 . l 3 1 T3ar.5,H;R; 38 19 T3@jHj 3.35E-6 l T30i3Dj.n2 4f} 21 T3aDgyD 8.29E-8 5.75E-7 1.26E-7 8.82E-19 4.308-8 l . i tyfAL 1.19E-6 1.08E-5 1.088-6 2.988-7 2.09E-9 3.40E-5 f F
#4
' i Table B.27 Total Accident Sequence Probabilities Including Contairunent Systems Failures With Recovery Considered - Alt.ernative 2 . . Core Melt PTB Boolean Core Melt Containment System Sequences Accident Analysis Sequence . Failure Latie CM Early CM Sequence Nuuber l&nber Sequence _IC IC2 '
_ _ _ECf' ECf' 2 ECf' ECf' S3MII)3H jHj 1 1 SMHjHj 2 6.82E-6 SM DDy2 3 3 S2MDy2D 1.38E-7 4.25E-7 1.54E-7 7.20E-10 5.58E-8 2 TgMIK)E 9 17 TgMf2 1.61E-7 3'.648-6 l T2MI )E 12 27 T MLE 2 1.20E-7 3.748-7 ' TMQGHjHj g 3 17 9 T2 "00'" ; 23 15 T1 aD 1 - 1.48E-7 7 T 3MeoD 1 4 T 2"O I HjHj 24 19 TMQHjHj 3 e 4.77E-7 s T MC'LXDg2 D 26 21 T2MQDg2D 1.19E-8 5.64E-8 1.80E-8 2.83E-9 2 , T3 d HjH2 g 31 19 TMQHjHj 3 e 3.34E-8 T3 @ gH jHj 38 19 T3@jHj 4, 3.348-6 T DD g3 40 21 T3@gD2 8.34E-8 3.95E-7 1.26E-7 1.98 -8 3 ,
'IUPAL 5.14E-7 1.07E-5 8.76E-7 2.98E-7 7.20E-10 4.24E-6 's- t ,, g
.s s ~ -O , 4 -cs .
( i Tablo D.28 'Ibtcl Accident Sequence hubilities including ContJJnment l Systene Failures With Hecovery Considered - Alternative 3 i Core Melt PTB Boolean Core Melt Containment System SequeKeek
~~l Accident Analysis Sequence Failure __}}~~

ML20127E755

Contents

Text

1.0 INTRODUCTION

SUMMARY

1.0 INTRODUCTION

SUMMARY

SUMMARY

1.0 INTRODUCTION

1.0 INTRODUCTION

1.0 INTRODUCTION

Navigation menu

ML20127E755

Text

1.0 INTRODUCTION

SUMMARY

1.0 INTRODUCTION

SUMMARY

SUMMARY

1.0 INTRODUCTION

1.0 INTRODUCTION

1.0 INTRODUCTION

Navigation menu

Search