ML20138L188
| ML20138L188 | |
| Person / Time | |
|---|---|
| Site: | Yankee Rowe |
| Issue date: | 09/30/1984 |
| From: | Stephen Schultz, Slifer B YANKEE ATOMIC ELECTRIC CO. |
| To: | |
| Shared Package | |
| ML20138L159 | List: |
| References | |
| NUDOCS 8510310215 | |
| Download: ML20138L188 (164) | |
Text
{{#Wiki_filter:. - . - - _. N
-s T
S
, A TORNADO COST-BENEFIT ANALYSIS FOR PROPOSED BACKFITS AT YANKEE NUCLEAR POWER STATION September 1984 Principal Contributors J. L. Staub W. F. Lucas S. Lee G. A. Harper S. M. Follen S. P. Fournier J. R. Chapman Approved By: *. OcM e 2 ,1914 Steph4n#p. Schultz ( MandgEr (Date)
Nuclear Evaluation and Sup' port Group Approved By:
- 1 h /0 Bruce C. Slifer Direct g (Date)
Nuclear Engineering Department i Yankee Atomic Electric Company Nuclear Services Division 1671 Worcester Road j Framingham, Massachusetts 01701 l g0310215851024 p ADOCK 05000029 PDR l
DISCLAIMER OF RESPONSIBILITY This document was prepared by Yankee Atomic Electric Company and is ccmpletely true and accurate to the best of our knowledge, information, and belief. It is authorized for use specifically by Yankee Atomic Electric Company and the appropriate subdivisions within the Nuclear Regulatory Commission only. With regard to any unauthorized use whatsoever, Yankee Atomic Electric Company, and its officers, directors, agents, and employees assume no liability nor make any warranty or representation with respect to the contents-1 cf this document or to its accuracy or completeness.
! ABSTRACT A cost-benefit analysis was performed for the Yankee Nuclear Power f i Station to esvaluate potential plant modifications aimed at reducing the risk du3 to tornado and wind loadings. The major modification examined involved hardening of the Safe Shutdown System to a design windspeed with an annual i frequency of 10 , upper 95% confidence level. Since the results of the i rick assessment performed for this analysis indicated structural failure of I the Cable Tray House to be a significant risk contributor, selective hardening j cf the cable Tray House was also examined. Plant site windspeeds with annual frequencies of 10 and 10- , upp:r 95% confidence level, were determined to be 110 mph and 165 mph, j re p:ctively. Ultimate wind capacities were generated for all key structures l and components. The risk assessment considers both hazard-induced and random failures and was performed in consonance with the PRA Procedures Guide (NUREG/CR-2300). Justifiable costs for each backfit option were based on NRC Provisional S foty Goals, including the resource allocation basis of $1,000 per person-rom i j cvarted. Since the Yankee Nuclear Power Station, in its present / l cenfiguration, meets individual and societal risk goals, plant modifications cro justified only if the actual costs of the modifications are less than the calculated justifiable costs. Results indicate that Safe Shutdown System design modifications
- sp
- cifically aimed at reducing the risk due to tornado and wind loadings are n:t justified. Upgrading the system to a design windspeed of 165 mph would l cost $296,000; the ratio of actusi to justifiable costs is approximately 30.
Without this upgrade the Safe Shutdown System design exceeds a 110 mph design [ I t:indepeed and the core melt frequency due to wind and tornado hasard is cin:ervatively estimated to be 4.8 x 10 /-3year, upper 95% confidence level.
-5 With this upgrade, the corresponding core melt frequency is 4.1 x 10 which l
represents a 15% reduction. 1 h j -ill-1 3
l l 1
. l ABSTRACT (Continued) ]
Selective hardening of the Cable Tray House to a 110 mph design windspeed should be considered to assure availability of existing redundant instrumentation. With a modification cost of $108,000, the ratio of actual to justifiable costs is approximately 2. Since probabilistic methods do not yield an exact result, it is difficult to judge and defend with confidence that this modification is not justified. With this plant modification the core melt frequency due to the hazard is conservatively estimated to be
~
1.1 x 10 '/ year, upper 95% confidence level, which represents a 75% ccduction. The ultimate capacity of the plant, itself, would increase to thout 160 mph. The ultimate capacity of the Safe Shutdown System without modification is about 175 mph.
