ML20138J340

From kanterella
Advises That Encl Draft PNL-5543,PNL-5544 & PNL-5545 on USI A-47 Submitted to Epri,In Response to B Reuland Request
ML20138J340
Person / Time
Issue date: 10/29/1985
From: Szukiewicz A, Office of Nuclear Reactor Regulation
To: Kniel K, Office of Nuclear Reactor Regulation
References: REF-GTECI-A-47, REF-GTECI-SY, TASK-A-47, TASK-OR, NUDOCS 8512170493
Download: ML20138J340 (221)


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION, WASHINGTON, D. C. 20555

October 29, 1985

MEMORANDUM FOR: Karl Kniel, Chief, Generic Issues Branch, Division of Safety Technology, NRR

FROM: Andrew J. Szukiewicz, Task Manager, Generic Issues Branch, Division of Safety Technology, NRR

SUBJECT: PNL DRAFT REPORTS FOR USI A-47

In response to a request from Mr. Bill Reuland (EPRI), I have provided EPRI the following PNL draft reports.

Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a Westinghouse Pressurized Water Reactor (PNL-5543, dated September 1985).

Effects of Control System Failures on Transients, Accidents and Core-Melt Frequencies at a B&W Pressurized Water Reactor (PNL-5544, dated September 1985).

Effects of Control System Failures on Transients, Accidents, and Core-Melt Frequencies at a General Electric Boiling Water Reactor (PNL-5545, dated September 1985).

A copy of this memo and these reports are being submitted to the Public Document Room.

Andrew J. Szukiewicz, Task Manager, Generic Issues Branch, Division of Safety Technology, NRR

Enclosures: As Stated Above

cc w/encls: PDR

cc w/o encls: N. Anderson, A-47 File

8512170493 851029 PDR GTECI GSYA

NUREG/CR PNL-5545

EFFECTS OF CONTROL SYSTEM FAILURES ON TRANSIENTS, ACCIDENTS, AND CORE-MELT FREQUENCIES AT A GENERAL ELECTRIC BOILING WATER REACTOR

W. E. Bickford
A. S. Tabatabai

September 1985

Pacific Northwest Laboratory, Richland, Washington 99352

SUMMARY

This draft report examines control system failures identified for a representative General Electric Boiling Water Reactor, and presents the results of a probabilistic analysis of the potential for these failures progressing to core-melt. Estimates of associated public risk are also made. This study is part of a value-impact analysis of the issues associated with the Unresolved Safety Issue (USI) A-47.

Control system failures similar to those postulated in this report have occurred in operating BWRs. However, there has been no known progression of such failures to core damage and subsequent release of radioactive material.

The accident sequences developed in this report are therefore speculative, and subject to all the uncertainties and limitations surrounding the use of probabilistic risk assessment (PRA) for predictive nuclear safety. Median and upper bounds for the frequency of initiating control system failures are given and propagated through the accident event trees used here. However, only best estimates for failure probabilities of other systems (i.e., other than control systems) were used. This was done so that direct comparisons could readily be made with dominant core-melt sequences found for GE BWRs in existing PRAs.

The reference plant used here is the BWR/4 Browns Ferry class of General Electric BWR. The control system failures analyzed are those identified by Idaho National Engineering Laboratory (INEL) in their examination of Browns Ferry for the USI A-47 program. These include: 1) failures which initiate feedwater overfill and also defeat the high level feedwater trip, 2) a failure of the condensate booster pump which results in increased flow to the vessel and produces an excessive cooldown of the vessel, and 3) an inadvertent actuation of the low pressure coolant injection system (LPCI) which also produces an excessive cooldown.

The low pressures and temperatures involved with the overcool scenarios (270 psi at 1 percent power) were not considered sufficient to have any credible potential for producing thermal shock-induced failure of the reactor vessel. Condensation of the large steam void present in all BWRs makes it physically unlikely that the concurrent high pressures and cooling necessary to induce vessel damage will be present in BWRs.

The primary hazard to plant safety was determined to be the potential for water spilling into the steam lines, inducing water hammer, and producing a main steam line break (MSLB). BWR piping performance has been and is currently the subject of intense review in the industry. Although water hammer and steam condensation have occurred on plant startup and main steam isolation valve lift, no such failures of main steam pipes have ever been observed in plant operation.

However, to be conservative this analysis assumed that the probability of MSLB was essentially 1 given spillover of water into the steam lines while at power.

The potential for operator intervention in terminating the sequences was also considered. For sequences involving feedwater overfeed while on automatic control which generate conflicting level indicator readings and annunciators/alarms, the probability of operator error was put at approximately 50 percent. This conforms to the subjective views of licensing examiners on the potential for operator error. If lower power settings on manual feedwater control or unambiguous instrumentation/alarm readings are assumed, the error probability is thought to be lower.

The core-melt frequency predicted for the 3 sequences is approximately 2.5E-06/py, or 1% of the total core-melt frequency calculated in the Browns Ferry PRA of 2E-04/py. The risk for the 3 sequences is approximately 18 man-rem/py. This is again primarily due to the MSLB scenario, with 80 percent of the risk associated with BWR release category 2 and 20 percent with release category 3. In the Browns Ferry PRA, 20 percent of the dominant transient risk was associated with release category 2 and 80 percent with release category 3.

However, the man-rem/event associated with these release categories are similar enough (7.1E+06 versus 5.1E+06 man-rem/event) to indicate that the public risk predicted for control system failures is also on the order of 1 percent of overall plant risk.

Finally, the control failures must be considered in terms of their potential for generating transient shutdown signals. Those transients that disabled the power conversion system (1.73/py) were found in the Browns Ferry PRA to represent approximately 78 percent of the overall plant core-melt frequency of 2E-04/py. A conservative estimate of the impact of control system failures leading to such a transient shutdown resulted in an initiating frequency on the order of 0.001 of that observed for such transients in the Browns Ferry PRA.

The final results are summarized below in Table S.1. The additional consideration of control failures initiating transients increases the total predicted core-melt frequency only slightly to 2.76E-06/py, which is still approximately 1 percent of the overall core-melt frequency of 2E-04/py given in the Browns Ferry PRA.

The upper bound on the initiation frequency was not propagated through the calculations. Using the INEL mean value for an initiating frequency, a best estimate of propagation to core-melt has been made here by PNL, giving a net best engineering estimate of the frequency of core-melt due to the particular control failure.

Value/Impact

To analyze the value/impact associated with this issue, it was necessary to postulate a number of possible design changes to alleviate the control system failures identified by INEL. Due to the significant interaction of the operator with control systems, training and procedures directed at the operator could be expected to possibly reduce the progression of simple control system failures to more serious accidents. This role of the operator was estimated in the core-melt calculations presented above. However, it is thought that task action items set up specifically to deal with operator actions during transients are better geared to deal with the potential for reducing operator error in general and will not be addressed here.

The fixes postulated were directed at reducing the rate of control system failures as identified by INEL. These are shown in Table S.2, along with the estimate for reduction in core-melt frequency, public risk, cost, and the resulting value/impact.


TABLE S.1. Summary of Control System Failure Induced Core-Melt Frequency and Public Risk for the GE BWR

| Sequence Initiator | INEL Initiating Frequency (/py), median | INEL Initiating Frequency (/py), upper | PNL Core-Melt Frequency Estimate (/py), best estimate | PNL Public Risk (man-rem/py), best estimate |
|---|---|---|---|---|
| Reactor Vessel Overfill Sequence Number 1 | 6.5E-03 | | 2.40E-06 | 16.2 |
| Reactor Vessel Overfill Sequence Number 2 | 8.2E-05 | | 2.01E-09 | 0.01 |
| Reactor Vessel Overfill Sequence Number 3 | 3.6E-03 | | 1.20E-07 | 0.81 |
| Overfill Initiated Transient Shutdown | 3.16E-02 | | 2.38E-07 | 1.34E+00 |
| With PCS Available | 3.40E-04 | | 7.49E-10 | |
| Without PCS | 2.72E-03 | | 2.38E-07 | 1.31E+00 |
| TOTAL | | | 2.76E-06 | 18.4 |

As can be seen, the addition of another level transmitter (LT) in a 2-out-of-4 trip logic was found to be the most cost-effective measure to counteract the control system failures identified by INEL for feedwater overfill. This assumes that a new configuration would be twice as reliable in preventing the overfill, with implementation costs held to $150,000. Real considerations indicate that a 2-out-of-4 configuration in fact will not achieve such improvements in reliability, and costs could easily exceed $1,000,000 if substantial modifications are required for the level transmitter change. Both uncertainty factors drive the resulting value/impact ratio down significantly.

Modifications to the instrument piping itself to reduce welding or piping ruptures and low level indications are less effective due to the lower initiation frequency for such scenarios and the high cost of annual welding inspections.

The fixes to condenser and LPCI overfill are significantly less cost effective, primarily due to the engineered features already built into the plant to prevent false pump actuation signals or shorts. This is reflected in the low initiation frequencies for these failures. Modifications to these systems may also have negative impacts on the reliability of feedwater delivery during normal operation or LPCI operation during LOCAs.


TABLE S.2. Proposed Modifications to GE BWRs and Estimated Value/Impact

| Modification | Impact | Reduction in Core-Melt (/py) | Reduction in man-rem (30 yrs) | Cost ($) | Value/Impact (man-rem/$1000) |
|---|---|---|---|---|---|
| Instrument Line Weld Integrity | Reduce weld failures | 1.18E-08 | 2.4 | 113,000 | 0.02 |
| New 316 SS Instrument Lines | Reduce pipe failures | 8.89E-08 | 18 | 32,220 | 0.56 |
| New Level Transmitter, 2-out-of-4 trip logic | Reduce high trip failures | 6.96E-07 | 123 | 150,000 | 0.82 |
| Modify Isolation Logic for Condenser Flow | Isolate flow from failed valve | 2.05E-09 | 0.3 | 8,810 | 0.03 |
| Add LPCI Trip on High Vessel Water Level | Isolate flow from LPCI pump short | 1.20E-07 | 24.3 | 69,060 | 0.35 |

Note that the PNL core-melt frequency and public risk estimates are 'best engineering estimates' based on the INEL median initiating frequencies. The costs likewise represent a 'best engineering estimate'. A certain amount of judgment is therefore needed to interpret the value/impact ratio. However, the development of these accident initiators to core-melt is thought to reflect a conservative approach to estimating the impact of these failures on plant engineered safety systems. Cost estimates likewise tend to underestimate the true cost of nuclear plant modifications. These factors, when combined, indicate that the methods used tend to overestimate the value/impact ratios. This is a conservative approach when the information is being used in the regulatory process.

Possible plant modifications to reduce the frequency of overfill can be bounded by comparison to the proposed Safety Goal benefit/cost guideline of $1000/man-rem averted. Assuming a 30-year effective plant life, the total possible risk reduction is (18.4)(30) or approximately 552 man-rem/reactor. If the costs of potential corrective features are compared to the benefits on the basis of $1000/man-rem averted, then an upper bound of approximately $552,000 can be placed on the costs of corrective features.
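The value/impact arithmetic behind Tables S.1 and S.2 and the $552,000 cost bound, carried through in code as an added example (this is not code from the PNL report; the row values are those printed in the tables above). Two relationships are assumed from the summary text rather than stated as formulas by the report: that the value/impact column equals 30-year man-rem averted divided by cost in thousands of dollars, and that the Table S.1 risk figures follow from weighting the 7.1E+06 and 5.1E+06 man-rem/event release categories 80/20.

```python
"""Value/impact worked example for the USI A-47 GE BWR summary tables (added example)."""
from dataclasses import dataclass

PLANT_LIFE_YEARS = 30               # effective plant life assumed in the summary
DOLLARS_PER_MAN_REM = 1000.0        # proposed Safety Goal benefit/cost guideline
BROWNS_FERRY_CORE_MELT = 2.0e-4     # /py, overall core-melt frequency in the Browns Ferry PRA
MAN_REM_PER_EVENT = {"cat2": 7.1e6, "cat3": 5.1e6}   # WASH-1400 release categories 2 and 3


@dataclass(frozen=True)
class Modification:
    """One row of Table S.2."""
    name: str
    core_melt_reduction: float   # /py
    man_rem_30yr: float          # man-rem averted over the 30-year plant life
    cost_dollars: float


# Rows of Table S.2 exactly as printed in the report.
MODIFICATIONS = [
    Modification("Instrument line weld integrity", 1.18e-8, 2.4, 113_000),
    Modification("New 316 SS instrument lines", 8.89e-8, 18.0, 32_220),
    Modification("New level transmitter, 2-out-of-4 trip logic", 6.96e-7, 123.0, 150_000),
    Modification("Modify isolation logic for condenser flow", 2.05e-9, 0.3, 8_810),
    Modification("Add LPCI trip on high vessel water level", 1.20e-7, 24.3, 69_060),
]


def value_impact(mod: Modification) -> float:
    """Value/impact in man-rem averted per $1000 of cost (assumed Table S.2 convention)."""
    return mod.man_rem_30yr / (mod.cost_dollars / 1000.0)


def man_rem_per_core_melt(mod: Modification) -> float:
    """Implied consequence per core-melt event: annual man-rem averted over core-melt reduction."""
    return (mod.man_rem_30yr / PLANT_LIFE_YEARS) / mod.core_melt_reduction


def lifetime_risk_reduction(risk_per_year: float, years: int = PLANT_LIFE_YEARS) -> float:
    """Total man-rem avertable over the plant life, e.g. (18.4)(30) = 552 man-rem."""
    return risk_per_year * years


def cost_ceiling(risk_per_year: float, years: int = PLANT_LIFE_YEARS,
                 dollars_per_man_rem: float = DOLLARS_PER_MAN_REM) -> float:
    """Upper bound on justified corrective-feature cost under the $1000/man-rem guideline."""
    return lifetime_risk_reduction(risk_per_year, years) * dollars_per_man_rem


def core_melt_fraction(total_core_melt: float, baseline: float = BROWNS_FERRY_CORE_MELT) -> float:
    """Share of the Browns Ferry PRA core-melt frequency represented by the control failures."""
    return total_core_melt / baseline


def table_s1_risk(core_melt_freq: float, frac_cat2: float = 0.8) -> float:
    """Public risk (man-rem/py) assuming an 80/20 split between release categories 2 and 3."""
    weighted = frac_cat2 * MAN_REM_PER_EVENT["cat2"] + (1.0 - frac_cat2) * MAN_REM_PER_EVENT["cat3"]
    return core_melt_freq * weighted


def rank_by_value_impact(mods):
    """Most cost-effective modification first."""
    return sorted(mods, key=value_impact, reverse=True)


if __name__ == "__main__":
    for mod in rank_by_value_impact(MODIFICATIONS):
        print(f"{mod.name:48s} {value_impact(mod):5.2f} man-rem/$1000")
    print("cost ceiling for 18.4 man-rem/py:", cost_ceiling(18.4))
    print("fraction of Browns Ferry core-melt:", core_melt_fraction(2.76e-6))
```

Running the script reproduces the Table S.2 ratios to two decimals and the $552,000 ceiling; the 80/20 release-category weighting reproduces the 16.2 man-rem/py of Sequence 1 to within about 1 percent, which is as close as the rounded inputs allow.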

Areas of Likely Conservatism

Again, a 'best engineering estimate' of failure probabilities was used whenever possible in the analysis of core-melt and risk for the control failures identified. Some uncertainty does exist, however, in several factors, with the analysis carried through using what is thought to be a high failure probability. This in turn would weight the estimated core-melt frequency and public risk to higher values. These include:

a) Operator Error - The probability assumed for failure of the operator to diagnose and terminate the scenarios ranged from 0.5 for scenarios with misleading or conflicting information or rapid progression (i.e. overfill in several minutes) to 0.1 for scenarios with non-conflicting information and alarms. Operator response may be better than this, particularly in plants with simulator programs stressing proper diagnosis of failures.

b) Steam Line Break - The probability of main steam line break given spillover into the steamlines at power was assumed to be 1.0, decreasing to 0.5 for spillover after shutdown. Although several spillover events have occurred to date in US commercial plants resulting in support damage, no steam line failures have occurred. Break location was further assumed to occur above the MSIVs, making isolation impossible. Further information on the probability of break for various overfill scenarios and the break location could significantly reduce the resultant risk.

c) Transient Shutdown - The initiating event would cause a transient induced plant shutdown, with loss of the power conversion system (PCS) representing a serious precursor to core-melt in BWRs. The probability of loss of the PCS was assumed to be approximately 0.9 here, but contributed insignificantly to this analysis due to the low initiating frequency.

d) Release Categories - The WASH-1400 release categories most representative of the core-melt scenarios in this analysis were used to estimate risk, with the risk per event as outlined in the Value-Impact Handbook (NUREG/CR-3568).

Ongoing evaluations of the source terms for various core-melt scenarios indicate that the WASH-1400 release categories may overestimate risk by up to several orders of magnitude. This will then result in lower risk being attributed to each scenario.

e) Costs - Estimates of the costs associated with modifications in nuclear plants typically underestimate the final costs, even when accompanied by an extensive engineering-cost study. Higher than expected costs would further lower the value/impact ratios estimated here for proposed modifications.

This calculation is provided only for perspective. The Nuclear Regulatory Commission has established the safety goals for evaluation during a two-year period, but not for regulatory use during that period. Furthermore, the proposed benefit-cost guideline, even if adopted, would not be the sole or even the principal basis for decisions on safety improvements; rather, it would be one consideration in such decisions. This report presents only the preliminary analysis of the costs and benefits associated with possible design features to correct control system failures. The purpose of these preliminary estimates is to assist in screening and assessing the options. It is suggested that a more detailed analysis into the possible negative impacts on control system performance would be required before any such modifications as postulated here could be implemented in existing nuclear plants.

CONTENTS

SUMMARY ... iii
1.0 INTRODUCTION ... 1.1
2.0 APPROACH ... 2.1
3.0 SEQUENCE 1. LEVEL INDICATION AND HIGH LEVEL TRIP FAILURE ... 3.1
3.1 SYSTEM CONFIGURATION ... 3.1
3.2 DISCUSSION OF SEQUENCE 1.A ... 3.1
3.2.1 Failure Rate Information for Sequence 1.a ... 3.3
3.2.2 System Response to Sequence 1.a ... 3.3
3.2.3 Sequence Results for Sequence 1.a ... 3.4
3.3 DISCUSSION OF SEQUENCE 1.B ... 3.5
3.3.1 Failure Rate Information for Sequence 1.b ... 3.5
3.3.2 System Response to Sequence 1.b ... 3.7
3.4 DISCUSSION OF SEQUENCE 1.C ... 3.9
3.5 DISCUSSION OF SEQUENCE 1.D ... 3.10
3.6 SUMMARY OF SEQUENCE 1. OVERFILL INITIATING FREQUENCY ... 3.12
4.0 SIGNALS AVAILABLE TO THE OPERATOR ... 4.1
4.1 Operator Response to Sequence 1.a ... 4.1
4.2 Signals Available to the Operator for Sequence 1.b ... 4.2
4.3 Operator Response to Sequence 1.b ... 4.4
5.0 SEQUENCE 1. ACCIDENT PROGRESSION TO LOCA ... 5.1
6.0 SEQUENCE 2. CONDENSATE BOOSTER PUMP FAILURE ... 6.1
6.1 SEQUENCE 2. INITIATING FREQUENCY ... 6.3
6.2 SEQUENCE 2. ACCIDENT PROGRESSION TO LOCA ... 6.4
7.0 SEQUENCE 3. LPCI FAILURE ... 7.1
7.1 SEQUENCE 3. INITIATING FREQUENCY ... 7.2
7.2 SEQUENCE 3. ACCIDENT PROGRESSION TO LOCA ... 7.3
8.0 BROWNS FERRY LOCA EVENT TREES TO CORE MELT ... 8.1
9.0 TRANSIENT SHUTDOWNS INDUCED BY CONTROL SYSTEM FAILURES ... 9.1
9.1 INTRODUCTION ... 9.1
9.2 CONTROL SYSTEM FAILURE CONTRIBUTION TO TRANSIENTS ... 9.2
9.3 CORE-MELT AND RISK REPRESENTED BY CONTROL SYSTEM INDUCED TRANSIENTS ... 9.3
10.0 VALUE/IMPACT ANALYSIS OF POTENTIAL CORRECTIVE FEATURES ... 10.1
10.1 SEQUENCE 1. HIGH LEVEL TRIP FAILURE ... 10.1
10.2 VALVE FAILURE CAUSING FEEDWATER INCREASE ... 10.7
10.3 INADVERTENT LPCI ACTUATION ... 10.8
10.4 VALUE/IMPACT SUMMARY ... 10.10
11.0 CONCLUSIONS ... 11.1
REFERENCES ... R.1

FIGURES

3.1 BWR/4 Reactor Vessel Instrumentation ... 3.2
4.1 Human Reliability Analysis Event Tree for Feedwater Overfill ... 4.3
5.1 Sequence 1 Overfill-Induced LOCA Frequency ... 5.5
6.1 Sequence 2 LOCA Event Tree ... 6.5
8.1 LOCA Systemic Event Tree for Large Steam Line Break (Browns Ferry) ... 8.2
8.2 LOCA Systemic Event Tree for Intermediate Steam Line Break (Browns Ferry) ... 8.3
8.3 LOCA Systemic Event Tree for Small Steam Line Break (Browns Ferry) ... 8.4

TABLES

S.1 Conclusions for Control System Failure Induced Core-Melt Frequency and Public Risk for the GE BWR ... v
S.2 Proposed Modifications to GE BWRs and Estimated Value/Impact ... vi
3.1 Pipe Failure Rates ... 3.3
3.2 Assumed Failure Rates for BWR Instrument Lines ... 3.3
3.3 INEL Initiating Frequency for Level Sensor and Switch Failure ... 3.6
3.4 Modified Initiating Frequency for Level Sensor and Switch Failure ... 3.7
3.5 Assumed Contribution of Level Sensor and Switch Failure to Initiation of Overfill Transients ... 3.8
3.6 Assumed Annual Initiation Frequency of Dominant Failure Modes for Overfill Transients ... 3.9
3.7 Assumed Annual Initiation Frequency of Dominant Failure Modes for Loss of High Trip ... 3.11
3.8 Estimated Initiation Frequency for Sequence 1 Events ... 3.12
4.1 Assumed Operator Error Information ... 4.2
6.1 Sequence of Events for Overfill Sequence ... 6.2
6.2 Sequence 2 LOCA Frequencies ... 6.7
7.1 Sequence of Events for Reactor Vessel Overfill Sequence 3 ... 7.2
7.2 Sequence 3 LOCA Frequencies ... 7.5
8.1 Browns Ferry Steam Line Break Frequencies ... 8.6
8.2 Assumed Distribution for Overfill Steam Line Break Frequencies ... 8.6
8.3 Core Melt Sequence Frequencies ... 8.7
8.4 Assumed Containment Failure Probabilities and Man-Rem/Event ... 8.8
8.5 Core Melt and Risk Due to Sequence 1 BWR Overfill-Induced LOCAs ... 8.9
9.1 Browns Ferry Data on Transient Frequencies ... 9.1
9.2 Browns Ferry PRA Results for Transient Core-Melt ... 9.3
9.3 Core-Melt Frequency and Risk for Control Failure Induced Transients ... 9.4
10.1 Possible Configurations for Level Transmitters (LT) ... 10.4
10.2 INEL Estimate Feedwater Overfill Frequencies for Different Level Transmitter Configurations ... 10.4
10.3 Proposed Modifications to GE BWRs and Estimated Value/Impact ... 10.11
11.1 Conclusions for Control System Failure Induced Core-Melt Frequency and Public Risk for the GE BWR ... 11.4

CONTROL SYSTEM FAILURE AND TRANSIENT OVERFILL IN BWRS

1.0 INTRODUCTION

The purpose of this analysis is to evaluate the risks of core damage or core-melt associated with control system failure and vessel overfill in BWRs, estimate the effective risk reduction represented by possible design modifications, and provide value/impact ratios for these proposed modifications to provide input into the NRC regulatory process for final resolution of the A-47 unresolved safety issue (USI).

To accomplish this, transient overfill sequences identified in a previous project (S.J. Bruske et al., "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor", FIN No. A6477, July 1984) have been examined and incorporated into accident sequences which may impact the condition of the core.

Because the INEL analysis stopped at onset of overfill, it was necessary to define possible scenarios for progression of the transient. Event sequences were defined that could lead to equipment damage and the potential for partial or total loss of function of selected safety systems such as the high pressure core injection (HPCI) or automatic depressurization system (ADS).

To be of major safety concern, the transient overfill accident must at some point make a transition from an overfill to an underfill accident such as loss-of-coolant or main steam line break (MSLB) that could lead to core damage or melting. The overfill transient must then be accompanied by damage or unavailability in systems that would be called on for reactor coolant supply, depressurization, and/or decay heat removal.

The major damage mechanisms that could lead from overfill to a MSLB are assumed to be associated with entrained water in the steam lines leading to possible water hammer, and pipe failures that could result from the static loads caused by water collecting in the steam lines. The water hammer and vibrations of two phase flow might then interfere with valve operation or cause outright damage or pipe breaks.

Given the uncertainty in the potential for pipe damage in an overfill transient, a high probability of MSLB given overfill has been assumed for this report. This can be updated as more specific information concerning the dynamics of overfill becomes available.

In addition, the overfill events have been treated as initiators for transient shutdown. Both the MSLB and transient initiators are carried through to core-melt.

Finally, several modifications have been postulated to correct for the identified control system failures. The cost of implementing such modifications is estimated, along with an estimate of the reduction in plant risk associated with improved system performance. The results are presented as a value/impact ratio.

2.0 APPROACH

Overfill transients are the initiating events of interest in this analysis.

Failure rates for the systems identified by INEL will be translated into failure frequencies on a per reactor year (py) basis.

Typically, no credit for operator recovery is given in the formulation of risk event trees. However, because the initiating events deal with control systems that are under the normal control of the operator, it is thought to be credible to include a consideration of the potential role of the operator in recognition of the transient and recovery. To accomplish this, consideration will be given to the indications available to the operator at initiation of the transient and as it progresses. This will include positive as well as conflicting readings that could lead to operator error. An estimate will then be made as to the probability of operator recognition and correct response.

The response of the reactor system to the postulated initiating event will then be examined in detail to determine the various readings, annunciators, and alarms available to the operator for interpretation of the transient.

MSLB Event Tree

As mentioned above, the sequence must at some point make a transition to a loss-of-cooling event for this issue to impact public safety. The approach used here will be to use the dominant accident sequences and system response identified in the Browns Ferry PRA (Interim Reliability Evaluation Program, NUREG/CR-2802, July 1982). This study concluded that the risks due to pipe break were dominated by breaks occurring inside of containment. Breaks outside of containment were assumed to have essentially the same occurrence frequency, but would then require independent failures of the MSIVs. In this analysis however, water in the steam lines might compromise the performance of the MSIVs. The response of the MSIVs to water flow must, therefore, be examined here.

Accident Sequences of Interest

The initiating events of interest for this examination are those developed by INEL (S.J. Bruske et al., "Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor," FIN No. A6477, July 1984, p. 44). These include the following:

Sequence 1. Level Indicator and High Level Trip Failure Causing Feedwater Increase
Sequence 2. Valve Failure Causing Condensate Flow
Sequence 3. False Start of the LPCI

A more specific examination of the initiators for these sequences follows.

3.0 SEQUENCE 1. LEVEL INDICATION AND HIGH LEVEL TRIP FAILURE

Sequence 1 identified by INEL will now be examined in more detail. The following initiators were identified by INEL as control system failures resulting in a feedwater increase to the reactor vessel and loss of high level trip:

Initiator a: A leak or rupture of the variable leg of the water level sensing line that is common to two of the three reactor vessel water level sensors.

Initiator b: A common cause failure of two of the three level sensors or sensor circuitry.

Initiator c: Independent failure of two level sensors or sensor circuitry.

Initiator d: A failure in the control circuit that regulates the feedwater pump speed and failure of two out of three high level trips.

Note that the last two initiators involve independent failures, and were assumed by INEL to be negligible in comparison to the first two. The overall median frequency for sequence 1 calculated by INEL was 6.5E-03/py, with an upper bound of 3.0E-02/py.

3.1 SYSTEM CONFIGURATION

For sequence 1, it was assumed by INEL that the plant is at 68 percent power, and the reactor level control is in automatic level control.

The BWR/4 can be operated under one element control using water level in the vessel, or under three element control using level, feedwater flow and steam flow as the major parameters, with level providing an error correction function.

It will be further assumed that the system is in the three element control mode, with the control selection switched to the A channel. This is the typical configuration for automatic operation. The individual initiators will now be examined.

3.2 DISCUSSION OF SEQUENCE 1.a

The feedwater system of a GE BWR/4 makes use of three level transmitters LT(A), LT(B), and LT(C), with LT(A) and LT(C) being on one 2-inch instrument line, and LT(B) being on a separate 2-inch line. This is in reference to the configuration shown in Figure 3.1.

[FIGURE 3.1. BWR/4 Reactor Vessel Instrumentation. Diagram not reproduced; its legend reads: LIS, Level Indicating Switch; LITS, Level Indicating Transmitting Switch; LIS 3-56A-D, trip recirc pump, close MSIVs; LIS 3-203A-D, scram, primary containment isolation, HPCI and RCIC turbine trip; LIS 3-208A-D, HPCI and RCIC turbine trip. The drawing also shows the Yarway temperature compensating column, condensing chambers, vessel zero, the auto blowdown interlock, feedwater controls, and the 3-62 LITS/LT/LR instruments on the lower tap.]

A leak or rupture of the 2-inch instrument line for the variable leg of level sensors LT(A and C) could occur on the pipe run in the drywell, or on its further extension into the Reactor Building. Note that a rupture in the drywell could result in steam release and a high pressure indication that could start HPCI. This would produce a reactor scram, but could also aggravate the overfill transient by adding HPCI water flow to the feedwater flow. The HPCI high trips are also located on the same instrument line as the LT(A and C) sensors, and thus might also be defeated with line rupture.

A rupture in the reactor building or leak anywhere along the run, however, may produce no immediate isolation signal. For the purposes of this examination, the failure frequency of both a pipe leak and rupture will be considered, along with the system response.

3.2.1 Failure Rate Information for Sequence 1.a

The failure rates of interest are then the pipe leakages or ruptures, common cause and independent failures for two out of three level sensors, and failure of the control circuit.

The failure rates given by INEL will be used here. These are as follows:

TABLE 3.1. Pipe Failure Rates

| Failure | Failure Rate | Error Factor | Source |
|---|---|---|---|
| Weld Leakage | 3.0E-09/hr | 10 | WASH-1400 |
| Pipe Rupture | 1.0E-09/hr | 10 | NREP Data |

The pipe rupture failure rate was further given as the rate per 12 foot section of pipe, less than 3 inches in diameter. The error factor of 10 is assumed to apply directly to an upper bound estimate. Assuming 24 hours per day and twelve welds (as did INEL) and 12-foot sections for the variable leg on the yarway back to the reactor vessel, the annual frequency then becomes

TABLE 3.2. Assumed Failure Rate for BWR Instrument Line

Failure         Frequency      Upper Bound Frequency
Weld Leakage    3.2E-04/yr     3.2E-03/yr
Pipe Rupture    1.1E-04/yr     1.1E-03/yr
Total           4.3E-04/yr     4.3E-03/yr

3.2.2 System Response to Sequence 1.a

The three level transmitters provide input into a feedwater trip logic unit that uses a 2 out of 3 indication. If the vessel level increases to level 8 (+55 in.), a trip signal is sent. In addition, a summation network compares the (A-B), (B-A), and (B-C) signals. A difference or deviation of 2 inches between the compared levels results in a level failure annunciator alarm in the control room.

The feedwater control system requires a signal selection from transmitter LT(A) or LT(B). This signal is used by the feedwater control circuit. It also provides an additional high water level alarm (level 7, +40 in.) and low alarm (level 4, +40 in.), a low level 4 trip for the recirculation control system and feedwater pumps, and a low level 3 (+10 in.) signal to bring the recirculation pumps to slow speed.

Sequence 1.a requires a leakage or rupture of the line with LT(A and C). Line rupture would result in a loss of all pressure on the variable leg side of the level transmitters, resulting in the immediate loss of the high level feedwater trip function (2 out of 3 needed). Assuming that the steam condensation rate in the yarway column remained constant, a leak would also result in a falling level reading, and likely loss of the high feedwater trip rather than reaching a new equilibrium at a false low reading.

Leakage or rupture would then result in the following:

o Falling or off scale low readings for LT(A) and LT(C) on normal level range.
o Signal for increased feedwater flow.
o Loss of high level feedwater trips on LT(A and C) level channels.
o Signal for interlock on recirculation pump speed (less than 75 percent rated flow) on low level channel A.
o Scram signal on RPS channel A (half scram) on low level from level indicating switches (LIS) 203-A and 203-B (note that the logic requires 1 out of 2 twice, so no RPS scram occurs).
o Loss of high level trip for HPCI and RCIC due to line break and low signal from switches 208-A and 208-B.

Note again that line rupture in the drywell is possible, but is thought to result in scram and MSIV closure before overfill and any other associated system damage could occur. Steam flow to the feedwater turbine would also be terminated with closure of the MSIVs. Sequences which progress to spillover without the initial MSIV closure signal are thought to present the more serious chance for steam line break, and are thus considered here.

3.2.3 Sequence Results for Sequence 1.a

The net result for the estimated frequency of occurrence for sequence 1.a then becomes 4.3E-04/yr, with an upper bound of 4.3E-03/yr as was given in Table 3.2.

3.3 DISCUSSION OF SEQUENCE 1.b

As with sequence 1.a, sequence 1.b also deals with a common mode failure of two out of three indicators. In this case, however, shocks to the system that cause low readings and initiate feedwater flow are of interest. Note that in addition to the pipe leaks and ruptures discussed in 1.a, other sources of common mode failure could include maintenance errors (valving out lines) and calibration errors. However, such errors would be detected during reactor startup with a high level of certainty, and thus are not likely to be of concern here. As a result, PNL agrees with the consideration of shocks as the more dominant common mode failure mechanism (in addition to the pipe rupture considered in 1.a).

3.3.1 Failure Rate Information for Sequence 1.b

The INEL report presented formulas for common failure from shocks, based on the information in NUREG/CR-3289, "Common Cause Failure Rates for Instrumentation and Control Assemblies," May 1983. NUREG/CR-3289 presented values for the rate at which a specific set of size k assemblies would fail simultaneously in a population of assemblies. However, in the BWR/4 the sensors and switches are in pairs isolated on separate instrument lines. This was not modeled in the INEL calculations. It is uncertain if like sensors on a separate 2-inch instrument line are in fact part of the same population subject to the same shock rates. It is conservative to assume that the shocks are in fact common across instrument lines.

In the BWR/4 two level transmitters (LT) share one 2-inch instrument line, with another on a separate line. These are designated LT(A) and LT(C) on one line, and LT(B) on the other. LT(A) is the controlling feedwater level transmitter in automatic mode. As correctly modeled by INEL, only the LT(AB) and LT(AC) failures will result in feedwater increase and loss of the high level trip. An LT(CB) failure would cause loss of the high level trip, but would not initiate the feedwater increase.

In addition, it is thought that the high level reactor scram, HPCI/RCIC, and isolation function associated with the level indicating switches (LIS 3-203 A through D) must be defeated if water is to spill past the MSIVs. This does not provide a feedwater trip directly, but early closure of the MSIVs would block steam flow to the feedwater turbine, effectively ending the overfill sequence. In the Browns Ferry BWR/4 two LISs (A and B) operate on safety channel 'A' and share the same 2-inch instrument line with LT(A) and LT(C). The two other switches, LIS(C) and LIS(D), operate on safety channel 'B', being plumbed on the 2-inch instrument line shared with LT(B). Failure combinations that would defeat the one-out-of-two-twice trip function include LIS(AB), LIS(CD), LIS(ACD), LIS(BCD), LIS(ABC), LIS(ABD), and LIS(ABCD). The INEL calculations considered four pairs of two sensors. However, only two pairs are associated with this scram. Another two pairs of LISs on the same instrument lines provide another high level trip for the HPCI and RCIC steam driven turbines.

To initiate the sequence, the common shock must satisfy the following fault tree logic of failures: [LT(AC) or LT(AB)] and [LIS(AB) or LIS(CD) or LIS(ACD) or LIS(BCD) or LIS(ABC) or LIS(ABD) or LIS(ABCD)].

The INEL report then gave the following estimate of initiating the feedwater transient with loss of the high trip, and losing the 1-out-of-two-twice high trip from the level switches:

TABLE 3.3. INEL Initiating Frequency for Level Sensor and Switch Failure (NUREG/CR-3289)

Component      Failure Mode       Point Estimate   Upper Bound
Level Sensor   Inoperable         2.6E-07/hr       x 3.5
               Reduce capacity    3.1E-07/yr       x 5.2
Level Switch   Inoperable         1.8E-07/hr       x 8
               Reduce capacity    1.2E-06/hr       x 7

These values will be used for comparison, examining the system configuration and response more closely. As correctly modeled by INEL, only the LT(AB) and LT(AC) failures will result in feedwater increase and loss of the high level trip. As mentioned above, however, LT(B) is on a separate 2-inch line, and not likely subject to the same shocks; thus the failure rate for an LT(AB) pair failure would be expected to be lower than for an LT(AC) failure. Discussions with INEL (Corwin Atwood) in reference to the assumed instrumentation fault rates (NUREG/CR-3289) indicate that the rate of shocks across instrument lines could be an order of magnitude lower. As a result, the LT(AC) failure alone is likely dominant.

The same argument applies to the level indicating switches. Of the failures given above that could cause loss of the one-out-of-two-twice scram, only the LIS(AB) and LIS(CD) failures would be confined to a common shock in an instrument line. And of these two, only the LIS(AB) failure is on the same instrument line as the likely dominant LT(AC) failure.

It is thus thought that the formula and correction factors used by INEL to estimate the rate of failure of this trip (four pairs of two sensors) is likely high by a significant margin. The most frequent failure sufficient to initiate the sequence of interest is then a common shock to the one instrument line causing failure of LT(AC) and LIS(AB). Other failures which initiate the sequence of interest are possible, but are thought to be significantly less likely. The LT(AC), LIS(AB) failure due to common shock will be used here to arrive at a 'best estimate' of the initiating event frequency, then corrected by an appropriate factor to reflect the non-dominant sequences.

The data in NUREG/CR-3289 is given below for the failure rate of a specific pair of sensors, corrected for lethal shocks as in INEL FIN NO. A6477, p. 49.

TABLE 3.4. Modified Initiating Frequency for Level Sensor and Switch Failure (NUREG/CR-3289)

Component      Failure Mode       Point Estimate   Upper Bound
Level Sensor   Inoperable         1.58E-07/hr      1.18E-06/hr
               Reduce capacity    2.75E-07/hr      9.28E-07/hr
Level Switch   Inoperable         8.5E-08/hr       3.9E-07/hr
               Reduce capacity    4.16E-07/hr      2.2E-06/hr

A more detailed look at the possible failure modes of the transmitters and switches will now be necessary.

3.3.2 System Response to Sequence 1.b

The above probabilities only give a gross indication of the possible failure combinations in the level control system. A level sensor can fail (inoperable) anywhere within its operating range as a result of shock. The system response is then very dependent on the false reading after failure. From the point of view of feedwater control, the level transmitters could become inoperable in any one of five conditions: failing as is, up scale, high scale, down scale, or low scale. Here, 'high' would mean above the high trip point (54 inches), and 'low' would mean below the low alarm point (10 inches). The INEL analysis did not specify the failure mode of the level transmitters. However, it can be seen that the controlling transmitter (A) must fail in the down scale or low position to initiate a feedwater increase. Indications from PNL experience with reactor operation and operator training are that the transmitters can and do fail in any position.

For a common mode failure of the two level transmitters LT(AC), the 5 failure modes given above then result in 25 possible failure combinations. However, as indicated above, only 10 combinations would result in feedwater increase (i.e., LT(A) indicating down scale or low, LT(C) indicating anything). In addition, a high LT(C) indication would not defeat the 2-out-of-3 high level trip, as a high indication from LT(B) on overfill would provide the second signal for scram.

(Note that two low readings from the feedwater level transmitters would not initiate isolation or safety injection, this being the function of other level switches.)

As a result, only a portion of the possible inoperable failures for two level sensors would provide the necessary conditions for overfill and loss of trip function. If all failure modes are assigned equal probability, only 8/25 or 0.32 of the possible failures produce the conditions of interest. The shock rate for initiating the sequence would then have to be multiplied by the 0.32 factor.

By the same argument, reduced capacity failures imply a scale drift to a faulty high or low reading which still changes with changing water level. For this to be an initiating event and knock out two high trips, both LT(A) and LT(C) must drift down scale. If LT(C) drifts up scale it will indicate a high reading earlier than normal, and with LT(B) would give the high scram signal.

In addition, the drift down scale must be of sufficient magnitude that a new high trip signal is not initiated as water approaches the steam lines. The difference between the water height at the steam lines (658 inches) and the high trip (+54 inches above the vessel instrument zero of 528 inches, or 582 inches) is 76 inches, implying that the down scale drift must be at least 76 inches for a reduced capacity failure to block the high trip before overfill occurred. This would require a level reading of 54" - 76", or -22 inches below normal instrument zero. A low alarm would sound, but no trip would occur with the level sensors alone.

If only the first order LT(AC) failure is considered, it is apparent that only one of four possible up/down scale failure combinations meets the above criteria: that is, a down scale failure of both LT(A) and LT(C) with both reading at or below -22 inches. Assuming an equal probability between up and down scale drift, and that a down scale drift would be to at least -22 inches, it is thought here that the reduced capacity failure rate for the level sensors should be decreased by a factor of 0.25.

For the level indicating switches, inoperable failure implies loss of function. The rate given above needs no correction.

For reduced capacity of the level indicating switches, they also could be subject to up or down scale drifts of the trip set point as their likely reduced capacity response to a common shock. Like the level sensors, it is thought that the drift must again be down scale (and by at least 76 inches) for the dominant LIS(AB) failure to defeat the high trip function. The reduced capacity rates for switches could then also be reduced by a factor of 0.25.

The net result of this consideration for failure rates is given below in Table 3.5, incorporating the appropriate correction factors developed above. The upper error bounds were left unmodified.

TABLE 3.5. Assumed Contribution of Level Sensor and Switch Failure to Initiation of Overfill Transient

Component                   Failure Mode       Point Estimate   Upper Bound
LT(AC) Fails Down or Low    Inoperable         5.06E-08/hr      3.78E-07/hr
                            Reduce capacity    6.88E-08/hr      2.32E-07/hr
LIS(AB) Fails Down or Low   Inoperable         8.5E-08/hr       3.9E-07/hr
                            Reduce capacity    1.04E-07/hr      5.5E-07/hr

To arrive at the common mode failure rate for both the level transmitters and switches, the values above cannot simply be multiplied together as with a logic 'and' gate, even though both failures are required for the sequence.

Because a common cause failure mode is assumed, the bounding case for the point estimate is to simply assume that the larger failure rate of the two represents the rate of the common mode failure. The larger upper bound will be taken as well. This is highly conservative, but will be used here as a first estimate.


This has been done below, and the rates have also been converted by an assumed (24 hrs / day)(365 d/yr) = 8760 hrs /yr to get the annual frequency.

TABLE 3.6. Assumed Annual Initiation Frequency of Dominant Failure for Overfill Transient

Failure Mode       Point Estimate   Upper Bound
Inoperable         7.45E-04/yr      3.42E-03/yr
Reduced capacity   9.11E-04/yr      4.82E-03/yr
Total              1.66E-03/yr      8.54E-03/yr

Again this failure frequency represents an estimate of the dominant sequence only, involving LT(AC) and LIS(AB). All other combinations of failures that could also initiate the feedwater increase and fail the high level trips require shocks across separate instrument lines. These are again thought to be at least an order of magnitude less frequent. However, referring back to the discussion of possible failure combinations, there are 13 others involving the level transmitters and switches that could achieve the necessary combination of failures. As a result, it will be assumed that the non-dominant failure modes contribute at least as much to the total common mode failure frequency as the dominant LT(AC), LIS(AB) failure. The estimates given above will then be multiplied by 2 to reflect this.

The final estimate for the common mode failure of the feedwater level transmitters and level indicating switches in such a fashion as to cause feedwater increase and loss of high level trips is then 3.3E-03/yr, with an upper bound of 1.7E-02/yr.

3.4 DISCUSSION OF SEQUENCE 1.c

Sequence 1.c is the independent failure of two level sensors or sensor circuitry. INEL indicated that the contribution from this term is likely insignificant. This is reviewed here.

The presentation of sequence 1.b gave not only the necessary level transmitter failure combinations, but also the failure modes necessary to lead to an overfill. In this case, the failure rates are assumed to be independent.

Independent failure rates for individual sensors are likely in the range of 1E-06/hr to 1E-07/hr. Even if the highly conservative failure rate of 1E-05/hr is used, it is highly unlikely that one LT fails and then another fails within the eight hour window between calibration checks. This can be quickly verified as given below.

If it is again assumed that LT(C) or LT(B) fails inoperable (anything but high scale, which is 4 out of 5 possible failure modes) or reduced capacity (low scale, or 1 out of 2 possible failure modes), and the probabilities for these failure modes are again assumed to be equal as in sequence 1.b, a highly conservative estimate of this failure rate is then 2 x (1E-05/hr)(8760 hrs/yr)(4/5 + 1/2) = 0.23/yr.

However, the LT(A) failure (down scale or low) must then occur within an eight hour window between calibration checks of the level indicator. The LT(A) failure can then occur as inoperable (down scale or low, or 2 out of 5 possible modes), or as reduced capacity (down scale, or 1 out of two failure modes), for a total frequency of (1E-05/hr)(8 hrs)(2/5 + 1/2)(2.28/yr) = 1.66E-05/yr. In addition, the level indicating switch high trip must be failed, with the simplest independent failure being LIS(A) and LIS(B). This would further reduce the frequency above, making this contribution of independent failures to the overfill problem insignificant.


If a failure in the LT(A) transmitter is assumed to initiate the feedwater increase first, the available window for failure of LT(C) or LT(B) becomes even shorter, on the order of minutes instead of hours. The likelihood of this would thus be less than that calculated above.

There are also independent failures that could cause loss of high trip given the failure of the feedwater control circuit, designated here as F(CC). To get overfill, this would require:

o Failure of F(CC) and failure of LT(A) up scale or as is, and LT(B) or LT(C) (inoperative: anything but high scale; reduced capacity: low scale), and loss of the high level switch trips: [LIS(A and B) or LIS(C and D) or LIS(A and C and D) or LIS(A and B and C) or LIS(A and B and D) or LIS(A and B and C and D)].

or

o Failure of F(CC) and LT(B) and LT(C) (inoperative: anything but high scale; reduced capacity: low scale), and loss of the high level switch trips: [LIS(A and B) or LIS(C and D) or LIS(A and C and D) or LIS(A and B and C) or LIS(A and B and D) or LIS(A and B and C and D)].


Even if some of these failures were caused by a common mode failure such as a pipe rupture or shock as was presented earlier, one independent failure would still significantly reduce the frequency of the events. The entire sequence 1.c is thus thought to be insignificant compared to 1.a and 1.b.

3.5 DISCUSSION OF SEQUENCE 1.d

Sequence 1.d calls for a failure of the control circuit that regulates the feedwater pump speed, and a failure of two out of three water level trips.


Letting F(CC) represent the failure of the feedwater pump speed control circuit, the following failures could initiate the sequence:

o F(CC) and common mode failures of 2-out-of-three LT and 1-out-of-2-twice LIS high level trips.

o F(CC) and common mode failures of the LT trips, and independent failures of the LIS trips.

o F(CC) and independent failures of the LT and LIS trips.

The first sequence given is likely the more important, requiring fewer independent failures than the other two. Note that the most likely common mode mechanisms for failing the LT and LIS have already been presented in sequences 1.a and 1.b. Given the F(CC) failure to initiate feedwater increase, other combinations of LT failure could now be included here as sufficient to cause loss of the 2-out-of-3-twice high level LT trip. This would now include LT(CB) failures which were deleted before, having no impact on feedwater control.

As before, the most important sequences would likely involve failure due to common shock on the same instrument lines. This again would be failure of LT(AC) and LIS(AB). Note, however, that given the feedwater control circuit failure, failure modes for LT(A) which were rejected in sequence 1.b as not causing feedwater increase can now be included here. For inoperable failures, LT(A) can now fail as is or up scale. Both LT(A) and LT(C) still cannot fail high. This indicates that 16 out of 25 possible failure combinations for LT(A) and LT(C) are now possible. For reduced capacity of level transmitters, it is still thought that they must drift down scale to avoid eventually reaching a high level trip. Likewise, the consideration of failure modes for the level switches would not be modified from the discussion in sequence 1.b.

The new estimate for the rate of acceptable LT(AC) failures is then (from Table 3.4) (16/25) x (1.58E-07/hr), or 1.01E-07/hr with an upper bound of 7.55E-07/hr. Assuming as was done for sequence 1.b that the larger failure rate between the LT and LIS failures constitutes the common mode failure rate, the assumed initiating frequency for the trip failures for this sequence then becomes as shown in Table 3.7 below.

TABLE 3.7. Assumed Annual Initiation Frequency of Dominant Failure for Loss of High Trip

Failure Mode       Point Estimate   Upper Bound
Inoperable         8.86E-04/yr      6.62E-03/yr
Reduced capacity   9.11E-04/yr      4.87E-03/yr
Total              1.80E-03/yr      1.14E-02/yr

Doubling this as before to account for non-dominant sequences then gives an estimate of the loss of high trip signals of 3.6E-03/yr with an upper bound of 2.3E-02/yr. The failure rate for this portion of the required sequence is thus slightly larger than the whole of sequence 1.b.

This sequence then requires an independent failure of the feedwater control circuit. Assuming it is as frequent as 0.1/yr, which is considered conservative, the entire sequence frequency could be on the order of 1.8E-04/yr.

However, the control circuit failure or the common shock causing the loss of the trips would actually have to occur during an eight hour window between calibration checks. One failure occurring first would also alert the operator to failures in the feedwater control, unless the LT failures were further confined to failures-as-is to avoid the level failure annunciator. The narrow time window actually available for the independent failures to occur would then give a feedwater failure rate on the order of (0.1/yr)/(1 yr/365x24 hrs), this being 1.1E-05/hr, or a probability of 9.1E-05 in an 8 hour window.

The frequency of the two required failures would then be on the order of (1.8E-03/yr)(9.1E-05) = 1.6E-07/yr. As expected, sequence 1.d is thus thought to be insignificant compared to 1.a and 1.b.
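As an added worked example (not code from the PNL report or from INEL), the following Python reproduces the screening and combination steps of Sections 3.3 through 3.5: the 8/25 and 16/25 failure-mode fractions for LT(AC), the larger-rate common-mode combination of Tables 3.5 through 3.7, the doubling for non-dominant sequences, and the independent-failure estimates for sequences 1.c and 1.d. The rates are the report's; the failure-mode names and function names are ours.

```python
"""Added worked example (not PNL or INEL code). Reproduces the failure-mode
screening and common-mode frequency derivation for the dominant LT(AC)/LIS(AB)
failure (sequences 1.b and 1.d) and the independent-failure estimates (1.c, 1.d).
Rates are the report's; mode names and function names are ours."""
from fractions import Fraction
from itertools import product

HOURS_PER_YEAR = 24 * 365  # 8760 hr/yr, as assumed in the report

# The five positions in which a level transmitter can fail inoperable (Section 3.3.2).
LT_MODES = ("as_is", "up_scale", "high", "down_scale", "low")

# Table 3.4: NUREG/CR-3289 rates corrected for lethal shocks, (point, upper bound) per hour.
TABLE_3_4 = {
    ("LT", "inoperable"): (1.58e-07, 1.18e-06),
    ("LT", "reduced"): (2.75e-07, 9.28e-07),
    ("LIS", "inoperable"): (8.5e-08, 3.9e-07),
    ("LIS", "reduced"): (4.16e-07, 2.2e-06),
}

# Reduced-capacity (drift) failures: both devices must drift down scale by at least
# 76 inches, and up/down drift is taken as equally likely, hence the factor 1/4.
REDUCED_CAPACITY_FACTOR = Fraction(1, 4)


def lt_ac_inoperable_fraction(control_circuit_failed: bool) -> Fraction:
    """Fraction of the 25 LT(A)/LT(C) inoperable combinations that give overfill
    with loss of the 2-out-of-3 high trip. In sequence 1.b the feedwater increase
    must come from LT(A), so LT(A) must read down scale or low; in sequence 1.d
    F(CC) drives feedwater, so LT(A) may also fail as-is or up scale. In neither
    case may either transmitter fail high: LT(B) would supply the second trip."""
    count = 0
    for a, c in product(LT_MODES, repeat=2):
        if a == "high" or c == "high":
            continue
        if not control_circuit_failed and a not in ("down_scale", "low"):
            continue
        count += 1
    return Fraction(count, len(LT_MODES) ** 2)  # 8/25 for 1.b, 16/25 for 1.d


def corrected_hourly_rates(control_circuit_failed: bool) -> dict:
    """Table 3.5-style rates: Table 3.4 scaled by the fraction of failure modes
    that actually produce overfill with loss of trip."""
    lt_fraction = lt_ac_inoperable_fraction(control_circuit_failed)
    scaled = {}
    for (component, mode), (point, upper) in TABLE_3_4.items():
        if mode == "reduced":
            factor = REDUCED_CAPACITY_FACTOR
        elif component == "LT":
            factor = lt_fraction
        else:
            factor = Fraction(1)  # LIS inoperable is loss of function: no correction
        scaled[(component, mode)] = (float(factor) * point, float(factor) * upper)
    return scaled


def annual_initiation_frequency(control_circuit_failed=False, nondominant_factor=2):
    """Tables 3.6 / 3.7 and the doubled final estimate, in /yr. One shock is assumed
    to fail both LT(AC) and LIS(AB), so the rates are not multiplied as an AND gate;
    the larger of the two is taken. The total is then doubled to cover the 13
    non-dominant combinations that need shocks across instrument lines."""
    rates = corrected_hourly_rates(control_circuit_failed)
    result = {}
    for mode in ("inoperable", "reduced"):
        point = max(rates[("LT", mode)][0], rates[("LIS", mode)][0]) * HOURS_PER_YEAR
        upper = max(rates[("LT", mode)][1], rates[("LIS", mode)][1]) * HOURS_PER_YEAR
        result[mode] = (point, upper)
    total = (result["inoperable"][0] + result["reduced"][0],
             result["inoperable"][1] + result["reduced"][1])
    result["total"] = total
    result["final"] = (total[0] * nondominant_factor, total[1] * nondominant_factor)
    return result


def sequence_1c_frequency(independent_rate_per_hr=1e-05, window_hours=8.0):
    """Sequence 1.c: two independent transmitter failures inside one calibration
    window. Returns (rate of the first failure /yr, full sequence /yr)."""
    # LT(C) or LT(B) first: inoperable anything but high (4/5) or reduced capacity low (1/2).
    first_modes = Fraction(sum(m != "high" for m in LT_MODES), len(LT_MODES)) + Fraction(1, 2)
    # LT(A) second: inoperable down scale or low (2/5) or reduced capacity down scale (1/2).
    second_modes = Fraction(sum(m in ("down_scale", "low") for m in LT_MODES),
                            len(LT_MODES)) + Fraction(1, 2)
    first = 2 * independent_rate_per_hr * HOURS_PER_YEAR * float(first_modes)
    second = independent_rate_per_hr * window_hours * float(second_modes) * first
    return first, second


def sequence_1d_frequency(fcc_rate_per_yr=0.1, window_hours=8.0):
    """Sequence 1.d: trip-loss frequency (Table 3.7 total, as the report applies it)
    times the probability of an independent F(CC) failure within the same window."""
    trip_loss = annual_initiation_frequency(control_circuit_failed=True)["total"][0]
    return trip_loss * fcc_rate_per_yr / HOURS_PER_YEAR * window_hours
```

Passing control_circuit_failed=True switches the screening from the sequence 1.b rule to the sequence 1.d rule, so the same code yields Table 3.6 and Table 3.7 point estimates.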

3.6 SUMMARY OF SEQUENCE 1 OVERFILL INITIATING FREQUENCY

The estimated frequency of occurrence for sequence 1 is then summarized in the following table. These values do not yet include the probability of operator failure to halt the sequence before overfill begins, which will be discussed in the next section.

TABLE 3.8. Estimated Initiation Frequency of Sequence 1

Sequence       Frequency       Upper Bound Frequency
Sequence 1.a   4.3E-04/yr      4.3E-03/yr
Sequence 1.b   3.3E-03/yr      1.7E-02/yr
Sequence 1.c   -               -
Sequence 1.d   -               -
Total          3.7E-03/yr      2.1E-02/yr

This compares with the estimate made by INEL of 6.5E-03/yr, with an upper bound of 3.JE-02/yr. The PNL estimate of the initiating frequency is thus approximately 1/2 the INEL median estimate, even with a factor of 2 to account for non-dominant sequences. The difference is primarily due to the more detailed consideration of the specific failure modes required for the level transmitters and switches. However, the PNL estimate is well within the bounds given by INEL, and the agreement is considered quite good given the level of uncertainty. The INEL estimate will thus be used in the tabulations to follow.

Note that this compares to the overall frequency of feedwater increase at power of 0.2/yr experienced at BWRs (NP-2230, Anticipated Transients Without Scram (ATWS): A Reappraisal, EPRI, January 1982). This is about 50 times the frequency predicted here for feedwater increase with the loss of the high level trip.


4.0 SIGNALS AVAILABLE TO THE OPERATOR

This chapter will examine the signals available to the operator, and estimate the probability of operator termination of feedwater flow before a MSLB can occur. The level failure is assumed to occur, and then the feedwater transient begins to fill the vessel with no automatic trip of the feedwater pumps or scram of the reactor. However, further indications are available to the operator:

o Level failure annunciator in control room due to differential in level transmitter readings from A and B.
o Level A and C indicators will fall in unison, with recording of A.
o Level indicator for B will be in agreement with level indicators for Accident Range, Shroud Level Range, and Refueling Range indicators in control room.
o High/Low level alarm on low reading from A and C.

As steam quality begins to degrade, the automatic load following capability of the plant will also provide changing readings in the control room. This will culminate in water pouring into the steam lines, very likely with water hammer.

The possible sequence of events af ter water begins pouring down the steam lines will be developed later.


4.1 OPERATOR RESPONSE TO SEQUENCE 1.a

The operator is thought to most likely respond in one of several ways under these conditions: do nothing, allowing overfill; interpret the transient as a loss of coolant requiring safety injection and scram the plant; or recognize the level control failure and switch the feedwater control over to channel B. The probability of a correct response cannot be specified exactly, but it is thought that the system response and indicators above make it possible to assign a reasonable probability to the operator response.

The feedwater system is one that the operator uses routinely during plant startup, and malfunctions of the system do occur. Feedwater increase transients are also used routinely in operator training and testing programs. As a result, the operator is very likely to respond in some fashion to the initiator long before plant conditions begin to deteriorate. Based on the indications available, the operator will have a very good indication of a failure in the feedwater level transmitters. Utilizing the other displayed range indicators should provide a reliable indication that the failure has occurred in channel A.

If the operator then switches automatic feedwater control to B, the transient will end.

The major sequence analyzed by INEL involved a 125 percent feedwater overspeed with the reactor initially at 68 percent power, this increasing to 90 percent due to reactivity changes. This is assumed to be a worst case analysis.

The excess water input is thought to result in spillover into the steam lines in approximately 1 minute. At 100 percent power (1000 psig), such feedwater overspeeds would likely increase power and steam pressure to the high trip set point of 1055 psig. Only lower feedwater overspeeds would then be credible, thus giving more time available for operator action if the transient occurs at 100 percent power.

In discussions with licensed operator examiners at PNL, the initial feeling is that a 50 percent probability of correct operator action in this sequence is a fair estimate. For the purposes here, this will be further quantified as to operator recognition of a problem, the correct interpretation, and the correct action. The following guidelines were used in arriving at these values:

TABLE 4.1. Assumed Operator Error Information

Operator Requirement                                              Assumed Error Probability
Failure to:
  Respond Correctly to 1 Alarm                                    0.1
  Respond Correctly to More Than 1 Alarm                          0.99
  Respond Correctly to 1 Annunciator                              0.5
  Correctly Interpret given no Conflicting Indicators             0.1
  Correctly Interpret given Preponderance of Accurate Indicators  0.5
  Correctly Interpret given no Accurate Indicators                0.99

Note that the probability of operator failure to correctly respond to an alarm is assumed to be lower than for an annunciator. It was thought that with operator training, they would more likely respond in a correct fashion to an alarm when compared to a simple annunciator. The failure probability is then increased if conflicting signals are present. Note that error rates assumed in previous plant risk studies for operator action under high stress (i.e., in a MSLB accident sequence) are typically on the order of 0.1 as opposed to the 0.99 assumed here. The numbers in Table 4.1 are thus assumed to be conservative.

The resulting estimate for operator error is given in Figure 4.1, portrayed in the form of a human reliability analysis (HRA) event tree. Totaling up the failure branches then gives an estimated failure probability of the operator of 0.571. This compares favorably to the previous qualitative estimate of 0.5 made by operator training personnel.

4.2 SIGNALS AVAILABLE TO THE OPERATOR FOR SEQUENCE 1.b

As with sequence 1.a, an annunciator will light up indicating level indicator failure for all of the failure combinations considered. In addition, a possible low level alarm will sound if LT(A) falls low.


FIGURE 4.1. Human Reliability Analysis Event Tree for Feedwater Overfill (tree diagram not reproduced; branch probabilities and legend as given)

Branch probabilities: A = 0.5, a = 0.5; B = 0.5, b = 0.5; C = 0.9, D = 0.1; E = 0.1, e = 0.9; h = 0.9; g = 0.99, G = 0.01.

A - Operator fails to notice annunciator for level failure
B - Operator sees annunciator, but incorrectly interprets
C - No operator action, letting feedwater continue
D - Operator interprets falling level indicators as LOCA, responds with HPCI
E - Operator fails to notice lack of response of vessel level to continued feedwater flow
F - Failure and vessel overfill
G - Operator fails to notice lack of response of vessel level to HPCI and feedwater flow
H - Operator fails to switch feedwater level control to level transmitter B
S - Success and vessel overfill prevented

Lower case letters indicate correct operator action in the corresponding steps above.

4.3 OPERATOR RESPONSE TO SEQUENCE 1.b

For the purposes of this examination, the possible operator responses will be assumed to be as was discussed for 1.a, and depicted in Figure 4.1. The probability of the operator failing to halt the overfill is then 0.517.

The remaining sequences, 1.c and 1.d, were again considered negligible compared to those above.


5.0 SEQUENCE 1 ACCIDENT PROGRESSION TO MSLB

This accident scenario differs from a typical analysis of MSLBs in that the system initially suffers an overfill before the transition to a MSLB. The impact of the overfill on safety systems and their ability to respond later in the accident must then be examined before the Browns Ferry reliability values are used.

The first condition impacted by the overfill is degradation of steam quality. During the onset of the overfill accident, degrading steam quality will impact the performance of the turbine/generator set. There is no doubt that if the accident were to progress to spillover, the turbine would eventually suffer damage resulting in a turbine trip. However, the feedwater control logic is such that feedwater flow would still continue on the receipt of the low water level signal. Thus the turbine trip would not terminate the overfill scenario automatically.

The following observations concerning plant response can then be made:

1. Feedwater turbine damage and trip could occur due to moisture carryover before water begins falling into the steam lines, or shortly after. This would effectively end feedwater flow for the failures outlined in INEL sequence 1.
2. Main steam turbine damage could occur before water begins falling into the steam lines, producing a turbine trip and RPS SCRAM. Feedwater flow, however, would continue.
3. If water begins flowing down the steam lines during operation, the main steam turbine will be damaged, causing a turbine trip and a signal for closure of the stop valves. Feedwater flow would continue.
4. The potential exists for a MSLB to occur on the main steam lines due to water hammer at the same time as the turbine trip, or shortly after. The cooldown and collapse of steam is the major driving force for water slugs and hammer. A MSLB would generate an MSIV isolation signal on high temperature or pressure in the steam tunnel or drywell. This would generate another RPS SCRAM signal, if turbine trip has not already occurred.
5. It is thought that the potential for a water hammer induced MSLB is lessened in the case where turbine trip occurs before spill over begins. The reduced steaming rates after shutdown could be assumed to reduce the severity of steam collapse and any water hammer when spillover occurs some time after shutdown.
6. If a MSLB did not occur relatively immediately on overfill as in step 4, the overfill would then progress, assuming that the feedwater system is still operating. Static overfill of the steam lines could then cause a pipe break due to excessive load, generating an MSIV isolation signal with steam detected in the steam tunnel. However, the steam collapse and cooldown experienced would likely first generate a low steam pressure signal in the steam lines (less than 825 psi). This is again an MSIV isolation signal, but only when the reactor is in the 'run' mode. This would still be the case even following a turbine trip. The MSIV isolation signal is thus thought to likely occur before a static load failure could occur, further reducing the water flow beyond the MSIVs and limiting the static load experienced by the downstream piping. In any case, pipe break or not, an MSIV isolation signal would be generated. Note, however, that this is ineffective for breaks above the MSIVs. This will be discussed further below under vessel isolation.

Feedwater Turbine

The feedwater turbine in the reference Browns Ferry BWR/4 is a Terry Wheel Turbine, a one piece wheel specifically designed to be able to withstand water slugs that may occur during startup. However, operational experience indicates that the feedwater system is still among the most susceptible to damage (S.H. Bush et al., EPRI NP-2590-LD, p. S-3).

Reviews of recent information published on water hammer applicable to the feedwater turbine are contained in NUREG/CR-2781, Evaluation of Water Hammer Events in Light Water Reactor Plants, May 1982; NUREG-0993, Regulatory Analysis for USI A-1, Water Hammer, December 1983; EPRI NP-2590-LD, Water Hammer in BWRs, September 1982; and NUREG-0927, Evaluation of Water Hammer Occurrences in Nuclear Power Plants, March 1984. Indications are that PWRs have historically had more feedwater problems than BWRs, but both call out the feedwater system as being susceptible. Most are caused by steam/water entrainment or steam bubble collapse. It is uncertain if moisture carry over would be sufficient to cause feedwater turbine failure before water began spilling down the steam lines. At the point of spillover, damage would become more likely. Steam collapse and decreasing steam pressure would also impact the feedwater turbine performance.

For the purposes of this analysis, it will be assumed that the probability of feedwater turbine damage before a MSLB could occur is on the order of 0.1.

This then gives a 0.9 probability of the accident progressing. The upper bound of course is a 1.0 probability of the accident progressing; i.e., no feedwater turbine damage before spillover occurs.

Main Steam Turbine

The main steam turbine is more susceptible to damage than the simple feedwater steam turbine. The desire to protect the main turbine is well recognized in the plant design, and is one of the primary reasons for the high level feedwater trips. The turbine also has a protective trip for out-of-balance conditions that would indicate blade failures.


The potential for damage increases greatly under conditions of degrading steam quality. This is particularly true when the water level reaches the driers and moisture carry-over becomes significant. The INEL analysis indicates that steam quality could drop to the 60 percent region for some scenarios before spillover actually occurs.

As a result, the potential for preliminary turbine blade damage before water spillover begins is considered to be fairly high. In addition, the potential for massive turbine damage and plant shutdown at the point of spill-over is assumed to be essentially 1. This is because the turbine blades are thought to be highly susceptible to damage from steam bubble collapse and entrained water slugs. For the purpose of this examination, it will be assumed that there is a 0.1 probability that a turbine trip will occur before spill-over occurs. This is again based on engineering judgment.

Note, however, that the feedwater system would continue to attempt feedwater flow as long as no feedwater turbine trip or damage occurs. If the feedwater pumps are not tripped, the degrading steam quality associated with the filling steam lines would significantly reduce the performance of the steam driven feedwater turbine. This would slow progression of the accident, but not halt it.

Note also that in addition to the potential for turbine damage and trip, other indications of changing plant conditions will be available to the operator during this period. Primarily, the automated load following controls for the turbine and reactor will be required to respond to the changing conditions caused by the overfill. This includes reactor reactivity and power changes caused by a cool-down, and the turbine response to the degraded steam quality. For the purposes here, it will be assumed that no operator detection or response to these accident indicators occurs with the plant in automatic operation. Automatic operation is assumed to result in a more conservative estimate of the potential for operator intervention than manual control. Manual control is thought to assure that the operator would at least be near the appropriate panels, and would be more likely to see and correctly interpret the plant parameters displayed.

Main Steam Line Break

The next question is if a steam line break will occur. The major damage mechanisms are again assumed to be associated with entrained water in the steam lines leading to possible water slugs and hammer, or the static loads possibly caused by water collecting in the steam lines.

Although several events have been suspected of having overfill at power, there is no real experience for damage under these assumed full power conditions. Note, however, that several steam line water hammer incidents have occurred during startup (NUREG-0927, p. 2-24). In these cases the MSIVs were opened before proper warmup or draining of steam lines, resulting in condensation and liquid flow in the lines. In these cases the entrained water is thought to have impacted the turbine stop valve, resulting in water hammer.

Any water slugs forming would then likely be expected to generate impacts at pipe elbows and restrictions, but the end of the run is likely to receive the brunt of the energy. In this case, this would again be the main steam turbine, which would certainly suffer damage and again cause a reactor trip.


For this particular scenario, the problem will be aggravated at the onset of overfill by water being entrained in the steam flow, and collapsing steam shocks. The question is if the pipes will suffer damage from water hammer as the steam collapses and the lines begin to fill. A review of past experience in BWRs (S.H. Bush et al., EPRI NP-2590-LD, p. 21) indicates that pipe leaks have been primarily restricted to those less than 12 inches in diameter. There have been, however, cracks detected in larger pipes, likely due to IGSCC, which introduces a possible flaw subject to water hammer damage.

A consideration of the static loads was made for PWRs concerning the potential for steam line rupture on overfill following a steam tube rupture (A-47 Review, ENCLOSURE 2, Responses to Additional Questions from the ACRS Regarding SG Overfill, Draft, July 27, 1984). The conclusion was that for the plants examined, the static loads presented by steam lines full of water would not result in any failures. The stress levels would remain within the limits allowed by the ASME code. As a result, the conclusion was that the probability of failure of the main steam line due to overfilling and deadweight loading was not increased. Accordingly, the probability of failure was put at 1E-03/overfill event.

The indications are then that once spill-over occurs, damage to the turbine is highly likely. The probability of pipe damage during steam collapse is not known. If the accident progresses through this stage to one of simple overfill, the probability of pipe damage due to static load can be assumed to go down to 1E-03/event.

Estimate of MSLB Initiation

Two cases are then considered to be important in the progression of the accident: main steam turbine trip before spill over of water occurs, and no initial trip followed by spill over, turbine failure, and trip. The logic to be used is depicted in Figure 5.1. The initiating event frequency is shown, along with the assumed probability of operator error. The probability of feedwater turbine failure ending the sequence is then given, followed by the branch for main turbine trip.

For the first case, where main turbine trip causes SCRAM some time before spill over occurs, it will be assumed that the conditions driving water hammer are reduced. For this assumed less severe case where early shutdown occurs, the probability of a hammer induced MSLB will be put at 0.5. The probability of a static load failure due to continued feedwater flow is then put at 1E-03, for a total MSLB probability of 0.501. Given the assumption of a 0.1 probability of an early turbine trip before spill over, this results in an effective MSLB probability for this case of 0.05.

For the second case, it will be assumed that the conditions driving steam collapse and water hammer will be more severe if spill over occurs while the plant is operating at full power. The probability of a hammer induced MSLB will then be assumed to be 1.0. This conservative assumption can be updated as more information becomes available from Westinghouse. The contribution from static load induced failure is then ignored. When coupled with the assumption of a 0.9 probability that the turbine would not trip until spill over occurred, this gives an effective probability of MSLB of 0.9.


The net MSLB probability for the two cases is then 0.95. The assumed initiating frequency of MSLB is then 2.87E-03/py as shown in Figure 5.1. As more information becomes available on the response of plant systems to highly degraded steam quality and the potential for water hammer induced MSLB, these estimates can be updated.


6.0 SEQUENCE 2. CONDENSATE BOOSTER PUMP FAILURE

The second reactor vessel overfill sequence identified by INEL dealt with failures of the condensate booster pumps. Note that this sequence involves vessel overcool as well.

The three condensate booster pumps in the Browns Ferry reference design take suction off the filter/demineralizer outlet of the condensate system, and the pumps discharge to the low pressure feedwater heaters. Failures involving ... and discharge valves could align the system to deliver water to the reactor vessel. These pumps are motor driven, horizontal, centrifugal pumps with a capacity of 10,830 gpm each and a discharge pressure of 300 psig, and a shutoff head of approximately 350 psig.

The sequence initiators identified by INEL as the cause of booster pump failure to maximum flow include the following:

Initiator a: Any one of three motor operated feedwater pump discharge valves fails open, allowing an increased flowrate to the reactor vessel.

Initiator b: The air operated startup feedwater bypass valve used to regulate flow fails open, causing an increased flowrate to the reactor vessel.

Initiator c: The condenser bypass air operated valve used to recirculate the excess condensate flow back to the condenser fails closed, causing an increased flow rate to the reactor vessel.

The INEL analysis of initial plant response to these initiators assumed that the plant was in a startup mode, with the reactor power at 1 percent, reactor vessel pressure at approximately 270 psia, and the main steam isolation valves (MSIVs) closed. This was done primarily due to computer modeling limitations. With the MSIVs closed, mass flow in the system is severely restricted and the potential for water hammer and pipe breaks is thus highly unlikely. Breaks due to overcooling at such reduced temperatures and pressures are also unlikely.

For the purposes of this analysis, it will be assumed that the reactor power has increased to the point of opening the MSIVs, thus introducing a real potential for piping damage if overfill occurs. The sequence of events for reactor vessel overfill as postulated by the INEL is given below in Table 6.1.

TABLE 6.1. Sequence of Events for Overfill Sequence

Time, sec   Event Description
0.0         Startup operations. Reactor power is 1 percent, reactor vessel pressure is approximately 270 psia, and the main steam isolation valves (MSIVs) are closed. One condensate booster pump fails to maximum flow.
250.0       Steamlines begin to fill.
350.0       Steamlines are liquid full. Cooldown rate has exceeded 100°F/hr (cooldown limit).

Effects of Excessive Cooldown and Thermal Shock

Note that the failure of interest identified by INEL is not a steam line break directly, but that the cooldown rate of the primary system exceeds the technical specification limits. The question is then if this cooldown presents a significant potential for inducing vessel damage or rupture via thermal shock.

The INEL computer simulations of this cooldown scenario produced a cooldown rate on the order of 0.36°F per second, well in excess of the 100°F/hr allowed by the Technical Specifications. The INEL model was run with the MSIVs closed due to model limitations, with the implication that cooldown rates may actually be higher with the MSIVs open, as would be the case during startup. However, the model also assumed constant reactor power, where in fact the reactor would respond to the cold water injection with a power increase. Because of the conflicting effects on the cooldown, the INEL results will be assumed to be bounding until further information is available.

To model the potential for thermal shock induced failure of the vessel, a simulation code, VISA-A Computer Code for Predicting the Probability of Reactor Pressure Vessel Failure, NUREG/CR-3384 (Stevens et al., 1983), was run with the INEL cooldown parameters. This code was developed for PWRs, but conceptually can be applied to any pressure vessel. To run the code, a vessel beltline weld with 0.35% Cu and 0.65% Ni was assumed as representative, with a 1 MeV neutron fluence of 2.0E+18 neutrons per square centimeter. The code also contains assumptions on existing vessel flaws which may propagate during the scenario.

The code simply predicts a vessel failure probability of zero. Although the cooldown rates exceed Technical Specifications, the pressures involved are significantly below the design limits, so this answer is not unexpected. The real concern in thermal shock is the potential for overcooling while the vessel remains near its design limit (1250 psig operational, 1536 psig hydrostatic test limit for Browns Ferry). In PWRs, this potential exists because the primary system can be hydraulically solid with water. However, in a BWR, the system operates with a large steam void in the upper regions of the vessel. Excessive cooldown rates, even while at higher power levels than the 1% used by INEL here, are thus also accompanied by steam condensation and rapid pressure drop. The two conditions necessary for thermal shock failure of the vessel, high pressure and rapid cooldown, are thus not present at the same time, and the scenario is not of great concern in BWRs.

For this reason, the potential for generating a core-melt path directly as a result of vessel failure given the excessive cooldown must be set to zero at this time. Note, however, that a failure probability on the order of 1E-... would still be significant. Given the low ... the resulting core-melt frequency may be low compared to an overall core-melt ... the resulting core-melt frequency from the Sequence 1 chapter.

The potential for inducing a steam line break given the overfill scenario will be considered below.

6.1 SEQUENCE 2. INITIATING FREQUENCY

The initiating frequency of this sequence and its subsequent progression to a main steam line break (MSLB) are expected to be lower than that found for Sequence 1 examined previously. As a result, it is felt that a less detailed examination of the initiating frequency of this sequence is justified. For the purpose of this analysis, the original frequencies calculated by INEL will be used as a starting point. If the resulting core-melt frequencies are high enough, a more detailed examination of failure mechanisms can then be made.

The initiating frequency of the overall sequence was put at 8.2E-05/py, with an upper bound of 5.6E-03/py. This was not broken down by the three initiators above in the INEL report. It is assumed, however, that this value is primarily based on the accepted rate for failure-to-open-given-closed, or failure-to-close-given-open, of 3E-07/hr. This applies to air- and motor-operated valves. When the 192 hr/yr window for startup and shutdown is considered, the predicted failure rate becomes (3E-07/hr)(192 hr/yr) = 5.76E-05/yr.

Note, however, that for Initiator a, the feedwater discharge valves are normally closed during startup, with flow provided by the bypass valve. This proposed failure then requires a normally closed valve to fail open. The failure frequency is lower than that assumed above, implying as it does an inadvertent control signal to open, or an internal rupture of the valve.

For Initiator b, the feedwater regulating bypass valve of the BWR/4 is an air-operated valve with an air-to-close/spring-to-open feature. Loss of air supply pressure could be assumed to cause the valve to open. However, the BWR/4 incorporates a lock-up feature in case of loss of signal to the voltage/pneumatic converter (less than 1 ma), or loss of air supply (less than 75 psig). Either case will deenergize a solenoid valve which vents the air header of the valve positioner. Air lock valves in each line to the valve operator sense the loss of pressure and lock the air in the operator. Loss of air pressure then locks the valve as is ... to valve movement. The operator must reset the system after restoring the proper con... failure.


For Initiator c, a condenser bypass valve failure may initially increase the effective pressure from the booster pumps and flow through the front-end heater trains to the bypass control valve. However, all flow to the vessel is still through the bypass control valve. If the pressure increase is initially reflected as an increase in flow, the control circuit for the bypass valve will call for decreased flow. As a result, additional failures would be required in the control circuit to cause an overfill, and the frequency of this sequence is also thought to be lower than a simple valve failure.


Note, however, that this frequency includes an estimate of the time per year that the reactor is at or under the output pressure of the condensate booster pumps. This occurs for only a relatively short period of time during startup. Once vessel pressure exceeds 350 psig, the booster pumps do not have sufficient pressure output to put water into the vessel, and the accident is no longer credible.

6.2 SEQUENCE 2. ACCIDENT PROGRESSION TO MSLB

The event tree to be used in modeling this scenario and the plant response to the overfill is given in Figure 6.1. As with Sequence 1, it is assumed that this accident must make a transition to a MSLB to be of safety concern. An overcool in itself is not a serious accident, requiring a pipe break, valve lift, or challenge of some safety system to represent an accident initiating event. Considering this as a transient initiator, no damage or impairment of RSS or ECCS systems is seen. The specific steps in the event tree and the assumed failure probabilities are discussed further below.

Operator Action

This scenario is postulated to take place during normal startup, at a time when vessel pressure is still low enough to allow input from the condensate booster pumps. The failure is then assumed to occur when flow is from the condensate booster pumps via the startup bypass valve. This mode continues until system pressure reaches 350 psig, with a transition to the main feedwater system. Level control with flow via the bypass valve uses one element only (i.e., level) and can be in automatic or manual operation.

During ascent to power, the operator attention will typically be focused on vessel water level and feedwater performance. The operator would be able to recognize an overfill condition by the reactor vessel high water level alarm, reactor vessel level indication (strip charts and meters) and increased feedwater flow. All level indicators would also be in agreement on the overfill, in contrast to the case in Sequence 1 where level failures had occurred.

The time available to the operator for diagnosis and action is also estimated by INEL to be on the order of 5 minutes before spillover could occur. This is a minimum estimate, with time available for operator action increasing as vessel pressure approaches 350 psig and the pump output goes to zero.

FIGURE 6.1. Event tree for Sequence 2: branches for Initiating Event (8.2E-05/py), Operator Action, LIS High Level Signal, Reactor SCRAM, MSIV Closure, and MSLB-Pipe Break, with end-state sequences numbered 1 through 9.

The operator can terminate this transient by either tripping the condensate booster pump or shutting any of a number of isolation valves between the reactor and the booster pump discharge, depending on the lineup at the time. It is thus thought that the operator has a real potential for recognizing and terminating the overfill scenario before spillover occurs.

In Sequence 1, a 50 percent probability of operator failure to identify a feedwater level failure at 100 percent power was used. The error rate here is thought to be much less due to the lack of conflicting signals and duties of the operator at ascent to power. A probability of 30 percent that the operator will not be able to identify the real problem in time to end the transient will be used here. Note that this is considered highly conservative, with values on the order of 1E-03 more likely.

LIS High Water Level Signal

The reactor vessel level instrumentation was shown in Figure 3.1. Referring back to that figure, the LIS 3-203 A through D switches will generate a 1-out-of-2 twice signal on high water level for reactor SCRAM, HPCI, turbine trip, and MSIV closure.

Sequence 1 assumed that failures had occurred in the reactor water level indicating switches (LIS). The probability of LIS failure during an eight hour window between shifts would be on the order of 1E-05 (8 hours x 1.2E-06/hr).

It must, therefore, be assumed in this sequence that the high level LIS trip signals will be generated in this case as the vessel fills. The MSIVs will therefore be demanded, which at low power would likely end the sequence. In this case, however, the potential for a MSLB will still be assumed.

Reactor SCRAM

The Browns Ferry PRA estimates the SCRAM failure to be 3.0E-05. It is thought that this scenario will not impact the reactor SCRAM function in any fashion.

MSIV Closure

The Browns Ferry PRA puts the probability of MSIV failure to close at 1.1E-07. This sequence is not thought to change the valve performance, as the isolation signal comes well before overfill occurs. This is in contrast to Sequence 1, where spill over and subsequent MSLB were necessary to generate the isolation signal. Closure of the valves is again thought to significantly reduce mass flow in the system and thus reduce the probability for inducing pipe breaks.

MSLB-Pipe Break

The probability of inducing a pipe break is then assumed to be a function of the mass flow in the system at the time of overfill. If SCRAM fails, the probability is assumed to be 1.0; if SCRAM occurs but MSIV isolation fails, the probability is assumed to be 0.5 as with Sequence 1. If SCRAM and MSIV isolation occur, the probability of MSLB is assumed to be 0.1. This is considered conservative given the low system pressures at the time of overfill.


Resulting MSLB Sequence Frequencies

Referring back to Figure 6.1, the sequences that result in MSLB are summarized below. The MSLB sequences are identified to be Sequences 2.3, 2.5, 2.7, 2.8 and 2.9. Application of the assumed failure probabilities in the model event tree gives the probabilities shown in Table 6.2 for a MSLB with an initiation frequency of 8.2E-05/yr.

This estimate is approximately 2 orders of magnitude smaller than the MSLB frequency estimate obtained in the previous analysis of Sequence 1 with feedwater overfill. The impact on core-melt and public risk is also considered to be 2 orders of magnitude smaller, making the contribution from this sequence insignificant to the overall contribution to plant core-melt and risk from transient overfill.

TABLE 6.2. Sequence 2 MSLB Frequencies

MSLB Sequence          Frequency, 1/py (Best Estimate)
Sequence 2.3           2.46E-06
Sequence 2.5           1.35E-12
Sequence 2.7           7.38E-10
Sequence 2.8           8.12E-17
Sequence 2.9           2.46E-10
Total MSLB Frequency   2.46E-06
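The event-tree arithmetic behind Table 6.2, as an added example in Python (not code from the PNL report): it multiplies the Section 6.2 branch probabilities along each MSLB path, reproduces the table, and also checks the Section 5 combination of the two Sequence 1 cases (0.95). The branch order and the assignment of the five end states to sequence numbers 2.3 through 2.9 are inferred from the text and are assumptions.

```python
"""Event-tree arithmetic for the Sequence 2 MSLB paths and the Sequence 1
MSLB probability. Added example, not code from the PNL report. Branch
probabilities are the values stated in Sections 5 and 6.2; the branch order
and the path-to-sequence-number mapping are assumptions inferred from the text."""

from dataclasses import dataclass

# Sequence 2 branch values as stated in Section 6.2.
INITIATING_FREQUENCY = 8.2e-05  # booster pump fails to maximum flow, per py
P_OPERATOR_FAILS = 0.3          # operator does not end the transient in time
P_LIS_FAILS = 1.0e-05           # no high-level LIS trip signal (8 h x 1.2E-06/hr)
P_SCRAM_FAILS = 3.0e-05         # Browns Ferry PRA
P_MSIV_FAILS = 1.1e-07          # Browns Ferry PRA


def p_pipe_break(lis_ok: bool, scram_ok: bool, msiv_ok: bool) -> float:
    """MSLB probability as a function of mass flow at overfill (Section 6.2):
    1.0 with no SCRAM, 0.5 with SCRAM but no MSIV isolation, 0.1 with both."""
    if not lis_ok or not scram_ok:
        return 1.0  # no trip signal, or SCRAM failed: full mass flow
    if not msiv_ok:
        return 0.5
    return 0.1


@dataclass(frozen=True)
class Path:
    """One MSLB end state of the Figure 6.1 tree; success flags per branch."""
    sequence: str
    lis_ok: bool
    scram_ok: bool
    msiv_ok: bool


# The five MSLB end states named in the text. Which flag pattern carries
# which sequence number is an assumption (it reproduces Table 6.2).
MSLB_PATHS = (
    Path("2.3", lis_ok=True, scram_ok=True, msiv_ok=True),
    Path("2.5", lis_ok=True, scram_ok=True, msiv_ok=False),
    Path("2.7", lis_ok=True, scram_ok=False, msiv_ok=True),
    Path("2.8", lis_ok=True, scram_ok=False, msiv_ok=False),
    Path("2.9", lis_ok=False, scram_ok=False, msiv_ok=False),  # no LIS signal
)


def path_frequency(path: Path, initiating: float = INITIATING_FREQUENCY) -> float:
    """Multiply the initiating frequency by each branch probability on the path."""
    freq = initiating * P_OPERATOR_FAILS
    if path.lis_ok:
        freq *= 1.0 - P_LIS_FAILS
        # SCRAM and MSIV closure are only demanded when the LIS signal exists.
        freq *= (1.0 - P_SCRAM_FAILS) if path.scram_ok else P_SCRAM_FAILS
        freq *= (1.0 - P_MSIV_FAILS) if path.msiv_ok else P_MSIV_FAILS
    else:
        freq *= P_LIS_FAILS
    return freq * p_pipe_break(path.lis_ok, path.scram_ok, path.msiv_ok)


def mslb_frequencies(initiating: float = INITIATING_FREQUENCY) -> dict:
    """Frequency (1/py) of every MSLB end state, keyed by sequence number."""
    return {p.sequence: path_frequency(p, initiating) for p in MSLB_PATHS}


def total_mslb_frequency(initiating: float = INITIATING_FREQUENCY) -> float:
    """Sum of the MSLB end states; dominated by Sequence 2.3."""
    return sum(mslb_frequencies(initiating).values())


def sequence1_mslb_probability(p_early_trip: float = 0.1,
                               p_hammer_early: float = 0.5,
                               p_static: float = 1.0e-03,
                               p_hammer_late: float = 1.0) -> float:
    """Section 5: early main-turbine trip (hammer 0.5 plus static load 1E-03)
    weighted by 0.1, plus the full-power spillover case (1.0) weighted by 0.9."""
    early_case = p_hammer_early + p_static   # 0.501
    late_case = p_hammer_late                # static load contribution ignored
    return p_early_trip * early_case + (1.0 - p_early_trip) * late_case


def sci(value: float) -> str:
    """Format in the report's two-decimal E notation, e.g. 2.46E-06."""
    return f"{value:.2E}"


if __name__ == "__main__":
    for seq, freq in mslb_frequencies().items():
        print(f"Sequence {seq}: {sci(freq)} /py")
    print(f"Total MSLB frequency: {sci(total_mslb_frequency())} /py")
    print(f"Sequence 1 net MSLB probability: {sequence1_mslb_probability():.2f}")
```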

7.0 SEQUENCE 3. LPCI FAILURE

The third reactor vessel overfill sequence identified by INEL dealt with false starts of the low pressure cooling injection (LPCI) system while at low reactor vessel pressure. Note that this sequence involves vessel overcool as well.

The LPCI system in Browns Ferry is a mode of operation of the Residual Heat Removal System pumps to flood water into the core. The core spray system starts from the same signal of low water level in the reactor or high pressure in the containment drywell and operates independently to achieve the same objective.

The isolation valves for these two systems are opened when reactor pressure is less than 500 psig, but injection flow does not occur until the differential pressure across the check valves permits. This occurs when the RPV pressure is less than 300 psig.

The sequence initiators identified by INEL as the cause of false LPCI injection include the following:

Initiator a: Local LPCI pump switch shorts to power causing the pumps to start.

Initiator b: Remote LPCI pump switch shorts to power causing the pumps to start.

Initiator c: Shorts in pump control circuits (four pump control circuits) causing the LPCI pumps to start.

Initiator d: Short in 1 out of 2 taken twice logic circuit for reactor level resulting in LPCI initiation due to false low-low level signals.

Initiator e: Short in 1 out of 2 taken twice logic circuit indicating a false high drywell pressure resulting in LPCI initiation.

Initiator f: Two drywell pressure switches fail closed due to common cause and initiate LPCI pump start.

Initiator g: Two reactor vessel low water level switches fail closed due to common cause and result in LPCI pump start.

Initiator h: Two independent (fail closed) failures of drywell pressure or reactor vessel water level sensors causing LPCI initiation.

As with Sequence 2, the INEL analysis of initial plant response to these initiators assumed that the plant was in a startup mode, with the reactor power at 1 percent, reactor vessel pressure at approximately 270 psia, and the main steam isolation valves (MSIVs) closed. This was done primarily due to computer modeling limitations. With the MSIVs closed, mass flow in the system is severely restricted and the potential for water hammer and pipe breaks is thus highly unlikely. Breaks due to overcooling at such reduced temperatures and pressures are also unlikely.

For the purposes of this analysis, it will again be assumed that the reactor power has increased to the point of opening the MSIVs, thus introducing a real potential for piping damage if overfill occurs. The sequence of events for reactor vessel overfill as postulated by the INEL is given below in Table 7.1.

TABLE 7.1. Sequence of Events for Reactor Vessel Overfill Sequence Number 3

Time, sec   Event Description
0.0         Startup operations. Reactor power is 1 percent, reactor vessel pressure is approximately 270 psia, and the main steam isolation valves (MSIVs) are closed.
0.05        Loss of condensate booster pumps occurs.
125.0       Steamlines begin to fill.
175.0       Steamlines are liquid full. Cooldown rate has exceeded 100°F/hr (cooldown limit).

Effects of Excessive Cooldown and Thermal Shock

As with the previous sequence, the failure of interest identified by INEL is again not a steam line break directly, but that the cooldown rate of the primary system exceeds the technical specification limits.

It is again the position of PNL at this time that the potential for vessel damage and loss of coolant is negligible at the pressures, initial temperatures, and cooldown rates given. The probability of pressure vessel rupture is put at zero; if more information becomes available, this conclusion can be updated.

In any event, to be conservative the potential for inducing a steam line break given the overfill scenario will be considered below as was done with the previous sequence.

7.1 SEQUENCE 3 OVERFILL INITIATING FREQUENCY

As with Sequence 2 just examined, the initiating frequency of this sequence and its subsequent progression to a MSLB are expected to be lower than that found for Sequence 1. As a result, it is felt that a less detailed examination of the initiating frequency of this sequence is justified. For the purpose of this analysis, the original frequencies calculated by INEL will be used as a starting point. If the resulting core-melt frequencies are high enough, a more detailed examination of failure mechanisms can then be made.

The INEL estimate of initiation frequency for false start of the LPCI is put at 3.6E-03/py, with an upper bound of 7.7E-03/py. For this analysis, the best estimate value of 3.6E-03/py will be carried through to MSLB.

Note that as with the booster pump failure in Sequence 2, this frequency includes an estimate of the time per year that the reactor is at or under the output pressure of the RHR pumps used for LPCI. This occurs for only a relatively short period of time during startup. Once vessel pressure exceeds 350 psig, the pumps do not have sufficient pressure output to put water into the vessel, and the accident is no longer credible.

7.2 SEQUENCE 3 ACCIDENT PROGRESSION TO MSLB

The event tree to be used in modeling this scenario and the plant response to the overfill is given in Figure 6.1, this being the same as with Sequence 2.

It is again assumed that this accident must make a transition to a MSLB to be of safety concern. An overcool in itself is not a serious accident; a pipe break, valve lift, or challenge of some safety system is required to represent an accident initiating event. Considering this as a transient initiator, no damage or impairment of RSS or ECCS systems is seen. The potential for core damage would be very small given the transient initiating frequency of 3.6E-03/py. It is thus thought that the consideration of a MSLB as indicated in Figure 6.1 will bound the estimate of core damage from this sequence.

The specific steps in the event tree and the assumed failure probabilities are discussed further below.

Operator Action

This scenario is postulated to take place during a normal startup, at a time when vessel pressure is still low enough to allow input from the RHR pumps in LPCI mode. The operator would be able to recognize this abnormal occurrence by indications that the RHR system has started in the LPCI mode. This includes valves repositioning, pump run indication, and pump discharge pressure and flow increasing.

During ascent to power, the operator's attention will typically be focused on vessel water level and feedwater performance. The operator would be able to recognize an overfill condition by the reactor vessel high water level alarm, reactor vessel level indication (strip charts and meters) and increased reactor feedwater flow. All level indicators would also be in agreement on the overfill, as with Sequence 2.


The time available to the operator for diagnosis and action is also estimated by INEL to be on the order of 2 minutes before spillover could occur. This is a minimum estimate, with time available for operator action increasing as vessel pressure approaches 350 psig and the pump output goes to zero.

The operator can terminate this transient by simply tripping the RHR pumps. It is thus thought that the operator has a real potential for recognizing and terminating the overfill scenario before spillover occurs.

In Sequence 1, a 50 percent probability of operator failure to identify a feedwater level failure at 100 percent power was used due to conflicting signals. For Sequence 2, this was reduced to a 30 percent failure rate due to likely operator awareness of vessel level during startup, and the time available to correct the problem. In this sequence the operator is still likely to be closely monitoring vessel water level during startup, but slightly less time is available. Operator termination is again thought to be very likely, but a highly conservative failure probability of 40 percent will be assumed here.

Initial System Response to Overfill

The initial response of the reactor systems to the overfill scenario is expected to be as developed previously for Sequence 2. This includes the LIS High Water Level Signal, the Reactor SCRAM, and the MSIV Closure functions. The progression of the accident is again not thought to impact the performance of these systems.

MSLB Pipe Break

As with Sequence 2, the probability of inducing a pipe break is then assumed to be a function of the mass flow in the system at the time of overfill. If SCRAM fails, the probability is put at 1.0. If SCRAM occurs but MSIV isolation fails, the probability is put at 0.5 as with Sequence 1. If SCRAM and MSIV isolation occur, the probability of MSLB is put at 0.1. This is considered conservative given the low system pressures at the time of overfill.

Resulting MSLB Sequence Frequencies

Referring back to Figure 6.1 with the operator action probability at 0.4 instead of 0.3, the sequences that result in MSLB are summarized below.

The MSLB sequences are identified to be Sequences 2.3, 2.5, 2.7, 2.8 and 2.9.

Application of the assumed failure probabilities in the model event tree gives the following probabilities for a MSLB initiation:


TABLE 7.2. Sequence 3 MSLB Frequencies

MSLB Sequence           Frequency (/py)
Sequence 2.3            1.44E-04
Sequence 2.5            7.92E-11
Sequence 2.7            4.32E-08
Sequence 2.8            4.75E-15
Sequence 2.9            less than 1.44E-08
Total MSLB Frequency    1.44E-04 +

This MSLB frequency estimate is thus roughly an order of magnitude smaller than that estimated for Sequence 1 with feedwater overfill. As a result, the impact on core-melt and public risk is also considered to be roughly 10 times smaller.
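As an added worked example (not part of PNL-5545 or the INEL analysis), the following Python reconstructs the Sequence 3 branch arithmetic from the probabilities quoted in this section and in Chapter 8. Figure 6.1 is not reproduced on this page, so the encoding of the tree as operator action, then SCRAM, then MSIV isolation, then pipe break, and the mapping of those four paths onto the labels 2.3, 2.5, 2.7 and 2.8, are assumptions made here; Sequence 2.9, whose branch is not quantified on this page, is not modelled.

```python
"""Event-tree arithmetic for the Sequence 3 (false LPCI start) overfill model.

Added worked example, not code from PNL-5545.  Branch probabilities are the
values quoted in Section 7.2 and Chapter 8; the tree structure and the
sequence-label mapping are assumptions made here.
"""
from itertools import product

INIT_FREQ = 3.6e-03           # false LPCI start, /py (INEL best estimate)
P_OPERATOR_FAILS = 0.4        # operator fails to trip the RHR pumps before spillover
P_SCRAM_FAILS = 3e-05         # per demand, Browns Ferry PRA value quoted in Chapter 8
P_MSIV_PAIR_FAILS = 1.1e-07   # both MSIVs fail to close, NUREG/CR-2802 value quoted in Chapter 8

# Assumed mapping of (SCRAM ok, MSIV isolation ok) onto the report's sequence labels.
SEQUENCE_LABEL = {
    (True, True): "2.3",
    (True, False): "2.5",
    (False, True): "2.7",
    (False, False): "2.8",
}


def p_msl_break(scram_ok, msiv_ok):
    """Conditional MSLB probability as a function of mass flow at spillover (Section 7.2)."""
    if not scram_ok:
        return 1.0      # full steam flow continues
    if not msiv_ok:
        return 0.5      # reactor tripped, lines not isolated
    return 0.1          # tripped and isolated; conservative at low pressure


def msl_break_sequences(init=INIT_FREQ, p_op=P_OPERATOR_FAILS,
                        p_scram=P_SCRAM_FAILS, p_msiv=P_MSIV_PAIR_FAILS):
    """Frequency (/py) of each path that reaches a MSLB, keyed by sequence label.

    The operator-success branch never reaches spillover and contributes nothing,
    so only the operator-failure branch is expanded over SCRAM x MSIV outcomes.
    """
    freqs = {}
    for scram_ok, msiv_ok in product((True, False), repeat=2):
        f = init * p_op
        f *= (1.0 - p_scram) if scram_ok else p_scram
        f *= (1.0 - p_msiv) if msiv_ok else p_msiv
        f *= p_msl_break(scram_ok, msiv_ok)
        freqs[SEQUENCE_LABEL[(scram_ok, msiv_ok)]] = f
    return freqs


def total_msl_break_frequency(**kwargs):
    """Sum over the MSLB paths; dominated by the tripped-and-isolated path (2.3)."""
    return sum(msl_break_sequences(**kwargs).values())


def dominant_sequence(**kwargs):
    """Label and share of the path that carries most of the MSLB frequency."""
    seqs = msl_break_sequences(**kwargs)
    label = max(seqs, key=seqs.get)
    return label, seqs[label] / sum(seqs.values())


if __name__ == "__main__":
    for label, f in sorted(msl_break_sequences().items()):
        print(f"Sequence {label}: {f:.2E}/py")
    print(f"Total MSLB frequency: {total_msl_break_frequency():.2E}/py")
```

Running it shows that the total is the initiating frequency times the operator failure probability times 0.1 to within a part in ten thousand, so the whole tree collapses to three numbers; changing the operator probability from 0.3 to 0.4 moves every sequence proportionally, which is exactly the adjustment the text makes when it reuses Figure 6.1 for this sequence.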


8.0 BROWNS FERRY MSLB EVENT TREES TO CORE-MELT

As discussed previously, the accident progression will generate an MSIV isolation signal given a MSLB as the result of sensors in the main steam tunnel or drywell. In addition, sufficient condensation of steam in the main steam lines to below 825 psi will also produce an isolation signal. It is thus thought that the probability of an isolation signal is 1.0.

Pipe breaks downstream of the MSIVs would then require the MSIVs to close to successfully isolate the vessel. The Browns Ferry PRA considered the probability of failure of the two MSIVs to be 1.1E-07 (NUREG/CR-2802, Main Report, p. 33), which would put the failure to isolate several orders of magnitude less than that for ruptures inside containment. A more conservative valve failure probability of 3.2E-03/demand, or 1E-05 per pair, would still give a similar conclusion. The question remains, however, whether the performance of the MSIVs is affected in some fashion by the overfill transient.

The four main 26 in. pipe runs exit the vessel and drop down to a level where they exit the drywell. The MSIVs are then located on either side of the drywell penetration. Upstream of these are the safety relief valves and the steam flow restrictors. This portion of the steam line then presents two 90 degree bends, but is otherwise relatively unrestricted. In the case of overfill, water hammer and vibrations of two phase flow could interfere with valve operation or cause outright damage. This was discussed by phone with the chairman of the MSIV task force at TVA (Elvis Hollins, June 19, 1984). The overall impression was that some chattering may occur during closing, but that the hydraulic forces would actually tend to force closure and seating of the valve. Increasing this failure probability is thus not thought to be justified at this time.

The event trees to be used in modeling the plant response to the overfill as developed in the Browns Ferry PRA are shown in Figures 8.1, 8.2 and 8.3.

These represent large, medium, and small steam line breaks respectively upstream of the MSIVs. Pipe breaks downstream of the MSIVs are possible. However, two MSIVs must fail to close in addition to the pipe break to be of concern. This is assumed to reduce the safety significance of such breaks to well below that of breaks upstream of the MSIVs, given their apparent ability to perform with water in the steam lines. As with the Browns Ferry analysis, it will therefore be assumed that the breaks occur upstream of the MSIVs. The appropriate system response for such breaks is then that depicted in Figures 8.1 through 8.3.

The approach used by Browns Ferry to model pipe breaks upstream of the MSIVs is therefore also thought to be the most conservative approach for the overfill analysis, and will be used here. However, the other systems on the event trees must also be examined to see if the overfill scenario impacts the associated failure probabilities.

Reactor SCRAM

The feedwater overfill is not thought to impact the reactor SCRAM function in any fashion. The probability of SCRAM failure is then put at 3E-05/demand.

i 8.1 1 < >-

5

_ _ .__ m _ . _ _ . . .. __

FIGURE 8.1. LOCA Systemic Event Tree for Large Steam Line Break (L_V), from the Browns Ferry PRA (INEL 21633). Break size: 1.4 to 4.1 ft². Event tree headings: LOCA; PB (Reactor SCRAM, RS); SCI (Short-Term Containment Integrity); ECI (CRD, VS, 2 CS Loops, 1 CS Loop, 1 LPCI); DHR (Torus Clg, SID Clg). Legend: SID = Shutdown, Clg = Cooling, X = function failure. End states: core cooled, slow melt, melt. [Figure not reproduced in this text extraction.]

FIGURE 8.2. LOCA Systemic Event Tree for Intermediate Steam Line Break (I_V), from the Browns Ferry PRA (INEL 21635). Break size: 0.12 to 1.4 ft². Event tree headings: LOCA; PB (RS); SCI; ECI (HPCI, CRD, VS, 1 CS Loop, 1 LPCI); DHR (Torus Clg, SID Clg); sequences entered from the transient systemic event trees (Figures A.13 and A.14). Legend: SID = Shutdown, Clg = Cooling, X = function failure. End states: core cooled, slow melt, melt. [Figure not reproduced in this text extraction.]

FIGURE 8.3. LOCA Systemic Event Tree for Small Liquid-Line or Steam-Line Break (S), from the Browns Ferry PRA (INEL 21636). Break size: less than 0.12 ft². Event tree headings: LOCA; PB (RS); SCI; ECI (HPCI, CRD, 1 CS Loop); DHR (Torus Clg, SID Clg). Legend: SID = Shutdown, Clg = Cooling, X = function failure. End states: core cooled, slow melt, melt. [Figure not reproduced in this text extraction.]

Short-Term Containment Integrity (Vapor Suppression)

Performance of the vapor suppression function in the drywell and torus is not thought to be affected by the overfill scenario. The Browns Ferry failure probabilities are thus thought to be appropriate.

RCIC/HPCI Response Adequate

The HPCI system in Browns Ferry is a steam driven system, with the steam tap inboard of the MSIVs. The approach used here will model small, medium, and large breaks, so the possible scenarios and required response are covered.

However, the impact of the overfill on the HPCI system must also be considered. In this accident scenario the reactor vessel could blow down after MSLB, or isolate and remain relatively full. The latter is again highly unlikely given the loss of feedwater with MSIV closure, but will be considered here. If the vessel is still full, the steam delivery lines to the RCIC and HPCI may be solid with water or subject to steam collapse and water hammer. However, there would then be no initiation signal or flow in these lines while the vessel water level was still high.

The four LISs used for safety actuation are not only distinct from those discussed earlier for feedwater failure, but they are also on a separate 2 in. instrument line. These again use a 1-out-of-2-twice logic for initiation. The vessel level must then actually drop to the low-low trip point as indicated by the independent set of LISs. This can only occur through a period of system boil-off and lifting of the relief valves, starting from an extreme vessel overfill. The main steam line and RCIC turbine supply line would then continue to drain and boil off as the water level in the vessel dropped with actuation of the SRVs. If the vessel blew down before isolation, these lines would again be expected to drain accordingly.

The RCIC/HPCI steam driven turbines would thus still be isolated awaiting an initiation signal from the vessel water level indicating switches. As a result, the failures discussed earlier for the feedwater function have in no way impacted the performance of this function.

The other possibility is that the pipe break assumed actually occurs along the piping serving the HPCI system. This possibility has been considered in the Browns Ferry PRA, with the assumption that 23.2 percent of the piping susceptible to intermediate steam line breaks is HPCI piping. This is assumed to be appropriate here. The overall impact on the assumed pipe break frequencies will be discussed further below.

As a result it is thought that at the point of RCIC/HPCI initiation, the steaming conditions in the vessel and supply line to the turbines will be as expected for their operation. The failure probabilities for this function as developed in the Browns Ferry PRA are thus thought to be appropriate.

ADS/LPCI/CS Response Adequate

The ADS/LPCI is typically considered a backup to the high pressure systems. If the vessel remains pressurized but the HPCI fails, the ADS must depressurize the vessel before low pressure systems can be used. In this case, the dominant failure mechanism is the ADS function, where the valves fail to lift properly.


However, if the system is already blown down, as is the case with isolation failure or breaks within containment, only the electrically driven LPCI must function. The LPCI is thus not thought to be affected by the overfill transient. Water sources for this system are aligned initially with the condensate storage tank, then the suppression pool. Neither is thought to be affected. Thus, the Browns Ferry failure probabilities are again thought to apply here.

Long-Term Core Cooling The long-term core cooling function is not thought to be impacted by the accident sequence in any fashion. Power and water supplies for residual heat removal are not associated with the systems possibly subjected to water hammer damage during the course of the accident.

The net result of this consideration is that the Browns Ferry PRA approach is thought to be directly applicable here, with the only difference being the initiating frequency of the MSLBs assumed.

MSLB Frequencies Adjusted by Break Size

The Browns Ferry PRA assumed the following distribution for pipe breaks inboard of the MSIVs:

TABLE 8.1. Browns Ferry Steam Line Break Frequencies

Break Size                                             Frequency (/py)   Percent
Large Steam Line Breaks (1.4 to 4.1 sq. ft.)           5.2E-05           4
Intermediate Steam Line Breaks (0.12 to 1.4 sq. ft.)   2.1E-04           17
Small Steam Line Breaks (up to 0.12 sq. ft.)           1.0E-03           79
Total                                                  1.26E-03          100

It will be assumed here that the same distribution applies to the pipe breaks under consideration for the feedwater overfill transient. The total MSLB frequency of (2.87E-03 + 2.46E-06 + 1.44E-04)/py = 3.01E-03/py is assumed here. Dividing this up as per the above percents between large, medium, and small steam line breaks then gives the results shown below.

TABLE 8.2. Assumed Distribution for Overfill Steam Line Break Frequencies

Break Size                       Frequency (/py)   Percent
Large Steam Line Breaks          1.21E-04          4
Intermediate Steam Line Breaks   5.13E-04          17
Small Steam Line Breaks          2.38E-03          79
Total                            3.01E-03          100

Core-Melt Frequency

The Browns Ferry results for core-melt are given below for large, medium, and small steam line breaks. These values have then been adjusted by the differences in assumed MSLB frequencies. Note that as discussed above for the HPCI system, pipe breaks that occur along the steam lines serving the HPCI steam driven turbine would effectively remove this system from service. The Browns Ferry PRA has taken this into account, assuming that 23 percent of the intermediate piping subject to MSLB would be associated with the HPCI system. The PRA thus already takes loss of HPCI due to pipe break into account. The assumed 23 percent probability is also assumed to apply to the overfill transient.

Note that the variables given in the sequences below match the system failures assumed on the event trees shown earlier.

TABLE 8.3. Core-Melt Sequence Frequencies

Large Steam Line Break
Sequence            BF PRA Frequency/py   Assumed A-47 Overfill Frequency/py
All sequences       less than 1E-08       less than 2.33E-08

Medium Steam Line Break
Sequence            BF PRA Frequency/py   Overfill Frequency/py
IV RB RA            1.6E-08
IV C RB RA          1.3E-08
IV C D RB RA        1.3E-08
IV C D FB RB RA     1.3E-08
IV C D FB GD        1.3E-08
Total               6.8E-08               1.66E-07

Small Steam Line Break
Sequence            BF PRA Frequency/py   Overfill Frequency/py
S RB RA             5.3E-07
S D RB RA           1.2E-07
S C RB RA           6.0E-08
S C D RB RA         6.0E-08
S C D FB RB RA      6.0E-08
S C D FB GD         6.0E-08
S C D E             6.0E-08
S B                 3.0E-08
Total               9.8E-07               2.33E-06

Total Steam Line MSLB Core-Melt Frequency   1.1E-06   2.52E-06

As expected, given the higher assumed MSLB initiating frequency (3.01E-03/py versus 1.26E-03/py), this issue has a somewhat larger frequency for core-melt via steam line break than that calculated in the Browns Ferry PRA.

Public Risk

Public risk was likewise calculated assuming the same probabilities for containment failure modes as used in the Browns Ferry PRA for MSLBs, as shown in Table 8.4. The man-rem associated with the releases are those used in the Value Impact Handbook (NUREG/CR-3568). The final results are given in Table 8.5.

TABLE 8.4. Assumed Containment Failure Probabilities and Man-Rem/Event

Release Category   Probability   Man-Rem/Event
BWR 1              0.01          5.4E+06
BWR 2              0.8           7.1E+06
BWR 3              0.2           5.1E+06

TABLE 8.5. Core-Melt and Risk due to Sequence 1 BWR Overfill Induced MSLBs

                                          Containment Failure Mode (/py)
Core-Melt Cause     Frequency/py          BWR 1      BWR 2      BWR 3
Large MSLB          less than 2.33E-08    2.3E-10    1.9E-08    4.7E-09
Intermediate MSLB   1.66E-07              1.7E-09    1.3E-07    3.3E-08
Small MSLB          2.33E-06              2.3E-08    1.9E-06    4.7E-07
TOTAL               2.52E-06              2.5E-08    2.0E-06    5.1E-07
man-rem/py                                1.4E-01    1.4E+01    2.6E+00
Total man-rem/py    1.7E+01

The total predicted public dose due to overfill induced MSLBs is then 1.7E+01 man-rem/py. Note that if the core-melt frequency due to MSLB of 1.1E-06/py is simply ratioed with the new initiating frequency (1.79E-03/1.26E-03) and a worst-case release category 2 is assumed, this gives 1.11E+01 man-rem/py public risk with a core-melt frequency of 1.56E-06/py. A public risk of 17 man-rem/py will be assumed here.

9.0 TRANSIENT SHUTDOWNS INDUCED BY CONTROL SYSTEM FAILURES

9.1 INTRODUCTION

The transient shutdown represents the primary source for initiating a core-melt sequence in the Browns Ferry PRA. As a result, it will be necessary to examine the accident initiators identified by INEL for their contribution to the frequency of transient shutdowns.

The transients affecting Browns Ferry are divided in the PRA study (NUREG/CR-2802) into the following:

   T(LOFT) - transients due to loss of offsite power
   T(U)    - transients with the power conversion system (PCS) unavailable
   T(A)    - transients with the PCS available

For the PCS to be available, the heat removal function must remain intact. This requires that the condenser remain available, along with a continued delivery of water.

The transient frequencies that have been observed for the Browns Ferry plant are cited in the following table, along with the transient frequency for BWRs in general (from NUREG/CR-2802, page 18):

TABLE 9.1. Browns Ferry Data on Transient Frequencies

Event                                                     Frequency (events/yr)
                                                          BF       BWRs
Transients that cause the PCS to be unavailable
  MSIV closure                                            0.58     0.24
  Loss of normal condenser vacuum                         0.56     0.41
  Pressure regulator fails open                           0.0      0.24
  Loss of feedwater flow                                  0.51     0.17
  Loss of offsite power                                   0.03     0.11
  Loss of auxiliary power                                 0.0      0.03
  Increased feedwater flow at power                       0.05     0.18
  Totals                                                  1.73     1.39
Transients that do not cause the PCS to be unavailable
  Electric load rejection                                 1.02     0.74
  Electric load rejection with bypass failure             0.0      0.0
  Turbine trip                                            0.58     0.77
  Turbine trip with bypass failure                        0.0      0.0
  Inadvertent closure of one MSIV                         0.0      0.10
  Pressure regulator fails closed                         0.0      0.11
  Bypass/control valve fails causing pressure increase    0.05     0.25
  Recirculation control fails causing increased flow      0.03     0.10
  Totals                                                  1.68     2.07

9.2 CONTROL SYSTEM FAILURE CONTRIBUTION TO TRANSIENTS

INEL identified three sequences as a result of control system failures: one due to level control failure initiating a feedwater increase and defeating the high level trip, one involving condensate booster pump actuation at 1% power, and one involving false LPCI actuation at 1% power.

Note that the two overcool scenarios identified by INEL, and discussed in Chapters 6 and 7, are not considered to be of interest here for transient initiation due to the low power settings. These deal more with startup transients, or overfills during shutdown.

Of interest will be the feedwater control failures identified by INEL leading to overfill as developed in Chapter 1 of this report. These failures initiate the overfeed and also cause loss of the high level trip, leading to overfill. Referring back to the earlier chapters, the initiating frequency for these failures was put by PNL at 3.7E-03/py with an upper bound of 2.1E-02/py after a review of the INEL report. The INEL estimate of 6.5E-03/py will however be used here.

Transients with the PCS Unavailable

Again, we must consider transients with the PCS available, T(A), and those with the PCS unavailable, T(U). A T(U) transient is assumed to be worse, involving, as it does, the loss of the normal heat removal path. This could occur due to loss of the feedwater function, loss of the condenser, or loss of the steam path, or any combination of these. These three modes of causing a transient without the PCS available are discussed further below.

In the previous analysis, the steam driven feedwater turbine was assumed to be largely immune to damage as the overfill scenario progressed (probability of failure put at 0.1). This effectively weighted the analysis in favor of continued overfeed and potential steam line damage. Loss of feedwater function implies loss of the main and auxiliary feedwater sources. In the Browns Ferry plant, the reactor core isolation cooling (RCIC) pumps serve the auxiliary feedwater function. This loss could occur, given an overfill and a trip of the MFW (defeated in this scenario) or failure of the MFW steam driven turbine, plus an independent loss of the AFW function.

The probability of failure of the MFW steam turbine was put at 0.1. Rather than speculate on the survivability of the MFW turbine, it will simply be assumed here that the MFW turbine fails. The probability used in the ORNL Precursor Study (NUREG/CR-2497) for failure of the AFW function and loss of decay heat removal, 1.1E-03, will then be used here. The accident scenarios identified by INEL have not specified any damage to the condenser, so it is assumed that an independent failure of the condenser would have to occur to cause loss of this function. With the assumed operator error probability of 0.517 for failure to terminate the overfill, the predicted frequency of this event would then be (6.5E-03/py)(0.517)(1.1E-03) = 3.7E-06/py.

The progression of the overfill scenario to steam line break will also cause loss of the steam path to the condenser. This will be via the break itself, or isolation with the MSIVs, which close on MSLB. In the PNL analysis, it was again assumed that the MFW steam turbine and main turbine could continue operation (probability of 0.9) to the point of spillover to enhance the potential for water hammer and pipe break. As discussed in Chapter 5, this resulted in an assumed probability of pipe break given spillover of 0.95. When operator intervention is also added, this gave a net frequency of pipe break of (6.5E-03/py)(0.517)(0.9)(0.95) = 2.72E-03/py.

As can be seen, the assumed high probability of steam line break results in this pathway also representing the dominant mode for inducing a T(U) transient. Referring back to Table 9.1, it can also be seen that any T(U) type of sequences postulated for control failures will be reduced by a factor of (2.72E-03/1.73) = 1.57E-03, or approximately a factor of 1E-03.

Transients with the PCS Available

The T(A) transient would essentially be the above case where main turbine trip occurs as the overfeed progresses. Again, the probability of turbine trip was put at 0.1 versus 0.9 for continued operation to the point of pipe break assumed above. The predicted frequency of T(A) transients then becomes (6.5E-03/py)(0.517)(0.1) = 3.4E-04/py.

Again, referring back to Table 9.1 for the observed frequency of T(A) type sequences in Browns Ferry indicates that sequences initiated by such transients from control failures will be reduced by a factor of (3.4E-04/1.68) = 2.02E-04.

9.3 CORE-MELT AND RISK REPRESENTED BY CONTROL SYSTEM INDUCED TRANSIENTS

The dominant transient sequence contributors to core-melt frequency for the Browns Ferry PRA are given below.

TABLE 9.2. Browns Ferry PRA Results for Transient Core-Melt

Sequence        Frequency (/py)   Release Category Probability   Public Risk (man-rem/py)
                                  BWR-1     BWR-2     BWR-3
T(U)R(B)R(A)    9.7E-05           0.0001    0.2       0.8
T(U)B           5.1E-05           0.0001    0.2       0.8
T(U)QR(B)R(A)   4.1E-06           0.0001    0.2       0.8
Total T(U)      1.52E-04                                         6.20E+02
T(A)BM          3.7E-06           0.0001    0.2       0.8        2.04E+01
TOTAL           1.56E-04                                         6.40E+02

The risk associated with the release categories is based on 5.4E+06 man-rem for BWR-1, 7.1E+06 man-rem for BWR-2, and 5.1E+06 man-rem for BWR-3. Only the totals for the T(U) and T(A) transient sequences are given. The overall core-melt frequency for Browns Ferry is put at 2.0E-04/py, so these transients represent 78% of the overall plant core-melt frequency.

The core-melt contribution to transients from the control system failures would then be expected to be reduced by a factor of 1.57E-03 for T(U) sequences, and a factor of 2.02E-04 for T(A) sequences. This has been done below.

TABLE 9.3. Core-Melt Frequency and Risk for Control Failure Induced Transients

Transient Sequences   BF PRA Core-Melt Frequency (1/py)   PNL Estimated Frequency (1/py)   Public Risk (man-rem/py)
T(U) type             1.52E-04                            2.38E-07                         1.31E+00
T(A) type             3.7E-06                             7.49E-10                         3.16E-02
Total                 1.56E-04                            2.38E-07                         1.34E+00

The overall public risk represented by transient shutdowns as a result of control failures is then on the order of 1.3 man-rem/py. The core-melt frequency is put at 2.38E-07/py. Again this is approximately three orders of magnitude smaller than the observed risk represented by transient shutdowns, being dominated by the T(U) transients where the PCS is not available for decay heat removal.

With the transients considered representing approximately 78% of the core-melt frequency for Browns Ferry, the control system transients here would then represent approximately (78%)(1E-03) = 0.078% of the plant risk.
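Chapter 8 (Tables 8.2, 8.3 and 8.5) and Section 9.3 (Table 9.3) use the same recipe: scale a Browns Ferry PRA baseline by the ratio of the control-failure initiating frequency to the frequency the PRA assumed, then weight the resulting core-melt frequency by the release-category doses of Table 8.4. One added Python example therefore covers both. This is not code from PNL-5545 or the Browns Ferry PRA; every input is a value quoted in the text, the function names are the author's, and the per-transient release split (0.0001/0.2/0.8) is taken from Table 9.2.

```python
"""Scaling Browns Ferry PRA results to the A-47 overfill initiators.

Added worked example, not code from PNL-5545 or NUREG/CR-2802.  Inputs are
the values quoted in Chapters 8 and 9; function names are the author's.
"""

# ---- Chapter 8: overfill-induced MSLB --------------------------------------
BF_MSLB_FREQ = {"large": 5.2e-05, "intermediate": 2.1e-04, "small": 1.0e-03}   # Table 8.1, /py
BF_CORE_MELT = {"large": 1.0e-08, "intermediate": 6.8e-08, "small": 9.8e-07}   # Table 8.3 totals, /py
BREAK_FRACTION = {"large": 0.04, "intermediate": 0.17, "small": 0.79}          # Table 8.1 percents
MSLB_RELEASE = {"BWR 1": 0.01, "BWR 2": 0.8, "BWR 3": 0.2}                     # Table 8.4
MAN_REM_PER_EVENT = {"BWR 1": 5.4e06, "BWR 2": 7.1e06, "BWR 3": 5.1e06}        # Table 8.4


def apportion_by_break_size(total_mslb_freq, fractions=BREAK_FRACTION):
    """Table 8.2: split a total MSLB frequency by the assumed break-size distribution."""
    return {size: total_mslb_freq * frac for size, frac in fractions.items()}


def scale_core_melt(overfill_mslb_freq):
    """Table 8.3: scale each Browns Ferry core-melt total by the ratio of initiating frequencies."""
    return {size: BF_CORE_MELT[size] * overfill_mslb_freq[size] / BF_MSLB_FREQ[size]
            for size in BF_CORE_MELT}


def release_risk(core_melt_freq, release_probs):
    """man-rem/py by containment failure mode for one core-melt frequency (Table 8.5 columns)."""
    return {cat: core_melt_freq * p * MAN_REM_PER_EVENT[cat] for cat, p in release_probs.items()}


def mslb_core_melt_and_risk(total_mslb_freq=3.01e-03):
    """Return (core-melt frequency /py, public risk man-rem/py) for the overfill MSLB total."""
    core_melt = sum(scale_core_melt(apportion_by_break_size(total_mslb_freq)).values())
    return core_melt, sum(release_risk(core_melt, MSLB_RELEASE).values())


# ---- Chapter 9: control-failure-induced transients -------------------------
OVERFILL_INIT_FREQ = 6.5e-03   # INEL Sequence 1 initiating frequency, /py
P_OPERATOR_FAILS = 0.517
P_TURBINE_SURVIVES = 0.9       # MFW/main turbine keep running to spillover
P_BREAK_GIVEN_SPILL = 0.95
OBSERVED_TRANSIENTS = {"T(U)": 1.73, "T(A)": 1.68}             # Table 9.1 Browns Ferry totals, /yr
BF_TRANSIENT_CORE_MELT = {"T(U)": 1.52e-04, "T(A)": 3.7e-06}   # Table 9.2, /py
TRANSIENT_RELEASE = {"BWR 1": 0.0001, "BWR 2": 0.2, "BWR 3": 0.8}  # Table 9.2


def pathway_frequency(initiating_freq, *conditional_probs):
    """Initiating frequency times the conditional probabilities along one accident path."""
    freq = initiating_freq
    for p in conditional_probs:
        freq *= p
    return freq


def control_failure_transients():
    """Section 9.2 pathway frequencies (/py): T(U) via steam line break, T(A) via turbine trip."""
    return {
        "T(U)": pathway_frequency(OVERFILL_INIT_FREQ, P_OPERATOR_FAILS,
                                  P_TURBINE_SURVIVES, P_BREAK_GIVEN_SPILL),
        "T(A)": pathway_frequency(OVERFILL_INIT_FREQ, P_OPERATOR_FAILS,
                                  1.0 - P_TURBINE_SURVIVES),
    }


def scaled_transient_core_melt():
    """Table 9.3: BF core-melt frequency reduced by (control-failure rate / observed rate)."""
    paths = control_failure_transients()
    return {kind: BF_TRANSIENT_CORE_MELT[kind] * paths[kind] / OBSERVED_TRANSIENTS[kind]
            for kind in paths}


def transient_risk():
    """Total man-rem/py over both transient types using the Table 9.2 release split."""
    return sum(sum(release_risk(f, TRANSIENT_RELEASE).values())
               for f in scaled_transient_core_melt().values())


if __name__ == "__main__":
    cm, risk = mslb_core_melt_and_risk()
    print(f"MSLB core-melt {cm:.2E}/py, risk {risk:.1f} man-rem/py")
    print("Transient paths:", {k: f"{v:.2E}" for k, v in control_failure_transients().items()})
    print("Transient core-melt:", {k: f"{v:.2E}" for k, v in scaled_transient_core_melt().items()})
```

Two checks fall out of running it. First, because the same break-size distribution is assumed for the PRA and for the overfill case, every break size scales by the same factor 3.01E-03/1.26E-03 = 2.39, and the apportionment of Table 8.2 changes nothing; the split would only matter if overfill-induced breaks had a different size distribution. Second, the T(U) product (6.5E-03)(0.517)(0.9)(0.95) evaluates to 2.87E-03/py, the Sequence 1 MSLB frequency used in Chapter 8, rather than the 2.72E-03/py quoted in Section 9.2; the reduction factor and the Table 9.3 entries follow the quoted value, so they are about 6 percent low.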


10.0 VALUE/IMPACT ANALYSIS OF POTENTIAL CORRECTIVE FEATURES

In this chapter, various corrective features will be postulated to correct the control system failures identified by INEL. An estimate will be made of the effectiveness of such fixes in reducing or eliminating the failure frequencies, and this will be translated into effective reductions in core-melt frequency and public risk. The cost of implementing such corrective features will also be estimated, and the net value/impact ratio of man-rem saved per $1000 will be presented.

Again, the three sequences of interest are as follows:

   Sequence 1. High Level Trip Failure
   Sequence 2. Valve Failure Causing Feedwater Increase
   Sequence 3. False Start of the LPCI

These will be discussed further below.

10.1 SEQUENCE 1. HIGH LEVEL TRIP FAILURE

Referring back to Chapter 3, the initiators identified by INEL causing failure of the high level trip and feedwater increase will be reviewed and possible fixes discussed.

Initiator a: A leak or rupture of the variable leg of the water level sensing line that is common to two of the three reactor vessel water level sensors, causing a false low signal and resulting in an increased feedwater flowrate.

Initiator b: A common cause failure of two of the three level sensors or sensor circuitry causing a false low level signal and resulting in an increased feedwater flowrate.

Initiator c: Independent failure of two level sensors or sensor circuitry resulting in an increased feedwater flowrate.

Initiator d: A failure in the control circuit that regulates the feedwater pump speed and failure of two out of three high level trips, resulting in an increased feedwater flowrate and overfill of the reactor vessel.

Postulated Fix: Better Weld Integrity on Instrumentation Lines

Effect: this would impact Initiator 1.a only.

The weld points on the 2 inch instrumentation lines were assumed by INEL to be the weak points subject to leakage or rupture. Better QA of welds (i.e., radiography or other NDE) could reduce the postulated failure rate. Due to stress corrosion cracking problems in BWRs, it is assumed that this would be required annually to be effective.

Note that this fix will only impact the frequency of Initiator 1.a. The reduction in weld failure is likely to be small, given the QA the pipes are now subjected to. A reduction in weld failures of 10% will be estimated here.

Referring back to Table 3.2, the new predicted weld leakage frequency would then be (3.2E-04/py)(0.9) = 2.88E-04/py. The pipe failure frequency would remain the same at 1.1E-04/py, for a total frequency of 3.98E-04/py. The reduction in frequency is then (4.3E-04 - 3.98E-04)/py = (3.2E-04/py)(0.1) = 3.2E-05/py.

The reduction in core-melt frequency is ratioed from the total initiating frequency for Sequence 1 of 6.5E-03/py and the total core-melt frequency of 2.40E-06/py, giving (3.2E-05/6.5E-03)(2.40E-06/py) = 1.18E-08/py. This is then a 0.0049 fraction of the base case. This also equates to a reduction in risk of 8.0E-02 man-rem/py, or 2.4 man-rem over 30 years.

NUREG-1061 puts the cost of NDE piping inspection at approximately $3000/weld inspected. For such a small line that is not safety grade, much of the cost associated with QA will not be applicable. This cost is reduced here to $500/weld, divided between labor and QA/records costs. The annual outage cost for 12 welds per instrument line, and 2 instrument lines, is then $12,000/py. At a 10% assumed discount rate over 30 years, this represents a cost of ($12,000)(9.43) = $1.13E+05. The value/impact ratio is then (2.4 man-rem)/($1.13E+05) = 2.1E-02 man-rem/$1000.

Note that in-situ heating stress improvement is not considered viable for such a small pipe diameter. The pipe itself would probably be changed, as discussed below. Note further that NUREG-1061 also predicts an occupational exposure of 0.8 man-rem per weld inspected for the large BWR pipes. These pipes also carry reactor coolant, but the radiation field would be expected to be significantly lower around the small pipe.

Postulated Fix: Hardened Instrumentation Lines

Effect: this would impact Initiator 1.a only.

The pipe runs (probably 304 stainless steel) can be changed, using a material like 316 SS that is more resistant to stress corrosion cracking. This fix will again only impact Initiator 1.a. The 316 stainless steel piping would be expected to significantly reduce the frequency of weld failures due to the reduction in stress corrosion cracking. It is estimated that the frequency of pipe weld leakage could be reduced by a factor of 75%. It is uncertain that any reduction in pipe rupture frequency would be achieved. The new predicted weld leakage frequency would then be (3.2E-04/py)(0.25) = 8.0E-05/py. The pipe failure frequency would remain the same at 1.1E-04/py, for a total frequency of 1.90E-04/py. The reduction in frequency is then (4.3E-04/py - 1.90E-04/py) = 2.40E-04/py.

Referring back to the core-melt and risk results of Chapter 8, this equates to a reduction in core-melt frequency of 8.89E-08/py, and a reduction in risk of 6.0E-01 man-rem/py, or 1.8E+01 man-rem over 30 years.


The engineering and installation labor for all instruments is estimated at 4 man-weeks of engineering support and 8 man-weeks of craft services, a total of 12 man-weeks at $2270/man-week or $27,240. The material cost is $5000 for approximately 200 feet of piping and fittings, for a total of $32,240:

- 4 man-weeks of engineering support at $2270/week, or $9080

- 8 man-weeks of craft services at $2270/week, or $18,160

- $5000 in instrumentation and supplies.

The value/impact ratio is then (18 man-rem)/($32.2E+03) = 0.56 man-rem/$1000.

Postulated Fix: Changes in Instrumentation Failures Causing Feedwater Increase and Loss of Trip

To examine this more thoroughly, seven configurations for hardware and logic were considered for both the level transmitters (LT) and level indicating switches (LIS), summarized in Tables 10.1 and 10.2 below. These are the instrument high failures required to initiate the feedwater increase. In addition, they indicate the level trips. The base case for the Browns Ferry plant is given in Table 10.1, Case 4 for the level transmitters. Note that this again does not reflect the fact that failures must be low scale on the LT(A), as was discussed in the earlier chapters. The other instruments, as control trains, are to be restricted to specific failure modes if the high level trips are to be avoided.

TABLE 10.1. Possible Configurations for Level Transmitters (LT)

Case   Sensors   Trip Logic    Failures that Initiate Feedwater and Defeat High Trip
0      1         no trip       A
1      1         1-out-of-1    A
2      2         2-out-of-2    A, AB
3      2         1-out-of-2    AB
4      3         2-out-of-3    AB, AC, ABC
5      4         2-out-of-4    ABC, ABD, ACD, ABCD

Note that the modifications of interest to Browns Ferry focus on Case 5 above, that is, a modification to a 2-out-of-4 configuration. INEL has made some estimates of the expected frequency of the postulated overfill scenario for several of the configurations above, as given in Table 10.2. The estimate for the 2-out-of-4 configuration is based on the INEL estimates of 1.2E-07/hr and 2.7E-07/hr for reduced capacity and inoperable failures in the controlling level transmitter and 2 others, sufficient to drive the overfill and fail the high level trip. This gives a frequency of (1.2E-07 + 2.7E-07 = 3.9E-07/hr)(8760 hrs/py) = 3.4E-03/yr. No upper bound was given.
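Table 10.1 follows from a single rule: sensor A is the controlling transmitter, a failed-low sensor cannot vote for a high trip, and a k-out-of-n trip is defeated once fewer than k sensors remain healthy. The following is an added example, not code from the PNL report or from INEL; it enumerates the defeating failure sets for any k-out-of-n configuration (generalizing the six cases in the table) and then reproduces the 2-out-of-4 frequency estimate from the two INEL rates quoted above.

```python
from itertools import combinations

HOURS_PER_YEAR = 8760
SEQ1_BASE_FREQ = 6.5e-3          # Browns Ferry base case overfill frequency, /py

# INEL per-hour rates quoted in the text for the 2-out-of-4 estimate
INEL_REDUCED_CAPACITY_RATE = 1.2e-7
INEL_INOPERABLE_RATE = 2.7e-7


def defeating_failure_sets(n_sensors, k_trip):
    """Failed-low sensor sets that both start the feedwater increase and defeat
    a k-out-of-n high-level trip, written as strings such as 'ABC'.

    Sensor A is the controlling transmitter, so every set contains A.
    k_trip == 0 models Case 0 (no high-level trip at all)."""
    if not 1 <= n_sensors <= 26:
        raise ValueError("n_sensors must be between 1 and 26")
    if not 0 <= k_trip <= n_sensors:
        raise ValueError("k_trip must be between 0 and n_sensors")
    sensors = [chr(ord("A") + i) for i in range(n_sensors)]
    controlling, others = sensors[0], sensors[1:]
    result = []
    # Enumerate A plus every combination of the remaining sensors, smallest first.
    for extra in range(len(others) + 1):
        for combo in combinations(others, extra):
            failed = [controlling, *combo]
            healthy = n_sensors - len(failed)
            # With no trip, the controlling failure alone is enough; otherwise the
            # trip only fires if at least k healthy sensors are left to vote high.
            if k_trip == 0 or healthy < k_trip:
                result.append("".join(failed))
    return result


# (case, sensors, k) for the configurations of Table 10.1
TABLE_10_1_CASES = [
    (0, 1, 0),
    (1, 1, 1),
    (2, 2, 2),
    (3, 2, 1),
    (4, 3, 2),
    (5, 4, 2),
]


def table_10_1():
    """Rebuild Table 10.1 as {case: (trip logic, defeating sets)}."""
    table = {}
    for case, n, k in TABLE_10_1_CASES:
        logic = "no trip" if k == 0 else f"{k}-out-of-{n}"
        table[case] = (logic, defeating_failure_sets(n, k))
    return table


def overfill_frequency_per_year(rates_per_hour):
    """The report adds the per-hour rates of the contributing sensor failure
    modes and scales by 8760 h/py; returns the overfill frequency in /py."""
    return sum(rates_per_hour) * HOURS_PER_YEAR


def fraction_of_base_case(freq_per_year, base=SEQ1_BASE_FREQ):
    """Last column of Table 10.2: frequency relative to the 2-out-of-3 base case."""
    return freq_per_year / base


if __name__ == "__main__":
    for case, (logic, sets) in table_10_1().items():
        print(f"Case {case}: {logic:10s} {', '.join(sets)}")
    f = overfill_frequency_per_year([INEL_REDUCED_CAPACITY_RATE, INEL_INOPERABLE_RATE])
    print(f"2-out-of-4 overfill frequency: {f:.1e}/py, "
          f"{fraction_of_base_case(f):.2f} of base case")
```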

TABLE 10.2. INEL Estimate of Feedwater Overfill Frequencies For Different Level Transmitter Configurations

                                                 Estimated Frequency of Overfill (1/py)   Fraction of
Case   Trip Logic and Defeat High Trip           Median        Upper                      Base Case
0      no trip                                   1.0E-01       2.7E-01                    15.4
1      1-out-of-1                                9.0E-03       5.4E-02                    1.4
2      1-out-of-1, separate feed and trip        4.2E-03       1.0E-02                    0.6
       transmitters
3      1-out-of-2                                -             -                          -
4      2-out-of-3                                6.5E-03       3.0E-02                    1.0
5      2-out-of-4                                3.4E-03       -                          0.5

The base case configuration for Browns Ferry is again a 2-out-of-3 trip with three level transmitters, and a 1-out-of-2-twice trip with four level switches. As can be seen above, the modification to a 2-out-of-4 configuration could be expected to possibly reduce the frequency of feedwater overfills by a factor of 2.

Note that a simpler 1-out-of-1 configuration with the controlling transmitter and high trip on separate transmitters actually is predicted to have less frequent overfills. However, spurious trips also introduce the potential for inadvertent feedwater fluctuations. Any spurious shutdown would require an estimated 24 hours to restore the plant to operation, with replacement power costs estimated at about $300,000/day. One spurious trip could then negate any perceived benefits of reduced frequency for overfills.

As can be seen, the lowest failure rate relative to the base case configuration is predicted to be Case 5 with four transmitters, using a 2-out-of-4 trip logic. This would require the addition of one level transmitter and changing the trip logic for the level switches. Note, however, that the current design is probably a compromise between providing the level of reliability deemed necessary and not generating false trip signals. Going to the 2-out-of-4 logic may make the trip more reliable, but the price may be more frequent false trips.

The new failure frequency is seen to be approximately 0.5 of the base case of 3.3E-03/py from Table 3.8. The reduction is then (0.5)(3.3E-03/py) = 1.65E-03/py. Ratioing this to the total frequency and core-melt predicted for Sequence 1 gives a predicted reduction in core-melt frequency of (1.65E-03/6.5E-03)(2.40E-06/py) = 6.1E-07/py.

The reduction in public risk predicted is then (1.65E-03/6.5E-03)(16.2 man-rem/py) = 4.1 man-rem/py, or 1.23E+02 man-rem per plant over 30 years.

The industry cost for adding one level transmitter on an existing 2 inch line is as follows:

- engineering support - 4 man-weeks at $2,270/man-week, or $9,080

- pipe fitters - 2 man-weeks at $2,270/man-week, or $4,540

- modifications to operating procedures - $0

- level transmitter - $10,000

- plumbing, supplies - $5,000

- modifications to logic circuits - $5,000

This totals $33,580. No license amendments are required for this modification. No annual costs are projected for this modification. Discussions between the NRC and GE concerning the addition of one level transmitter put costs at approximately $150,000 using existing penetrations through containment (electrical and pneumatic), as well as existing cable runs and cabinets.

Qualification of this equipment to safety grade would cost an additional $100,000. The cost of the addition of the transmitter in a plant requiring a new penetration was put at $1,000,000.

The predicted value/impact ratio can then range from on the order of 1.23E+02 man-rem/$33.58E+03 = 3.66 man-rem/$1000 for the minimal cost estimate, to 1.23E+02 man-rem/$150,000 = 0.82 man-rem/$1000 for the more likely realistic GE estimate, to 1.23E+02 man-rem/$1,000,000 = 0.123 man-rem/$1000 for the case where new penetrations would be needed. The 0.82 man-rem/$1000 estimate based on the GE figures will be used here as the most likely best estimate.

Limitations and Real-World Considerations

The indications are that real world considerations could easily overshadow theoretical calculations, particularly for level control instrumentation, where the ability to test often carries more weight than calculated reliability.

Uncertainties in the failure data base for sensors could include hydraulic shocks which occur at different rates in separate instrument lines, making some failure combinations of sensors more likely, or common mode failures of instruments due to faulty maintenance. The data currently available on component failure rates is not specific enough as to failure cause (i.e., shocks, faulty maintenance, etc.) and failure mode (i.e., inoperable low scale, drift low, etc.) to draw any firm conclusions or to rigorously support specific recommendations for a 2-out-of-4 configuration based on theoretical calculations for level transmitters.

As a result, the value/impact ratio of 0.8 man-rem/$1000 for the 2-out-of-4 configuration is likely to be driven down by both possible higher costs and reduced effectiveness of any modifications to the level transmitter configuration.

No Trip

The estimate by INEL is that the no-trip plant would be subject to the overfill transient at approximately 15 times the frequency of the reference plant here, other factors being equal. It must be pointed out that any comparison between different level control and high level trips and other modifications is highly conditional on a number of factors, including basic hardware and reliability as well as operator response to system failures and the plant dynamics following failures. This can include plant-specific differences in, and compensations for, a number of factors, including:

- type of level control (three element, one element)

- power supplies

- back-up or alternate level displays

- instrument line plumbing configuration

- controlling level display ,

- controlling level record

- annunciators and alarms

- operator training and procedures.

- maintenance, general age and state of equipment.

If the theoretical estimate by INEL is taken as an upper bound on the initiating frequency, however, the potential risk reduction in implementing a 2-out-of-4 configuration is then on the order of (15.4 - 0.5)(123 man-rem/plant) = 1833 man-rem. Going to a simpler 2-out-of-3 configuration would give (15.4 - 1)(123 man-rem) = 1771 man-rem. In either case, the costs would likely approach or exceed the maximum GE estimates given above, or approximately $1,000,000, due to the need to add instrument lines and penetrations. The value/impact ratio would then approach 1833 man-rem/$1,000,000 = 1.8 man-rem/$1000.

As such, the value/impact ratio given above is more favorable for requiring the additional level protection in the no-trip plants. However, the uncertainties are thought to be even larger than those associated with the reference plant actually analyzed in depth by INEL, with the uncertainties in cost and risk reduction both again driving the resulting value/impact ratio down. The two plants in question (Oyster Creek and Big Rock Point) have apparently made modifications to operating procedures to account for their specific designs. This is reflected in the operational history to date for Oyster Creek, which shows no record of increases in feedwater at power at Oyster Creek (EPRI NP-2230, January 1982, p. B-33). Given the lack of specific design studies for A-47 on these plants, any recommendations would have to give consideration to the uncertainties in any recommendations for design changes.

10.2 VALVE FAILURE CAUSING FEEDWATER INCREASE

Sequence 2 is again initiated by a condensate booster pump failure, as discussed in Chapter 6. The three initiators are as follows:

Initiator a: Any one of three motor operated feedwater pump discharge valves fails open.

Initiator b: The air operated startup feedwater bypass valve fails open.

Initiator c: The condenser bypass air operated valve fails closed.

The frequency of the overall sequence was again put at 8.2E-05/py, with an upper bound of 5.6E-03/py. It is assumed that this value is primarily based on a simple valve failure rate of 3E-07/hr, times 192 hours per year for startup and shutdown, giving 5.76E-05 failures/yr.

However, as discussed in Chapter 6, it is thought that the system as it is currently configured already has safeguards to prevent excessive condenser flow to the vessel via a simple valve failure. These are discussed briefly below.

Proposed Fixes for Initiator a

As discussed briefly in Chapter 6, the feedwater pump isolation valves are normally closed during startup. The failure then requires the normally closed valve to fail open, implying a false control signal (1E-07/hr), a short of the operator to power (1E-8/hr), or an internal valve rupture that leaves the valve body intact (less than 1E-8/hr). If this failure provides excessive flow to the vessel, the control signal to the bypass valve will throttle flow via that pathway. If excessive feedwater flow continues via the failed valve, the train must be isolated manually using the additional motor-operated valve downstream of the feedwater pump.

The system already has high-level alarms and motor operated valves in series that will allow the operator to isolate the failed valve. Additional safeguards put on the control circuit or on the valve operator may be possible. However, this may also result in a decrease in the reliability of the valve to open on demand, thus impacting feedwater reliability. The most likely modification is to simply change the valve logic for the valve downstream of the feedwater pump to provide isolation when not in use.

For initiator b, it was pointed out that the startup bypass valve already has a lock-up feature incorporated into the air supply system such that loss of air pressure will lock the valve in its existing position at the time of failure. The failure would thus require both loss of air pressure and failure of the lock-up feature. Modifications to the control circuit to prevent false full open signals may also make the control of the valve less reliable.

For initiator c, it was pointed out that any failure of the condenser bypass valve would still result in flow to the vessel being regulated through the startup bypass valve, which can still be controlled to regulate vessel level. Multiple failures would again be required.

The core-melt frequency is put at 2.05E-09/yr, with a public risk of 0.01 man-rem /yr or 0.3 man-rem over 30 years. The contribution due to transients is very small, based on the ratio of its LOCA initiating frequency to the total of (2.4E-06/yr)/(1.67E-03/yr) which is approximately 0.1% or 7.9E-04 man-rem /yr.

The cost of any proposed modifications would have to be limited to several thousand dollars at most to represent cost-effective measures, which equates to approximately one man-week of effort. Any change in the control circuitry for valve operators is likely to require a more substantial cost, plus the potential for reduced reliability of feedwater delivery during operation.

At a minimum, the costs would be put at the following for changing the isolation logic of the motor operated valve downstream of the feedwater pump with no changes in the tech specs or safety studies or license amendments:

- 2 man-weeks of engineering support at $2270/ week, or $4540

- 1 man-week of craft services at $2270/week, or $2270

- $2000 in instrumentation and supplies.

This gives a cost of $8810, and a value/ impact ratio of 0.3 man-rem /$8810 = 0.03 man-rem /$1000.

10.3 INADVERTENT LPCI ACTUATION

Finally, the third sequence identified by INEL dealt with the inadvertent actuation of the LPCI. The initiators identified included:

a) common cause failure of two drywell high pressure switches

b) common cause failure of two reactor vessel low water level switches

c) shorts in the pressure or level logic circuits causing pump start

d) pump switch shorts to power.

The median probability of failure for this sequence was 3.6E-03/yr, with an upper bound of 7.7E-03/yr.

Note that the pump switch short to power is not considered sufficient to cause LPCI. The discharge valve for each loop of the LPCI system is normally closed, requiring a control circuit signal and a low vessel pressure to enable opening of the valves. The pump short to power would not generate the control signal, thus no water delivery to the vessel could occur.

Proposed Changes

For initiators a and b, the system, as it is already designed, has fully independent initiation circuits for the LPCI function. Again, these are the drywell pressure switches or a 1-out-of-2-twice signal from LIS 58 A through D in Figure 3.1.

In addition, the nuclear system pressure must be below 450 psig, where the LPCI discharge valves open allowing the pumps to actually inject water into the vessel.

Note that the system is currently designed in such a way that once an initiation signal is received by the LPCI control circuitry, the system will operate until manually reset. The operator is thus currently expected to observe and control the operation of the LPCI function.

The obvious design fixes are to reduce the spurious initiation signals, or add trips for the LPCI pumps or isolation circuits for the valves in the delivery piping. This would require a change in the design philosophy requiring operator action to terminate LPCI. However, this is not inconsistent with the use of high water level trips for the HPCI function.

The addition of an LPCI pump trip and valve isolation to the existing LIS-3-203 A through D high vessel water level trip for the HPCI and RCIC function would serve this purpose. This modification, then, would only involve a change in the control logic allowing a pump trip and valve isolation on indication of high water level while in the LPCI mode. Note, however, that it is uncertain if this design modification would detrimentally impact some long-term function of the LPCI that originally specified the operator shutoff feature. As a result, it is thought that further accident analysis would have to be funded to determine the advisability of this trip. This is reflected in the costs below.

The reduction in core-melt frequency would then be bounded by the 1.2E-07/yr estimate for this issue. The reduction in public risk is put at 0.81 man-rem/py, or 24.3 man-rem over 30 years. With a LOCA initiation frequency of 3.04E-05/yr compared to the total for all three sequences of 1.67E-03/yr, this sequence contributes approximately 2% to the transient risk of 1.34 man-rem/yr, which is small compared to the 24.3 man-rem/yr for this issue alone.

Development Costs

Because this modification changes the engineered safety system response to a design basis accident, this will also require accident analysis, modifications to the technical specifications, and a license amendment. The NRC may fund generic studies as well as requiring individual plant analysis. Note that for licensing amendments the NRC policy is now for full cost recovery; however, an estimate is made here based on the previous schedule in 10CFR172.

These costs are:

- $150,000 NRC generic issue evaluation (spread over 24 completed BWRs), or $6250 per plant

- 6 man-months of utility time, or $50,000

- $4000 license amendment.

This gives a total of $60,250.

Implementation Cost

Assuming that this fix is implemented during normal outages, it is estimated that the actual work will require approximately the following:

- 2 man-weeks of engineering support at $2270/week, or $4540

- 1 man-week of craft services at $2270/week, or $2270

- $2000 in instrumentation and supplies.

This comes to $8810. Once implemented, no recurring costs for the utility or the NRC are foreseen. The total is then $60,250 + $8810 = $69,060.

Value/Impact Ratio

The best estimate of the value/impact ratio is then 19.6 man-rem/$69,060 = 0.29 man-rem/$1000.

The public dose could be higher (the upper bound is a factor of 5); however, costs could also be underestimated, which tends to hold the above ratio near the value given here.

10.4 VALUE/IMPACT SUMMARY

The fixes proposed for the accident initiators identified by INEL are summarized in Table 10.3 below.


TABLE 10.3. Proposed Modifications to GE BWRs and Estimated Value/Impact

                                                              Reduction in       man-rem   Cost       Value/Impact
Modification                     Impact                       Core-Melt (1/py)   (30 yrs)  ($)        (man-rem/$1000)
Instrument Line Weld Integrity   Reduce weld failures         1.18E-08           2.4       113,000    0.02
New 316 SS Instrument Lines      Reduce pipe failures         8.89E-08           18.0      32,220     0.56
Add new LT, 2-out-of-4 trip      Reduce high trip failures    6.10E-07           123       150,000    0.82
Modify Isolation Logic for       Isolate flow from failed     2.05E-09           0.3       8,810      0.03
  Condenser Flow                   valve
Add LPCI Trip on High Vessel     Isolate flow from LPCI       1.20E-07           24.3      69,060     0.35
  Water Level                      pump short

As can be seen, the addition of another level transmitter (LT) in a 2-out-of-4 trip logic is thought to be the most cost-effective measure to counteract the control system failures identified by INEL for feedwater overfill. However, uncertainties in cost and any real world benefit of a 2-out-of-4 versus 2-out-of-3 level transmitter configuration are thought to force this ratio down.

Modifications to the instrument piping itself to reduce welding or piping ruptures and low-level indications are less effective, due to the lower initiation frequency assumed for such scenarios and the high cost of annual welding inspections.

The fixes to counter condenser and LPCI overfill are significantly less cost-effective, again primarily due to the engineered features already built into the plant to prevent false pump actuation signals or shorts. This is also reflected in the low initiation frequencies assumed for these failures.

Modifications to these systems may also have negative impacts on the reliability of feedwater delivery during normal operation or LPCI during LOCAs.

Note that the development of these accident initiators to core-melt is thought to reflect a conservative approach to estimating the impact of these failures on plant engineered safety systems. Cost estimates, likewise, tend to underestimate the true cost of nuclear plant modifications. These factors, when combined, tend to reduce the estimated value/impact ratios as given above. The best estimates as given above are thus thought to reflect the relative importance of each accident initiator and proposed fix, and its overall importance to plant safety.

11.0 CONCLUSIONS

This report presents the results of a probabilistic analysis of core-melt accidents that could potentially result from transient overfill scenarios in a BWR. This report uses the BWR/4 Browns Ferry class of General Electric BWR as a reference design. However, the dominant failure modes identified involve failures in the feedwater control system, which are considered to be applicable to all GE BWRs.

This report relied on the previous identification and examination by INEL of failure mechanisms causing overfill in BWRs. An extensive effort was made to verify, to the extent possible, previous calculations for the frequency of initiating events. However, resources did not permit a re-examination of possible additional failure mechanisms causing overfill.

The sequences examined included feedwater control failure, condensate pump failure, and LPCI failure causing initiation of overfill. The latter two sequences result in cooldown rates which exceed the technical specification limits. However, no credible potential for vessel failure due to thermal shock was identified given the low pressures involved. Condensation of the large steam void present in the BWR makes it physically unlikely to create the concurrent high pressure and thermal cooling necessary for thermal shock to lead to vessel damage. As a result, the potential for steam line break given overfill was considered to be the dominant source of risk.

The PNL examination agrees with the INEL conclusion that the feedwater control failure is likely the dominant failure mechanism due to a higher initiation frequency. The PNL examination of Sequence 1 arrived at an initiating frequency of 3.7E-03/py for feedwater overfill. This was approximately 1/2 that predicted by INEL, but is based on a more detailed examination of the failure modes required in the level transmitters and switches to produce the desired feedwater increase. This was also well within their error bounds. The other sequences were several orders of magnitude less likely and not examined in detail by PNL.

The human reliability analysis performed resulted in the estimated probability that the operator would interpret these signals correctly and terminate the sequence at slightly less than 0.5. Correct operator intervention during startup would likely be higher, but during operation the system would be on automatic control with operator attention not necessarily focused on the feedwater control. The inclusion of this factor in the analysis is justified given the presence of the operator and the extensive training received specifically for water level control.

Note that this human probability is dependent to some extent on the time available to the operator from the indication of level sensor failure or alarm to when overfill would occur. The INEL analysis of 125 percent feedwater overspeed at 68 percent rated power is estimated to result in overfill in approximately 1 minute. Note that the initial reactor response to the overfill is a power increase to 90 percent, giving a net 35 percent excess in the fill rate. However, it is uncertain if a 125 percent feedwater overspeed could occur at 100 percent rated power without causing an overpressure trip signal. The maximum overspeed possible without a trip likely decreases as the reactor nears 100 percent power, and the net water excess would be reduced as well, giving more time available before spillover.

The potential for steam line break and MSLB was then examined. A consideration of main turbine failure and plant shutdown before spill over was thought to reduce somewhat the potential for pipe break, but the final assumption put the steam line MSLB probability at 0.95 given initiation of the overfill accident and failure of the operator to isolate feedwater. The net frequency of steam line MSLB was then put at 2.87E-03/py due to overfill. Two other overfill scenarios increased this to a total frequency of (2.87E-03 + 2.40E-06 + 1.44E-04) = 3.01E-03/py.

The use of the Browns Ferry event trees for large, medium, and small steam line breaks is thought to give a conservative estimate of the potential for core-melt in this analysis, as it did in the Browns Ferry PRA. These event trees are developed for a steam line break upstream of the MSIVs, which is thought to represent a more severe accident to the plant than a downstream break. In the PRA, the break probability of upstream or downstream breaks was assumed to be equal, with the downstream breaks also requiring a double failure of the MSIVs to isolate the line. Thus, the upstream break was the more conservative of the two from a failure frequency consideration as well.

In this examination, consideration was given to possible reduced function of systems due to water hammer and entrained water in the flow. The MSIV and safety valves for the ADS system were thought to be particularly vulnerable. However, the indications to date are that the valves will function with the same reliability, although they may be subject to added chatter. The MSIV valves were thought to actually seat better under the hydraulic forces of particulate water in the flow. The same reasons then exist to model the upstream breaks for the overfill induced MSLB as well.

The performance of other safety systems, including the injection systems and the depressurization system, was also examined for the potential for degraded performance due to the overfill event. Any water in the steam lines for the HPCI system is thought to likely drain or flash to steam in the transition from overfill to MSLB before the system would be demanded.

EPRI data indicate that the ADS valves would likely chatter in two phase flow, but reliability would not be impacted. The SCRAM and RCIC functions would not be impacted. The net result was that the system reliabilities predicted in the Browns Ferry PRA were thought to be directly applicable to this examination.

Using the Browns Ferry event trees for steam line MSLB induced core-melt, the result was a predicted core-melt frequency of 1.49E-06. This compares to the steam line break induced core-melt frequency of 1.1E-06/py in the Browns Ferry PRA, which has a total core-melt frequency of 2.0E-04/py. This represents only approximately 1 percent of overall plant core-melt frequency. The risk associated with feedwater overfill was estimated, assuming the same release categories as used for steam line induced MSLBs in the Browns Ferry PRA.

The risk associated with core-melt was put at approximately 16 man-rem/py.

Finally, the transient initiators for inducing reactor shutdown were examined. An examination of the Browns Ferry PRA indicates that transients represent approximately 80 percent of the estimated overall plant core-melt frequency of 2E-04/py, and thus this contribution to core-melt could not be neglected.

[...] of transients where the power conversion system would not be available for the removal of decay heat. With a predicted frequency of 1.79E-03/py, this compared to the observed rate of such transients in Browns Ferry of 1.73/py, giving a ratio of 1.79E-03/1.73 or approximately 1E-03.

Control failures that tripped the feedwater turbine or main turbine were assumed to produce transients with the PCS available. [...] versus the observed frequency of 1.68/py in Browns Ferry, this represents approximately 1E-04 of the risk associated with this type of sequence.

An examination [...] is associated with sequences with loss of the PCS. Because the control failures were assumed to result most likely in this type of transient, the resulting predicted [...] for transients in the Browns Ferry PRA. The resulting core-melt frequency for control system induced transients was then 2.38E-07/py with approximately 1 man-rem/py public risk.

The contribution to core-melt and risk from transients was thus approximately an order of magnitude smaller than that predicted for overfill and steam line break.

Overall Core-Melt and Public Risk

The overall predicted core-melt frequency and public risk are given in Table 11.1. The total core-melt frequency was put at a best estimate of 2.76E-06/py.

The total public risk was then estimated to be 18.4 man-rem/py.

Value/Impact

Possible plant modifications to reduce the frequency of overfill can be [...]. Assuming a 30 year effective plant life, the total possible risk reduction is approximately 550 man-rem/reactor. Costs should then be limited to $550,000 per reactor for corrective features to prevent overfill. The costs of the modifications considered ranged from approximately $9,000 to $150,000, and the man-rem saved over 30 years ranged from 0.3 to 123. The resulting value/impact ratios then ranged from 0.02 to 0.82 man-rem/$1000. The most cost-effective modification appears to be the addition of one level transmitter, for 4 total, with 2-out-of-4 trip logic for feedwater on high vessel water level. Real world considerations indicate, however, that the factor of 2 improvement in reliability assumed for a 2-out-of-4 versus 2-out-of-3 configuration in preventing an overfill may be very optimistic. [...] does not take into account possible [...] via procedures, thus making any modifications questionable improvements at this time. Given the high operator [...] and the fact that these are systems normally considered to be under operator control, improved operator training and procedures are likely to be a more fruitful area for correcting perceived control system deficiencies.

TABLE 11.1. Frequency and Public Risk for the Control Failure Induced Core-Melt Conclusions, GE BWR

                                        INEL Initiating          PNL Core-Melt       Public Risk
                                        Frequency (/py)          Frequency (/py)     Best Estimate
Accident Sequence / Initiator           median      upper        Best Estimate       (man-rem/py)
Reactor Vessel Overfill Sequence 1      6.5E-03     3.0E-02      2.4E-06             16.2
Reactor Vessel Overfill Sequence 2      8.2E-05     5.6E-03      2.05E-09            .01
Reactor Vessel Overfill Sequence 3      3.6E-03     7.7E-03      1.20E-07            0.81
Overfill Initiated Transient Shutdown,
  Without PCS / With PCS Available      (values as extracted, column order uncertain: 3.40E-04, 2.72E-01, 1.57E-03, 1.76E-07, 7.49E-10, [garbled], 3.16E-02; transient subtotal 2.30E-07, 1.11E+00, 1.31E+00)
TOTAL                                                            2.76E-06            18.4


REFERENCES

Browns Ferry Probabilistic Risk Assessment. Interim Reliability Evaluation Program. NUREG/CR-2802, July 1982.

Bruske, S. J., et al. Failure Effects on Transients and Accidents at a General Electric Boiling Water Reactor. NUREG/CR-4262, FIN No. A6477, Idaho National Engineering Laboratory, May 1985.

Bush, S. H., et al. A Review of Past Experiences and Common Cause Failure Rates for Instrumentation and Control Assemblies. NUREG/CR-3289, May 1983.

Evaluation of Water Hammer Events in Light Water Reactor Plants. NUREG/CR-2781, May 1982.

Evaluation of Water Hammer Occurrences in Nuclear Power Plants. NUREG/CR-0927, March 1984.

Heaberlin, S. W., et al. A Handbook for Value-Impact Assessment. NUREG/CR-3568, Pacific Northwest Laboratory, 1983.

Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants. WASH-1400, NUREG-75/014, October 1975.

Regulatory Analysis for USI A-1, Water Hammer. NUREG-0993, December 1983.

Electric Power Research Institute. Water Hammer in BWRs. EPRI NP-2590-LD, September 1982.

Electric Power Research Institute. ATWS: A Reappraisal. Part 3, Frequency of Anticipated Transients. EPRI NP-2230, January 1982.

NUREG/CR
PNL-5543

EFFECTS OF CONTROL SYSTEM FAILURES ON TRANSIENTS, ACCIDENTS AND CORE-MELT FREQUENCIES AT A WESTINGHOUSE PRESSURIZED WATER REACTOR

W. E. Bickford
A. S. Tabatabai

September 1985

Pacific Northwest Laboratory
Richland, Washington

SUMMARY

This report presents an estimate of core-melt frequency and public risk associated with control system failures in a Westinghouse Design Pressurized Water Reactor (PWR). The specific failure mechanisms and initiating frequencies used are those identified by the Idaho National Engineering Laboratory (INEL) report for the H. B. Robinson plant (Bruske, S. J., et al., NUREG/CR 4326, July 1985). The plant used to analyze potential core-melt initiators was the Surry plant, also a three-loop Westinghouse PWR. This plant is of similar power rating and was the reference PWR in the WASH-1400 probabilistic risk assessment.

However, many scenarios of interest are not found directly in this PRA, and other event trees have thus been developed where necessary.

The INEL control system failures fall into four main scenarios: 1) Overfill, 2) Overcool, 3) Overpressure, and 4) Steam Generator Tube Rupture (SGTR). For each of these, two failure sequences were postulated.

Note that the impact of external events may potentially be of interest to this program. The concern is that the conditional probability of control system failures given an external (e.g., seismic) event may be higher in non-safety grade equipment than in safety grade equipment. Control failures could then possibly aggravate systems and operator response to the event. However, the role of external events on control system failure modes or rates was not investigated by INEL in their definition of failure scenarios. Since PNL's analysis is based on the scenarios defined by INEL, external events are likewise excluded in the PNL analysis of the safety significance of the scenarios identified by INEL.

For the first three scenarios, no failure is postulated by INEL that initially impacts the success of the core cooling function. In fact, the overfill and overcool scenarios are just the opposite, with excessive cooling being the initial problem. The scenario was postulated such that cooling rates then exceed standard technical specifications for the plant. The overpressure scenario likewise creates conditions that exceed technical specifications.

In terms of public risk, the common connection in all of these scenarios was assumed by PNL to be the potential for a transition to an undercooling event that could impact core integrity. The only mechanisms identified in this respect are the potential for inducing a main steam line break (MSLB) or a steam generator tube rupture (SGTR) that would in turn impact the core cooling function. The SGTR scenarios already represent a primary side loss-of-coolant accident (LOCA). In this case, INEL has postulated additional control system failures to further aggravate the rupture event.

The above events progressing to main steam line break can also represent cooldown transients requiring plant shutdown. Steam line breaks or ruptures on the secondary side of a PWR were considered as cooldown transients in the WASH-1400 report; however, it was determined that this was not a credible pathway to core-melt. It was recognized that fuel damage could occur with release of fission gases in the fuel/cladding gap, but no credible fuel melting scenarios were identified.

However, main steam line breaks were developed in the Oak Ridge and INPO studies (ORNL/NSIC-182, June 1982, and NUREG/CR-2497, September 1982, respectively) of precursors that could have progressed to severe core damage. To be conservative in this analysis, the main steam line breaks were then modeled as developed in the ORNL study and as updated by INPO. In addition, the potential for inducing SGTR given MSLB was also developed for each sequence when appropriate. The SGTR represents a LOCA which can then progress to core-melt.

More recent considerations of SGTR events, however, have significantly increased the potential for core-melt if the primary coolant system cannot be successfully depressurized before exhaustion of injection water supplies. This type of accident then differs from SBLOCAs, where water would usually be available from building sumps for recirculation. Further, the potential for progression to core-melt given a SGTR is several orders of magnitude more likely for scenarios where the MSIVs cannot be used to isolate the affected steam generator. This would be true for pipe breaks or valve lifts above the MSIVs.

Given the uncertainty at this time in the potential for MSLB and where it may occur, PNL conservatively used a high probability of MSLB above the MSIVs, making isolation of the affected steam generator impossible and successful RCS depressurization unlikely. The same scenario was used for inadvertent PORV lifts and failure to isolate with block valves. Failure of recirculation water supplies would also result in the failure of containment sprays; thus PNL assumed that such scenarios would be associated with a severe WASH-1400 release category 2. The net result was to predict a dominant contribution to overall core-melt and risk from progression of overfill or overcool control system failures to SGTR.

However, if the A-47 program generates more realistic evaluations on steam line dynamics and the potential for failure as a function of location (i.e., above or below the MSIVs), the contribution to core-melt and risk from assuming progression of the control system failure to SGTR could easily be reduced by several orders of magnitude.

The potential for pressurized thermal shock (PTS) and vessel rupture was also examined to the extent possible at this time. Results from the PTS program for severe cooldowns due to steam line break or valve lift and HPI pressurization of the vessel are thought to bound the types of failures predicted in the A-47 program that may produce PTS-type events. Preliminary calculations by ORNL for such scenarios give conditional probabilities of vessel failure on the order of 1E-04, using 270°F as a conservative reference temperature for nil ductility transition. Given a vessel failure probability of 1E-04, the overall frequencies of some control failures progressing to PTS, vessel failure, and core-melt will be on the order of 20% of the core-melt frequency for progression to MSLB, SGTR, and core-melt. The PTS contribution would thus become of interest, but would not change the overall estimate of core-melt and public risk, and value/impact conclusions, significantly.

Overpressure scenarios likewise gave a low core-melt frequency due to PTS induced vessel failure.

If the actual transition temperature for H.B. Robinson of 130°F is used, the conditional probability of vessel failure for the representative PTS overcool scenario drops by several orders of magnitude. The contribution from PTS and vessel failure to core-melt then becomes insignificant for A-47 events.

The PTS program concludes that plants with such low transition temperatures present an acceptably low risk with respect to PTS induced vessel ruptures.

The latter estimate is thought to be the best measure of risk due to PTS induced failures in the A-47 program. It is appropriate for conservative calculations to be used within the PTS program for evaluation and resolution of the PTS issue. However, these conservatisms should not be transferred back into related issues if undue weighting or influence of specific safety concerns is to be avoided in a calculation of relative risk. This best estimate then indicates that PTS plays a minimal role in core-melt and risk for the A-47 analysis of the Westinghouse H.B. Robinson PWR at this time.

The results are summarized in Table S.1. As can be seen, all estimated core-melt frequencies are quite low. Again, no distinction was made here between core damage and core-melt. This is considered conservative for steam line break scenarios, with the frequency of core damage scenarios more likely having to be reduced by an order of magnitude to represent core-melt.

The MSLB contribution for overfill and overcool scenarios shown is based on the INEL initiating frequency, times a probability of operator failure to terminate the event if possible, times the estimated probability of a MSLB, times the estimated probability of core damage given MSLB. The operator error term was put at 0.1 in most cases here, given the condition of the plant and positive instrumentation readings available. The probability of MSLB for the dominant event tree pathways was then put at 0.5, down from the 1.0 used in the BWR analysis due to the lower temperature and pressure levels involved for overfill or overcool. The net effect was to reduce the INEL initiating frequency by a factor of approximately 0.05 to MSLB. For sequences involving steam side PORV lift and sticking, which creates a MSLB directly, the probability of operator failure to close a block valve or block valve failure was put at 0.055, based on consideration of PORV/block valve reliability in Safety Issue 70.

Finally, the probability of core damage given MSLB was then put at 1.1E-05, based on event trees from the ORNL/INPO studies. These considerations effectively reduced the estimated frequency of inducing core damage to the E-08/py range shown below. The accepted conversion to core-melt further reduces this probability by over an order of magnitude. However, this was conservatively equated to core-melt for simplicity, assigning the frequency to PWR release categories 3, 5, and 7 with the probability of 0.5, 0.0073, and 0.5, respectively. This is representative of transient-initiated core-melt sequences with ultimate failure of the long term core cooling function. The predicted public dose was then less than 1 man-rem/py for all MSLB sequences.

For overfill/overcool scenarios postulated by PNL to progress to SGTR, the probability of inducing a SGTR given a MSLB was put at 0.034, based on considerations of such events for the NRC Steam Generator Tube Integrity Program. The conditional probability of progression to core-melt, given the SGTR, was then calculated at 2.44E-02, dominated by the assumptions outlined above for isolation of the affected steam generator.

For those sequences involving a PORV or feedwater under operator control, the uncertainty in correct operator action has been discussed in the analysis. Only the overfill sequence number 2 gives an unambiguous indication to the operator of changing steam generator levels. Thus the role of the operator in diagnosing and terminating the scenarios introduces some uncertainties. The analyses tried to treat these in a conservative fashion.

TABLE S.1. Summary of the INEL and PNL Estimates of Accident Initiator Frequencies, Core-Melt Frequencies and Public Risk

Columns: Initiator; PNL Core-Melt Frequency, best estimate (/py); Public Risk, best estimate (man-rem/py). The INEL Accident Initiating Frequency (median, /py) is given with each sequence heading.

Steam Generator Overfill Sequence Number 1 (INEL initiating frequency 1.4E-03)
    Transient Shutdown    2.8E-09    1.5E-02
    MSLB                  7.7E-10    2.1E-03
    SGTR                  5.8E-08    2.8E-01
    Subtotal              6.2E-08    3.0E-01

Steam Generator Overfill Sequence Number 2 (INEL initiating frequency 5.4E-08)
    Transient Shutdown    <1E-10     <1E-04
    MSLB                  <1E-10     <1E-04
    SGTR                  <1E-10     <1E-04
    Subtotal              <1E-10     <1E-04

Reactor Coolant System Overcool Sequence Number 1 (INEL initiating frequency 2.6E-07)
    MSLB                  <1E-10     <1E-04
    SGTR                  <1E-10     <1E-04
    Subtotal              <1E-10     <1E-04

Reactor Coolant System Overcool Sequence Number 2 (INEL initiating frequency 1.8E-02)
    MSLB                  1.1E-08    2.9E-02
    SGTR                  8.7E-07    3.9E+0
    Subtotal              8.3E-07    3.9E+0

Reactor Coolant System Overpressure Sequence Number 1 (INEL initiating frequency 1.5E-07)
                          <1E-10     <1E-04

Reactor Coolant System Overpressure Sequence Number 2 (INEL initiating frequency 3.7E-04)
                          <1E-10     <1E-04

Steam Generator Tube Rupture Sequence Number 1 (INEL initiating frequency 2.0E-03; 7.0E-06 with SGTR)
                          1.3E-08    6.9E-02

Steam Generator Tube Rupture Sequence Number 2 (INEL initiating frequency 3.2E-03; 1.1E-05 with SGTR)
                          <1E-10     <1E-04

Total                     9.1E-07    4.3E+0

Note that the role of the operator will also impact any potential fixes on the system. This will likely introduce operator training or control room human factors engineering.

The overfill scenarios were assumed to lead to steam line break to provide any sort of core-melt sequence initiator. The basic uncertainty in the potential for inducing a steam line break still exists in the PWR analysis as in the BWR analysis. Note, however, that the overfill analyses in this case did not actually progress to spillover of water into the steam lines. Power levels were also low or at startup for the PWR. The potential for water hammer and steam line break were adjusted accordingly compared to the BWR analysis, giving again what is thought to be a conservative assumption for steam line break.

Finally, INEL did postulate two SGTR scenarios. However, no control system failures were identified as initiator of the tube rupture event. These sequences assumed control system failures independent of the tube ruptures as aggravation to the LOCA. These sequences are seen to provide an insignificant contribution to the potential for core damage. This is primarily due to the already extremely low frequency calculated by INEL for the initiating events of interest. Both SGTR scenarios are accompanied by independent control system failures used to increase the severity of the transient, resulting in the low probability. Note, however, that the necessary system response is still that required to prevent core damage for a simple steam generator tube rupture.

The total predicted core-melt frequency is then on the order of 9.1E-07/py for all sequences considered, with a public dose of 4.3 man-rem/py. This is considered to be a nondominant contribution to the overall core-melt frequency of a PWR. For the WASH-1400 Surry Westinghouse PWR, the overall core-melt frequency was put at approximately 6E-05/py, with the contribution from small break LOCAs contributing approximately 2.9E-05/py. Because the LOCAs play a dominant role in the PWR risk, it is assumed that the risk calculated here will also represent only several percent of total overall plant risk.

Note that several sequences resulted in calculated core-melt frequencies significantly below a level where any meaning could be attached to them. These are simply reported in the summary tables as less than 1E-10/py.

Value/Impact

To analyze the value/impact associated with this issue, it was necessary to postulate a number of possible design changes to alleviate the control system failures identified by INEL. For steam generator overfill, the failures are similar in nature to those postulated by INEL for initiating overfill in a BWR (i.e., instrument line leakage, level transmitter failure). Those portions of the value/impact analysis then refer to the previous PNL examination of overfill in a GE BWR.

In addition, as with the BWR, it is expected that there is significant interaction of the operator with control systems. The operator's role was conservatively estimated in the core-melt calculations presented above.

However, no improvement in performance was postulated as a remedy to failures identified by INEL. With control of vessel water levels being the focus of training and procedures upgrades since the TMI accident, a significant reduction in operator error for main or auxiliary feedwater failures, PORV lifts, etc. could reasonably be expected to reduce the progression of simple control failures to more serious accidents.

Before requiring major equipment modifications, it is thus thought that the analysis of A-47 should recognize this important role of the operator, and make appropriate recommendations. This could include a more detailed examination of the time available to the operator, signals and indications available, and current procedures. Recommendations could also be made concerning other specific task action items set up specifically to deal with operator actions during transients. These are better geared to deal with the potential for reducing operator error in general, and would ensure a consistent approach to operator interactions.

The fixes postulated then were directed at reducing the rate of control equipment failures as identified by INEL. These are shown in Table S.2, along with the estimate for reduction in core-melt frequency, public risk reduction, cost, and resulting value/impact.

Note that the addition of another level transmitter (LT) in a 2-out-of-4 trip logic, which was thought to be the most cost-effective measure to counteract the control system failures identified by INEL for feedwater overfill in the BWR, has a slightly less favorable value/ impact for the PWR. This is because the sequence of interest stabilized in the PWR, allowing more time for operator action with the failure probability reduced to 0.1, and the reduced potential for steam side problems progressing to core damage in the PWR versus the BWR.

In the PWR, the overfill sequence driven by AFW overfill could be terminated by the simple addition of a high-level AFW trip. The steam side break caused by PORV lift could likewise be eliminated through the use of block valves. Note that both of these fixes are already under operator control.

Fixes to reduce the frequency of such events could focus on operator training and procedures, or on providing automatic actuation of shutoffs or block valves as assumed here. A more detailed examination of current procedures and time / signals available to the operator would be required to determine which modification is more appropriate.

The value/impact ratios calculated for the above fixes exceed the 1 man-rem/$1000 figure of merit, and thus appear beneficial at this time. As noted above, however, further information on the potential for MSLB and non-isolatable SGTR could easily reduce the estimated core-melt and public risk by several orders of magnitude. The value/impact ratios must be considered in light of this uncertainty.

Note that in the absence of a more rigorous analysis, the upper bounds on the core-melt frequency and public risk for all of the above scenarios are approximately a factor of 10 greater than the median estimates. The costs likewise represent a 'best engineering estimate.' Thus a certain amount of latitude is needed in interpreting the value/impact ratio. However, the development of these accident initiators to core-melt is thought to reflect a conservative approach to estimating the impact of these failures on plant engineered safety systems. Cost estimates likewise tend to underestimate the true cost of nuclear plant modifications. These factors, when combined, tend to further reduce the estimated value/impact ratios as given above.

TABLE S.2. Summary of the Value-Impact Analysis of the Proposed Fixes

Columns: Proposed Fix (Scenarios Affected); Estimated Cost ($); Estimated Risk Reduction (man-rem); V/I Ratio (man-rem/$1000)

Better Weld Integrity (SG Overfill Sequences 1 & 2): $1.13E+05; 1.0E-03; <1E-04
Hardened Instrumentation Lines (SG Overfill Sequences 1 & 2): $3.22E+04; 7.8E-03; 2.4E-04
Automatic Shutoff of the Auxiliary Feedwater (SG Overfill Sequence 1): $2.69E+04; 9.0E+0; 0.3
New Level Transmitter with 2-out-of-4 Trip Logic (SG Overfill Sequence 2): $1.50E+05; 7.8E-04; <1E-4
Automatic Actuation of Isolation Block Valves (RCS Overcool Sequence 1 & 2): $1.23E+05; 20.5; 0.17
Modifications to Valve Controller Logic (RCS Overcool Sequence 1 & 2): $1.23E+05; 20.8; 0.17
Independent Power Source to the Letdown Valve and PORVs (RCS Overpressure Sequence 1): $6.40E+04; negligible; negligible
Modifications of LTOP Mode Switch (RCS Overpressure Sequence 1): $1.00E+04; negligible; negligible
Modifications to the PORV Control Logic (RCS Overpressure Sequence 1): $3.20E+04; negligible; negligible
Logic Circuit Modification (RCS Overpressure Sequence 2): $8.00E+04; negligible; negligible

Negligible is indicated for scenarios with core-melt frequencies less than 1E-10/py and resulting value/impact ratios less than 1E-04.

Possible plant modifications to reduce the frequency of overfill can be bounded by comparison to the proposed Safety Goal benefit/cost guideline of $1000/man-rem averted. Assuming a 30-year effective plant life, the total possible risk reduction is (24.1)(30) or approximately 723 man-rem/reactor. If the costs of potential corrective features are compared to the benefits on the basis of $1000/man-rem averted, then an upper bound of approximately $723,000 can be placed on the costs of corrective features. Note again, however, that highly conservative assumptions were made concerning the probability of MSLB and subsequent SGTR given overfill. Further, assuming that breaks could occur above the MSIVs, making isolation of affected steam generators impossible, the resulting probability of core-melt was high. More detailed information on the potential for MSLB and possible break locations could thus reduce the estimated contribution to core-melt and public risk by several orders of magnitude.
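The arithmetic behind the MSLB and SGTR entries of Table S.1 and the value/impact figures of Table S.2, as an added worked example that is not part of the report: it multiplies out the Steam Generator Overfill Sequence 1 chain described above (initiating frequency times operator failure times MSLB times core damage, and the parallel SGTR branch), applies the report's "<1E-10" reporting floor, and computes the value/impact ratio and the $1000/man-rem cost bound. The constants are the figures quoted in the summary; the sweep over lower MSLB probabilities is a constructed illustration of the reduction the text anticipates, not a result from the report.

```python
from dataclasses import dataclass

# Inputs for Steam Generator Overfill Sequence 1, as quoted in the summary
# and Table S.1 of the report (frequencies per reactor-year, "/py").
INEL_INITIATING_FREQ = 1.4e-3       # INEL median initiating frequency (/py)
P_OPERATOR_FAILS = 0.1              # operator fails to terminate the event
P_MSLB = 0.5                        # MSLB given the event (1.0 was used for the BWR)
P_CORE_DAMAGE_GIVEN_MSLB = 1.1e-5   # from the ORNL/INPO event trees
P_SGTR_GIVEN_MSLB = 0.034           # NRC Steam Generator Tube Integrity Program
P_CORE_MELT_GIVEN_SGTR = 2.44e-2    # dominated by the non-isolatable SGTR assumption

REPORTING_FLOOR_FREQ = 1e-10        # frequencies below this are reported as "<1E-10"
REPORTING_FLOOR_RISK = 1e-4         # man-rem/py below this are reported as "<1E-04"
UPPER_BOUND_FACTOR = 10.0           # upper bounds are roughly 10x the median estimates


@dataclass(frozen=True)
class SequenceEstimate:
    """Frequencies (/py) of the two core-damage pathways for one sequence."""
    mslb_core_damage: float
    sgtr_core_melt: float

    @property
    def total(self) -> float:
        return self.mslb_core_damage + self.sgtr_core_melt


def overfill_sequence(initiating_freq: float,
                      p_operator_fails: float = P_OPERATOR_FAILS,
                      p_mslb: float = P_MSLB) -> SequenceEstimate:
    """Multiply out the chain the summary describes.

    MSLB branch: initiator x P(operator fails) x P(MSLB) x P(core damage | MSLB)
    SGTR branch: initiator x P(operator fails) x P(MSLB) x P(SGTR | MSLB)
                 x P(core-melt | SGTR)
    """
    unterminated_mslb = initiating_freq * p_operator_fails * p_mslb
    return SequenceEstimate(
        mslb_core_damage=unterminated_mslb * P_CORE_DAMAGE_GIVEN_MSLB,
        sgtr_core_melt=unterminated_mslb * P_SGTR_GIVEN_MSLB * P_CORE_MELT_GIVEN_SGTR,
    )


def report_value(value: float, floor: float) -> str:
    """Reproduce the report's convention: values below the floor at which
    any meaning can be attached are printed as '<floor', not as a number."""
    if value < floor:
        return f"<{floor:.0E}"
    return f"{value:.1E}"


def lifetime_risk_reduction(annual_risk_man_rem: float,
                            plant_life_years: float = 30) -> float:
    """Risk averted over the plant life if a fix removes the sequence entirely."""
    return annual_risk_man_rem * plant_life_years


def value_impact_ratio(cost_dollars: float, risk_reduction_man_rem: float) -> float:
    """Table S.2 figure of merit: man-rem averted per $1000 spent."""
    return risk_reduction_man_rem / (cost_dollars / 1000.0)


def cost_bound(annual_risk_man_rem: float, plant_life_years: float = 30,
               dollars_per_man_rem_averted: float = 1000.0) -> float:
    """Upper bound on justifiable cost under the proposed Safety Goal guideline."""
    return (lifetime_risk_reduction(annual_risk_man_rem, plant_life_years)
            * dollars_per_man_rem_averted)


def sensitivity(initiating_freq: float,
                p_mslb_values=(0.5, 0.05, 0.005)) -> dict:
    """Constructed sweep: how the dominant SGTR pathway scales if the A-47
    program lowers the assumed MSLB probability (the chain is linear in it)."""
    return {p: overfill_sequence(initiating_freq, p_mslb=p).sgtr_core_melt
            for p in p_mslb_values}


if __name__ == "__main__":
    seq1 = overfill_sequence(INEL_INITIATING_FREQ)
    print("SG Overfill Seq 1, MSLB core damage (/py):",
          report_value(seq1.mslb_core_damage, REPORTING_FLOOR_FREQ))
    print("SG Overfill Seq 1, SGTR core melt (/py):  ",
          report_value(seq1.sgtr_core_melt, REPORTING_FLOOR_FREQ))
    print("Upper bound on the total (x10):",
          report_value(seq1.total * UPPER_BOUND_FACTOR, REPORTING_FLOOR_FREQ))
    seq1_risk = 0.30   # man-rem/py, Table S.1 subtotal for this sequence
    print("Automatic AFW shutoff V/I (man-rem/$1000):",
          round(value_impact_ratio(2.69e4, lifetime_risk_reduction(seq1_risk)), 2))
    print("Cost bound at $1000/man-rem for 24.1 man-rem/py:", cost_bound(24.1))
    for p, f in sensitivity(INEL_INITIATING_FREQ).items():
        print(f"  P(MSLB)={p}: SGTR core-melt {report_value(f, REPORTING_FLOOR_FREQ)}")
```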

Areas of Likely Conservatism

Again, a 'best engineering estimate' of failure probabilities was used whenever possible in the analysis of core-melt and risk for the control failures identified. Some uncertainty does exist, however, in several factors, with the analysis carried through using what is thought to be a high failure probability. This in turn would weight the estimated core-melt frequency and public risk to higher values. These include:

a) Operator Error - The probability assumed for failure of the operator to diagnose and terminate the scenarios ranged from 0.5 for scenarios with misleading or conflicting information or rapid progression (i.e., overfill in several minutes) to 0.1 for scenarios with non-conflicting information and alarms. Operator response may be better than this, particularly in plants with simulator programs stressing proper diagnosis of failures.

b) Steam Line Break - Main steam line breaks (MSLBs) in PWRs were not assumed to be associated with core-melt in the WASH-1400 study. More recent studies have equated MSLB with core damage, this thought to be equal to or less severe than a core-melt in terms of radionuclide release by up to a factor of 30. This study equated the consequences of MSLB with core-melt.

The probability of main steam line break given spillover into the steam lines at power was assumed to be 1.0, decreasing to 0.5 for spillover after shutdown. Although several spillover events have occurred to date in US commercial plants resulting in support damage, no steam line failures have occurred. Break location was further assumed to occur with a 50% probability above the MSIVs, making isolation impossible. The MSLB was further assumed to have a significant probability of inducing a steam generator tube rupture (SGTR), with the combination of SGTR and unisolatable MSLB leading with high probability to core-melt in a PWR.

This high probability of failure to recover is due primarily to depletion of the reactor water storage tank (RWST) water supply before depressurization of the reactor can be achieved. This gives no credit to other operator-initiated means of maintaining a water supply.

Further information on the probability of break for various overfill scenarios and the break location could significantly reduce the risk associated with these scenarios, as would a more realistic analysis of operator-initiated actions to restore water supplies and avoid core-melt.

c) Transient Shutdown - The initiating event would cause a transient induced plant shutdown, with loss of the power conversion system (PCS) representing a serious precursor to core-melt in PWRs. A high probability of loss of the PCS given spillover was assumed here, but contributed insignificantly to risk in this analysis due to the low initiating frequency.

d) Release Categories - The WASH-1400 release categories most representative of the core-melt scenarios in this analysis were used to estimate risk, with the risk per event as per the Value-Impact Handbook (NUREG/CR-3568). Ongoing evaluations of the source terms for various core-melt scenarios indicate that the WASH-1400 release categories may overestimate risk by up to several orders of magnitude. This will then result in a lower risk being attributed to each scenario.

e) Costs - Estimates of the costs associated with modifications in nuclear plants typically underestimate the final costs, even when accompanied by an extensive engineering-cost study. Higher than expected costs would further lower the value/impact ratios estimated here for proposed modifications.

This calculation is provided only for perspective. The Nuclear Regulatory Commission has established the safety goals for evaluation during a two-year period, but not for regulatory use during that period. Furthermore, the proposed benefit-cost guideline, even if adopted, would not be the sole or even the principal basis for decisions on safety improvements; rather, it would be one consideration in such decisions. This presents only the preliminary analysis of the costs and benefits associated with possible design features to correct control system failures. It is suggested that a more detailed analysis into the possible negative impacts on control system performance would be required before any such modifications as postulated here could be implemented in existing nuclear plants.

CONTENTS un

. . . . . . iii

SUMMARY

1.0 INTRODUCTION

. . . . . . . . . . . . . . 1.1 2.0 STEAM GENERATOR OVERFILL SEQUENCE NUEER 1 . . . . . . 2.1 2.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR OVERFILL SEQUENCE 1 . . . . . . . . . . . . . 2.1 2.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR OVERFILL SEQUENCE 1 . . . . . . . . . . . . . 2.2 2.3 FREQUENCY OF CORE-DAMAGE DUE TO OVERFILL SEQUENCE 1 WITH STEAM LINE BREAK . . . . . . . . . . 2.9 2.4 PUBLIC RISK DUE TO OVERFILL SEQUENCE WITH STEAM LINE BREAK . . . . . . . . . . . . . 2.9 2.5 CORE-MELT DUE TO OVERFILL INDU D SGTR . . . . . . 2.10 2.6 TRANSIENT SHUTDOWN INDUGD BY OVERFILL SEQUENCE 1 . . . 2.15 2.7 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR OVERFILL SEQUENCE 1 . . ,. . . . . . . . . . . 2.16 3.0 STEAM GENERATOR OVERFILL SEQUENCE NUEER 2 . . . . . . 3.1 3.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR OVERFILL SEQUENCE 2 . . . . . . . . . . . 3.1 3.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR OVERFILL SEQUENCE 2 . . . . . . . . . . . 3.2

' ~

3.3 FREQUENCY OF CORE-DAMAGE DUE TO OVERFILL SEQUENCE 2 WITH

, STEAM LINE BREAK. . . . . . . . . . . . 3.4 3.4 PUBLIC RISK DUE TO OVERFILL SEQUENCE 2 WITH STEAM LINE BREAK . . . . . . . . . . . . . 3.4 3.5 CORE-ELT DUE TO OVERFILL INDUCED SGTR FOR OVERFILL SEQUENCE 2 . . . . . . . . .

. . . . 3.5 3.6 TRANSIENT SHUTDOWN INDUCED BY OVERFILL SEQUENCE 2 . . . 3.5 3.7 TOTAL CORE-FELT. FREQUENCY AND PUBLIC DOSE FOR OVERFILL SEQUENCE 2 .'. . . . . . . . . . . . 3.6 4.0 REACTOR COOLANT SYSTEM OVERCOOL SEQUENCE NU E ER 1. . . . . 4.1 4.1 INITIAL PLANT CONDITIONS FOR OVERC00L SEQUENCE 1. . . . 4.1 4.2 ACCIDENT PROGRESSION FOR OVERC00L SEQUENCE 1. . . . . 4.2 4.3 FREQUENCY OF CORE-MELT DUE TO OVERC00L SEQUENCE 1 . . . 4.3 Xii

_ =: - = .

- . _ , = _ _

4.4 PUBLIC RISK DUE TO OVERCOOL SEQUENCE 1 AND MSLB . . . . 4.3

. 4.5 CORE-MELT DUE TO OVERFILL INDUCED SGTR FOR OVERC00L SEQUENCE 1 . . . . . . . . . . . . . 4.4 4.6 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR OVERC00L SEQUENCE 1 . . . . . . . . . . . . . 4.4 5.0 REACTOR COOLANT SYSTEM OVERC00L SEQUENCE NUE ER 2. . . . . 5.1 5.1 INITIAL PLANT CONDITION FOR OVERC00L SEQUENCE 2 . . . . 5.1 5.2 ACCIDENT PROGRESSION ANALYSIS FOR REACTOR COOLANT SYSTEM OVERC00L SEQUENCE 2 . . . . . . . . . 5.2 5.3 FREQUENCY OF CORE-E LT DUE TO OVERC00L SEQUENCE 2 AND MSLB . . . . . . . . . . . . . 5.4 5.4 PUBLIC RISK DUE TO OVERC00L SEQUENCE 2 AND MSLB . . . . 5.4 5.5 CORE-MELT DUE TO OVERFILL INDUCED SGTR FOR OVERCOOL SEQUENCE 2 . . . . . . . . . . . . . 5.4 5.6 TOTAL CORE-ELT FREQUENCY AND PUBLIC DOSE FOR OVERC00L SEQUENCE 2 . . . . . . . . . . . 5.5 6.0 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUEER 1. . . . 6.1 6.1 INITIAL PLANT CONDITIONS FOR OVERPRESSURE SEQUENCE 1. . . 6.1 6.2 ACCIDENT PROGRESSION ANALYSIS FOR OVERPRESSURE SEQUENCE 1 . . . . . . . . . . . . . 6.1 7.0 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUEER 2. . . . 7.1

- 7.1 INITIAL PLANT CONDITIONS FOR OVERPRESSURE SEQUENCE 2. . . 7.1 7.2 ACCIDENT PROGRESSION ANALYSIS FOR OVERPRESSURE 8.0 STEAMSCOUERETOR TUBE RUPTURE SEQUENCE.NUEER 1 . . . . . B.1 8.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR TUBE RUPTURE SEQUENCE 1 . . . . . . . . . . . 8.1 8.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR TUBE RJPTURE SEQUENCE 1 . . . . . . . . . . 8.3 8.3 FREQUENCE OF CORE-ELT DUE TO RJBE RUPTURE SEQUENCE 1 . '. . . . . . . . . . . . 8.5 xiii

.. :. ..:...ne a 4.,.. e < <., ,

l 8.4 PUBLIC RISK DUE TO TUBE RUPTURE SEQUENCE 1 . . . . . 8.5 8.5 TOTAL CORE-ELT FREQUENCY AND PUBLIC DOSE FOR SGTR SEQUENCE 1 . . . . . . . . . . . . . 8.5 9.0 STEAM GENERATOR TUBE RUPTURE SEQUENCE NUEER 2 . . . . . 9.1 9.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR TUBE RUPTURE SEQUENCE 2 . . . . . . . . . . . 9.1 9.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR TUBE RUPTURE SEQUENCE NUEER 2 . . . . . . . . . 9.1 9.3 FREQUENCY OF CORE-MELT DUE TO TUBE RUPTURE SEQUENCE 2 . . 9.3 9.4 - TOTAL CORE-ELT FREQUENCY AND PUBLIC DOSE FOR SGTR SEQUENCE 1 . . . . . . . . . . . . . 9.3 10.0 VALUE/ IMPACT ANALYSIS OF POTENTIAL CORRECTIVE FEATURES . . . 10.1 10.1 OVERFILL SEQUENCE 1. - FALSE MFW INCREASE,. TRIP, AND AFW OVERFILL . . . . . . . . . . . 10.1 10.2 OVERFILL SEQUENCE 2. - FALSE MFW INCREASE AND HIGH LEVEL TRIP FAILURE . . . . . . . . . . . 10.4 10.3 OVERC00L SEQUENCE 1. - INADVERTENT OPENING OF STEAM DUMP VALVES AT POWER AND INADVERTENT OPENING OF VALVES DURING HOT SHUTDOWN . . . . . . . . . 10.5 10.4 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUEER 1 . . 10.9 10.5 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUEER 2 . . 10.11 10.6 STEAM GENERATOR TUBE RUPTURE SEQUENCE NUEER 1 AND 2 . . 10.14 10.7 VALUE/ IMPACT

SUMMARY

. . . . . . 10.15

l. . . . .

11.0 CONCLUSION

S . . . . . . . . . . . . . .

11.1 REFERENCES

. . . . . . . . . . . . . . . R.1 XiV

_ ._,.- _, m .- _

FIGURES 2.1 Feedwater Overfill Sequence 1: Progression to Steam ,

Line Break . . . . . . . . . . . . . . 2.3  !

2.2 ORNL Overcool Event Tree . . . . . . . . . . . 2.6 2.3 Modified INPO Overcool Event Tree. . . . . . . . . 2.7 2.4 Steam Generator Tube Rupture Event Tree for Zion Westinghouse PWR 2.11 3.1 Feedwater Overfill Sequence 1: Progression to Steam Line Break . . . . . . . . . . . . . . 3.3 5.1 Overcool Sequence 2 Event Tree . . . . . . . . . 5.3 8.1 Steam Generator Tube Rupture Event Tree Sequence 1 . . . . 8.4

TABLES

S.1 Summary of the INEL and PNL Estimates of Accident Initiator Frequencies, Core-melt Frequencies and Public Risk . . . vi
S.2 Summary of the Value-Impact Analysis of the Proposed Fixes . . . ix
1.1 INEL Identified Control System Accident Initiators for Westinghouse PWRs . . . 1.1
1.2 INEL Estimate of Accident Initiator Frequencies . . . 1.2
2.1 Sequence of Events for Steam Generator Overfill Sequence Number 1 . . . 2.1
2.2 Public Risk Associated with Steam Generator Overfill Sequence Number 1 Leading to MSLB . . . 2.10
2.3 Frequency of Core-Melt Given SGTR for Zion Westinghouse PWR . . . 2.12
2.4 Public Dose Associated with Overfill Sequence 1, MSLB and SGTR . . . 2.14
3.1 Sequence of Events for Steam Generator Overfill Sequence Number 2 . . . 3.1
3.2 Public Risk Associated with Steam Generator Overfill Sequence Number 2 . . . 3.4
3.3 Public Dose Associated with Overfill Sequence 2, MSLB and SGTR . . . 3.5
4.1 Sequence of Events for Reactor Coolant System Overcool Sequence Number 1 . . . 4.1
4.2 Public Risk Associated with Overcool Sequence 1 . . . 4.3
4.3 Public Dose Associated with Overcool Sequence 1, MSLB and SGTR . . . 4.4
5.1 Sequence of Events for Reactor Coolant System Overcool Sequence Number 2 . . . 5.1
5.2 Public Risk Associated with Reactor Coolant System Overcool Sequence Number 2 . . . 5.4
5.3 Public Dose Associated with Overcool Sequence 2, MSLB and SGTR . . . 5.5
6.1 Sequence of Events for Overpressure Sequence Number 1 . . . 6.1
7.1 Sequence of Events for Overpressure Sequence Number 2 . . . 7.1
8.1 Sequence of Events for Steam Generator Tube Rupture Sequence Number 1 . . . 8.1
10.1 Summary of the Value-Impact Analysis of the Proposed Fixes . . . 10.15
11.1 Summary of INEL and PNL Estimates of Accident Initiator Frequencies, Core Melt Frequencies, and Public Risk . . . 11.2


1.0 INTRODUCTION

This report will examine the probability of core-melt and risk associated with control system failures in Westinghouse pressurized water reactors (PWRs).

This work is based on the control system failures and failure frequencies identified by the Idaho National Engineering Laboratory (INEL) (Bruske, S. J., et al., 1984).

The Carolina Power and Light H.B. Robinson Unit 2 Nuclear Plant, a 3-loop PWR design, was used as the reference design in the INEL investigation.

The INEL report identified eight initiating events which had a potential to cause severe core damage. These are shown in the following table:

TABLE 1.1. INEL Identified Control System Accident Initiators for Westinghouse PWRs

1. Failures that result in increased feedwater flow rates which subsequently lead to the auxiliary feedwater flow causing a steam generator overfill.
2. Failures that result in excessive feedwater flow rates with subsequent failure of the steam generator high water level trips.
3. Failures that result in inadvertent steam dump operation with the reactor at power.
4. Failures that result in inadvertent opening of the steam line relief valves with the reactor plant in hot shutdown (T average less than 547°F).
5. Failures that result in loss of letdown flow and pressure relief capabilities with the reactor plant in cold shutdown.
6. Failures that result in inadvertent safety injection (SI) initiation with the reactor plant being heated from cold shutdown with the pressurizer power operated relief valves (PORVs) set for normal full power operation.
7. Failures that result in steam line safety or relief valves failing open and in high feedwater flow rates concurrent with a steam generator tube rupture on the affected steam generator.
8. Failures that result in steam line safety or relief valves failing open and in high feedwater flow rates concurrent with a steam generator tube rupture.

The failure mechanisms causing the above system failures were identified and sequence probabilities were calculated by INEL. These are given in Table 1.2 below. The description of each sequence has been abbreviated to the title used by INEL.


TABLE 1.2. INEL Estimate of Accident Initiator Frequencies

Sequence                                                    Median Value        90th Percentile
                                                            Per Reactor Year    Per Reactor Year
1. Steam Generator Overfill Sequence Number 1               1.4E-03             5.5E-03
2. Steam Generator Overfill Sequence Number 2               5.4E-08             5.5E-07
3. Reactor Coolant System Overcool Sequence Number 1        2.6E-07             1.4E-06
4. Reactor Coolant System Overcool Sequence Number 2        1.8E-02             5.0E-02
5. Reactor Coolant System Overpressure Sequence Number 1    1.5E-07             7.7E-06
6. Reactor Coolant System Overpressure Sequence Number 2    3.7E-04             1.2E-03
7. Steam Generator Tube Rupture Sequence Number 1           2.0E-03*            1.5E-02*
8. Steam Generator Tube Rupture Sequence Number 2           3.2E-03*            1.9E-02*

* For SG tube rupture events, the probabilities are shown for the aggravating failures only. Probabilities for coincident tube rupture will be added in this report in later chapters.

The purpose of this report is to analyze the accident progression and determine its effect on core-melt and public risk. The accident initiators will be examined in the following chapters, and event trees developed to determine core-melt sequences. The performance of the relevant safety systems given the assumed initiating conditions will then be examined to determine any impact on system performance. The probability of sequences leading to core-melt will then be estimated. Finally, the likely release categories associated with the sequences will be determined and an estimate of public risk associated with the accident will be made. The attempt will also be made to put these risks into perspective through a comparison to similar types of transient induced sequences and to overall plant risk in a comparable Westinghouse PWR. Lacking a probabilistic risk assessment (PRA) of the reference H. B. Robinson Plant, generic event trees will be developed to consider accident progression of the initiating events towards core damage and core-melt.


In addition, plant modifications will be postulated to eliminate or reduce the frequency of the above failures. Costs associated with implementing these fixes will be estimated, and a value/impact ratio presented in terms of man-rem of potential public exposure reduced per $1000 spent in the modifications.

The following chapters will examine the individual accident scenarios given above.


2.0 STEAM GENERATOR OVERFILL SEQUENCE NUMBER 1

This sequence involves failures in the feedwater control that result in increased feedwater flow rates, subsequently leading to the auxiliary feedwater flow causing a steam generator overfill.

2.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR OVERFILL SEQUENCE 1

The initial plant conditions assumed by INEL for this sequence have the plant at 5 percent reactor power with the rod control, feedwater control, and turbine electrohydraulic control in manual, with all other systems in automatic.

The low initial power was used in the INEL scenario to get the largest possible steam flow/feedwater flow mismatch.

A failure in the feedwater level or control system, causing an increased feedwater flow, was then assumed. Calculations were based on a 10 percent/sec increase in the feedwater flow. The main pumps were then tripped on the high level trip signal at 36 seconds into the transient, with the overfill continuing with the auxiliary feedwater pumps.

The INEL calculations indicate that water carry-over can be inferred from the steam generator dome steam qualities, with carry-over predicted around 205 seconds into the transient. Significant carry-over then would occur in slightly over 3 minutes after main feedwater trip. Note that power levels would increase in response to the feedwater increase. INEL noted that for initial reactor power levels above the 5 percent point, the power increase would be sufficient to preclude steam generator overfill due to the parallel increase in the steaming rate.

The sequence of events as postulated by INEL and the required time for each event to take place due to the feedwater failure are shown in Table 2.1.

TABLE 2.1. Sequence of Events for Steam Generator Overfill Sequence Number 1

Time (s)   Event
0.0        Transient initiated by opening MFW control valve
10.0       MFW valve wide open
22.0       Steam dump valve flow peaked at 39 kg/s
35.7       MFW pump tripped on 75 percent SGA NR level
36.1       SGA steam line check valve closed
55.0       Steam dump valve closed
127.0      Steam dump valve opened to control steam header pressure
150.0      SGA boiler volumes at saturation pressure and begin voiding
196.0      SGA steam line check valve reopened
210.0      SGA NR level reached 96.6 percent
240.0      Transient terminated

2.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR OVERFILL SEQUENCE 1

A review of the INEL accident sequence for steam generator overfill indicates that there is initially no failure of the primary containment or cooling system postulated. For the accident to impact the integrity of the core, it must progress to an undercooling scenario.

For this accident scenario the principal hazard is believed to be an induced steam line break on the secondary side with the potential for causing a steam generator tube rupture (SGTR). Figure 2.1 presents the event tree leading up to possible steam line break and SGTR using logic similar to that developed for analysis of overfill in the BWR. The steps in this event tree are discussed below.

Initiating Event. The initiating event for this scenario is the feedwater control opening the main feedwater valve, followed by feedwater trip and continued overfill with the auxiliary feedwater. The median value for this is put by INEL at 1.4E-03/py, with an upper bound of 5.5E-03/py. For the purposes of this examination, the INEL estimate of 1.4E-03/py will be used.

Figure 2.1 then shows the initiating event, with overfill continuing following trip of the main feedwater turbines on high level. The auxiliary feedwater pumps, being electrically driven, are not impacted by the degrading steam quality in the steam lines. Operator action is required to terminate the overfill.

Operator Isolates Auxiliary Feedwater. The transient can be terminated by the operator simply isolating the auxiliary feedwater flow. Given that the operator is trained to monitor the feedwater flow and water level during startup, the probability of the operator detecting the overfill condition and correcting it is considered to be very likely. This is further increased by the high water level indication, followed by alarm and trip of the main feedwater system. The probability of correct action was put at approximately 0.5 in the analysis of overfill for BWRs, but given the main feedwater trip and uniform level readings (i.e., no instrumentation failures), the probability of operator failure to terminate the auxiliary feedwater flow will be put at 0.1 for this examination (i.e., successful termination is thought to be more likely).

[Figure 2.1, event tree image not reproduced. Branch headings: Feedwater Overfill (1.4E-03), Operator Isolates AFW (failure 0.1), Main Turbine Failure and SCRAM (0.1), Turbine Trip, Steamline Break (water hammer 0.5; static level 0.001), MSLB. End-state frequencies shown: 7.01E-06 and 6.30E-05, total 7.00E-05/ry.]

FIGURE 2.1. Feedwater Overfill Sequence 1: Progression to Steam Line Break

Main Turbine Failure and Scram, and Steam Line Break. In the BWR analysis, degrading steam quality and excessive moisture in the steam lines was identified as a possible failure mechanism for the main turbine, causing SCRAM. The potential for steam line break was considered worse if spillover of water occurred during actual operation with a significant steam mass flow versus a degrading steam flow or static steam in the main lines. If spillover occurred during operation, a probability of 1.0 for pipe failure was then used, with a probability of 0.5 given SCRAM. A probability of 0.1 for early turbine failure was then used.

In the case of the PWR, however, the MFW pumps and main turbine have tripped due to the high water indication. As a result, steam flow would then be directed via the bypass valve to the main condenser. The potential for water hammer still may exist, but the potential for pipe rupture is lowered to 0.5. This is reflected in Figure 2.1.

In this case the steam generator level appears to stabilize at 96.6 percent full. Spill-over of water therefore does not occur. However, given the excessive moisture carry-over, the potential for water condensation and collection followed by water hammer in the steam lines still exists. A probability of pipe break due to water hammer of 0.5 will be used here, down from 1.0, to reflect the fact that no spillover will occur and that the reactor is tripped from only 5 percent power. PNL feels this is highly conservative, but justified given the level of uncertainty at this time. This value should be updated as more realistic modeling of pipe behavior becomes available.

The frequency of inducing a steam line break due to overfill with an initiating frequency of 1.4E-03/py is then reduced to an estimated 7.00E-05/py.

This then represents a probability of inducing a steam line break given overfill of (0.1 x 0.5) = 0.05, with the small assumed value for operator error contributing the most impact on reducing the probability of this scenario progressing to a LOCA.

Accident Progression to Core-Melt

Given steam line failure, the accident can progress as a simple cool-down transient, or it can induce a steam generator tube rupture. Both situations will be considered here. The probability of SGTR given steam line break has been addressed by the NRC (NUREG-0844, p. 3-8) as part of its evaluation of Unresolved Safety Issues A-3, A-4, and A-5. This probability is put at the following based on observed experience to date:

p (one or more tube ruptures) following a MSLB = 0.034
p (2 to 10 SGTRs) following a MSLB = 0.014
p (more than 10 SGTRs) following a MSLB = 0.003.

The probability of a cool-down transient alone is then (1 - 0.034) = 0.966. This will simply be modeled below with a probability of 1.0. The probability of SGTR will then be modeled with a probability of 0.034.


Cool-down Transient

The WASH-1400 study used the three loop Surry Westinghouse plant, which is similar to the H.B. Robinson plant in design and capacity, so this PRA is thought to be best applicable here. WASH-1400 gave consideration to the consequences that would follow from ruptures on either the primary or secondary side of a steam generator. Some 30 possible accident sequences were identified, but these all ended in either a rapid cool-down transient or a LOCA.

The transients induced by steam generator failures did not lead to core-melt in the WASH-1400 study but could release activity from the fuel-clad gap due to fuel damage. However, the end result was that steam generator rupture was not identified as an important factor in the risks due to transient events (WASH-1400, Appendix I, p. I-47).

To be conservative, the excessive cool-down transient will be modeled here with the event for steam line break.

A review of the ORNL Precursor Study (Minarick and Kukielka, 1982) indicates that there have been several accidental lifts of steam relief valves. The most similar to this postulated initiator include the incident at Beaver Valley 1 where the steam dump valves failed to close following load rejection (NSIC 148764), and the incident at Crystal River where an excessive cooldown rate resulted from loss of ICS power, turbine trip, and 50 percent opening of the atmospheric dump valves (NSIC 123150).

Both initiators were modeled as a steam line break in the Precursor Study, using the event tree shown in Figure 2.2. This figure ignores initiating event frequency for the moment, showing only the conditional probability of core damage given the initiating steam line break, or in this case the relief valve lift.

The ORNL analysis determined that the prevention of core damage would require steam generator isolation, auxiliary heat removal, high pressure injection (HPI), and long term cooling. The operation of the HPI system with borated water is needed to prevent a return to power as the overcool progresses. The potential for a PORV lift and failure to reseat given continued operation of the HPI is also considered.

Note that the failure to isolate the steam generator is the dominant failure sequence in the ORNL analysis. In this case, no credit is taken for mitigating the consequences of the overcool by injection of the borated water. In addition, ORNL considered severe core damage possible with a stuck rod given steam generator isolation and HPI.

INPO re-analyzed this accident sequence to identify conservative assumptions on the part of ORNL (INPO, 1982). The event tree developed by INPO is shown in Figure 2.3. INPO observed that the HPI system is designed to borate the reactor even in the case where all steam generators are not isolated. Credit was then given for HPI operation even if isolation fails. In addition, with isolation INPO considered operation of the auxiliary feedwater sufficient to prevent core damage. Thus failure of the HPI function would not be expected to result in core damage if the generator were isolated.

[Figure 2.2, event tree image not reproduced. Column headings: Steam Line Break, Reactor Trip, Steam Generator Isolation, Auxiliary Feedwater and Secondary Heat Removal, High Pressure Injection, PORV Opened Due to Continued HPI, PORV or PORV Isolation Valve Closure, Long Term Cooling, Potential Severe Core Damage. Total conditional probability of core damage shown: 1.3E-3.]

FIGURE 2.2. ORNL Overcool Event Tree

[Figure 2.3, event tree image not reproduced. Same column headings as Figure 2.2 with the INPO branch values; total conditional probability of core damage shown: 1.1E-5.]

FIGURE 2.3. Modified INPO Overcool Event Tree

In addition, the possibility of a stuck rod is omitted in the INPO analysis because it is not considered to be significant if complete steam generator isolation has occurred. Also, INPO does not assign core damage directly to the reactor trip failure sequence (ATWS). It is thought that credit should be taken for operation of mitigating systems that can prevent core damage given ATWS. This, however, is not developed here as it is not a dominant contributor to core damage in any event.

Finally, INPO assigned a lower probability (2.1E-04) for failure of the auxiliary feedwater than the ORNL analysis, noting that the ORNL value of 1.1E-03 was based on system degradation that should not have been counted as system failures. After ACRS review, a value of 5.6E-04 has been proposed.

The net result is an estimated conditional probability of core damage of 1.1E-05 given the valve lift. This compares to the 1.3E-03 value estimated in the ORNL study. The INPO study is thought to correct the uncertainties and deficiencies in the ORNL study, and will thus be used here.

The specific steps of the tree are discussed further below:

For the purposes of this examination, the initiating event will be taken as given.

Reactor Trip. The pressure transient and turbine trip caused by the erroneous valve lift will also generate the reactor trip signal. The probability of trip failure is put at 3.6E-05 in the ORNL report. If this were assumed to lead to core damage as in the ORNL report, this anticipated transient without scram (ATWS) sequence would be the dominant sequence on the new event tree. However, the INPO report again points out that trip failure will not necessarily lead to core damage. The operation of other systems to mitigate the ATWS is thought by INPO to reduce this sequence to a nondominant contributor to core damage. In this case, HPI of borated water could reduce reactivity increases, and successful steam generator isolation would likely restore feedwater flow. The INPO observation that this sequence would not proceed directly to core damage will therefore be used here, and the ATWS branch will not be fully developed.

Steam Generator Isolation. This step requires both closure of the main steam isolation valve (MSIV) to the affected steam line, and isolation of the feedwater flow. The failure probability of this is put at 1.2E-03 in both the ORNL and INPO studies. The postulated failures causing the inadvertent lift of the relief valve would not impact this probability.

Note that the INPO study points out that the relief valves can also be manually isolated with a block valve. However, it is assumed that the operator would contribute to this term as well as to that above for feedwater isolation, thus not significantly reducing the failure probability.

Auxiliary Feedwater and Secondary Heat Removal. This postulated accident is not thought to affect the performance of the auxiliary feedwater system. Again, the failure probability was originally put at 1.1E-03, and estimated at 2.1E-04 by INPO after an examination of degraded performance. This was later reviewed by the ACRS with the recommended value of 5.6E-04. This will be used here.

High Pressure Injection (HPI). In this overcool scenario, injection of borated water will be required primarily for reactivity control in addition to coolant inventory control. The postulated valve lift is not thought to affect the performance of this system. The failure probability of the HPI function is put at 2.8E-03 as per the ORNL and INPO studies.

Power Operated Relief Valve (PORV) Opened due to Continued HPI. Continued operation of the HPI could cause lifting of the PORV. As per the ORNL and INPO studies, the probability of valve lift is put at 0.8.

PORV or PORV Isolation Valve Closure. Given the lifting of the PORV, the probability of failure to close the valve is put at 6E-03, as per the previous studies.

Long Term Core Cooling. The failure probability of this function is given in the ORNL study to be 1.2E-03. The predicted probability of core damage, given the initiating MSLB, is then estimated to be 1.1E-05.

The net probability of severe core damage given overfill and steam line break is then 1.1E-05 (obtained from Figure 2.3).

2.3 FREQUENCY OF CORE-DAMAGE DUE TO OVERFILL SEQUENCE 1 WITH STEAM LINE BREAK

The predicted frequency of core damage due to steam generator overfill is then estimated to be (1.4E-03/py)(0.05)(1.1E-05) = 7.70E-10/py. If no corrections are applied to distinguish between core damage and core-melt, the predicted frequency of core-melt is then 7.70E-10/py.

2.4 PUBLIC RISK DUE TO OVERFILL SEQUENCE WITH STEAM LINE BREAK

Again, this scenario with overfill and subsequent main steam line break is expected to lead to core damage only. However, for the purposes of bounding the potential risk to the public, the results above will be associated with core-melt. Accident sequences for the Oconee PRA involving loss of the power conversion system, relief valve closure failure, and loss of long term decay heat removal or loss of high pressure injection are typically associated with PWR release categories 3, 5, and 7 with the probabilities of 0.5, 0.0073, and 0.5, respectively. This will be assumed to be applicable here, where loss of the decay heat path leads to core damage. The public risk associated with these release categories is then developed below.


TABLE 2.2. Public Risk Associated with Steam Generator Overfill Sequence 1 Leading to MSLB

Release Category   Probability   Man-rem/release   Frequency, 1/py   Man-rem/py
PWR-3              0.5           5.4E+06           7.70E-10          2.1E-03
PWR-5              0.0073        1.0E+06           7.70E-10          5.6E-06
PWR-7              0.5           2.3E+03           7.70E-10          8.9E-07
TOTAL                                                                2.1E-03

The total predicted man-rem exposure due to overfill sequence 1 is therefore on the order of 2.1E-03 man-rem/py.

2.5 CORE-MELT DUE TO OVERFILL INDUCED SGTR

As discussed previously, the conditional probability of SGTR given a MSLB will be put at 0.034 based on the considerations presented in NUREG-0844. This represents a potential for single and multiple tube ruptures. The initial plant response to tube ruptures can be modeled as a small break LOCA; the WASH-1400 Surry analysis made no distinction between the two. However, the long-term system response to a SGTR may differ from that for a LOCA in that water released from the break is not available for collection at sumps within the reactor building. Long term recirculation modes may also not be available as they would be for most LOCAs.

To model the plant response to a SGTR, PNL examined the specific event tree developed for this purpose for the Zion Westinghouse PWR, and examined how the specific scenario postulated by INEL might modify plant response from a simple SGTR event. The Zion event tree is shown in Figure 2.4. The resulting dominant sequences and conditional frequencies are then given in Table 2.3. These results are based primarily on an assumed conditional initiating frequency for SGTR of 1/py with electric power supplies in specific configurations of availability. Lower conditional frequencies for SGTR were assumed for configurations when electric power unavailability made key equipment unavailable.

The results predict a core-melt associated with transient-type behavior, all with early core-melt. From Table 2.3, sequences 9, 3, and 7 contribute to core-melts characterized by early melting with containment sprays operating with a frequency of (6.68E-06/py + 2.30E-06/py) = 8.98E-06/py. It will be assumed here that this will be associated with WASH-1400 release category 5. Sequences 11, 5, and 8 contribute to early melting with failure of the containment sprays with a frequency of (4.51E-09/py + 2.05E-07/py) = 2.10E-07/py. This will be associated here with WASH-1400 release category 2.


[Figure 2.4, event tree image not reproduced; the sequence labels legible in the scan (TEFC, TEF, TEC, TE, and the numbered sequences) correspond to the Plant Event Sequence Categories defined in the notes to Table 2.3.]

FIGURE 2.4. Steam Generator Tube Rupture Event Tree for Zion Westinghouse PWR

TABLE 2.3. Frequency of Core-Melt Given SGTR for Zion Westinghouse PWR Dominant Sequences

Category   Available Bus No.   Sequence   Failed Branch Points   Frequency
TEFC                                                             6.68-6
           7,8,9               9          L-1                    4.10-6
           7,8,9               3          OP-5, R-3              2.28-6
TEF                                                              4.51-9
           7,8,9               11         L-1, CS                2.26-10
           7,8,9               5          OP-5, R-3, CS          1.25-10
           7,8                 5          R-3, CS                3.61-9
TEC                                                              2.30-6
                               7                                 2.16-7
TE                                                               2.05-7
           None                8                                 1.75-7
           7                   8                                 1.75-7
ATWS                                                             1.02-10
           7,8,9               80         K-1, SA-2              5.12-11
           7,8,9               53         SA-2, K-2              5.12-11

NOTES:
1. Dominant sequences are shown with respect to 6-hour electric power bounding model results.
2. The Plant Event Sequence Categories are defined in Section 1.3.4.0 of Zion PRA.
   A - Large LOCA behavior    E - Early melt    F - Fan coolers are operating
   S - Small LOCA behavior    L - Late melt     C - Containment sprays are operating
   T - Transient behavior
3. Values are presented in abbreviated scientific notation, e.g., 1.11-5 = 1.11 x 10^-5.

The total frequency is then (8.98E-06/py + 2.10E-07/py) = 9.19E-06/py given the initiation frequency of SGTR of approximately 1/py. The conditional probability of core-melt given SGTR is then taken as 9.19E-06, or approximately 1E-05 given SGTR. The ATWS sequence does not contribute significantly to this and is thus dropped from further consideration.

This compares favorably to the results of NUREG-0844, where the total contribution to core-melt from SGTR was put at 1.5E-07/py. With an estimated tube rupture frequency of 2E-02/py, this effectively gives a conditional probability of core-melt given SGTR of 7.5E-06, or again approximately 1E-05 given SGTR.

Note, however, that in both the Zion PRA and the NUREG-0844 report, a number of failure sequences involving SGTR as the initiating event are not specifically applicable here. Successful recovery from a simple SGTR event centers on the ability to isolate the affected steam generator and depressurization of the reactor cooling system (RCS) before the water inventory in the reactor water storage tank (RWST) is exhausted. Many scenarios for single and especially multiple tube rupture events postulate the lifting and sticking open of steam generator relief valves due to the large pressure spike seen by the secondary side on rupture of the tubes. However, in this case the scenario is driven by an assumed steam line break on the secondary side, thus making the lift of relief valves unlikely. Failure to isolate the SG due to rupture of the steam line inboard of the MSIV is also calculated in the NUREG-0844 report, but this initiating frequency is quite low, resulting in a small contribution to the total core-melt frequency for MSLBs inboard of the MSIV.

In this case, however, the potential for a steam line break inboard of the MSIVs may be higher. The analysis here assumes that a steam line break occurs with a high probability given that the overfill occurs. If a conservative approach is further taken to assume a 50% probability of MSLB above or below the MSIV, then this scenario may play a dominant role in the resulting conditional probability of progression to core-melt.

To determine the potential impact of the MSLB location on core-melt frequency, the appropriate scenarios and failure probabilities from NUREG-0844 Chapter 3.4 were examined, with the results given below. These have also been coupled with the assumed SGTR probabilities.

Case 1: Rupture of Main Steam Line Inboard of the MSIV

Number of SGTRs   Probability of Rupture   Prob of Loss of RWST before RCS Depressurization   Prob of Failure to Isolate SG   Net Core-Melt Probability
1                 0.017                    1E-03                                              1                               1.7E-05
2 to 10           0.014                    1E-02                                              1                               1.4E-04
more than 10      0.003                    0.5                                                1                               1.5E-03

Total Prob of Core-Melt Given MSLB Inboard of MSIV        1.66E-03
Conditional Prob of Core-Melt Given MSLB and SGTR         4.87E-02

Case 2: Rupture of Main Steam Line Downstream of the MSIV

Number of SGTRs   Probability of Rupture   Prob of Loss of RWST before RCS Depressurization   Prob of Failure to Isolate SG   Net Core-Melt Probability
1                 0.017                    1E-04                                              1E-03                           1.7E-09
2 to 10           0.014                    1E-03                                              1E-03                           1.4E-08
more than 10      0.003                    1E-03                                              1E-03                           3.0E-09

Total Prob of Core-Melt Given MSLB Downstream of MSIV     1.87E-08
Net Prob of Core-Melt Given MSLB and SGTR                 5.50E-07

If a 50% probability of MSLB inboard of the MSIVs is used, the conditional probability of core-melt given MSLB and SGTR can then be weighted, giving (0.5)(4.87E-02 + 5.50E-07) = 2.44E-02. This will be used here.

Comparison to SBLOCA Response

PNL also examined the possibility of modeling the SGTR event with small break LOCA (SBLOCA) event trees from the Surry WASH-1400 PRA. With an initiating frequency of 3E-04/py for S1 (2 to 6 inch) and 1E-03/py for S2 (0.5 to 2 inch) LOCAs, the resulting Surry core-melt frequencies were 6.1E-06/py and 2.3E-05/py, respectively. This gives a conditional probability of core-melt given LOCA of 2.03E-02 and 2.3E-02 for S1 and S2 LOCAs, respectively. The net result of the above consideration for SGTR is then to increase the conditional probability of core-melt given SGTR by several orders of magnitude (9.19E-06 to 2.44E-02) by recognizing the potential for the MSLB to occur above the MSIV. The resulting conditional probability is then similar to the probability of progressing to core-melt for SBLOCAs.

In this analysis, the frequency of overfill with MSLB and SGTR is then put at (1.4E-03/py)(0.05)(0.034) = 2.38E-06/py. Using this new initiating frequency for SGTR, the total predicted frequency of core-melt due to this control system failure is then put at (2.38E-06/py)(2.44E-02) = 5.81E-08/py.

The public dose was estimated by considering that the above core-melt sequences were brought about by failure of the water storage tank inventory, with water not being available from the building sumps. As a result, the containment sprays would also be inoperable. The Zion PRA related the SGTR sequences to release categories 2 and 5, but given the above consideration, only release category 2 at 4.8E+06 man-rem/core-melt will be used here. The results are summarized in Table 2.4 below.

TABLE 2.4. Public Dose Associated with Overfill Sequence 1, MSLB, and SGTR

                              A-47 PNL Analysis of Overfill Sequence 1 with SGTR
  Release     Man-rem/        Core-melt/py          Man-rem/py
  Category    Release         Best Estimate         Best Estimate
  2           4.8E+06         5.81E-08              2.81E-01

The total public risk is then estimated at 2.81E-01/py.


2.6 TRANSIENT SHUTDOWN INDUCED BY OVERFILL SEQUENCE 1

Finally, the very act of plant shutdown can present a safety challenge to feedwater and decay heat removal systems. In the BWR, transient shutdowns can represent the primary source for initiating a core-melt sequence. In PWRs, the transients have generally played a less important role in overall risk (V. Joksimovich, Risk Analysis, Vol. 4, No. 4, 1984), but will be examined here for completeness.

A review of the PRAs for the three loop Surry (WASH-1400) and four loop Sequoyah (NUREG/CR-1659) Westinghouse PWRs indicates both use the same basic event tree to measure risk due to transients that may affect the power conversion system (PCS). The PCS represents the pathway for decay heat rejection after plant shutdown. The variables of interest are then:

T2 = transient frequency with loss of main feedwater = 3/yr (Sequoyah),

T3 = transient frequency with main feedwater available = 4/yr (Sequoyah),

M = probability of PCS failure = 1.0E-02,

L = probability of auxiliary feedwater failure = 4E-05.

A T2 transient with failure of the auxiliary feedwater (L) was assumed to lead to core-melt for that particular plant. Note that other plants also require failure of a high pressure injection function before core-melt given loss of the PCS.

In this case, the initiating frequency of the overfill event is put at 1.4E-03/yr. Further, the probability of operator failure to terminate the event was put earlier at 0.1. The frequency of spillover is then put at 1.4E-04/yr.

Having progressed to the point of spillover, however, the potential for loss of the PCS is much higher than reflected above. The probability of 0.5 used earlier for damage to the steam lines will be used here for loss of the PCS given spillover. As this scenario actually progresses to this point with auxiliary feedwater, no modification to the auxiliary feedwater failure probability is thought to be necessary. The net result is then a core-melt frequency estimate of (1.4E-03/yr)(0.1)(0.5)(4E-05) = 2.80E-09/yr.

Risk

The Sequoyah PRA concluded that the TML sequence was the only sequence of risk importance, associated entirely with PWR release category 3. The Surry plant associated this primarily with PWR-7, and only 1% with PWR-3, due to different containment designs. The PWR-3 release category is more severe at 5.4E+06 man-rem/core-melt, and will thus be assumed here. The risk due to transient shutdown with this overfill scenario is then put at (2.80E-09/yr)(5.4E+06 man-rem) = 1.5E-02 man-rem/py.


2.7 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR OVERFILL SEQUENCE 1

The total predicted core-melt frequency due to this issue is then the sum of the steam line break, SGTR and transient scenarios, or (7.70E-08/py + 5.81E-08/py) = 6.17E-08/py. The predicted core-melt is then primarily associated with the SGTR assumption.

The total predicted dose associated with this sequence is then also the sum of the steam line break, SGTR and transient scenarios, this being (2.1E-03 man-rem/py + 2.8E-01 man-rem/py + 1.5E-02 man-rem/py) = 3.0E-01 man-rem/py.


3.0 STEAM GENERATOR OVERFILL SEQUENCE NUMBER 2

As with steam generator overfill sequence 1, this sequence also involves failures that result in increased feedwater flow rates. In this case, failures in the feedwater level indicators or controller are postulated. These will be developed more fully below.

3.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR OVERFILL SEQUENCE 2

The initial plant conditions assumed by INEL for this sequence are the plant at 67 percent reactor power with the rod control in manual and all other control systems in automatic.

A failure in the feedwater level or control system causing an increased feedwater flow and loss of the high level feedwater trip was then assumed. In this scenario, the steaming rate from the affected steam generator is projected to eventually come into equilibrium with the higher feedwater flow rate, with reactor power increasing to 1740 MW. The water level in the affected steam generator also appears to stabilize; however, steam quality degrades to 13 percent, which indicates that severe moisture carry-over would occur.

The sequence of events as postulated by INEL and the required time for each event to take place due to the feedwater failure are shown in Table 3.1.

TABLE 3.1. Sequence of Events for Steam Generator Overfill Sequence Number 2

  Time (s)   Event
  0.0        Transient initiated by control or level failure with loss of high trip.
  7.3        MFW valve wide open.
  146.0      Oscillations in steam generator mass flow rates stabilize in a smooth, asymptotically increasing rate.
  167.0      Minimum pressurizer pressure reached.
  250.0      Primary average temperatures in new equilibrium.
  300.0      Liquid carry-over peaked at 19.2 percent.
  400.0      Analysis terminated in steady state with 19.2 percent liquid carry-over fraction, steam quality at 13 percent.

The accident initiator as postulated by INEL again involves no initial failure of the primary containment or cooling of the core.


3.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR OVERFILL SEQUENCE 2


The analysis of this steam generator overfill will be similar to the previous examination in that the potential for inducing a steam line break and SGTR will be of interest. However, in the first scenario the main feedwater flow tripped on the high level, with auxiliary feedwater continuing the overfill. In this case, the main feedwater turbines remain on and could possibly be impacted by the degrading steam quality. The event tree as developed to consider LOCA in the BWR will then be applicable. Figure 3.1 presents this event tree. The various steps are further developed below.

Initiating Event. The initiating event for this scenario is the feedwater control opening the main feedwater valve, followed by feedwater trip and continued overfill with the auxiliary feedwater. The median value for this is put by INEL at 5.4E-08/py, with an upper bound of 5.5E-07/py. For the purposes of this examination, the INEL estimate of 5.4E-08/py will be used.

Operator Isolates Feedwater. The transient can be terminated by the operator simply isolating the feedwater flow. In this case, however, the reactor is at 67 percent power and in fully automatic feedwater control. In addition, the failures postulated for the feedwater system present conflicting readings to the operator, as was the case for level indicator failure in the BWR. The potential for correct interpretation and action on the part of the operator is then expected to be reduced somewhat compared to the previous overfill scenario.

The value of 0.517 for operator failure was estimated for the BWR. Note, however, that in the PWR spillover does not occur, although steam quality again deteriorates rapidly. A value of 0.5 is proposed here for the PWR given the similar failure mechanisms to the BWR case, but with spillover never actually occurring. This value is thus thought to be more conservative than the 0.517 used in the BWR examination.

Feedwater Turbine Failure. As in the BWR analysis, the potential exists for the excessive moisture carry-over to damage the steam-driven feedwater turbine and end the overfill. This again is put at 0.1. The probability of the overfill continuing is then put at 0.9.

Main Turbine Failure and SCRAM. As with the previous analyses, a probability of 0.1 of main turbine failure and shutdown will be assumed, with a probability of 0.9 that the overfill would continue with the reactor at power.

Note that as with the previous PWR overfill scenario, spillover of water into the steam lines does not occur with the reactor at power. A reactor SCRAM, however, could produce a spillover given continued feedwater flow after reactor shutdown and reduced steaming, although feedwater flow will also decay after shutdown.

Steam Line Break. As in the previous analysis, the potential for steam line break given reactor shutdown and spillover will be estimated at 0.5 for water hammer plus 0.001 for static load. Given continued operation, the probability for water hammer induced pipe break will be put at 0.5, reduced from the 1.0 used for the BWR where spillover of water actually occurred at power, as in this case spillover will not occur if operation continues.

FIGURE 3.1. Overfill Sequence 2 Event Tree (the event tree graphic is not reproduced in this text extraction; its branches are the initiating event, operator isolation of feedwater, feedwater turbine failure, main turbine failure and SCRAM, and steam line break, as developed above).

The frequency of inducing a steam line break due to overfill with an initiating frequency of 5.4E-08/py is then reduced to an estimated 1.24E-08/py. This represents a probability of inducing a steam line break of 0.23 given the initiating event, i.e. (0.23)(5.4E-08/py) = 1.24E-08/py.

Steam Line Break Event Tree. The reactor response to this steam line break will be identical to that developed for the previous steam generator overfill sequence 1 as was shown in Figure 2.2. This figure estimated the probability of core damage given the steam line break at 1.1E-05.

3.3 FREQUENCY OF CORE-DAMAGE DUE TO OVERFILL SEQUENCE 2 WITH STEAM LINE BREAK

The predicted frequency of core damage due to steam generator overfill is then estimated to be (5.4E-08/py)(0.23)(1.1E-05) = 1.37E-13/py. If no corrections are applied to distinguish between core damage and core-melt, the predicted frequency of core-melt is then 1.37E-13/py. This could be considered negligible, but will be carried through to public risk for completeness.

3.4 PUBLIC RISK DUE TO OVERFILL SEQUENCE 2 WITH STEAM LINE BREAK

As with overfill sequence 1, accident sequences for the Oconee PRA involving loss of the power conversion system, relief valve closure failure, and loss of long term decay heat removal or loss of high pressure injection are typically associated with PWR release categories 3, 5, and 7 with the probabilities of 0.5, 0.0073, and 0.5, respectively. This will be assumed to be applicable here even though this is expected to give a highly conservative measure of risk associated with a core damage event. The public risk associated with these release categories is then developed below.

TABLE 3.2. Public Risk Associated with Steam Generator Overfill Sequence Number 2

  Release     Probability   Man-rem/release   Frequency, 1/py   Man-rem/py
  Category
  PWR-3       5.0E-01       5.4E+06           1.37E-13          3.7E-07
  PWR-5       7.3E-03       1.0E+06           1.37E-13          1.0E-09
  PWR-7       5.0E-01       2.3E+03           1.37E-13          1.6E-10
  TOTAL                                                         3.7E-07

The total predicted man-rem exposure due to overfill sequence 2 with MSLB is then on the order of 3.7E-07 man-rem/py. Again, this is considered negligible, but will be used for completeness.

3.5 CORE-MELT DUE TO OVERFILL INDUCED SGTR FOR OVERFILL SEQUENCE 2

As with Sequence 1, the conditional probability of core-melt given SGTR is again taken as 2.44E-02.

In this sequence, the frequency of overfill with MSLB and SGTR is put at (5.4E-08/py)(0.23)(0.034) = 4.22E-10/py. Using this new initiating frequency for SGTR, the total predicted frequency of core-melt due to this control system failure is then put at (4.22E-10/py)(2.44E-02) = 1.03E-11/py.

The public dose is again estimated by release category 2 at 4.8E+06 man-rem / core-melt. The results are summarized in Table 3.3 below.

TABLE 3.3. Public Dose Associated with Overfill Sequence 2, MSLB, and SGTR

                              A-47 PNL Analysis of Overfill Sequence 2 with SGTR
  Release     Man-rem         Core-melt/py          Man-rem/py
  Category    Per Event       Best Estimate         Best Estimate
  2           4.8E+06         1.03E-11              4.9E-05

The total public risk associated with Overfill Sequence 2 progressing to SGTR is then estimated at 2.02E+0/py.

3.6 TRANSIENT SHUTDOWN INDUCED BY OVERFILL SEQUENCE 2

As with Overfill Sequence 1, the very act of plant shutdown can present a safety challenge to feedwater and decay heat removal systems. The same TML core-melt sequence is thought to be of primary interest here, with the necessary modifications for Overfill Sequence 2.

In this case, the initiating frequency of the overfill event is put at 5.4E-08/yr. The conflicting signals to the operator were thought to increase the potential for operator failure to terminate the sequence, this being put at a probability of 0.5.

As before with Overfill Sequence 1, having progressed to the point of spillover, the potential for loss of the PCS is put here at 0.5 to reflect the potential for damage to the steam lines and condenser. This compares to the 1E-02 probability used in the Surry PRA. Again, no modification to the auxiliary feedwater failure probability is thought to be necessary at 4E-05.

The net result is then a core-melt frequency estimate of (5.4E-08/yr)(0.5)(0.5)(4E-05) = 5.40E-13/yr.

Risk

The PWR-3 release category at 5.4E+06 man-rem/core-melt will again be assumed here. The risk due to transient shutdown with this overfill scenario is then put at (5.40E-13/yr)(5.4E+06 man-rem) = 2.9E-06 man-rem/py.


3.7 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR OVERFILL SEQUENCE 2

The total predicted core-melt frequency due to this issue is then the sum of the steam line break, SGTR, and transient scenarios, or (1.37E-13/py + 1.03E-11/py + 5.40E-13/py) = 1.10E-11/py. The predicted core-melt is again primarily associated with the SGTR assumption.

The total predicted dose associated with this sequence is then also the sum of the steam line break, SGTR, and transient scenarios, this being (3.7E-07 man-rem/py + 4.9E-05 man-rem/py + 2.9E-06 man-rem/py) = 5.2E-05 man-rem/py.
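The following Python, an added example that is not part of the PNL report, assembles the Overfill Sequence 2 totals in Sections 3.2 through 3.7 from their inputs: the INEL initiating frequency, the event-tree probability of inducing an MSLB, the core-damage probability given MSLB carried over from the Sequence 1 event tree, the SGTR branch, the transient-shutdown (TML) branch, and the release-category split used to convert core-melt frequency into man-rem/py. The input values are transcribed from those sections; the container names, the function names and the keyword defaults are this example's own, and the same functions can be re-run with another sequence's inputs.

```python
"""Core-melt frequency and public dose for Overfill Sequence 2 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReleaseCategory:
    """One row of a release-category table (names are this example's own)."""
    name: str
    fraction: float              # P(a core-melt falls in this category)
    man_rem_per_release: float   # consequence of one release in this category


# Release-category split for the MSLB core-damage branch (Oconee PRA, Section 3.4).
MSLB_RELEASE = (
    ReleaseCategory("PWR-3", 0.5, 5.4e6),
    ReleaseCategory("PWR-5", 0.0073, 1.0e6),
    ReleaseCategory("PWR-7", 0.5, 2.3e3),
)
# The SGTR branch is assigned entirely to release category 2 (Section 3.5).
SGTR_RELEASE = (ReleaseCategory("PWR-2", 1.0, 4.8e6),)
# The transient-shutdown branch is assigned entirely to PWR-3 (Section 3.6).
TRANSIENT_RELEASE = (ReleaseCategory("PWR-3", 1.0, 5.4e6),)


def dose_table(core_melt_freq: float, categories):
    """Rows as in Table 3.2: (category, man-rem/py) for one core-melt frequency."""
    return [(c.name, c.fraction * c.man_rem_per_release * core_melt_freq)
            for c in categories]


def dose_per_year(core_melt_freq: float, categories) -> float:
    """Total man-rem/py: sum over categories of fraction x consequence x frequency."""
    return sum(row[1] for row in dose_table(core_melt_freq, categories))


def overfill_sequence_2(init_freq=5.4e-8,            # INEL initiating frequency, /py
                        p_mslb=0.23,                  # P(steam line break | initiator)
                        p_damage_given_mslb=1.1e-5,   # Figure 2.2 core-damage probability
                        p_sgtr_given_mslb=0.034,      # total SGTR probability given MSLB
                        p_melt_given_sgtr=2.44e-2,    # weighted conditional, Section 2.5
                        p_operator_fail=0.5,          # operator fails to terminate
                        p_loss_pcs=0.5,               # loss of PCS given spillover
                        p_afw_fail=4e-5):             # auxiliary feedwater failure
    """Return the three branch frequencies, their doses, and the sequence totals."""
    mslb_melt = init_freq * p_mslb * p_damage_given_mslb
    sgtr_melt = init_freq * p_mslb * p_sgtr_given_mslb * p_melt_given_sgtr
    tml_melt = init_freq * p_operator_fail * p_loss_pcs * p_afw_fail
    result = {
        "mslb_core_melt": mslb_melt,
        "sgtr_core_melt": sgtr_melt,
        "transient_core_melt": tml_melt,
        "mslb_dose": dose_per_year(mslb_melt, MSLB_RELEASE),
        "sgtr_dose": dose_per_year(sgtr_melt, SGTR_RELEASE),
        "transient_dose": dose_per_year(tml_melt, TRANSIENT_RELEASE),
    }
    result["total_core_melt"] = mslb_melt + sgtr_melt + tml_melt
    result["total_dose"] = (result["mslb_dose"] + result["sgtr_dose"]
                            + result["transient_dose"])
    return result


def approx(actual: float, expected: float, rel: float = 0.01) -> bool:
    """Relative comparison; the report rounds each intermediate to 2 or 3 figures."""
    return abs(actual - expected) <= rel * abs(expected)


if __name__ == "__main__":
    r = overfill_sequence_2()
    for name, value in dose_table(r["mslb_core_melt"], MSLB_RELEASE):
        print(f"{name:6s} {value:.1E} man-rem/py")
    for key in ("mslb_core_melt", "sgtr_core_melt", "transient_core_melt",
                "total_core_melt", "total_dose"):
        print(f"{key:20s} {r[key]:.2E}")
```

The unrounded total dose (about 5.27E-05 man-rem/py) differs slightly from the report's 5.2E-05 because the report sums rounded intermediates; the SGTR branch accounts for well over 90 percent of both the core-melt frequency and the dose, which is the point made at the end of Section 3.7.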


4.0 REACTOR COOLANT SYSTEM OVERCOOL SEQUENCE NUMBER 1

This sequence involves a failure of a steam dump valve opening, initiating an overcooling of the primary coolant system. The initial conditions and plant response are discussed below.

4.1 INITIAL PLANT CONDITIONS FOR OVERCOOL SEQUENCE 1

The initial plant conditions assumed by INEL for this sequence are the plant at 102 percent reactor power and all control systems in automatic. The sequence is initiated by failing the steam dump valves to their open position.

This failure creates an increase in steam flow which reduces secondary pressure and causes a pressure surge back into the feed system that trips the main feedwater pump on low feedline pressure. This leads to a turbine trip, a reactor trip, and closure of the turbine stop valve.

The high initial power level was assumed in order to place the plant closer to the setpoints that actuate a reactor trip. The INEL analysis indicated that a plant overcool would not occur if the reactor did not trip. The sequence of events as postulated by INEL and the required time for each event to take place due to the steam dump valve failing open are shown in Table 4.1.

TABLE 4.1. Sequence of Events for Reactor Coolant System Overcool Sequence Number 1

  Time (s)   Event
  0.0        Steam dump valves opened.
  2.1        Main feedwater pump tripped on low feedline pressure. Turbine tripped, reactor tripped, and turbine stop valve closed.
  5.0        Low RCS pressure.
  45.0       Low pressurizer level, pressurizer heaters tripped off.
  90.0       Pressurizer emptied.
  95.0       Void started to form in upper plenum.
  110.0      Void started to form in reactor upper head region, void from upper plenum began to transfer to the upper head region.
  240.0      End of calculations.


The accident initiator as postulated by INEL thus involves no initial failure of the primary containment or cooling of the core. In fact, the overcooling of the primary system has led to significant shrinkage of the primary coolant, with subsequent draining of the pressurizer.

4.2 ACCIDENT PROGRESSION ANALYSIS FOR OVERCOOL SEQUENCE 1

Again, the WASH-1400 study concluded that rupture of the steam generator shell causing transient overcools was not sufficient in itself to lead to core-melt accidents. As with the previous scenarios examined, however, the lift of the steam relief valve can be modeled as a steam line break, which was considered as a precursor to core damage in the ORNL Precursor Study. Again, to be conservative, the valve lift will first be modeled as a main steam line break (MSLB). The probability of inducing a SGTR given the MSLB will then also be considered.

The other consideration is for the overcool scenario to lead to pressurized thermal shock and main vessel rupture that would preclude recovery from the accident. To investigate this, the potential for pressurized thermal shock and vessel failure was also examined to the extent possible at this time. The PTS program at ORNL is only now in the process of issuing a draft analysis of PTS events in the H.B. Robinson plant, so it is uncertain which of the scenarios examined best predicts the potential for vessel failure as it applies to the A-47 program. The preliminary information available at this time indicates that the cool-downs presented here would be bounded by the scenario involving lift of all five steam line valves and pressurization of the vessel with high pressure injection. The ramifications of PTS will be discussed after MSLB and SGTR are examined below.

Initiating Event. The failure mode that initiates this scenario is inadvertent opening of the steam dump valve while the reactor is at power. The median frequency of this failure is calculated by INEL to be 2.6E-07/py. This is based on an examination of the possible failures in the temperature instrumentation and solid-state control elements for the steam dump valve controller. The 90th percentile upper bound was put at 1.4E-06/py.

For the purposes of this examination, the INEL estimate of 2.6E-07/py will be used as representative of overcool from failures in the valve controller.

This issue is assumed to apply to the PORVs or steam dump valves downstream of the MSIVs rather than the safety relief valves on the secondary side. These are the only valves being instrumented for lift and closure, the SRVs being seated by spring pressure only. The PORVs also have operator actuated block valves upstream of the PORVs, making isolation of a failed PORV possible.

Continuation of this scenario as a MSLB then requires PORV lift, failure of the PORV to close, and failure of the operator to actuate the block valve or failure of the block valve itself to close on demand. An examination of Safety Issue 70, PORV and Block Valve Reliability, and Task Action Item II.K.3.2 indicates that the accepted values for these variables are as follows:

  frequency of PORV lift = 1/py

  p(failure of the PORV to close) = 0.02/demand

  p(failure of the operator to actuate the block valve) = 0.05

  p(failure of one block valve) = 0.005/demand.

In this case, it will be assumed that the failure postulated by INEL already precludes successful electronic signals for closure of the PORV. Thus the alternate failure pathway is via the operator or block valve, giving a failure probability of (0.05 + 0.005) = 0.055. Note that the 0.005 failure for one block valve should be multiplied by the total number of block valves on the generator, assumed to be one here.

Progression of the scenario as a MSLB then has the frequency of (2.6E-07/py)(0.055) = 1.43E-08/py. The upper bound is then (2.6E-01/py)(0.055) = 1.43E-02/py.

4.3 FREQUENCY OF CORE-MELT DUE TO OVERCOOL SEQUENCE 1 AND MSLB

Referring back to Figure 2.3, the probability of core damage given MSLB was put at 1.1E-05. The predicted frequency of core damage due to inadvertent valve lift is then estimated to be (2.6E-07/py)(0.055)(1.1E-05) = 1.57E-13/py. If no corrections are applied to distinguish between core damage and core-melt, the predicted frequency of core-melt is then 1.57E-13/py. Values this low are again considered to be negligible, but will be included for completeness.

4.4 PUBLIC RISK DUE TO OVERCOOL SEQUENCE 1 AND MSLB

Accident sequences for the Oconee PRA involving loss of the power conversion system, relief valve closure failure, and loss of long term decay heat removal or loss of high pressure injection are typically associated with PWR release categories 3, 5, and 7 with the probabilities of 0.5, 0.0073, and 0.5, respectively. This will be assumed to be applicable here. The public risk associated with these release categories is then developed below.

TABLE 4.2. Public Risk Associated with Reactor Coolant System Overcool Sequence 1

  Release     Probability   Man-rem/release   Frequency, 1/py   Man-rem/py
  Category
  PWR-3       0.5           5.4E+06           1.57E-13          4.2E-07
  PWR-5       0.0073        1.0E+06           1.57E-13          1.1E-09
  PWR-7       0.5           2.3E+03           1.57E-13          1.8E-10
  TOTAL                                                         4.2E-07

The total predicted man-rem exposure due to overfill sequence 1 is therefore on the order of 3.9E-08 man-rem /py.

4.5 CORE-MELT DUE TO OVERFILL INDUCED SGTR FOR OVERCOOL SEQUENCE 1

As with Sequence 2, the conditional probability of core-melt given SGTR is again taken as 2.44E-02.

In this sequence, the frequency of overfill with MSLB and SGTR is put at (2.6E-07/py)(0.055)(0.034) = 4.86E-10/py. Note that the relief valve postulated to lift in this scenario is again inboard of the MSIV. The potential then exists for failures to isolate the SG as in the previous overfill scenarios where a MSLB was postulated to occur above the MSIV. As a result, the same probability of progression to core-melt will be used here given SGTR. Using this new initiating frequency for SGTR, the total predicted frequency of core-melt due to this control system failure is then put at (4.86E-10/py)(2.44E-02) = 1.19E-11/py.

The public dose is again estimated by assuming PWR release category 2 at 4.8E+06 man-rem / core-melt. The results are summarized in Table 4.3 below.

TABLE 4.3. Public Dose Associated with Overcool Sequence 1, MSLB, and SGTR

                              A-47 PNL Analysis of Overfill Sequence 2 with SGTR
  Release     Man-rem         Core-melt/py          Man-rem/py
  Category    per event       Best Estimate         Best Estimate
  2           4.8E+06         1.19E-11              5.7E-05

The total public risk associated with Overcool Sequence 1 progressing to SGTR is then estimated at 5.7E-05/py.

4.6 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR OVERCOOL SEQUENCE 1

The total predicted core-melt frequency due to this issue is then the sum of the steam line break and SGTR scenarios, or (1.57E-13/py + 1.19E-11/py) = 1.21E-11/py. The predicted core-melt is again primarily associated with the SGTR assumption.

The total predicted dose associated with this scenario is then also the sum of the steam line break and SGTR scenarios, this being (4.2E-07 man-rem/py + 5.7E-05 man-rem/py) = 5.7E-05 man-rem/py. Again these values are considered negligible, but are given for completeness.


The other consideration is for the overcool scenario to lead to pressurized thermal shock and main vessel rupture that would preclude recovery from the accident. To investigate this, the potential for pressurized thermal shock and vessel failure was also examined to the extent possible at this time. The PTS program at ORNL is only now in the process of issuing a draft analysis of PTS events in the H.B. Robinson plant, so it is uncertain which of the scenarios examined best predicts the potential for vessel failure as it applies to the A-47 program. The preliminary information available at this time indicates that the cooldowns presented here would be bounded by the scenario involving lift of all five steam line valves and pressurization of the vessel with high pressure injection. The ramifications of PTS are discussed here, now that MSLB and SGTR have been examined above.

The resulting cooldown and pressurization with HPI is very similar to that predicted by this INEL Overcool Scenario 1. The overcool progresses to 200°F and pressurization to 1650 psi after 2 hours, giving a probability of vessel failure on the order of 1E-04.

The overall frequency of overcool initiation and vessel rupture for this scenario would then be estimated as the initiation frequency (2.6E-07/py) times some reasonable probability that the operator would fail to halt the PTS event by isolating the affected steam generator or reducing HPI flow (0.1), times the probability of PTS induced vessel rupture (1E-04). This gives an estimate of core-melt frequency of 2.6E-12/py, or approximately 24% of the core-melt frequency attributed to progression to MSLB and SGTR.

The indications are, however, that vessel failure probabilities are highly sensitive to the assumed vessel weld composition and neutron fluence. These calculations were done with a conservative reference nil ductility transition temperature of 270°F. Using actual H.B. Robinson data, this transition temperature is actually 130°F and the failure probability for this scenario is reduced to less than 1E-06. Using actual data, the contribution to core-melt frequency from PTS then becomes insignificant compared to MSLB and progression to SGTR.

The latter estimate is thought to be the best measure of risk due to PTS induced failures in the A-47 program. It is appropriate for conservative calculations to be used within the PTS program for evaluation and resolution of the PTS issue. However, these conservatisms should not be transferred back into related issues if undue weighting or influence of specific safety concerns is to be avoided in a calculation of relative risk. This best estimate then indicates that PTS plays a minimal role in core-melt and risk for the A-47 analysis of this overcool scenario in the Westinghouse H.B. Robinson PWR at this time.


5.0 REACTOR COOLANT SYSTEM OVERCOOL SEQUENCE NUMBER 2

This sequence involves a failure of a steam line power operated relief valve (PORV) opening, initiating an overcooling of the primary coolant system.

5.1 INITIAL PLANT CONDITIONS FOR OVERCOOL SEQUENCE 2

The initial plant conditions assumed by INEL for this sequence are the reactor in a hot shutdown condition with the reactor coolant pumps operating and a RCS temperature of 547°F. Rod control, pressure control, and feedwater control are in manual with all other parameters being controlled automatically.

The transient was initiated by failing the steamline PORVs open.

The sequence of events as postulated by INEL and the required time for each event to take place due to steam generator tube rupture are shown in Table 5.1.

TABLE 5.1. Sequence of Events for Reactor Coolant System Overcool Sequence Number 2

  Time (s)   Event
  0.0        Steamline PORVs begin to open.
  1.0        Steamline PORVs are fully open.
  3.0        Combined PORV flows peak at 832 lbm/s.
  13.0       Primary to secondary heat transfer rate increased from 8 MW to 260 MW.
  14.9       Safety injection actuation signal (SIAS) on one out of three high steam header to steamline pressure differential (100 psid). Main feedwater (MFW) pumps tripped. Motor driven auxiliary feedwater (MAFW) pumps initiated.
  15.0       Steamline PORV combined flow at 655 lbm/s.
  113.0      Primary to secondary heat transfer rate began decreasing due to change from subcooled to saturated nucleate boiling.
  230.0      Reactor vessel downcomer temperature had decreased 100°F from the initial value.
  250.0      End of calculation.


The accident initiator as postulated by INEL thus involves no initial failure of the primary containment or cooling of the core. In fact, the overcooling of the primary system has led to significant shrinkage of the primary coolant, with subsequent draining of the pressurizer.

The results of the analysis performed by INEL demonstrate that when the reactor is subcritical, a failure that results in the removal of energy in excess of that being added by the RCPs will cause a RCS cooldown.

A detailed discussion of the accident progression analysis follows.

5.2 ACCIDENT PROGRESSION ANALYSIS FOR REACTOR COOLANT SYSTEM OVERCOOL SEQUENCE 2

As with the previous overcool scenario examined, the lift of the steam relief valve can be modeled as a steam line break, which was considered as a precursor to core damage in the ORNL Precursor Study. Again, to be conservative, the valve lift will first be modeled as a main steam line break (MSLB). The probability of inducing a SGTR given the MSLB will then also be considered.

The potential for main vessel rupture with the overcool event was also considered, but like overcool sequence 1, the probability of this was put at zero.

This scenario is very similar to reactor coolant system overcool sequence number 1. In both cases, failing open of steam relief valves caused excessive reactor coolant system overcool. The basic difference is that in overcool sequence number 1 the plant was at 102 percent power while in sequence number 2 it was in hot shutdown. Both of these scenarios have been modeled as a steam line break in the ORNL Precursor Study (1982) and also in the INPO review of the ORNL Study (INPO 1982).

The generic event tree shown in Figure 5.1 used for this sequence will be similar to that used for overcool sequence 1, as shown in Figure 4.2.

The basic sequence of events following the initiation of this transient is similar to overcool sequence number 1. The only difference is that no reactor trip is required (the plant is already shut down). The net result, however, is the same, giving a probability of core damage of 1.1E-05 given the initiating event.

Initiating Event. The failure mode that initiates this scenario is the failing open of the steamline relief valves. The median frequency of this failure is calculated by INEL to be 1.8E-02/py. This estimate is based on the examination of the possible failures in the solid state devices used in the steam dump controller and in the turbine EHC or in the steamline PORV control circuit. For the purposes of this study the INEL estimate of 1.8E-02/py will be used. The 90th percentile upper bound is put by INEL at 5.0E-02/py.

This scenario again assumes a control system failure opening a PORV on the secondary side. The same failure probability of (0.05 + 0.005) = 0.055 for the operator or block valve to fail to isolate the PORV is then used.


FIGURE 5.1. Overcool Sequence 2 Event Tree (figure not reproduced in this text; column headings legible in the scan: Initiating Event, St. Gen PORV Opened, AFWS, PORV or Isolation Valve Closure, HPI, Second PORV Closure, Long Term Core-Heat Removal, Core-Melt?; core-melt end states legible as 5.8E-6, 6.7E-7, 1.6E-6 and 3.4E-6)


Note again that the 0.005 failure for one block valve should be multiplied by the total number of block valves on the generator, assumed to be one here.

Progression of the scenario as a MSLB then has the frequency of (1.8E-02/py)(0.055) = 9.90E-04/py.

5.3 FREQUENCY OF CORE-MELT DUE TO OVERCOOL SEQUENCE 2 AND MSLB

The predicted frequency of core damage due to failing open of the steamline relief valve is estimated to be (1.8E-02/py)(0.055)(1.1E-03) = 1.09E-06/py. If no corrections are applied to distinguish between core damage and core-melt, the predicted frequency of core-melt is then 1.09E-08/py.

5.4 PUBLIC RISK DUE TO OVERCOOL SEQUENCE 2 AND MSLB

Accident sequences for the Oconee PRA involving loss of the power conversion system, relief valve closure failure, and loss of long term decay heat removal or loss of high pressure injection are typically associated with PWR release categories 3, 5, and 7 with the probabilities of 0.5, 0.0073, and 0.5, respectively. This will be assumed to be applicable here. The public risk associated with these release categories is then developed below.

TABLE 5.2. Public Risk Associated with Reactor Coolant System Overcool Sequence 2

Release Category   Probability   Man-rem/release   Frequency, 1/py   Man-rem/py
PWR-3              0.5           5.4E+06           1.09E-06          2.9E-02
PWR-5              0.0073        1.0E+06           1.09E-06          8.0E-05
PWR-7              0.5           2.3E+03           1.09E-06          1.3E-05
TOTAL                                                                2.9E-02

The total predicted man-rem exposure due to overfill sequence 2 is therefore on the order of 2.9E-02 man-rem/py.

5.5 CORE-MELT DUE TO OVERFILL INDUCED SGTR FOR OVERCOOL SEQUENCE 2

As with Sequence 1, the conditional probability of core-melt given SGTR is again taken as 2.44E-02.


In this sequence, the frequency of overfill with MSLB and SGTR is put at (1.8E-02/py)(0.055)(0.034) = 3.37E-05/py. Using this new initiating frequency for SGTR, the total predicted frequency of core-melt due to this control system failure is then put at (3.37E-05/py)(2.44E-02) = 8.22E-07/py.

The public dose is again estimated by release category 2 at 4.8E+06 man-rem/core-melt. The results are summarized in Table 5.3 below.

TABLE 5.3. Public Dose Associated with Overcool Sequence 2, MSLB, and SGTR

A-47 PNL Analysis of Overfill Sequence 2 with SGTR

Release    Man-rem     Release core-melt/py   Man-rem/py
Category   per event   Best Estimate          Best Estimate
2          4.8E+06     8.22E-07               3.9E+0

The total public risk associated with Overcool Sequence 2 progressing to SGTR is then estimated at 3.9E+0/py.

5.6 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR OVERCOOL SEQUENCE 2

The total predicted core-melt frequency due to this issue is then the sum of the steam line break and SGTR scenarios, or (1.09E-08/py + 8.22E-07/py) = 8.33E-07/py. The predicted core-melt is again primarily associated with the SGTR assumption.

The total predicted dose associated with this issue is then also the sum of the steam line break and SGTR scenarios, this being (1.9E-02 man-rem/py + 3.9E+0 man-rem/py) = 3.9E+0 man-rem/py.


6.0 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUMBER 1

This sequence involves failures of the letdown flow and PORV valves in a PWR during cold shutdown, resulting in continued charging and pressurization of the pressure vessel.

6.1 INITIAL PLANT CONDITIONS FOR OVERPRESSURE SEQUENCE 1


The initial plant conditions assumed by INEL had the reactor shutdown with the RCS liquid solid at 100°F and 365 psig. One charging pump was in operation providing 77 gpm flow throughout the transient. The transient was initiated with a power failure that simultaneously closed the letdown valve and failed one PORV. An additional failure was that the second PORV also failed to open when the pressure exceeded the low temperature mode setpoint of 415 psia.

The sequence of events as postulated by INEL and the required time for each event to take place are shown in Table 6.1.

TABLE 6.1. Sequence of Events for Overpressure Sequence Number 1

Time (s)   Event
0.0        Transient initiated by isolation of letdown valve and failure of one PORV
10.5       Failure of second PORV
105        Calculation terminated

The accident initiator as postulated by INEL thus involves no initial failure of the primary containment or cooling of the core.

6.2 ACCIDENT PROGRESSION ANALYSIS FOR OVERPRESSURE SEQUENCE 1

The Westinghouse system uses both centrifugal and reciprocating charging pumps. The 2 centrifugal pumps provide 2 x 75 = 150 gpm at 2800 psig, and the 1 reciprocating pump provides 58 gpm at 3200 psig. In addition, the following reactor coolant system design pressures apply:

hydrostatic test pressure   3110 psig
design pressure             2485 psig
safety valves               2485 psig
PORVs                       2335 psig

In this scenario as defined by INEL, one charging pump is running supplying 77 gpm. This implies that it is one centrifugal pump supplying the feed, with a maximum pressure head of 2800 psig. Failure of the letdown and 2 PORVs would then bring the system past the PORV lift pressure of 2335 psig to the safety valve set point of 2485 psig. The controlled lift of any SRV would then end the overpressure transient.

The potential then exists for pressurized thermal shock (PTS) to cause vessel failure. Such vessel failures are typically assumed to be catastrophic, leading directly to core-melt. Note that if PTS-induced vessel failure does not occur, no safety consequences are expected as a result of this scenario.

The NRC is currently funding a program at Oak Ridge National Laboratory (ORNL) to examine PTS related issues in PWRs, including the H.B. Robinson plant as a representative Westinghouse plant. The results have not yet been published, but a review of applicable information is possible for inclusion in the A-47 program at this time. A similar overpressure type of scenario in the H.B. Robinson plant was considered, with overpressure to 2200 psig and instantaneous drop in temperature to various levels. Again using a nil ductility transition temperature of 270 degrees F as discussed in Chapter 4, vessel failure probabilities on the order of 2E-02 were obtained for a vessel temperature of 150 degrees. This failure probability dropped to 4E-09 at 350 degrees.

Again as discussed in Chapter 4, the actual nil ductility transition temperature for H.B. Robinson is on the order of 130 degrees F. ORNL expects vessel failure probabilities to drop several orders of magnitude if 130 degrees is used versus 270 degrees. It will then be assumed that the vessel failure probability for this overpressure scenario postulated for the A-47 program is on the order of 2E-04 using the more realistic plant data.

A core-melt frequency can then be estimated by considering the initiating event frequency, a probability that the operator fails to manually terminate the overpressure, and the probability of PTS vessel failure. The probability of the operator to fail to terminate the scenario will be estimated at 0.1 here, given the consistent information available. An estimate of the core-melt frequency is then put at (1.5E-07/py)(0.1)(2E-04) = 3.0E-12/py.

Public risk will be assumed to be associated with PWR Release Category 3 at 5.4E+06 man-rem per event, giving a public dose of (3.0E-12/py)(5.4E+06 man-rem) = 1.6E-05 man-rem/py.

Again, these frequencies are considered to be so low as to be negligible. They will be included only for completeness.


7.0 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUMBER 2

This sequence involves failures of the safety injection electronics that cause a spurious SI initiation signal during plant startup.

7.1 INITIAL PLANT CONDITIONS FOR OVERPRESSURE SEQUENCE 2

The initial plant conditions assumed by INEL had the reactor at startup with the RCS temperature at 350°F and pressure at 265 psia. During startup, the PORVs and SRVs are disabled until a system temperature of approximately 470°F is reached. A spurious initiation of high pressure safety injection thus results in a pressure rise that exceeds the Technical Specification temperature-pressure limit.

The sequence of events as postulated by INEL and the required time for each event to take place are shown in Table 7.1.

TABLE 7.1. Sequence of Events for Overpressure Sequence Number 2

Time (s)   Event
0          SI spurious signal
6          Accumulator isolation valves fully opened
10         High head SI discharge valves fully opened
13         Accumulator check valves closed
16         Pressure limit exceeded for existing RCS temperature
192        Calculation terminated

The accident initiator as postulated by INEL thus involves no initial failure of the primary containment or cooling of the core.

7.2 ACCIDENT PROGRESSION ANALYSIS FOR OVERPRESSURE SEQUENCE 2

The Westinghouse PWR uses two centrifugal charging pumps for the high head safety injection (SI) function, with suction from the boron injection tank. The 2 centrifugal pumps provide 2 x 75 = 150 gpm at 2800 psig. (In addition, the charging system has 1 reciprocating pump which provides 98 gpm at 3200 psig which is not used for high head SI).

The pumps from the Residual Heat Removal System (RHRS) are used for the dual purpose of low head SI as well as heat removal. These 2 pumps have a design pressure of 600 psig, with a design flow of 3000 gpm. Operation of the RHRS is typically initiated at pressures and temperatures of approximately 425 psig and 350°F, respectively.

The following reactor coolant system design pressures apply:

hydrostatic test pressure   3110 psig
design pressure             2485 psig
safety valves               2485 psig
PORVs                       2335 psig

In this scenario as defined by INEL, the plant is in startup mode, which implies that the PORVs are disabled until the system reaches 470°F. The system pressure exceeds that of the low head SI contribution from the RHRS pumps as pointed out by INEL. Thus, only the centrifugal charging pumps are of importance.

It is assumed that both charging pumps are running, with a maximum pressure head of 2800 psig. Disabling of the PORVs would then bring the system past the PORV lift pressure of 2335 psig, then past the safety valve set point of 2485 psig. The controlled lift of any SRV would then end the overpressure transient, with the vessel pressure oscillating about the SRV set point, likely in the 2200 to 2485 psig range.

As developed in the previous chapter, the potential then exists for pressurized thermal shock (PTS) to cause vessel failure leading directly to core-melt.


Again relying on information from the PTS program at ORNL, the vessel failure probability for an overpressurization at 2200 psig at 350 degrees F was put at 4E-09 with a conservative nil ductility transition temperature of 270 degrees F. Again as discussed in Chapter 4, the actual nil ductility transition temperature for H.B. Robinson is on the order of 130 degrees. It will then be assumed that the vessel failure probability for this overpressure scenario postulated for the A-47 program is on the order of 4E-11 using the more realistic plant data. Probability estimates this low can essentially be considered insignificant, but again will be carried through to core-melt for completeness and comparison to the other contributors to risk being considered in the A-47 program.

A core-melt frequency can then be estimated by considering the initiating event frequency, a probability that the operator fails to manually terminate the overpressure, and the probability of PTS vessel failure. The probability of the operator to fail to terminate the scenario will again be estimated at 0.1 as in the previous overpressure scenario, given the consistent information available.

An estimate of the core-melt frequency is then put at (3.7E-04/py)(0.1)(4E-11) = 1.5E-15/py.


Public risk will again be assumed to be associated with PWR Release Category 3 at 5.4E+06 man-rem per event, giving a public dose of (1.5E-15/py)(5.4E+06 man-rem) = 8.1E-09 man-rem/py.


Again, these frequencies are considered to be so low as to be negligible. They will be included only for completeness.


8.0 STEAM GENERATOR TUBE RUPTURE SEQUENCE NUMBER 1

This sequence involves opening a break in one steam generator tube adjacent to the cold leg tube sheet. Additionally, a complete loss of offsite power is also analyzed as an aggravating failure.

8.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR TUBE RUPTURE SEQUENCE 1

The initial plant conditions for Steam Generator Tube Rupture Sequence Number 1 are assumed to be that the plant was at 102 percent reactor power, the RCS pressure was 2280 psia, and all systems were controlling in automatic.

No system failure modes were identified by INEL for initiating a steam generator tube rupture. Therefore, it was assumed by INEL that this sequence is initiated by opening a break in one steam generator (SGA) tube adjacent to the cold leg tube sheet. A complete loss of offsite power was also analyzed by INEL as an aggravating failure.

The sequence of events as postulated by INEL and the required time for each event to take place due to steam generator tube rupture are shown in Table 8.1.

TABLE 8.1. Sequence of Events for Steam Generator Tube Rupture Sequence Number 1

Time (s)   Event
0.0        Transient initiated by opening a break in one steam generator tube in SGA adjacent to the cold leg tube sheet. Additionally, a complete loss of offsite power was assumed.
           Turbine tripped.
           Reactor tripped.
           RCPs tripped.
           MFW pumps tripped.
           Condensate pumps tripped.
           Pressurizer heaters tripped.
1.0        Control rod banks begin insertion. Turbine stop valves closed.
3.6        All control rod banks fully inserted.
7.5        MFW valves closed.
8.0        Steam dump valves closed for remainder of transient.
10.0       Motor driven AFW system valves fully opened.
21.2       Turbine driven AFW initiated on 2/3 low-low steam generator NR levels (15 percent).
65.0       SGA PORV pressure setpoint (1050 psia) reached. PORV sticks in the fully opened position.
81.0       SGA secondary system pressure lowest of three SGs. All AFW preferentially flowed into SGA.
86.9       SIAS initiated due to steam header pressure 100 psi higher than SGA steam line pressure.
250.0      Pressurizer empty.
360.0      Reactor vessel upper head began voiding.
388.3      MSIVs closed on 2/3 low primary coolant loop temperatures (<543°F).
589.0      57000 lbm released to atmosphere through stuck open SGA PORV.
660.0      AFW sources to SGA manually isolated.
780.0      Calculation terminated.
           Primary to secondary mass = 46040 lbm
           Secondary to atmosphere mass = 69394 lbm
           Average break flow rate = 58.6 lbm/s
           Average PORV flow rate (60 s) = 63.5 lbm/s
           Estimated time for break flow into SGA to reach 70000 lbm = 1190 s
           Estimated mass discharged to atmosphere by 1190 s = 95429 lbm

A detailed discussion of the analysis of accident progression to core-melt follows.

8.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR TUBE RUPTURE SEQUENCE 1

The initiating events defined by INEL for this event already include the failure of some highly important systems, primarily the loss of offsite power.

As a result, the bounding sequence leading to core-melt will be the failure of the emergency electrical power supplies needed for the core spray systems.

This has been done in Figure 8.1, including a simplified version of the response of safety injection systems to demonstrate that the emergency power branch does bound the problem when coupled with the failure data presented below. This will be used rather than the more extensive event tree from the Zion plant presented earlier.

Note that the steam generator tube break (rupture) has been analyzed in the ORNL Precursor Study (Minarick, J. W. and C. A. Kukielka, 1982) and also in the INPO review of the ORNL's Study (INPO 1982). Therefore, in both studies the initiating event is simply "steam generator tube rupture," with no system failure modes identified which would cause the rupture.

In the ORNL assessment, failure of safety injection was assumed to lead to core damage. However, INPO's assessment shows that isolation of the affected steam generator and successful operation of charging and isolation of letdown is sufficient to cope with the loss of safety injection.

One other possibility in this analysis is the RCS overcool due to a stuck open steamline PORV. This scenario has already been analyzed and is of secondary concern compared to steam generator tube rupture. As has already been mentioned, the main concern here is to stop the break flow to limit the release of radioactive coolant to the atmosphere. Therefore, no attempt has been made to analyze these aggravating side effects.

The specific steps of the tree are described further below.

Initiating Event. The INEL initiating frequency of 2E-03/py considers only the loss of off-site power (LOOP) with PORV lift. Again, INEL did not identify any failure mechanism that would result in a SGTR given this event. The pressure transient is within design specifications of new SG tubes, and as such would normally not present a credible event to cause rupture. However, the potential certainly exists for degraded tubes to be present in a plant after operation has begun. As a result, two cases should be considered to estimate the frequency of a coincident SGTR with LOOP and PORV lift: the first would be a LOOP and PORV lift which in turn causes a SGTR, and the second a SGTR with LOOP and PORV lift occurring during the recovery period following the SGTR. These will be developed further below.

Case 1 will consider the probability of causing a SGTR following LOOP and PORV lift with a frequency of 2E-03/py. The probability of SGTR used previously was for SGTR following a MSLB, put at 0.034 for single and multiple tube rupture. The probability of a single tube rupture only was 0.017. In this case, the PORV lift could be expected to represent a less severe pressure transient than a full MSLB. It is proposed that a failure probability of (0.1)(0.034) = 0.0034 be used for single or multiple tube ruptures, and 0.0017 for a single tube rupture following PORV lift. Although INEL modeled a single rupture, the 0.0034 value will be used here as more representative of the estimate of SGTR in general. The frequency of LOOP, PORV lift, and SGTR is then estimated to be on the order of (2E-03/py)(0.0034) = 6.8E-06/py.

FIGURE 8.1. Steam Generator Tube Rupture Event Tree Sequence 1 (figure not reproduced in this text; headings and values legible in the scan: SGTR With Loss of Offsite Power 6.95E-06/py; Emergency Power 1.8E-03; Safety Injection 1.3E-3; STG Isolation 0.01; Charging Operates and Letdown Isolates 0.01; core-melt end states 1.25E-08, 9.04E-11 and 9.04E-11; total 1.27E-08/py)

For Case 2, the potential for a LOOP and PORV lift during a 24 hour period following SGTR will be considered. The frequency of random SGTRs was assumed to be 0.022/py in NUREG-0844. Using the INEL value of 7008 hrs/py, the frequency of SGTR followed by LOOP and PORV lift during a 24 hour recovery period is then (0.022 SGTR/py)(2E-03 LOOP with PORV lift/py)(1 py/7008 hrs)(24 hrs) = 1.5E-07/py.

The sum of both cases is then (6.8E-06/py + 1.5E-07/py) = 6.95E-06/py.

This will be used as an estimate of the frequency of this event driven by the control system failures of interest.

Emergency Power. Since a complete loss of offsite power is also assumed in this scenario, the startup of the emergency power is required for operation of safety systems. The failure probability of emergency power to start is assumed to be 1.8E-03. This estimate is obtained from the ORNL study (Minarick, J. W. and C. A. Kukielka, 1982). It is assumed that steam generator tube rupture has no effects on the functionability of the emergency power.

Safety Injection. The failure probability of the safety injection system is assumed by both the ORNL and the INPO study to be 1.3E-03. Failure of safety injection to operate during a tube rupture event would not necessarily lead to core damage. Since the affected steam generator can be isolated, the loss of primary coolant can be curtailed. With steam generator isolation, proper operation of charging and letdown would prevent core damage.

Ruptured Steam Generator Isolation. This step requires both closure of the isolation valve to the affected generator, and isolation of the feedwater flow.

The probability of failure to isolate the affected steam generator was estimated to be 0.1 by the ORNL study. INPO has however argued that isolation of the affected steam generator is a step in the tube rupture procedure and should be accomplished with a higher reliability than 0.9. For a well-recognized procedural step, a reliability of 0.99 is suggested by INPO. This will be used here.

Charging Operates and Letdown Isolates. The proper operation of charging and letdown, combined with steam generator isolation, can prevent core damage even if the safety injection system has failed. The failure probability to properly operate charging and letdown is estimated by INPO to be 0.01. This estimate is used in this analysis.

8.3 FREQUENCY OF CORE-MELT DUE TO TUBE RUPTURE SEQUENCE 1

The predicted frequency of core damage due to failing open of the steamline relief valve is estimated to be 1.27E-08/py, with over 98% of this due simply to failure of emergency electric power. If no corrections are applied to distinguish between core damage and core-melt, the predicted frequency of core-melt is then 1.27E-08/py. As can be seen, the failure of emergency electric power does dominate this probability. The upper bound is then on the order of 3.65E-10/py.
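The branch arithmetic behind Figure 8.1 and the statement that over 98% of the core-melt frequency comes from emergency power can be checked with a small event-tree evaluator. The Python below is an added example written for this page; it is not code from the PNL report or the INEL analysis. It takes the branch values as read from the figure and Sections 8.2 to 8.4 (initiating frequency 6.95E-06/py, emergency power 1.8E-03, safety injection 1.3E-03, steam generator isolation 0.01, charging and letdown 0.01, Release Category 1 at 5.4E+06 man-rem per core-melt); the tree layout is my reading of the figure and is an assumption. Unlike the hand-drawn figure, the evaluator carries the success complement (1 minus the failure probability) down every branch, so the two small end states come out slightly below the 9.04E-11 shown, and the total still rounds to 1.27E-08/py.

```python
"""Event-tree evaluation for SGTR Sequence 1 (added example; branch values
read from Figure 8.1 and Sections 8.2-8.4 of the report; the tree layout
below is an assumption based on the figure)."""

from typing import Dict, List, Tuple, Union

CORE_MELT = "CORE_MELT"
OK = "OK"

# A node is either a terminal end state (CORE_MELT / OK) or a dict naming the
# system questioned, its failure probability, and the sub-tree for each outcome.
Node = Union[str, Dict[str, object]]

# Tree as read from Figure 8.1. The loss of offsite power is folded into the
# initiating frequency, as the figure's first column suggests (assumption).
SGTR_SEQ1_TREE: Node = {
    "name": "Emergency Power",
    "fail": 1.8e-3,                 # ORNL precursor study value (Section 8.2)
    "on_fail": CORE_MELT,           # no AC power for any injection system
    "on_success": {
        "name": "Safety Injection",
        "fail": 1.3e-3,             # ORNL / INPO value
        "on_success": OK,
        "on_fail": {
            "name": "STG Isolation",
            "fail": 0.01,           # INPO: 0.99 reliability for a procedural step
            "on_fail": CORE_MELT,
            "on_success": {
                "name": "Charging Operates and Letdown Isolates",
                "fail": 0.01,       # INPO estimate
                "on_fail": CORE_MELT,
                "on_success": OK,
            },
        },
    },
}

INITIATING_FREQ_PER_PY = 6.95e-6     # Case 1 + Case 2 (Section 8.2)
RELEASE_CATEGORY_1_MAN_REM = 5.4e6   # man-rem per core-melt (Section 8.4)

# (systems that failed on this path, frequency in 1/py, core-melt end state?)
EndState = Tuple[Tuple[str, ...], float, bool]


def end_states(node: Node, freq: float, failed: Tuple[str, ...] = ()) -> List[EndState]:
    """Walk the tree, multiplying the initiating frequency down each branch.

    The success branch carries (1 - fail), which the figure omits; the
    difference is negligible here but matters for large failure probabilities."""
    if isinstance(node, str):
        return [(failed, freq, node == CORE_MELT)]
    name, p_fail = str(node["name"]), float(node["fail"])
    fail_paths = end_states(node["on_fail"], freq * p_fail, failed + (name,))
    ok_paths = end_states(node["on_success"], freq * (1.0 - p_fail), failed)
    return fail_paths + ok_paths


def core_melt_frequency(tree: Node, initiating: float) -> float:
    """Sum of all end states flagged as core-melt, in 1/py."""
    return sum(f for _, f, melt in end_states(tree, initiating) if melt)


def fraction_due_to(tree: Node, initiating: float, system: str) -> float:
    """Share of the core-melt frequency contributed by paths on which `system` failed."""
    paths = end_states(tree, initiating)
    total = sum(f for _, f, melt in paths if melt)
    return sum(f for failed, f, melt in paths if melt and system in failed) / total


def public_dose(core_melt_per_py: float, man_rem_per_event: float) -> float:
    """Expected dose in man-rem/py when a single release category is assumed."""
    return core_melt_per_py * man_rem_per_event


if __name__ == "__main__":
    for failed, f, melt in end_states(SGTR_SEQ1_TREE, INITIATING_FREQ_PER_PY):
        label = "MELT" if melt else "OK  "
        print(f"{label} {f:9.3e}/py  failed: {', '.join(failed) or '-'}")
    cm = core_melt_frequency(SGTR_SEQ1_TREE, INITIATING_FREQ_PER_PY)
    share = fraction_due_to(SGTR_SEQ1_TREE, INITIATING_FREQ_PER_PY, "Emergency Power")
    print(f"core-melt frequency : {cm:.3e}/py")
    print(f"from emergency power: {share:.1%}")
    print(f"public dose         : {public_dose(cm, RELEASE_CATEGORY_1_MAN_REM):.3e} man-rem/py")
```

Because `end_states` returns every path, the frequencies of all five end states sum back to the initiating frequency, which is a quick consistency check on any hand-drawn tree before its numbers are carried into a dose estimate.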


8.4 PUBLIC RISK DUE TO TUBE RUPTURE SEQUENCE 1

Given the total failure of electric power supply, the worst case release category 1 will simply be assumed, with the highest associated public dose of 5.4E+06 man-rem/core-melt. The resulting public dose is then (1.27E-08/py)(5.4E+06 man-rem) = 6.86E-02 man-rem/py.

8.5 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR SGTR SEQUENCE 1

The total core-melt frequency predicted as a result of this issue is again 1.27E-08/py.

The total predicted dose associated with this issue is then 6.86E-02 or 6.9E-02 man-rem /py.


9.0 STEAM GENERATOR TUBE RUPTURE SEQUENCE NUMBER 2

The initiating failure for this transient is similar to that of steam generator tube rupture sequence 1. A tube rupture is assumed to occur to initiate the event. As before, no system failures could be identified by INEL that could cause a tube rupture. The aggravating system failures assumed for this sequence are a failure that results in an increase in feedwater flow to the steam generator with the rupture and a failure that sticks the affected steam line PORV open when it initially opens to relieve the increasing steam generator pressure.

9.1 INITIAL PLANT CONDITIONS FOR STEAM GENERATOR TUBE RUPTURE SEQUENCE 2

The initial plant conditions for Steam Generator Tube Rupture Sequence Number 2 are the same as the previous scenario. It is assumed that the plant is at 102 percent reactor power, the RCS pressure was 2280 psia, and all control systems are in automatic. A tube rupture is assumed to initiate this transient.

The aggravating failures considered include an increase in feedwater flow to the affected steam generator, and a stuck open steam line PORV.

The INEL analysis showed that at 60 seconds the break flow rate was 89.5 lbm/s and the feedwater flow rate into the affected steam generator was 1116.8 lbm/s, which results in a total flow of 1206.3 lbm/s into the steam generator.

The only mass being removed from the SG is due to steam flow which was calculated at 996.8 lbm/s. Therefore, the net effect on the SG is an increase in mass of 209.5 lbm/s which corresponds to a rate of increase of 0.4 percent/s in the SG water level. The analysis for the steam generator tube rupture sequence number 1 showed that the PORV opening at 65 seconds after loss of offsite power would result in an immediate reactor trip and turbine trip. For sequence number 2 the turbine trip occurs at 61 seconds from high SG level and the reactor trip would be actuated from the turbine trip. The exact time of the PORV actuation could not be determined by INEL, but it was postulated to occur after water enters the steamline at 123 seconds.

The remainder of this sequence is expected to be similar to steam generator tube rupture sequence number 1. A more detailed discussion of the analysis done on accident progression to core-melt follows below.

9.2 ACCIDENT PROGRESSION ANALYSIS FOR STEAM GENERATOR TUBE RUPTURE SEQUENCE NUMBER 2

Similar to the previous steam generator tube rupture scenario, several aggravating failures were considered in this tube rupture scenario. These were an increase in feedwater flow to the steam generator and also a stuck open steam line PORV. There are no direct common mode failures for these two modes; however, there is a possibility that the steam generator overfill which was aggravated by the high feedwater flow rate could result in two phase flow or a water slug being discharged out of a steamline safety valve. This could cause chattering or valve damage, reducing the reliability of the valve to re-seat. Again as was developed in the BWR analysis, the available information indicates that chattering may occur but no reduction in valve reliability has been detected at present. Standard accepted values for PORV performance will therefore be used.

Initiating Event. As with the previous chapter, the INEL initiating frequency of 3.2E-03/py considers only the feedwater increase with PORV lift. INEL did not identify any failure mechanism that would result in a SGTR given this event.

However, the potential again exists for degraded tubes to be present in a plant after operation has begun. As a result, two cases will again be considered to estimate the frequency of a coincident feedwater increase with PORV lift and SGTR: the first would be a feedwater increase and PORV lift which in turn causes a SGTR, and the second a SGTR with feedwater increase and PORV lift occurring during the recovery period following the SGTR. These will be developed further below.

Case 1 will consider the probability of causing a SGTR following feedwater increase and PORV lift with a frequency of 3.2E-03/py. The 0.0034 value will be used here as more representative of the estimate of SGTR in general following PORV lift, again a factor of 10 less than the 0.034 used in previous chapters for SGTR following a MSLB. The frequency of feedwater increase, PORV lift, and SGTR is then estimated to be on the order of (3.2E-03/py)(0.0034) = 1.09E-05/py.

For Case 2, the potential for a feedwater increase and PORV lift during a 24 hour period following SGTR will be considered. The frequency of random SGTRs was assumed to be 0.022/py in NUREG-0844. Using the INEL value of 7008 hrs/py, the frequency of SGTR followed by feedwater increase and PORV lift during a 24 hour recovery period is then (0.022 SGTR/py)(3.2E-03 LOOP with PORV lift/py)(1 py/7008 hrs)(24 hrs) = 2.41E-07/py.

The sum of both cases is then (1.09E-05/py + 2.41E-07/py) = 1.11E-05/py.

This will be used as an estimate of the frequency of this event driven by the control system failures of interest.

Note that the INEL estimate is based on a feedwater failure contribution of 8.8E-06/hr and a valve lift contribution of 5.2E-02/hr over a period of 7008 hrs, or (7008 hr/py)(5.2E-02)(8.8E-06)/hr = 3.2E-03/py. The valve failure frequency includes a factor for failure open of 2E-02/demand, thus dominating the contribution of PORV or relief valve lift. This however assumes that a demand signal for valve lift will be generated with the feedwater increase, with the PORV then sticking open. This assumption may have been appropriate for SGTR Sequence 1, where a LOOP would most likely result in a PORV lift due to rising pressure. It is highly uncertain if such is the case for a scenario initiated by feedwater increase as with Case 1 considered above for SGTR Sequence 2. It is thought that an active control failure, likely on the order of 1E-06/hr, would be required here for coincident PORV lift. For Case 2, however, initiated by a SGTR, a PORV lift could be expected. As a result, the Case 1 frequency of 1.09E-05/py is thought to actually be much lower. The Case 2 frequency of 2.41E-07/py is then thought to be a more correct estimate of the initiating frequency for SGTR Sequence 2.

This uncertainty is noted, but the original INEL frequencies will be used to estimate risk.
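The two-case initiating frequency used in Section 8.2 for Sequence 1 and again above for Sequence 2 (an aggravating control-system event that ruptures a degraded tube, plus a random SGTR followed by the event inside a recovery window) is the same calculation with different inputs, and the Case 1 versus Case 2 sensitivity just noted falls out of it directly. The Python below is an added example written for this page, not code from the PNL report or the INEL analysis. It uses the report's inputs (7008 hrs/py, 0.022/py random SGTR from NUREG-0844, 0.0034 for SGTR given PORV lift, a 24 hour recovery window, and the hourly rates behind INEL's 3.2E-03/py); the function names are mine, and the recovery window is passed as a parameter so the report's 24 hour assumption can be varied.

```python
"""Coincident-initiator frequency for the SGTR sequences (added example, not
part of the PNL report). Inputs are the report's values; the functions and
their names are mine."""

HOURS_PER_PY = 7008.0            # INEL operating hours per plant-year
RANDOM_SGTR_PER_PY = 0.022       # NUREG-0844 random tube rupture frequency
P_SGTR_GIVEN_PORV_LIFT = 0.0034  # (0.1)(0.034): PORV lift is milder than a MSLB


def aggravating_event_per_py(rate_a_per_hr: float, rate_b_per_hr: float,
                             hours: float = HOURS_PER_PY) -> float:
    """INEL's initiating frequency for two coincident hourly contributions,
    e.g. feedwater increase (8.8E-06/hr) with PORV lift (5.2E-02/hr)."""
    return hours * rate_a_per_hr * rate_b_per_hr


def case1_event_induces_sgtr(aggravating_per_py: float,
                             p_sgtr: float = P_SGTR_GIVEN_PORV_LIFT) -> float:
    """Case 1: the control-system event occurs and itself ruptures a degraded tube."""
    return aggravating_per_py * p_sgtr


def case2_sgtr_then_event(aggravating_per_py: float, window_hours: float = 24.0,
                          sgtr_per_py: float = RANDOM_SGTR_PER_PY,
                          hours_per_py: float = HOURS_PER_PY) -> float:
    """Case 2: a random SGTR occurs and the event follows inside the recovery
    window. The window is expressed as the fraction of a plant-year it covers."""
    return sgtr_per_py * aggravating_per_py * (window_hours / hours_per_py)


def coincident_sgtr_per_py(aggravating_per_py: float, window_hours: float = 24.0) -> float:
    """Total initiating frequency for 'aggravating event with SGTR' (both cases)."""
    return (case1_event_induces_sgtr(aggravating_per_py)
            + case2_sgtr_then_event(aggravating_per_py, window_hours))


def core_melt_and_dose(initiating_per_py: float, p_conditional_melt: float,
                       man_rem_per_event: float):
    """Core-melt frequency (1/py) and public dose (man-rem/py) for one release category."""
    cm = initiating_per_py * p_conditional_melt
    return cm, cm * man_rem_per_event


if __name__ == "__main__":
    # Sequence 2: feedwater increase with PORV lift (Section 9.2 inputs)
    seq2 = aggravating_event_per_py(5.2e-2, 8.8e-6)          # about 3.2E-03/py
    print(f"Sequence 2 initiating (INEL): {seq2:.2e}/py")
    print(f"  Case 1 (event then SGTR) : {case1_event_induces_sgtr(seq2):.2e}/py")
    print(f"  Case 2 (SGTR then event) : {case2_sgtr_then_event(seq2):.2e}/py")
    total = coincident_sgtr_per_py(seq2)
    # Section 9.3: isolatable break, (1E-04)(1E-03) conditional core-melt, Category 2 dose
    cm, dose = core_melt_and_dose(total, 1e-4 * 1e-3, 4.8e6)
    print(f"  total {total:.2e}/py, core-melt {cm:.2e}/py, dose {dose:.2e} man-rem/py")
    # Section 9.2 sensitivity: if Case 1 is discounted, only the recovery-window term remains
    print(f"  Case 2 only: {case2_sgtr_then_event(seq2):.2e}/py")
    # Sequence 1 (Section 8.2): LOOP with PORV lift at 2E-03/py through the same functions
    print(f"Sequence 1 coincident SGTR: {coincident_sgtr_per_py(2e-3):.2e}/py")
```

Run as written the script reproduces the report's 1.09E-05, 2.41E-07 and 1.11E-05/py for Sequence 2 and 6.95E-06/py for Sequence 1; the Case 2 only line shows how far the estimate drops if the Case 1 term is discounted as the text suggests.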


9.3 FREQUENCY OF CORE-MELT DUE TO TUBE RUPTURE SEQUENCE 2

This scenario introduces a number of control system failures that aggravate the cooldown rate on the secondary side. The increased feedwater flow and steam line PORV lift all add to the cooldown transient. The additional failures do not in themselves impact the performance levels of systems which are required to respond to the scenario. However, the aggravating cooldown may make the required response different than that required for a SGTR alone. The primary concern is that the combination of loss of inventory plus shrinkage due to cooldown will couple to create a more severe accident.

In this scenario, the feedwater increase can again lead to overfill and spillover into the steam lines. However, as developed in Chapters 2 and 3 for the overfill sequences, the progression to SGTR and the actions required to recover from SGTR were seen to dominate the core-melt and risk contributions.

For this scenario, a steam line break already exists in the form of a PORV or steam dump valve lift. In addition, a coincident SGTR was also assumed. As a result, the same considerations that were developed in Chapter 2 section 2.5 again apply here. It was shown that recovery from a SGTR with MSLB depended greatly on the ability to isolate the affected steam generator. Conditional probabilities of core-melt were then developed for MSLB both above and below the MSIVs.

In this case, however, the steam line break is due to a PORV or steam dump valve lift, both of which can be isolated. The failure probabilities of interest needed for recovery in this scenario were developed in Section 2.5 as Case 2: Rupture of Main Steam Line Downstream of the MSIV (i.e., an isolatable break).

For a single SGTR as INEL postulated, the probability of loss of reactor storage water before RCS depressurization was put at 1E-04, and the probability of failure to isolate the SG was put at 1E-03. The conditional probability of core-melt given the overfill, steam line valve lift and SGTR would then be

(1E-04)(1E-03) = 1E-07.

The estimated core-melt frequency for this sequence would then be the initiating frequency times the conditional probability of core-melt, or (1.11E-05/py)(1E-07) = 1.11E-12/py.

The risk will be estimated by assuming PWR Release Category 2 as in Chapters 2 and 3, giving (1.11E-12/py)(4.8E+06 man-rem/event) = 5.33E-06 man-rem/py.

9.4 TOTAL CORE-MELT FREQUENCY AND PUBLIC DOSE FOR SGTR SEQUENCE 2

The total core-melt frequency predicted as a result of this issue is again 1.11E-12/py.

The total predicted dose associated with this issue is then 5.33E-06 man-rem /py.


10.0 VALUE/ IMPACT ANALYSIS OF POTENTIAL CORRECTIVE FEATURES

In this chapter, various modifications will be postulated to correct the control system failures identified by INEL. An estimate will be made of the effectiveness of such fixes in reducing or eliminating the failure frequencies, and this will be translated into effective reductions in core-melt frequency and public risk. The cost of implementing such corrective features will also be estimated. The purpose of this is to provide a range of value/impact ratios of man-rem saved per $1000 associated with the various failure modes and fixes identified for the A-47 issue.

Again, the sequences of interest are as follows:

Overfill Sequence 1 - False MFW Increase, Trip, and AFW Overfill
Overfill Sequence 2 - False MFW Increase and High Level Trip Failure
Overcool Sequence 1 - Inadvertent Opening of Steam Dump Valves at Power
Overcool Sequence 2 - Inadvertent Opening of Valves During Hot Shutdown
Overpressure Sequence 1 - Loss of Letdown Flow and PORV Failure at Shutdown
Overpressure Sequence 2 - Inadvertent Safety Injection at Shutdown
Steam Generator Tube Rupture Sequence 1 - SGTR with LOSP and Stuck Open PORV
Steam Generator Tube Rupture Sequence 2 - SGTR with High MFW Flow

These will be discussed further below.

10.1 OVERFILL SEQUENCE 1 - FALSE MFW INCREASE, TRIP, AND AFW OVERFILL

Referring to Section 4.6 of the INEL report, the failures of interest are listed as a failure of the controlling level transmitter, a pipe leak or rupture on the controlling instrument line, inadvertent opening of an air operated valve for the MFW, failure of a circuit in the feedwater level controller, and failures in the steam flow or feedwater flow instruments. The failure data is reproduced below.

- level control instrument failure 1E-06/hr
- leak in line 5E-09/hr
- regulating valve failure 3E-07/hr
- level control circuitry failure 1E-06/hr
- feedwater flow instrument failure 1E-06/hr
- steam flow instrument failure 1E-06/hr

Total 4.3E-06/hr

This is assumed to convert to the INEL initiating frequency of 1.4E-03/py.

As can be seen, individual modifications to the plant to reduce the 2.0E-03/py initiating frequency of this event will only impact small fractions of the overall initiating frequency. Individual modifications are discussed further below.

Postulated Fix: Changes in the Level Control High Level Trip Logic

In this sequence, the feedwater increase can be driven by a feedwater level controller failure as noted above. However, the high level trip functions as designed, with overfill continuing with the auxiliary feedwater system. As a result, the addition of another level transmitter or modifications to the trip logic will have no impact on risk reduction for this sequence. The value/impact of such modifications would then be zero for this scenario.


Note that this will be of interest for Overfill Sequence 2 discussed further below.

Postulated Fix: Better Weld Integrity on Instrumentation Lines

Note that this would impact Overfill Sequences 1 and 2, where in the latter the leaking line generates a low level indication and fails the high level trip.

The low initiating frequency of Sequence 2 makes this an insignificant contribution, however.

As with the BWR, the weld points on the 2-inch instrumentation lines were assumed by INEL to be the weak points subject to leakage or rupture. Better QA of welds (i.e., radiography or other NDE) could reduce the postulated failure rate. The lines may not be subject to the same stress corrosion cracking problems as in BWRs, but that will be assumed here, which means annual inspection would be required for the fix to be effective.

The reduction in weld failure is likely to be small, given the QA the pipes are now subjected to. A reduction in weld failures of 10 percent will be estimated here, as was done for the BWR, where it amounted to (3.2E-04/py)(0.1) = 3.2E-05/py. Here the fractional reduction in the initiating frequency is (0.1)(5E-09/4.3E-06) = 1.16E-04, or about a 0.01 percent reduction.

The reduction in core-melt frequency is then (1.16E-04)(6.17E-08/py) = 7.2E-12/py.

The reduction in risk is then (1.16E-04)(3.0E-01 man-rem/py) = 3.5E-05 man-rem/py, or 1.0E-03 man-rem over 30 years.

NUREG-1061 puts the cost of NDE piping inspection at approximately $3000/weld inspected. For such a small line that is not safety grade, much of the cost associated with QA will not be applicable. This cost is reduced here to $500/weld, divided between labor and QA/records costs. The annual outage cost for 12 welds per instrument line, and 2 instrument lines, is then (12)(2)($500) = $12,000/py. At a 10 percent assumed discount rate over 30 years, this represents a cost of ($12,000)(9.43) = $1.13E+05.

The value/impact ratio is then (1.0E-03 man-rem)/($1.13E+05) = 8.8E-06 man-rem/$1000.

As with the BWR, note further that NUREG-1061 also predicts an occupational exposure of 0.8 man-rem per weld inspected for the large pipes.

The instrument lines also carry reactor coolant, but the radiation field would be expected to be significantly lower around the small pipe and away from the reactor vessel, the lines being located on the steam generators in the PWR.

Postulated Fix: Hardened Instrumentation Lines

Note that this would impact Overfill Sequences 1 and 2, where in the latter the leaking line generates a low level indication and fails the high level trip. As before, however, the low initiating frequency of Sequence 2 makes this contribution insignificant.


The pipe runs (likely 304 stainless steel) can be changed, using a material like 316 SS that is more resistant to stress corrosion cracking. The 316 stainless steel piping would be expected to significantly reduce the frequency of weld failures due to the reduction in stress corrosion cracking. It is estimated that the frequency of pipe weld leakage could be reduced by 75 percent. It is uncertain that any reduction in pipe rupture frequency would be achieved.

Note that from the data above, leakage contributes only a fraction of 5E-09/4.3E-06 = 0.001 to the initiating frequency. The estimated fractional reduction in the initiating frequency is then (0.75)(5E-09/4.3E-06) = 8.72E-04.

The estimated reduction in core-melt frequency is then (8.72E-04)(6.17E-08/py) = 5.38E-11/py. The reduction in dose is then (8.72E-04)(3.0E-01 man-rem/py) = 2.62E-04 man-rem/py, or 7.8E-03 man-rem over 30 years.

The cost for replacing the piping, replumbing and recalibrating all instruments is estimated at 4 man-weeks per instrument line, or 8 man-weeks of installation labor. The engineering and QA time is put at 4 man-weeks, for a total of 12 man-weeks at $2270/man-week, or $27,240. The material costs are put at $5000 for approximately 200 feet of piping and fittings, for a total cost of $32,240:

- 4 man-weeks of engineering support at $2270/week, or $9080
- 8 man-weeks of craft services at $2270/week, or $18,160
- $5000 in instrumentation and supplies.

The value/impact ratio is then (7.8E-03 man-rem)/($32.24E+03) = 2.4E-04 man-rem/$1000.
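The value/impact chain used for the two instrument-line fixes above (NDE of the welds, with a recurring annual cost discounted over plant life, and the 316 SS lines, with a one-time cost), carried through in Python. This is an added worked example and not code from the PNL report; the failure rates, base core-melt frequency, base dose and costs are the Overfill Sequence 1 figures quoted above, and the 9.43 factor is recomputed as the 30-year present-value factor at 10 percent rather than taken as given.

```python
"""Value/impact arithmetic for a postulated control-system fix.

Added worked example (not part of the PNL/INEL report).  Reproduces the
report's chain: fraction of initiating frequency removed -> core-melt
frequency reduction -> public dose reduction over plant life -> cost
(one-time plus discounted recurring) -> man-rem saved per $1000.
"""
from dataclasses import dataclass

PLANT_LIFE_YEARS = 30
DISCOUNT_RATE = 0.10


def annuity_factor(rate: float, years: int) -> float:
    """Present-value factor for a level annual cost: (1 - (1+r)^-n) / r.
    At 10 percent over 30 years this is 9.43, the figure used in the report."""
    if rate == 0:
        return float(years)
    return (1.0 - (1.0 + rate) ** (-years)) / rate


@dataclass
class Fix:
    name: str
    rate_removed_per_hr: float    # failure rate (per hr) the fix acts on
    total_rate_per_hr: float      # sum of all contributors to the initiating event
    effectiveness: float          # fraction of that contributor eliminated
    base_core_melt_per_py: float  # core-melt frequency of the sequence today
    base_dose_manrem_per_py: float
    one_time_cost: float = 0.0
    annual_cost: float = 0.0


def evaluate(fix: Fix, years: int = PLANT_LIFE_YEARS, rate: float = DISCOUNT_RATE) -> dict:
    """Carry one fix through the report's value/impact chain."""
    frac = fix.effectiveness * fix.rate_removed_per_hr / fix.total_rate_per_hr
    dose_per_py = frac * fix.base_dose_manrem_per_py
    dose_life = dose_per_py * years
    cost = fix.one_time_cost + fix.annual_cost * annuity_factor(rate, years)
    return {
        "fraction_of_initiating_freq": frac,
        "core_melt_reduction_per_py": frac * fix.base_core_melt_per_py,
        "dose_reduction_manrem_per_py": dose_per_py,
        "dose_reduction_manrem_life": dose_life,
        "cost_dollars": cost,
        "manrem_per_1000_dollars": dose_life / (cost / 1000.0),
    }


# Overfill Sequence 1 inputs as quoted in Section 10.1 (INEL figures).
OVERFILL_1 = dict(total_rate_per_hr=4.3e-6, base_core_melt_per_py=6.17e-8,
                  base_dose_manrem_per_py=0.30)

# 10 percent fewer weld failures; 12 welds x 2 lines x $500 every year.
WELD_NDE = Fix("better weld integrity (annual NDE)", rate_removed_per_hr=5e-9,
               effectiveness=0.10, annual_cost=12 * 2 * 500.0, **OVERFILL_1)
# 75 percent fewer weld leaks; single outage cost of $32,240.
HARDENED_LINES = Fix("316 SS instrument lines", rate_removed_per_hr=5e-9,
                     effectiveness=0.75, one_time_cost=32_240.0, **OVERFILL_1)

if __name__ == "__main__":
    for fix in (WELD_NDE, HARDENED_LINES):
        r = evaluate(fix)
        print(f"{fix.name}: {r['dose_reduction_manrem_life']:.2e} man-rem over "
              f"{PLANT_LIFE_YEARS} yr, cost ${r['cost_dollars']:,.0f}, "
              f"{r['manrem_per_1000_dollars']:.2e} man-rem/$1000")
```

Running the block prints both ratios. The hardened-line figure reproduces the 2.4E-04 man-rem/$1000 above; the weld-inspection figure comes out near 9E-06 man-rem/$1000 when the intermediate dose and cost are not rounded, against the 8.8E-06 obtained above from the rounded 1.0E-03 man-rem and $1.13E+05.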

Postulated Fix: Automatic Shutoff of the Auxiliary Feedwater

The actual overfill in this case is driven by the AFW system. The addition of a high water level trip to the AFW electric pumps would terminate the scenario. The high water level switches already in place could serve this function. If higher water levels are routinely allowed during shutdown, a pressure enable could be added to the logic, requiring pressure to be above some level (e.g., 300 psig).

This would essentially eliminate the sequence, resulting in a core-melt reduction of 6.17E-08/py, and a public dose reduction of 3.0E-01 man-rem /py, or 9.0 man-rem over 30 years.

Development Cost

No NRC generic issue evaluation costs are seen as necessary, but each utility would likely fund studies on the impact of modifying this control system. This is put at 2 man-months of utility time, or (8 man-weeks)($2270) = $18,160.


Implementation Cost

Assuming that this fix is implemented during normal outages, it is estimated that the actual work will require approximately the following:

- 2 man-weeks of engineering support at $2270/week, or $4540

- 1 man-week of craft services at $2270/week, or $2270

- $2000 in instrumentation and supplies.

This comes to $8810. Once implemented, no recurring costs for the utility or the NRC are foreseen. The total is then put at $18,160 + $8810 = $26,970.

The estimated value/impact ratio is then 9.0 man-rem/$26,970 = 0.33 man-rem/$1000.

Postulated Fix: Modification to Air-Operated Feedwater Valve

The final modification that will be considered here for Sequence 1 is the modification of the air-operated control valve, with the failure frequency put at approximately 3E-07/hr by INEL. Note, however, that this failure frequency is that for a normal air-operated valve failure to remain open. In the case of the reactor feedwater valves, an air-operated, spring-to-open valve is used, such that loss of all air pressure will result in the valve opening, which could cause the feedwater increase. However, the valves also incorporate a lock-up feature in the air supply system such that loss of air pressure will lock the valve in its position at the time of failure. The valve failing open would then require failure of the air supply and failure of the lock-up feature. The actual failure rate for the system as designed should then be less than that presented here.

The system then already has safeguards for valve air supply failure, along with the high level trips and back-up support of the operator. Modifications to the control circuit to prevent false full-open signals may also make control of the valve less reliable. Given the safeguards already present, it is not thought to be necessary to postulate and evaluate the effect of an additional automatic trip or control circuit for the feedwater pumps.

If a modification to the valve were postulated, the risk reduction could at most approach (3E-07/4.3E-06) = 7E-02 of the total risk due to this sequence, or (7E-02)(3E-01 man-rem/py) = 2.1E-02 man-rem/py, or 0.63 man-rem over 30 years.

The cost of modifications would then have to be held under approximately $1000 to achieve a value/impact ratio of approximately 1 man-rem/$1000. This low a cost is considered unrealistic for any nuclear modification.

10.2 OVERFILL SEQUENCE 2 - FALSE MFW INCREASE AND HIGH LEVEL TRIP FAILURE

The low initiating frequency given by INEL results in estimated core-melt frequencies for the sequence below 1E-10/py. This is considered negligible, and no credible modifications could be postulated and still obtain meaningful value/impact ratios.


Postulated Fix: Changes in the Level Control High Level Trip Logic

In this sequence, the feedwater increase can be driven by a feedwater level controller failure, with failure of the high level trip function. In the INEL BWR report this failure frequency was significant at 6.5E-03/py, but INEL has put a much lower frequency of 5.5E-08/py for a similar failure in the Westinghouse plant. As a result, the benefits associated with an improved trip logic will be insignificant in this case, but will be discussed further for completeness.

Going to a 2-out-of-4 rather than a 2-out-of-3 trip logic would require the addition of another level transmitter. In the PNL examination of such a modification for the BWR for this program, an INEL estimate of a 50 percent reduction in the total overfill initiation frequency was assumed. Examining the failure contributions above, the level transmitter contributes only 1E-06/4.3E-06 = 0.23 of the initiating frequency, so halving that contribution with one added transmitter would reduce the initiating frequency by only (0.5)(0.23) = 0.12. This implies that additional circuitry changes would have to accompany the added transmitter if a 50 percent reduction is to be achieved.

This will be assumed here, giving an estimated reduction in core-melt frequency of (0.5)(1.10E-11/py) = 5.50E-12/py. The reduction in public risk is put at (0.5)(5.2E-05 man-rem/py) = 2.60E-05 man-rem/py, or 7.80E-04 man-rem over an assumed plant life of 30 years.

The cost of this modification was estimated in the BWR report at $150,000 to $1,000,000, depending on the need for additional penetrations. The PWR and BWR also differ in that the instrument lines would be to the steam generator shell rather than the vessel itself. The $150,000 figure will be used here as representative of the PWR. The value/impact ratio is then (7.8E-04 man-rem)/($150E+03) = 5.2E-06 man-rem/$1000.

10.3 OVERCOOL SEQUENCES 1 AND 2 - INADVERTENT OPENING OF STEAM DUMP VALVES AT POWER AND INADVERTENT OPENING OF VALVES DURING HOT SHUTDOWN

These two sequences involve an inadvertent opening of a steam relief valve during operation or hot shutdown, respectively. These were developed in Chapters 4 and 5, respectively. Note that PNL feels that this issue should apply only to the power operated relief valves (PORVs) upstream of the main steam isolation valves (MSIVs), and the steam dump valves downstream of the MSIVs. The code safety relief valves (SRVs) found upstream of the MSIVs are passive in nature only, relying on spring pressure with no powered operator. As such, they should not be considered as part of the A-47 issue.

As with Overfill Sequence 2, the low initiating frequency and resulting core-melt and risk estimates for Overcool Sequence 1 give such small values that no credible modifications could be proposed and still arrive at a meaningful value/impact ratio. The sequence is not seen as having a credible safety significance. As a result, the following discussion will apply to Overcool Sequence 2 only.

Referring to the fault tree of Overcool Sequence 2 as shown in Figure 4.3 of the INEL NUREG/CR-4326 report, the following failure rates are used:


- PORV control circuit failure 1E-06/hr
- PORV mechanical failure 3E-07/hr
- PORV steam dump control circuit failure 1.3E-06/hr
- steamline safety valve fails open 1E-05/hr
- steam dump control and arming circuit failure 1.2E-11/hr
- steam dump valve mechanical failure 3E-07/hr
- turbine reset switch failure 0.5E-08/hr

Total 1.29E-05/hr

This is assumed to correspond to the INEL calculated initiating frequency of 1.8E-02/py, based on 876 hrs/py when the plant is in the necessary hot shutdown condition. As can be seen, individual modifications to the plant to reduce the 1.8E-02/py initiating frequency of this event will only impact small fractions of the overall initiating frequency. Note that the SRV failure listed above is the dominant failure contributor identified by INEL. Again, PNL feels that this should not have been included in the A-47 program, the SRVs being passive spring loaded valves without active controllers. Individual modifications are discussed further below.

Two general modifications can then be proposed to reduce the frequency of the above scenarios. The most promising approach would be to make use of the block valves already installed in the system. Use of these valves would counter any type of premature or false actuation of the PORVs or relief valves. This also would not directly affect the control logic currently used for the PORVs.

The second fix would be to try to reduce the frequency of false actuations due to valve logic controller failure. These are discussed below, with modifications potentially reducing the frequency of both operational and hot shutdown failures of the valves.

Proposed Fix: Automatic Actuation of Isolation Block Valves

As discussed in Chapter 4, the PORVs and steam dump valves in question already have block valves in place capable of isolating flow to the failed valve. One fix is to install automatic logic to close the upstream block valve if inadvertent opening or leakage is sensed. Note again that automatic actuation of a block valve on leakage of a PORV is already the subject of Task Action Item II.K.3.2, Installation and Testing of Automated Power-Operated Relief Valve Isolation System, dealing with PORVs on the primary side. Note that some plants also have block valves on the steam dump valves that could also isolate a dump valve failure.

Negative impacts include the possible reduced flexibility of PORV operation in transient situations. It would likely be necessary to include an operator disable for the automated block valve function.


In Chapters 4 and 5, the frequency of steam line break was put at the initiating frequency times the probability of operator failure to close the block valve plus the probability of block valve failure, or (1.8E-02/py)(0.05 + 0.005) = 9.90E-04/py. Task Action Item II.K.3.2 puts the probability of failure of an automated block valve isolation circuit, rather than an operator, at 0.002, giving an initiation frequency of (1.8E-02/py)(0.002 + 0.005) = 1.26E-04/py.

The net reduction in PORV failure is then (1 - 0.007/0.055) = 0.873 of the base case values. Note however from the INEL failure data above that the PORV contributors sum to 1E-06 + 3E-07 + 1.3E-06 = 2.6E-06/hr, so that the PORV failures contribute only (2.6E-06/1.29E-05) = 0.2 of the total initiation frequency; including the steam dump valves gives 2.9E-06/1.29E-05, or again approximately 0.2. The risk reduction must reflect this, giving a fractional reduction of (0.873)(0.20) = 0.175. The reduction in core-melt frequency is then (0.175)(8.33E-07/py) = 1.46E-07/py. The reduction in risk is then (0.175)(3.9 man-rem/py) = 0.68 man-rem/py, or 20.5 man-rem over 30 years.
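The block-valve calculation above written out in Python as an added worked example (not code from the PNL or INEL reports). It sums the INEL failure-rate list for Overcool Sequence 2, takes the PORV contributors' share of the initiating rate, applies the operator-versus-automatic isolation probabilities from Task Action Item II.K.3.2, and converts the fractional reduction to core-melt frequency, 30-year dose and man-rem per $1000 at the $63,620 per-plant cost given under Costs below; the 876 hr/py hot-shutdown exposure is the report's value.

```python
"""Overcool Sequence 2: initiating rate from the INEL failure list, the PORV
share of it, and the risk reduction from automating block-valve closure.

Added worked example, not part of the PNL/INEL report.  All rates,
probabilities and base core-melt/dose figures are those quoted in Section 10.3.
"""

# INEL per-hour failure rates (Figure 4.3 of NUREG/CR-4326 as quoted above).
FAILURE_RATES_PER_HR = {
    "PORV control circuit": 1.0e-6,
    "PORV mechanical": 3.0e-7,
    "PORV steam dump control circuit": 1.3e-6,
    "steamline safety valve fails open": 1.0e-5,
    "steam dump control and arming circuit": 1.2e-11,
    "steam dump valve mechanical": 3.0e-7,
    "turbine reset switch": 0.5e-8,
}
PORV_CONTRIBUTORS = ("PORV control circuit", "PORV mechanical",
                     "PORV steam dump control circuit")
HOT_SHUTDOWN_HR_PER_PY = 876.0


def total_rate_per_hr(rates=FAILURE_RATES_PER_HR) -> float:
    """Sum of the listed contributors (the report's 1.29E-05/hr)."""
    return sum(rates.values())


def initiating_frequency_per_py(rates=FAILURE_RATES_PER_HR,
                                exposure_hr=HOT_SHUTDOWN_HR_PER_PY) -> float:
    """Rate-times-exposure estimate; the report instead adopts INEL's 1.8E-02/py."""
    return total_rate_per_hr(rates) * exposure_hr


def contributor_share(keys, rates=FAILURE_RATES_PER_HR) -> float:
    """Fraction of the initiating rate attributable to the listed contributors."""
    return sum(rates[k] for k in keys) / total_rate_per_hr(rates)


def steam_line_break_freq(init_per_py: float, p_isolation_fail: float,
                          p_block_valve_fail: float) -> float:
    """Relief valve opens and is not isolated: the isolation function fails
    (operator or automatic circuit) or the block valve itself fails."""
    return init_per_py * (p_isolation_fail + p_block_valve_fail)


def block_valve_reduction(p_operator=0.05, p_auto=0.002, p_block_valve=0.005,
                          share=None) -> float:
    """Fraction of sequence risk removed by automating block-valve closure.
    Only the PORV contributors benefit, so the isolation improvement is
    scaled by their share of the initiating rate."""
    if share is None:
        share = contributor_share(PORV_CONTRIBUTORS)
    isolation_gain = 1.0 - (p_auto + p_block_valve) / (p_operator + p_block_valve)
    return isolation_gain * share


def value_impact(fraction: float, base_core_melt=8.33e-7, base_dose=3.9,
                 cost=63_620.0, years=30) -> dict:
    """Fractional reduction -> core-melt, lifetime dose, man-rem per $1000."""
    dose_life = fraction * base_dose * years
    return {"core_melt_reduction_per_py": fraction * base_core_melt,
            "dose_reduction_manrem_life": dose_life,
            "manrem_per_1000_dollars": dose_life / (cost / 1000.0)}


if __name__ == "__main__":
    init = 1.8e-2  # INEL initiating frequency adopted by the report
    print(f"summed rate {total_rate_per_hr():.2e}/hr -> "
          f"{initiating_frequency_per_py():.2e}/py (INEL: {init:.1e}/py)")
    print(f"MSLB freq, operator: {steam_line_break_freq(init, 0.05, 0.005):.2e}/py; "
          f"automatic: {steam_line_break_freq(init, 0.002, 0.005):.2e}/py")
    f = block_valve_reduction()
    print(f"fractional risk reduction {f:.3f}; {value_impact(f)}")
```

The first line printed shows that the summed rate times 876 hr/py gives about 1.1E-02/py rather than the 1.8E-02/py adopted from INEL, which is why the report states the correspondence as an assumption. The value/impact ratio comes out near 0.32 man-rem/$1000 for the 20.5 man-rem reduction at $63,620.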

Costs

The costs of modifying PORVs to safety grade were put in Issue 70 at $25,000 each, for $75,000 in the three-loop H. B. Robinson plant. Additional costs for safety analysis and license amendments brought the costs to approximately $250,000 per plant. However, this modification deals only with the block valve logic. For changes to the isolation logic only, costs were put as follows:

- 4 man-weeks at $2270/week for engineering support, or $9080
- 2 man-weeks at $2270/week for installation, or $4540
- $25,000 for miscellaneous electronics, logic relays, panels, wiring, etc.
- $25,000 for plant safety analysis but no license amendment.

This totals $63,620 per plant. No recurring annual costs or NRC costs are foreseen. The value/impact ratio is then 20.5 man-rem/$63,620 = 0.32 man-rem/$1000. If the costs for identifying all steam dump valves are considered also, the risk remains the same, resulting in a significantly lower value/impact ratio.

Proposed Fix: Modifications to Valve Controller Logic

The failures identified by INEL also dealt with false PORV valve lift. Corrective features could be directed at reducing the frequency of such false signals. The exact failure mechanisms are uncertain at this time, but any change in the control circuitry for valve operators is likely to require a more substantial cost, plus the potential for reduced reliability of valve operation.

As an estimate, it will be assumed that some type of additional enable will be required between the control logic and the valve operator. This fix will not eliminate failures of the valves themselves. As a result, the change in core-melt and risk is thought to be bounded by the reduction in false actuation signals, which are thought to be a relatively small contribution of the failures listed above for the PORVs. The risk reduction for full elimination of this problem is put at (2.3E-06/1.29E-05) = 0.178, the share of the two PORV control circuit failures listed above. The core-melt frequency and risk would also be reduced by a factor of 0.178, or (0.178)(8.33E-07/py) = 1.48E-07/py for Overcool Sequence 2.

The public risk for full elimination of false PORV actuation signals would be reduced by (0.178)(3.9 man-rem/py) = 0.69 man-rem/py, or 20.8 man-rem over 30 years.


Cost and Value/Impact Ratio

If costs are put at $63,620 per plant, as for the fix to block valve logic above, the value/impact ratio becomes 20.8 man-rem/$63.62E+03 = 0.327 man-rem/$1000. Modifications would not in fact result in the total elimination of false PORV actuation signals, so this value/impact ratio represents the maximum possible risk reduction.

Safety Implications

Due to the role of power-operated relief valves in transient control, modifications to the relief valves will actually require safety studies and changes in the plant technical specifications. These costs are put at

- $50,000 NRC generic issue evaluation (spread over 47 completed PWRs), or approximately $1000 per plant
- 6 man-months of utility time, or $54,500
- $4000 license amendment.

This gives an additional cost of $59,500, for a total cost of ($63,620 + $59,500) = $123,120. This would give a value/impact ratio of 20.5 man-rem/$123.12E+03 = 0.17 man-rem/$1000 for the block valve modification, and 20.8 man-rem/$123.12E+03 = 0.17 man-rem/$1000 for the PORV logic modification.

These are thought to better reflect the actual costs involved, and will be carried through the final summary table for value/ impact ratios.

10.4 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUMBER 1

This transient is initiated when the RCS is water solid and in a low temperature and low pressure condition (cold shutdown). The failure mode of this scenario is a loss of letdown flow coupled with a failure of both pressurizer PORVs to open. The PORVs can fail either together or independently, and their failure can occur any time prior to or exactly when they are challenged by the increasing RCS pressure.


The following mechanisms were identified by INEL which could cause this failure:

1. Loss of power supply that feeds both a letdown valve and one of the PORVs, so that the letdown valve goes to its fail safe (closed) position and the PORV is rendered inoperable, and a single active failure of the second PORV caused by any of the following:
a. failure of the pressurizer pressure instrumentation
b. failure of the PORV control circuitry
c. failure of the valve
d. failure in the mode switch so that the low-temperature low-pressure mode is not selected
e. failure of the power supply to the valve.
2. Independent failure of a letdown valve (closed) and of both pressurizer PORVs, so they do not open to relieve RCS pressure.

The median probability for this sequence is again put at 1.5E-07/yr. It is apparent that the current system design already requires multiple failures to block the function of both PORVs and the letdown valve. As a result, any fixes postulated will have a marginal return on plant safety.

The potential for vessel failure by PTS was considered possible, but the low initiating frequency resulted in core-melt frequencies below 1E-10/py. With the resulting insignificant risk, this makes the presentation of any value/impact ratio based on reduced plant core-melt frequency and risk difficult. However, several fixes will be discussed below for completeness.

Proposed Fix: Independent Power Sources to the Letdown Valve and PORVs

The loss of power supply to the letdown valve and PORV was identified by INEL as one of the dominant causes of this scenario's initiation. The failure rate of a power bus was put at 1E-08/hr for 876 hours/yr when the reactor is in cold shutdown, or 8.76E-06/yr. Providing independent power supplies to the letdown valve and PORV would decrease the frequency of common mode failures.

The most likely solution is to provide power from a safety grade bus to the PORVs. This reliability could be further improved by splitting the power to the two PORVs between the 'A' and 'B' safety grade bus power supplies. Note that due to the general design guidance not to mix safety and non-safety grade systems, this may also require an overall upgrade of the PORVs to safety grade, along with the necessary studies and Technical Specification changes. This type of upgrade is the subject of Safety Issue #70.

Given this modification, the assumption of independent power supplies is relatively certain. Of interest then is: given the power failure in one system, what is the probability of failure in the second? A reasonable time interval must be assumed for this calculation, with 24 hours suggested as representative for repair to power circuits. Given an electrical power bus failure frequency of 8.76E-06/py, the new system would then have a failure rate of (8.76E-06/py)(8.76E-06/py)(1 py/365 days)(1 day) = 2.1E-13/py. (Applying the hourly bus failure rate directly to the 24-hour repair window instead gives (8.76E-06/py)(1E-08/hr)(24 hr) = 2.1E-12/py, an order of magnitude higher but still negligible.) This for all practical purposes would eliminate the potential loss of the PORV or letdown valve due to power failure.

Costs

This modification would impact the safety grade electrical power supplies. As such, the minimum effort for safety studies is put at 6 man-months, or approximately $50,000. Actual engineering and plant modifications would be in addition to this, estimated at $10,000 for both staff time and materials. License amendments would be put at approximately $4,000. This gives a total rough estimate of $64,000 per plant.

Postulated Fix: Modification of Low-Temperature, Low-Pressure Mode Switch

The failure of the mode switch to properly reconfigure the PORV control logic appears to be a possible common mode failure for both PORVs. This would require the switch to fail internally while indicating the proper condition.

The logical modification is to include an indicator light for each switch logic position, giving a positive indication of circuit connection. Failure of the mode select function would then require both a switch failure and operator failure. If the circuit already has this feature, consideration of the role of the operator further reduces the likely frequency of this scenario. Additional modifications to the mode switch could then not be defended on a reliability basis.


Costs

Costs for such a simple modification are put at approximately $10,000 as a first estimate for engineering support, equipment and installation.

Postulated Fix: Modifications to the PORV Control

The single active failure of the PORV can be partially avoided by reducing the failure rates of the pressurizer pressure instrumentation and the PORV control circuitry. Note that the INEL report does not provide detailed information on this circuitry. However, the failures required to defeat both the PORVs and the letdown valve appear to be independent in nature. Given this, the increased complexity due to the addition of another layer of control circuitry to reduce failures cannot be justified from a reliability standpoint.

Costs

Modifications to the control circuitry or logic of the valve systems will require engineering support, materials and equipment, and installation by craft services. As a rough estimate, it is assumed that 4 man-weeks of engineering support are required for the development of any design changes, and that approximately 8 man-weeks of technical labor would be required. The cost of labor time is calculated based on $2270/man-week. This yields a total labor cost of $27,240. The cost of general supplies is estimated at $4000.

The total cost of implementing simple fixes is then put at $27,240 + $4000 or approximately $32,000. Thsse are summarized below.

- engineering support, 4 man-weeks at $2270/ week

- craft services, 8 man-weeks at $2270/ week miscellaneous supplies, 34000.

It is also assumed that the design changes will take place during a normal fuel outage, so no replacement power cost has been considered in the cost analysis.

Note again that modifications to the PORV logic could be interpreted as requiring extensive safety analysis and modifications to the plant Technical Specifications, as with the use of a safety grade power supply. The safety costs alone could easily exceed 6 man-months of utility time, or approximately $50,000. The NRC would likely also study the modifications. NRC costs on the order of $50,000 would average to several thousand dollars per reactor when spread over the industry.

10.5 REACTOR COOLANT SYSTEM OVERPRESSURE SEQUENCE NUMBER 2

This transient is initiated when the reactor is being heated up from cold shutdown. It is postulated by INEL that during the heatup procedure the pressurizer PORVs are shifted from the "low temperature" to the "normal" position and the ECCS systems are enabled. The failure mode that causes the transient is an inadvertent SI initiation. The following failure mechanisms were also identified by INEL to cause this failure mode to occur:

1. A single logic circuit failure results in actuation of the safeguards sequence.
2. Independent failures that initiate high head safety injection flow and opening of the accumulator isolation valve.
3. A single failure in one of the two safety injection actuation buttons that results in actuation of the safeguards sequence.

The failure frequency for this sequence is again put at 3.7E-04/yr.

Note that as with the previous sequence, the PNL analysis determined that although the overpressure exceeded current technical specifications in the INEL analysis, the potential for vessel failure due to PTS would be extremely low at 350°F based on work at ORNL for the PTS program. The resulting estimated core-melt frequencies were again below 1E-10/yr, which is insignificant. This again makes the presentation of any value/impact ratio based on reduced plant core-melt frequency and risk insignificant. However, several fixes will be discussed below for completeness.

Postulated Fixes: Logic Circuit Modification

Although individual failure rate estimates are again not reported in the INEL study, it appears that a single failure in the SI injection logic would likely be one of the leading causes of false SI injection. Modification of the circuit to place an additional enable is possible. However, this is done at the possible expense of reducing reliability of SI operation when actually demanded.

The mode switch selector is also obviously designed to avoid enabling the SI system until the proper conditions in the vessel are achieved.

The problem appears to arise over a short interval during startup when the output pressure and capacity of the high pressure SI pumps can exceed the allowable pressurization rate set by the relatively low temperature and pressure of the vessel. One possible solution is to delay enabling of the SI function.

In this fashion, the SI initiation logic is not changed during normal operation, but only during the startup process.

Another solution would be to provide a higher minimum pressure enable for the high pressure system during the startup process. The logic can be designed with a one-way enable such that once the new minimum pressure has been reached, a lowering of pressure would not negate the SI enable. A manual reset would then be required.

Costs

Modifications to the SI logic would impact a safety system, requiring significant safety analysis and license amendments. Utility efforts would likely not be less than 6 man-months, or $50,000, plus $4,000 for the amendment.

Engineering design and craft services support plus materials would likely add costs similar to those estimated for the PORVs above at approximately $30,000.

The total cost could then exceed $80,000 per plant for a modification which does not appear at this time to have any quantifiable safety significance.

SGTR Sequence 1

For SGTR Sequence 1, the scenario was assumed by PNL to consist of a loss of off-site power (LOOP) resulting in PORV lift and SGTR, or an independent SGTR followed by a LOOP and PORV lift during the shutdown process. In either case, the dominant failure mechanism from a risk perspective is the LOOP, which requires operation of emergency power or recovery of off-site power to prevent core-melt. Plant modifications directed at reducing the frequency of SGTR or LOOP, or at improving the recovery of electric power, are considered to be better dealt with by specific NRC programs outside of the A-47 program and thus will not be addressed further here.

Note that modifications to the PORV do not help in plant recovery from a risk perspective, this still being dominated by the LOOP and the need for electric power.

However, elimination of the PORV lift through the addition of an automatic actuation of the block valve, as discussed earlier, would eliminate 20 percent of the valve failures as defined by INEL and given earlier.

Referring back to Chapter 8, this would result in a reduction in core-melt frequency of (0.2)(1.27E-08/py) = 2.54E-09/py, and a risk reduction of (0.2)(6.9E-02 man-rem/py) = 1.38E-02 man-rem/py, or 0.4 man-rem over 30 years.

With the cost for such a modification put at $63,620, the value/impact ratio would be put at (0.4 man-rem)/($63.62E+03) = 6.3E-03 man-rem/$1000.

Note that PORV modifications were discussed earlier for Overcool Sequence 2, with a risk reduction put at 20.5 man-rem. The value/impact of PORV modifications should also include the contribution from SGTR Sequence 2 to risk reduction, but at 0.4 man-rem, this is approximately a factor of 50 less than that from the Overcool Sequence 2 alone. The value/impact ratio considering the contribution from both sequences together thus would not change the value previously calculated for the Overcool Sequence 2, and this value/impact ratio will be carried through to the final summary tables.

SGTR Sequence 2

This scenario again involves a feedwater increase with a PORV or steam valve failing open, coincident with a SGTR. The feedwater increase and PORV failure frequency was put by the INEL fault tree as (7008 hrs/py)(feedwater failure and valve failure) = (7008 hrs/py)(8.8E-05)(5.2E-02)/hr = 3.2E-03/py.

With coincident SGTR, the overall frequency was further reduced by PNL to 1.1E-05/py. Again, the probability of failure of recovery from a single SGTR with an isolatable break was quite small, giving a core-melt frequency of 1.11E-12/py and a risk of 5.33E-06 man-rem/py.

Modifications to reduce the frequency of overfill or steam valve lift, as discussed earlier, will also impact the frequency of this sequence. Note however that with the low core-melt frequency and risk estimated for this sequence, any contribution from this sequence to additional risk reduction attributable to such modifications would be insignificant.

The value/impact ratios calculated earlier for modifications will therefore not change significantly as a result of considerations for the SGTR Sequences 1 and 2.


Proposed Fix: Modifications to the Manual SI Actuation Button

The other single failure mode identified by INEL was the failure of either of two manual actuation buttons. The simplest modification would be to replace each of the 2 single buttons with two buttons in series. This would then require both buttons of either pair to activate the system.

However, the system is now designed with two switches in parallel with either capable of initiating the SI function. This is to insure that a single switch failure would not prevent manual operation. Changing the switch logic would thus increase the potential for failure of the logic. In addition, failures of buttons to make contact on demand are presumably more likely than random failures producing active connections.

Any changes in the logic to series buttons must thus presume that inadvertent actuation presents a greater safety hazard than failure on demand, which has not been shown to be the case. Such modifications are thus not recommended. Fixes to the SI actuation buttons would have to be limited to changes in quality, presuming that buttons less prone to random internal failures can be found and utilized.

10.6 STEAM GENERATOR TUBE RUPTURE SEQUENCE NUMBERS 1 AND 2

The two steam generator tube rupture events are discussed together. The plant status for the INEL evaluations put reactor power at 102 percent, RCS pressure at 2280 psia, and all control systems in automatic. Sequence 1 assumed a loss of off-site power with a stuck open steam side PORV, while sequence 2 assumed a main feedwater increase to the affected steam generator along with a stuck open PORV.

No control system failures were identified by INEL for initiation of these sequences. Rather, steam generator tube ruptures were simply postulated with aggravating failures. PNL, however, also considered the case where an initial PORV or relief valve lift could cause a SGTR event. The assumed initiating events were not demonstrated to be a cause for later control system failures. As a result, the scenarios consisted of a series of otherwise independent events.

This is reflected in the low estimated frequency of the scenarios, again put at approximately 2E-03/py for sequence 1, and 3.2E-05/py for sequence 2 without SGTR, and 7.0E-06/py and 1.1E-05/py with SGTR for sequences 1 and 2, respectively.

Note that with the SGTR as the initiator for these sequences, fixes associated with reducing the frequency of tube ruptures would be the most likely area for consideration. The whole question of tube integrity, however, is the subject of specific investigations at the NRC. The scenarios modeled by INEL do not appear to indicate where any control system modifications could be used to reduce the frequency of the initiating event, or where the SGTR contributes to later control system failures.


10.7 VALUE/IMPACT SUMMARY

Table 10.1 presents a summary of the recommended fixes along with their value-impact ratio. The value-impact ratio is the ratio of the public risk reduction (man-rem) to the cost of implementing the design change ($).

TABLE 10.1. Summary of the Value-Impact Analysis of the Proposed Fixes

Proposed Fix                                          Scenarios Affected             Estimated Cost ($)   Estimated Risk Reduction (man-rem)   V/I Ratio (man-rem/$1000)
Better Weld Integrity                                 SG Overfill Sequences 1 & 2    1.13E+05             1.0E-03                              8.8E-06
Hardened Instrumentation Lines                        SG Overfill Sequences 1 & 2    3.22E+04             7.8E-03                              2.4E-04
Automatic Shutoff of the Auxiliary Feedwater          SG Overfill Sequence 1         2.69E+04             9.0                                  0.3
New Level Transmitter with 2-out-of-4 Trip Logic      SG Overfill Sequence 2         1.5E+05              7.8E-04                              5.2E-06
Automatic Actuation of Isolation Block Valves         RCS Overcool Sequences 1 & 2   1.23E+05             20.5                                 0.17
Modifications to Valve Controller Logic               RCS Overcool Sequences 1 & 2   1.23E+05             20.8                                 0.17
Independent Power Source to the Letdown Valve and PORVs   RCS Overpressure Sequence 1   6.40E+04          Negligible*                          Negligible*
Modifications of LTOP Mode Switch                     RCS Overpressure Sequence 1    1.00E+04             Negligible*                          Negligible*
Modifications to the PORV Control                     RCS Overpressure Sequence 1    3.20E+04             Negligible*                          Negligible*
Logic Circuit Modification                            RCS Overpressure Sequence 2    8.00E+04             Negligible*                          Negligible*

* Negligible indicated for scenarios with core-melt frequency estimates less than 1E-10/py.
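The value/impact arithmetic of this chapter, both the SGTR Sequence 1 computation above and the ratios tabulated in Table 10.1, carried through in Python as an added worked example; this code is not part of the PNL report. The numeric inputs are the report's own, the 30-year plant life and the 1E-10/py "Negligible" screen are the report's assumptions, and the function and field names are this example's.

```python
"""Value/impact bookkeeping as used in Chapter 10 of this report.

Added worked example, not code from the PNL report. It follows the report's
method: a fix's public risk reduction (man-rem per plant-year) is accumulated
over an assumed 30-year plant life and divided by the fix cost expressed in
thousands of dollars, giving man-rem/$1000. Fixes addressing scenarios whose
core-melt frequency is below 1E-10/py are reported as "Negligible", as in the
footnote to Table 10.1. Function and field names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLANT_LIFE_YEARS = 30      # plant life assumed in the report
NEGLIGIBLE_CMF = 1e-10     # core-melt frequency screen, /py (Table 10.1 footnote)


@dataclass(frozen=True)
class Fix:
    name: str
    cost_dollars: float
    # Total risk reduction over plant life, man-rem; None when the affected
    # scenario's core-melt frequency is below the 1E-10/py screen.
    risk_reduction_man_rem: Optional[float]


def is_negligible(core_melt_frequency_per_py: float) -> bool:
    """Table 10.1 footnote: below 1E-10/py no value/impact ratio is quoted."""
    return core_melt_frequency_per_py < NEGLIGIBLE_CMF


def risk_over_plant_life(risk_per_py: float, years: int = PLANT_LIFE_YEARS) -> float:
    """man-rem/py -> man-rem averted over the plant's remaining life."""
    return risk_per_py * years


def value_impact(risk_reduction_man_rem: float, cost_dollars: float) -> float:
    """man-rem averted per $1000 of cost (the report's V/I ratio)."""
    if cost_dollars <= 0:
        raise ValueError("cost must be positive")
    return risk_reduction_man_rem / (cost_dollars / 1000.0)


def sgtr_sequence_1() -> Tuple[float, float, float, float]:
    """Carry the SGTR Sequence 1 arithmetic of Chapter 10 through.

    Automatic block valve actuation removes 20 percent of PORV lift failures;
    the sequence's core-melt frequency and risk are the Chapter 8 values quoted
    in the text, and the cost is the $63,620 quoted for the modification.
    """
    fraction_removed = 0.2
    core_melt_per_py = 1.27e-8        # /py
    risk_per_py = 6.9e-2              # man-rem/py
    cost = 63_620                     # $
    d_cmf = fraction_removed * core_melt_per_py        # 2.54E-09/py
    d_risk_py = fraction_removed * risk_per_py         # 1.38E-02 man-rem/py
    d_risk_life = round(risk_over_plant_life(d_risk_py), 1)   # 0.4 man-rem
    return d_cmf, d_risk_py, d_risk_life, value_impact(d_risk_life, cost)


def table_10_1_rows(fixes: List[Fix]) -> List[Tuple[str, Optional[float]]]:
    """Each fix's V/I ratio in man-rem/$1000, None where Table 10.1 says Negligible."""
    rows: List[Tuple[str, Optional[float]]] = []
    for fix in fixes:
        if fix.risk_reduction_man_rem is None:
            rows.append((fix.name, None))
        else:
            rows.append((fix.name, value_impact(fix.risk_reduction_man_rem, fix.cost_dollars)))
    return rows


# Rows of Table 10.1 with the report's cost and risk-reduction figures.
TABLE_10_1 = [
    Fix("Better weld integrity", 1.13e5, 1.0e-3),
    Fix("Hardened instrumentation lines", 3.22e4, 7.8e-3),
    Fix("Automatic shutoff of the auxiliary feedwater", 2.69e4, 9.0),
    Fix("New level transmitter with 2-out-of-4 trip logic", 1.5e5, 7.8e-4),
    Fix("Automatic actuation of isolation block valves", 1.23e5, 20.5),
    Fix("Modifications to valve controller logic", 1.23e5, 20.8),
    Fix("Independent power source to letdown valve and PORVs", 6.40e4, None),
    Fix("Modifications of LTOP mode switch", 1.00e4, None),
    Fix("Modifications to the PORV control", 3.20e4, None),
    Fix("Logic circuit modification", 8.00e4, None),
]

if __name__ == "__main__":
    for name, ratio in table_10_1_rows(TABLE_10_1):
        print(f"{name:55s} {'Negligible' if ratio is None else f'{ratio:.2g}'}")
```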


As can be seen, the addition of a high level trip on the auxiliary feedwater is thought to be the most cost effective measure for the Overfill Sequence 1.

The main feedwater trips function as designed in this scenario, so modifications to the main feedwater control logic are not called for here.

Overfill Sequence 2, however, does combine a false low level reading and loss of the high trip function associated with the level transmitters and switches of the main feedwater system. An additional level transmitter and modification to the control logic for a 2-out-of-4 trip signal appear to reduce the frequency of such failures without a corresponding increase in false trip signals. However, the INEL estimated initiation frequency for this sequence is too low to justify any modifications to the trip logic.

Modifications to the instrumentation piping to reduce leakage and false low level signals appear to provide a relatively poor value/ impact for the two overfill scenarios compared to the other two modifications mentioned above.

For the overcool scenarios, the addition of an automated block valve or modifications to the PORV logic appears to provide the most likely solution.

Given the fact that the valves are already in place and that many plants are instrumented for tail-pipe steam flow, the cost of adding a trip would be minimal. Note however that modifications to the performance of the PORVs will directly impact the use of such valves in transient overpower scenarios. It may thus be necessary to fund safety studies for block valve isolation, with changes to the plant procedures and technical specifications.

For RCS Overpressure Sequences 1 and 2, the core-melt frequency estimated was extremely low due to the low initiating frequency and low probability of vessel failure due to PTS.

It is believed that due to the low frequency of initiation of these two scenarios, no further fixes are needed.

Note that the core-melt frequency and public risk for all of the above scenarios represent a 'best engineering estimate.' The costs likewise represent a 'best engineering estimate,' thus a certain amount of latitude is needed in interpreting the value/impact ratio. However, the development of these accident initiators to core-melt is thought to reflect a conservative approach to estimating the impact of these failures on plant engineered safety systems.

Cost estimates likewise tend to underestimate the true cost of nuclear plant modifications. These factors, when combined, tend to reduce the estimated value/impact ratios as given above. The best estimates as given above are thus thought to reflect the relative importance of each accident initiator and proposed fix, and its overall importance to plant safety.

All values for core-melt and public risk are so low, however, that the resulting low value/impact ratios make it difficult to mandate plant modifications on the basis of these considerations for the A-47 program.

11.0 CONCLUSIONS

The results of the analysis done in this report are presented in Table 11.1. This table presents the frequency of postulated INEL control system failures, and further estimates of the additional probability of progressing to core-melt. The associated public risk estimates are also given. The upper bounds for the sequence initiating frequency are also given. These frequencies were then propagated through appropriate event trees to core-melt, with the results presented below as a best estimate and upper bound.

The overfill and overcool scenarios postulated by INEL were primarily modeled as steam line breaks. The WASH-1400 study did not consider an overcool transient due to secondary side rupture as a viable initiator for a core melt sequence. However, the steam line break is considered a precursor to core damage. Appropriate event trees from the ORNL and INPO study of precursors were then used, and the resulting frequency of core damage was very conservatively associated directly with core-melt. The public doses were then estimated by using release categories associated with core-melt sequences involving loss of high pressure injection and long term decay heat removal, these being release categories 3, 5, and 7.

In addition, the potential for inducing a steam generator tube rupture was considered. This probability was put at 0.034 given steam line break, based on NRC considerations for USI A-3, A-4, and A-5 for the Steam Generator Tube Integrity Program. As a result, both the MSLB and SGTR scenarios modeled here are expected to have significant conservatism even in the best estimate results given in Table 10.1.

As can be seen, all predicted core-melt frequencies are quite low, all being below 1E-06/py. The dominant sequences contributing to core-melt are the reactor coolant system Overfill Sequence and Overcool Sequences 1 and 2. Three factors determined this. First, the contribution to core-melt and risk from SGTR versus MSLB was dominated by the SGTR analysis regardless of the sequence examined. The overcool scenarios then had relatively high initiating frequency, and the sequences involved a steam line PORV failure. This, then, constituted a main steam line failure, introducing directly the potential for a SGTR. The net result was a relatively high prediction for core-melt and dose for these sequences.

The PRA of the Zion plant was studied, where the conditional probability of core-melt given SGTR was on the order of 1E-05. However, steam line break due to water spillover could occur above the steam line MSIVs in this analysis.

This type of failure significantly increases the potential for core-damage given a subsequent SGTR, as isolation of the affected SG is not possible. The potential of exhausting injection water supplies, before RCS depressurization can be achieved, is then raised significantly.

For those sequences involving a PORV or feedwater under operator control, the uncertainty in correct operator action has been identified in the analysis.

Only the Overfill Sequence Number 2 gives an unambiguous indication to the operator of changing steam generator levels. Thus the role of the operator in diagnosing and terminating the scenarios introduces some uncertainties. The analyses tried to treat these in a conservative fashion.

TABLE 11.1. Summary of the INEL and PNL Estimates of Accident Initiator Frequencies, Core-Melt Frequencies and Public Risk

Columns: INEL Accident Initiating Frequency, median (/py); PNL Core-Melt Frequency, best estimate (/py); Public Risk, best estimate (man-rem/py).

Sequence                                                 Initiator            Initiating Freq. (/py)   Core-Melt Freq. (/py)   Public Risk (man-rem/py)
Steam Generator Overfill Sequence Number 1                                    1.4E-03
                                                         Transient Shutdown                            2.8E-09                 1.5E-02
                                                         MSLB                                          7.7E-10                 2.1E-03
                                                         SGTR                                          5.8E-08                 2.8E-01
                                                         Subtotal                                      6.2E-08                 3.0E-01
Steam Generator Overfill Sequence Number 2                                    5.4E-08
                                                         Transient Shutdown                            <1E-10                  <1E-04
                                                         MSLB                                          <1E-10                  <1E-04
                                                         SGTR                                          <1E-10                  <1E-04
                                                         Subtotal                                      <1E-10                  <1E-04
Reactor Coolant System Overcool Sequence Number 1                             2.6E-07
                                                         MSLB                                          <1E-10                  <1E-04
                                                         SGTR                                          <1E-10                  <1E-04
                                                         Subtotal                                      <1E-10                  <1E-04
Reactor Coolant System Overcool Sequence Number 2                             1.8E-02
                                                         MSLB                                          1.1E-08                 2.9E-02
                                                         SGTR                                          8.7E-07                 3.9E+0
                                                         Subtotal                                      8.3E-07                 3.9E+0
Reactor Coolant System Overpressure Sequence Number 1                         1.5E-07                  <1E-10                  <1E-04
Reactor Coolant System Overpressure Sequence Number 2                         3.7E-04                  <1E-10                  <1E-04
Steam Generator Tube Rupture Sequence Number 1                                2.0E-03                  1.3E-08                 6.9E-02
                                                                              (7.0E-06 with SGTR)
Steam Generator Tube Rupture Sequence Number 2                                3.2E-03                  <1E-10                  <1E-04
                                                                              (1.1E-05 with SGTR)
Total                                                                                                  9.1E-07                 4.3E+0

Note that the operator will also likely play an important role in reducing the frequency of control failures progressing to more serious accidents. This will likely introduce operator training or control room human factors engineering into any resolutions associated with this issue.

The overfill scenarios were assumed to lead to steam line break to provide any sort of core-melt sequence initiator. The basic uncertainty in the potential for inducing a steam line break still exists in the PWR analysis as in the BWR analysis. Note, however, that the overfill analyses in this case did not actually progress to spillover of water into the steam lines. Power levels were also low or at startup for the PWR. The potential for water hammer and steam line break were adjusted accordingly compared to the BWR analysis, giving again what is thought to be a conservative assumption for steam line break.

The overpressure accident scenarios also had the potential for inducing a rupture in the reactor pressure vessel. However the potential for vessel rupture due to pressurized thermal shock was determined to be low based on PTS program results from ORNL.

Finally, INEL also considered two SGTR events with aggravating control system failures, including loss of off-site power with PORV lift, and feedwater increase with PORV lift. The core-melt frequencies estimated were comparable to those for the overfill and overcool scenarios, but the combination of independent non-control related failures in this core-melt frequency significantly reduced the role of any control modifications. Value/impact ratios were accordingly judged to be insignificant.

The total estimated frequency for core-melt of 9.1E-07/py and risk of 4.3 man-rem/py are considered to be a nondominant contribution to the overall core-melt frequency of a PWR. For the WASH-1400 Surry Westinghouse PWR, the overall core-melt frequency was put at approximately 6E-05/ry, with the contribution from small break LOCAs contributing approximately 2.9E-05/ry. SGTRs were not modeled directly in the WASH-1400 PRA, but the system response would be similar to small LOCAs where water did not return to sumps for recirculation. Because such LOCAs play a dominant role in the PWR risk, it is assumed that the risk calculated here will also represent only several percent of total overall plant risk.

PTS

The overcool and overpressure scenarios postulated by INEL also have the potential for leading to pressurized thermal shock (PTS) events which could rupture the vessel and lead directly to core-melt. Overfill scenarios leading to MSLB or SGTR could likewise initiate a PTS event. The PTS program at ORNL is only now in the process of issuing a draft analysis of PTS events in the H.B. Robinson plant. However, an examination of the preliminary information available at this time indicates that the potential for control failures leading to PTS and vessel rupture is very remote for the scenarios identified by INEL.

Even with conservative estimates of the nil ductility transition temperature for H.B. Robinson of 270°F, the modeling by ORNL of a severe overcool due to steam line lift and HPI pressurization of the vessel appears to give vessel failure probabilities on the order of 1E-04. However, the core-melt frequencies were still estimated to be below those due to MSLB and SGTR. When the actual transition temperature of 130°F for H.B. Robinson is used, the conditional probability of vessel rupture given PTS apparently drops. The overpressure scenarios give insignificant core-melt frequencies.

The latter estimate is thought to be the best measure of risk due to PTS-induced failures in the A-47 program. It is appropriate for conservative calculations to be used within the PTS program for evaluation of the PTS issue; this best estimate is appropriate for related issues if undue weighting or influence of specific safety concerns is to be avoided in a calculation of relative risk. The conclusion at this time is that PTS plays a minimal role in core-melt and risk for the A-47 analysis of this overcool scenario in the Westinghouse H.B. Robinson PWR.

Value/Impact

An attempt was also made to propose several system modifications which might reduce the frequency of initiation of INEL identified scenarios. These modifications (fixes) have been discussed in detail in Chapter 10. The public risk reductions and the cost associated with implementing each fix were also estimated, providing a value/impact ratio in terms of man-rem of public exposure reduced per $1000 of cost.

These results were presented in Table 10.1, with value/impact ratios ranging from approximately 0.3 man-rem/$1000 over a 30 year period to negligible values.

The fixes that appear most promising for the PWR focus on an automatic high water level trip for the auxiliary feedwater and PORV block valves to protect against inadvertent PORV lifts. Their value/impact ratios, in man-rem/$1000, are those listed in Table 10.1.

In the PWR, the overfill sequence driven by AFW overfill could be terminated by the simple addition of a high level AFW trip. The steam side break caused by PORV lift could likewise be eliminated through the use of block valves.

Note that both of these fixes are already under operator control.

Fixes to reduce the frequency of such events could focus on the operator rather than on the equipment modifications assumed here. A more detailed examination of current procedures and the time/signals available to the operator would be required to determine which modification is more appropriate.


As with the BWR, it is apparent that there is significant interaction of the operator with control systems. This role of the operator was conservatively estimated in the core-melt calculations presented above; no improvement in performance was postulated as a remedy to failures identified by INEL. With control of vessel water levels being the focus of training and procedures upgrades since the TMI accident, a significant reduction in operator error for main or auxiliary feedwater failures, PORV lifts, etc. could reasonably be expected to reduce the progression of simple control failures to more serious accidents.

It is thus thought that the final resolution of A-47 should recognize this important role of the operator, and make appropriate recommendations. This could include a more detailed examination of the time available to the operator, the signals and indications available, and current procedures, before recommending equipment modifications. Recommendations could also be referred to task action items set up specifically to deal with operator actions during transients. These are better geared to deal with the potential for reducing operator error in general, and would insure a consistent approach to operator interactions.

The addition of another level transmitter (LT) in a 2-out-of-4 trip logic was found not to represent a cost-effective modification in the PWR to counteract the feedwater control system failures identified by INEL for feedwater overfill. The INEL estimate for trip failure with overfeed at 5.4E-08/yr makes such modifications pointless.

Note, however, that this is all primarily dependent on the conservative assumptions used here for a high potential of steam line break and SGTR given the initiating control failures. If further analysis indicates that the potential for MSLB is much less, or that isolation of the affected generator is possible (i.e., if breaks would occur preferentially below the MSIVs), then the resulting impact on core-melt frequency could easily be reduced by several orders of magnitude. Note also that the more prominent fixes such as for PORV lift are the subject of separate NRC safety action items.

The core-melt frequency and public risk for all of the above scenarios are presented as a best engineering estimate. The costs likewise represent a 'best engineering estimate', thus a certain amount of latitude is needed in interpreting the value/impact ratio. However, the development of these accident initiators to core-melt is thought to reflect a conservative approach to estimating the impact of these failures on plant engineered safety systems.

Cost estimates likewise tend to underestimate the true cost of nuclear plant modifications. These factors, when combined, tend to further reduce the estimated value/ impact ratios as given above.

REFERENCES

Austin, P. N., et al. DRAFT. 1984. An Assessment of the Safety Implications of Control at the Oconee-1 Nuclear Plant - Volume 1, Executive Summary. Oak Ridge National Laboratory, Oak Ridge, Tennessee.

Bruske, S. J., et al. DRAFT. 1985. Effects of Control System Failure on Transients and Accidents at a 3-Loop Westinghouse Pressurized Water Reactor. NUREG/CR-4262. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Bruske, S. J., et al. DRAFT. 1985. Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor, Main Report. NUREG/CR-4326. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Electric Power Research Institute and Duke Power Company. 1984. A Probabilistic Risk Assessment of Oconee Unit 3 - Summary Report. NSAC-60. Electric Power Research Institute, Palo Alto, California, and Duke Power Company, Charlotte, North Carolina.

Heaberlin, S. W., et al. 1983. A Handbook for Value-Impact Assessment. NUREG/CR-3568. Pacific Northwest Laboratory, Richland, Washington.

INPO. 1982. Review of NRC Report Precursors to Potential Severe Core Damage Accidents: 1969-1979 - A Status Report, NUREG/CR-2497. INPO 82-025. Institute of Nuclear Power Operators, Atlanta, Georgia.

Joksimovich, V. 1984. A Review of Plant Specific PRAs. Risk Analysis, Vol. 4, No. 4.

WASH-1400. 1975. Reactor Safety Study.

Minarick, J. W. and C. A. Kukielka. 1982. Precursors to Potential Severe Core Damage Accidents: 1969-1979. NUREG/CR-2497. Science Applications, Inc., Oak Ridge National Laboratory, Oak Ridge, Tennessee.

NUREG/CR-1659. 1981. Reactor Safety Study: Sequoyah #1 PWR Power Plant.

Stevens, D. L., et al. 1983. VISA - A Computer Code for Predicting the Probability of Reactor Pressure Vessel Failure. NUREG/CR-3384 (PNL-4774). Pacific Northwest Laboratory, Richland, Washington.

U.S. Nuclear Regulatory Commission. 1975. An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants. WASH-1400 (NUREG-75/014). U.S. Nuclear Regulatory Commission, Washington, D.C.

U.S. Nuclear Regulatory Commission. DRAFT. 1983. NRC Integrated Program for the Resolution of Unresolved Safety Issues A-3, A-4 and A-5 Regarding Steam Generator Tube Integrity. NUREG-0844. U.S. Nuclear Regulatory Commission, Washington, D.C.

Zion 1 & 2 Probabilistic Risk Assessment. USNRC Docket 50-295. 1981.

PNL-5544
NUREG/CR-

EFFECTS OF CONTROL SYSTEM FAILURES ON TRANSIENTS, ACCIDENTS AND CORE-MELT FREQUENCIES AT A B&W PRESSURIZED WATER REACTOR

W. E. Bickford
A. S. Tabatabai

September 1985

Pacific Northwest Laboratory
Richland, Washington

SUMMARY

This report presents the results of the estimate of core-melt frequency, public risk and value impact of potential modifications associated with control system failures in the B&W Oconee PWR. The failure mechanisms and scenarios used are those identified by ORNL in its analysis of the Oconee plant for the A-47 program.

The failure scenarios examined were those identified by ORNL as being of principal importance. The judgment of which sequences to analyze was made by the NRC, PNL and ORNL from an extensive review of control system failures and possible interactions identified by ORNL. The three scenarios examined involved control system failures that might progress to more severe failures, primarily centering on the feedwater systems. The potential for overfill of the steam generators progressing to spillover into the steam lines was identified by ORNL, along with scenarios with a potential for feedwater failures combining with operator failure to reestablish flow, thus progressing to core-melt.

The A-47 issue often deals with control systems routinely under operator control. As such, the consideration of the interaction of the operator with failure diagnosis and recovery is appropriate here. Several of the recommendations for reducing the risk associated with control system failures center on operator awareness, diagnosis, and correct response. As a result, several recommendations for A-47 might well be integrated with operator training and transient response programs.

No estimate of the upper bound for the initiating frequency of the scenarios identified was made by ORNL. Only point estimates for frequency were made, representing a 'best engineering estimate' of the core-melt frequency and risk.

Steam Generator Overfill

The steam generator overfill scenario examined deals with the potential in the Oconee plant for undetected failures in the high SG water level main feedwater (MFW) trip function. The risk associated with this was examined by considering several possible accident sequences: a transient shutdown with the power conversion system unavailable due to degrading conditions in the secondary side, overfill progressing to spillover and main steam line break (MSLB), and MSLB progressing to SGTR.

The resulting estimate of risk is given in Table S.1. As can be seen, the contribution from MSLB progressing to SGTR was estimated to be dominant for the above scenario. The assumption was made that, given main steam line damage, there was a 50 percent probability that the break would occur outside of the reactor building, where water released from the break would not be available for collection in building sumps for recirculation. The ability to isolate the affected steam generator can play an important role in recovery from a SGTR, but the Oconee plant has no MSIVs. A category 2 type release was then assumed for public risk, involving as it does an early core-melt with failure of the containment sprays, which is consistent with exhaustion of recirculation inventories.


TABLE S.1. Summary of ORNL and PNL Estimates of Accident Initiator Frequencies, Core-Melt Frequencies, and Public Risk for the B&W Oconee PWR

                                             ORNL (a)              PNL                   PNL
                                             Accident Initiating   Core-Melt             Public Risk
                                             Frequency             Frequency             Best Estimate
Sequence / Initiator                         Best Estimate (/py)   Best Estimate (/py)   (man-rem/py)

RCS Subsystem Overfill & High Trip Failure   6.0E-03
  T2 Transient Shutdown                                            6.88E-08              1.86E-01
  MSLB                                                             6.27E-08              1.71E-01
  SGTR                                                             9.45E-06              4.54E+01
  Subtotal                                                         9.58E-06              4.58E+01

ICS Hand Power Failure with SG Dryout        9.0E-03               9.00E-06              2.44E+01

ICS Auto Power Failure                       9.0E-03
  SG Dryout                                                        2.70E-06              7.31E+00
  T2 Transient Shutdown                                            0                     0
  MSLB                                                             1.16E-09              3.14E-03
  SGTR                                                             8.77E-08              4.21E-01
  Subtotal                                                         2.79E-06              7.73E+00

TOTAL                                                              2.14E-05              7.79E+01

(a) ORNL estimates of initiating frequencies include operator error.

The estimate is thus highly subject to the assumed potential for main steam line break (MSLB) given spillover, and the break location if a SGTR occurs. The effective probabilities of MSLB and of SGTR given MSLB were put at 0.95 and 0.034, respectively, in this analysis. Break location, however, is not as important in Oconee, due to the lack of MSIVs, as compared to the H.B. Robinson plant examined earlier for the A-47 program. The Oconee plant, however, is apparently not representative of all B&W plants, most of which apparently have MSIVs.

The design modifications proposed to reduce the frequency of this scenario focus on the potential for undetected failures in the high level MFW trip circuit. This failure probability was assumed to be fairly high by ORNL due to an annual inspection frequency. Reducing this to a monthly basis was assumed to reduce the failure potential by a factor of two. This testing would be possible for most components (i.e., comparative signal readings from transmitters, etc.); however, the trip relays themselves are in series.

The ORNL suggestion to add an additional FTPX relay to make the trip relay circuits associated with each generator parallel in configuration was then examined. A factor of 10 reduction in the failure frequency was assumed if modifications actually make it possible to test the generator trip circuits alternately during operation. The man-rem reduction associated with the monthly testing of this new trip circuit was estimated at 1050 man-rem over 30 years.

The costs associated with the modification and testing were estimated at approximately $305,000, giving a value/impact ratio of 3.44 man-rem/$1000.

Note that no modifications to a 2-out-of-3 or 2-out-of-4 trip logic were postulated by ORNL or PNL. The impact of a number of logic modifications was evaluated, with possible risk reductions similar to those postulated for improved reliability of the high level trip function. The value/impact ratio of such modifications is, however, highly sensitive to the cost of proposed modifications for additional level transmitters and associated hardware. Given the different control function of the level transmitters and high trip in the B&W design, and given the high degree of uncertainty in the cost of modification, changes in the level transmitters appear less beneficial. Similar risk reductions could be possible through improved testability of the high level trip function with much less uncertainty in the associated costs.

Loss of ICS Hand Power

The loss of the ICS hand power circuit was found to present the potential for steam generator dryout if the operator failed to reestablish feedwater flow in 30 minutes or HPI flow in 60 minutes following loss of this power supply.

Several modifications were developed which could potentially reduce the frequency of automatically progressing to dryout. These included a MFW trip on loss of hand power, which would initiate EFW flow; a higher minimum runback setpoint on the MFW to prevent zero MFW flow in this case; and rewiring the loss-of-voltage signal to the MFW pump controller to represent a 50% setting, as is apparently used in other B&W plants.

The potential risk reduction was estimated at 659 man-rem over 30 years.

No costs for the above modifications were estimated. It was pointed out, however, that the above modifications were thought to be easily under $659,000, giving value/impact ratios in excess of 1 man-rem/$1000.


Loss of Auto Power

The loss of auto power was initially thought to leave the plant in an unstable equilibrium, allowing the operator time to manually control the reactor before the development of an instability and subsequent trip. Oconee personnel indicated that this is how they would respond to such a failure. However, ORNL studies of the failure indicated that no annunciators are associated directly with the H1 circuit which serves the majority of feedwater components. No emergency procedures were found either. As a result, an event tree assuming eventual reactor trip without prior operator awareness of the failure was assumed. The operator would then be required to reestablish feedwater flow as with the above scenario.

The potential benefit of annunciated power failure and proper emergency procedures in lowering operator error was estimated to provide a 155 man-rem risk reduction over 30 years. The costs for implementing such modifications were estimated to be minimal, giving a value/impact ratio of 2 man-rem/$1000.

Initiation of EFW on Low Level

The final modification examined was the automatic initiation of EFW on low level signals from the steam generator level transmitters. This modification would effectively eliminate the two scenarios above that require operator action to reestablish feedwater before dryout of the generator occurs.

The modification does not appear to degrade or in any way jeopardize the current operating mode of the EFW, providing as it does only an additional initiation signal. The ORNL examination indicates that this modification does not require a cross-tie between a safety and non-safety grade system that would require a full safety upgrade of the level transmitting equipment. Two 1E "startup range" level signals per SG currently are used for EFW valve control and could be used for initiation.


Table S.1 summarizes the estimated core-melt frequency and public risk represented by all scenarios examined, put at 2.14E-05/py and 78 man-rem/py, respectively. This compares to the overall core-melt frequency for the Oconee plant of 8.20E-05/py, with a public risk of 207 man-rem/py. The consideration of the overfill scenario leading to spillover and the dryout scenarios thus represents a significant fraction (20 percent) of this risk.

Table S.2 presents the results of the value/impact analysis, examining the possible cost and risk reduction associated with design modifications. Note that for several modifications, no cost estimate is made directly. Rather, the maximum costs that will keep the resulting value/impact ratio at or above the 1 man-rem/$1000 figure of merit are pointed out.

The conclusion was that all modifications examined appeared capable of being justified based on the value/impact ratio. The failure modes identified by ORNL appear to be readily amenable to correction without extensive modification; thus the costs estimated were not restrictive in any sense.


TABLE S.2. Summary of the Value/Impact Analysis for the Oconee B&W Plant

                                        Scenario                   Estimated     Estimated Risk       V/I Ratio
Proposed Fix                            Affected                   Cost, $       Reduction (man-rem)  (man-rem/$1000)

Monthly Testing                         Overfill & undetected      8.8E+04       4.53E+02             5.2
                                        high trip failure

Monthly Testing Plus Parallel           Same as above              2E+05         1.05E+03             5.3
FTPX Relay

Modified Trip Logic* (cost in $1000)
  1. 1-out-of-1, 1 FTPX, with two                                  624           4.53E+02             0.73
     spurious trips in 30 years
  2. 1-out-of-2, 1 FTPX, with two                                  612           8.99E+02             1.47
     spurious trips in 30 years
  3. 2-out-of-3, 1 FTPX                                            300.16        8.86E+02             3.0
  4. 1-out-of-2, 2 FTPX, with two                                  636.0         1.15E+03             1.8
     spurious trips in 30 years
  5. 2-out-of-3, 1 FTPX per LT                                     360.16        1.12E+03             3.1
  6. 2-out-of-4, 1 FTPX                                            600           9.07E+02             1.5
  7. 2-out-of-4, 1 FTPX per LT                                     684           1.17E+03             1.7

MFW Trip on Loss of ICS Hand            ICS Hand Power Failure     6.59E+05      6.59E+02             1.0
Power; Higher Minimum MFW               with SG dryout
Setpoint; MFW Default to 50%
Output on 0 Voltage
  (i.e., the cost of any or all of the above can be less than $659,000 and still give a
  value/impact ratio equal to or greater than 1 man-rem/$1000.)

Annunciation of Auto Power              Auto Power Failure         7.36E+04      1.55E+02             2.04
Failure and Emergency
Procedures

EFW Initiation on Low SG Level          ICS Power Failures         1.0E+05       8.68E+02             8.68
  (Note: the cost of implementing the EFW initiation function can be as high as $868,000, or
  approximately $1,000,000 per plant, and still give a value/impact ratio on the order of
  1 man-rem/$1000.)

* Value/impact ratios for modifications to trip logic would lower by approximately a factor of 10
  if implemented after full modification for monthly testing.

Modifications to Trip Logic

This analysis gave a partial examination of the possible reduction in the high-level trip failure probability associated with the installation of a more complex high-level trip logic for the main feedwater pumps. In the PNL examination of the GE BWR and Westinghouse PWR, the installation of a 2-out-of-4 trip logic did not appear to be favorable. In the Oconee B&W PWR plant, the output from the level transmitters is not being used as a level control signal to maintain an exact steam generator water level as it does in the previously mentioned plants. Rather, the B&W design operates with the water level falling within a broad operating range. Conditions are maintained within this range to give the proper degree of steam superheat at the generator output rather than to maintain a set water height. The normal configuration is then a 2-out-of-2 logic on each generator rather than the 2-out-of-3 logic seen on the Browns Ferry and H.B. Robinson plants.

The GE and Westinghouse designs combine the feedwater level control and trip functions with the level transmitters. A failure there that could both fail the high trip and drive the feedwater increase becomes the dominant failure mechanism. Fixes proposed then addressed the level transmitter failure modes and logic. With the separation of these functions in the B&W design, the dominant failure identified by ORNL became an undetected failure of the high trip. As such, corrective actions should be directed at this failure specifically for the B&W plant.

Although the ability of 1-out-of-1 type logics for the high water level MFW trip function was shown to be theoretically superior to more complicated configurations in preventing spillover, the possible costs associated with spurious trips were shown to make such simple configurations undesirable. The realistic options for the A-47 program are then thought to be the 2-out-of-3 and 2-out-of-4 options, with one FTPX relay or with one FTPX relay per LT. All of these options reduce the trip failure probability significantly, approaching a failure probability of only the MFW valves themselves (0.007/demand). As a result, the value/impact ratios associated with these configurations are relatively insensitive to risk reduction, but highly dependent on cost. As expected then, those options which require the least hardware additions appear to perform best from a value/impact standpoint (i.e., the 2-out-of-3 with 1 FTPX relay). The 2-out-of-4 logic is predicted to perform slightly better in preventing overfeeds and spillovers, as was the case in the PNL examination of the GE and Westinghouse plants for the A-47 program. The cost, however, can be significantly more than the other options if additional penetrations are required. The configuration also makes it easier to design on-line testing procedures, which is more in keeping with safety grade component requirements.

Note, however, that the risk reduction and value/impact ratios estimated for such hardware changes are comparable to the reduction estimated by monthly testing alone to improve the reliability of the existing 2-out-of-2 trip configuration. The monthly testing alone is estimated to reduce significantly that portion of the MFW high level trip failure probability due to instrument failure (0.047/demand with 85% due to transmitter or relay failures, and 15% due to MFW valve failures). Any modifications to the trip configuration or logic after implementation of such testing would then be subject to some diminishing returns in risk reduction, acting on only approximately 8.5% instead of 85% of the original high trip failure probability. As a result, if configuration changes are made after monthly testing has been implemented, the value/impact ratios predicted here for hardware changes would be reduced by approximately a factor of 10. The NRC must then weigh such additional judgmental factors in deciding if the current system is inadequate, and to what level improvements will be required, possibly up to the 2-out-of-4 logic configuration with monthly testing for high water level transmitters in each steam generator.
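To make the value/impact arithmetic of Table S.2 and the monthly-testing adjustment above concrete, the following Python is an added worked example (not part of the PNL report): it computes the V/I ratio in man-rem per $1000, the maximum cost that still meets the 1 man-rem/$1000 figure of merit for fixes without a cost estimate, and the factor-of-10 scaling of trip-logic ratios after monthly testing. The table rows, costs and the 85%/8.5% fractions are transcribed from the report; the `Modification` class and the function names are this example's own.

```python
"""Value/impact bookkeeping for the Oconee A-47 modifications (Table S.2).

Added worked example; not part of the PNL report. Costs and 30-year risk
reductions are transcribed from Table S.2; the 85%/8.5% split comes from the
report's discussion of diminishing returns after monthly testing.
"""
from dataclasses import dataclass

FIGURE_OF_MERIT = 1.0  # man-rem per $1000: the report's screening threshold


@dataclass(frozen=True)
class Modification:
    """One proposed fix as tabulated in the report (hypothetical container)."""
    name: str
    cost_dollars: float    # estimated implementation cost, in dollars
    risk_reduction: float  # man-rem averted over 30 years of operation


def value_impact_ratio(mod: Modification) -> float:
    """V/I ratio in man-rem per $1000 of cost, as used throughout Table S.2."""
    return mod.risk_reduction / (mod.cost_dollars / 1000.0)


def max_justified_cost(risk_reduction_man_rem: float,
                       figure_of_merit: float = FIGURE_OF_MERIT) -> float:
    """Largest cost (dollars) at which V/I still meets the figure of merit.

    This is how the report treats fixes with no cost estimate: 659 man-rem
    over 30 years supports spending up to $659,000 at 1 man-rem/$1000.
    """
    return risk_reduction_man_rem * 1000.0 / figure_of_merit


def ratio_after_monthly_testing(ratio: float,
                                fraction_before: float = 0.85,
                                fraction_after: float = 0.085) -> float:
    """Scale a trip-logic V/I ratio for implementation after monthly testing.

    Once monthly testing is in place, a hardware change acts on about 8.5%
    rather than 85% of the original high-trip failure probability, so the
    averted risk (and hence the ratio) shrinks by fraction_after/fraction_before.
    """
    return ratio * (fraction_after / fraction_before)


# Rows transcribed from Table S.2. The trip-logic rows are tabulated in
# thousands of dollars (624 -> $624,000, consistent with their V/I values),
# so they are converted to dollars here to match the other rows.
TABLE_S2 = [
    Modification("Monthly testing of high-level MFW trip", 8.8e4, 453.0),
    Modification("Monthly testing plus parallel FTPX relay", 2.0e5, 1050.0),
    Modification("2-out-of-3 trip logic, 1 FTPX", 300.16e3, 886.0),
    Modification("2-out-of-4 trip logic, 1 FTPX", 600.0e3, 907.0),
    Modification("Annunciation of auto power failure", 7.36e4, 155.0),
    Modification("EFW initiation on low SG level", 1.0e5, 868.0),
]


def rank_by_value_impact(mods=tuple(TABLE_S2)):
    """Return (name, ratio rounded to 2 places) pairs, highest V/I first."""
    ranked = [(m.name, round(value_impact_ratio(m), 2)) for m in mods]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, ratio in rank_by_value_impact():
        print(f"{ratio:6.2f} man-rem/$1000  {name}")
    print(f"Hand-power fixes justified up to ${max_justified_cost(659.0):,.0f}")
    print(f"2-out-of-3 ratio after monthly testing: "
          f"{ratio_after_monthly_testing(3.0):.2f}")
```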

Limitations and Real-World Considerations

Additional uncertainties in the calculation of feedwater control reliability further contribute to a solution in favor of monthly testing versus hardware changes. It must be pointed out that any comparison between different level control and high level trips and other modifications is highly conditional on a number of factors, including basic hardware and reliability as well as operator response to system failures and the plant dynamics to failures. This can include plant-specific differences in and compensations for a number of factors, including:

- type of level control (three element, one element)

- power supplies

- back-up or alternate level displays

- instrument line plumbing configuration

- controlling level display

- controlling level record

- annunciators and alarms

- operator training and procedures.

- maintenance, general age and state of equipment.

" The indications are that real world considerations could easily overshadow theoretical calculations, particularly for level control instrumentation where the ability to test often carries more weight than calculated reliabilty. As pointed out in previous PNL reports for the A-47 program, uncertainties could include hydraulic shocks which occur at dif ferent rates in separate instrument

- lines making some failure combinations of sensors more likely, or common mode failures of instruments due to f aulty maintenance. The data currently available on component failure rates is not specific enough as to failure cause (i.e.,

shocks, faulty maintenance, etc.) and failure mode (i.e., inoperable low scale.

drif t low, etc.) to draw any firm conclusions or to rigorously support specific recommendations based on theoretical calculations for level transmitters.

Areas of Likely Conservatism

Again, a 'best engineering estimate' of failure probabilities was used whenever possible in the analysis of core-melt and risk for the control failures identified. Some uncertainty does exist, however, in several factors, with the analysis carried through using what is thought to be a high failure probability. This in turn would weight the estimated core-melt frequency and public risk to higher values. These include:

a) Operator Error - The probability estimated by ORNL for failure of the operator to diagnose and terminate the scenarios ranged from 0.7 for scenarios with misleading or conflicting information or rapid progression (i.e., overfill in several minutes) to 0.1 for scenarios with slow progression and non-conflicting information and alarms. PNL assumed the high value of 0.7. An average failure probability may be lower than this, particularly in plants with simulator programs stressing proper diagnosis of failures.

b) Steam Line Break - Main steam line breaks (MSLBs) in PWRs were not assumed to be associated with core-melt in the WASH-1400 study. More recent studies have equated MSLB with core damage, which is thought to be equal to or less severe than a core-melt in terms of radionuclide release by up to a factor of 30. This study equated the consequences of MSLB with core-melt.

The probability of main steam line break given spillover into the steam lines at power was assumed to be 1.0, decreasing to 0.5 for spillover after shutdown. Although several spillover events have occurred to date in US commercial plants, resulting in support damage, no steam line failures have occurred. The Oconee plant has no MSIVs, making break isolation impossible. Other B&W plants, however, do have MSIVs, making break location important in other plants.

The MSLB was further assumed to have a significant probability of inducing a steam generator tube rupture (SGTR), with the combination of SGTR and an unisolatable MSLB leading with high probability to core-melt in a PWR.

This high probability of failure to recover is due primarily to depletion of the reactor water storage tank (RWST) water supply before depressurization of the reactor can be achieved. This gives no credit to other operator-initiated means of maintaining a water supply.

Further information on the probability of break for various overfill scenarios and the break location for other B&W plants could significantly reduce the risk associated with these scenarios, as would a more realistic analysis of operator-initiated actions to restore water supplies and avoid core-melt.

c) Transient Shutdown - The initiating event would cause a transient induced plant shutdown, with loss of the power conversion system (PCS) representing a serious precursor to core-melt in PWRs. A high probability of loss of the PCS given spillover was assumed here, but contributed insignificantly to risk in this analysis due to the low initiating frequency.

d) Release Categories - The WASH-1400 release categories most representative of the core-melt scenarios in this analysis were used to estimate risk, with the risk per event as per the Value-Impact Handbook (NUREG/CR-3568).

Ongoing evaluations of the source terms for various core-melt scenarios indicate that the WASH-1400 release categories may overestimate risk by up to several orders of magnitude. This would result in lower risks attributed to these scenarios.

e) Costs - Estimates of the costs associated with modifications in nuclear plants typically underestimate the final costs, even when accompanied by an extensive engineering-cost study. Higher than expected costs would further lower the value/impact ratios estimated here for proposed modifications.


As a result of these uncertainties and possible negative impacts on operational reliability and the unique dynamic control features of the B&W design, the implementation of monthly testing first to improve reliability appears to be the optimum course of action at this time. It becomes apparent that these recommendations should be presented as preliminary, with the recognition that these should be subjected to detailed evaluation if plant modifications are to be performed.

CONTENTS

SUMMARY . . . iii

1.0 INTRODUCTION . . . 1.1

2.0 STEAM GENERATOR OVERFILL . . . 2.1
  2.1 STEAM GENERATOR OVERFILL . . . 2.2
  2.2 ACCIDENT PROGRESSION ANALYSIS FOR SG OVERFILL . . . 2.4
  2.3 PROGRESSION OF SCENARIO TO SGTR AND CORE-MELT . . . 2.7
  2.4 PUBLIC RISK DUE TO STEAM GENERATOR OVERFILL AND SGTR . . . 2.11
  2.5 RESULTS OF STEAM GENERATOR OVERFILL . . . 2.11

3.0 ICS POWER FAILURES . . . 3.1
  3.1 LOSS OF ICS HAND POWER . . . 3.1
  3.2 PUBLIC RISK DUE TO LOSS OF ICS HAND POWER . . . 3.2
  3.3 LOSS OF ICS AUTO POWER . . . 3.2
  3.4 PUBLIC RISK DUE TO LOSS OF ICS AUTO POWER . . . 3.8

4.0 VALUE/IMPACT ANALYSIS . . . 4.1
  4.1 MODIFICATIONS TO REDUCE UNDETECTED FAILURE OF THE HIGH-LEVEL MFW TRIP . . . 4.1
  4.2 MODIFICATIONS TO REDUCE ICS HAND POWER DRYOUT SCENARIO . . . 4.10
  4.3 MODIFICATIONS TO REDUCE ICS AUTO POWER OVERFILL SCENARIO . . . 4.11
  4.4 SUMMARY OF VALUE/IMPACT . . . 4.13

5.0 CONCLUSIONS FOR THE B&W OCONEE PWR . . . 5.1

REFERENCES . . . R.1

FIGURES

2.1 INPO Event Tree for Propagation of MSLB to Core Damage . . . 2.6
3.1 Loss of ICS Hand Power Event Tree . . . 3.3
3.2 SAI ICS Auto Power Failure Event Tree . . . 3.5
3.3 Proposed PNL Modification of ICS Auto Power Failure Event Tree . . . 3.6
4.1 B&W Oconee PWR High Level MFW Trip Circuit . . . 4.2

TABLES

S.1 Summary of ORNL and PNL Estimates of Accident Initiator Frequencies, Core-melt Frequencies, and Public Risk for the B&W Oconee PWR . . . vi
S.2 Summary of the Value/Impact Analysis for the Oconee B&W Plant . . . vii
2.1 Public Risk Associated with Steam Generator Overfill with MSLB, and Transient Shutdown . . . 2.7
2.2 Core-Melt Contribution of SGTR Events for the Oconee PRA . . . 2.8
2.3 Public Risk Associated with Steam Generator Overfill, MSLB, and SGTR . . . 2.11
2.4 Result of Overfill Scenario for Oconee . . . 2.12
3.1 Public Risk Associated with ICS Hand Power Failure . . . 3.2
3.2 Public Risk Associated with Failure of ICS Auto Power . . . 3.8
4.1 Alternate Configurations for the B&W Oconee PWR High-Level MFW Trip Function . . . 4.5
4.2 Risk Reduction Associated with Alternate Configurations . . . 4.8
4.3 Summary of the Value/Impact Analysis for the Oconee B&W Plant . . . 4.13
5.1 Summary of ORNL and PNL Estimates of Accident Initiator Frequencies, Core-melt Frequencies, and Public Risk for the B&W Oconee PWR . . . 5.1

1.0 INTRODUCTION

The purpose of this report is to examine the potential frequency of core-melt and public risk associated with control system failures in Babcock and Wilcox (B&W) pressurized water reactors (PWRs), and to evaluate the value/impact associated with proposed modifications. The scope will be limited to failure modes identified by the Oak Ridge National Laboratory (ORNL) in their examination of the Oconee-1 Nuclear Power Plant (Austin et al. 1984).

This work is a direct extension of the examination by PNL of the potential core-melt frequency and public risk associated with control system failures in GE BWRs and Westinghouse PWRs. This previous examination of risk was based on the failure mechanisms identified by the Idaho National Engineering Laboratory (INEL) for the GE (Bruske et al. 1984) and a Westinghouse plant (Bruske et al. 1984). The approach used in these previous examinations is further developed here for the B&W PWR.

The Duke Power Company Oconee 1 PWR, an 860 MWe unit in Seneca, S.C., was used as the reference design in the ORNL investigation. This plant was also the subject of a RSSMAP probabilistic risk assessment (PRA) (Kolb et al. 1981). The Oconee Unit 3 was also the subject of a PRA (S. R. Lewis et al. 1984). These studies will be used in the evaluation of core-melt and public risk presented here, where appropriate.

The ORNL investigation reports three major failure modes impacting reactor safety as a result of control system failures at this time. These are:

• Steam Generator (SG) Overfilling with Undetected Failure of MFW High Level Trip
• Loss of ICS Hand Power
• Loss of ICS Auto Power.

For each of these major failure modes, specific failure mechanisms in the control system have been identified and will be developed in the following chapters.


2.0 STEAM GENERATOR OVERFILL

The ORNL report identified a number of safety concerns relative to steam generator overfill. Overfill could

a. produce secondary side damage which might compromise safety equipment or produce a cascade of events which might have primary side effects including radiological leakage
b. cause densification of primary coolant, reducing pressure, possibly losing pressurizer control, possibly vapor-locking the primary flow path, possibly introducing excess reactivity from cold flow
c. provide excess cooling which might in some cases contribute to pressurized thermal shock (PTS).

Of primary interest here is the initiation of a transient requiring plant shutdown or response of the engineered safety features. PNL believes that the first manifestation of system damage in the overfill scenario is the potential for main turbine damage and turbine trip. This in itself is not a serious challenge to plant systems. However, the potential for excessive moisture carry-over and even spillover does introduce the potential for water hammer and main steam line break (MSLB).

WASH-1400 gave consideration to the consequences that would follow from ruptures on the secondary side of a steam generator for a Westinghouse PWR (Surry). Some 30 possible accident sequences were identified, all ending in either a rapid cooldown transient or a LOCA. It was concluded in the WASH-1400 study that the transients induced by steam generator failures did not lead to core-melt but could release activity from the fuel-clad gap due to fuel damage. The end result was that steam generator tube rupture was not identified as an important factor in the risks due to transient events (WASH-1400, Appendix I, p. I-47).

However, to be conservative here, the excessive cool-down transient will be modeled with an appropriate event tree for steam line break. The potential for core damage as a result of MSLB will then be given. In addition, the potential for inducing a steam generator tube rupture (SGTR) or multiple ruptures will be considered.

An examination of the potential for pressurized thermal shock (PTS) in the Westinghouse plant, based on the parameters generated by INEL for the postulated failure scenarios, indicated that the thermal shock generated could be outside technical specification limits. However, based on preliminary data from the NRC PTS program, the probability of vessel failure is estimated to be less than 1E-06 at this time.

A discussion of the failure initiators identified by ORNL is given below, followed by a consideration of progression of the accident to MSLB or SGTR and core-melt.


2.1 STEAM GENERATOR OVERFILL

The ORNL analysis of the Oconee-1 main feedwater (MFW) control system indicates that steam generator (SG) high water level control is maintained via both throttling of the feedwater control valve and a high level trip of the main MFW pumps. The integrated control system (ICS) uses two level transmitters per SG. One of the level signals generated is selected per SG and used to limit the feedwater demand signal, with SG water input controlled through the feedwater control valve. In addition, both level signals per SG are fed to ICS bi-stables which form an array to provide a high SG water level trip signal for the main feedwater pumps. A non-ICS FTPX relay is used for this purpose. The latter relay receives a signal to close and trip the MFW pumps at 359 inches of water. It is apparent, therefore, that the MFW cannot overfill a steam generator (above the 359 inch level) unless both high level protection features are defeated and an overfeed mechanism is initiated which is not controlled by cross limits or any of the other compensatory features of the ICS.

Overfill of the Oconee steam generators then requires failures that initiate an overfeed, failure of the MFW trip signal, and failure of the operator to isolate the feedwater flow.

Note that the auxiliary feedwater system (AFW) is not subject to the high level protection features. Therefore, once the system is on AFW, fewer control system failures are required to bring on SG overfill. There are mitigating factors, however. First, there must have been a prior failure or unusual circumstance to bring on the AFW. The other factor is that the AFW pumps water much more slowly than the MFW with a full open or nearly full open control valve. Hence, in the AFW case, there is more time for intervention.

The following initiating failures have been identified by ORNL to bring on the SG overfill:

A) Failures which place both the high level MFW pump trip and the high level control valve closure in a failed state - since both of these systems depend on the same level detection equipment, a failure there would affect both equivalently.

B) Failures which place the high level MFW pump trip in an undetected failed state.

C) Failures which block the high level MFW control valve closure and also initiate steam generator overfeed.

D) Failures which may initiate a fast overfeed by the MFW.

E) Failures that would cause MFW overfeed at relatively low rate - these would provide more time for operator intervention.

F) Single failure causing relatively slow overfill of a steam generator. An example would be a sufficient leak in selected pressure tap A, or the connecting pipe from that tap, or the packing of the blocking valves on which the connecting pipe terminates.


The following conclusions were made by ORNL regarding the above failure initiators:

- Type A and B failures do not cause SG overfeed but block some or all of the high level protection.

- Type C failure, taken alone, should cause a rapid filling of the steam generator to the 359 inch level followed by MFW pump, reactor, and turbine trip and initiation of AFW. Type D failure, taken alone, may be controlled by the ICS.

- One Type F single failure was identified.

A more detailed discussion of these failure initiators is provided in the ORNL report.

Initiating Event Frequency

The overfill scenario considered of importance at this time by ORNL, which may progress to actual spillover of water into the steam lines, is the Type B failure, where a failure of the high level MFW pump trip exists in an undetected state, followed by an ICS failure which drives a feedwater increase. The failures contributing to this undetected failure state are given below, with an estimate by ORNL of the potential for failure on demand based on an annual testing interval. ORNL further assumed that 50 percent of the annual failures would be detected and repaired during this period prior to the ICS failure driving the feedwater increase:

a) either MFW pump intercept valve fails 0.001/demand
b) either MFW pump trip solenoid valve fails 0.006/demand
c) MFW pump trip relay FTPX fails 0.009/demand
d) either SG operate range level transmitter fails 0.004/demand
e) either multiplication module fails 0.018/demand
f) either signal monitor module fails 0.007/demand
g) either signal generator module fails 0.002/demand

This totals to the estimated failure on demand probability of 0.047 for the undetected failed state of the high level trip function.

The initiating frequency for feedwater increase during this period of undetected high trip failure was put at 0.144/py. This was coupled with a failure of the MFW trip on demand of 0.047.


The potential for operator failure to terminate the overfeed was estimated by ORNL to range from 0.7 to 0.1, depending on the rate of overfeed. This range is consistent with previous PNL estimates of operator error ranging from 0.1 to 0.5 for overfills in the GE and Westinghouse plants.

Based on this data, the range in frequency is put by PNL at (0.144/py)(0.047)(0.7) = 4.74E-03/py to (0.144/py)(0.047)(0.1) = 6.77E-04/py, or 0.005 to 0.0007/py to one significant figure, depending on the operator error used. The net estimate of frequency of overfill was put in the range of 0.006 to 0.001/py by ORNL, citing a more rigorous reduction of the fault trees.

The approach used by PNL in the previous examination of overfill in the Browns Ferry GE BWR and H. B. Robinson Westinghouse PWR was to use a best and upper estimate of the overfill initiation frequency as provided by INEL, coupled with a single conservative estimate of the operator failure probability. To be consistent with this approach, the higher estimate of 0.7 for operator failure made by ORNL will be used here, giving a best estimate for overfill of 0.0006/py. An upper estimate of the initiating frequency for overfeed was not made by ORNL. Rather, the uncertainty was reflected in the severity of the overfeed and likely time for operator response. The 0.7 factor could then be interpreted as an upper bound estimate of the probability of operator error given overfeed.

2.2 ACCIDENT PROGRESSION ANALYSIS FOR SG OVERFILL

Accident progression to steam line break and possible SGTR are then proposed here as the scenarios of interest for progression to core-melt. The potential for pressurized thermal shock (PTS) leading to vessel rupture should also be considered. This will require thermal hydraulic simulations of excessive cooldown in the B&W design given MSLB. ORNL does indicate, however, that probability estimates of MSLB progressing to PTS as calculated by the PTS program did not show it to be a significant contributor to risk. This will, therefore, be assumed to play an insignificant role in progression to core-melt, as was the case with the Westinghouse PWR. This assumption can be updated as more information is made available from the PTS program.

Main Steam Line Break

For MSLB, again the WASH-1400 analysis of the Surry plant concluded that steam line breaks are not a viable pathway to core-melt. However, the ORNL Precursor Study (Minarick and Kukielka, 1982) and the updated INPO Precursor Study (INPO, 1982) did consider MSLB initiated event trees leading to core damage, and these will be used here as a conservative estimate of the contribution to core-melt from this type of failure.

As discussed in previous PNL examinations of overfill in the GE BWR and Westinghouse PWR, the probability of MSLB given spillover has been conservatively put at 1.0 given spillover at rated power, and 0.5 for spillover after main turbine failure and plant trip. The latter figure would include the potential for continued water buildup after SCRAM and pipe failure due to excessive static load. A 0.1 probability of turbine trip was assumed, giving a net probability of (1.0)(0.9) + (0.5)(0.1) = 0.95 for MSLB. A lower probability of 0.5 was proposed for spillover at low power.

The ORNL analysis identified specific overfill scenarios which maximized the overfill aspect of the control system failure in a PWR. Using the assumptions outlined above, a probability of 0.95 for MSLB given overfill will again be used here. The frequency of MSLB for this scenario is then estimated to be (0.006/py)(0.95) = 5.70E-03/py. ORNL evaluation indicated that protective turbine trips are in fact in existence. A transient induced shutdown is thus more likely, and will be developed further below.

Accident Progression to Core-Melt Given Transient or MSLB

The MSLB is not recognized as a dominant contributor to core-melt in the Oconee study. For this analysis, the results of the ORNL Precursor study as updated by INPO will be used. The resulting event tree for core damage given MSLB in a PWR is given in Figure 2.1. The predicted probability of core damage given MSLB is then estimated at 1.1E-05. The failures involved in the overfill scenario are not thought to impact the response of the engineered safety systems in any fashion. The predicted frequency of core damage due to MSLB is then estimated at (5.70E-03/py)(1.1E-05) = 6.27E-08/py. A further reduction by approximately one order of magnitude is typically estimated to convert to the probability of core-melt, but this estimate will be used here as a conservative estimate of core-melt.

T2 Transient Shutdown

As mentioned previously, the potential for main turbine trip before the point of spillover exists. Degrading steam quality will introduce excessive moisture in the steam flow to the main turbine. Being highly sensitive to such moisture, this could induce a turbine failure and reactor SCRAM. This main turbine damage can represent a T2 transient in the Oconee PRA, this being a loss of the power conversion system caused by other than loss of offsite power. The T2 transient above represents a significant initiator to core-melt regardless of the potential for MSLB. The frequency of T2 transients in the Oconee study is put at 3/py. The total contribution from all T2 sequences in the Oconee PRA adds up to a predicted core-melt frequency of 3.44E-05/py out of a total plant core-melt frequency of 8.2E-05/py. Note that in this scenario, the sequence of interest is where the operator again fails to terminate the overfeed, and where turbine failure occurs before MSLB. Transients with the PLS available contribute a core-melt frequency of 1.1E-06/yr with an initiating frequency of 4/yr. The T2 transient thus represents the more serious core-melt initiator.

Again, in the above analysis the probability of turbine failure was weighted towards continued operation on the theory that this would be more likely to create the conditions for the presumably more serious water hammer and MSLB. The probability of continued operation was then put at 0.9, with 0.1 probability of failure. The 0.1 factor should be used given the assumption made above. In reality, turbine trip due to failure or out-of-balance signal may be much more likely, especially given spillover of water into the steam lines.

In this case the initiation frequency is put at 0.006/py, assuming the 0.7 operator error represents the failure to terminate the overfill before turbine failure. Although no mechanisms for loss of the PCS have specifically been identified, the potential exists for loss of the feedwater or decay heat sink being aggravated by the transient. The probability of loss of the PCS is not certain; if this is assumed to be 1.0 here, this will give a net frequency of a T2 type transient of 6E-03/py. The upper bound will be assumed again to be a factor of 10 higher at 6E-03/py.

FIGURE 2.1. Event Tree for Core Damage Given Main Steam Line Break in a PWR (ORNL Precursor study as updated by INPO)
[Figure residue; legible content only. Top events: Steam Line Break, Reactor Trip, Auxiliary Feedwater and Steam Generator Isolation, PORV Opened Due to Secondary Heat Removal, PORV or Safety Valve Closure, High Pressure Injection (HPI), Long Term Core Cooling, Potential Severe Core Damage. Legible core damage end-state values: 5.8E-6, 6.7E-7, 1.6E-6, 3.4E-6; ATWS 1.1E-5/ry.]

Reducing the Oconee T2 core-melt frequency by the assumed initiating frequency here of 6.0E-04/py for overfeed gives a predicted core-melt frequency due to the transient nature of the scenario of (3.44E-05/py)(6.0E-03/3) = 6.88E-08/py.

Total Core-Melt from SG Overfill with MSLB and Transient Shutdown

The total estimated core-melt frequency due to transient shutdown from turbine damage or MSLB is then put at (6.27E-08 + 6.88E-08)/py = 1.32E-07/py.

Public Risk for SG Overfill with MSLB and Transient Shutdown

The public risk associated with the transient sequences for the Oconee plant is primarily associated with PWR release categories 3, 5, and 7 as shown below. This distribution will be used here for both transient and MSLB scenarios. Again, the equating of core-damage from MSLB to core-melt is considered conservative.

TABLE 2.1. Public Risk Associated with Steam Generator Overfill with MSLB, and Transient Shutdown

Release Category   Probability   Man-rem/release   Frequency/py   Man-rem/py
PWR-3              0.5           5.4E+06           1.32E-07       3.56E-01
PWR-5              0.0073        1.0E+06           1.32E-07       9.64E-04
PWR-7              0.5           2.3E+03           1.32E-07       1.52E-04
Total                                                             3.57E-01

The median estimate of public risk is then 3.57E-01 man-rem/py. The conservative assumptions are the high operator failure rate, and certain failure of the PLS given spillover.

2.3 PROGRESSION OF SCENARIO TO SGTR AND CORE-MELT

Given steam line failure, the accident will most likely progress as a simple cool-down transient. However, the potential exists to induce a steam generator tube rupture due to the differential pressures generated in the blow-down. The probability of SGTR given steam line break has been addressed by the NRC (NUREG-0844, p. 3-8) as part of its evaluation of Unresolved Safety Issues A-3, A-4, and A-5. Based on observed experience, this probability is given in the following values:

p (tube rupture following a MSLB) = 0.034

This was broken down as follows:

p (1 SGTR following MSLB) = 0.017
p (2 to 10 SGTRs following a MSLB) = 0.014
p (more than 10 SGTRs following a MSLB) = 0.003.

The report did differentiate by reactor type in considering plant response to the SGTRs. However, the probabilities of tube rupture were applied to all reactor types. As a result, it will be assumed here that these are applicable to the B&W Oconee plant. The initial plant response to tube ruptures can be modeled as a small break LOCA. However, the long-term system response to a SGTR may differ from that of a LOCA in that water released from the break may not be available for collection at sumps within the reactor building. Long-term recirculation modes may not be available as they would for most LOCAs.

To model the plant response to a SGTR, PNL examined the specific event tree developed for this purpose for the Oconee B&W PWR (NSAC-60, A Probabilistic Risk Assessment of Oconee Unit 3, EPRI, June 1984), as well as information developed in support of unresolved safety issues A-3, A-4, and A-5 concerning steam generator tube integrity (NUREG-0844). The event tree developed for Oconee is as given in Volume 1, page 3-64. The results are summarized in Table 2.2 below.

TABLE 2.2. Core-Melt Contribution of SGTR Events for the Oconee PRA

Sequence Type   Estimated Core-Melt Frequency, 1/py
RU A            3.9E-07
RU B            8.5E-07
RX0 A           4.0E-07
RX0 B           7.4E-07
Total           2.38E-06

In this table, the following definitions apply:

R = frequency of the SGTR event (greater than 100 gpm) = 8.6E-03/py
U = failure of HPI
X = failure to achieve long-term cooling at cold shutdown
A = core-melt with sprays available to scrub radionuclides
B = core-melt with sprays failed.


With the total predicted dominant contribution to core-melt from SGTR put at 2.38E-06/py and a SGTR initiating frequency of 8.6E-03/py, the conditional probability of core-melt given SGTR is then put at 2.77E-04.

This compares to the Zion Westinghouse PWR, where the conditional probability of core-melt given SGTR was taken as 9.19E-06, or approximately 1E-05 given SGTR.

As pointed out in the PNL A-47 examination of MSLB leading to SGTR for the Westinghouse plant, the sequences developed in the PRAs do consider the potential for failure of the HPI system to successfully depressurize and cool the RCS following a SGTR. This centers on the early failure of the HPI itself, or exhaustion of the water inventory in the reactor water storage tank (RWST) before depressurization. The latter is highly dependent on the ability to isolate the affected steam generator.

In the PRAs, many scenarios for single and especially multiple tube rupture events postulate the lifting and sticking open of steam generator relief valves due to the large pressure spike seen by the secondary side on rupture of the tubes. However, in this case the scenario is driven by an assumed steam line break on the secondary side, thus making the lift of relief valves unlikely.

Failure to isolate the SG due to rupture of the steam line inboard of a main steam isolation valve (MSIV) is then considered in NUREG-0844, being a potential contributor to tube rupture. However, this initiating frequency is quite low due to the low random potential for valve or steam line rupture. This then results in a small contribution to the total core-melt frequency for MSLBs inboard of the MSIV predicted in NUREG-0844.

In a spillover scenario, however, a steam line break inboard of the MSIVs may have a higher potential. The analysis here assumes that a steam line break occurs with high probability given overfill. If a conservative approach is further taken to assume a 50 percent probability of MSLB above or below the MSIV, then this scenario may play a dominant role in the resulting conditional probability of progression to core-melt. Note again that the Oconee plant in particular has no MSIVs, but the consideration of such valves is likely applicable to the general population of B&W PWRs.

To determine the potential impact of the MSLB location on core-melt frequency, the appropriate scenarios and failure probabilities from NUREG-0844 Chapter 3.4 were examined, with the results given below. They have also been coupled with the assumed SGTR probabilities. This same approach was used to model the Westinghouse plant response to MSLB and SGTR. Given the level of uncertainty in exact plant response, this is considered appropriate at this time.


Case 1: Rupture of Main Steam Line Inboard of the MSIV

Columns: number of SGTRs; probability of rupture; probability of loss of RWST before RCS depressurization; probability of failure to isolate SG; net core-melt probability.

Number of SGTRs   P(rupture)   P(RWST lost before depressurization)   P(failure to isolate SG)   Net core-melt probability
1                 0.017        1E-03                                  1                          1.7E-05
2 to 10           0.014        1E-02                                  1                          1.4E-04
more than 10      0.003        0.5                                    1                          1.5E-03

Total Prob of Core-Melt Given MSLB Inboard of MSIV: 1.66E-03
Conditional Prob of Core-Melt Given MSLB and SGTR: 4.87E-02

Case 2: Rupture of Main Steam Line Downstream of the MSIV

Number of SGTRs   P(rupture)   P(RWST lost before depressurization)   P(failure to isolate SG)   Net core-melt probability
1                 0.017        1E-04                                  1E-03                      1.7E-09
2 to 10           0.014        1E-03                                  1E-03                      1.4E-08
more than 10      0.003        1E-03                                  1E-03                      3.0E-09

Total Prob of Core-Melt Given MSLB Downstream of MSIV: 1.87E-08
Net Prob of Core-Melt Given MSLB and SGTR: 5.50E-07

For plants with MSIVs, if a 50 percent probability of MSLB inboard of the MSIVs is used, the conditional probability of core-melt given MSLB and SGTR can then be weighted, giving (0.5)(4.87E-02 + 5.50E-07) = 2.44E-02. In B&W plants with MSIVs, the core-melt frequency would then be estimated to be lower by a factor of 2 compared to Oconee-1.

Note however that the Oconee plant is design specific in that no motor-operated MSIVs are present, only manual valves. As such, any failure in the steam line would likely result in loss of water collection in sumps for recirculation. This will thus be used at Oconee as well until better information is available as to the probable frequency and location of MSLB given spillover, giving a conditional probability of core-melt given SGTR of 4.87E-02.

In this analysis, the frequency of overfill progressing to spillover, MSLB and SGTR is then put at (5.70E-03/py)(0.034) = 1.94E-04/py. Using this new initiating frequency for SGTR, the total predicted frequency of core-melt due to this control system failure is then put at (1.94E-04/py)(4.87E-02) = 9.45E-06/py.

Comparison to SBLOCA Response

PNL also examined the possibility of modeling the SGTR event with small break LOCA (SBLOCA) event trees from the Oconee PRA. With an initiating frequency of 1.3E-03/py for S3 (less than 4 inch) SBLOCAs, the resulting Oconee core-melt frequency due to S3 sequences was 1.56E-05/py, giving a conditional probability of core-melt given SGTR of (1.56E-05/py)/(1.3E-03/py) = 1.20E-02.

The approach used above then gives roughly a factor of 4 increase in the estimated frequency of core-melt compared to an analysis based on system response to a SBLOCA.

PTS

The potential for MSLB or SGTR leading to pressurized thermal shock (PTS) and possible vessel rupture has not been fully evaluated at this time. The consideration of such events in the Westinghouse PWR has put preliminary estimates of vessel failure probability below 1E-06 given the PTS event, indicating that PTS would not contribute significantly to risk for events initiated by the control failures examined. The role of PTS should likely be examined specifically for the B&W plant design when the PTS program makes its conclusions.

2.4 PUBLIC RISK DUE TO STEAM GENERATOR OVERFILL AND SGTR

The core-melt sequences above were brought about by failure of the water storage tank inventory and water not being available from the building sumps. As a result, the containment sprays would also be assumed to be inoperable. In addition, the release is characterized by a significant leakage of containment, given the SGTR and MSLB. Given these considerations, only release category 2 at 4.8E+06 man-rem/core-melt will be used here to estimate the public risk, as was done with the PNL analysis of the Westinghouse PWR. The results are summarized in Table 2.3 below.

TABLE 2.3. Public Risk Associated with Steam Generator Overfill, MSLB, and SGTR

Release Category   Induced SGTR Core-melt/py   A-47 PNL Analysis of Overfill with SGTR: Core-melt/py (Best Estimate)   Man-rem/py (Best Estimate)
2                  2.38E-06                    9.45E-06                                                                 4.54E+01

2.5 RESULTS OF STEAM GENERATOR OVERFILL

The results of the consideration of steam generator overfill leading to a transient shutdown, MSLB, or progressing beyond MSLB to a SGTR are summarized in the following table. Note that the simple consideration of the overfill as a transient requiring plant shutdown represents the major part of the risk estimated here. Again, the frequencies given here assume an overfill initiating frequency of 0.006/py considering both steam generators, including a 0.7 failure probability of the operator to terminate the overfill. The probability of inducing a MSLB was then put at 0.95, and the probability of progressing to core damage given MSLB was put at 1.1E-05. Note also that the predicted core-melt frequency for MSLB is similar to that predicted for transient shutdown. However, the MSLB frequency actually predicts core damage and not core-melt.

The probability of SGTR given MSLB was then put at 0.034, and the resulting response modeled assuming the break occurs above an isolation valve in the steam line and outside the reactor building where water would not be collected by building sumps for recirculation.

Note that for Oconee the latter assumption is not particularly conservative as the plant is not equipped with operator powered MSIVs. The plant may have manual valves on steam lines, but credit for their operation could not be assumed given a MSLB.

TABLE 2.4. Result of Overfill Scenario for Oconee

Sequence                 Sequence Frequency                      Core-Melt Frequency, 1/py (Best Estimate)   Public Risk, man-rem/py (Best Estimate)
T2 Transient Shutdown    (0.006)                                 6.88E-08                                    1.86E-01
Overfill & MSLB          (0.006)(0.95)                           6.27E-08                                    1.70E-01
Subtotal                                                         1.32E-07                                    3.56E-01
SGTR                     (0.006)(0.95)(0.034) = 1.84E-04/py      9.45E-06                                    4.54E+01
TOTAL                                                            9.58E-06                                    4.58E+01
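The chain of estimates in Section 2, from the overfill initiator through MSLB, SGTR and the release-category weighting, as an added Python example that is not part of the PNL report. It uses only values stated in this section; the function and constant names are this example's own, and last-digit differences against the tables come from the report rounding intermediate results.

```python
"""SG overfill progression to core-melt and public risk for the Oconee B&W PWR.

Added example built from the values the PNL A-47 report states in Section 2;
it is not the report's own calculation. Release-category weights and man-rem
per release are the WASH-1400 PWR figures the report uses in Tables 2.1 and 2.3.
"""

# Overfill initiator: ORNL fault-tree inputs for the undetected high level trip failure
ICS_FEEDWATER_INCREASE = 0.144          # per plant-year, during the undetected failure
HIGH_LEVEL_TRIP_FAILURE = {             # failure on demand, annual test interval
    "MFW pump intercept valve": 0.001,
    "MFW pump trip solenoid valve": 0.006,
    "MFW pump trip relay FTPX": 0.009,
    "SG operate range level transmitter": 0.004,
    "multiplication module": 0.018,
    "signal monitor module": 0.007,
    "signal generator module": 0.002,
}
OPERATOR_FAILS_TO_TERMINATE = (0.7, 0.1)  # ORNL range: fast overfeed, slow overfeed


def high_level_trip_failure_on_demand():
    return sum(HIGH_LEVEL_TRIP_FAILURE.values())        # 0.047


def overfill_frequency_range():
    """PNL screening estimate: initiator x trip failure x operator error, per py."""
    p_trip = high_level_trip_failure_on_demand()
    return tuple(ICS_FEEDWATER_INCREASE * p_trip * p_op for p_op in OPERATOR_FAILS_TO_TERMINATE)


# Progression inputs adopted for the Oconee scenario
OVERFILL_FREQ = 0.006                 # per py, ORNL net estimate (both SGs, 0.7 operator error)
P_CORE_DAMAGE_GIVEN_MSLB = 1.1e-5     # Figure 2.1, ORNL Precursor study as updated by INPO
T2_CORE_MELT = 3.44e-5                # Oconee PRA, all T2 sequences, per py
T2_INITIATING = 3.0                   # Oconee PRA T2 initiating frequency, per py
P_SGTR_GIVEN_MSLB = 0.034             # NUREG-0844


def p_mslb_given_spillover(p_turbine_trip=0.1):
    """MSLB certain at rated power, 0.5 after a turbine trip: (1.0)(0.9) + (0.5)(0.1)."""
    return 1.0 * (1.0 - p_turbine_trip) + 0.5 * p_turbine_trip


# NUREG-0844 Chapter 3.4 rows: (P(n tubes | MSLB), P(RWST lost before depressurization),
# P(failure to isolate the SG)) for a break inboard of the MSIV and downstream of it.
CASE1_INBOARD = [(0.017, 1e-3, 1.0), (0.014, 1e-2, 1.0), (0.003, 0.5, 1.0)]
CASE2_DOWNSTREAM = [(0.017, 1e-4, 1e-3), (0.014, 1e-3, 1e-3), (0.003, 1e-3, 1e-3)]


def p_core_melt_given_mslb(rows):
    return sum(p_n * p_rwst * p_iso for p_n, p_rwst, p_iso in rows)


def p_core_melt_given_sgtr(rows):
    """Conditional on the tube rupture having occurred."""
    return p_core_melt_given_mslb(rows) / P_SGTR_GIVEN_MSLB


def p_core_melt_given_sgtr_with_msivs():
    """Plants with MSIVs: 50 percent chance the break is inboard, 50 percent downstream."""
    return 0.5 * (p_core_melt_given_sgtr(CASE1_INBOARD) + p_core_melt_given_sgtr(CASE2_DOWNSTREAM))


# Public risk: WASH-1400 PWR release categories, (probability given core-melt, man-rem/release)
TRANSIENT_RELEASE = {"PWR-3": (0.5, 5.4e6), "PWR-5": (0.0073, 1.0e6), "PWR-7": (0.5, 2.3e3)}
SGTR_RELEASE = {"PWR-2": (1.0, 4.8e6)}   # sprays lost and containment bypassed via SGTR + MSLB


def public_risk(core_melt_freq, categories):
    """Man-rem per plant-year: sum over categories of freq x P(category) x man-rem/release."""
    return sum(core_melt_freq * p_cat * man_rem for p_cat, man_rem in categories.values())


def overfill_sequences(overfill_freq=OVERFILL_FREQ):
    """Table 2.4 rows: (sequence frequency, core-melt frequency, man-rem/py).
    Oconee has no power-operated MSIVs, so the SGTR branch uses the inboard case only."""
    mslb = overfill_freq * p_mslb_given_spillover()            # 5.70E-03/py
    sgtr = mslb * P_SGTR_GIVEN_MSLB                            # 1.94E-04/py
    t2_core_melt = T2_CORE_MELT * (overfill_freq / T2_INITIATING)
    mslb_core_melt = mslb * P_CORE_DAMAGE_GIVEN_MSLB            # core damage taken as core-melt
    sgtr_core_melt = sgtr * p_core_melt_given_sgtr(CASE1_INBOARD)
    return {
        "T2 transient shutdown": (overfill_freq, t2_core_melt,
                                  public_risk(t2_core_melt, TRANSIENT_RELEASE)),
        "Overfill and MSLB": (mslb, mslb_core_melt, public_risk(mslb_core_melt, TRANSIENT_RELEASE)),
        "SGTR": (sgtr, sgtr_core_melt, public_risk(sgtr_core_melt, SGTR_RELEASE)),
    }


def totals(overfill_freq=OVERFILL_FREQ):
    """(total core-melt frequency per py, total man-rem per py)."""
    rows = overfill_sequences(overfill_freq).values()
    return sum(cm for _, cm, _ in rows), sum(risk for _, _, risk in rows)


if __name__ == "__main__":
    for name, (freq, core_melt, risk) in overfill_sequences().items():
        print(f"{name:24s} {freq:9.2E}/py  core-melt {core_melt:9.2E}/py  {risk:9.2E} man-rem/py")
    print("total core-melt {:.2E}/py, risk {:.2E} man-rem/py".format(*totals()))
```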


3.0 ICS POWER FAILURES

The ORNL analysis of control system failures identified two Integrated Control System (ICS) related power failures that may lead to overfill and undercool events. They are analyzed further here.

3.1 LOSS OF ICS HAND POWER

The ORNL analysis identifies an insufficient core cooling scenario involving the loss of ICS branch circuits HX or HXI. This is determined to result in the MFW pumps being run back to the minimum speed and the turbine bypass steam dump valves being closed. This then initiates a reactor and turbine trip on high RCS pressure.

The scenario as postulated by ORNL is that continuous MFW pump operation will block the initiation signal for Emergency Feedwater System (EFW) operation as no low MFW pump discharge pressure or trip signal has been generated. The steaming rate then exceeds feedwater input, and steam generator dryout will occur unless the operator manually initiates AFW within 30 minutes. Core-melt can also be prevented by initiating HPI within 60 minutes.

The frequency of this event is estimated by ORNL as follows:

- frequency of ICS hand circuit failure = 0.009/py

- probability of operator failure to initiate AFW within 30 min = 0.1

- probability of operator failure to initiate HPI within 60 min = 0.01.

The total sequence frequency is then put at (0.009/py)(0.1)(0.01) = 9E-06/py.

The power failure and trip cause closure of the turbine bypass and stop valve, which seals the secondary side and maintains the steam pressure at a high enough level to prevent MFW flow. The ORNL simulation then predicts that pressures will cycle about the safety relief valve lift points, maintaining sufficient pressure in the secondary side to prevent MFW flow.

The question is then if conditions can remain such that MFW flow is prevented for the 30-minute period after ICS hand power failure. With safety relief valves cycling several times during the interval of interest, the potential exists for a relief valve to stick open, thus depressurizing the secondary side. The Oconee PRA estimates this probability to stick open at 0.05 per demand. The probability of failure to depressurize to allow MFW flow then will be a function of the number of valve lifts experienced in the 30-minute period. For example, 5 lifts would reduce this probability to (0.95)**5 = 0.77. Ten lifts would reduce this to (0.95)**10 = 0.6. To be conservative, it will simply be assumed that relief valve sticking is possible, but no credit will be taken for this at this time. Successful cooling will then rely on operator action to initiate MFW or EFW flow during the 30-minute period.


The event tree for this scenario is depicted in Figure 3.1. The potential for passive recovery of feedwater flow during the 30-minute period preceding dryout is included, reflecting the potential for relief valve depressurization of the secondary side. The probability of this failing is, however, put at 1 at this time.

The ORNL estimates for operator failure to reestablish MFW or EFW flow, put at 0.1, and for failure to initiate HPI, put at 0.01, will be used here. These values are consistent with the estimates used for operator performance in the Oconee PRA sponsored by the NRC (NUREG/CR-1659). Note that failure of the H1X power circuit will be annunciated directly in the control room (alarm A1-24, control board UBI, NSAC/60, page A9-31). The probability of operator detection and correction could thus be higher than assumed here.

The net result is an estimated core-melt frequency of 9.0E-06/py.

3.2 PUBLIC RISK DUE TO LOSS OF ICS HAND POWER

This scenario then progresses to core-melt given the failure of feedwater or high pressure injection systems. In the Oconee PRA, core-melts as a result of such system failures are characterized by WASH-1400 release categories 3, 5, and 7, with a probability distribution of 0.5, 0.0073, and 0.5, respectively.

Using the associated man-rem/release factors as presented in the Value/Impact Handbook (NUREG/CR-3568), the resulting estimate of public risk represented by this scenario is given below.

TABLE 3.1. Public Risk Associated With ICS Hand Power Failure

Core-Melt Frequency, 1/py   Release Category   Probability   Man-Rem Per Release   Man-Rem Per Plant-Yr
9.0E-06                     3                  0.5           5.4E+06               2.43E+01
                            5                  0.0073        1.0E+06               6.57E-02
                            7                  0.5           2.3E+03               1.04E-02
Total                                                                              2.44E+01

The total public risk is then estimated at 2.44E+01 man-rem/py. No estimate of the upper bound for the initiating frequency was made by ORNL. This will simply be assumed here to be a factor of 10, giving an upper bound on core-melt of 9E-05/py, and an upper bound on risk of 2.44E+02 man-rem/py.

3.3 LOSS OF ICS AUTO POWER

The ORNL analysis also develops the loss of ICS auto power on the H or H1 branches.

FIGURE 3.1. Loss of ICS Hand Power Event Tree
[Figure residue; legible content only. Top events: ICS Hand Power Failure (0.009/py), Passive Recovery of MFW Flow in 30 min., MFW or EFW Flow Recovered in 30 min. (0.1), HPI Initiated in 60 min. (0.01). End state: Core-melt 9E-06/py.]

The ORNL core-melt event tree associated with the loss of ICS auto power, assuming that Oconee MFW pumps do not trip automatically, is given in Figure 3.2. As can be seen, the primary contribution to failure comes from operator error in failing to isolate the MFW pumps, and then in failing to initiate EFW or HPI 30 to 60 minutes after MFW isolation when the scenario becomes an undercooling event.

ORNL indicates, however, that operation could continue with failure of the ICS auto power as the system is in an unstable equilibrium with respect to feedwater flow. Instrument drifts, etc., would then be expected to eventually cause an out-of-balance condition generating a trip signal. ORNL puts this probability at 1, and assigns operator error probabilities on the assumption that they are responding to a reactor trip after an instability occurs, without any prior indications as to the cause.

PNL feels that the operator response will be highly dependent on the recognition of the ICS power failure. Once alerted to the power failure, the probability of successful operator action in maintaining stability of the plant before a trip occurs is thought to be much higher than reflected in the ORNL numbers. The options open to the operator again include continued operation in manual control, or plant shutdown. The probability of failure to maintain adequate feedwater flow under manual control during operator induced shutdown would likewise be expected to be smaller than that given by ORNL.

ORNL points out that loss of ICS auto power would not result directly in a transient. However, the automatic response to perturbations in the plant operating state would be limited. It was assumed that an eventual plant trip would occur in response to such perturbations (e.g., a main feedwater control valve drift). The question is then how long the plant can operate in this unstable equilibrium state, and if operator detection and correction of plant condition is likely while in this state compared to operator response to an off-normal plant trip.

An event tree based on continued operation after detection of the auto power failure is shown in Figure 3.3. The event tree is developed for a 0.9 probability of detection, resulting in a significant reduction in the core-melt frequency estimate. The probability of operator failure to maintain feedwater controls after detection of the failure would be lower compared to responding to a trip.

The event tree then centers on a reasonable estimate of operator detection of the ICS circuit H or HI power failure before an upset condition develops. An ORNL review of the Oconee plant indicates that the H circuit failure would be annunciated in the control room. However, no annunciators or alarms were found directly related to the HI circuit which feeds most of the feedwater control circuits. Oconee personnel indicated that they would respond to the failure by taking manual control and maintaining reactor operation as depicted in Figure 3.3; however, no existing procedures were found for such a failure.

As a result, the more conservative Figure 3.2 as developed by ORNL will be used at this time. It should be recognized, however, that proper annunciation and operator response could reduce the scenario frequency significantly.

FIGURE 3.2. Loss of ICS Auto Power Event Tree (ORNL, MFW pumps assumed not to trip automatically)
[Figure residue; legible content only. Top events: ICS Auto Power Fails (0.009/yr), Reactor Transient Trip, Operator Isolates MFW, MFW or EFW reestablished in 30 minutes, HPI Initiated in 60 minutes, Safety Consequence. Legible branch values: 0.5, 0.03, 0.01. End states: None; SG overfill 4.50E-03/yr; Core-melt 1.35E-06/yr.]

FIGURE 3.3. Loss of ICS Auto Power Event Tree with Operator Detection Before Transient
[Figure residue; legible content only. Top events: ICS Auto Power Failure (0.009/yr), Operator Detection Before Transient (0.9), Reactor Trip, Operator Isolates MFW, MFW or EFW reestablished in 30 minutes, HPI Initiated in 60 minutes, Consequence. Legible branch values: 0.5, 0.9, 0.1, 0.03, 0.01, 0.001. End states: None; SG Overfeed 4.05E-04/yr and 4.50E-04/yr; Core-melt 3.65E-08/yr and 1.35E-07/yr.]

Core-Melt Frequency

The frequency of this scenario progressing to core-melt is then put at 1.35E-06 in Figure 3.2, with another branch progressing to overfill with a frequency of 4.50E-03/py. Note, however, that given the auto power failure, the high-level MFW pump trips are still functional. As a result, the MFW pumps will trip if the operator fails to isolate them. From an operational standpoint, the demands placed on the plant certainly favor the operator action of throttling feedwater flow. However, in this development of risk, there is no real distinction between operator or automatic MFW isolation. Both will eventually require operator re-initiation of flow within 30 minutes to prevent dryout.

Note also that the latest ORNL simulations indicate that the feedwater pumps may trip themselves on runout after reactor trip, making Figure 3.2 applicable. As a result, the last branch on Figure 3.2 will also contribute to core-melt with a frequency of 1.35E-06/py, for a total estimated frequency of 2.70E-06/py.

Again, it will be assumed that the upper bound is a factor of 10 higher.

Progression of Overfill to Spillover and MSLB

To present a potential for MSLB, PNL has assumed that the overfill must progress to the point of actual spillover into the steam lines. The overfeed as analyzed by ORNL is expected to result in MFW pump trip due to low suction pressure, or, if this does not occur, all MFW pumps would trip on high level in either SG. Either trip would end the overfeed. To be conservative it will be assumed that the trip on low suction does not occur, with reliance on the high-level trip. In this case, spillover would require the failure of the high-level trip on demand. The ORNL estimate of an undetected failure existing, giving a failure probability on demand of 0.047, will be used here, giving a spillover frequency of (4.50E-03/py)(0.047) = 2.12E-04/py.

The potential for MSLB given overfill has then been estimated by PNL to be 0.5 given that spillover occurs after plant trip. This is reduced from 1.0 for spillover during operation, assuming that the conditions that might drive a possible pipe failure are reduced. The frequency of MSLB is then put at 1.06E-04/py due to this scenario. The probability of further progressing to core damage given MSLB was put earlier at 1.1E-05, giving a final estimate of the frequency of core damage following overfill and MSLB of 1.16E-09/py. The upper bound is again put at a factor of 10 higher, or 1.16E-08/py.

Progression to Spillover and T2 Transient Shutdown

As with the first spillover scenario, this scenario has the potential for damaging the PCS necessary for successful shutdown and decay heat removal. The overfill and progression to spillover could then be considered a transient initiator even if no MSLB occurs. Again using the 0.5 operator error probability for MFW control and 0.047 for failure of the high trip, and a 0.1 factor for failure of the PCS, the T2 initiating frequency for this sequence becomes (0.009/py)(0.5)(0.047)(0.1) = 2.12E-05/py. Again ratioing this to the Oconee T2 frequency of 3/py gives the predicted core-melt estimate of (2.12E-05/3)(3.44E-05/py) = 2.43E-10/py. This contribution is for all practical purposes negligible.


Progression of Overfill to Spillover, MSLB, and SGTR

The probability of SGTR given MSLB was estimated earlier at 0.034. The probability of core-melt given MSLB and subsequent SGTR was also put at 2.44E-02. The net result is an estimated frequency of core-melt given overfill, spillover, MSLB, and SGTR of (4.5E-03/py)(0.047)(0.5)(0.034)(2.44E-02) = 8.77E-08/py. The upper bound is again assumed to be a factor of 10 higher.

The total estimated core-melt frequency is then (2.70E-06 + 1.16E-09 + 8.77E-08)/py = 2.79E-06/py, with an upper bound a factor of 10 higher.

3.4 PUBLIC RISK DUE TO LOSS OF ICS AUTO POWER

The release categories associated with a failure of feedwater, HPI, or core damage due to MSLB were assumed earlier to be WASH-1400 release categories 3, 5, and 7, with the probability distribution of 0.5, 0.0073, and 0.5, respectively. The SGTR scenario is assumed to be associated entirely with release category 2. The results are given below.

TABLE 3.2. Public Risk Associated with Failure of ICS Auto Power

Scenario (Core-Melt Frequency, 1/py)        Release    Probability   Man-Rem        Man-Rem
                                            Category                 Per Release    Per Plant-Yr
Overfill with operator failure to
initiate feedwater or HPI (2.70E-06)        3          0.5           5.4E+06        7.29E+00
                                            5          0.0073        1.0E+06        1.97E-02
                                            7          0.5           2.3E+03        3.11E-03
                                                                     Subtotal       7.31E+00
Overfill with subsequent MFW high trip
failure, and MSLB (1.16E-09)                3          0.5           5.4E+06        3.13E-03
                                            5          0.0073        1.0E+06        8.47E-06
                                            7          0.5           2.3E+03        1.33E-06
                                                                     Subtotal       3.14E-03
Overfill with subsequent MFW high trip
failure, MSLB and SGTR (8.77E-08)           2          1.00          4.8E+06        4.21E-01

The total public risk is then estimated at (7.31E+0 + 3.14E-03 + 4.21E-01) = 7.73E+0 man-rem/py. No estimate of the upper bound for the initiating frequency was made by ORNL. This will simply be assumed here to be a factor of 10, giving an upper bound on core-melt of 2.79E-05/py, and an upper bound on risk of 7.73E+01 man-rem/py.
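The sequence arithmetic of Sections 3.3 and 3.4, carried through in Python as an added worked example; this is not code from the PNL report. Every constant is a branch value or release-category figure quoted in the text above, and the function names are this example's own. It reproduces the three core-melt contributions, the T2 contribution the report sets aside as negligible, the Table 3.2 man-rem figures, and the factor-of-10 upper bound.

```python
"""Worked reproduction of the loss-of-ICS-auto-power core-melt sequences and the
public risk in Table 3.2.  Added example, not code from the PNL report; every
constant below is a value quoted in the report text.  Sequence frequencies are
products of branch probabilities, which is the event-tree arithmetic the report uses."""

# Branch values quoted in Sections 3.3-3.4 (frequencies are per plant-year, /py)
AUTO_POWER_FAILURE = 0.009      # ICS auto power failure, /py
P_TRIP = 0.5                    # reactor trip follows the failure
P_NO_FEEDWATER_30MIN = 0.03     # operator fails to reestablish MFW/EFW in 30 min
P_NO_HPI_60MIN = 0.01           # operator fails to initiate HPI in 60 min
P_HIGH_TRIP_FAILS = 0.047       # undetected failure of the MFW high-level trip on demand
P_MSLB_GIVEN_SPILLOVER = 0.5    # reduced from 1.0 because spillover follows a trip
P_CORE_DAMAGE_GIVEN_MSLB = 1.1e-5
P_SGTR_GIVEN_MSLB = 0.034
P_CORE_MELT_GIVEN_MSLB_SGTR = 2.44e-2
P_PCS_FAILS = 0.1               # PCS damaged by spillover (T2 initiator)
OCONEE_T2_FREQUENCY = 3.0       # /py
CORE_MELT_GIVEN_T2 = 3.44e-5    # /py, Oconee T2 core-melt frequency
UPPER_BOUND_FACTOR = 10.0

# WASH-1400 release categories: category -> (probability given core melt, man-rem per release)
FEEDWATER_OR_MSLB_RELEASES = {3: (0.5, 5.4e6), 5: (0.0073, 1.0e6), 7: (0.5, 2.3e3)}
SGTR_RELEASES = {2: (1.0, 4.8e6)}


def dryout_core_melt():
    """Both dryout branches of Figure 3.2: 0.009 x 0.5 x 0.03 x 0.01 = 1.35E-06/py each."""
    branch = AUTO_POWER_FAILURE * P_TRIP * P_NO_FEEDWATER_30MIN * P_NO_HPI_60MIN
    return 2 * branch


def overfill():
    """Trip with MFW still running: 0.009 x 0.5 = 4.50E-03/py."""
    return AUTO_POWER_FAILURE * P_TRIP


def spillover():
    """Overfill reaching the steam lines requires the high-level trip to fail on demand."""
    return overfill() * P_HIGH_TRIP_FAILS


def mslb_core_damage():
    return spillover() * P_MSLB_GIVEN_SPILLOVER * P_CORE_DAMAGE_GIVEN_MSLB


def sgtr_core_melt():
    return (spillover() * P_MSLB_GIVEN_SPILLOVER * P_SGTR_GIVEN_MSLB
            * P_CORE_MELT_GIVEN_MSLB_SGTR)


def t2_core_melt():
    """Spillover as a T2 initiator, ratioed to the Oconee T2 core-melt frequency.
    The report judges this negligible and leaves it out of the total."""
    initiator = overfill() * P_HIGH_TRIP_FAILS * P_PCS_FAILS
    return initiator / OCONEE_T2_FREQUENCY * CORE_MELT_GIVEN_T2


def total_core_melt():
    return dryout_core_melt() + mslb_core_damage() + sgtr_core_melt()


def man_rem_per_py(core_melt_frequency, releases):
    """Sum over release categories of frequency x P(category) x man-rem per release."""
    return sum(core_melt_frequency * p * dose for p, dose in releases.values())


def public_risk_table():
    """Rows of Table 3.2: scenario -> (core-melt frequency /py, man-rem/py)."""
    scenarios = {
        "overfill, operator fails to initiate feedwater or HPI":
            (dryout_core_melt(), FEEDWATER_OR_MSLB_RELEASES),
        "overfill, high trip failure, MSLB":
            (mslb_core_damage(), FEEDWATER_OR_MSLB_RELEASES),
        "overfill, high trip failure, MSLB, SGTR":
            (sgtr_core_melt(), SGTR_RELEASES),
    }
    return {name: (freq, man_rem_per_py(freq, rel)) for name, (freq, rel) in scenarios.items()}


def total_public_risk(upper_bound=False):
    factor = UPPER_BOUND_FACTOR if upper_bound else 1.0
    return factor * sum(risk for _, risk in public_risk_table().values())


if __name__ == "__main__":
    for name, (freq, risk) in public_risk_table().items():
        print(f"{name}: {freq:.2E}/py, {risk:.2E} man-rem/py")
    print(f"total core-melt {total_core_melt():.2E}/py, risk {total_public_risk():.2E} man-rem/py")
    print(f"upper bound risk {total_public_risk(upper_bound=True):.2E} man-rem/py")
```

The unrounded total comes out at 7.74 man-rem/py against the report's 7.73, the difference being the report's rounding of intermediate values such as 1.06E-04 and 8.77E-08.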


4.0 VALUE/IMPACT ANALYSIS

In this chapter, several modifications to the plant will be postulated to evaluate the potential cost and associated reduction in risk.

4.1 MODIFICATIONS TO REDUCE UNDETECTED FAILURE OF THE HIGH-LEVEL MFW TRIP

ORNL suggests that modifications can be made to the high-level trip logic, or the time between inspection periods can be reduced, to lower the potential for undetected failure. The latter will be addressed first; however, the two are closely related.

The initial overfill scenario developed by ORNL centers on the failure of the high-level MFW trip function in an undetected state. The assumed component failures and equivalent failure-on-demand probabilities calculated by ORNL are given again below, based on an annual inspection rate with 50 percent of the failures being detected and repaired in that period:

a) either MFW pump intercept valve fails              0.001/demand
b) either MFW pump trip solenoid valve fails          0.006/demand
c) MFW pump trip relay FTPX fails                     0.009/demand
d) either SG operate range level transmitter fails    0.004/demand
e) either multiplication module fails                 0.018/demand
f) either signal monitor module fails                 0.007/demand
g) either signal generator module fails               0.002/demand
   Total                                              0.047/demand

The problem centers on the current configuration of the high-level trip circuit. This consists of two parallel circuits acting on signals from generators A and B, respectively, each with two trip relays in series (i.e., one from each of two level transmitters in the generator), as shown in Figure 4.1. To produce the trip signal, both level transmitters in a generator must then send a high signal, and both associated normally-open relays in one parallel branch of the trip circuit must close. High signals from the other generator would act the same. This could be termed a 2-out-of-2-once trip logic, as a high-level condition in either generator could produce the trip. These parallel circuits then feed one FTPX solenoid/contact, which provides another single failure point, as given on the list above.

ORNL suggests that the trip relays acting on signals from the two level transmitters in each generator could be wired in parallel rather than in series, thus lowering the potential for one to fail in the open condition. The function of the FTPX relay would also have to be duplicated in parallel if this advantage is to propagate through the entire trip circuit. It was pointed out, however, that this would increase the potential for spurious trips.


[FIGURE 4.1. B&W Oconee PWR High Level MFW Trip Circuit. Inputs: SGA (0.072 overfeeds/yr) and SGB (0.072 overfeeds/yr). Each of the four level transmitter channels (LTA1, LTA2, LTB1, LTB2) carries the following failure-on-demand values: transmitter 0.002, multiplication module 0.009, signal generator module 0.001, signal monitor module 0.0035, for a channel total of 0.0155. The two channels of each generator feed in series to the single FTPX relay (0.009), which acts on the MFW pump intercept valves (0.001) and MFW pump trip solenoid valves (0.006).]

However, a simpler approach based on reducing the period between tests may provide as much or more benefit using the same basic circuit logic. Discussions with the ORNL subcontractor (Aurther McBride, SAI) indicate that the annual inspection and calibration period assumed is the major contributor to the undetected failed state. The estimate was made that the probability of failure on demand could likely be reduced in direct proportion to the inspection period. As a result, monthly inspections, or inspections on each shutdown, could reduce the assumed failure probability by a factor of 10 across the board for all the failures listed above.

It is uncertain if such testing can be accomplished during plant operation on all components listed above, particularly the pump valves and trip solenoids themselves. However, level transmitter outputs can be checked in comparison to other outputs, and signal module outputs can be tested on generator A, then generator B. After consultation with ORNL, this is thought to reduce all factors above by a factor of 2 except a, b, and c, giving an estimated reduction in the high-trip failure probability of (0.5)(0.047 - 0.016)/(0.047) = 0.33. This would reduce the core-melt frequency proportionally, giving a reduction of (0.33)(9.58E-06/py) = 3.16E-06/py. The public risk would also be reduced by (0.33)(4.58E+01 man-rem/py) = 1.51E+01 man-rem/py, or 4.53E+02 man-rem/plant over 30 years.

The development of new testing procedures is estimated to require on the order of 2 people for 2 months, or 16 man-weeks at $2270/man-week using the costs suggested in NUREG/CR-3568. This gives a development cost of $36,320.

The current effort required annually to inspect the circuits above is not known. As a conservative estimate, it will be assumed here that this requires one man-day per inspection, or currently (1/5)($2270/py) = $450/py. Increasing the inspection rate to once a month would then raise this to $5.5E+03/py. Assuming a 10 percent discount rate over 30 years, this represents a present-worth cost of (9.43)($5.5E+03) = $5.2E+04. The total cost is then $5.2E+04 + $36,320 = $8.8E+04 per plant.

The value/impact ratio is then estimated at 4.53E+02 man-rem/$8.8E+04 = 5.2 man-rem/$1000.

Addition of Parallel FTPX Relay With Monthly Testing of Trip Function

The circuit as it is now installed again has the two trip relays associated with the steam generator A (SG A) level transmitters and the two from SG B feeding a signal to one FTPX relay. Simply adding an additional FTPX relay to the circuit, such that the trip signals from SG A and SG B have their own associated FTPX relay, does not change the logic arrangement or theoretical failure probability compared to the original configuration. However, with two FTPX relays, the circuit can be wired to allow for testing of trip relays while still providing overfill protection for each generator. It will be assumed here that an additional FTPX relay is wired to allow for such testing, with modifications to all components except the valves themselves to allow on-line testing.


This is thought to reduce all factors mentioned above by 90 percent except a and b, giving an estimated reduction in the high-trip failure probability of (0.90)(0.047 - 0.007)/(0.047) = 0.766. This would reduce the core-melt frequency proportionally, giving a reduction of (0.766)(9.58E-06/py) = 7.34E-06/py. The public risk would also be reduced by (0.766)(4.58E+01 man-rem/py) = 3.51E+01 man-rem/py, or 1.05E+03 man-rem/plant over 30 years.

The cost of adding the additional relays is estimated here as follows:

- two man-weeks of engineering support
- one man-week of craft services for installation
- $5,000 in equipment cost.

This gives a total of $11,810, or approximately $12,000, in addition to the $8.8E+04 above. The testing cost will be assumed to double for additional changes in wiring to allow full operational testing of the other components in the circuit. This gives a total of $1.88E+05, or approximately $2E+05.

This gives a value/impact ratio of 1.05E+03 man-rem/$2E+05 = 5.3 man-rem/$1000. The ratio is thus improved approximately 30% with the addition of the parallel FTPX relay and monthly full operational testing compared to monthly testing only.
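The two value/impact estimates above (monthly testing alone, and the parallel FTPX relay with monthly full operational testing), reproduced as an added Python example that is not part of the PNL report. It uses the report's figures and the uniform-series present-worth factor for the 10 percent, 30-year discounting; the function names are this example's own. On the unrounded cost of about $187,000 the parallel-FTPX ratio comes out at 5.6 man-rem/$1000, against the 5.3 the text obtains after rounding the cost to $2E+05.

```python
"""Value/impact of the monthly-testing and parallel-FTPX options in Section 4.1,
carried through with the report's own figures.  Added example, not part of the
PNL report.  The uniform-series present-worth factor reproduces the 9.43 the report
uses for 10 percent over 30 years; the cost doubling for full on-line testing is the
assumption stated in the text."""

MAN_WEEK_COST = 2270.0           # $/man-week, NUREG/CR-3568
BASE_CORE_MELT = 9.58e-6         # /py, sequence core-melt frequency quoted in the text
BASE_RISK = 45.8                 # man-rem/py for the sequence
PLANT_LIFE_YEARS = 30
DISCOUNT_RATE = 0.10
HIGH_TRIP_FOD = 0.047            # total failure on demand (items a-g)
VALVE_AND_RELAY_FOD = 0.016      # items a, b, c: not testable on line
VALVE_FOD = 0.007                # items a, b: untouched even with full operational testing


def present_worth_factor(rate, years):
    """Present worth of $1/yr for `years` years at `rate`: (1 - (1+i)^-n) / i."""
    return (1.0 - (1.0 + rate) ** -years) / rate


def trip_failure_reduction(untestable_fod, improvement):
    """Fraction of the high-trip failure probability removed when the testable
    components improve by `improvement` (0.5 monthly checks, 0.9 full testing)."""
    return improvement * (HIGH_TRIP_FOD - untestable_fod) / HIGH_TRIP_FOD


def monthly_testing_cost():
    """Procedure development plus the present worth of 12 one-man-day inspections a year."""
    development = 16 * MAN_WEEK_COST                  # 2 people x 2 months
    one_inspection = MAN_WEEK_COST / 5                # one man-day
    annual_monthly = 12 * one_inspection
    return development + present_worth_factor(DISCOUNT_RATE, PLANT_LIFE_YEARS) * annual_monthly


def parallel_ftpx_cost():
    """Extra relay ($11,810) plus the monthly-testing cost doubled for the added wiring."""
    relay = 3 * MAN_WEEK_COST + 5000.0
    return relay + 2 * monthly_testing_cost()


def value_impact(reduction_fraction, cost_dollars):
    """Returns (core-melt reduction /py, man-rem/py, man-rem over plant life, man-rem per $1000)."""
    core_melt = reduction_fraction * BASE_CORE_MELT
    risk_py = reduction_fraction * BASE_RISK
    risk_life = risk_py * PLANT_LIFE_YEARS
    return core_melt, risk_py, risk_life, risk_life / (cost_dollars / 1000.0)


def monthly_testing():
    return value_impact(trip_failure_reduction(VALVE_AND_RELAY_FOD, 0.5), monthly_testing_cost())


def parallel_ftpx_with_full_testing():
    return value_impact(trip_failure_reduction(VALVE_FOD, 0.9), parallel_ftpx_cost())


if __name__ == "__main__":
    for label, fn in (("monthly testing", monthly_testing),
                      ("parallel FTPX + full testing", parallel_ftpx_with_full_testing)):
        cm, rpy, rlife, vi = fn()
        print(f"{label}: core-melt -{cm:.2E}/py, {rpy:.1f} man-rem/py, "
              f"{rlife:.0f} man-rem/30 yr, {vi:.1f} man-rem/$1000")
```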

Modifications to Trip Logic

In the PNL examination of the GE BWR and Westinghouse PWR, the installation of a 2-out-of-4 trip logic was examined but did not appear to be favorable. In the Oconee B&W PWR plant, the output from the level transmitters is not used as a level control signal to maintain an exact steam generator water level, as it is in the previously mentioned plants. Rather, the B&W design operates with the water level falling within a broad operating range. Conditions are maintained within this range to give the proper degree of steam superheat at the generator output rather than to maintain a set water height. The operation of the ICS control loop is developed in detail in the ORNL report.

Because the GE and Westinghouse designs combine the feedwater level control and trip functions in the level transmitters, a failure there that could both fail the high trip and drive the feedwater increase becomes the dominant failure mechanism. Fixes addressing the level transmitter failure modes and logic then became the obvious targets for correction. With the separation of these functions in the B&W design, the dominant failure identified by ORNL became an undetected failure of the high trip. As such, corrective actions should be directed at this failure specifically for the B&W plant.

In the B&W plant, the ICS system relies on control of the feedwater valves as the first level of defense in preventing overfill of the steam generators. This in itself provides a high-level protection function. The MFW pump trip function then operates independently of the ICS control loop. As such, the system already provides a back-up protection against overfill progressing to spillover. The question is what is the best way to improve this reliability.


Going to a multiple high-level trip logic system may theoretically improve the reliability of the trip, but on a practical level most of the benefits associated with a 2-out-of-3 or 2-out-of-4 trip logic are derived from the ability to test the function during operation. Because the trip function is not used directly in control of the B&W design, the minor modifications postulated above essentially provide this ability without the installation of these more complicated logic networks. Putting the existing network of trip relays in parallel for a 1-out-of-1 logic would be less costly; however, the potential then exists for an increased rate of spurious trips, as pointed out by ORNL.

However, several modifications to the trip logic will be examined here for comparison. These are listed below in Table 4.1. The failure probabilities used for relays and modules are based on the values from ORNL, as given at the beginning of this chapter. Note that the current circuit has two level transmitters and associated modules (multiplication, signal monitor, and signal generator modules) in series for a total failure probability of (0.004 + 0.018 + 0.007 + 0.002) = 0.031. It is assumed here then that one level transmitter and associated modules have a failure probability of 0.5(0.031) = 0.0155. This logic is shown more clearly in Figure 4.1. This again is the probability of failure on demand calculated by ORNL based primarily on undetected failures over the annual inspection period.

Note also that it will be assumed here that the failure probability of the MFW valves themselves will bound the possible reductions here for the trip circuit. This is put at (0.001 + 0.006) = 0.007 out of the total of 0.047. This is 0.007/0.047 = 14.9 percent of the total failure probability, implying that a perfect trip logic providing a trip signal to the valves could only reduce the failure probability here by 85.1 percent. This 'perfect' logic would then correspond to a risk reduction of 0.851(4.58E+01 man-rem/py) = 3.90E+01 man-rem/py, or 1.17E+03 man-rem over 30 years.

TABLE 4.1. Alternate Configurations for the B&W Oconee PWR High Level MFW Trip Function (Annual Testing Assumed)

Case  Configuration                                       Failure on Demand                            Ratio to Base Case, n   1-n
1     Base Case, 2-out-of-2 (total of 4 LTs and 1 FTPX)
        2 LTs in series per SG                            0.0155 + 0.0155
        1 FTPX relay in series                            0.009
        MFW valves                                        0.007
        Total                                             0.047                                        1.0                     0
2     2-out-of-2, extra FTPX (total of 4 LTs and 2 FTPX, annual testing)
        2 LTs in series per SG                            0.0155 + 0.0155
        1 FTPX relay per SG                               0.009
        MFW valves                                        0.007
        Total                                             0.047                                        1.0                     0
3     1-out-of-1 (total of 2 LTs and 1 FTPX)
        1 LT per SG                                       0.0155
        1 FTPX                                            0.009
        MFW valves                                        0.007
        Total                                             0.0315                                       6.70E-01                0.33
4     1-out-of-2, 1 FTPX (total of 4 LTs and 1 FTPX)
        2 LTs in parallel per SG                          0.0155**2
        1 FTPX                                            0.009
        MFW valves                                        0.007
        Total                                             1.62E-02                                     3.46E-01                0.654
5     2-out-of-3, 1 FTPX (total of 6 LTs and 1 FTPX)
        3 LTs in parallel per SG                          3(0.0155)**2 + 0.0155**3
        1 FTPX relay                                      0.009
        MFW valves                                        0.007
        Total                                             1.67E-02                                     3.55E-01                0.645
6     1-out-of-2, 2 FTPX (total of 4 LTs and 4 FTPX)
        2 LTs in parallel per SG, 1 FTPX relay per LT     (0.0155 + 0.009)**2
        MFW valves                                        0.007
        Total                                             7.60E-03                                     1.62E-01                0.838
7     2-out-of-3, 3 FTPX (total of 6 LTs and 6 FTPX)
        3 LTs in parallel per SG, 1 FTPX relay per LT     3(0.0155 + 0.009)**2 + (0.0155 + 0.009)**3
        MFW valves                                        0.007
        Total                                             8.82E-03                                     1.88E-01                0.812
8     2-out-of-4, 1 FTPX (total of 8 LTs and 1 FTPX)
        4 LTs in parallel per SG                          4(0.0155)**3 + (0.0155)**4
        1 FTPX relay                                      0.009
        MFW valves                                        0.007
        Total                                             1.60E-02                                     3.40E-01                0.66
9     2-out-of-4, 4 FTPX (total of 8 LTs and 8 FTPX)
        4 LTs in parallel per SG, 1 FTPX relay per LT     4(0.0155 + 0.009)**3 + (0.0155 + 0.009)**4
        MFW valves                                        0.007
        Total                                             7.06E-03                                     1.50E-01                0.850
10    No MFW trip                                         1/0.047 = 21 (i.e., without other modifications, removal of the high trip would increase risk by a factor of 21 over the current base case)


Note that, as in the PNL examination of alternate high-level trip configurations for the GE and Westinghouse plants, the 1-out-of-1 configuration appears to be theoretically preferable to the 2-out-of-2 configuration. This is because the latter is subject to 2 single transmitter failures that could defeat the function versus 1 for the 1-out-of-1 configuration. More realistic evaluations must, however, consider the potential for spurious trip signals as well. Using the mean of 0.17 feedwater increases per year in 1 loop reported to date for B&W plants as a likely measure of level failures (NP-2230, ATWS: Frequency of Anticipated Transients, January 1982), one transmitter could result in 0.17/yr(30 yrs) = 5 spurious trips over a plant lifetime. Requiring 2 independent failures would reduce this to (0.17)(0.17)(30), or approximately 1 spurious trip. The true cost penalty for the simpler trip logics can then be significant over the lifetime of the plant. This will be considered further below.

Costs

The cost estimated earlier of $12,000 for one additional FTPX relay will be used here to estimate costs for additional relays or modules.

The cost of adding a level transmitter and associated relays to an existing 2-inch instrument line was estimated in the PNL examination of Westinghouse PWRs and GE BWRs at approximately $150,000, with costs approaching $1,000,000 if additional penetrations would be required. The $150,000 per transmitter figure will be used here.

This totals $33,580. No license amendments are thought to be required for such a modification. This will be used here.

The cost of removing LTs for less complicated systems is estimated at $12,000 per LT. For Case 3 below, with a 1-out-of-1 trip on each generator, the cost would then be put at $24,000.

For Case 4 no hardware is added, and only the trip logic is modified to a 1-out-of-2 instead of a 2-out-of-2. The cost here is estimated as similar to adding a relay, or $12,000.

These figures were then multiplied by the number of transmitters or relays added to give the desired modification in Table 4.1, with the resulting risk reduction, cost, and value/impact given in Table 4.2. The configurations given are per generator, i.e., a 2-out-of-2 level transmitter configuration implies that each generator has 2 transmitters, for a total of 4.

The cost of a spurious trip is put at 24 hours of downtime, at $300,000 per day for replacement power costs (NUREG/CR-2800). The simpler configurations will be more subject to such trips; however, the others may also suffer from several such trips over the lifetime of the plant. As a result the value/impact ratios are presented below with 2 spurious trips considered for the 1-out-of-1 and 1-out-of-2 configurations, as well as without consideration of trips for comparison.


TABLE 4.2. Risk Reduction Associated with Alternate Configurations

Configuration                                  Risk Reduction,   Man-Rem,   Cost,    Value/Impact,
                                               Man-Rem per py    30 yrs     $1000    Man-Rem/$1000
1. 2-out-of-2, 1 FTPX                          0                 0          0        0
2. 2-out-of-2, 2 FTPX                          0                 0          12       0
3. 1-out-of-1, 1 FTPX                          7.56E+00          2.27E+02   24       9.46
     with two spurious trips in 30 years                                    624      0.36
4. 1-out-of-2, 1 FTPX                          1.50E+01          4.49E+02   12       37.42
     with two spurious trips in 30 years                                    612      0.73
5. 2-out-of-3, 1 FTPX                          1.48E+01          4.43E+02   67.16    6.60
6. 1-out-of-2, 2 FTPX                          1.92E+01          5.76E+02   36.0     16.0
     with two spurious trips in 30 years                                    636.0    0.91
7. 2-out-of-3, 1 FTPX per LT                   1.86E+01          5.58E+02   127.16   4.39
8. 2-out-of-4, 1 FTPX                          1.51E+01          4.53E+02   134.32   3.37
9. 2-out-of-4, 1 FTPX per LT                   1.95E+01          5.84E+02   218.32   2.67

* Implementing equipment modifications as per Cases 3 through 9 after monthly testing would reduce the associated value/impact by approximately a factor of 10.
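Tables 4.1 and 4.2 reproduced in Python as an added worked example; this is not code from the PNL report, and it also serves the circuit description at the start of Section 4.1 by generalising the table's polynomials to any k-out-of-n channel logic. Two points are this example's own inference rather than statements in the text: the relay counts charged per case, read back from the Table 4.2 cost column (for example 36 = 3 x $12,000 for Case 6), and the 22.9 man-rem/py base that the risk-reduction column is consistent with (7.56/0.33), which is half the 45.8 man-rem/py the surrounding text uses. The exact binomial expression is carried beside the report's polynomials to show that they differ only in the higher-order terms.

```python
"""Reproduction of Tables 4.1 and 4.2: failure on demand of the alternate high-level
MFW trip configurations and the resulting value/impact.  Added example, not code from
the PNL report.  Component values are the ORNL figures quoted in the text.  The cost
model and the 22.9 man-rem/py base are inferred from the table columns (see comments)."""
from math import comb

LT = 0.0155          # one level transmitter plus its modules, failure on demand
FTPX = 0.009         # one FTPX trip relay
MFW_VALVES = 0.007   # intercept + trip solenoid valves; unaffected by logic changes
BASE_FOD = 0.047     # Case 1 total

# Cost model in $1000 (Section 4.1 "Costs"); relay counts per row are inferred from
# the Table 4.2 cost column (e.g. Case 6: 36 = 3 extra FTPX x 12).
LT_ADDED, LT_REMOVED, FTPX_ADDED, LOGIC_CHANGE = 33.58, 12.0, 12.0, 12.0
SPURIOUS_TRIP = 300.0          # one day of replacement power, NUREG/CR-2800
RISK_BASE = 22.9               # man-rem/py: Table 4.2's per-py column equals (1 - ratio) x 22.9
                               # (e.g. 7.56/0.33), half the 45.8 man-rem/py used in the text
PLANT_LIFE_YEARS = 30

# (case, label, channels n, channels needed k, FTPX per LT, LTs added, LTs removed,
#  FTPX added, logic change only, subject to two spurious trips)
CASES = [
    (1, "2-out-of-2, 1 FTPX", 2, 2, False, 0, 0, 0, False, False),
    (2, "2-out-of-2, 2 FTPX", 2, 2, False, 0, 0, 1, False, False),
    (3, "1-out-of-1, 1 FTPX", 1, 1, False, 0, 2, 0, False, True),
    (4, "1-out-of-2, 1 FTPX", 2, 1, False, 0, 0, 0, True, True),
    (5, "2-out-of-3, 1 FTPX", 3, 2, False, 2, 0, 0, False, False),
    (6, "1-out-of-2, 1 FTPX per LT", 2, 1, True, 0, 0, 3, False, True),
    (7, "2-out-of-3, 1 FTPX per LT", 3, 2, True, 2, 0, 5, False, False),
    (8, "2-out-of-4, 1 FTPX", 4, 2, False, 4, 0, 0, False, False),
    (9, "2-out-of-4, 1 FTPX per LT", 4, 2, True, 4, 0, 7, False, False),
]


def report_fod(n, k, ftpx_per_lt):
    """Failure on demand for one SG using the polynomials listed in Table 4.1.
    A k-out-of-n trip is lost when m = n - k + 1 channels fail: series channels
    (m == 1) add, a fully parallel set (m == n) multiplies, and the in-between cases
    use C(n, m) q^m + q^n as the report writes them."""
    q = LT + FTPX if ftpx_per_lt else LT   # a relay per LT puts it in the channel
    m = n - k + 1
    if m == 1:
        channels = n * q
    elif m == n:
        channels = q ** n
    else:
        channels = comb(n, m) * q ** m + q ** n
    shared_relay = 0.0 if ftpx_per_lt else FTPX
    return channels + shared_relay + MFW_VALVES


def exact_fod(n, k, ftpx_per_lt):
    """Same configuration with the exact binomial P(at least m of n channels fail);
    differs from the report's polynomial only in the higher-order terms."""
    q = LT + FTPX if ftpx_per_lt else LT
    m = n - k + 1
    channels = sum(comb(n, j) * q ** j * (1 - q) ** (n - j) for j in range(m, n + 1))
    return channels + (0.0 if ftpx_per_lt else FTPX) + MFW_VALVES


def evaluate(case, spurious_trips=0):
    """One Table 4.2 row: risk reduction, 30-year man-rem, cost and value/impact."""
    num, label, n, k, per_lt, added, removed, ftpx, logic_only, _ = case
    fod = report_fod(n, k, per_lt)
    ratio = fod / BASE_FOD
    man_rem_py = (1.0 - ratio) * RISK_BASE
    man_rem_life = man_rem_py * PLANT_LIFE_YEARS
    cost = (added * LT_ADDED + removed * LT_REMOVED + ftpx * FTPX_ADDED
            + (LOGIC_CHANGE if logic_only else 0.0) + spurious_trips * SPURIOUS_TRIP)
    return {"case": num, "label": label, "fod": fod, "ratio": ratio,
            "man_rem_py": man_rem_py, "man_rem_life": man_rem_life,
            "cost_k": cost, "value_impact": man_rem_life / cost if cost else 0.0}


def table_4_2():
    rows = []
    for case in CASES:
        rows.append(evaluate(case))
        if case[-1]:   # 1-out-of-n logics: repeat with two spurious trips over plant life
            rows.append(evaluate(case, spurious_trips=2))
    return rows


if __name__ == "__main__":
    for r in table_4_2():
        print(f"{r['case']}. {r['label']:<28} FOD {r['fod']:.2E} ratio {r['ratio']:.3f} "
              f"{r['man_rem_py']:6.2f} man-rem/py  cost ${r['cost_k']:7.2f}k  "
              f"V/I {r['value_impact']:6.2f}")
```

For Case 7 the exact binomial gives 8.77E-03 against the report's 8.82E-03; every other case agrees to the three figures shown in Table 4.1, which is why the report's simpler polynomials are adequate for the comparison it draws.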

Note that hardware changes appear possibly favorable when considered alone. However, implementation after the simple monthly testing is applied would significantly reduce the estimated value of such hardware changes.


It must be noted that monthly instead of annual testing gives a similar risk reduction and value/impact ratio. This alone was postulated to act on 85 percent of the variables contributing to the trip failure (0.040/demand out of 0.047/demand, with 0.007, or 15 percent, due to MFW valve failure), resulting in a 76.6 percent reduction in the sequence risk of 4.58E+01 man-rem/py. When the 15 percent contribution from the MFW valves is removed, the further modifications would be acting on only (100 - 76.6 - 15) = 8.5 percent of the risk, giving 3.89 man-rem/py or 1.17E+02 man-rem in 30 years. This essentially reduces the estimated value/impact ratio for hardware changes by a factor of 10. The NRC must then weigh these additional judgmental factors in deciding if the current system is inadequate, and to what level improvements will be required.

Limitations and Real-World Considerations

Further real-world limitations bring into question the implementation of hardware changes first. It must be pointed out that any comparison between different level control and high-level trips is highly conditional on a number of factors, including basic hardware and reliability, as well as operator response to system failures. This can include plant-specific differences in, and compensations for, a number of factors, including:

- type of level control (three element, one element)

- power supplies

- back-up or alternate level displays

- instrument line plumbing configuration

- controlling level display

- controlling level record

- annunciators and alarms

- operator training and procedures.

- maintenance, general age and state of equipment.

Systems which rely more heavily on the operator for detection and correction of failures may also have more emphasis on level display, operator training and procedures. Many of the variables impacting performance of the high-level trip in the B&W plant are not fully defined in the time and resources available for this analysis, however. As a result, the results above must be taken as only a preliminary review of the potential impact of other feedwater control configurations on the A-47 issue.

Finally, note that the Peach Bottom FSAR (page 7.2-20) notes that in a GE BWR, a 1-out-of-2 configuration is theoretically more reliable than a 1-out-of-2-twice, which in turn is theoretically more reliable than a 2-out-of-3 configuration. This agrees with the basic finding presented in Table 4.1 above for possible failure combinations which can lead to an undetected high-trip failure in the Oconee plant. Considerations based on available failure data may change this conclusion slightly in practice. However, the FSAR goes on to say that the differences are slight, and in a practical sense are negligible. It indicates that the primary reason to go with the more sophisticated configuration is that it allows for testing during operation.

The indications are then that real-world considerations could easily overshadow theoretical calculations. As pointed out in the PNL BWR report, this could include hydraulic shocks which occur at different rates in separate instrument lines, making some failure combinations of sensors more likely, or common-mode failures of instruments due to faulty maintenance. The data currently available on component failure rates are not specific enough as to failure cause (i.e., shocks, faulty maintenance, etc.) and failure mode (i.e., inoperable low scale, drift low, etc.) to draw any firm conclusions or to rigorously support specific recommendations based on theoretical calculations.

Note then that when coupled with the above considerations, plus the role of the operator and possible negative impacts on operational reliability and the unique dynamic control features of the B&W design, it becomes apparent that the implementation of monthly testing should be considered first, with modifications to equipment held to those necessary to allow full on-line testing of all relays and components in the trip circuit. These recommendations should be presented as preliminary, with the recognition that they should be subjected to detailed evaluation.


4.2 MODIFICATIONS TO REDUCE ICS HAND POWER DRYOUT SCENARIO

Discussions with ORNL and their SAI contractor indicate that several modifications are possible to avoid the dryout scenario caused by the hand power circuit failure and MFW runback to the minimum setpoint. These include the following and are discussed below:

- trip MFW pumps on loss of hand power
- reset minimum runback setpoint for MFW pumps
- modify MFW controls to reset to 50 percent position on 0 voltage signal
- allow initiation of EFW via low level signal
- reduce operator error.

MFW Trip on Loss of ICS Hand Power

The most basic modification is to simply trip the MFW pumps on failure of the ICS hand power circuit. The EFW function would then automatically be initiated, terminating the dryout scenario.

Reset Minimum Runback Setpoint for the MFW Pumps

The feedwater pump rpm at its minimum setpoint is insufficient to deliver water into the steam generator given closure of the turbine stop and bypass valves. The minimum setpoint could simply be increased to provide greater output flow. The high-level trip functions are still in place, preventing overfill to the point of spillover.

Modify the MFW Controls to Reset to the 50 Percent Position on 0 Voltage Signal

The system as it is currently designed gives a zero voltage signal to the pump speed control unit on loss of the hand power supply. This equates to the minimum setpoint, resulting in the runback. However, many of the control circuits are designed to operate on a +10 to -10 voltage range, with 0 volts providing the middle, or 50 percent, range reading.

ORNL indicates that Oconee may be unique in its 0 voltage/minimum runback configuration. As such, other B&W plants would already use this modification.

Note that this would most likely result in transforming the dryout scenario into an overfill, but again the high trips are still functioning, thus preventing progression to spillover. On trip of the MFW pumps, the EFW system would again come into operation.

Allow Initiation of the EFW System Via Low SG Level Indication

The EFW system is prevented from initiating in this scenario by continued operation of the MFW system, even though this is resulting in steam generator dryout. The level signals indicating a low steam generator water level are present, and would be used to control EFW given its operation. However, the level transmitter signals are not used as an actuation signal for the EFW system.

Reduce Operator Error

The failure of the ICS hand power circuit is annunciated as such in the control room. Procedures also exist for the proper control of feedwater flow. As a result, reductions via this approach would be of lesser effectiveness than those above.

Potential Risk Reduction

Any of the modifications above could be postulated to reduce the frequency of the accident progressing to dryout and core-melt by an order of magnitude. The reduction in core-melt frequency is then estimated at 90 percent, or (0.90)(9.0E-06/py) = 8.10E-06/py. The reduction in risk is also estimated at (0.90)(2.44E+01 man-rem/py) = 2.20E+01 man-rem/py, or 6.59E+02 man-rem over 30 years.

The examination of this system by ORNL indicates that two 1E "startup range" level signals per SG currently are used for EFW valve control and could be used to provide an initiation signal. This modification would include the addition of SG level bi-stables and modification of the existing EFW start logic within existing 1E cabinets (assuming space is available within the cabinets).

Costs and Value/Impact

The cost of any one or a combination of modifications could thus approach $659,000 per plant (considered to be extremely unlikely) and still give a value/impact ratio of 1 man-rem/$1000. Because of the relatively simple nature of the fixes, the value/impact ratio will simply be assumed here to be greater than 1 man-rem/$1000.

4.3 MODIFICATIONS TO REDUCE ICS AUTO POWER OVERFILL SCENARIO

Discussions with ORNL and their SAI contractor indicate that several modifications are possible to avoid the overfill scenario caused by the ICS auto power circuit failure. These include the following and are discussed below:

- insure annunciation of the auto power circuit failure in the control room

- provide emergency procedures to the operator for auto power failure

- allow initiation of EFW via low level signal.

Note that the plant was originally thought to continue operation in an unstable equilibrium, eventually leading to some off-normal condition and plant trip. The most recent simulations indicate that a feedwater induced trip is likely. In any event, the high-level feedwater trips are still in place. The dominant risk from this scenario was then found to be the potential for the accident progressing to a dryout scenario, where the operator fails to reestablish feedwater or HPI flow.

PNL did carry the scenario one step further by assuming failure of the high trip and spillover, but this risk was found to be an order of magnitude lower than that due to the dryout scenario. Fixes discussed in Section 4.2 to prevent the high trip failure would reduce this even further. Thus, fixes for this dryout scenario should address the need to reduce operator error in reestablishing flow, or in providing an automatic initiation of flow. The first two proposed fixes address the former.

4.11


Annunciation of Power Failure and Emergency Procedures

In the ORNL examination of Oconee for auto power failure, no annunciators or alarms were found associated with the HI circuit which serves the majority of the feedwater controls. As a result, the assumption was made that no such indications are currently present. Discussions with Oconee operating personnel indicated that their response to an auto power failure would be to attempt stabilization of the plant through manual feedwater control, indicating that operator awareness of feedwater conditions would be high. However, no specific emergency procedures were found, and again reduced credit was taken for alert operator action in the risk calculation, which assumed an error probability of 0.03 for establishing feedwater in 30 minutes.

Assuming that annunciation of the failure and emergency procedures did exist, the operator error would be re-estimated at 0.01, the value used for failure to initiate HPI. The reduction in core-melt would then be 1.8E-06/py, and the reduction in risk would be (2/3)(7.73E+00 man-rem/py) = 5.15E+00 man-rem/py or 1.55E+02 man-rem over 30 years.

As a rough estimate of cost, providing annunciation of the power failure is estimated to require the following:

- one man-month of engineering support

- two man-months of craft services for installation

- $10,000 in miscellaneous equipment.

This comes to $3.72E+04. In addition, the emergency procedures are estimated to require 4 man-months for formal development and implementation. This comes to $3.63E+04, for a total of $7.36E+04. The value/impact ratio is then estimated at 2.04 man-rem/$1000. Costs could thus increase by a factor of 2 to $155,000 and still give a figure on the order of 1 man-rem/$1000.

Allow Initiation of the EFW System Via Low SG Level Indication

As with the previous sequence, the automatic actuation of the EFW system would prevent the progression of the scenario to SG dryout. Allowing actuation on low SG level would be the logical modification. Again ORNL studies indicate that 1E "startup range" level signals for EFW valve control are already in place.

The costs associated with this fix will not be estimated directly, but again risk reduction could likely approach 90 percent of 7.73 man-rem/py, or 2.09E+02 man-rem over 30 years. This is in addition to the 659 man-rem risk reduction for the ICS hand power dryout scenario. This equates to $209,000 for this scenario alone to stay above the 1 man-rem/$1000 figure of merit. If the benefit of risk reduction from EFW automatic initiation in the previous dryout scenario for ICS hand power failure is included, this figure could go to $659,000 + $209,000 = $868,000, or approximately $1,000,000 and still approach the 1 man-rem/$1000 figure of merit. ORNL estimates costs at approximately $100,000 giving a value/impact ratio of 8.68E+02 man-rem/$100,000 = 8.7.

4.12

4.4 SUMMARY OF VALUE/IMPACT

The proposed modifications to the B&W plant and the associated reduction in risk, estimated cost and value/impact are summarized in Table 4.3 below.

Note that this is not meant to present an all-inclusive list of the failure modes and possible fixes resulting from the ORNL examination of control system failures in the Oconee B&W plant. The ORNL study is quite extensive, with a number of failure mechanisms having been identified that may, in fact, contribute to the potential safety concerns associated with A-47. However, the scenarios examined here are thought to represent those failures of greatest safety concern, and the fixes summarized below are to address those scenarios directly.

The implementation of monthly testing, with an additional FTPX relay added to allow on-line testing of the entire circuit, certainly appears cost-effective. More reliable high-level configurations such as a 2-out-of-4 also appear cost-effective when considered above. Implementation of such hardware changes after going to monthly testing would reduce the value/impact ratios by approximately a factor of 10, making such changes slightly less viable for the B&W Oconee plant, but still giving value/impact ratios only slightly below 1 man-rem/$1000. Modifications to prevent ICS power failures appear to be very cost-effective.

TABLE 4.3. Summary of the Value/Impact Analysis for the Oconee B&W Plant

Proposed Fix                                  Scenario Affected          Estimated    Estimated Risk   V/I Ratio
                                                                         Cost, $      Reduction        (man-rem/$1000)
                                                                                      (man-rem)

Monthly Testing                               Overfill & undetected      2.93E+05     4.53E+02         5.2
                                              high trip failure

Monthly Testing Plus Parallel FTPX Relay      Same as above              2.0E+05      1.05E+03         5.3

Modified Trip Logic (cost in $1000):
  1. 1-out-of-1, 1 FTPX, with two                                        624          4.53E+02         0.73
     spurious trips in 30 years
  2. 1-out-of-2, 1 FTPX, with two                                        612          8.99E+02         1.47
     spurious trips in 30 years
  3. 2-out-of-3, 1 FTPX                                                  300          8.86E+02         3.0
  4. 1-out-of-2, 2 FTPX, with two                                        636.0        1.15E+03         1.8
     spurious trips in 30 years
  5. 2-out-of-3, 1 FTPX per LT                                           360          1.13E+03         3.1
  6. 2-out-of-4, 1 FTPX                                                  600          9.07E+02         1.5
  7. 2-out-of-4, 1 FTPX per LT                                           684          1.17E+03         1.7

MFW Trip on Loss of ICS Hand Power            ICS Power Failure          6.59E+05     6.59E+02         1.0
Higher Minimum MFW Setpoint                   with SG dryout
MFW Default to 50% output on 0 voltage
  (i.e., cost of any or all of the above can be less than $659,000 and still give a value/impact ratio equal to or greater than 1 man-rem/$1000.)

Annunciation of Auto Power Failure            Auto Power Failure         7.36E+04     1.55E+02         2.04
and Emergency Procedures

EFW Initiation on Low SG Level                ICS Power Failures         1.0E+05      8.68E+02         8.68
  (i.e., cost of implementing the EFW initiation function can be less than $868,000 or approximately $1,000,000 per plant and still give a value/impact ratio on the order of 1 man-rem/$1000.)

4.14


5.0 CONCLUSIONS FOR THE B&W OCONEE PWR

The results of the consideration of core-melt potential for control system failures in the Oconee B&W PWR are summarized in the following table. The failure scenarios examined were those identified by ORNL as being of principal importance. The subjective judgment of which sequences to analyze was made from an extensive review of control system failures and possible interactions identified by ORNL. This examination is thus not meant to represent an exhaustive study of all failure modes and the associated risk in the Oconee plant, but does represent a risk study of those failures thought to present the most serious safety concern to the A-47 program at this time.

TABLE 5.1. Summary of ORNL and PNL Estimates of Accident Initiator Frequencies, Core-Melt Frequencies, and Public Risk for the B&W Oconee PWR

Sequence                          RCS Subsystem            Accident Initiating    PNL Core-Melt       PNL Public Risk
                                                           Frequency(a)           Frequency           Estimate
                                                           Best Estimate (/py)    Best Estimate (/py) Best Estimate
                                                                                                      (man-rem/py)

Overfill & High Trip Failure                               0.006
                                  T2 Transient Shutdown                           6.88E-08            1.86E-01
                                  FGLB                                            6.27E-08            1.71E-01
                                  SGTR                                            9.45E-06            4.54E+01
                                  Sequence total                                  9.58E-06            4.58E+01

ICS Hand Power Failure            SG Dryout                0.009                  9.00E-06            2.44E+01
  with SG Dryout

ICS Auto Power Failure                                     0.009
                                  SG Dryout                                       2.70E-06            7.31E+00
                                  T2 Transient Shutdown                           0                   0
                                  FGLB                                            1.16E-09            3.14E-03
                                  SGTR                                            8.77E-08            4.71E-01
                                  Sequence total                                  2.79E-06            7.73E+00

TOTAL                                                                             2.14E-05            7.79E+01

(a) ORNL estimates of initiating frequencies, including operator error.

5.1


The three scenarios examined involved several failures of control systems that might progress to more severe failures, primarily centering on the feedwater systems. The potential for overfill of the steam generators progressing to spillover into the steam lines was identified by ORNL, along with scenarios with a potential for feedwater failures combining with operator failure to reestablish flow, thus progressing to core-melt.

Typical regulatory requirements for plant recovery take no credit for possible operator actions in the first 10 minutes of an accident. However, as the A-47 issue deals with control systems routinely under operator control, the interaction of the operator with failure diagnosis and recovery is appropriate here. Several of the recommendations for reducing the potential for control system failures leading to more serious actions then center on factors which aid in operator awareness, diagnosis, and correct response. As a result, several recommendations for A-47 might well be integrated with operator training and transient response programs.

Steam Generator Overfill

The steam generator overfill scenario examined deals with the potential in the Oconee plant for undetected failures in the high SG level MFW trip function. The risk associated with this was examined for progression to several scenarios: a transient shutdown with the power conversion system unavailable due to degrading conditions in the secondary side, overfill progressing to spillover and main steam line break (MSLB), and MSLB progressing to SGTR.

The resulting estimate of risk is given in Table 5.1. As can be seen, the contribution from progressing to SGTR is dominant for the above scenario. The assumption was made that the steam lines had a 50 percent probability of failure given spillover of water into the steam lines after reactor trip, and a 50 percent probability that the break would occur outside of the reactor building where water released from the break would not be available for collection in building sumps for recirculation. The ability to isolate the affected steam generator can play an important role in recovery from a SGTR, but the Oconee plant has no motor-operated MSIVs. A category 2 type release was then assumed for public risk, involving as it does an early core-melt with failure of the containment sprays, which is consistent with exhaustion of recirculation inventories.

The potential for MSLB given spillover, and the likely break location, thus play an important role in the potential for progressing to core-melt given SGTR. Break location, however, is not as important in Oconee due to the lack of MSIVs as compared to the H.B. Robinson plant examined earlier for the A-47 program.

The Oconee plant, however, is apparently not representative of all B&W plants.

The design modifications proposed to reduce the frequency of this scenario focus on the potential for undetected failures in the high-level MFW trip circuit. This failure probability was assumed to be fairly high by ORNL due to an annual inspection frequency. Reducing this to a monthly basis was assumed to reduce the failure potential proportionally. This testing would be possible for most components (i.e., comparative signal readings from transmitters, etc.); however, the trip relays themselves are in series. The ORNL suggestion to add an additional FTPX relay to make the trip relay circuits associated with each generator parallel in configuration was then examined. This makes it possible to test the generator trip circuits alternately during operation.

5.2

The man-rem reduction associated with the monthly testing of this new trip circuit was estimated at 1050 man-rem over 30 years. The costs associated with the modification and testing were estimated at approximately $200,000, giving a value/impact ratio of 5.3 man-rem/$1000.

Note that no modifications to a 2-out-of-3 or 2-out-of-4 trip logic were postulated by ORNL. Given the different control function of the level transmitters and high trip in the B&W design, the analysis of such modifications is highly uncertain at this time. A simple reliability comparison indicates that a 2-out-of-3 or 2-out-of-4 logic could give similar value/impact ratios as compared to the increased testing discussed above. Implementation of monthly testing first would, however, reduce the affected risk for any subsequent hardware changes, and hence reduce the latter's value/impact ratio. Less uncertainty is also associated at this time with the reliability of monthly testing versus gains through equipment modifications. As a result, the monthly testing is thought to represent the better choice at this time.

Loss of ICS Hand Power

The loss of the ICS hand power circuit was found to present the potential for steam generator dryout if the operator failed to reestablish feedwater flow in 30 minutes or HPI flow in 60 minutes following loss of this power supply.

Several modifications were developed which could potentially reduce the frequency of automatically progressing to dryout. These included MFW trip on loss of hand power which would initiate EFW flow, a higher minimum runback setpoint on the MFW to prevent the zero MFW flow in this case, and rewiring the loss-of-voltage signal to the MFW pump controller to represent a 50 percent setting as is apparently used in other B&W plants.

The potential risk reduction was estimated at 659 man-rem over 30 years.

No costs for the above modifications were estimated. It was pointed out, however, that the above modifications were thought to easily be under this amount, giving value/impact ratios in excess of 1 man-rem/$1000.

Loss of Auto Power

The loss of auto power was initially thought to leave the plant in an unstable equilibrium, allowing the operator time to manually control the reactor before the development of an instability and subsequent trip. Oconee personnel indicated that this is how they would respond to such a failure. However, ORNL studies of the failure indicated that no annunciators are associated directly with the HI circuit which serves the majority of feedwater components. No emergency procedures were found either. As a result, an event tree assuming eventual reactor trip without prior operator awareness of the failure was assumed. The operator would then be required to reestablish feedwater flow as with the above scenario.

5.3


The potential benefit of annunciated power failure and proper emergency procedures in lowering operator error were estimated to provide a 155 man-rem risk reduction over 30 years. The costs for implementing such modifications were estimated to be minimal, giving a value/impact ratio of 2 man-rem/$1000.

Initiation of EFW on Low Level

The final modification examined was the automatic initiation of EFW on low-level signals from the steam generator level transmitters. This modification would effectively eliminate the two scenarios above that require operator action to reestablish feedwater before dryout of the generator occurs.

The modification does not appear to degrade or in any way jeopardize the current operating mode of the EFW, providing as it does only an additional initiation signal. However, this modification is not allowed by current NRC practices, involving as it does a cross-tie between a safety and non-safety grade system. Implementation would thus likely require a full safety upgrade of the level transmitting equipment if this philosophy were maintained.

Note that ORNL did not make an estimate of the upper bound for the initiating frequency of the scenarios identified. As a result, PNL has simply carried through an estimate of core-melt and public risk based on 'best engineering estimates'.

This analysis compares to the overall core-melt frequency for the Oconee plant (NUREG/CR-1659) of 8.20E-05/py with a public risk of 297 man-rem. The consideration of the overfill scenario leading to spillover and the dryout scenarios thus represents a significant fraction (26 percent) of this risk.

5.4

REFERENCES

Andrews, W. B., et al. 1983. Guidelines for Nuclear Power Plant Safety Issue Prioritization. NUREG/CR-2800, Battelle, Pacific Northwest Laboratory, Richland, Washington.

Austin, P. N., et al. DRAFT. 1984. An Assessment of the Safety Implications of Control at the Oconee-1 Nuclear Plant - Volume 1 Executive Summary. Oak Ridge National Laboratory, Oak Ridge, Tennessee.

Bruske, S. J., et al. DRAFT. NUREG/CR-4326, July 1985. Effects of Control System Failure on Transients and Accidents at a 3-Loop Westinghouse Pressurized Water Reactor. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Bruske, S. J., et al. DRAFT. 1984b. Effects of Control System Failures on Transients and Accidents at a General Electric Boiling Water Reactor Main Report. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

EPRI. 1982. ATWS: Part 3. Frequency of Anticipated Transients. NP-2230, Electric Power Research Institute, Palo Alto, California.

INPO. 1982. Review of NRC Report: Precursors to Potential Severe Core Damage Accidents 1969-1979 - A Status Report, NUREG/CR-2497. INPO 82-025, Institute of Nuclear Power Operations, Atlanta, Georgia.

Kolb, et al. 1981. Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant. NUREG/CR-1659/2, SAND80-1897/2, Sandia National Laboratories, Albuquerque, New Mexico.

Lewis, S. R., et al. 1984. Oconee PRA: A Probabilistic Risk Assessment of Oconee Unit 1. NSAC/60-54, Electric Power Research Institute, Palo Alto, California.

Minarick, J. W. and C. A. Kukielka. 1982. Precursors to Potential Severe Core Damage Accidents: 1969-1979. NUREG/CR-2497, Science Applications, Inc., Oak Ridge National Laboratory, Oak Ridge, Tennessee.

Stevens, D. L., et al. 1983. VISA - A Computer Code for Predicting the Probability of Reactor Pressure Vessel Failure. NUREG/CR-3384 (PNL-4774), Pacific Northwest Laboratory, Richland, Washington.

U.S. Nuclear Regulatory Commission. 1975. An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants. WASH-1400 (NUREG-75/014), U.S. Nuclear Regulatory Commission, Washington, D.C.

U.S. Nuclear Regulatory Commission. Draft 1983. NRC Integrated Program for the Resolution of Unresolved Safety Issues A-3, A-4 and A-5 Regarding Steam Generator Tube Integrity. NUREG-0844, U.S. Nuclear Regulatory Commission, Washington, D.C.

R.1

Figure B13-1. Oconee Emergency Feedwater System

B13-23

TABLE S.2. Summary of the Value/Impact Analysis for the Oconee B&W Plant

Proposed Fix                                  Scenario Affected          Estimated        Estimated Risk   V/I Ratio
                                                                         Cost, $          Reduction        (man-rem/$1000)
                                                                                          (man-rem)

Monthly Testing                               Overfill & undetected      (illegible)E+04  4.53E+02         5.2
                                              high trip failure

Monthly Testing Plus Parallel FTPX Relay      Same as above              (illegible)E+05  1.05E+03         5.3

Modified Trip Logic (cost in $1000)*:
  1. 1-out-of-1, 1 FTPX, with two                                        624              4.53E+02         0.73
     spurious trips in 30 years
  2. 1-out-of-2, 1 FTPX, with two                                        612              8.99E+02         1.47
     spurious trips in 30 years
  3. 2-out-of-3, 1 FTPX                                                  300.16           8.86E+02         3.0
  4. 1-out-of-2, 2 FTPX, with two                                        636.0            1.15E+03         1.8
     spurious trips in 30 years
  5. 2-out-of-3, 1 FTPX per LT                                           360.16           1.12E+03         3.1
  6. 2-out-of-4, 1 FTPX                                                  600              9.07E+02         1.5
  7. 2-out-of-4, 1 FTPX per LT                                           684              1.17E+03         1.7

* Value/impact ratios for modifications to trip logic would lower by approximately a factor of 10 if implemented after full modification for monthly testing.

vii

However, a simpler approach based on reducing the period between testing may provide as much or more benefit using the same basic circuit logic.

Discussions with the ORNL subcontractor (Arthur McBride, SAI) indicate that the annual inspection and calibration period assumed is the major contributor to the undetected failed state. The estimate was made that the probability of failure on demand could likely be reduced in direct proportion to the inspection period.

As a result, monthly inspections or inspections on each shutdown could reduce the assumed failure probability by a factor of 10 across the board for all these failures listed above.

It is uncertain if such testing can be accomplished during plant operation on all components listed above, particularly the pump valves and trip solenoids themselves. However, level transmitter outputs can be checked in comparison to other outputs, and signal module outputs can be tested on generator A, then generator B. After consultation with ORNL, this is thought to reduce all factors above by a factor of 2 except a, b, and c, giving an estimated reduction in the high trip failure of (0.5)(0.047 - 0.016)/(0.047) = 0.33. This would reduce the core-melt frequency proportionally, giving a reduction of (0.33)(9.58E-06/py) = 3.16E-06/py. The public risk would also be reduced by (0.33)(4.58E+01 man-rem/py) = 1.51E+01 man-rem/py or 4.53E+02 man-rem/plant over 30 years.

The development of new testing procedures is estimated to require on the order of 2 people for 2 months, or 16 man-weeks at $2270/man-week using the costs suggested in NUREG/CR-3568. This gives a development cost of $36,320.

The current effort required annually to inspect the circuits above is not known. As a conservative estimate, it will be assumed here that this requires one man-day per inspection, or currently (1/5)($2270/py) = $450/py. Increasing the inspection rate to once a month would then raise this to $5.5E+03. Assuming a 10 percent discount rate over 30 years, this represents a cost of (9.43)($5.5E+03) = $5.2E+04. The total cost is then $5.2E+04 + $36,320 = $8.8E+04 per plant.

The value/impact ratio is then estimated at 4.53E+02 man-rem/$8.8E+04 = 5.2 man-rem/$1000.

Addition of Parallel FTPX Relay With Monthly Testing of Trip Function

The circuit as it is now installed again has the two trip relays associated with steam generator A (SG A) level transmitters and the two from SG B feeding a signal to one FTPX relay. Simply adding an additional FTPX relay to the circuit such that the trip signals from SG A and SG B have their own associated FTPX relay does not change the logic arrangement or theoretical failure probability compared to the original configuration. However, with two FTPX relays, the circuit can be wired to allow for testing of trip relays while still providing overfill protection for each generator. It will be assumed here that an additional FTPX relay is wired to allow for such testing, with modifications to all components except the valves themselves to allow on-line.

4.3

TABLE 4.1. (Continued)

Case  Configuration                             Failure on Demand                              Ratio to     1 - Ratio
                                                                                               Base Case

3     1-out-of-1, 1 FTPX                        1 LT per SG                      0.0155
      (total of 2 LTs and 1 FTPX)               1 FTPX                           0.009
                                                MFW valves                       0.007
                                                                                 0.0315        6.70E-01     0.33

4     1-out-of-2, 1 FTPX                        2 LTs in parallel per SG         (0.0155)**2
      (total 4 LTs and 1 FTPX)                  1 FTPX                           0.009
                                                MFW valves                       0.007
                                                                                 1.62E-02      3.46E-01     0.654

5     2-out-of-3, 1 FTPX                        3 LTs in parallel per SG         3(0.0155)**2 + (0.0155)**3
      (total 6 LTs and 1 FTPX)                  1 FTPX relay                     0.009
                                                MFW valves                       0.007
                                                                                 1.67E-02      3.55E-01     0.645

6     1-out-of-2, 2 FTPX                        2 LTs in parallel per SG,        (0.0155 + 0.009)**2
      (total 4 LTs and 2 FTPX)                  with 1 FTPX relay per LT
                                                MFW valves                       0.007
                                                                                 7.60E-03      1.62E-01     0.838

7     2-out-of-3, 1 FTPX per LT                 3 LTs in parallel per SG,        3(0.0155 + 0.009)**2 + (0.0155 + 0.009)**3
      (total 6 LTs, 1 FTPX per LT)              with 1 FTPX relay per LT
                                                MFW valves                       0.007
                                                                                 8.82E-03      1.88E-01     0.812

8     2-out-of-4, 1 FTPX                        4 LTs in parallel per SG         4(0.0155)**3 + (0.0155)**4
      (total 8 LTs and 1 FTPX)                  1 FTPX relay                     0.009
                                                MFW valves                       0.007
                                                                                 1.60E-02      3.40E-01     0.66

9     2-out-of-4, 1 FTPX per LT                 4 LTs in parallel per SG,        4(0.0155 + 0.009)**3 + (0.0155 + 0.009)**4
      (total 8 LTs, 1 FTPX per LT)              with 1 FTPX relay per LT
                                                MFW valves                       0.007
                                                                                 7.06E-03      1.50E-01     0.850

10    No MFW Trip                                                                              1/0.047 = 21
      (i.e., without other modifications, removal of the high trip would increase risk by a factor of 21 over the current base case).
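The m-out-of-n arithmetic behind Table 4.1, as an added example (not code from the PNL report): it evaluates each listed configuration from the report's per-component probabilities, shows the report's own approximation (dropping the (1-p) survival factors) beside the exact binomial form, and reproduces the 0.047 base case from the current 2-out-of-2, 1 FTPX arrangement. Function and constant names are mine.

```python
"""Failure-on-demand of m-out-of-n high-level trip logic (Table 4.1 cases).

Added example (not code from the PNL report).  Per-component failure
probabilities on demand are the report's: level transmitter (LT) 0.0155,
FTPX relay 0.009, MFW valves 0.007; the current base case is 0.047/demand.
"""
from math import comb

P_LT = 0.0155
P_FTPX = 0.009
P_MFW_VALVES = 0.007
BASE_CASE_FAILURE = 0.047   # current 2-out-of-2, 1 FTPX configuration


def voting_failure(n, m, p, exact=False):
    """Probability that an m-out-of-n trip fails, given channel failure p.

    A trip needs m of n channels, so it fails when n-m+1 or more channels
    have failed.  The report drops the (1-p) survival factors (e.g. writing
    3p^2 + p^3 for 2-out-of-3), a slight upper bound; exact=True keeps them.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    total = 0.0
    for j in range(n - m + 1, n + 1):
        term = comb(n, j) * p ** j
        if exact:
            term *= (1 - p) ** (n - j)
        total += term
    return total


def trip_failure_on_demand(n, m, ftpx_per_lt, exact=False):
    """Whole-trip failure on demand for one steam generator.

    With one FTPX relay shared by all channels its failure adds directly to
    the voted result; with one FTPX per LT the relay failure joins the channel
    probability and is voted along with the transmitter.  MFW valve failure
    adds in both arrangements.
    """
    if ftpx_per_lt:
        return voting_failure(n, m, P_LT + P_FTPX, exact) + P_MFW_VALVES
    return voting_failure(n, m, P_LT, exact) + P_FTPX + P_MFW_VALVES


def ratio_to_base(failure):
    """Return (ratio to base case, fractional risk reduction 1 - ratio)."""
    r = failure / BASE_CASE_FAILURE
    return r, 1.0 - r


# Cases 3 to 9 of Table 4.1: (case, label, n, m, one FTPX per LT?)
TABLE_4_1_CASES = [
    (3, "1-out-of-1, 1 FTPX", 1, 1, False),
    (4, "1-out-of-2, 1 FTPX", 2, 1, False),
    (5, "2-out-of-3, 1 FTPX", 3, 2, False),
    (6, "1-out-of-2, 2 FTPX", 2, 1, True),
    (7, "2-out-of-3, 1 FTPX per LT", 3, 2, True),
    (8, "2-out-of-4, 1 FTPX", 4, 2, False),
    (9, "2-out-of-4, 1 FTPX per LT", 4, 2, True),
]


def table_4_1(exact=False):
    """Return {case: (failure_on_demand, ratio_to_base, reduction)}."""
    rows = {}
    for case, _label, n, m, per_lt in TABLE_4_1_CASES:
        f = trip_failure_on_demand(n, m, per_lt, exact)
        ratio, reduction = ratio_to_base(f)
        rows[case] = (f, ratio, reduction)
    return rows


if __name__ == "__main__":
    base = trip_failure_on_demand(2, 2, False)   # current arrangement
    print(f"base case 2-out-of-2, 1 FTPX: {base:.3f}/demand")
    for (case, label, *_), (f, ratio, red) in zip(TABLE_4_1_CASES, table_4_1().values()):
        print(f"{case:2d}  {label:26s}  {f:.2E}  {ratio:.2E}  {red:.3f}")
    # removing the trip altogether: 1/0.047 = 21 times the base-case risk
    print(f"No MFW trip: risk factor {1 / BASE_CASE_FAILURE:.0f}")
```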

4.6


TABLE 4.2. Risk Reduction Associated with Alternate Configurations

Configuration                                  Risk Reduction             Cost       Value/Impact
                                               Man-rem     Man-rem        $1000      Man-rem/$1000
                                               per py      30 yrs

1. 2-out-of-2, 1 FTPX                          (values illegible in source)

2. 2-out-of-2, 2 FTPX                          (values illegible in source)

3. 1-out-of-1, 1 FTPX, with two spurious       7.56E+00    2.27E+02       624        0.36
   trips in 30 years

4. 1-out-of-2, 1 FTPX, with two spurious       1.50E+01    4.49E+02       612        0.73
   trips in 30 years

5. 2-out-of-3, 1 FTPX                          1.48E+01    4.43E+02       67.16      (illegible)

6. 1-out-of-2, 2 FTPX, with two spurious       1.92E+01    5.76E+02       636.0      0.91
   trips in 30 years

7. 2-out-of-3, 1 FTPX per LT                   1.86E+01    5.58E+02       127.16     4.39

8. 2-out-of-4, 1 FTPX                          1.51E+01    4.53E+02       134.32     3.37

9. 2-out-of-4, 1 FTPX per LT                   1.95E+01    5.84E+02       218.32     2.67

* Implementing equipment modifications as per cases 3 through 9 after monthly testing would reduce associated value/impact by approximately a factor of 10.

Note that hardware changes appear possibly favorable when considered alone. However, implementation after the simple monthly testing is applied would significantly reduce the estimated value of such hardware changes.

It must be noted that monthly instead of annual testing gives a similar risk reduction and value/impact ratio. This alone was postulated to act on 85 percent of the variables contributing to the trip failure (0.04/demand out of 0.047/demand, with 0.007 or 15 percent due to MFW valve failure), resulting in a 76.6 percent reduction in the sequence risk of 4.58E+01 man-rem/py. When the 15 percent contribution from the MFW valves is removed, the further modifications would be acting on only (100 - 76.6 - 15) = 8.5 percent of the risk, giving 3.89 man-rem/py or 1.17E+02 man-rem in 30 years. This essentially reduces the estimated value/impact ratio for hardware changes by a factor of 10. The NRC must then weigh these additional judgmental factors in deciding if the current system is inadequate, and to what level improvements will be required.

Limitations and Real-World Considerations

Further real-world limitations bring into question the implementation of hardware changes first. It must be pointed out that any comparison between

4.8
