Nonproprietary RESAR-SP/90 Westinghouse Pwr,Pda Module 16, Probabilistic Safety Study, Vols 1 & 2

ML20128L809
Person / Time
Site:	05000601
Issue date:	06/28/1985
From:	WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package
ML19304B194	List: ML20128L802 ML20128L809 ML20128L838 ML20128L847 ML20128L858 ML20128L887 NRC-85-0343, Forwards Proprietary & Nonproprietary Westinghouse Advanced PWR RESAR-SP/90,PDA Module 16, Probabilistic Safety Study, Vols 1 & 2
References
NUDOCS 8507110465
Download: ML20128L809 (412)
v • d • e

Text

- -

O l RESAR-SP/90 l 0 PROBABILISTIC SAFETY STUDY WESTINGHOUSE

.g ADVANCED PRESSURIZED U WATER REACTOR O

^ '@ =  ;

i O -

O O STANDARD PLANT DESIGN P"in mm, PDR

1 f

i J

i l

i i

i 1

1 1

I i

4 3

1

.l

.i 1,

l l,

i 1

i i.

1 i

W APWR-PSS June, 1985 59660:10

TABLE OF CONTENTS Section Pace 0.0

SUMMARY

OF PLANT COREMELT ANALYSIS 0-1 1.0 INTERNAL INITIATING EVENT ANALYSIS 1-1 1.1 INTERNAL INITIATING EVENT CATEGORIZATION 1-2 1.2 INTERNAL INITIATING EVENT FREQUENCY QUANTIFICATION 1-17 2.0 ACCIDENT SEQUENCE MODELING 2-1 2.1 EVENT TREE GUIDELINES 2-1 2.1.1 EVENT TREES 2-3 2.1.2 EVENT TREE NODE DEFINITIONS 2-3 2.1.3 EVENT TREE SUCCESS CRITERIA DEFINITIONS 2-5 2.1.4 COREMELT CATEGORIZATION 2-6 2.1. 5 N0DE SUCCESS CRITERIA DEFINITIONS 2-8 2.1.6 CONSEQUENTIAL FAILURE MODEL 2,12

, 2.1. 7 PLANT SUPPORT STATE MODEL 2-12 2.2 EVENT TREE MODELING 2-31 2.2.1 TRANSIENT EVENT TREE 2-31 2.2.2 LOSS OF 0FF-SITE POWER EVENT TREE 2-40 2.2.3 STEAM GENERATOR TUBE RUPTURE EVENT TREE 2-51 2.2.4 LARGE SECONDARY SIDE BREAK EVENT TREE 2-69 2.2.5 SMALL LOCA EVENT TREE 2-79 2.2.6 LARGE LOCA EVENT TREE 2-87 2.2.7 ANTICIFATED TRANSIENTS WITHOUT SCRAM EVENT TREE 2-95 2.2.8 INTERFACING SYSTEMS LOCA EVENT TREE 2-107 d 2.2.9 VESSEL FAILURE EVENT TREE 2-115 2.2.10 TOTAL LOSS OF AUXILIARY COOLING EVENT TREE 2-118 3.0 PLANT SYSTEMS ANALYSIS 3.1-1 3.1. AC POWER ON-SITE EMERGENCY POWER 3.1-1 3.2 INTEGRATED PROTECTION SYSTEM 3.2-1 3.3 SERVICE WATER-COMPONENT COOLING WATER SYSTEM 3.3-1 ii M APWR-PSS June, 1985 59660:10

TABLE OF CONTENTS (Cont)