-iv-
l
)
TABLE OF CONTENTS Eagg DISCLAIMER OF RESPONSIBILITY..................................... 11 ABSTRACT......................................................... 111 TABLE OF CONTENTS................................................ v LIST OF TABLES................................................... vili LIST OF FIGURES.................................................. ix
1.0 INTRODUCTION
AND
SUMMARY
......................................... 1 2.0 APPR0ACH......................................................... 5 2.1 Assessment of Plant Risk (Parts 1-3)....................... 5 2.1.1 Hazard Analysis.................................... 5 2.1.2 Plant System and Structure Response Analysis. . . . . . . 5
, 2.1.3 Fragility Analysis................................. 6-2.1.4 Plant Systems and Event Sequence Analysis.......... 7 2.1.5 Release Frequency Analysis......................... 7 2.1.6 Consequence Analysis............................... 8 2.1.7 Risk Profile....................................... 9 2.1.8 Changes in Plant Risk Profile...................... 9 2.2 Comparison of Plant Risk to Safety Coals (Part 4).......... 9 2.3 Cost-Benefit Analysis (Part 5)............................. 10 3.0 PLANT MODEL DEVELOPMENT.......................................... 13 3.1 Initiating Event Definition..............................t. 13 3.2 Critical Safety Functions / Mitigative Systems............... 16 3.2.1 Reactivity Control................................. 17 3.2.2 Main Coolant System Inventory Control.............. 22 3.2.3 Main Coolant System Pressure Control............... 23 3.2.4 Core Heat Removal.................................. 24 3.2.5 Main Coolant System Heat Removal................... 24 25 3.3 Event Sequence Analysis....................................
3.3.1 Loss of Off-Site Power............................. 25 3.3.2 Excessive cooldown................................. 25 3.3.3 Loss of Main Coolant System Inventory.............. 25 26 3.4 Identification of Critical Areas........................... Systems / Auxiliaries Vs. Critical Areas............. 26 3.4.1 3.4.2 Location and Description of Critical Areas......... 30
-v-
? l l TABLE OF CONTENTS i , (Continued) l Page 3.5 Containment Assessment..................................... 35 1 3.5.1 Background......................................... 35 ! 3.5.2 Approach........................................... 35 4.0 HAZARD INFORMATION............................................... 47 4.1 Wind and Tornado Hazard Probabilities...................... 47 5.0 FRAGILITY ANALYSIS............................................... 51 5.1 Failure Criteria........................................... 51 5.2 Structure / Component Windspeed Capacity. . . . . . . . . . . . . . . . . . . . . 52 6.0 QU ANT I FI CAT ION O F P LANT M0 D E L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 6.1 General Discussion of Core Melt Frequency Analysis......... 57 6.2 Initiating Event Frequency................................. 58 6.2.1 Loss of Off-Site Power............................. 58 6.2.1.1 YNPS Data................................ 59 6.2.1.2 Industry Data............................ 59 6.2.1.2.1 Data......................... 59 6.2.1.2.2 Discussion of Data........... 61 6.2.1.3 Switchyard and Transmission Line Capacity................................. 62 6.2.1.4 Combined Data............................ 65 6.2.1.4.1 To rn ad o s . . . . . . . . . . . . . . . . . . . . . 65 6.2.1.4.2 High Winds................... 66 6.2.1.5 Results.................................. 68 6.2.2 Excessive Coo 1down................................. 68 6.2.3 Loss-of-Coolant Accidents.......................... 70 6.2.3.1 Piping / Component Physical Failures....... 71 6.2.3.2 Isolation Failures....................... 71 6.2.3.3 Relief Valve Failures.................... 73 6.3 Top Event Development...................................... 75 l l 1
-vi-
