ML20128L847
| ML20128L847 | |
| Person / Time | |
|---|---|
| Site: | 05000601 |
| Issue date: | 06/28/1985 |
| From: | WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML19304B194 | List: |
| References | |
| NUDOCS 8507110473 | |
2.0 ACCIDENT SEQUENCE MODELING

This section contains the accident sequence modeling by use of event trees for each of the initiating events developed in Section 1.0.

2.1 EVENT TREE GUIDELINES

Event trees used in this study are based on a generic event tree logic as shown in Figure 2.1-1. The availability of the essential support systems is placed immediately following the initiating event, followed by the availability of the needed short term cooling. The reason for this arrangement is to simplify the analysis of the event tree, since in the absence of the support system and the short term cooling, early core melt is assumed to take place, thus eliminating the need to proceed further down into the tree. Modeled after the support systems are, in progression, short term cooling, operator actions, containment cooling and long term recirculation cooling.

Notice in Figure 2.1-1 that there are three branchings at the node for the support system. The top branch represents that both trains of support systems are available, labeled as SS2 in this study. The middle branch, SS1, represents that only one train of the support systems is available, causing its associated front line systems to be inoperable. The bottom branch, SS0, represents the failure of both trains of the support systems such that all front line systems dependent on the development of the support system are inoperable. See Section 2.1.7 for further detail on the support states.

The next node is the availability of the required short term cooling. This function is normally carried out by either secondary cooling or the Integrated Safeguards Systems (ISS) when primary integrity is lost.

Following the short term cooling node is the node for operator actions (OA). The types of actions are different for different initiating events, and are described in detail in the event tree Sections 2.2.1 through 2.2.10, inclusive.
W APWR-PSS 2-1 June,1985 5928Q:10 8507110473 850628 PDR ADOCK 05000601 K
The last two types of nodes model the containment safeguards function and long term cooling (LTC). Containment safeguards include containment spray, which quenches steam released to containment and scrubs radionuclides from the containment atmosphere, and Containment Fan Cooling, which provides an alternate path for removing reactor decay heat.

Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the Loss of Offsite Power. Long term cooling is typically supplied by the Residual Heat Removal (RHR) system. In the APWR design, however, the safety injection pumps might also be used if the primary system is breached. Thus, primary coolant would circulate from either the hot leg (RHR) or the EWST (ISS), through the CCW-cooled heat exchangers, and back to the cold legs. The LTC node encompasses all operator actions and equipment availability needed to perform this function. Due to shared functions and the operation of other systems, this node is divided into three states as follows:

LTC1 - This node comprises a normal cooldown of the RCS by use of the auxiliary feedwater system to cold shutdown conditions.

LTC2 - This node represents long term core heat removal following a consequential small LOCA. Due to successful safety injection and containment fan cooler (CFC) operation, success is limited to continued feed and bleed cooling. Other methods of heat removal include auxiliary feedwater and use of the RHR heat exchangers, but these methods are not modeled.

LTC3 - This node represents long term core heat removal following a consequential small LOCA and a failure of the containment fan coolers (CFC). Heat removal is accomplished by continued safety injection with component cooling water flow aligned to at least one RHR heat exchanger.

Detailed definitions of the nodes for a particular initiating event are given in the section concerning that initiating event. The core melt definitions are given in Section 2.1.4.

A total of ten initiating events have been investigated in this study, and are listed in Section 2.1.1. In Section 2.1.2, the definitions of the nodes used throughout the event tree analysis are presented.
2.1.1 EVENT TREES

An event tree has been constructed for each of the following initiating events:

| EVENT TREE # | SYMBOL | INITIATING EVENT CATEGORY | REPORT SECTION |
|---|---|---|---|
| 01 | TRA | TRANSIENTS | 2.2.1 |
| 02 | LSP | LOSS OF OFFSITE POWER | 2.2.2 |
| 03 | SGR | STEAM GENERATOR TUBE RUPTURE | 2.2.3 |
| 04 | SSB | LARGE SECONDARY SIDE BREAK | 2.2.4 |
| 05 | SLO | SMALL LOCA <6" | 2.2.5 |
| 06 | LLO | LARGE LOCA >6" | 2.2.6 |
| 07 | ATW | ATWS | 2.2.7 |
| 08 | ISL | INTERFACING SYSTEMS LOCA | 2.2.8 |
| 09 | VEF | VESSEL FAILURE | 2.2.9 |
| 10 | LC1 | TOTAL LOSS OF AUXILIARY COOLING | 2.2.10 |

The time frame for modeling of events is restricted to 24 hours following the initiating event. The support states will be explicitly modeled in the event trees.

2.1.2 EVENT TREE NODE DEFINITIONS

The following event tree nodes are used in the accident sequences. Refer to Table 2.1-2 for a detailed breakdown of system requirements for operation.
| NODE | DEFINITION |
|---|---|
| SC1 | EMERGENCY FEEDWATER FOLLOWING LOSS OF OFFSITE POWER OR SAFETY INJECTION: EVENTS SLO, LSP, LC1 |
| SC2 | EMERGENCY FEEDWATER FOLLOWING EVENTS INVOLVING A FAULTED STEAM GENERATOR: EVENTS SSB, SGTR |
| SC3 | EMERGENCY FEEDWATER FOLLOWING ANTICIPATED TRANSIENTS WITHOUT SCRAM |
| SC4 | START-UP AND EMERGENCY FEEDWATER FOLLOWING TRANSIENTS |
| SI1 | INTEGRATED SAFEGUARDS AVAILABLE FOR SLO, LSP, TRA, SGR, and SSB |
| SI2 | INTEGRATED SAFEGUARDS AVAILABLE FOR LARGE LOCA EVENT AND ISL |
| CSP | CONTAINMENT SPRAYS AVAILABLE |
| CFC | CONTAINMENT FAN COOLERS AVAILABLE |
| LTC | LONG TERM COOLING AVAILABLE |
| OFB | OPERATOR ACTION: FEED AND BLEED OPERATION |
| OST | OPERATOR ACTION: STABILIZE RCS PRESSURE OR ESTABLISH FEED AND BLEED COOLING |
| ORT | OPERATOR ACTION: MANUAL REACTOR TRIP |
| OLT | OPERATOR ACTION: LONG TERM SHUTDOWN |
| LCO | CONSEQUENTIAL LOCA DOES NOT OCCUR |
| SLL | SEAL LOCA DOES NOT OCCUR |
| REC | RECOVERY OF AC/SIGNAL BEFORE COREMELT FOR TRANSIENT EVENTS |
| ACR | AC POWER RECOVERY AFTER 40 MINUTES AND BEFORE CORE MELT |
| ACC | ACCUMULATORS AVAILABLE |
| PRR | ATWS PRIMARY PRESSURE RELIEF OCCURS |
| CON | ISL EVENT OCCURS IN CONTAINMENT |

2.1.3 EVENT TREE SUCCESS CRITERIA DEFINITIONS

In each event tree, certain criteria are established that must be satisfied in order to prevent core melt. These criteria deal with system functions to: 1) maintain primary inventory control; and 2) remove reactor decay heat. Thus, following all initiating events that do not include a breach of the primary coolant boundary, seal injection from either the charging system (normal) or from the back-up seal injection system (blackout or loss of offsite power) and the back-up feedwater systems, start-up feedwater or emergency feedwater, are required.

If a loss of primary coolant occurs from either an initiating event (LOCA, SGTR) or from a consequential failure following an event, then the Integrated Safeguards System high head injection is required.

Long term cooling may be provided by either: 1) continued emergency feedwater flow; 2) ISS injection through the RHR heat exchangers; or 3) ISS injection with decay and sensible heat removed by the containment fan coolers.
2.1.4 CORE MELT CATEGORIZATION

The event tree analysis presented in this report identifies the results of events affecting reactor and turbine-generator availability and subsequent failures of safeguards systems. To preserve core integrity, certain functions must be achieved following an event: shutdown of the reactor and reactor decay heat removal. Multiple systems and methods are available to carry out these functions, and these systems are explicitly analyzed by the event tree. However, when different systems fail, it is possible that core damage will occur.

For this analysis, once conditions have been identified by an event tree sequence that might yield core damage, core melt is postulated. Neither recovery of systems nor use of emergency non-essential safeguards methods that hypothetically could be attempted by the operators are addressed.

Four different modes of core melt are modeled:

Small LOCA (S) - this category is comprised of core melt following a small break of primary system piping, where a release path directly to the containment atmosphere exists.

Transient (T) - this category is characterized by release of primary inventory through the pressurizer relief and safety valves to the Emergency Water Storage Tank. This release path mitigates the containment pressure response and provides very efficient scrubbing of radionuclides from the primary coolant.

Large LOCA (A) - this release category is characterized by a rapid depressurization of the RCS, core uncovery and melt, such as could follow a rupture of large coolant piping or the reactor vessel.

V Sequence (V) - this release follows an interfacing systems LOCA outside containment.

SGTR Release (V2) - this release category is also a bypass of containment, with primary coolant being discharged from steam generator relief or safety valves.

The timing of the core melt is also addressed, reflecting the effects of decay on the core inventory of short-lived radioisotopes. Two times are modeled:

Early Melt (E) - occurs within the first four hours following the initiating event.

Late Melt (L) - occurs between four and twenty-four hours following the initiating event.

Finally, the availability of containment safeguards systems, containment sprays and containment fan coolers, is addressed to model containment response and the availability of radionuclide scrubbing from the containment atmosphere.

Containment Spray (C) - containment sprays available.

Containment Fan Coolers (F) - fan coolers available.

The release categories developed with the above defined parameters are summarized in Table 2.1-1.
2.1.5 NODE SUCCESS CRITERIA DEFINITIONS

In this section, success criteria for each event tree node, as defined in Section 2.1.2, are summarized. The success criteria are used in Section 3.0 to establish the failure criteria for fault tree analysis. Table 2.1-2 presents a complete set of the success criteria, operator action requirements, and system dependencies for each node defined below.

EMERGENCY FEEDWATER SYSTEM AND SECONDARY COOLING

| NODE | SUCCESS CRITERIA |
|---|---|
| SC1 | At least one out of four Emergency Feedwater System (EFWS) pumps delivering flow to at least one steam generator and secondary cooling. This node appears in the LSP, SLO and LC1 event trees. |
| SC2 | At least one out of four EFWS pumps delivering flow to at least one steam generator and secondary cooling. This node appears in the SSB and SGTR event trees. |
| SC3 | At least two out of four EFWS pumps delivering flow to all four steam generators and secondary cooling. This node appears in the ATWS event tree. |
| SC4 | The Start-up Feedwater System supplying all four steam generators, or the emergency feedwater system (1 pump of 4) feeding at least one steam generator. This node applies to the transient event. |

PRIMARY COOLING

| NODE | SUCCESS CRITERIA |
|---|---|
| SI1 | At least one out of four SI pumps delivering flow to one RCS leg |
| SI2 | At least five out of eight trains of combined CRT-ISS pumps delivering flow to at least one intact RCS leg |
| ACC | Successful discharge of two-out-of-three accumulators into the three intact RCS loops |

CONTAINMENT COOLING

| NODE | SUCCESS CRITERIA |
|---|---|
| CSP | One-out-of-four containment spray pumps delivering flow to the containment |
| CFC | One-out-of-four fan coolers shift to low speed operation |

LONG TERM COOLING

| NODE | SUCCESS CRITERIA |
|---|---|
| LTC | Long term cooling of the RCS is maintained through either: 1. maintaining secondary cooling for 24 hours; 2. One SI pump and RHR heat exchanger cooling; 3. One SI pump and fan cooler cooling |

POWER RECOVERY

| NODE | SUCCESS CRITERIA |
|---|---|
| ACR | Recovery of off-site power after 40 minutes and before core melt |

AC/SIG RECOVERY

| NODE | SUCCESS CRITERIA |
|---|---|
| REC | Recovery of off-site power after 40 minutes and before core melt or operator actuation of Engineered Safety Features systems after failure of the IPS. |

OPERATOR ACTIONS

| NODE | SUCCESS CRITERIA |
|---|---|
| OFB | Operator actions for feed and bleed cooling of the RCS depend on the initiating event, and are generally required only following a loss of secondary cooling. To initiate this cooling mode, the operator need only open one or more of the pressurizer PORVs or the hot leg vents. ISS, if not previously actuated, will be automatically started on low pressurizer pressure. |
| OST | Following a SGTR the operator terminates the RCS leak through a series of actions that include cooldown of the RCS via SG steam release, isolation of faulted SG, and depressurization of the RCS. |
| ORT | Manual generation of reactor trip signal and the insertion of the control rods within one minute following an anticipated transient without scram. |
| OLT | Operator actions to start and maintain long term shutdown, bringing the core subcritical within 3 hours with any one of the following: a) De-energize rods or drive them into the core with CRDMs; b) CVCS boration for 3 hours; c) ISS boration for 3 hours. This action is necessary only when the reactor is not shut down by manual reactor trip or automatic boration. |

ANTICIPATED TRANSIENTS WITHOUT SCRAM

| NODE | SUCCESS CRITERIA |
|---|---|
| PRR | Probability that the pressurizer pressure relief is sufficient in preventing RCS pressure from exceeding 3200 psig. Opening three safety valves and all PORVs. |

PLANT SUPPORT STATE

| NODE | SUCCESS CRITERIA |
|---|---|
| S01 | Support State Systems availability for Transient IE. |
| S02 | Support State Systems availability for loss of offsite power and interfacing systems LOCA IEs. |
| S03 | Support State Systems availability for steam generator tube rupture, secondary side break, large LOCA, small LOCA, ATWS, vessel rupture, and ISL IEs. |
| S04 | Support State Systems availability for loss of auxiliary cooling IE. |

OTHERS

| NODE | SUCCESS CRITERIA |
|---|---|
| LCO | Consequential LOCA does not occur. This event is used in the event trees for TRA and LSP. This LOCA usually refers to the opening of a PORV that does not reseat coincident with failures of the PORV block valve to automatically close, or to a stuck open pressurizer safety valve, or to a reactor coolant pump seal LOCA. |
| SLL | Seal LOCA does not occur. One positive displacement back-up seal injection pump delivering flow to the seals of each of the four reactor coolant pumps is assumed to prevent seal damage. If seal injection fails, seal LOCA may occur. |
| CON | The event that any breaks are within the containment. This event is used in the interfacing systems LOCA event tree. |
2.1.6 CONSEQUENTIAL FAILURE MODEL

In this section, the consequential failures following an initiating event are discussed as modeled in the event tree.

LCO: This event tree node represents the consequential small LOCA following a transient or a loss of offsite power event. The probability of such a small LOCA is dominated by stuck open pressurizer PORV and block valve, stuck open pressurizer safety valve, and reactor coolant pump seal LOCA events.

LSS: This node represents the consequential RCP seal LOCA that may follow a loss of all seal injection flow (from both charging and back-up seal injection) and loss of component cooling water flow to the thermal barrier coolers.

2.1.7 PLANT SUPPORT STATE MODEL

The failure of major support systems such as AC power, SWS, CCWS, etc. would lead to unavailability of all front line system trains associated with the failed support system train. The following systems are identified as major support systems.

1. Offsite AC power
2. Onsite AC power
3. Actuation signal (IPS)
4. SWS
5. CCWS

An event tree is constructed to classify the failure of one train (or division) of these major support systems as plant support states. The event tree is given by Figure 2.1-2.

Three major plant support states are defined from the event tree as follows:

SS2: All major support systems are available.

SS1: One train of any one of the major support systems has failed; thus one train (division) each of the associated front line systems is not available.

SS0: Combinations of failures of trains of support systems occur such that no front line system associated with the support systems is available.

For conservative modeling purposes, SS1 is similar to loss of one main emergency AC bus, out of two. This would lead to a loss of all front line system trains fed by that bus. SS0 is similar to loss of both main emergency AC buses.

The following event tree nodes are defined for support state modeling.

| NODE | DEFINITION |
|---|---|
| SSM | Initiating event occurred |
| OFP | Offsite power delivered to front line systems |
| ONP | Emergency onsite power delivered to front line systems |
| OFR | Offsite power recovered within 40 minutes |
| ONR | Onsite power recovered within 40 minutes |
| SIG | Actuation signal delivered to front line systems |
| S/C | Service water and component cooling water cooling available |

The support state event tree classifies the plant states in the following manner.

SS2: All support systems are available.

SS1:
- SS12: Only one train of front line systems is supported but AC power is present at both emergency buses. (Signal or cooling failure)
- SS11: Only one train of front line systems is supported and AC power is present at one emergency bus.

SS0:
- SS02: No SI actuation signal to front line systems; or no cooling for front line systems but AC power on both emergency buses.
- SS01: No SI signal or cooling for front line systems but AC power on one emergency bus.
- SS00: No SI or cooling or AC power for front line systems.

The effect of each of the above support states on front line systems is summarized in Table 2.1-3.
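The support state classification of Section 2.1.7, written out as a small classifier. This is an added example, not code from the study: the per-train model (a front line train is supported only when its emergency AC bus, actuation signal, and SWS/CCWS cooling are all present) and the names `Train`, `support_state`, `major_state` and `state_census` are assumptions, and power recovery within 40 minutes (OFR/ONR) is taken as already reflected in the bus status.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Train:
    """Support-system status for one of the two divisions (assumed model)."""
    ac_bus: bool   # emergency AC bus energized from offsite or onsite power
    signal: bool   # actuation signal (IPS) delivered to front line systems
    cooling: bool  # service water / component cooling water available

    @property
    def supported(self) -> bool:
        # Assumption: front line equipment on this train is usable only
        # when all three support functions are present.
        return self.ac_bus and self.signal and self.cooling


def support_state(train_a: Train, train_b: Train) -> str:
    """Return SS2, SS12, SS11, SS02, SS01 or SS00.

    The first digit is the number of front line trains still supported,
    the second the number of emergency buses with AC power, matching the
    definitions listed in Section 2.1.7.
    """
    trains = int(train_a.supported) + int(train_b.supported)
    buses = int(train_a.ac_bus) + int(train_b.ac_bus)
    if trains == 2:
        return "SS2"
    return f"SS{trains}{buses}"


def major_state(state: str) -> str:
    """Collapse a detailed state to the major state SS2, SS1 or SS0."""
    return state[:3]


def state_census() -> Counter:
    """Classify every combination of support failures on both trains.

    Shows how the 64 possible train-level combinations collapse into the
    six support states used by the front line event trees.
    """
    census = Counter()
    for bits in product([True, False], repeat=6):
        a, b = Train(*bits[:3]), Train(*bits[3:])
        census[support_state(a, b)] += 1
    return census


if __name__ == "__main__":
    ok = Train(ac_bus=True, signal=True, cooling=True)
    no_signal = Train(ac_bus=True, signal=False, cooling=True)
    dead_bus = Train(ac_bus=False, signal=True, cooling=True)
    for label, pair in [
        ("both trains healthy", (ok, ok)),
        ("signal lost on one train", (ok, no_signal)),
        ("one emergency bus lost", (ok, dead_bus)),
        ("signal lost on both trains", (no_signal, no_signal)),
        ("both emergency buses lost", (dead_bus, dead_bus)),
    ]:
        state = support_state(*pair)
        print(f"{label:28s} -> {state} (major state {major_state(state)})")
    print(dict(state_census()))
```
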
TABLE 2.1-1 COREMELT CATEGORIES

| SYMBOL | COREMELT CATEGORY IDENTIFICATION |
|---|---|
| SEFC | SMALL LOCA - EARLY COREMELT - BOTH CFC AND CSP AVAILABLE |
| SEF | SMALL LOCA - EARLY COREMELT - ONLY CFC AVAILABLE |
| SEC | SMALL LOCA - EARLY COREMELT - ONLY CSP AVAILABLE |
| SE | SMALL LOCA - EARLY COREMELT - NO CONTAINMENT SAFEGUARDS |
| SLFC | SMALL LOCA - LATE COREMELT - BOTH CFC AND CSP ARE AVAILABLE |
| SLF | SMALL LOCA - LATE COREMELT - ONLY CFC AVAILABLE |
| SLC | SMALL LOCA - LATE COREMELT - ONLY CSP AVAILABLE |
| SL | SMALL LOCA - LATE COREMELT - NO CONTAINMENT SAFEGUARDS |
| TEFC | TRANSIENT - EARLY COREMELT - BOTH CFC AND CSP AVAILABLE |
| TEF | TRANSIENT - EARLY COREMELT - ONLY CFC AVAILABLE |
| TEC | TRANSIENT - EARLY COREMELT - ONLY CSP AVAILABLE |
| TE | TRANSIENT - EARLY COREMELT - NO CONTAINMENT SAFEGUARDS |
| AEFC | LARGE LOCA - EARLY COREMELT - BOTH CFC AND CSP AVAILABLE |
| AEF | LARGE LOCA - EARLY COREMELT - ONLY CFC AVAILABLE |
| AEC | LARGE LOCA - EARLY COREMELT - ONLY CSP AVAILABLE |
| AE | LARGE LOCA - EARLY COREMELT - NO CONTAINMENT SAFEGUARDS |
| ALFC | LARGE LOCA - LATE COREMELT - BOTH CFC AND CSP AVAILABLE |
| ALF | LARGE LOCA - LATE COREMELT - ONLY CFC AVAILABLE |
| ALC | LARGE LOCA - LATE COREMELT - ONLY CSP AVAILABLE |
| AL | LARGE LOCA - LATE COREMELT - NO CONTAINMENT SAFEGUARDS |
| V | INTERFACING SYSTEMS LOCA - EARLY MELT - CONTAINMENT BYPASS |
| V2E | SGTR - EARLY COREMELT - CONTAINMENT BYPASS |
| V2L | SGTR - LATE COREMELT - CONTAINMENT BYPASS |
TABLE 2.1-2 EVENT TREE TOP NODE SUCCESS CRITERIA

| Top Event Description | Success Criteria | Operator Action | System Interactions | Run-Time |
|---|---|---|---|---|
| Emergency Feedwater and Secondary Cooling: SC1 | 1 of 4 EFW pumps to 1 of 4 SG. | None | 1) IPS System (Signal Actuation); 2) Electrical Power; 3) Main Steam System; 4) Component Cooling; 5) Essential Service Water System | 24 hours |
| SC2 | 1 of 4 EFW pumps to 1 of 3 intact SG. | Manual isolation of affected SG. | 1) IPS System (Signal Actuation); 2) Electrical Power; 3) Main Steam System; 4) Component Cooling; 5) Essential Service Water System | 4 hours |
| SC3 | 1 of 4 EFW pumps to 2 of 4 SG. | None | 1) IPS System (Signal Actuation); 2) Electrical Power; 3) Main Steam System; 4) Component Cooling; 5) Essential Service Water System | 4 hours |
| SC4 | SUFW to all 4 SG, or 1 of 4 EFW pumps to 1 of 4 SG. | None | 1) Main Steam System; 2) Offsite AC Power; 3) IPS; 4) Essential AC Power; 5) Component Cooling Water; 6) Essential Service Water | 24 hours |
| Integrated Safeguards System (ISS): SI1 | 1 of 4 high head ISS pumps to 1 of 4 cold legs | None | 1) IPS; 2) EWST; 3) Essential AC Power; 4) Component Cooling Water; 5) Essential Service Water | 4 hours |
| SI2 | 5 of 8 trains of high head ISS pumps and Core Reflood Tanks injecting to 1 of 3 intact cold legs | None | 1) IPS; 2) EWST; 3) Essential AC Power; 4) Component Cooling Water; 5) Essential Service Water | 4 hours |
| Containment Spray System CSP | 1 of 2 normally aligned pumps to spray header. | None | 1) IPS; 2) EWST; 3) Essential AC Power; 4) Component Cooling Water; 5) Essential Service Water | 24 hours |
| Containment Fan Cooling CFC | 1 of 4 Fan Coolers shift to low-speed operation | None | 1) IPS; 2) EWST; 3) Essential AC Power; 4) Component Cooling Water; 5) Essential Service Water | 24 hours |
| Accumulator Injection ACC | 1 of 3 Accumulators inject to primary system following a | None | None | |
| Long Term Cooling LTC1 | One of two RHR trains cold shutdown mode with | Manually Align | 1) Essential AC Power; 2) Component Cooling; 3) Essential Service Water | 20 hours |
| LTC2 | One of two SI pumps continuous injection for 20 hours | None | 1) Essential AC Power; 2) Component Cooling Water; 3) Essential Service Water; 4) EWST | 20 hours |
| LTC3 | One of two SI pumps and CCW to RHR exchanger | Operator aligns CCW to HX | 1) Essential AC Power; 2) Component Cooling Water; 3) Essential Service Water; 4) EWST | 20 hours |

TABLE 2.1-2 (Continued)

ATWS Primary Three safety valves and None - 1) Containment Isola-6 hours does not Injection pump must Alignment tion Valves occur provide flow to all SLL 4 RCPs

| Top Event Description | Success Criteria | Operator Action | System Interactions | Run-Time |
|---|---|---|---|---|
| Consequential LOCA does not occur LCO | Pressurizer valves do not fail open and all RCP seals maintain integrity | None | 1) Pressurizer Pressure Control | 24 hours |
| Steam Generator Overfill Protection SOF | 1 of 2 solenoid operated valves must open on high-high SG level | None | 1) Control Power; 3) EWST | 24 hours |
| Interfacing Systems LOCA occurs CON | Open path from RHR return line isolation valves to the EWST | None | 1) Residual Heat Removal; 2) Containment Spray; 3) EWST | |
| OPERATOR ACTIONS: Feed and Bleed OFB | 1 or more valves open: PORV or hot leg vents | Operator recognizes that Secondary Cooling is not functioning, and opens vent pathways. Operators should also either start the ISS pumps or verify automatic actuation | 1) Control Power; 2) EWST; 3) IPS | 4 hours |
| Stabilize RCS Pressure OST | Reduce primary system pressure to terminate primary to secondary leakage following SGTR. Alternatively, if the operator cannot reduce pressure, he may initiate feed and bleed cooling | Operator recognizes SGTR event, initiates rapid cooldown/depressurization by use of: a) PORV; b) PZR spray (if RCP available); c) hot leg vents; d) reducing set pressure on atmospheric dump valves on unaffected SG. See also Feed and Bleed, above. | 1) Control Power; 2) PZR Spray, RCPs; 3) Emergency Feedwater; 4) IPS; 5) ISS | 4 hours |
| Manual Reactor Trip ORT | Manual generation of Reactor Trip Signal and insertion of control rods | Actuate trip within the first minute of the ATWS | None | |
| Long Term Shutdown OLT | Manual Boration of primary system via charging or ISS | Operator must align pumps with suction from borated water source to primary system | 1) Charging; 2) IPS; 3) ISS; 4) EWST | 3 hours |
| AC Power Recovery ACR | Recover any source of offsite AC power to an essential bus | Operator action depends upon cause, but may entail offsite communications and onsite effort to restore equipment | 1) Essential AC Power; 2) DC Power; 3) Offsite AC Power | 3.5 hours |
| AC/SIG Recovery | Recover offsite power or actuate ESF | Operator action depends upon include recovery of an off-site power source and to manual actuation of equipment | 1) Essential AC Power; 3) Offsite AC Power | |
TABLE 2.1-3 EFFECT OF SUPPORT SYSTEMS ON FRONT LINE TRAIN AVAILABILITIES

| Front Line Systems | }H | 11 | SS00 |
|---|---|---|---|
| EFWS | 4 pumps | 3 pumps | 2 pumps |
| ISS | 4 pumps | 2 pumps | 0 pumps |
| CFC | 4 coolers | 2 coolers | 0 coolers |
| CSP | 4 pumps | 2 pumps | 0 pumps |
| LTC | 2 trains | 1 train | 0 trains |
| ACC | none | none | none |
| SFWS | none | none | none |
| BUSI | none | none | none |
FIGURE 2.1-1 APWR GENERIC EVENT TREE IE 55 SIC OA CC LTC seesessese, i e Cn m ee m m 4
s ees** m ese
- LATE CMrWITs CC so m eese m ee m eses e
e
- m eeee,
3 e CM e
seeeeeeeeee e
eeeeeeee m 4 LATE CR. O CC e
- eeeedette m enee m e
$ NO CM s
e seessessees i
e e
e eeeeee m es 6 LATE CMiW!TH CC i
e sessessesse e
e e
e sa m m eet 7 NO CM e
e e
essessesses e
ee m ee m e see m e***.
8 LATE CM. % Ct e
e e
e memmmemem 9 EA5Lt C H ITN CC
.i e
seeeeeeeees e
m m m eeeee m m e 10 EARLS cms E CC l
e e
m eee m en 11 M CM i
e eseeeeessee e
a m eseseeee 12 LATE CM.WITH CC e
seeeeeeeeeeeeeeeeeene l
e e
e seeee m e,*
13 NO CM l
i seeeeeeen e
seee**eesee l
e a
e m eee m e
- eese m 15 NO CM
)
e e
m ee m ees e
e e
seee**ee m le LATE CM;WITH CC e
e seeeeeeeees e
e e
e e...eeee m 17 NO CM
?
e e
mmeme l
e sememee m m ee**e 16 LATE CM, W CC e
e I
e e
e m m
- m e m e**e
seeeeeeeeen e
m eeee m eteeeeee m 20 EAEi (M!O CC e
l so m e m en 21 NO CM e
e esessessesseseeeeeeeeeeessesees ememm etee m eees C LATE CMeNO CC e
m ie m m e m e m e m m m e****eeeeese 23 EAR f th>NC CC r
!E = INIT!ATING EVENT OCCUP5 t
55 s FLANT Ik A 61 Veli SUFFCA1 STATE Sit SHOFT TES:P C0 CLIN 6 AVAILAP.E DA OFEFA105 AC110NS SUCCESSFUL i
CC s CONTA!h"!N' CC0L!% avn!'.AILE I
LTC = L0h6 TEFR C0kl E AVAllahE l
W APWR-PSS 2-29 June 1985 5928Q:10 l
~..
FIGURE 2.1-2 SUPPORT STATE MODEL ssa OFP Ost 0FR De sll s/C D6C eeneeeeenseennees 1 $s2 e
enennunneeneennusene 2ssit e
e unnounnennunneneenunnun unenenunennu 3 $502 e
o e
nennennunnuununne 4 sst2 e
e unneunennune 5 ss2 e
e e
e nennene 6 ss12 e
seeeeeeeeeeeeeeeeeees e
e e
ueneueu 7 $$11 e
e e
uneennununnuneenue e
nunusee l $502 e
e e
seeeeeeeeee e
e e
ununen 9$s00 e
e e
e e
enenununnnenenunen to ss02 e
e unnuse e
u nneen u nunen 11 sst e
e e
e e
unununuenennuneuse 12 ss12 e
e e
e e
e neeenenunennu ununnununne 13 ss02 e
e o
e e
e e
unennunennuununen 14s502 e
o e
e e
e unnunununne 15 is2 e
e e
e e
e a
e eeeeeu n u 16 $512 e
seeeeessies esseeeeeeeeeeeeeeeeee e
e o
e e
enunun 17 $311 e
e e
e e
e e
e uneunn e
nesunne is$$02 e
a e
e e
seesseessee e
e e
e e
eennune 195500 eeeeeeeeees e
e e
e ununne euennunnennunenune 20 ss02 e
e e
e uunnueuunun 21 ts!!
e e
eeeeeeeeeee e
e e
e esennun 22 sSol e
seeeeeeene enseeeeeen a
e useneun 23 ssW e
e e
unnennennunenneesen 24 ssos e
uneeneeneeenesee 25 552 e
e e
e nunnuununununeun 26 5512 l
e e
e e
seeenennunnnn unuunnennun 27 $502 l
e e
e e
e eennunuounununnen 23 $502 e
a e
e uneuennunnen 29 ss2 e
e e
e e
e ununne 30 ss12 i
e e
seeeeeeeeeeeeeeeeeees ununne e
e unennu 31 ssil e
e e
e unnenu e
ununne 32 $502 e
e e
eteeeeeeeee e
e e
ununne 33 ss00 e
e e
e e
nununnununnenenne 24 ss02 e
o e
e eeneneeuunnene 35 5511 eeeeeeeeees seeeeeeeees e
e e
unnuou 36 $501 seesessesse eseessessee e
e nu.enees 37 s5%
e e
nonenneueuununennu 30 ss01 e
useeeeeeeeeeeeeeeeeeeeueueuseeenen. se ssa i
2.2 EVENT TREE MODELING
In this section an event tree for each of the initiating event categories is modeled and described.
2.2.1 TRANSIENT EVENT TREE
This initiating event category comprises those transients that begin with an automatic or manual reactor trip other than those explicitly identified in the other event trees.
This event tree (Figure 2.2-1) uses the following symbols to identify system functions, operator actions and equipment:
TRA  Initiating Event, Transients
501  Support State
SC4  Emergency Feedwater Available
LCO  Consequential PORV LOCA
SLL  Seal LOCA Does Not Occur
REC  Recovery of AC/Signal
OFB  Operator Action, Feed and Bleed
SI1  Integrated Safeguards System Available
CSP  Containment Spray Available
CFC  Containment Fan Coolers Available
LTC  Long-Term Cooling Available
2.2.1.2 ACCIDENT PROGRESSION
The accident progression discussed here describes the normal plant response following a transient that results in reactor trip.
Reactor trip is the most immediate and important plant response of any transient event.
The operator is expected to verify that shutdown has taken place or that necessary actions, either automatic or manual, are being taken to force shutdown.
Once shutdown has been verified, plant parameters must be controlled so as to prevent a return to criticality.
Finally, decay heat removal must be assured to prevent core overheating and damage.
Core power generation continues by means of decay heat following a reactor trip when the plant has undergone operation at power prior to the trip.
If the decay heat were not removed the core could overheat and suffer significant damage.
The first requirement for successful decay heat removal is reactor coolant flow.
The flow can either be forced flow or, when no reactor coolant pump is running, can occur by natural circulation of the coolant itself.
If possible, core heat removal by forced circulation is the preferred method over natural circulation.
Reactor coolant flow only insures that a heat convection path exists between the core and the steam generators.
This heat removal path must be continued on the secondary side of the steam generators through the release of steam to either the condenser or the atmosphere and by maintaining a feedwater flow which matches the steam generation rate.
Condenser steam dumping allows the normal maintenance of condensate quality feedwater inventory.
If atmospheric dumping is used, the feedwater that is lost must be made up from a condensate quality water source if possible, such as from the condensate storage tank.
Whatever the source of feedwater, it is important to note that failure to provide it results in an interruption of the core heat removal path.
If core decay heat is not removed from the reactor coolant, the resulting temperature and pressure increases in the primary coolant are a threat to plant safety.
Upon failure of normal feedwater systems, the emergency feedwater system is actuated to prevent core damage.
Automatic steam dumping to the condenser should follow a reactor trip.
However, if by any reason condenser dump capability cannot be obtained, steam generator power operated relief valves are automatically actuated.
If these do not open, the steam generator safety valves open to protect the steam system and permit core cooling.
In general, the control steam pressure is set at the no-load program value when the condenser dump is used.
For steam release through the safety valves the steam pressure is established by the valve's set and reseating pressures.
Steam pressure equilibrates near the value which corresponds to a reactor coolant temperature slightly above the programmed no-load value.
Reactor coolant pressure is maintained at a value above 2000 psia.
These limits insure that core boiling or overcooling do not take place during the process of core decay heat removal.
Refer to plant response matrices for sequential actuation of the plant systems during the accident progression.
2.2.1.3 TOP EVENT DESCRIPTIONS
The top events of the transient event tree are described in detail below to provide understanding of the system functions and operator actions involved.
The numerical calculations of each top event unavailability will be performed in the Plants Systems and Operator actions Fault Tree Analyses.
Success criteria hereafter discussed are generally based on the SAR analysis except when noted.
A summary of success criteria is provided in Table 2.1-2, with specific references.
All of these conditions must be met for normal plant operation, and plant trip due to almost all events categorized as Transient would normally not be expected to affect them.
EMERGENCY FEEDWATER AND SECONDARY COOLING (SC4)
The Start-up Feedwater system starts in response to an automatic actuation signal or in response to operator action.
The automatic signal is derived from low steam generator water level.
Emergency feedwater starts upon loss of start-up feedwater.
The Emergency Feedwater System success requires the starting of one of the two motor driven pumps or one-of-two turbine driven pumps, delivering a total flow rate of at least [ ] gpm to one or more steam generators.
The secondary cooling requires the automatic or manual opening of at least one relief or safety valve in the steam generator fed by Emergency Feedwater.
Given these conditions the reactor core will be cooled by forced flow to the steam generators or by single or two phase natural circulation.
CONSEQUENTIAL LOCA (LCO)
A consequential LOCA is modeled to depict the failure of the pressurizer relief or safety valves to an open position.
Consequential seal LOCA is assumed to occur only upon loss of seal injection and cooling.
SEAL LOCA DOES NOT OCCUR (SLL)
The back-up seal injection system is required to provide flow to the RCPs in the event all power, and therefore Component Cooling Water, is lost (i.e., Support State 03).
Seal LOCA may occur if the seal injection function is lost.
RECOVERY OF AC/ SIGNALS BEFORE CORE MELT (REC)
Recovery of offsite power to an essential AC bus is modeled between 40 minutes and the time when the core would begin to uncover and melt.
Alternatively, manual actuation of safeguards equipment will take place when AC power and cooling water is available but the IPS actuation of components has failed.
This facilitates recovery of core cooling and containment safeguards.
OPERATOR ACTION FEED AND BLEED (OFB)
If auxiliary feedwater actuation and secondary cooling fail, it is necessary for the operator to start the safety injection pumps and manually open PORVs, following the Emergency Procedures, to provide feed and bleed cooling.
Success for this branch requires the operator to determine that such an action is necessary and to take the proper action, i.e., start at least one safety injection pump, delivering water through all four branch lines, and open all three PORVs.
The EWST is required to provide the source of water for safety injection.
The depressurization induced at the opening of the PORVs would cause the block valves to close.
In order to prevent this, the operator has to disable block valve automatic closure and keep them in the open position.
Containment Spray protects the containment from overpressure failure conditions if feed and bleed is requested, and scrubs the containment atmosphere of radionuclides.
It is very unlikely that the sprays will provide any useful function in avoiding core damage conditions.
However, these functions are important if core damage occurs because they reduce the chance of containment failure and reduce the severity of release if the containment fails.
Success of containment spray requires either an automatic or manual actuation signal.
However top event CSP includes only successful generation of an automatic actuation signal (HI-3 containment pressure) and the setpoint may be reached only in the containment following degraded plant conditions.
Intermittent manual operation, although not modeled in the Event Tree, can be effective as long as water is available in the EWST.
The following success criteria apply to the Containment Spray System:
Success of CSB requires the operation of at least one pump (out-of-two), connected to an available line from the EWST.
For simplicity in the node quantification, run-time for the pumps is conservatively assumed to be 24 hours.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization.
In addition, the fan coolers provide an alternative heat removal path for long-term core cooling should heat removal via the RHR heat exchangers be unsuccessful.
On an "S" signal, the fan coolers shift to low speed automatically but even if this shift should fail there would be adequate time for manual actuation prior to any significant containment pressure increase, although this action is not modeled in the system analysis.
The success criterion for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
LONG TERM COOLING (LTC)
Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the transient.
Long term cooling is typically supplied by the Residual Heat Removal (RHR) system.
In the APWR design, however, the safety injection pumps might also be used if the primary system is breached.
Thus, primary coolant would circulate from either the hot leg (RHR) or the EWST (SI), through the CCW-cooled heat exchangers and back to the cold legs.
The LTC node encompasses all operator actions and equipment availability needed to perform this function.
Due to shared functions and the operation of other systems, this node is divided into three states as follows.
LTC1 - This node comprises a normal cooldown of the RCS by use of the auxiliary feedwater system to cold shutdown conditions.
LTC2 - This node represents long term core heat removal following a consequential small LOCA.
Due to successful safety injection and containment fan cooler (CFC) operation, success is comprised of continued feed and bleed cooling.
Other methods of heat removal include auxiliary feedwater and use of the RHR heat exchangers, but these methods are not modeled.
LTC3 - This node represents long term core heat removal following a consequential small LOCA and a failure of the containment fan coolers (CFC).
Heat removal is accomplished by continued safety injection with component cooling water flow aligned to at least one RHR heat exchanger.
2.2.1.4 DISPLAYED FUNCTIONAL DEPENDENCIES
a. If auxiliary feedwater (SC4) succeeds and a Consequential LOCA does not occur, no further branching is necessary and the accident has been terminated.
b. If auxiliary feedwater fails the operator action of primary feed and bleed (OFB) is addressed to provide core heat removal.
c. If operator action or SI injection (SI1) succeeds, successful mitigation is dependent on success of the long term heat removal function.
However, upon failure of long term heat removal from containment, the containment is assumed to fail, recirculation functions are assumed to fail and late core damage is assumed to result.
Actually the option would exist to depressurize the RCS through the pressurizer PORVs and go on RHR prior to exceeding containment design pressure.
For simplicity and consistency, no credit is taken for this action.
d. Upon failure of operator action feed and bleed, early core damage is assumed and only containment safeguards are addressed to identify release categories.
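The displayed dependencies a. through d. act as a pruning rule: a top event is only questioned on paths where its outcome matters. As an added illustration (not code or data from the study), the sketch below walks a reduced tree over SC4, LCO, OFB, SI1 and LTC and sums branch probabilities per end state; the end-state names, the probabilities, the omission of SLL, REC, CSP and CFC, and the treatment of SI1 failure as early core damage are assumptions made for the example.

```python
from itertools import product
from math import prod

# Top events questioned in this sketch (symbols from the list above).
# SLL, REC, CSP and CFC are deliberately left out to keep the tree small.
TOP_EVENTS = ("SC4", "LCO", "OFB", "SI1", "LTC")

# CONSTRUCTED failure probabilities, for illustration only (not study values).
# "Failure" of LCO means that a consequential LOCA does occur.
P_FAIL = {"SC4": 1e-3, "LCO": 1e-2, "OFB": 5e-2, "SI1": 1e-3, "LTC": 1e-2}


def walk(ok):
    """Walk one path through the reduced tree.

    `ok` maps each top event to True (success) or False (failure).
    Returns (end_state, path); path holds only the nodes actually questioned.
    """
    path = []

    def ask(name):
        path.append((name, ok[name]))
        return ok[name]

    if ask("SC4"):
        if ask("LCO"):                       # a. feedwater works, no LOCA
            return "TERMINATED", tuple(path)
        if not ask("SI1"):                   # assumption: LOCA without injection
            return "EARLY_CORE_DAMAGE", tuple(path)
    else:
        if not ask("OFB"):                   # b. and d. feed and bleed fails
            return "EARLY_CORE_DAMAGE", tuple(path)
        if not ask("SI1"):                   # assumption: no pump to feed with
            return "EARLY_CORE_DAMAGE", tuple(path)
    # c. mitigation now depends on long term heat removal
    state = "MITIGATED" if ask("LTC") else "LATE_CORE_DAMAGE"
    return state, tuple(path)


def sequences():
    """Enumerate all 2**5 outcome combinations and keep the distinct paths."""
    seen = {}
    for bits in product((True, False), repeat=len(TOP_EVENTS)):
        state, path = walk(dict(zip(TOP_EVENTS, bits)))
        seen[path] = state
    return seen


def path_probability(path):
    """Conditional probability of one sequence, given the initiating event."""
    return prod((1 - P_FAIL[n]) if success else P_FAIL[n] for n, success in path)


def end_state_frequencies(initiator_frequency=1.0):
    """Sum sequence frequencies per end state."""
    totals = {}
    for path, state in sequences().items():
        freq = initiator_frequency * path_probability(path)
        totals[state] = totals.get(state, 0.0) + freq
    return totals


if __name__ == "__main__":
    for path, state in sequences().items():
        labels = " ".join(f"{n}={'S' if s else 'F'}" for n, s in path)
        print(f"{state:18s} {path_probability(path):.3e}  {labels}")
    print(end_state_frequencies())
```

Pruning leaves 8 sequences out of 32 outcome combinations, and because every questioned node contributes exactly one success or failure factor, the sequence probabilities still sum to one.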
2.2.1.5 SUCCESS CRITERIA
In order to avoid degraded core conditions after a transient the top event "Emergency Feedwater System" and long-term cooling must be available.
If the SUFW and EFW systems fail, then primary feed and bleed cooling and containment cooling and long-term heat removal must be successful to avoid core damage.
2.2.1.6 PLANT DAMAGE STATE CLASSIFICATION
All event tree sequences except those that result in successful mitigation are classified by the degraded core conditions that exist for each sequence.
As described in Section 2.1.4, classification is based on time of core damage with respect to injection or long term cooling, type of scenario and containment spray/containment fan coolers conditions.
All transient plant damage states are assigned classification according to Table 2.1-1.
2.2.1.7 SYSTEM INTERACTIONS
Most dependencies caused by systems interactions have already been discussed as displayed dependencies in the event tree; other significant interactions are those coming from support systems.
The most important of these are the integrated protection system, the electric power system and the service and component cooling water system; however, these systems are explicitly contained within the support state model.
Table 2.1-2 explicitly depicts all system and operator interactions.
FIGURE 2.2-1. WAPWR TRANSIENT EVENT TREE
[Event tree diagram; the branch structure is not recoverable from the extracted text. Top events across the tree: TRA, 501, SC4, LCO, SLL, REC, OFB, SI1, CSP, CFC, LTC. Sequences are numbered 1 to 68 and end either in NO CM or in a plant damage state (TLFC, TLC, TLF, TL, TEFC, TEC, TEF, TE).]
2.2.2 LOSS OF OFF-SITE POWER EVENT TREE
This event tree applies to those transients that begin with a loss of off-site power.
The mitigation of the event requires a reactor trip to shut down the nuclear chain reaction, and the removal of heat through the secondary side, by emergency feedwater, or, as a backup, through the primary side by safety injection plus the opening of pressurizer PORVs.
This transient is analyzed considering that the condenser is not available for steam dump.
The event tree of Figure 2.2-2 uses the following symbols to identify systems functions, operator actions and equipment:
LSP  Initiating Event, Loss of Off-site Power
502  Support State
SC1  Emergency Feedwater Available
SLL  Seal LOCA Does Not Occur
ACR  AC Power Recovery
OFB  Operator Action, Bleed and Feed
CFC  Containment Fan Coolers Available
CSP  Containment Spray Available
SI1  Integrated Safeguards System Available
LTC  Long-Term Cooling Available
2.2.2.1 INITIATORS
The loss of off-site power is initiated by a loss of grid power of any duration from the high voltage distribution lines serving the station.
The Diesel Generators are started on low voltage on the ESF buses, and emergency loads are sequenced onto the buses.
2.2.2.2A ACCIDENT PROGRESSION - ONSITE AC AVAILABLE
The accident progression discussed here describes the normal plant response that would follow a loss of off-site power event in which at least one DG is available.
Reactor trip would be the most immediate and important plant response of any transient event.
Failure to shut down the reactor for this initiating event is an abnormal plant condition which could possibly lead to core damage if not corrected.
The operator is expected to verify that shutdown has taken place or that necessary actions are being taken to force shutdown.
Following reactor trip, core power generation continues by means of decay heat.
If the decay heat is not removed promptly, the core can overheat and suffer significant damage.
The first requirement for successful decay heat removal is reactor coolant flow.
In this accident no reactor coolant pump is running and flow can only occur by natural circulation.
Reactor coolant flow insures that a heat convection path exists between the core and the steam generators.
This heat removal path must be continued on the secondary side of the steam generators through the release of steam to the atmosphere and by maintaining emergency feedwater flow of at least [350] gpm to one or more steam generators.
Condenser dump capability is unavailable and steam generator power operated relief valves are expected to be automatically actuated.
If these do not open, the steam generator safety valves would open to protect the steam system and permit core heat removal.
For steam release through the safety valves, the steam pressure is established by the valve's set and reseating pressure.
Steam pressure equilibrates near the value which corresponds to a reactor coolant temperature slightly above the programmed no load value.
Reactor coolant pressure is maintained at a value above 2000 psia.
These limits insure that core boiling or overcooling do not take place during the process of core decay heat removal.
Water inventory that is lost to the atmosphere from SG relief valves is made up from the condensate storage tank.
If by any reason auxiliary feedwater is not available it is still possible to mitigate the transient removing the decay heat by the operator manually starting safety injection and opening pressurizer PORV's to remove heat from the Reactor Coolant System by venting steam to the pressurizer relief tank.
Long-term cooling would be established by operator actions to align the RHR system and align CCW coolant flow to the RHR heat exchanger.
2.2.2.2B ACCIDENT PROGRESSION - ONSITE AC UNAVAILABLE
The accident progression discussed herein does not consider the restoration of AC power and thus is not the normal accident progression that would follow a loss of off-site power.
This discussion will focus only on the response of the plant process variables to a postulated complete loss of AC power event.
Other plant symptoms such as loss of control room lighting and emergency bus low voltage alarms, which might occur, are not discussed.
At the onset of a total loss of AC power situation, the response of plant process variables would be essentially the same as would occur immediately after a plant blackout, i.e., loop flow coasting down due to RCP trip, decreasing neutron flux due to reactor trip, rapidly decreasing steam generator level due to collapsing steam voids, pressurizer level decrease due to loss of heat load, etc.
However, the subsequent plant response could be considerably different.
Because the steam dump system and potentially the steam generator PORVs would be disabled by the loss of AC power, secondary pressure would no longer be limited to the no-load steam pressure but would continue to rise to the secondary safety valve set pressure.
Following the initial perturbations caused by the trip, the increase in steam temperature in conjunction with the loss of forced reactor coolant flow would tend to return plant average temperature and, accordingly, pressurizer level, to about their normal full load values.
The Back-up Seal Injection System will be operated to prevent degradation of the RCP seals, and the turbine-driven EFW pump will provide cooling flow to the steam generators.
However, with a total loss of AC power, there could be seal leakage if the BUSI failed, and as a result, pressurizer level will not stabilize but would begin to fall.
The rate at which the level decreases would depend on the magnitude of the seal leakage.
Should the seals remain intact such that leakage rates would be only several gallons per minute from each pump, the level drop may only be noticeable over a period of hours.
Conversely, should the seals deteriorate rapidly due to the loss of seal cooling, leakage rates could increase to several hundred gallons per minute, and the pressurizer could empty in ten minutes or less.
In fact, as long as all letdown paths from the RCS are isolated, the pressurizer level response would be the best indicator of RCP seal conditions available to the operator.
The decrease in pressurizer level would also be accompanied by a decrease in RCS pressure.
Without the benefit of charging or safety injection pumps and pressurizer heaters, the loss of coolant through the seals would deplete the inventory of hot water in the pressurizer, causing the pressure to decrease.
This trend would continue until the pressurizer is empty, at which time flashing would occur either in the head of the reactor vessel or in the hot leg piping.
At this point, the rate of pressure decay would be reduced due to the larger volume of hot water available for flashing in either of these locations.
In the very unlikely event that AC power is not restored, the depressurization will continue until eventually the entire RCS would be saturated at approximately the setpoint pressure of the steam generator safety valves.
The time history of the pressure decay, like the pressurizer water level transient, would be controlled by the amount of leakage from the RCP seals.
Once the entire RCS saturates, assuming that the turbine-driven EFW pump is operating, cooling via the steam generator safety valves would maintain RCS pressure and, therefore, RCP leakage at essentially constant values.
Seal leakage would continue to deplete the RCS inventory, ultimately draining the upper head and causing steam voids to form in the steam generator U-tubes.
Voiding in the U-tubes would stop natural circulation through the coolant loops, and reflux boiling would exist between the core and the steam generators to remove decay heat.
If AC power is still not restored, this situation would continue until enough inventory is lost to uncover the core to the point where core damage may occur.
The scenario just described is predicated on the assumption that subsequent to the total loss of AC power, heat is removed only through the steam generator safety valves, and that Back-up Seal Injection fails.
Without the ability to replenish water lost through the RCP seals, this situation would eventually result in saturation of the RCS and a stabilization of temperature and pressure at values slightly above the conditions in the steam generator.
If the operator does nothing to change this situation, the possibility of core damage would be greater than if actions were taken to reduce RCS pressure and temperatures below these conditions.
This benefit would derive from the reduction in RCP seal leakage that would accompany a reduction in RCS pressure and temperature.
Reducing seal leakage would extend the time necessary to uncover the reactor core and, therefore, increase the time available to restore AC power before a potential inadequate core cooling situation could develop.
In addition to reducing the amount of water lost from the RCS, reducing RCS pressure and temperature would also reduce the differential pressure and the temperature to which the RCP seals are exposed and thereby would reduce the rate and potential magnitude of seal degradation.
Finally, decreasing system pressure via cooling would allow injection of the water in the passive low pressure accumulators and core reflood tanks to replenish some of the lost RCS inventory.
Thus, there would be advantages to having an operator take prompt action to cool the RCS in the event of a complete loss of AC power.
Cooling below the safety valve setpoint conditions is assumed to be accomplished by coordinated manual control of the steam generator PORVs and the turbine driven EFW pump.
Credit is not taken for these actions in the event tree.
2.2.2.3 TOP EVENT DESCRIPTION
The top events of the loss of off-site power event tree are described in detail below to provide understanding of the systems functions and operator actions involved.
The numerical calculations of each top event unavailability will be performed in the Plants Systems and Operator actions Fault Tree Analyses.
A summary of success criteria is provided in Table 2.1-2, with specific references.
AUXILIARY FEEDWATER ACTUATION AND SECONDARY COOLING (SC1)
The Emergency Feedwater System starts in response to an automatic actuation signal or in response to operator action.
The automatic signal may be derived from low-low steam generator water level.
Emergency Feedwater System success requires the starting of one-of-two turbine-driven pumps and delivering a total flow rate of at least [ ] gpm to one or more steam generators.
Secondary cooling requires the automatic or manual opening of at least one relief or safety valve in the steam generator fed by emergency feedwater.
Given these conditions, the reactor core will be cooled by single or two-phase natural circulation.
CONSEQUENTIAL LOCA (LCO)
A LOCA resulting from the plant transient is modeled.
A LOCA may result from failure of a pressurizer PORV or safety valve to the open position.
SEAL LOCA DOES NOT OCCUR (SLL)
If normal and backup AC power is lost, normal charging is lost, and component cooling water to the RCP coolers will be unavailable.
This necessitates operator action to start the BUSI system to protect the seals. If this fails, a seal LOCA may occur.
If BUSI is successful, however, a consequential seal LOCA is assumed not to occur.
AC POWER RECOVERY (ACR) AFTER 40 MINUTES
Recovery of AC power up to 40 minutes into the event is already modeled in the support states.
If all AC power is lost, the recovery of either a diesel generator or any offsite source after 40 minutes and before core melt is modeled with this event tree node.
OPERATOR ACTION, FEED AND BLEED (OFB)
If emergency feedwater actuation and secondary cooling fail, it is necessary for the operator to start high pressure safety injection and manually open PORVs, following emergency procedures, to provide feed and bleed cooling.
Success for this branch requires the operator to determine such an action is necessary and to take the proper action, i.e., start at least one high head safety injection pump, and open all PORVs.
The emergency water storage tank is required to provide the source of water for safety injection.
The depressurization induced by the opening of the PORVs would cause the block valves to close.
In order to prevent this, the operator has to disable block valve automatic closure and keep them in the open position.
Containment Spray protects the containment from overpressure failure conditions if feed and bleed is requested, and scrubs the containment atmosphere of radionuclides.
It is very unlikely that the sprays will provide any useful function in avoiding core damage conditions.
However, sprays are important if core damage occurs because they reduce the chance of containment failure and reduce the severity of release if containment fails.
Success of containment spray requires either automatic signal or manual actuation.
However, top event CSP includes only successful generation of an automatic actuation signal (HI-3 containment pressure) and the setpoint may be reached only in containment during degraded conditions.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization.
In addition, the fan coolers provide an alternative heat removal path for long-term core cooling should heat removal via the RHR be unsuccessful.
On an "S" signal, the fan coolers shift to low speed automatically but even if this shift should fail there would be adequate time for manual actuation prior to any significant containment pressure increase, although this action is not modeled in the system analysis.
The success criterion for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
LONG TERM COOLING (LTC)
Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the Loss of Offsite Power.
Long term cooling is typically supplied by the Residual Heat Removal (RHR) system.
In the APWR design, however, the safety injection pumps might also be used if the primary system is breached.
Thus, primary coolant would circulate from either the hot leg (RHR) or the EWST (SI), through the CCW-cooled heat exchangers, and back to the cold legs.
The LTC node encompasses all operator actions and equipment availability needed to perform this function. Due to shared functions and the operation of other systems, this node is divided into three states as follows:
LTC1 - This node comprises a normal cooldown of the RCS by use of the auxiliary feedwater system to cold shutdown conditions.
The RHR system is then aligned to provide decay heat removal, utilizing one pump in the closed loop circulation mode with CCW supplied to the RHR heat exchanger.
LTC2 - This node represents long term core heat removal following a consequential small LOCA.
Due to successful safety injection and containment fan cooler (CFC) operation, success is limited to continued feed and bleed cooling.
Other methods of heat removal include auxiliary feedwater and use of the RHR heat exchangers, but these methods are not modeled.
LTC3 - This node represents long term core heat removal following a consequential small LOCA and a failure of the containment fan coolers (CFC).
Heat removal is accomplished by continued safety injection with component cooling water flow aligned to at least one RHR heat exchanger.
2.2.2.4 DISPLAYED FUNCTIONAL DEPENDENCIES
a. If onsite AC Power is supplied and auxiliary feedwater (SC1) succeeds and consequential LOCA does not occur, no further branching is necessary and the accident will be terminated.
b. If onsite AC Power is supplied and auxiliary feedwater (SC1) fails, the operator action of primary feed and bleed (OFB) is addressed to provide core heat removal.
c. If operator action (OFB) succeeds, and Fan Coolers (CFC) or Containment Spray (CSP) and Long-Term Cooling (LTC) succeed, no further branching is required.
Actually the option would exist to depressurize the RCS through pressurizer PORVs and go on RHR prior to exceeding containment design pressure.
For simplicity and consistency, no credit is taken for this action.
d. Upon failure of operator action feed and bleed, early core damage is assumed and only containment safeguards are then addressed, to identify release categories.
e. If onsite power fails, then back-up seal injection and emergency feedwater (SC1) must function.
If either of these systems fails, then prevention of core melt will be predicated upon recovery of AC power and actuation of safety injection.
2.2.2.5 SUCCESS CRITERIA
If auxiliary feedwater actuation and secondary cooling fail, then primary feed and bleed cooling and Long-Term Cooling must be successful to avoid core damage.
2.2.2.6 PLANT DAMAGE STATE CLASSIFICATION
All event tree sequences except those that result in successful mitigation are classified by the degraded core conditions that exist for each sequence.
As described in Section 2.1, classification is based on time of core damage with respect to injection or Long-Term Cooling, type of scenario and containment safeguards.
All Loss of Off-site Power plant damage states are assigned classification according to Table 2.1-1.
2.2.2.7 SYSTEM INTERACTIONS
Most dependencies caused by systems interactions have already been discussed as displayed dependencies in the event tree; other significant interactions are those coming from the support systems.
The most important of these are the Integrated Protection System, the Electric Power System and the Essential Service and Component Cooling Water Systems; however, these systems are explicitly contained within the support state model. Table 2.1-2 displays systems and operator interactions.
FIGURE 2.2-2. W APWR LOSS OF OFF-SITE POWER EVENT TREE.
[Event tree diagram not recoverable from the extracted text. Its numbered sequences end either in NO CM or in a plant damage state (TLFC, TLC, TLF, TL, TEFC, TEC, TEF, TE).]
2.2.3 STEAM GENERATOR TUBE RUPTURE EVENT TREE
The steam generator tube rupture (SGTR) event tree (Figure 2.2-3) applies to the rupture of one or more tubes in one steam generator causing primary coolant to leak to the secondary system.
The event tree model is used to calculate the conditional probability of various core damage states following a SGTR.
The event tree uses the following symbols to identify system and operator functions modeled within the tree as top events.
SGR - Initiating Event, Steam Generator Tube Rupture
503 - Support State
SI1 - Integrated Safeguards System Available
SC2 - Emergency Feedwater System Available
OST - Operator Depressurizes RCS with Secondary or Establishes Feed and Bleed Cooling
SOF - Steam Generator Overfill Protection
CSP - Containment Spray System Available
CFC - Containment Fan Coolers Available
LTC - Long Term Cooling Available
2.2.3.1 INITIATORS
The SGTR is initiated by random or consequential rupture of the steam generator tubes ranging from a small leak in a single tube just in excess of the normal charging system capacity, up to 10 equivalent double ended tube ruptures.
2.2.3.2 ACCIDENT PROGRESSION
This is a description of the expected plant response to a postulated steam generator tube rupture accident and the actions, manual and automatic, which may occur during recovery. System response and recovery actions with off-site power available and the effects of coincident station blackout are discussed.
As previously noted, the trends described are only representative since variations in manual actions or operable equipment as well as rupture size and specific plant design will result in different system conditions.
In the discussion, a tube failure is assumed to be the initiating event and occurs when the plant is at full power.
Of course, if such a failure occurred at a lower power level, the initial response may be different.
However, the general long-term trends and recovery actions are expected to be the same.
Tube failures in combination with other events which require different operator responses are described in the Emergency Response Guidelines.
Specific actions are described in the background documents for ECA-3.1, SGTR With Loss of Reactor Coolant-Subcooled Recovery Desired, ECA-3.2, SGTR With Loss of Reactor Coolant-Saturated Recovery Desired, and ECA-3.3, SGTR Without PRZR Pressure Control.
2.2.3.2.1 SGTR TRANSIENT: OFF-SITE POWER AVAILABLE
A steam generator tube rupture event begins as a breach of the primary coolant barrier between the reactor coolant system and the secondary side of the steam generator, i.e., the steam generator tube.
Although this relatively thin barrier is designed with substantial safety margin to preclude bursting even when subjected to full primary system pressure, the secondary side environment may attack the steam generator tubes resulting in excessive tube wall thinning or cracking over time. Although improved secondary side chemistry has greatly reduced the frequency of tube failures attributed to chemical corrosion, foreign objects in the steam generator secondary have resulted in relatively rapid tube degradation and failure.
Improved surveillance and inspection techniques have been instituted to reduce the likelihood of tube leaks caused by foreign objects.
Since the primary system pressure (nominally 2250 psia) is initially much greater than the steam generator pressures (nominally 1000 psia), reactor coolant flows from the primary into the secondary side of the affected steam generator.
In response to this loss of reactor coolant, pressurizer level decreases at a rate which is dependent upon the size of the rupture and the number of failed tubes.
RCS pressure also decreases as the steam bubble in the pressurizer expands.
For normal response, charging flow will automatically increase and pressurizer heaters will energize in an effort to stabilize pressure and level. However, if leakage exceeds the capacity of the Chemical and Volume Control System, reactor coolant inventory will continue to decrease and eventually lead to an automatic reactor trip signal on low pressurizer pressure.
Prior to this, normal letdown flow would isolate, and pressurizer heaters would turn off on low pressurizer water level.
On the secondary side, leakage of contaminated primary coolant will increase the activity of the secondary coolant resulting in high radiation indications from the air ejector radiation monitor, blowdown line radiation monitors, and steamline monitors.
Although these alarms may lag indications of a loss of reactor coolant depending on the transport time to the radiation monitors, they have sounded nearly simultaneously during past tube failure events and generally provided the earliest diagnosis of a steam generator tube rupture.
As primary coolant accumulates in the affected steam generator, normal feedwater flow is automatically reduced to compensate for increasing steam generator level.
Consequently, a mismatch between steam flow from and feedwater flow to the affected steam generator may be observed.
This potentially provides early confirmation of a tube failure event and also identifies the affected steam generator.
However, such a mismatch may not be noticeable for smaller tube failures because of the relatively large normal feedwater/steam flow rates.
The water level in the affected steam generators may not be significantly greater than that of the intact steam generators and may be somewhat erratic prior to reactor trip as the normal feedwater control system automatically compensates for changes in steam flow rate and steam generator level due to primary-to-secondary leakage.
The time between initial tube failure and reactor trip also depends on the leak rate.
In most cases sufficient time will be available for the operator to perform a limited number of actions to either prevent or prepare for reactor trip. Such actions are likely to include starting additional charging pumps, energizing pressurizer heaters if not done automatically, reducing the load on the turbine, and possibly manual reactor trip.
These actions, with the exception of manual reactor trip, will tend to delay an automatic trip signal.
In addition, reducing the load on the turbine can have a significant effect on the system response following reactor trip which may impact the longer term recovery.
As turbine runback proceeds, the mismatch between core power and turbine load causes the average coolant temperature (Tave) to increase until the rod control and steam dump systems actuate to restore programmed Tave.
Although the reference Tave decreases with turbine load, a period of time may exist when Tave is greater than nominal full power conditions.
If reactor trip occurs during this time, the cooldown of the primary system, when the steam dump system actuates to establish no-load conditions, is increased.
This may result in a significantly lower minimum RCS pressure following reactor trip which may exceed the RCS pressure criteria for tripping the RCPs.
In addition, the combination of delayed reactor trip and reduced steam flow due to turbine runback may result in a greater steam generator inventory when recovery actions are initiated.
This would reduce the time available to steam generator overfill.
Following reactor trip, core power rapidly decreases to decay heat levels, steam flow to the turbine is terminated, and the steam dump system actuates to establish no-load coolant temperatures in the primary system.
Shortly thereafter, the normal feedwater control system throttles feedwater flow in response to reduced steam flow.
The RCS pressure decreases more rapidly as sensible energy transfer to the secondary shrinks the reactor coolant and tube rupture flow continues to deplete primary inventory.
This decrease in RCS pressure results in a low-low pressurizer pressure SI signal soon after reactor trip.
Normal feedwater flow is automatically isolated on the SI signal which also actuates the Emergency Feedwater (EFW) system to deliver flow to all steam generators.
Eventually, manual action is required to adjust auxiliary feedwater flow to maintain the steam generator water level on the narrow range span.
If water level increases in the affected generator due to large primary to secondary flow, the SG overfill valves will open (on high-high level) to prevent passing water into the main steam line.
Secondary side pressure will increase rapidly after reactor trip as trip of the turbine momentarily stops steam flow from the steam generators. Normally, automatic steam dump to the condenser would actuate to dissipate energy transferred from the primary, thereby limiting the secondary pressure increase.
Since the intact and ruptured steam generators communicate via the main steam header, no significant difference in pressures will be evident at this time.
Initially, SI flow and EFW flow will absorb decay heat and decrease the reactor coolant temperature below no-load until EFW flow is manually throttled to maintain steam generator level in the narrow range.
EFW and SI will also decrease steam flow, and may cause the steam generator pressures to slowly decrease as the cold EFW condenses steam.
At low decay heat levels or for large tube leak rates the reactor coolant temperature may continue to decrease due to SI flow even after EFW flow is throttled.
Pressurizer water level decreases more rapidly following reactor trip as the reactor coolant shrinks during the post-trip cooldown and primary-to-secondary leakage continues to deplete coolant inventory.
Although the minimum pressurizer level is dependent upon a number of parameters, including initial pressurizer water level, initial power level, the size of the tube failure, operation of the pressurizer heaters, and pre-trip operator actions, it is likely that the water level will be offscale low when SI is actuated.
RCS pressure may momentarily continue to decrease to saturation until SI flow and EFW flow cool the primary system below the saturation temperature of the steam generators.
If SI flow exceeds primary-to-secondary leakage and coolant shrinkage, the pressurizer water level and pressure will increase.
The RCS pressure depends on the size of the tube failures, capacity of the SI system, and cooldown rate of the primary.
Because leakage from the RCS is a function of both pressure and temperature, no equilibrium pressure will exist until the reactor coolant temperature remains constant. Consequently, RCS pressure may continue to slowly decrease until reactor coolant temperatures are stabilized.
The pressurizer may refill to a relatively high water level if the tube failure is small.
However, in the more likely case, pressurizer water level will return to within the instrument span but will equilibrate at a value significantly below nominal level.
As previously mentioned, the steam generator water level may drop out of the narrow range following reactor trip.
EFW flow, which is automatically actuated on an SI signal, will begin to refill the steam generators, distributing an approximately equal flow to all steam generators.
Since primary-to-secondary leakage adds additional inventory which accumulates in the ruptured steam generator, the level should return to the narrow range in the ruptured steam generator significantly earlier and will continue to increase more rapidly.
This response provides confirmation of a steam generator tube rupture event and also identifies the affected steam generator.
These symptoms will be evident very soon after reactor trip for larger tube failures; for smaller tube failures the steam generator water level response may not be noticeably different or may be masked by non-uniform EFW flows.
In the latter case, high radiation indications may be necessary for positive identification of the ruptured steam generator.
However, the break flow would be less and, consequently, more time would be available for recovery prior to filling the affected steam generator with water.
2.2.3.2.2 SGTR TRANSIENT: OFF-SITE POWER UNAVAILABLE
The principal systems/components affected by a coincident station blackout are the steam dump system, Reactor Coolant Pumps (RCPs), and RCS pressure control.
The effect of each of these on the system response and recovery is discussed below.
The steam dump system is designed to actuate following loss of load or reactor trip to limit the increase in secondary side pressure. Without off-site power available, the steam dump valves, which bypass the turbine to the condenser, will remain closed.
Hence, energy transferred from the primary will rapidly increase steam generator pressures after reactor trip until the atmospheric relief valves lift to dissipate this energy.
Since the secondary side temperature is increased, sensible energy transfer from the primary side following reactor trip is reduced.
Consequently, RCS pressure decreases more slowly so that SI actuation and all attendant automatic actions, including EFW actuation, are delayed.
RCPs trip on a loss of off-site power and a gradual transition to natural circulation flow ensues.
The cold leg temperature trends toward the steam generator temperature as the fluid residence time in the tube region increases.
Initially, the cross-core temperature difference decreases as core power decays following reactor trip and subsequently increases as flow coasts to stable natural circulation.
Without RCPs running, the upper head region becomes inactive and the fluid temperature in that region will significantly lag that in the active RCS regions.
In addition, subsequent actions to isolate the affected steam generator and cool down the intact RCS loops may stagnate the affected loop.
Consequently, the hot leg fluid in that loop may remain significantly warmer than in the active loops. Similarly, SI flow into the stagnant loop cold leg may rapidly decrease the fluid temperature in adjacent regions significantly below the rest of the RCS, as observed during the tube failure event at R.E. Ginna in January, 1982.
2.2.3.2.3 RECOVERY/RESTORATION TECHNIQUE
The automatic protection systems are more than sufficient to maintain adequate core cooling even for multiple tube failures.
The system response to a steam generator tube failure before and immediately after reactor trip has been described.
From this description, the symptoms which identify both the tube failure event and the affected steam generators, including steam flow/feed flow mismatch, high or increasing secondary side radiation, and steam generator water level response should be evident.
These event signatures provide the basis for diagnostics in the Emergency Response Guidelines (ERGs) which are used to direct the operator to the ERG, E-3 Optimal Recovery Guideline.
The objectives of the recovery/restoration technique incorporated into guideline E-3 are to limit the release of radioactive effluents from the ruptured steam generators, stop primary-to-secondary leakage, and restore reactor coolant inventory to ensure adequate core cooling and plant control.
Although many other techniques may achieve any one of these goals equally well, the guidance in E-3 presents the best approach for balancing all of these objectives for a wide variety of events.
Inherent safety features, such as unambiguous SI termination and reinitiation criteria, guarantee effective recovery actions for credible multiple failure events and proper remedial actions for misdiagnosis or error.
The following subsections provide a summary of the major categories of operator actions and the key utility decision points for guideline E-3, STEAM GENERATOR TUBE RUPTURE.
2.2.3.2.4 HIGH LEVEL ACTION SUMMARY
A high level summary of the actions performed in E-3 is given on the following page in the form of major action categories.
These are discussed in more detail.
o Off-site Power Available
o Identify and Isolate Ruptured SG(s)
Once a tube failure has been identified, recovery actions begin by isolating steam flow from and stopping feedwater flow to the affected steam generator.
In addition to minimizing radiological releases, this also reduces the possibility of filling the affected steam generator with water by: 1) minimizing the accumulation of feedwater flow and challenging the overfill protection system; and 2) enabling one to establish a pressure differential between the ruptured and intact steam generators as a necessary step toward terminating primary-to-secondary leakage.
In the analysis results presented in the Emergency Response Guidelines, the operator was assumed to isolate the affected steam generator when the water level returned into the narrow range (≥17 percent). With steam flow and feedwater flow terminated, the affected steam generator pressure will increase to saturation at the RCS hot leg temperature and slowly increase thereafter as primary-to-secondary leakage compresses the steam bubble in the steam generator. Although this response is not demonstrated in the available analysis results reported in the Emergency Response Guidelines, actual plant experience exhibits this behavior.
Eventually a steam generator atmospheric relief valve would lift unless actions to stop leakage into the affected steam generator are completed.
o Establish RCS Subcooling Margin
After isolation of the ruptured steam generator, the RCS is cooled to less than saturation at the ruptured steam generator pressure by dumping steam from only the intact steam generators. This ensures adequate subcooling in the RCS after depressurization to the ruptured steam generator pressure in subsequent actions. With off-site power available, the normal steam dump system to the condenser provides sufficient capacity to perform this cooldown rapidly.
RCS pressure will decrease during this cooldown as shrinkage of the reactor coolant expands the steam bubble in the pressurizer.
For multiple tube failures, pressure may decrease to less than the ruptured steam generator pressure as steam voids, which were generated during the initial RCS depressurization, condense.
Reverse flow, i.e., secondary-to-primary flow, during this time would reduce the inventory in the ruptured steam generators and delay steam generator overfill.
o Restore RCS Inventory
SI flow again increases RCS pressure when the cooldown is completed toward an equilibrium value where break flow matches SI flow.
Consequently, SI flow must be terminated to stop primary-to-secondary leakage.
However, one must first ensure adequate coolant inventory.
This includes both sufficient reactor coolant subcooling and pressurizer inventory to maintain a reliable pressurizer water level indication after SI flow is stopped.
Since leakage from the primary side will continue until RCS and ruptured steam generator pressures equilibrate, an "excess" amount of inventory, which depends on RCS pressure, is required before stopping SI flow.
To establish sufficient inventory, RCS pressure is decreased by condensing steam in the pressurizer using normal spray.
This increases SI flow and reduces break flow which refills the pressurizer.
Note that although the cooldown of the primary side also decreased RCS pressure, the pressurizer may not refill since the net effect is reduced coolant volume.
Similarly, spraying the pressurizer to decrease RCS pressure concurrently with the primary side cooldown is not as effective in refilling the pressurizer.
For multiple tube failures, RCS pressure may decrease below the ruptured steam generator pressure before pressurizer water level returns to within the instrument span.
In that case, reverse flow through the failed tubes will supplement SI flow in refilling the pressurizer. Conversely, for smaller tube failures, pressurizer inventory may be sufficient for SI termination prior to depressurizing the RCS.
o Terminate SI to Stop Primary-to-Secondary Leakage
Previous actions were designed to establish an adequate secondary side heat sink and reactor coolant inventory to ensure that SI flow is no longer required. When these actions have been completed, SI flow must be stopped to prevent repressurization of the RCS and terminate primary-to-secondary leakage.
With SI flow stopped, residual break flow will reduce RCS pressure to equilibrium with the ruptured steam generator.
RCS temperature, pressurizer water level, and affected steam generator water level will stabilize, and no further uncontrolled releases of radiological effluent will occur.
o Off-site Power Unavailable
Sufficient instrumentation and controls are provided to ensure that necessary recovery actions can be completed without off-site power available.
Although system behavior is slightly different, the recovery is the same; however, the equipment used may be different.
The RCS is cooled using the Power Operated Relief Valves (PORVs) on the intact steam generators since neither the steam dump valves nor the condenser would be available without off-site power. Even with one steam generator out of service, these valves provide sufficient capacity to complete the initial RCS cooldown rapidly.
Note, however, that the hot leg temperature lags the cold leg and steam generator temperatures since RCPs are not running.
Since RCPs would be stopped, normal pressurizer spray would not be available.
Consequently, RCS pressure must be controlled using pressurizer PORVs or auxiliary spray.
Although these systems enable more rapid RCS depressurization, the use of a PORV results in an additional loss of reactor coolant which may lift the rupture disk on the Pressurizer Relief Tank (PRT).
Auxiliary spray conserves reactor coolant but may create excessive thermal stresses in the spray nozzle which could result in nozzle failure.
In addition, since the upper head region is inactive, voiding may occur in this region during RCS depressurization.
This will result in a rapidly increasing pressurizer water level indication as water displaced from the upper head replaces steam released or condensed from the pressurizer.
This behavior was observed during the Ginna tube failure event, following failure of the pressurizer PORV. However, the extent of voiding is limited to the inactive regions of the RCS provided subcooling is maintained at the core exit. Consequently, even without off-site power, the E-3 recovery scheme establishes sufficient secondary side heat sink and reactor coolant inventory to ensure SI flow is no longer required.
Once SI flow is stopped, the plant response is similar with or without off-site power available.
However, if an upper head void exists, normal pressurizer pressure control may not be as effective.
Flashing in the inactive regions may retard further RCS depressurization until the upper head void contacts the more active, subcooled upper plenum region.
In addition, rapid condensation of an upper head void when an RCP is restarted may decrease pressurizer pressure and water level.
However, uncontrolled primary-to-secondary leakage and radiological releases from the affected steam generators will not occur.
2.2.3.3 TOP EVENT DESCRIPTION
The top events of the Steam Generator Tube Rupture event tree are described in detail below, to provide understanding of the system functions, operator actions and equipment involved.
The numerical calculation of each top event will be performed in the Plant Systems and Operator Actions Fault Tree Analysis.
A summary of success criteria is provided in Table 2.1-2, with specific references.
SAFETY INJECTION (SI1)
The Safety Injection System provides borated water to the primary system to: 1) keep the core covered and provide decay heat removal; and 2) add negative reactivity to ensure shutdown.
Safety injection is automatically actuated on an "S" signal, which in turn is actuated by the low pressurizer pressure signal. Successful operation of the ISS requires at least one-of-four safety injection trains injecting water to the RCS through at least two-out-of-four injection lines.
This is a conservative success criterion for the entire range of steam generator tube ruptures considered, and was selected for consistency with the safety injection success criterion used in other event trees.
In fact, one safety injection pump injecting through any one of its four branch lines is sufficient.
For simplicity in the node quantification, run-time for the pumps is conservatively assumed to be 4 hrs.
Manual start of safety injection, although possible, is not given credit.
The Emergency Water Storage Tank is required to provide water for the integrated safeguards pumps.
Safety injection rates, in general, shorten the time for operator action.
Therefore, the time available for operator action in other top events was calculated based on the assumption that, if safety injection is available, all pumps inject through all four branch lines.
EMERGENCY FEEDWATER AVAILABILITY (SC2)
Emergency feedwater availability is necessary for extended decay heat removal through the steam generators.
Normal recovery following a steam generator tube leak requires a supply of feedwater to the intact steam generators.
This can be supplied by either the Emergency Feedwater System, the Start-up Feedwater System, or the normal feedwater system. No credit for normal feedwater system operation is taken in this analysis.
The start-up feedwater system starts in response to an automatic actuation signal or in response to operator action.
The automatic signal is derived from low steam generator water level.
The emergency feedwater system will start on failure of the start-up feedwater system or an "S" signal.
The emergency feedwater system success requires the starting of one-of-two motor driven pumps or one-of-two turbine driven pumps delivering flow to one of three intact SGs.
With success of the Emergency Feedwater System, secondary system cooling is achieved by releasing steam from the steam generator(s) being fed.
Steam is released by automatically or manually opening a relief valve(s) associated with the intact steam generators (if available), by the steam generator safety valves, or by steam dump to the main condenser. Heat removal from the primary system can be provided by any one steam generator.
Given these conditions, the reactor core will be cooled by forced flow, or by single or two phase natural circulation, or by reflux steam condensation with the steam generators.
OPERATOR STABILIZES RCS PRESSURE OR ESTABLISHES FEED AND BLEED COOLING (OST)
This node encompasses the manual and automatic actions necessary to stabilize the reactor coolant system pressure below the steam generator safety valve set pressure. Success will terminate the tube leak, and leave the reactor coolant system in a stable condition.
Later recovery actions can be performed whenever convenient.
Recovery actions are modeled given that:
1. When emergency feedwater successfully operates, the operator takes steps to reduce primary pressure to stop break flow. Pressurizer spray (if RCPs are available) or the PORV are utilized. After equalizing pressures and stabilizing pressurizer level, the operator will terminate safety injection.
2. If emergency feedwater fails, the operator will initiate feed and bleed cooling by verifying safety injection flow and opening the pressurizer PORV. If additional letdown flow is desired, the operator may open one or more of the hot leg vents. By venting and reducing SI flow, primary and secondary pressures may be equilibrated, and break flow terminated.
STEAM GENERATOR OVERFILL PROTECTION (SOF)
If the operator fails to terminate primary to secondary flow and steam generator level increases to the high-high level setpoint, the overfill protection valves will open.
The opening of either one of two parallel solenoid valves will prevent water from passing into the main steam line.
If the overfill protection system fails, operator actuation of feed and bleed cooling by opening the PORVs, thereby decreasing and finally terminating primary to secondary flow, is modeled.
Thus, this node is comprised of the failures of both the overfill system and the operator alignment of feed and bleed.
Containment Spray protects the containment from overpressure failure conditions if bleed and feed is requested, and scrubs the containment atmosphere of radionuclides.
It is very unlikely that the sprays will provide any useful function in avoiding core damage conditions. However, sprays are important if core damage occurs because they reduce the chance of containment failure and reduce the severity of release if containment fails.
Success of containment sprays requires either an automatic or manual actuation signal.
However, top event CSP includes only successful generation of an automatic actuation signal (Hi-3 containment pressure) and the setpoint may be reached only in containment during degraded plant conditions.
Intermittent manual operation, although not modeled in the event tree, can be effective as long as water is available in the EWST.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization.
In addition, the fan coolers provide an alternative heat removal path for core cooling recirculation should heat removal via emergency feedwater and secondary cooling be unsuccessful.
On an "S" signal containment fan coolers shift to low speed automatically, but even if this should fail there would be adequate time for manual actuation prior to any significant containment pressure increase.
This operator action is not modeled by the system analysis.
The success criterion for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
LONG TERM COOLING (LTC)
Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the tube rupture.
Long term cooling is typically supplied by the Residual Heat Removal (RHR) system.
In the APWR design, however, the safety injection pumps might also be used if the primary system is breached.
Thus, primary coolant would circulate from either the hot leg (RHR) or the EWST (SI), through the CCW-cooled heat exchangers, and back to the cold legs.
The LTC node encompasses all operator actions and equipment availability needed to perform this function.
Due to shared functions and the operation of other systems, this node is divided into three states as follows.
LTC1 This node comprises a normal cooldown of the RCS by use of the auxiliary feedwater system to cold shutdown conditions.
LTC2 This node represents long term core heat removal following a consequential small LOCA.
Due to successful safety injection and containment fan cooler (CFC) operation, success is comprised of continued feed and bleed cooling.
Other methods of heat removal include emergency feedwater and use of the RHR heat exchangers.
RHR cooling is modeled when containment fan coolers are unavailable.
LTC3 This node represents long term core heat removal following a consequential small LOCA and a failure of the containment fan coolers (CFC).
Heat removal is accomplished by continued safety injection with component cooling water flow aligned to at least one RHR heat exchanger.
2.2.3.4 DISPLAYED DEPENDENCIES The following relationships are displayed in the event tree:
A. If the operator fails to depressurize the primary system by use of the secondary or by natural break flow (which may tend to equalize primary-secondary pressures) (OPA), then SG overfill protection (SOF) is required.
B. Feed and Bleed cooling on depressurization is only addressed when Safety Injection (SI1) has succeeded.
C. If Feed and Bleed cooling is required, containment cooling and long-term recirculation cooling are modeled.
D. If Safety Injection (SI1) fails, success is dependent on successful isolation of the faulted steam generator and depressurization of the primary to stop break flow.
E. Primary depressurization via secondary cooling (OST) is dependent upon the success of auxiliary feedwater (SC2).
2.2.3.5 SUCCESS CRITERIA In order to avoid a degraded core damage state after a SGTR, the following conditions should be met:
1) Following success of SI1 and SC2, the sequence goes to success if the operator stabilizes the RCS either: a) by depressurization using the secondary; or b) by depressurization using the pressurizer PORV.
2) Following success of SI1 and with no feedwater available (SC2 failed), success is obtained only through successful feed and bleed cooling.
3) Following failure of SI1 and success of SC2, success is obtained if the operator stabilizes the RCS with the secondary and successfully isolates the ruptured generator, terminating break flow; long term cooling is effected with the RHR pumps.
It should be noted that the conditions just listed lead strictly to the plant state NO CM.
2.2.3.6 PLANT DAMAGE STATE CLASSIFICATION Some plant damage states are particular to a steam generator tube rupture accident and are listed in Table 2.1-1.
FIGURE 2.2-3. WAPWR STEAM GENERATOR TUBE RUPTURE EVENT TREE. (Top events: S03, SI1, SC2, OST, SOF, CSP, CFC, LTC.)
FIGURE 2.2-5. WAPWR SMALL LOCA EVENT TREE. (Top events: LCA, S03, SC1, OFB, SI1, CSP, CFC, LTC.)
2.2.4 LARGE SECONDARY SIDE BREAK EVENT TREE This initiating event category applies to those transients that begin with a steamline break or with a feedwater line break.
Location of the break (inside or outside containment) is not considered important for this analysis, since plant and operator response will be similar.
The only difference will be availability of containment safeguards on ex-containment ruptures, which may require operator initiation.
The breaks considered herein include a line rupture of the most limiting size (double-ended).
For the case of steamline break the limit is given by the effective area of the nozzles of the steam generators (1.4 square feet), which limit the maximum steam flow for a break at any location.
Plant response to spurious openings of safety and/or relief valves, which can be seen as small steamline breaks, is similar, with the timing of events extended.
Plant response to these small secondary-side breaks is similar to a transient, after isolation of the ruptured loop.
Therefore, analysis of these small breaks is included in the transient event tree, ET-01.
The event tree of Figure 2.2-4 uses the following symbols to identify system functions and operator actions modeled with the tree as top events:
SSB Initiating event, Secondary Side Break
S03 Support State
SI1 Integrated Safeguards System Available
SC2 Emergency Feedwater Available
OFB Operator Action, Feed and Bleed
CSP Containment Spray Available
CFC Containment Fan Coolers Available
LTC Long Term Cooling Available
2.2.4.1 INITIATORS Various initiating events and different initial conditions are enveloped by the event tree and the success criteria of systems and operator actions will satisfy the requirements of each specific case.
Steamline and feedwater line breaks ranging from intermediate to large size are modeled by the tree.
Moreover the tree envelops two different power conditions: hot standby and full power.
In a steamline break, the hot standby condition maximizes the cooldown effects, because of the absence of decay heat.
On the other hand, the full power condition challenges the decay heat removal systems, once the initial transient is over.
Failures in these systems could lead to core damage.
2.2.4.2 ACCIDENT PROGRESSION The normal accident progression following a secondary side break varies depending upon break size and location, initial power level, safety systems operation or failure.
For the steamline break case the limiting event is, as described above, a double-ended rupture.
Following the break, the faulted loop will depressurize. The steam generator blowdown will eventually cause the loop to be at atmospheric pressure. The excess energy removal from the primary system causes a reduction of coolant temperature and pressure.
Because of the negative moderator temperature coefficient, the cooldown will produce a reactivity increase.
If the most reactive rod cluster control assembly (RCCA) is assumed stuck in its fully withdrawn position after reactor trip, it is possible (toward the end of core life) for the core to become critical and return to power.
The core will be ultimately shut down by the boric acid delivered by the safety injection system.
Reactor trip and main steamline isolation are caused by low steamline pressure.
The same signal will also actuate the "S" logic, which starts safety injection and prepares the secondary system to remove decay heat.
As soon as the initial transient is mitigated, success will be reached if the decay heat is removed.
Emergency feedwater or, alternatively, feed and bleed are available to perform this task.
As long as heat removal is not terminated, adequate core cooling will be maintained.
For the feedwater line break case, the limiting event is a double-ended rupture of the largest feedwater line.
Following the break, the affected steam generator will empty.
In the first seconds the primary system will heat up, because of the reduced feedwater flow. The reactor will be tripped by the low water level signal in the steam generator of the faulted loop.
The transient may change to a cooldown if the rupture is downstream of the MFWIV and the evaluation of the event will be similar to the case of a steamline break.
Coolant temperature will fall and reactivity will increase.
When the low steamline pressure setpoint is reached in the faulted loop, the steamline will be isolated, safety injection pumps will start and the cooldown will be terminated.
If the break is outside containment, then recovery after steamline isolation will proceed as if a transient with Loss of Main Feedwater had occurred.
Again, decay heat removal systems and containment safeguards will be utilized in order to bring the reactor to a safe and stable condition.
2.2.4.3 TOP EVENT DESCRIPTION The top events of the Large Secondary Side Break Event Tree (ET4) are described in detail to provide understanding of the systems functions and operator actions involved.
The numerical calculations of each top event unavailability will be performed in the Plant Systems and Operator Actions Fault Tree Analysis.
A summary of success criteria is provided in Table 2.1-2, with specific references.
SAFETY INJECTION (SI1)
Safety injection provides high pressure borated water from the EWST to the primary system thus adding negative reactivity to ensure shutdown.
Safety injection is automatically actuated on an "S" signal, which in turn is actuated by one of the following signals:
Low steamline pressure
Low pressurizer pressure
High-1 containment pressure
Successful operation of SI requires at least one-out-of-four safety injection trains injecting water to the RCS through at least two-out-of-four cold legs.
Success also requires opening of the accumulator check valves, since these check valves are in the SI flow path as well as the accumulator injection flow path.
Manual actuation of safety injection, although possible, is not given credit herein.
SI will not be actuated for a Main Feedwater Line Break upstream of the MFWIV; however, SI availability may impact later plant response.
It is felt that this model thus introduces some conservatism into the analysis, since failure will not necessarily lead to early core melt, as modeled.
The Emergency Water Storage Tank is required to provide water for safety injection.
EMERGENCY FEEDWATER ACTUATION AND SECONDARY COOLING (SC2)
The Emergency Feedwater System starts in response to an automatic actuation signal, derived from an "S" signal or from low steam generator water level.
Water at a flow rate of at least [ ] (a,c) gpm has to be delivered to one of three non-faulted steam generators (the faulted one is assumed to be isolated by the operator following the ERG).
This ignores the availability of steam generators which have been successfully isolated from the break by MSIV and MFWIV closure.
Secondary cooling requires the automatic opening of at least one relief (or safety) valve.
Given these conditions the reactor core will be cooled by forced flow to the steam generators or by single or two phase natural circulation.
Upon failure of the EFW system, primary feed and bleed is addressed (it should be noted that if EFW fails, the operator would probably try to restart either main or emergency feedwater before resorting to feed and bleed.
However, for simplicity and conservatism, main and/or emergency feedwater recovery has not been given credit).
OPERATOR ACTION, PRIMARY FEED AND BLEED (OFB)
Upon failure of the Emergency Feedwater System, the operator, following the Emergency Response Guidelines, opens all pressurizer PORVs and their block valves to remove decay heat through bleed operation.
Safety injection may already be running; if not, the operator must start at least one pump to provide feed to the RCS.
The operator will open and close the PORVs as needed.
Containment Spray protects the containment from overpressure failure conditions in the first phase of the accident and scrubs the containment atmosphere of radionuclides.
These functions are important if core damage occurs because they reduce the chance of containment failure and reduce the severity of release if containment fails.
Success of containment spray requires either automatic or manual actuation. However, top event CSP includes successful generation of an automatic actuation signal (Hi-3 containment pressure).
At least one pump out of two connected to an available line from the EWST is required for success.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization.
In addition, the fan coolers provide an alternative heat removal path for core cooling recirculation should heat removal via emergency feedwater and secondary cooling be unsuccessful.
On an "S" signal the fan coolers shift to low speed automatically but, even if this shift should fail, there would be adequate time for manual actuation prior to containment damage; however this action is not modeled in the system analysis.
The success criterion for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
LONG TERM COOLING (LTC)
Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the pipe rupture.
Long term cooling is typically supplied by the Residual Heat Removal (RHR) system.
In the APWR design, however, the safety injection pumps might also be used if the primary system is breached.
Thus, primary coolant would circulate from either the hot leg (RHR) or the EWST (SI), through the CCW-cooled heat exchangers, and back to the cold legs.
The LTC node encompasses all operator actions and equipment availability needed to perform this function. Due to shared functions and the operation of other systems, this node is divided into three states as follows:
LTC1 This node comprises a normal cooldown of the RCS by use of the emergency feedwater system to cold shutdown conditions.
LTC2 This node represents long term core heat removal following a consequential small LOCA.
Due to successful safety injection and containment fan cooler (CFC) operation, success is comprised of continued feed and bleed cooling. Other methods of heat removal include auxiliary feedwater and use of the RHR heat exchangers, but these methods are not modeled.
LTC3 This node represents long term core heat removal following a consequential small LOCA and a failure of the containment fan coolers (CFC).
Heat removal is accomplished by continued cooling water flow aligned to at least one RHR heat exchanger.
2.2.4.4 DISPLAYED DEPENDENCIES
A. If safety injection (SI1) fails, early core damage is conservatively assumed to result.
B. If safety injection succeeds, the sequence can be mitigated if decay heat can be removed by either EFW or feed and bleed (OFB).
C. If emergency feedwater actuation and secondary cooling (SC2) fails and safety injection (SI1) has not failed, the operator action of primary feed and bleed (OFB) is addressed as a way to avoid core damage.
D. If primary feed and bleed (OFB) fails, an early core damage is assumed to result and only containment safeguards are addressed.
2.2.4.5 SUCCESS CRITERIA In order to avoid degraded core conditions after a secondary side break, the following top events must be available:
A. Safety Injection (SI2)
B. Emergency Feedwater and Secondary Cooling (SC2) or successful feed and bleed (OFB).
C. Long Term Cooling (LTC)
Should core damage occur, containment sprays are expected to reduce radioactive releases.
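The displayed dependencies of Section 2.2.4.4 and the success criteria of Section 2.2.4.5 can be walked mechanically; the following Python enumeration is an added example, not part of the original report. The function names are hypothetical, the support state (S03) is not branched, and it is an assumption of this example that the containment safeguards (CSP, CFC) are also asked after an SI1 failure and during feed and bleed, and are not asked after successful emergency feedwater.

```python
"""Enumerate Large Secondary Side Break sequences from the dependencies in
Sections 2.2.4.4 and 2.2.4.5. Added illustration, not code from the report."""

# Top events in the order listed for Figure 2.2-4, after the initiating event
# (SSB) and the support state (S03), which this example does not branch on.
TOP_EVENTS = ("SI1", "SC2", "OFB", "CSP", "CFC", "LTC")


def is_asked(event, path):
    """True if `event` is a branch point given the earlier outcomes in `path`."""
    si, sc, ofb = path.get("SI1"), path.get("SC2"), path.get("OFB")
    early_damage = si is False or ofb is False
    if event == "SI1":
        return True
    if event == "SC2":
        # Dependency A: SI1 failure is taken as early core damage, so the
        # decay heat removal nodes are skipped on that branch.
        return si is True
    if event == "OFB":
        # Dependency C: feed and bleed is addressed only when SC2 has failed
        # and SI1 has not.
        return si is True and sc is False
    if event in ("CSP", "CFC"):
        # Dependency D: after early core damage only containment safeguards
        # are addressed. Assumption: they are also asked when feed and bleed
        # is in use, because LTC2/LTC3 are distinguished by the CFC outcome.
        return early_damage or ofb is True
    if event == "LTC":
        return not early_damage
    raise ValueError(f"unknown top event {event!r}")


def enumerate_sequences():
    """Return every path through the tree as a dict {top event: True/False}."""
    sequences = []

    def walk(index, path):
        if index == len(TOP_EVENTS):
            sequences.append(dict(path))
            return
        event = TOP_EVENTS[index]
        if not is_asked(event, path):
            walk(index + 1, path)  # pass straight through this node
            return
        for success in (True, False):
            path[event] = success
            walk(index + 1, path)
            del path[event]

    walk(0, {})
    return sequences


def classify(path):
    """Apply the Section 2.2.4.5 success criteria to one sequence."""
    if path["SI1"] is False:
        return "early core damage"
    if path.get("SC2") is False and path.get("OFB") is False:
        return "early core damage"
    if path["LTC"] is False:
        return "degraded core (LTC failed)"
    return "NO CM"


def ltc_state(path):
    """Which of the three LTC states the sequence asks, or None if LTC is not asked."""
    if "LTC" not in path:
        return None
    if path["SC2"]:
        return "LTC1"  # normal cooldown on emergency feedwater
    return "LTC2" if path["CFC"] else "LTC3"  # feed and bleed, with/without CFC


def label(path):
    """Compact sequence label; a leading '/' marks a failed top event."""
    return " ".join(e if path[e] else "/" + e for e in TOP_EVENTS if e in path)


if __name__ == "__main__":
    for number, seq in enumerate(enumerate_sequences(), start=1):
        print(f"{number:2d}  {label(seq):32s} {classify(seq):28s} {ltc_state(seq) or '-'}")
```
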
2.2.4.6 PLANT DAMAGE STATE CLASSIFICATION All event tree sequences except those that result in successful mitigation are classified by the degraded core conditions that exist for each sequence. As described in Section 2.1.4, classification is based on the time of core damage with respect to injection or recirculation, type of scenario, containment fan coolers and containment spray conditions.
All Secondary Side Breaks plant damage states are assigned classification according to Table 2.1-1.
2.2.4.7 SYSTEM INTERACTIONS Most dependencies caused by systems interactions have already been discussed in the conditional top events and in the section of displayed dependencies.
Other significant interactions are those coming from support systems.
The most important of these are the Integrated Protection System, the Electric Power System, Essential Service Water System and Component Cooling Water System; however, these systems are explicitly contained within the support state model.
Note also that no system interactions have been assumed between the high energy line rupture and equipment needed to mitigate the event (emergency feedwater, steamline relief valves, etc.).
Table 2.1-2 explicitly depicts all systems and operator actions interactions.
FIGURE 2.2-4. WAPWR LARGE SECONDARY SIDE BREAK EVENT TREE. (Top events: SSB, S03, SI1, SC2, OFB, CSP, CFC, LTC.)
2.2.5 SMALL LOCA EVENT TREE This initiating event category comprises those losses of coolant from small breaks for the mitigation of which the secondary side heat removal is required.
The smallest break size herein categorized is chosen for the identification of the generic transient employed to describe the accident progression of this category; however, the success criteria of systems and operator actions identified in the event tree will satisfy case by case the requirements of each specific initiating event.
The small LOCA event tree uses the following symbols to identify systems functions, operator actions and equipment:
LCA Initiating Event, Small LOCA
S03 Support System Availability
SC1 Secondary Cooling
OFB Feed and Bleed Operator Action
SI1 Safety Injection System Availability
CSP Containment Spray Availability
CFC Containment Fan Cooler Availability
LTC Long Term Cooling
2.2.5.1 INITIATORS The Small LOCA event tree (Figure 2.2-5) applies to all reactor coolant system ruptures inside containment with blowdown rates equivalent to breaks in the pressure boundary less than 2 inches in diameter and greater than approximately 3/8 inches.
This event also comprises reactor coolant pump seal LOCAs, failure of any one power operated relief or safety valve, small LOCAs from ruptured control rod drive housing and instrument line failures.
2.2.5.2 ACCIDENT PROGRESSION For the break areas modeled by the small LOCA event tree, the CVCS cannot maintain Reactor Coolant System (RCS) inventory control.
The RCS will depressurize and an automatic reactor trip and an "S" signal will be generated when the pressurizer low pressure setpoints are reached.
To prevent core damage, emergency coolant injection by at least one high head safety injection train is required.
Initially more subcooled liquid volume will be leaking through the break than is being added.
The pressurizer continues to empty and pressure steadily drops.
Since the break is small and unable by itself to remove all the decay heat, another heat sink must be available for heat removal.
Secondary cooling by emergency feedwater operation is the preferred means of removing reactor heat, and, upon failure of this function, primary bleed cooling may be actuated (feed and bleed mode of cooling).
As the core decay heat begins dropping off, reactor coolant pressure and temperature reduce and safety injection flow rises.
As long as heat removal and safety injection are not terminated, adequate core cooling will be maintained.
For long term recirculation two alternatives are possible: high head pump recirculation or depressurization and low head pump recirculation.
Long term containment pressure buildup can be prevented if containment cooling through fan coolers is successful.
2.2.5.3 TOP EVENT DESCRIPTIONS
The Top Events of the Small LOCA event tree are described in detail below to provide understanding of the systems functions and operator actions involved.
The numerical calculations of each top event unavailability will be performed in the Plant Systems and Operator Actions Fault Tree Analysis.
Success criteria hereafter discussed are generally based on Westinghouse generic analyses, except when noted.
A summary of success criteria is provided in Table 2.1-2, with specific references.
EMERGENCY FEEDWATER ACTUATION AND SECONDARY COOLING (SC1)
The emergency feedwater starts in response to an automatic actuation signal or in response to operator action.
The automatic signal is derived from an "S" signal or from a low-low steam generator water level.
The emergency feedwater system success requires the startup of one-out-of-two motor driven pump or one-out-of-two turbine driven pump delivering flow rate of at least [ ] gpm to at least one steam generator. (a c)
The secondary cooling function requires that the automatic or manual opening of at least one relief or safety valve in the steam generator fed by emergency
Given these conditions, the reactor core will be cooled by forced flow to the steam generators or single or two phase natural circulation.
It should be noted that, if emergency feedwater fails, the operator would probably try to restart either the main or auxiliary feedwater before resorting to feed and bleed.
However, for simplicity and conservatism, main and/or auxiliary feedwater recovery has not been given credit herein.
SAFETY INJECTION (SI1)
High Head Safety Injection is automatically actuated on an "S" signal.
Successful actuation of an "S" signal depends on one of two possible input signals that would be generated following the small LOCA. These signals are:
1. Low pressurizer pressure
2. Manual actuation of the "S" signal (this is not credited and therefore not modeled in the fault tree of this top event).
High head safety injection system is required to start upon low pressurizer pressure to provide inventory control and borated water to the RCS.
High head safety injection system takes suction from the EWST and injects water into the cold legs.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization.
In addition, the fan coolers provide an alternative heat removal path for core cooling feed and bleed and long term cooling, should heat removal via emergency feedwater and secondary cooling be unsuccessful.
On an "S" signal, containment fans shift to low speed automatically, but even if this shift should fail there would be adequate time for manual actuation prior to any significant containment pressure increase.
This action is not modeled by the system analysis.
The success criterion for the fan coolers is two-out-of-four fan coolers operating in the emergency low speed mode.
Containment spray protects the containment from overpressure failure conditions and scrubs the containment atmosphere of radionuclides.
It is very unlikely that sprays will provide any useful function in avoiding core damage conditions.
However, sprays are important because if core melt occurs, they reduce the chance of containment failure and reduce the severity of release if containment fails.
Success of containment sprays requires either automatic or manual actuation; however, top event CS includes only successful generation of an automatic actuation signal (HI-3 containment pressure) and the setpoint may be reached in containment heat removal degraded conditions.
Intermittent manual operation, although not modeled in the event tree, can be effective as long as water is available in the EWST.
LONG TERM COOLING (LTC)
Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the pipe rupture.
Long term cooling is typically supplied by the Residual Heat Removal (RHR) system.
In the APWR design, however, the safety injection pumps might also be used if the primary system is breached.
Thus, primary coolant would circulate from either the hot leg (RHR) or the EWST (SI), through the CCW-cooled heat exchangers, and back to the cold legs.
The LTC node encompasses all operator actions and equipment availability needed to perform this function. Due to shared functions and the operation of other systems, this node is divided into three states as follows:
LTC1 - This node comprises a normal cooldown of the RCS by use of the emergency feedwater system to cold shutdown conditions.
LTC2 - This node represents long term core heat removal following a consequential small LOCA.
Due to successful safety injection and containment fan cooler (CFC) operation, success is limited to continued feed and bleed cooling. Other methods of heat removal include auxiliary feedwater and use of the RHR heat exchangers, but these methods are not modeled.
LTC3 - This node represents long term core heat removal following a consequential small LOCA and a failure of the containment fan coolers (CFC).
Heat removal is accomplished by continued safety injection with component cooling water flow aligned to at least one RHR heat exchanger.
2.2.5.4 DISPLAYED DEPENDENCIES
1. Early core melt is assumed to happen if all trains of support system are not available.
2. If Secondary Cooling (SC1) is available, then Safety Injection (SI1) must be available to avoid an early core melt.
3. If Secondary Cooling (SC1) is not available, then the operator must perform feed and bleed (OFB) to the RCS to avoid an early core melt.
4. Whenever Long Term Cooling (LTC) is not available, late core melt will be assumed to occur.
2.2.5.5 SUCCESS CRITERIA
1. If AC power is available throughout the mission time, availability of secondary cooling, safety injection and long term cooling constitute success.
2. If AC power is available throughout the mission time, and secondary cooling fails, availability of feed and bleed operator action and long term cooling constitute success.
3. If AC power is not available (S03 not available) throughout the mission time, early core melt is assumed to occur.
2.2.5.6 PLANT DAMAGE STATE CLASSIFICATION
All event tree sequences except those that result in successful mitigation are classified by the core melt conditions that exist for each sequence.
As described in Section 2.1.4, classification is based on time of core melt with respect to injection or recirculation, type of scenario, and containment safeguards.
All Small LOCA plant damage states are assigned classification according to Table 2.1-1.
2.2.5.7 SYSTEM INTERACTIONS
Most dependencies caused by system interactions have already been discussed in the conditional top events and in the section of displayed dependencies; other significant interactions are those coming from support systems.
The most important of these are electric power system, essential service water system and component cooling water system; however, these systems are explicitly addressed within the support state model.
Table 2.1-2 displays systems and operator interactions.
2.2.6 LARGE LOCA EVENT TREE
The large LOCA event tree models the behavior of the plant following a postulated reactor coolant system rupture, for the mitigation of which secondary side heat removal is not required.
The size of the break is sufficient to remove the energy stored in the core and the decay heat. Safety injection is necessary to refill the RCS and cool the core.
Reactor trip is not required since the nuclear reaction is shut down quickly due to voiding in the core.
Continued shutdown is assured by the boron concentration of the injection water.
The largest break size is chosen for the identification of the generic transient employed to describe the accident progression of this category; however, the success criteria of systems required in the event tree will satisfy case by case the requirements of the worst case in break size.
The event tree of Figure 2.2-6 uses the following symbols to identify systems functions, operator actions and equipment modeled within the event tree as "Top Events":
LLO - Initiating Event, Large LOCA
S03 - Support System Availability for LOCA event
ACC - Accumulator Injection
SI2 - ISS/CRT Available for large LOCA event
CSP - Containment Sprays Available
CFC - Containment Fan Coolers Available
LTC - Long Term Core Cooling Available
2.2.6.1 INITIATORS
The Large LOCA event tree (Figure 2.2.6-1) applies to all reactor coolant system ruptures ranging in size from 6 inches equivalent diameter to a double-ended circumferential cold leg break (the design basis accident).
Two other large LOCAs are considered in other initiating event categories: a large LOCA that creates a direct path to outside containment (Interfacing Systems LOCA, ET 8) and a large LOCA beyond the capability of the Integrated Safeguards Systems (ISS) (Reactor Vessel Rupture, ET 9).
Reactor vessel ruptures of a size and location as to be within the capability of the ISS are also categorized in the large LOCA initiating event.
2.2.6.2 ACCIDENT PROGRESSION
The Large LOCA is a severe event in which blowdown of the reactor coolant system occurs within a very short period of time; from seconds to a few minutes. The accumulators refill the reactor vessel downcomer and the safety injection (ISS) pumps together with the Core Reflood Tanks (CRTs) restore and maintain water in the reactor vessel.
Because of rapid depressurization, the nuclear reaction is quickly shut down due to voiding in the core region.
Reactor trip is not critical in this sequence.
After the reflood, subcriticality is assured by the boron concentration in the injected water.
Alignment of the RHR Heat Exchangers in the recirculation path is automatic, when the water temperature reaches a set-level.
Hot leg recirculation will be manually aligned after at least 24 hours from the event, therefore, it is not deemed to be a critical function within the first 24 hours.
The containment pressure and temperature will rise sharply following the accident.
Containment pressure suppression and containment cooling will be provided by the containment spray system and containment fan coolers.
2.2.6.3 TOP EVENT DESCRIPTION
The top events of the Large LOCA event tree are described in detail below to provide understanding of the systems functions and operator actions involved.
The numerical calculation for each top event unavailability will be performed in the Plant Systems and Operator Actions Fault Tree Analysis.
A summary of success criteria is provided in Table 2.1-2 with specific references.
Note that, for only the core cooling function to be successful, both the accumulator and safety injection success criteria described below must be met.
S03 - SUPPORT SYSTEMS AVAILABLE FOR LOCA
This node addresses the availability of major support systems, such as
AC power (onsite and offsite)
Auxiliary Cooling (SWS and CCWS)
SI signal generation
If all major support systems are available, all the front line systems will be fully supported.
If some of the major support systems fail, only one or none of the front line systems will be supported. As discussed in section 2.1.7, three plant systems with respect to major support systems are considered in the event tree:
SS1: Plant Support State in which all major support systems are available. (Top branch in the node)
SS2: Plant Support State in which one train of AC power, SWS, CCWS or SI signal fails, thus failing all front line systems associated with that support train. (Center branch in the node)
SS3: Plant Support State in which multiple failure of major support systems lead to failure of all front line systems. (Bottom branch in the node)
ACCUMULATORS INJECTION (ACC)
Success of the accumulators injection top event requires two-out-of-three accumulators on the intact primary loops to inject their inventory into the Reactor Coolant System (RCS).
Because delivery of accumulator flow into the ruptured loop may be ineffective (due to spilling out of the break), only three accumulators are considered.
Success does not require isolation of the accumulators following injection.
Steam generator heat transfer is not required following a large LOCA, so nitrogen injection is not a concern.
LOW HEAD SAFETY INJECTION (SI2)
Safety injection is automatically actuated on an "S" signal.
Successful actuation of an "S" signal depends on one of two possible input signals that would be generated following the large LOCA. These signals are:
1. Low pressurizer pressure
2. High containment pressure
The safety injection system is requested to start immediately after a large LOCA to provide inventory control by supplying borated water to the RCS.
Safety injection system takes suction from the EWST and injects water via the cold legs into the vessel.
Success criteria for safety injection following large LOCA depends on: 1) the availability of the EWST; and 2) the operation of 5 "trains" out of 8 "trains" which are composed of 4 CRTs and 4 safety injection trains.
CONTAINMENT SPRAY INJECTION (CSP)
Containment spray injection protects the containment from overpressure failure conditions in the first phase of the accident and scrubs the containment atmosphere of radionuclides.
These functions are important if core melt occurs because they reduce the chance of containment failure and the severity of release if containment fails.
Success of containment sprays requires either automatic or manual actuation; however, top event CS includes only successful generation of an automatic actuation signal (HI-3 containment pressure).
Success criteria for containment spray depend on the availability of EWST and one out of four pumps delivering water to the spray nozzles.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere and prevent containment failure by overpressurization.
In addition, the fan coolers provide an alternative heat removal path for core cooling recirculation should heat removal via the RHR heat exchangers be unsuccessful.
On an "S" signal containment fan coolers shift to low speed automatically but even if this shift should fail, there would be adequate time for manual actuation prior to containment damage; however, this action is not modeled by the systems analysis.
The success criteria for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
LONG TERM COOLING (LTC)
Following injection of the EWST water into the reactor coolant system, long term recirculation is necessary to maintain RCS inventory and core cooling.
This top event includes the availability of water in the containment sump and the availability of the valves and lines to the pumps.
Success criteria for long term cooling depend on the number of available injection trains and on the containment fan cooler. Two cases are possible:
i: Following success of ACC, SI2 and CFC, at least one train of safety injection is available and in this case, success of long term cooling can be achieved by maintaining recirculation from the sump to any available ISS train.
This conditional top event is addressed following success of containment fan coolers.
Long term heat removal via the RHR heat exchangers is not necessary for success of recirculation given that the containment fan coolers can provide the necessary heat removal as long as inventory control exists.
ii: This conditional top event is addressed following the success of ACC, ISS and the failure of containment fan coolers. The success criteria in this case are the same as above, except that automatic alignment of component cooling to the RHR heat exchangers has to be implemented, in order to provide the long term core heat removal function, together with proper operation of containment sprays. One RHR heat exchanger is sufficient to provide cooling in this case.
2.2.6.4 DISPLAYED DEPENDENCIES
A. If ACC or SI2 fails, LTC is not addressed and early core melt occurs.
B. If all support functions fail, no front line systems are addressed; early core melt occurs.
C. If LTC is not available, late core melt will occur.
2.2.6.5 SUCCESS CRITERIA
In order to avoid degraded core conditions after the large LOCA event, success of the following systems must be considered:
1. At least one train of major support systems must be available;
2. Accumulator Injection must occur;
3. Safety Injection must occur;
4. Long term recirculation must be maintained; and
5. Containment Fan Coolers or RHR heat exchangers must be available for LTC.
Failure of any one of the above systems will result in early or late core damage.
Failure of both CSP and CFC will lead to late core melt.
Upon failure of containment fan coolers, heat removal function from the containment can be accomplished by containment sprays, if recirculation with proper alignment of the component cooling system to RHR heat exchangers is available.
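The displayed dependencies (2.2.6.4) and success criteria (2.2.6.5) can be walked mechanically to list every distinct Large LOCA sequence and its outcome. The Python below is an added example, not part of the original report. It assumes that SI2 is not asked after ACC fails, that CSP and CFC still branch on early core melt paths, that LTC is not asked when both CSP and CFC fail, and that SS1 and SS2 share the same front line logic; the outcome strings are plain descriptions, not the plant damage state codes of Table 2.1-1.

```python
from collections import Counter
from itertools import product
from typing import NamedTuple, Optional

EARLY, LATE, NO_CM = "early core melt", "late core melt", "no core melt"
# Support states as named in Section 2.2.6.3.
SUPPORT_STATES = ("SS1", "SS2", "SS3")


class Sequence(NamedTuple):
    support: str
    acc: Optional[bool]   # None means the node is not addressed
    si2: Optional[bool]
    csp: Optional[bool]
    cfc: Optional[bool]
    ltc: Optional[bool]
    ltc_case: str         # "i" (after CFC success), "ii" (after CFC failure)
    outcome: str


def classify(support, acc, si2, csp, cfc, ltc):
    """Apply the displayed dependencies to one set of branch choices."""
    if support == "SS3":
        # Dependency B: no front line systems are addressed.
        return Sequence(support, None, None, None, None, None, "", EARLY)
    if not acc:
        # Dependency A. Assumption: SI2 is not asked once ACC has failed.
        return Sequence(support, False, None, csp, cfc, None, "", EARLY)
    if not si2:
        # Dependency A: LTC is not addressed.
        return Sequence(support, True, False, csp, cfc, None, "", EARLY)
    if not csp and not cfc:
        # Section 2.2.6.5: failure of both CSP and CFC leads to late core melt.
        # Assumption: LTC is not asked on this path.
        return Sequence(support, True, True, False, False, None, "", LATE)
    # LTC case i relies on the fan coolers; case ii relies on sprays plus
    # component cooling aligned to the RHR heat exchangers.
    case = "i" if cfc else "ii"
    # Dependency C: LTC failure gives late core melt.
    return Sequence(support, True, True, csp, cfc, ltc, case,
                    NO_CM if ltc else LATE)


def enumerate_sequences():
    """Return the distinct sequences in tree order (success branch first)."""
    seen = {}
    for support in SUPPORT_STATES:
        for branches in product((True, False), repeat=5):
            seen.setdefault(classify(support, *branches), None)
    return list(seen)


def outcome_counts():
    return dict(Counter(s.outcome for s in enumerate_sequences()))


if __name__ == "__main__":
    mark = {True: "ok", False: "FAIL", None: "-"}
    for n, s in enumerate(enumerate_sequences(), start=1):
        nodes = " ".join(f"{name}={mark[val]}" for name, val in
                         zip(("ACC", "SI2", "CSP", "CFC", "LTC"), s[1:6]))
        print(f"{n:2d} {s.support} {nodes} LTC-case={s.ltc_case or '-'} -> {s.outcome}")
    print(outcome_counts())
```
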
2.2.6.6 PLANT DAMAGE STATE CLASSIFICATION
All event tree sequences except those that result in successful mitigation are classified by the degraded core conditions that exist for each sequence.
As described in Section 2.1.4, classification is based on the time of core melt with respect to injection or recirculation, type of scenario and containment safeguards.
All large LOCA plant damage states are classified according to Table 2.1-1.
2.2.6.7 SYSTEM INTERACTIONS
Most dependencies caused by systems interactions have already been discussed in the conditional top events and in the displayed dependencies section; other significant interactions are those associated with support systems.
The most important of these are the integrated protection system, the electric power system, the essential service and the component cooling water systems; however, these systems are explicitly contained within the support state model.
Table 2.1-2 displays all system and operator interactions.
[Figure: Large LOCA event tree. Column headings: LLO, S03, ACC, SI2, CSP, CFC, LTC. Sequences are numbered 1 through 31, each with an end state label; the diagram itself did not survive extraction.]
2.2.7 ANTICIPATED TRANSIENTS WITHOUT SCRAM EVENT TREE
The Anticipated Transient Without Scram (ATWS) event tree (Figure 2.2-7) applies to those transient events for which failure to insert the rod cluster control assemblies into the core occurs following a reactor trip demand. The event tree is used to calculate the conditional probability of success and plant damage states following an ATWS event.
The following symbols are used to identify systems, operator actions and actuation signals modeled within the tree as Top Events:
ATWS - Initiating Event, Anticipated Transient Without Scram
S03 - Support System Availability
ORT - Manual Reactor Trip
SC3 - Emergency Feedwater Actuation and Secondary Cooling Available
PRR - ATWS Primary Pressure Relief
OFB - Operator Action Feed and Bleed
OLT - Operator Action, Long-Term Shutdown
CSP - Containment Spray System Available
CFC - Containment Fan Coolers Available
LTC - Long Term Cooling Available
A brief discussion of each top event, including success criteria, dependencies, conditionals and system interactions, is provided in the following subsections.
2.2.7.1 INITIATORS
ATWS events encompass a wide spectrum of initiating events and ensuing plant transient progressions.
Based on WCAP-8330 and subsequent ATWS submittals, the reactor core will shut itself down (on the inherently negative moderator temperature coefficient of reactivity) prior to core damage following any anticipated transient without reactor trip.
However, prior to core shutdown, there is the possibility that system stress limits could be violated, with resultant possible loss of reactor coolant system integrity which could lead to core damage subsequent to reactor core shutdown.
For the purposes of this ATWS assessment, therefore, core damage is assumed to result if any one of the following occur:
1. Maximum RCS pressure exceeds 3200 psig. (This is the minimum pressure at which any RCS component would reach its allowable ASME stress limit for Service Level "C".)
2. Inadequate RCS heat removal (either before or after the core is brought subcritical), such that insufficient reactor coolant remains to provide core cooling.
3. The reactor core is not brought to subcriticality within 3 hours. (With maximum emergency feedwater flow, sufficient feedwater condensate would be available for three hours to permit either plant cooldown to RHR or replenishing the condensate supply.)
WCAP-8330 and subsequent ATWS submittals demonstrate that the possibility of system overpressure exists only for transients involving total loss of normal feedwater early in the transient, and beginning from high power early in core life.
Therefore, it is convenient to group various anticipated transients into the categories shown below:
MAIN TRANSIENTS WITH NORMAL FEEDWATER AVAILABLE FOR ONE MINUTE
Generator trip and turbine trip with normal feedwater
Partial loss of feed
TRANSIENTS WITHOUT NORMAL FEED (NFW FAILURE)
Turbine trip without feed
Increase in feedwater (1)
Closure of one MSIV (2)
Loss of RCS flow (2)
Small RCS leak (2)
SI actuation (2)
Total loss of feed
All other transients not listed above
With the categorization shown above, success probabilities for many of the top events can be determined from the frequency of initiating events (transients) based on operating plant data.
Notes:
(1) Causes turbine trip and loss of feed on high steam generator water level signal.
(2) Assumed to cause turbine trip and feedline isolation on an "S" signal.
2.2.7.2 ACCIDENT PROGRESSION
An ATWS event would be composed of two different events, the first being an initiator that results in plant operation outside of the operating control band and second, the failure to insert the rod cluster control assemblies into the core following a reactor trip demand.
There are several mechanisms by which a plant may be shut down following an ATWS event.
These include a manual reactor trip, initiation of safety injection, a normal CVCS boration, or (in the longer term) boration by the BUSI plus xenon buildup. Should one of these actions succeed, the operator would be able to proceed with plant procedures for plant shutdown.
Sufficient feedwater would be available for plant cooldown following shutdown via the emergency feedwater system.
A manual reactor trip signal is processed directly to the trip breakers as well as through the protection logic.
If this action should fail to deenergize the control rod drive mechanisms, the operator can trip the control rod power at the motor-generator set supply breakers to trip the reactor.
If the control rods are tripped, they insert into the core in approximately 2 seconds, inserting more than 4 percent negative reactivity.
If standard boration is used, borated water is supplied through the chemical and volume control system through the boric acid blender. If safety injection is used, borated water is supplied from the emergency water storage tank (EWST) through the high head safety injection pumps.
Failure of the reactor to trip following a total loss of main feedwater would result in a large imbalance between the reactor core power generation and steam generator heat removal capability.
ATWS loss of feedwater events have been selected for the discussion below.
The secondary system could no longer remove all of the heat that is generated in the reactor core.
This heat buildup in the primary system would be indicated by rising reactor coolant system temperature and pressure, and by increasing pressurizer water level, which would be due to the insurge of expanding reactor coolant.
Water level in the steam generator would drop as the remaining water in the secondary system, unreplenished by main feedwater flow, would be boiled off. When the steam generator water level falls to the point where the steam generator tubes are exposed, primary-to-secondary system heat transfer would be reduced.
Reactor coolant temperature and pressure would continue increasing as the pressurizer fills and releases water through the safety and possibly the relief valves.
The peak pressure attained in the primary system would depend upon the ability of the pressurizer safety and relief valves to release the reactor coolant volumetric insurge into the pressurizer.
The volumetric relief capacities of these valves would be reduced when the pressurizer fills and water is passed instead of steam.
During an ATWS, the heat source and sink mismatch would cause the reactor coolant temperature and coolant expansion rate to increase.
Core power would drop due to the negative moderator temperature coefficient of reactivity.
All non-loss of main feedwater ATWS transients would result in a less than or similar power mismatch between heat source and sink.
Thus, a complete loss of main feedwater ATWS transient is considered as the bounding scenario and is the basis for the previous simplification statements made.
2.2.7.3 TOP EVENT DESCRIPTION
This section addresses top events, event tree dependencies and conditionals.
The numerical calculations for each top event unavailability are performed in either Plant System and Operator Actions Fault Tree Analysis or Event Tree Supporting Analysis.
A summary of success criteria is provided in Table 2.1-2, with specific references.
INITIATOR (ATWS)
An ATWS event would be initiated by failure to shut down the reactor following a reactor trip signal.
More precisely, an ATWS event would be a combination of an initiating event (that causes a reactor trip signal) and subsequent failure to insert the rod cluster control assemblies into the reactor core.
MANUAL REACTOR TRIP (ORT)
Success of this top event requires that the operator manually initiate a reactor trip within the first minute of the ATWS condition.
If the reactor trip function failed because no automatic signal was generated, the operator may generate a manual trip signal directly to the trip breakers or through the protection logic to initiate a trip.
Also, unless the control rods are prevented mechanically from inserting into the core, the control rods could be stepped into the core under either automatic or manual control.
EMERGENCY FEEDWATER ACTUATION (SC3)
This top event addresses the probability that sufficient emergency feedwater is supplied to remove adequate heat from the RCS to prevent both RCS overpressure and core damage.
Two EFW pumps must supply cooling flow to all four steam generators to prevent overpressurization
ATWS PRIMARY PRESSURE RELIEF (PRR)
This top event addresses the probability that pressurizer pressure relief is adequate to prevent a peak RCS pressure in excess of 3200 psig.
The probability of success depends upon: a) time in core life (moderator temperature coefficient); b) number of pressurizer relief valves (PORVs) available; and c) event and core power level.
The 3200 psig figure is a conservative lower bound at which any RCS component might reach the ASME allowable stress limit for Service Level "C".
Below this pressure, there is assumed to be insignificant chance of an RCS leak developing that would lead to core damage.
Above this pressure, small LOCA early core damage is assumed for simplicity and conservatism, without further development of the tree or considerations which would mitigate the effect of an RCS leak on the reactor core.
OPERATOR ACTION, FEED AND BLEED (OFB)
If emergency feedwater actuation (SC3) fails after success of manual reactor trip (ORT), the operator could start emergency procedures for feed and bleed to remove decay heat. To do so, the operator would have to start at least one high head safety injection pump and open pressurizer PORVs.
For the purposes of determining the probability of success, it is conservatively assumed that all three PORVs must be opened.
Also, the emergency water storage tank would be required to provide a source of water. If both manual reactor trip (ORT) and emergency feedwater (SC3) fail, core damage is assumed for simplicity and conservatism.
OPERATOR ACTION, LONG-TERM SHUTDOWN (OLT)
If the reactor is not shut down during the early transient (as a result of manual reactor trip or automatic boration), there are several actions the operator could take in the longer term to shut the reactor down.
These actions include removing power to the RCCA rod drive mechanisms (by locally tripping open the reactor trip breakers or by interrupting supply power to rod drive cabinets), or by borating using either the CVCS (either normal or emergency boration procedures) or the high head safety injection system (while decreasing RCS pressure if necessary by opening the pressurizer PORVs).
In addition to these specific manual actions, initiation of the Back-up Seal Injection System would provide boration for core shutdown within two hours.
Success of OLT is defined as shutting down the reactor (sub-critical at hot zero power) within 3 hours of the ATWS event by inserting control rods or borating.
If the reactor is shut down within 3 hours, there will be adequate EFW condensate supply to either cool to RHR, or leave sufficient time for the operators to replenish the condensate storage tank.
Containment Spray protects the containment from overpressure failure conditions and scrubs the containment atmosphere of radionuclides.
It is very unlikely that the sprays will provide any useful function in recovering from core damage conditions.
However, sprays are important if core damage occurs because they reduce the chance of containment failure and reduce the severity of release if containment fails.
Success of Containment Spray requires either an automatic or manual actuation signal.
However, top event CS includes only successful generation of an automatic actuation signal (HI-3 containment pressure) and the setpoint may be reached in containment heat removal degraded conditions.
The successful operation of one pump, taking suction from the EWST, is required.
Intermittent manual operations, although not modeled in the event tree, can be effective as long as water is available in the EWST.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long-term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization.
In addition, the fan coolers provide an alternative heat removal path for core cooling recirculation should heat removal via emergency feedwater and secondary cooling be unsuccessful.
On an "S" signal, containment fans shift to low speed automatically, but even if this shift should fail, there would be adequate time for manual actuation prior to any significant containment pressure increase.
The success criteria for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
LONG TERM COOLING (LTC)
Following successful injection of the EWST water into the reactor coolant system, the core cooling function must be maintained for the duration of the mission time.
This function would be automatically maintained since there is no switchover.
Only run failures of all pumps involved or valve closure failures would affect the flow.
The cooling will be maintained through fan coolers or RHR heat exchangers.
This top event includes also the availability of water in the containment sump and the valves and lines to the high head ISS pumps; success of the switchover to recirculation can only be reached by opening the valve in a line from the sump corresponding to a successful ISS pump.
Long term core heat removal can be ensured by successful operation of the containment fan coolers along with RCS inventory control provided by high head recirculation.
2.2.7.4 DISPLAYED DEPENDENCIES This section discusses the functional dependencies of the ATWS event tree.
A. If the manual reactor trip (ORT) succeeds, only decay heat removal requirements need to be addressed. (Neither RCS overpressure nor long-term shutdown represent potential concerns.)
Decay heat can be removed with either normal feedwater, start-up or emergency feedwater (SC3), or feed and bleed (OFB) with containment spray (CSP).
If SC3 fails, OFB is addressed.
2. Long-term success of bleed and feed is assumed to require high head safety injection recirculation (LTC). Therefore, failure of LTC is assumed to result in late core damage through a small RCS leak.
B. If ORT fails, RCS overpressure is a possibility.
Heat removal and long-term shutdown are then addressed.
If PRR fails, transient early core damage is assumed.
2. Emergency feed (SC3) is always assumed necessary for decay heat removal. No credit is taken for bleed and feed operation. Failure of SC3 is assumed to result in transient early core damage.
2.2.7.5 SUCCESS CRITERIA Successful mitigation of an ATWS transient requires that three conditions be met:
1. Peak RCS pressure does not exceed 3200 psig. This is the conservative lower limit at which any component of the reactor coolant pressure boundary could reach its allowable ASME stress limit for Service Level "C".
2. Adequate heat removal from the RCS; and
3. Reactor core brought to subcriticality in the longer term, such that eventual plant cooldown can be accomplished when convenient.
Failure to meet any of these conditions is assumed, for simplicity and conservatism, to result in transient early core damage. Therefore, event tree branches are not developed further past violation of any of these conditions except to assess the extent of containment safeguards available.
2.2.7.6 PLANT DAMAGE STATE CLASSIFICATION All event tree sequences except those that result in successful mitigation are classified by the degraded core conditions that would exist for each sequence.
Classification is based on time of core damage with respect to injection or recirculation, type of scenario and containment spray and containment fan cooler conditions.
All ATWS plant damage states are assigned classification according to Table 2.1-1.
2.2.7.7 SYSTEM INTERACTIONS Most dependencies caused by systems interactions have already been discussed as displayed dependencies in the event tree; other significant interactions are those coming from support systems.
The most important of these are the Integrated Protection System, Electric Power System, Service Water System and Component Cooling Water System; however, these systems are explicitly contained within the support state model.
Table 2.1-2 explicitly depicts all system and operator interactions.
2.2.8 INTERFACING SYSTEMS LOCA EVENT TREE This event addresses all primary system pipe breaks that can occur as a result of loss of the barriers between the high pressure piping and low pressure piping, leading to failure of the low pressure piping.
The event tree (Figure 2.2-8) contains the following nodes:
ISL - Initiating Event Occurs
S03 - Support System Availability
CON - Break Occurs within the Containment
ACC - Accumulator Injection
SI2 - Low Head Safety Injection
CSP - Containment Sprays Available
CFC - Containment Fan Coolers Available
LTC - Long Term Cooling Available
2.2.8.1 INITIATORS
The interfacing systems LOCA with uncontrolled release outside containment, Event V as described in WASH-1400, is postulated for those large piping systems that connect to the Reactor Coolant System and also pass through containment. Such connections have the potential to cause a LOCA in which the containment and containment safeguards radionuclide protective barriers are bypassed.
In addition, there is the potential for those piping failures to render ISS systems ineffective or inoperable since most of these piping connections involve ISS systems.
Three possible ISL-initiating scenarios were identified in section 1.2.7.
These scenarios are:
o Disk rupture of the check valves in the vessel injection/recirculation lines.
o Disk rupture of the check valves and disc rupture or disc transfer open of the motor-operated isolation valve in the hot leg injection/recirculation lines.
o Disk rupture of two series motor-operated valves in the suction piping of the Residual Heat Removal System.
As indicated in the discussion in Section 1, the RHR suction path sequence is the dominant contributor to ISL initiation.
2.2.8.2 ACCIDENT PROGRESSION For an ISL occurring inside containment, the accident progression is as described for a small or large LOCA, depending on the size of the postulated break.
The limiting case is taken to be one with a break area equivalent to that assumed for a large LOCA.
There is no core melt as long as at least one ISS train functions initially and long-term core heat removal is available via the continued functioning of at least one train of the ISS or the operation of secondary side cooling systems.
However, if both trains of ISS fail to respond to the "S" signal, there will be core melt.
If the ISL occurs outside containment and cannot be isolated (V1 sequence), reactor protection and ISS systems would be expected to function, but core melt is assumed.
2.2.8.3 TOP EVENT DESCRIPTIONS The top events of the Interfacing Systems LOCA event tree are described here to provide an understanding of the system functions and operator actions involved.
The numerical calculations of each top event unavailability are described in the Plant Systems and Operator Actions Fault Tree Analyses.
Success criteria hereafter discussed are based on Westinghouse generic analyses, except where noted.
A summary of success criteria is provided in Table 2.1-2, with specific references.
BREAK LOCATION INSIDE OR OUTSIDE CONTAINMENT (CON)
In some cases it is possible, due to valve and piping configurations, that ISL-initiating events may lead to a break within the containment rather than outside the containment.
Failure within the containment results in an event similar to a large primary system LOCA, and this could be mitigated in the same manner as a LOCA.
Although no credit is taken in the analysis for mitigation of an Interfacing Systems LOCA inside containment, provision for this occurrence is made on the event tree, for completeness.
ACCUMULATORS INJECTION (ACC)
Success of the accumulators injection top event requires two-out-of-three accumulators on the intact primary loops to inject their inventory into the
Because delivery of accumulator flow into the ruptured loop may be ineffective (due to spilling out of the break), only three accumulators are considered.
Success does not require isolation of the accumulators following injection.
Steam generator heat transfer is not required following a large LOCA, so nitrogen injection is not a concern.
LOW HEAD SAFETY INJECTION (SI2)
O Safety injection is automatically actuated on an "S"
signal.
Successful actuation of an "S" signal depends on one of two possible input signals that would be generated following the large LOCA. These signals are:
1.
Low pressurizer pressure 2.
High containment pressure The safety injection system is requested to start insnediately af ter a large LOCA to provide inventory control by supplying borated water to the RCS.
Safety injection system takes suction from the EWST and injects water via the cold legs into the vessel.
Success criteria for safety injection following large LOCA depends on: 1) the availability of the EWST; and 2) the operation of 5 " trains" out of 8 " trains" which are composed of 4 CRTS and 4 safety injection trains.
W APWR-PSS 2-109 June,1985 8773Q:10
Containment Spray protects the containment from overpressure failure conditions and scrubs the containment atmosphere of radionuclides in the event of an interfacing systems LOCA inside containment.
It is very unlikely that the sprays will provide any useful function in avoiding core damage conditions.
However, these functions are important if core damage occurs because they reduce the chance of containment failure and reduce the severity of release if containment fails.
The sprays provide no mitigating function for V-sequence events.
Success of containment spray requires either automatic or manual actuation signal.
However, top event CSP includes only successful generation of an automatic actuation signal (HI-3 containment pressure) and the setpoint may be reached in containment heat removal degraded conditions.
Intermittent manual operation, although not modeled in the Event Tree, can be effective as long as water is available in the EWST.
The following success criterion applies to the Containment Spray System:
At least two low-head pumps (out-of-four) connected to available lines from the EWST are required for success.
For simplicity in the node quantification, run-time for the pumps is conservatively assumed to be 24 hours.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization during an interfacing systems LOCA inside the containment.
In addition, the fan coolers provide an alternative heat removal path for long-term core cooling should heat removal via the RHR be unsuccessful.
The fan coolers provide no mitigating function during a V-sequence event.
On an "S" signal, the fan coolers shift to emergency, low speed automatically, but even if this shift should fail there would be adequate time for manual actuation prior to any significant containment pressure increase, although this action is not modeled in the system analysis.
The success criterion for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
LONG TERM COOLING (LTC)
Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the transient.
Long term cooling is typically supplied by the Residual Heat Removal (RHR) system.
In the APWR design, however, the safety injection pumps might also be used if the primary system is breached. Thus, primary coolant would circulate from either the hot leg (RHR) or the EWST (SI), through the CCW-cooled heat exchangers and back to the vessel injection nozzles.
The LTC node encompasses all operator actions and equipment availability needed to perform this function.
Due to shared functions and the operation of other systems, this node is divided into four states as follows.
LTC1 This node comprises a normal cooldown of the RCS by use of the auxiliary feedwater system to cold shutdown conditions.
The RHR system is then aligned to provide decay heat removal, utilizing at least one pump in the closed loop circulation mode with CCW supplied to the RHR heat exchanger.
LTC2 This node represents long term core heat removal following an ISL or consequential small LOCA.
Due to successful safety injection and containment fan cooler (CFC) operation, success is limited to continued feed and bleed cooling.
Other methods of heat removal include auxiliary feedwater and use of the RHR heat exchangers, but these methods are not modeled.
LTC3 This node represents long term core heat removal following an ISL or consequential small LOCA and a failure of the containment fan coolers (CFC).
Heat removal is accomplished by continued safety injection with component cooling water flow aligned to at least one RHR heat exchanger.
LTC4 This node represents long term core heat removal following an ISL or consequential small LOCA and the failure of both ISS trains.
Heat removal is accomplished through use of the Emergency Feedwater System.
For a V-sequence event, the availability of long-term cooling will not mitigate the effects of the accident. However, for breaks inside containment, long-term cooling may provide mitigation.
2.2.8.4 DISPLAYED FUNCTIONAL DEPENDENCIES
a. If at least one ISS train is available to inject emergency coolant during the initial portion of the transient, successful mitigation depends on the success of the other functions indicated on the tree. If the ISS fails completely, early core damage is assumed to result.
b. If the break occurs outside containment, there is no further branching, and a V-Sequence is assumed to occur.
c. If either the fan cooler or containment spray systems succeed for an inside-containment break, successful mitigation is dependent on success of long-term cooling. Upon failure of long-term cooling, recirculation functions are assumed to fail, resulting in core damage.
2.2.8.5 SUCCESS CRITERIA In order to avoid degraded core conditions, the ISL must occur inside containment. AC power must be available to at least one ISS train (at least one train must function), and long-term cooling must succeed.
If the containment top event is successful, there is no V-sequence.
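The displayed dependencies and success criteria above amount to pruning rules on the event tree, which the following Python example (added here; not part of the Westinghouse study) applies to enumerate sequences and sum end-state probabilities. Assumptions: INJ is a single stand-in for the ACC and SI2 nodes, all branch probabilities are constructed, the end-state names are descriptive rather than the Table 2.1-1 codes, and the outcome when both CSP and CFC fail is assumed to be core damage.

```python
from fractions import Fraction as F

# Top events in tree order after the initiator. CON, CSP, CFC and LTC are the
# page's node names; INJ is a stand-in (assumption) for "at least one ISS train
# injects", which the page's tree splits into ACC and SI2.
# CONSTRUCTED failure probabilities, for illustration only (not from the study).
# For CON, "failure" means the break is outside containment.
P_FAIL = {
    "CON": F(9, 10),
    "INJ": F(1, 100),
    "CSP": F(1, 50),
    "CFC": F(1, 20),
    "LTC": F(1, 10),
}


def step(path):
    """Return ("ask", event) or ("end", state) for a partial path.

    path maps a top event name to True (success) or False (failure).
    """
    if "CON" not in path:
        return "ask", "CON"
    if not path["CON"]:
        return "end", "V-sequence"            # b: no further branching
    # CSP and CFC are developed even after injection failure so that every
    # core damage sequence records which containment safeguards are available.
    for event in ("INJ", "CSP", "CFC"):
        if event not in path:
            return "ask", event
    if not path["INJ"]:
        return "end", "early core damage"     # a: ISS fails completely
    if not (path["CSP"] or path["CFC"]):
        # ASSUMPTION: the page does not state the outcome of this branch.
        return "end", "core damage (CSP and CFC failed)"
    if "LTC" not in path:
        return "ask", "LTC"                   # c: mitigation depends on LTC
    if path["LTC"]:
        return "end", "NO CM"
    return "end", "core damage (LTC failed)"


def enumerate_sequences(path=None, prob=F(1)):
    """Develop the tree depth-first; return (path, end state, probability)."""
    path = path or {}
    kind, value = step(path)
    if kind == "end":
        return [(path, value, prob)]
    sequences = []
    for success in (True, False):
        branch = 1 - P_FAIL[value] if success else P_FAIL[value]
        sequences += enumerate_sequences({**path, value: success}, prob * branch)
    return sequences


def totals_by_state(sequences):
    """Sum conditional probability (given the initiator) per end state."""
    totals = {}
    for _, state, prob in sequences:
        totals[state] = totals.get(state, F(0)) + prob
    return totals


def safeguards(path):
    """Containment safeguards that succeeded on this path."""
    available = [e for e in ("CSP", "CFC") if path.get(e)]
    return "+".join(available) or "none"


if __name__ == "__main__":
    seqs = enumerate_sequences()
    for number, (path, state, prob) in enumerate(seqs, start=1):
        print(f"{number:2d}  {state:34s} safeguards={safeguards(path):8s} "
              f"p={float(prob):.7f}")
    for state, prob in totals_by_state(seqs).items():
        print(f"{state:34s} {float(prob):.7f}")
```

Multiplying each total by an initiating event frequency gives the end-state frequency; the probabilities here are conditional on the initiator and a single support state.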
2.2.8.6 PLANT DAMAGE STATE CLASSIFICATION All event tree sequences except those that result in successful mitigation of the event are classified by the core melt conditions as described in Section 2.1.
Classification is based on the time of core damage. These damage states are summarized in Table 2.1-1.
FIGURE 2.2-8. WAPWR INTERFACING SYSTEMS LOCA EVENT TREE. (Event tree headings: ISL, S03, CON, ACC, SI2, CSP, CFC, LTC.)
2.2.9 VESSEL FAILURE EVENT TREE Two classes of large LOCA that may be beyond ECCS capability have been identified: simultaneous rupture of two or more large pipes and a very large reactor vessel rupture.
A vessel integrity failure is modeled as a breach of the vessel by failure of the shell, head, nozzles or bolting accompanied by a rapid release of a large volume of reactor coolant.
"Large" is defined as beyond the capacity of the ECCS System to keep the core covered or reflood the core after initial uncovery.
This section includes all challenges to vessel integrity during emergency and faulted plant conditions.
The following nodes are considered in the event tree (Figure 2.2-9) modeling the accident sequences.
VEF - Initiating Event Occurs
S03 - Support Systems Available
CSP - Containment Spray System Available
CFC - Containment Fan Cooling Available
Each event tree path results in core melt.
Containment safeguards are addressed for the proper quantification of release category frequency.
2.2.9.1 TOP EVENT DESCRIPTION The success criteria of the two systems modeled in this event tree are discussed below, and summarized in Table 2.1-2.
Containment Spray protects the containment from overpressure failure conditions, and scrubs the containment atmosphere of radionuclides.
It is very unlikely that the sprays will provide any useful function in avoiding core damage conditions.
However, sprays are important after core damage occurs because they reduce the chance of containment failure and reduce the severity of radionuclide release if containment fails.
Success of containment sprays requires either an automatic or manual actuation signal.
However, top event CSP includes only successful generation of an automatic actuation signal (Hi-3 containment pressure) after the containment pressure setpoint is reached.
Intermittent manual operation, although not modeled in the event tree, can also be effective as long as water is available in the EWST.
CONTAINMENT FAN COOLERS (CFC)
Containment fan coolers provide long term cooling and pressure suppression for the containment atmosphere to prevent containment failure by overpressurization.
On an "S" signal, containment fan coolers shift to low speed automatically, but even if this should fail there would be adequate time for manual actuation prior to any significant containment pressure increase.
This operator action is not modeled by the system analysis.
The success criteria for the fan coolers is one-out-of-four fan coolers operating in the emergency low speed mode.
2.2.9.2 PLANT DAMAGE STATE CLASSIFICATION All event tree paths of the vessel failure event result in early, large LOCA core melt.
Containment safeguards are addressed for analysis of source term magnitude and containment integrity.
Plant damage states are summarized in Table 2.1-1.
FIGURE 2.2-9. WAPWR VESSEL FAILURE EVENT TREE. (Event tree headings: VEF, S03, CSP, CFC.)
2.2.10 TOTAL LOSS OF AUXILIARY COOLING EVENT TREE This event addresses the loss of essential service water or component cooling water system cooling capability.
It is conservatively modeled that all front line systems except secondary cooling and emergency seal injection system will be unavailable due to loss of cooling.
This event tree (Figure 2.2-10) uses the following symbols for event tree nodes:
LC1 - Initiating Event Occurs
S04 - Support Systems Available
SC1 - Secondary Cooling Available
SLL - Seal LOCA Does Not Occur
LTC - Long Term Cooling Available
2.2.10.1 ACCIDENT PROGRESSION This event is initiated by a loss of either service water or component cooling water.
The resulting equipment heatup and trip in reactor and turbine auxiliary systems will result in reactor trip. Decay heat must be removed via secondary cooling, using the emergency feedwater system (SC1).
Due to the unavailability of the charging system pumps, the emergency seal injection system will be required to operate to protect RCP seal integrity.
This event tree does not model recovery of the cooling systems within the first 24 hours following the event.
It is assumed that emergency feedwater will be sufficient to provide core cooling under natural flow of the primary coolant for 24 hours.
2.2.10.2 TOP EVENT DESCRIPTION
The top events of the loss of Auxiliary Cooling Event are discussed below.
The numerical calculation of each top event is presented in the Plant Systems and Operator Action Fault Tree Analysis.
A summary of success criteria is provided in Table 2.1-2.
EMERGENCY FEEDWATER ACTUATION AND SECONDARY COOLING (SC1)
The Emergency Feedwater System starts in response to an automatic actuation signal or in response to operator action. The automatic signal may be derived from low-low steam generator water level, or upon failure of the start-up feedwater system, which would be demanded upon reactor trip but fail due to loss of cooling.
Emergency Feedwater System success requires the starting of one of two turbine-driven pumps and delivering a total flow rate of at least [ ] gpm to one or more steam generators.
Secondary cooling requires the automatic or manual opening of at least one relief or safety valve in the steam generator fed by emergency feedwater.
Given these conditions, the reactor core will be cooled by single or two-phase natural circulation.
Successful operation of the system for 24 hours will encompass long term core heat removal.
SEAL LOCA DOES NOT OCCUR (SLL)
Normal charging is lost, and component cooling water to the RCP coolers will be unavailable.
This necessitates operator action to start the Back-up Seal Injection (BUSI) system to protect the seals.
If this fails, a seal LOCA may occur.
If BUSI is successful, however, a consequential seal LOCA is assumed not to occur.
LONG TERM COOLING (LTC)
Long term cooling refers to the continued removal of reactor decay heat for 24 hours following the loss of cooling event.
Long term cooling is typically supplied by the Residual Heat Removal (RHR) system. However, if cooling water flow is not recovered, the reactor decay heat may only be effectively removed via the secondary system.
Since recovery of the cooling systems is not modeled, long term cooling is simply comprised of proper operation of the turbine driven emergency feedwater pumps for 24 hours.
The LTC node encompasses all operator actions and equipment availability needed to perform this function.
2.2.10.3 SUCCESS CRITERIA
Auxiliary feedwater actuation and operation for 24 hours, combined with emergency seal injection will be sufficient to avoid core damage.
2.2.10.4 PLANT DAMAGE STATE CLASSIFICATION All event tree sequences except those that result in successful mitigation are classified by the degraded core conditions that exist for each sequence. As described in Section 2.1, classification is based on time of core damage. The damage states are summarized in Table 2.1-1.
FIGURE 2.2-10. WAPWR TOTAL LOSS OF AUXILIARY COOLING EVENT TREE. (Event tree headings: LC1, S04, SC1, SLL, LTC.)