Section Pace 3.4 INTEGRATED SAFEGUARDS SYSTEM 3.4-1 3.5 CONTAINMENT SPRAY SYSTEM 3.5-1 3.6 CONTAINMENT FAN CC3LER SYSTEM 3.6-1 3.7 SECONDARY COOLING 3.7-1 3.7.1 STARTUP FEEDWATER SYSTEM 3.7-1 0 3.7.2 EMERGENCY FEEDWATER SYSTEM 3.8 BACK-UP SEAL INJECTION SYSTEM 3.7-9 3.8-1 3.9 STEAM GENERATOR OVERFILL PROTECTION SYSTEM 3.9-1 3.10 GUIDE TO FAULT TREE DEVELOPMENT 3.10-1 3.10.1 FAULT TREE GUIDELINES 3.10-1 3.10.2 FAULT TREE CONSTRUCTION 3.10-5 3.10.3 COMMON CAUSE MODEL 3.10-28 3.10.4 HUMAN ERROR MODEL 3.10-35 3.10.5 TEST AND MAINTENANCE MODEL 3.10-37 3.10.6 SUPPORT STATE MODEL 3.10-41 3.10.7 DATA BANK 3.10-43 3.10.8 UNCERTAINTY GUIDELINES 3.10-50 3.11 SCREENING MODEL FOR OPEPATOR ACTIONS IN EVENI TREES 3.11-1 3.12 LONG TERM COOLING 3.12-1

, 4.0 COREMELT QUANTIFICATION 4-1 4.1 QUANTIFICATION OF EVENT TREE NODES 4-1 4.2 QUANTIFICATION OF COREMELT 4-18 4.3 ANALYSIS OF COREMELT CONTRIBUTORS O 4-20 4.4 SENSITIVITY OF PLANT COREMELT FREQUENCY TO SYSTEM RELIABILITIES 4-26 4.5 CONSERVATISM IN COREMELT STATE CLASSIFICATION 4-50 t

l 5.0 CORE AND CONTAINMENT ANALYSIS 5-0 0

6.0 SITE CONSEQUENCE ANALYSIS 6v0 7.0 ASSEMBLY OF RISK 7-0 O iii W APWR-PSS June, 1985 59660:10

LIST OF TABLES 1.1 -1 APWR INITIATING EVENT CATEGORIES 1.1 -2 ANTICIPATED TRANSIENT INITIATOR LIST 1.1-3 UNANTICIPATED TRANSIENT LIST O 1.1 -4 TRANSIENT INITIATING EVENT CLASSIFICATIONS 1.1-5 SECONDARY SIDE BREAK INITIATING EVENT CLASSIFICATIONS

1. 2-1 PROBABILITY DISTRIBUTIONS FOR INITIATING EVENT OCCURRENCE FREQUENCIES 1.2-2 PWR POPULATION EVENT DATA 1.2-3 PLANTS AND OPERATIONAL YEARS INCLUDED IN PWR DATA BASE 1,2-4

SUMMARY

OF STEAM GENERATOR TUBE EXPERIENCE 1.2-5 TUBE RUPTURE EXPERIENCES

SUMMARY

2.1 -1 APWR COREMELT CATEGORIES 2.1 -2 EVENT TREE TOP NODE SUCCESS CRITERIA 2.1 -3 EFFECT OF SUPPORT SYSTEMS ON FRONT LINE TRAIN AVAILABILITIES

3. 3-1 HEA1 LOADS TABLE FOR SW-CCW 3.3-2 LIST OF COMPONENTS FOR SW-CCW 3.3-3 SW-CCW COMPONENT FAILURE PROBABILITIES 3.3-4

SUMMARY

OF RESULTS FOUR SW-CCW 3.3-5 DOMINANT CUTSETS FOR SW-CCW 3.3-6 DOMINANT CUTSETS FOR SW-CCW, LOSS OF ONE BUS

3. 4-1 ISS FAILURE PROBABILITIES FOR SMALL LOCA 3.4-2 ISS FAILURE PROBABILITIES FOR LARGE LOCA -

3.4-3 COMMON CAUSE CALCULATIONS FOR 1-HOUR MISSION TIME

3. 4 -4 COMMON CAUSE CALCULATIONS FOR 3-HOUR MISSION TIME 3.4-5 COMMON CAUSE CALCULATIONS FOR 24-HOUR MISSION TIME 3.4-6 INPUT 3ATA FOR 1-HOUR MISSION TIME FOR SMALL LOCA 3.4-7 INPUT DATA FOR 1-HOUR MISSION TIME FOR LARGE LOCA O- 3.4-8 QUANTIFICATION OF ACCUMULATOR AND CRT UNAVAILABILITIES 3.4-9 CALCULATION OF ISS FAILURE PROBABILITIES FOR LARGE LOCA (ONE DIVISION SUPPORTED) 3.4-10 DOMINANT CURSETS FOR SELECTED CASES FOR ISS 3.5-1 SYSTEM COMMON CAUSE CALCULATIONS I