j TABLE OF CONTENTS (Continued) { i En&* 6.4 Failure Data Development................................... 88 6.4.1 Fault Tree Basic Events............................ 89 6.4.2 Top Events......................................... 96 6.5 Location Failure Data...................................... 99 6.6 Core Melt Quantification....................... ........... 107 6.6.1 Mission Time....................................... 107 6.6.2 Event Tree Quantification.......................... 108 6.6.3 Overall Results.................................... 125 6.7 Release Frequency.......................................... 129 7.0 CONSEQUENCE ASSESSMENT........................................... 135 7.7.1 YNPS PSS Release Category Discussion............... 135 7.7.2 Use of the YNPS PSS Release Category Information... 139 7.7.3 Results............................................ 139 8.0 RISK ASSESSMENT.................................................. 145 9.0 COST-BENEFIT ASSESSMENT.......................................... 150 9.1 Cos ts f o r S t ruc tural Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
10.0 REFERENCES
....................................................... 152 APPENDII A - Acronym Table....................................... A-1
-vil-
LIST OF' TABLES Number Title Pggt 3-1 Master Logic Diagram Initiating Event Categories 37 3-2 Initiating Events 39 3-3 Critical Areas Vs. Systems 40 4-1 Tornado Hazard Probabilities 48 4-2 Straight Wind Hazard Probabilities 49 5-1 Structures / Components for Fragility Evaluation 55 5-2 Wind capacities of Structures / Components 56 6-1 Data to Assess Relief Valve Challenge Induced LOCA 131 6-2 Logic Expression Basic Events 132 7-1 Associated Release Category Parameters Required for 142 Consequence Calculations 7-2 Release Fractions - 5% Bound, 50% Confidence Level, 143 and 95% Bound 7-3 Expected Conditional Individual, Societal, and Person-Rem 144 Risk Level Values 8-1 Individual Acute Fatality Risk Development 146 8-2 Societal Latent Cancer Fatality Risk Development 147 8-3 Person-Rom Exposure Development 148 8-4 Risk Levels 149 8-5 Safety Goal Comparison 149 9-l' Cost-Benefit Analysis Results 151
-v111-
LIST OF FIGURES Number Title Pggg 2-1 Risk Assessment Procedure for External Events 12 3-1 Master Logic Diagram - All Events - Excessive 41 Release 3-2 Master Logic Diagram - Excessive Release Due to 42 In-Plant Events 3-3 Generalized Critical Safety Function Based Event Tree 43 3-4 Loss of Off-Site Power Event Tree 44 3-5 Relief Valve Challenges Event Tree 45 3-6 LOCA Event Tree 46 4-1 Hazard Curves 50 I 6-1 Feedwater Diagram 134 l 1 l 1
-1x-4
1.0 INTRODUCTION
AND SUI 9tARY NUREG-0825. Integrated Plant Safety Assessment, SEP, YNPS (Reference 13) Topic III-2, Wind and Tornado Loadings, describes Yankee Atomic Electric Company's (YAEC) approach to resolution of this topic. In general, that document describes three approaches which the NRC Staff would find ceceptable for resolution of this topic. Under the more general topic II-2.A.
~ " Severe Weather Phenomena". YAIC proposed to use the median value 10 ' wind speed as the design-basis tornado consistent with the YNPS probabilistic s fety study risk levels. The NRC Staff found this approach to be generally i cceeptable and in accordance with option three of their proposed resolution cith the following specific recommendations:
4
- 1. Determine the capability of the structures, systems and components necessary to ensure the ability to reach hot shutdown to withstand
~
the NRC's determined 10" and 10 upper 95% confidence level wind speed,
- 2. Determine the plant modifications necessary to protect against both wind speeds,
- 3. Estimate the cost of any necessary modifications for each value of wind speed, and
- 4. perform a cost / benefit analysis to support a determination of which modifications should be made.
In order to address the above, a cost-benefit analysis of potential plant modifications aimed at reducing the risk due to tornado and wind loadings was performed. The analysis consists of the following:
- 1. Assessment of the plant risk for the " Base Case".
- 2. Assessment of the plant risk as a function of each potential upgrade.
- 3. Assessment of the reduction in plant risk as a function of each upgrade, i
I ______ __ _ __ _ __
- 4. Comparison of the " absolute" risk levels (individual and societal) to provisional safety goals (Reference 1) for the " Base Case" and each upgrade.
- 5. Comparison of the justifiable expenditures to reduce the residual risk to the actual costs required for each upgrade.