3.5-2 CONTAINMENT SPRAY SYSTEM COMPONENT FAILURE PROBABILITIES 3.5-3 CONTAINMENT SPRAY SYSTEM DOMINANT CUTSETS l

O iv W

APWR-PSS June,1985 59660:10

LIST OF TABLES (Continued)

3. 6-1 FAN COOLER COMMON CAUSE CALCULATIONS 3.6-2 INPUT DATA FOR FAN COOLER SYSTEM FAULT TREE 3.6-3 CONTAINMENT FAN COOLER SYSTEM FAILURE PROBABILITY 3.6-4 DOMINANT CUTSETS FOR CONTAINMENT FAN COOLER SYSTEM

3. 7 .1 -1 INPUT DATA FOR START-UP FEEDWATER SYSTEM 3.7.1-2 DOMINANT CUTSETS FOR START-UP FEEDWATER SYSTEM 3.7. 2-1 INPUT DATA FOR EFWS O 3.7.2-2 3.7.2-3 EFWS UNAVAILABILITY EFWS DOMINANT CUTSETS

3. 8-1 INPUT DATA FOR BSI 3.8-2 BSI UNAVAILABILITY AND DOMINANT CUTSETS

3. 9-1 INPUT DATA FOR STEAM GENERATOR OVERFILL PROTECTION SYSTEM 3.9-2 DOMINANT CUTSETS FOR SG OVERFILL PROTECTION SYSTEM 3.10.2-1 COMPONENT IDENTIFICATION CODE 3.10.2-2 FAILURE MODES 3.10.3-1 COMMON CAOSE FAILURE TYPES

( 3.10.3-2 EQUATIONS FOR COMMON CAUSE CALCULATIONS 3.10.4-1 HUMAN ERROR DATA BANK FOR FAULT TREE ANALYSIS 3.10.5-1 SPECIALI7ED COMPONENT MAINTENANCE FREQUENCY DATA 3.10.5-2 PRIOR DISTRIBUTION FOR MEAN DURATION OF MAINTENANCE 3.10.5-3 MAINTENANCE UNAVAILABILITIES 3.10.6-1 SUPPORT STATES 3.10.7-1 MASTER DATA BANK 3.11-1 OPERATOR ACTION FAILURE PROBABILITIES 3.12-1 LONG TERM COOLING FAILURE PROBABILITIES s 4.1 -1 DATA USED IN SUPPORT STATE PROBAilLITY QUANTIFICATION 4.1 -2 SUPPORT STATE PROBABILITIES 4.1 -3 MAJOR CONTRIBUTORS TO SUPPORT STATES 4.1 -4 EVENT TREE NODE QUANTIFICATION 4.2-1 PLANT COREMELT FREQUENCY AND ITS CONTRIBUTORS

4. 3-1 DOMINANT ACCIDENT SEQUENCES 4.3-2 PERCENT CONTRIBUTION OF DOMINANT ACCIDENT SEQUENCES 4.3-3 IMPORTANCE RANKING OF EVENT TREE N0 DES v

W APWR-PSS June,1985 5966Q:10

LIST OF TABLES (Continued)

O 4 . 4 -1 SENSITIVITY ANALYSIS SUMMkRY 4.4-2 ACCIDENT SEQUENCES FOR CASE 1 4.4-3 COREMELT CONTRIBUTORS FOR CASE 1 4.4-4 O 4.4-5 ACCIDENT SEQUENCES FOR CASE 2 COREMELT CONTRIBUTORS FOR CASE 2 4.4-6 ACCIDENT SEQUENCES FOR CASE 3 4.4-7 COREMELT CONTRIBUTORS FOR CASE 3

/' 4.4-8 ACCIDENT SEQUENCES FOR CASE 4

~4.4-9 COREMELT CONTRIBUTORS FOR CASE 4 4.4-10 ACCIDENT SEQUENCES FOR CASE 5 4.4-11 COREMELT CONTRIBUTORS FOR CASE 5 4.4-12 ACCIDENT SEQUENCES FOR CASE 6 4.4-13 COREMELT CONTRIBUTORS FOR CASE 6 4.4-14 ACCIDENT SEQUENCES FOR CASE 7 4.4-15 COREMELT CONTRIBUTORS FOR CASE 7 4.4-16 ACCIDENT SEQUENCES FOR CASE 8 4.4-17 COREMELT CONTRIBUTORS FOR CASE 8 l

O l

l O

l vi l

W APWR-PSS June,1985 5966Q:1D l t

LIST OF FIGURES 2.1 -1 APWR GENERIC EVENT TREE 2.1 -2 SUPPORT STATE MODEL

2. 2-1 APWR TRANSIENT EVENT TREE D 2.2-2 APWR LOSS OF OFF SITE POWER EVENT TREE 2.2-3 APWR STEAM GENERATOR TUBE RUPTURE EVENT TREE 2.2-4 APWR SECONDARY SIDE BREAK EVENT TREE 2.2-5 APWR SMALL LOCA EVENT TREE s 2.2-6 APWR LARGE LOCA EVENT TREE 2.2-7 APWR'5TWS EVENT TREE 2.2-8 APWR INTERFACING SYSTEMS LOCA EVENT TREE 2.2-9 APWR VESSEL FAILURE EVENT TREE 2.2-10 APWR LOSS OF AUXILIARY COGLING EVENT TREE 3.1 -1 FAULT TREE FOR ON-SITE EMERGENCY POWER SYSTEM

3. 3-1 SERVICE WATER-COMPONENT COOLING WATER SYSTEM DIAGRAM 3.3-2 FAULT TREE FOR THE SW-CCW SYSTEM 3.4-1 INTEGRATED SAFEGUARDS SYSTEM NORMAL VALVE ALIGNMENT 3.4-2 FAULT TREE FOR ISS SMALL LOCA 3.4-3 FAULT TREE FOR ISS LARGE LOCA

3. 5-1 CONTAINMENT SPRAY SYSTEM DIAGRAM 3.5-2 FAULT TREE FOR CONTAINMENT SPRAY SYSTEM j 3. 6-1 CONTAINMENT FAN COOLER SYSTEM DIAGRAM 3.6-? FAULT TREE FOR CONTAINMENT FAN COOLER SYSTEM

3. 7-1 START-UP FEE 0 WATER SYSTEM DIAGRAM 3.7-2 FAULT TREE FOR THE START-UP FEEDWATER SYSTEM

3. 7. 2-1 10 EMERGENCY FEEDWATER SYSTEM DIASRAM 3.7.2-2 FAULT TREE FOR EMERGENCY FEEDWATER 3.8-1 BACK-UP SEAL INJECTION SYSTEM DIAGRAM 3.8-2 FAULT TREE FOR BACK-UP SEAL INJECTION SYSTEM

3. 9-1 STEAM GENERATOR OVERFILL PROTECTION SYSTEM DIAGRAM 3.9-2 FAULT TREE FOR THE STEAM GENERATOR OVERFILL PROTECTION SYSTEM DIAGRAM 3.10.2-1 LOGIC MODULE MDP FOR MOTOR DRIVEN PUMP 3.10.2-2 LOGIC MODULE TDP FOR TURBINE DRIVEN PUMP b