In the scoping of this analysis, the analysis team determined that the 3:fe shutdown system (sss) which had been cossaitted to as an alternative to the seismic Upgrades for the say, could provide redundancy to present plant cystems and should be included in the " Base case" plant analysis. Therefore, the " Base Case" risk assessment assumes that the ass has been installed including necessary structural changes to support this upgrade. The ptA procedures Guide (NUREC/CR-2300, Reference 2) provides a discussion *of approaches available to assess the risk due to wind and tornado tradings. The approach taken in this study to assess plant risk is in consonance with these approaches. Since both hasard-induced failures and non-hasard-induced random faLLuces were modeled, a realistic assessment of the impact of additional plant modifications could be made. Ultimate structural capacities of the " Base Case" structures and components were determined (presented in section 5.0). This analysis found that the ultimate wind loading capacity of the safe shutdown system and r31sted structures, as designed for seismic concerns, exceeds the capacity of
~
the system if designed for the 10 95% wind (110 mph). Additionally, the system capacity exceeds that of the median 10 tornado wind (also 110 mph), resolving a staff concern from say Topic III-2 (Reference 13). Ultimate wind Itading sepacity of the seismic design safe shutdown system is actually limited by the Upper Levet primary Auxiliary Building (ULpAS) which houses the ass discharge headers the upper level PAR is predicted to fall at about 165 mph. For the " Base Case", the limiting plant area was found to be the Cable Tray House. The capacity of this area is about 70 mph for either winds or tornados. Failure of this area limits Control Room instrumentation. Local readings from penetrations would remain available. Overall, the "sase case" 2
c re melt frequency is dominated by a combination of a 70 mph wind-induced fcilure of the cable Tray House and random failure of the SSS. This oliminates instrumentation excepting local readings. < Since hasard-induced and random failures of other systems were smaller contributors, design modifications to the Cable Tray House were investigated. A proposed modification would design the Cable Tray House to a wind and
~
tcrnado loading capacity of 110 mph ( a 10 95% confidence wind or 10-median tornado). Ultimate capacity of this modified area would exceed 185 mph. The plant capacity is then limited by the Steam-Driven Auxiliary Boiler F edwater pump Room capacity (about 160 mph ultimate). With this modification, random failures do not dominate the core melt frequency. Modifications to the Safe Shutdown System were also considered. If the scismic design criteria for the Safe Shutdown System is upgraded by designing fcr the 165 mph windspeed, the SSS would ultimately withstand windspeeds exceeding 200 mph. The potential gain achievable by implementation of this modification was conservatively maximized in this evaluation by assuming a SSS ctpacity consistent with the predicted containment capacity of 250 mph. Core melt frequency for the modified plant, like the base case, is dominated by h::ard induced failure of the Cable Tray House in combination with randon SSS f 11ure. Section 9 provides details of the cost-benefit analysis and results. The Table below summarizes those results. Note that " plant Capacity" does not credit the SSS; the SSS capacity is shown separately. plant SSS DSN SSS Ultimate Hazard Ratio of Capacity Capacity Capacity Confidence Justif. Actual Actual to Description (meh) (meh) (meh) % Cost ($) Cost ($) Justif. Base case 70 - 175 - - - - Cable Tray 160 - 175 50 3.9K 100K 28 House Upgrade 95 52.5K 108K 2 888 Upgrade 70 165 250 50 0.3K 296K 987 95 9.9K 296K 30 As demonstrated by these results, there are no significant backfits justified from a cost-benefit perspective over and above the previously agreed I upon seismic upgrades. The reduction in person-rem as a result of hardening
~
the Cable Spreading Room for the 10 windspeed (110 mph) is 5.3 person-rem from the baseline case with a justifiable cost of $52,500 and a modification ecst of $108,000. For upgrading the baseline to incorporate the SSS at the 10" windspeed (165 mph), the reduction in person-rem is only 1.0 person-rem from the baseline case with a justifiable cost of $9,900 and a modification erst of $296,000. Based on these'results, hardening of the Cable Spreading R:om is the most cost-effective modification and is, therefore, more justified than upgrading the SSS to the 10 windspeed. Furthermore, the hardening of the Cable Spreading Room results in an ultimate plant capacity of approximately 160 mph without crediting the SSS. The everall results of this evaluation support the findings of the Y:nkee Probabilistic Safety Study and further confirm that the plant poses an cxtremely small risk for those events evaluated. It is important to note that the plant residual risk is extremely low. The residual risk is low for the following reasons:
- 1. The frequency of core melt is low for the base case. A value of
~
4.8 x 10 ' per year is evaluated for the 95% confidence level
~
hasard curve; 1.3 x 10 per year for the 50% confidence level hazard curve.
- 2. Containment integrity is assured for winds / tornados up to about 250 nyh.
Since the containment is mainteined isolated regarding direct release paths, the potential for early releases is low. Additionally, containment cooling is passive. Active cooling systems are not required to preclude overpressure failure.
- 3. The plant core inventory is low relative to more recent designs (600 Wt versus 3000 Wt).