vii W APWR-PSS June,1985 59660:10

LIST OF FIGURES (Continued) 3.10.2-3 LOGIC MODULE MOV FOR MOTOR-OPERATED VALVE NOT REQUIRED TO MOVE 3.10.2-4 LOGIC MODULE MV FOR MOTOR-OPERATED VALVE FAILS TO MOVE 3.10.2-5 O LOGIC MODULE SV FOR SOLEN 0ID-0PERATED VALVE NOT REQUIRED TO MOVE 3.10.2-6 LOGIC MODULE SV FOR SOLEN 0ID-OPERATED VALVE FAILS TO MOVE 3.10.2-7 LOGIC MODULE A0V FOR AIR-0PERATED VALVE NOT REQUIRED TO MOVE 3.10.2-8 LOGIC MODULE AV FOR AIR-0PERATED VALVE FAILS TO MOVE O 3.10.2-9 LOGIC MODULE CV FOR CHECK VALVE 3.10.2-10 LOGIC' MODULE XV FOR MANUAL VALVE 3.10.2-11 LOGIC MODULE HX FOR HEAT EXCHANGER 3.10.2-12 LOGIC MODULE TK FOR TANK 3.10.2-13 LOGIC MODULE TM FOR TRAIN TEST AND MAINTENANCE 3.10.2-14 LOGIC MODULE FTR FOR FAILURE TO RESTORE FOLLOWING TEST AND MAINTENANCE 3.10.2-15 ELECTRICAL FAULT SYSTEM BOUNDARIES FOR MOV 3.10.2-16 ELECTRICAL FAULT SYSTEM BOUNDARIES FOR SOV AND A0V 3.10.3-17

~

ELECTRICAL FAULT SYSTEM BOUNDARIES FOR MDP 3.10.3-1 COMMON CAUSE IN A FAULT TREE 3.10.3-2 PLACEMENT OF COMMON CAUSE AT COMPONENT LEVEL O

O O viii W APWR-PSS . lune, 1985 5966Q:10

O V

0.

SUMMARY

OF PLANT COREMELT ANALYSIS This module contains the plant coremelt analysis of the Westinghouse Advanced PWR (WAPWR) design. The point estimate (mean value) plant coremelt analysis is carried out for. internal initiating events.

O This module will be complemented by three more modules which will contain the

core and containment analysis, consequence analysis, and the plant risk and uncertainty analysis.

0.1 PLANT DESIGN FEATURES AND SYSTEM RELIABILITIES 0.1.1 PRIMARY SYSTEMS A. Reactor Coolant System The RCS of the APWR includes a reactor vessel with greater internal volume than standard W-PWR vessels. The increased quaritity of water above the core provides a longer period of time before core uncovery i

following both a loss of secondary cooling and a small LOCA.

B. Core Reflood Tanks Four tanks with low pressure nitrogen coverage that inject into the RCS vessel through high resistance lines assist the HHSI in reflooding the core following a large LOCA. These tanks eliminate the need for active low head SI pumps.

O C. ISS Four high head pumps that inject through their own RCS vessel connections provide emergency core cooling for the full range of LOCAs and provide RCS makeup and boration for all non-LOCA events. Only one of these four pumps is required for small LOCAs and " feed and bleed" 1

cooling. No valve realignment is required for initial injection or recirculation.

W APWR-PSS 0-1 . lune, 1985 5966Q:10

4

( D. Emergency Water Storage Tank

. The water supply for the Emergency Core Cooling System and Containment Spray System is located in the basement of the containment. Thus, no switchover fro.Yan injection mode to recirculation mode is required.

The EWST also provide's a means to reduce the containment cleanup resulting from discharge f rom the pressurizer relief ' tank rupture disc, the 'not leg vent path, or the SG overfill paths. The location r' ' inside the containment provides security and a higher minimum k temperature which reduces vessel thermal shocks due to SI.

E. Hot Leg Vents Two vent linc.s are provided on the RCS hot legs to provide emergency boration and ?,n alternate bleed path for core cooling and reactor coolant system depressurization. These lines vent into the emergency water storage tank.

F. Interfacing Systems LOCA The RHR/ CSS system piping has been arranged such that the frequency of a rupture of system piping outsitte containment due to exposure to full RCS pressure has been reduced.' The most likely cause of an exposure to RCS pressure 1,s the spurious failure of both series RHR letdown isolation valves. 'ihe system is arranged such that should the RHR isolation valves fail the RCS pressure would be relieved through the RHR puinp suction line back into containment. An ex-containment rupture is assumed if the nonnally open RHR pump suction isolation valve is inadvertently closed.

t G. Charging Pumps P

The APWR charging system is not used to mitigate design basis LOCAs.

However, it does have substantial RCS ma'ceup capability, it is ANS-3 with 1-E motors, and it is automatically loaded on the emergency diesels in the case of loss of offsite power without an "S" signal.

! O,' W APWR-PSS 0-2 . lune, 1985 59660:10 I

I l

i H. Back-up Seal Injection.

The CVCS contains a back-up seal injection pump which automatically provides RCP seal cooling in the event of loss of normal seal  !

injection and CCWS thermal barrier cooling. This pump is a control v grade positive displacement pump with a DC motor that receives power from a dedicated diesel motor /DC generator set. Power is also available from control grade DC system. The pump does not require AC or DC power (aside from its self-contained diesel generator set) or O support sys ens such as CCWS or HVAC.

I. Alternate Core Cooling Means In addition to normal alternate core cooling means (SFWS, EFWS) and their back-up (RCS feed / bleed with HHSI), there are several other possibilities. Examples of these are RCS feed and bleed with charging pumps, RCS depressurization and feed and bleed with RHR pumps, and SG feed by main feedwater or condensate pumps. For the most part these means are not considered in the WAPWR PRA analysis. However, for core l

cooling following a small 1.0CA with the failure of all four HHSI pumps

)

credit is taken for the operators opening the pressurizer PORY and aligning the RHR pumps to inject into the RCS. In this case the larger APWR RCS and accumulator volumes give the operator the capability of keeping the core from overheating during the '

depressurization to the RHR pump delivery pressure of < [ _

] psig. (a c) 0.1. 2 SECONDARY SYSTEMS O A. Emergency Feedwater System The emergency,'feedwater system contains four pumps, two electric motor driven and two turbine driven. Any one of the pumps is j sufficient to remove decay heat through the S.G. The turbine

- driven pumps start upon the opening of a steam inlet air-operated fail-open valve. This valve opens upon the loss of air supply or DC power to either of two solenoid valves. System actuation is ,

automatic upon receipt of an S signal or following a loss of W APWR-PSS 0-3 June, 1985 5966Q:10 i

e start-up feedwater system or is manual. The turbine driven pumps do not require any AC or DC power or any support systems such as CCW or HVAC.

B. Start-up Feedwater System

, A single non-safety' class pump driven by a 1E motor, taking suction from either the condenser hotwell or a deaerating heater, provides the , normal feedwater function following reactor trip.

The system bypasses the main feedwater control valves, but shares O the main feed isolation valving. Automatic actuation occurs upon low ste'am generator, level. The system is provided to minimize challenges to the Emergency Feedwater System and to minimize thermal transients on the steam generator and piping.

E C. Steam Generator Overfill Protection Each steam generator is provided with an automatic drain system to prevent high steam generator level and possible water passage in the main steam lines. Two safety grade parallel valves are opened upon indication of high-high SG 1evel, and closed on a lower level. The drain path is - into the EWST. This system greatly reduces the dependence on operator action to mitigate SGTR.

0.1.3 AUXILIARY SYSTEMS

. A. Diesel Generators Two essential service diesel geneators are provided for back-up emergency power to safeguards loads following a loss of offsite AC power.

B. Component Cooling Water System / Service Water System E

The APWR CCWS and SWS are two subsystem designs that are not interconnected. Therefore, for events such as CCWS or SWS pipe W APWR-PSS 0-4 . lune, 1985 59660:10

O breaks or excessive heat input post-large LOCA only one subsystem can be affected.