4_ J
1 2.0 APPROACH As discussed in Section 1.0, the analysis consists of five parts. The technical approach used and the information required to perform each of these five parts are discussed below. 2.1 Assessment of Plant Risk (Parts 1-3) The PRA Procedures Guide (NUREG/CR-2300) provides a discussion of cyproaches available to assess the risk due to wind and tornado loadings. Figure 2-1, which is a reprint of Figure 10-1 from NUREG/CR-2300, illustrates the basic elements of this assessment. A discussion of each of these basic f elements is provided below. , 2.1.1 Hazard Analysis The hazard analysis, involving an evaluation of exceedance frequency versus hazard intensity, is the driving function for the remainder of the cnalysis. Section 4.0 presents the hazard analysis performed in support of this study. The hazard analysis was not performed in a complete probability of cxceedance frequency and intensity manner because it was' judged that the cvailable work represented a sufficiently broad tange of values for this assessment. Section 4.0 develops this basis in more detail. t Because a detailed " probability of frequency" relationship for the h::ard was not deemed necessary the remainder of the analysis was based on two h::ard curves, the 50% and 95% confidence level curves. Plant risk was c:sessed using each of these curves separately. The results, therefore, provide a reasonable quantification of the uncertainty in plant risk due to uncertainty in the hazard curves. 2.1.2 Plant System and Structure Response Analysis As discussed in NUREG/CR-2300, "the purpose of this analysis is to translate the hazard input" into the responses on plant structures, piping
cystems, and equipment. The methods used to perform this analysis and the ccnsequent results are provided in Sections 5.0 and 6.0. 2.1.3 Fraallity Analysis As discussed in NUREG/CR-2300, the " fragility or vulnerability of a component is defined as the conditional frequency of its failure given a value cf the response parameter". As portrayed in Figure 2-1, this conditional failure frequency is typically represented by a discrete f amily of curves which display both erndomness and uncertainty. In this study, it was decided to represent the fragility curves by step functions as shown below. 1.0 p - - - - - - I D 85 , 4a i
%e
- n. m l o.o I X
Hazard Intensity The " point estimate" values of I were developed conservatively such that they are expected to be less than the mean value that would be determined from a complete propagation of the randomness and uncertainty parameters implicitly present in this type of evaluation. Section 5.0 presents the development of fragility for this analysis.
2.1.4 Plant Systems and Event Sequence Analysis A plant model was developed to identify potential initiating events (o.g., loss of off-site power and small LOCA) and model the systems available to mitigate these events (Section 3). This model development was based on work performed in the YNPS Probabilistic Safety Study (Reference 3) and follows guidelines discussed in EUREG/CR-2300. First, potential plant initiating events were established by evaluating the response of plant structures and systems to the hazard. Second, initiating events impacting the plant response and mitigative systems in a cimilar manner were convolved into discrete categories. Third, mitigative system requirements wire established for each initiating event category based en ensuring satisfaction of " critical safety functions", such as those listed b31ow:
- 1. Reactivity Control
- 2. Main Coolant System (MCS) Inventory Control
- 3. MCS Pressure Control
- 4. Core Heat Removal
- 5. MCS Heat Removal e
- 6. Containment Integrity Event trees and fault trees were used to model plant response and were quantified as discussed below.
2.1.5 Release Frequency Analysis The 1) hazard, 2) plant system and structure response, 3) fragility, cnd 4) plant systems and event sequence analyses were combined to establish the likelihood of the following basic parameters:
- 1. Core melt, including timing and conditions.
- 2. Core melt plus containment failure, including timing and other parameters required to assess off-site consequences.
Core Melt Frequency The assessment of core melt frequency (Section 6.0) was based on quantification of the plant model (Section 3.0) using the hazard information from Section 4.0, fragility evaluations from Section 5.0, and non-hazard induced equipment failure frequencies developed in Sections 6.3 and 6.4. C*re Melt Characteristics The timing and conditions of the potential core melt were based on the plant mode 1 results and the MARCH analyses performed in the YNPS PSS (Reference 3). Release Frequency The YNPS PSS results indicated that potential releases could be characterized into six discrete release categories. For example, release times varying from i hour to 50 hours and release energy rates from 500 Btu /hr to 80 x 10 Btu /hr. From a review of the characteristics of these release categories, it w:s concluded that potential releases due to tornado and wind initiating cvents could be conservatively enveloped using one or more of these release categories. Section 7.0 explains the assignment of release categories to the cpectrum of potential events resulting from a tornado / wind initiating event and the consequences of this release. 2.1.6 Consequence Analysis The YNPS PSS included an assessment of potential effects for each of the release categories defined in that study. The analysis for the YNPS PSS was performed with the CRAC2 computer program and included plant-specific L
r:dionuclide evaluations using the ORIGIN computer program and site-specific weather, topography, and evacuation information. The major concern with direct use of this information involves the f impact of tornado and wind events on evacuation and weat'her conditions. Both ! cf these areas were, therefore, investigated. Section 7.0 discusses this investigation. I 2.1 ~. 7 Risk Profile The information developed by performing the analyses described in S:ctions 2.1.5 and 2.1.6 was combined to develop quantitative estimates of the following risk indices: -
, 1. Individual acute fatality risk within 1 mile of the plant,
- 2. Societal latent cancer fatality risk per person within 50 miles of the plant, and i
- 3. Person-rem exposure within 50 miles of the plant.