0.2 WAPWR PLANT ANALYSIS METHODOLOGY O The large event tree, small fault tree approach was utilized in this analysis. A major effort was expended on minimizing the complexity of the analysis in two ways:

a. Identification and standardization of component modular fault trees, allowing full. system fault trees to be compiled from a standard set of segments. This facilitates review of the fault trees and assures consistent treatment of like faults between systems and analysts. It also assures consistent use of the data base, with all fault trees developed to the same degree of detail,

b. Minimization of event tree sequences by both reducing the number of events analyzed and the number of sequences addressed by each event tree. Reduction in the events analyzed in the study was facilitated by the WAPWR design, which provides for similar plant response to different initiating events. For example, ECCS operational parameters eliminate the event Medium LOCA, which placed special requirements on older design systems. Similarly, analysis of plant transients includes all anticipated and design basis events that lead to reactor trip but not necessarily to generation of an S signal.

A further simplification was the minimization, where practical, of

, event tree sequences. It was the intent of this procedure to minimize i' '

• the number of sequences whose frequency was about five (5) orders of magnitude below the total frequency for each of the associated core damage categories. This method was not extremely effective, as some

-20 sequences with frequencies of 10 still result. Where simplification was possible, a conservative approach to categorization was taken, grouping the sequences with higher-consequence core damage

categories than might result if further analysis of the sequence were to be performed.

I W APWR-PSS 0-5 June,1985

59660

10 1

2

- * - ryw w w--, v w-w--,y-e-----

nw-e------9-,.e-- ,,-rww--**-----'-e +v*"

Further modeling methods and assumptions are described below:

0.2.1 SUPPORT STATE MODELING Engineered Safety . features systems have been divided into two groups for this study: front-line systems such as Emergency Feedwater and Integrated Safeguards, and Support systems. This latter group is comprised of the Diesel Generators and Class 1E AC distribution system, the Essential Service Water System, the Component Cooling Water System, and the Integrated Protection O System.

The availability of the support systems is explicitly modeled in the event trees. Three possible states are addressed: 1. Both f ront-line trains of equipment have electric power, cooling water flow, and actuation signals deliuered to active components: 2. Only one train of each front-line system i has every support system available; and 3. No front-line systems are receiving support f rom all support systems. Thus, the failure of any support system, be it electric power, cooling water, or actuation results in a plant state with reduced front-line systems available for accident mitigation.

These states are modeled by the second node in each event tree, which shows three branches. The event tree structure following each branch reflects the availability of front-line systems, and the reliability of those systems, which is a function of support state, is changed in quantification of the event tree.

0.2.2 RECOVERY OF AC POWER Recovery of AC power sources is modeled in both the short-term and in the O long-term. Short-term recovery is modeled as both restoration of offsite power sources and repair of the onsite diesel generators. Short-term recovery is modeled as occurring before dry-out of the steam generators following reactor trip, which is very conservatively assumed to be 40 minutes. If short-term recovery of AC power fails, then long-term recovery of offsite power is modeled. Recovery of the of fsite grid af ter 40 minutes but before core uncovery, which is roughly between two and three hours after reactor trip, will enable the safeguards systems to prevent core damage. Onsite W APWR-PSS 0-6 June,1985 5966Q:10

l t

recovery is not addressed in the long-tem. Furthermore, operator actions to depressurize the primary system in order to use the accumulators and core reflood tanks, thus delaying core damage, are not addressed.

0.2.3 RCP SEAL LOCA O

Upon loss of both RCP seal injection and thermal barrier cooling, it is assumed to be equally probable that a consequential seal LOCA resulting in core uncovery and damage will occur as not. This is a conservative assumption O since the chance of a seal leak of sufficient magnitude to uncover the core before recovery of offsite power is considered to be small.

0.2.4 COMMON CAUSE FAILURE ANALYSIS The beta factor method was used to model conunon cause failure of redundant components. A mean value of 0.1 for the failure of a second component given that the first has failed was used for all active pumps and valves in all systems. In order to address the use of four redundant components in many systems, it was assumed that adding two active components in parallel to a i normal two component system would only decrease the unreliability of the j overall system by an order of magnitude. This method implicitly applies conditional failure probabilities of 0.2 and 0.5 to the third and fourth trains, respectively, i

0.2.5 TEST AND MAINTENANCE Test unavailability of systems was based on testing intervals and durations

(. peculiar to the system analyzed, drawing on technical specification requirements of other Westinghouse PWRs.