< The first two risk indices are those developed in Reference 1 by NRC. , The third risk index, person-rem exposure, is used in assessing the cost-benefit aspects of proposed plant design changes based on $1,000 per person-rem averted for the next 10 years. This is also based on guidance
- offered in Reference 1.
2.1.8 Channes in Plant Risk Profile i
- For each plant configuration, individual, societal, and person-rem risk levels were compared. This comparison provides a quanticative measure of the
. impact of each potential plant modification. Additionally, a comparison of the variation in the estimated core melt frequency was developed. 2.2 Comparison of Plant Risk to Safety Goals (Part 4) Numerous proposals have been made in recent years to set numerical goals or guidelines to judge the acceptability or desirability of the _g_
.. -- . . . _ . - _ - ~ _ - . - _. _ - _ _ -
b numerical risk levels calculated for nuclear power plants. Recently, the NRC h s published preliminary safety goals and numerical design objectives (Reference 1). These goals and objectives can be stated quantitatively as follows: Component Quantitative population of Risk Obiective Considered Individual Acute 5 x 10-7 per year Within 1 mile Fatality Risk Sscietal Cancer 2 x 10-6 per year Within 50 miles Fatality Risk per person C:st-Benefit $1000 per person-rem Within 50 miles averted i Lcese Scale 10-4 per year Core Melt R3ference 1 also makes the following two key points:
- 1. "No further benefit-cost analysis should be made when it is judged that all of the design objectives have been met."
1 2. "The design objective for large-scale core melt is subordinate to the principal design objectives limiting individual and societal risks." This information was used in assessing the cost-benefit relationship of bickfits proposed to reduce the risk due to tornado and wind events and is discussed next. 2.3 Cost-Benefit Analysis (Part 5) i i For the different plant configurations, all of which meet the individual and societal risk goals of Reference 1, an assessment of the justifiable costs to reduce these risk levels consistent with each upgrade considered was performed. As discussed in Section 2.1.8, this was based on
$1000 per person-rem averted per Reference 1 and taken over a 10-year period.
4
,,-#y,- p ,
y r _ , -., , . , - _ -- ,y e---__, .._y _ _ ,_ ,,_.____m.-_ _ _ _ _ _ _ _ . _ _ _ .
Next, these justifiable costs were compared to the actual cost required fcr the backfit. If the actual costs exceeded the justifiable costs, the b:ckfit is not warranted. An important aspect of this cost-benefit analysis is that it exceeds the explicit need for a cost benefit if "all of the design objectives have been met" as described in Reference 1. However, Yankee concluded that it was r:asonable to apply the $1000 per person-rem averted to each backfit option to cssess its cost-benefit characteristics.
/ O I .
E eaveposana jo AsuanbeJJ t e i . 3-2 .l s2 .5 =i t e c le}-cli h $0 E A 3 t tw h > T& $W EO " E ,f Alituap AllpQtQoJd t
<= n $ {
e 5 > 9 t ' C
. C
*= e
- g E, d 19 n ~ E E.1tE T -
a =s T u.j !lf !s n e ,s ,
- a n i =b i : , la s
go A3uanDead ji$ aJnpta 6o A3uanbeJ)* leuoitipuo3
- )i e
! il i
I E E}IIE
$5 5 5t %
it FIGURE 2-1 Risk Assessment Procedure for External Events
3.0 PLANT MODEL DEVELOPMENT As discussed in Section 2.1.4, a plant model was developed to represent 4 pstential initiating events and the systems available to mitigate these cvents. This model development was based on work performed in the YNPS Probabilistic Safety Study, but was specialized to account for the unique characteristics of this assessment. Each of the major steps involved in this development is discussed 1 below. Section 6 develops and quantifies the model's logic expressions. 3.1 Initiatina Event Definition Sections 3.0 and 5.0 of the YNPS PSS provide detailed discussions of the approach taken to identify and quantify " random" accident initiators. A brief review is provided below because this information serves as the bases fcr the initiating event types quantified in this tornado / wind analysis. o A Master Logic Diagram (MLD) was developed to serve as a road map for searching for accident initiators. In essence, the approach is based on a deductive evaluation of the plant design and operation and the potential perturbations of basic plant performance parameters that could impact continued plant operation. l The outcome of this deductive process is a listing of twenty-seven categories of possible initiating event types which could impact plant operation. Table 3-1 provides a listing of these categories. Figures 3-1 and 3-2 display the NLD development. 4 l o EPRI-NP-801 (Reference 4) was reviewed to determine if other initiating event categories existed that were not identified in the deductive development of the MLD. I o Personnel familiar with the plant design, operation, and transient performance characteristics reviewed the NLD categories and EPRI-NP-801 events. Any events not included in the MLD or I EPRI-NP-801 were added. i i :
- _ ~ - - - . . . , . - , - - - - . , . - , ,,.,_m ,y n.w_
i o Having completed the search for accident initiators, the impact on plant response of each initiator was evaluated to determine those initiators that had similar effects on the plant. From this review process, it was possible to convolve the possible initiators identified into nineteen specific initiating avent categories. These nineteen events are listed in Table 3-2. For the purposes of this analysis, the nineteen events can be further grouped into the following three basic categories:
- 1. Loss of Off-Site Power ,
- a. Plant trip
- b. Loss of ac
- c. Decrease in feedwater flow
- d. Decrease in steam flow
- 1) Loss of vacuum
- 2) NRV closure
- 3) Turbine trip
- e. Degradation of de power supply other than Bus No. 1
- f. Decrease in component cooling capability
- g. Decrease in service water delivery
- h. Decrease in control air delivery
- 2. Excessive cooldown
- a. Excessive cooldown l
l
- b. Steam line break
- c. Loss of de Bus No. 1
- 3. Loss of Main Coolant System Inventory
- a. Any LOCA
- b. Reactor vessel rupture
- c. Non-isolable LOCA outside containment The bases for this categorization are provided below.
Category 1 (Loss of Off-Site Power) The ten specific initiating event types included in this category can ba treated as a loss of ac event because of their impact on plant response. Far example, a loss of ac event envelopes plant trip, decrease in feedwater flow, decrease in steam flow, and decrease in either component cooling, s rvice water, or control air events. The degradation of de power supply cvent is taken into account because it is one of the support systems challenged in the logic model developed to represent those mitigative systems cvailable to respond to a loss of ac. Category 2 (Excessive Cooldown) The three specific initiating events, excessive cocidown (a steam or feedline rupture affecting a single steam generator), steam line break (a break in a main steam line affecting all four steam generators), and loss of de Bus No. 1 (impacts turbine trip and non-return valve closure), were treated together because they all result in an excessive plant cooldown. An excessive plant cooldown event could lead to pressurized thermal shock concerns if not adequately controlled and mitigated. The characteristics of each of these three events are sufficiently comparable relative to mitigative system performance that they could be treated canservatively by the same basic logic model. Category 3 (Loss of Main Coolant System Inventory) All loss of Main Coolant System inventory events can be treated as 1 cvent for 2 reasons.
- 1. Their likelihood is low, and
- 2. Mitigative system performance requirements can be defined to conservatively envelop a spectrum of break sizes.
3.2 Critical Safety Functions /Mitimative Systems The YNPS PSS provides detailed discussions of the event sequence d;velopment for the three categories of initiating events provided above. In tummary, they were based on a logical representation of those systems needed to ensure satisfaction of the following basic " critical safety functions":
- 1. Reactivity Control
- 2. MCS Inventory Control
- 3. MCS Pressure Control
- 4. Core Heat Removal
- 5. MCS Heat Removal
- 6. Containment Integrity Figure 3-3 provides a generalized critical safety function-based event tree.
Each of the six critical safety functions (CSFs) listed above was reviewed with respect to wind / tornado events (off-site power loss assumed). Mitigative systems were identified for further evaluation including location dependence. 3.2.1 Reactivity Control The reactivity control CSF consists of two major categories: " insertion of negative reactivity" and " control of positive reactivity codition".
- 1. Insertion of Negative Reactivity Negative reactivity is inserted by the control rods following actuation of the Reactor Trip System. This consists of three basic functions:
- a. Detection of Need to Trip The need to trip is detected from various parameters monitored by the scram system. The perturbation of any of these parameters results in a reactor scram signal powered from de Bus No. 1 being sent to the scram breakers (BK-1 and BK-2).
- b. Trip Trip initiation is also supplied from de Bus No. I to open BK-1 and/or BK-2. DC Bus No. 2 supplies tripping power to BK-1 and BK-2.
Failure of de Bus No. 2 results in rod insertion because the rod drive holding coils are energized by this bus. A failure of de Bus No. 1 results in tripping the scram breakers due to
" fall safe" actuation of the main coolant flow under current /over current trip system.
. .- . .- ~ _ - - . . - . ._ ..
- c. Rod Insertion Rod insertion is assured since the rods fall in by gravity.