Maintenance unavailability was derived from previous operating experience at several Westinghouse PWR facilities. The mean frequency of maintenance of system components was assumed to be the average values achieved in these similar plants, thus reflecting differing component reliabilities and utility maintenance practices.

O M APWR-PSS 0-7 . lune, 1985

[ 59660:1D l

l

. - _ _ . = _ . _ . - _ - _ - - - - . - - - . -.

I l

l 0.2.6 ANALYSIS OF OPERATOR ACTIONS l A scoping study of operator actions was performed in this analysis, where the unreliability of the operator under any given set of circumstances was assumed

-3 to be no less than 5.0 x 10 . Due to the dominance of the failure to properly diagnose plant conditions, a detailed study of operator acts of omission and connaission was not perf orined. Based on stress levels extant during degraded conditions of the plant, operator unreliability increased with increased complexity of the actions and increased with decreasing time available to carry out those actions. It was also assumed that increased practice under simulator training and detailed procedural preparation would increase the reliability of the operator in certain actions, for example, establishing feed and bleed cooling. However, justification of a reliability in excess of 0.995 was not attempted. As a result, for this study an operator reliability of 5 x 10'3 is only assumed for opening the pressurizer PORVs to establish " feed and bleed"; all other operator actions are more complicated, have higher stress, or shorter available time and therefore are assumed tu

~

have a reliability of 1 x 10 .

0.3

SUMMARY

OF PLANT COREMELT QUANTIFICATION The breakdown of the total plant coremelt frequency by support states (availability of AC power, Service Water / Component Cooling Water Cooling, etc.) indicates that the loss of support sytems (mainly the AC power) contributes significantly to the coremelt frequency:

Suncort State Coremelt Contribution O Support Systems Available:

(c.e) Only One Front Line Train Supported:

No Front Line Trains Supported:

Dec ) The total plant coremelt frequency for the WAPWR is [ ']. See Section 4.2.

O M APWR-PSS 0-8 June, 1985 5966Q:10

1 0.3.1 DOMINANT ACCIDENT SEQUENCES  ;

The dominant accident sequences and their contributions to the total plant coremelt are given below:

1 Event Seouence 5 Contribution

~ ~

(a.e)

O i,

lO l

l O .

O W APWR-PSS 0-9 une, 1985 5966Q:10

1 1

1 1

1 i

1 i

Event Seouence 5 Contribution )

I I (e c) l

\

)

i i l l

1 i l

l '

t i

a i

I i

e 1

i 4

J i

A 4

I i

4 j M APWR-PSS 0-10 -

June, 1985 l

5966Q:10 4

.I

_ _ _ _ _ _ _ , _ - - _ _ . _ _ . _ _ _ _ _ _ _ _ . _ _ _ _ , _ _ _ _ . . _ . - _ . _ _ . _ . , _ . ~ . . , _ s,.___,..__, _, _,_

.. .=_- --.-.- ..

Event Seauence  % Contribution (a,c)

O O

0.3.2

SUMMARY

OF SYSTEM IMPORTANCES The event tree nodes and support systems also ranked according to their contribution to the total plant coremelt frequency:

System Imoortance i ~

(a,c) i This importdnce measure can be interpreted as follows: in the abo e list, if the diesel generator failure probability can be reduced to effectively 0, then the plant coremelt frequency can be reduced by [49%) of its original value. (a,c) .

Note that this argument only holds for one system at a time; it does not hold

. for simultaneous changes in reliability o'f multiple systems.

W APWR-PSS 0-11 June,1985 l

59660:10 i

- - -- -.- -... . - _ - ,.._.- - - .-.- - . . - _ .--., ,, . , . , - - . , - - - . , , - - . . ,