The integrity of the rod drive system is not challenged for hazard intensities not affecting containment integrity Chemical injection is not considered since the objective is to maintain the plant in a hot standby condition.
- 2. Control of Positive Reactivity Addition To prevent the insertion of excessive positive reactivity following trip, Main Coolant System temperature tr.ust be controlled; therefore, control of steam removal and feedwater addition is required, as well as sufficient instrumentation.
a.- Control of Steam Removal control of steam removal involves two phases: I o Termination of normal steam removal through the turbine, and o " Post-trip" steam removal control.
- 1) Termination of Normal Steam Removal Through Turbine Closure of turbine throttle and control valves terminates steam flow to the turbine. Support systems include tripping by de Bus No. 1 and sensing by generator electrical relaying, reactor scram, or manual trip.
Mechanical overspeed trip is the frontline backup to this tripping mechanism for a loss of load event. Further i backup is provided by closure of the non-return valves (NRVs) in each of the four main steam lines. i
~ _ _ _ - - - _ . _ , - _ , _ . _ . _ _ _ . . _ . _ - . _ , - _ _ _ _ _ --_ _ __- __
- 2) " Post-Trip" Steam Removal Control ,
i Turbine bypass would be unavailable because of loss of circulating water and loss of control air resulting from the loss of ac. The atmospheric steam dump system and steam generator code safety valves are available. The atmospheric steam dump is sufficient to remove decay heat. These valves can be controlled remotely by the operator from the Control Room or locally by manual operation. Remote operation requires electrical power as follows: o Emergency 480 V ac Bus No. 1 (2 valves), and o Emergency 480 V ac Eus No. 3 (2 valves). The size of these valves is such that a rapid cooldown would not occur if a valve failed fully opened. Furthermore, they can be manually isolated using upstream isolation valves. Steam generator safety valves back up atmospheric steam dump. If atmospheric steam dump is not available, heat can be removed by allowing the Main Coolant System and consequently the steam generator fluid to heat up to the point of simmering the steam generator safety valves. If a valve should stick open, it can be closed (gagged) by the operator locally and challenged valves are of low capacity relative to the potential for an excessive cooldown.
- b. Control of Feedwater Addition Normal main feedwater would be unavailable due to the loss of off-site ac. There are five systems capable of supplying water to the secondary system. Fer each syster, the operator has the ability to manually control the flow rate either by trimming
i the number of running pumps or throttling the flow or recirculation from the pump. These systems and their vital auxiliaries are:
- 1) Electric Emergency Feedwater (EFW) a) 2400 V Bus No. 2 or 3 b) Tanks TK-39 or TK-1 c) DC Bus No. 3 or 1 d) Flow path o Main feedwater o Blowdown
- 2) Steam Emergency Feedwater a) Main steam b) Tanks TK-1 or TK-39 .
c) Flow path o Main feedwater o Blowdown via charging path or electric EFW path
- 3) Charging Pumps (three needed for success for short ters; one pump needed after 1 day) a) 480 V Bus 4-1 through MCC-4, Bus 2 (NCC = Motor Control Center)
I b) 480 V Bus 6-3 through MCC-2 c) 480 V Bus 5-2 through MCC-4, Bus 1 d) TK-39 or Safety Injection Tank (SIT) e) Flow path o Charging to main feedwater o Charging to blowdown
- 4) ECCS Pumps a) Emergency 480 V Bus 1, 2, or 3 b) Safety Injection Tank c) Respective pumping train for energized 480 V Bus d) Flow path o Blowdown header o Charging header to main feedwater
- 5) Safe Shutdown System (SSS) a) Separate diesel and pump b) Fire water storage tank c) Flow path to blowdown
- c. Instrumentation In order to control heat removal, the operator must have instrumentation to detect the cooling conditions of the Main Coolant System. The instruments are supplied from Vital Buses No. I and 2 which are supplied from the station de Bu'ses No.1 and 2 on the loss of ac. Other detection means include local' readings at the vapor container penetrations, local installed instruments, and Safe Shutdown System instruments.
3.2.2 Main Coolant System Inventory Control To control Main Coolant System (MCS) inventory, the operator must be cble to detect the level or the core cooling effectiveness (if level is below the pressurizer), isolate the MCS, maintain this isolation, and make up for losses from the system.
- 1. Isolation The Containment Isolation System protects the MCS from inventory loss. It is supplied from control air and the station 125 V de battery buses. Inside containment, the pressurizer safety and relief valves, as well as the MCS boundary, must be intact.
o Pressurizer Power-Operated Relief Valve (PORV) The pressurizer power-operated relief valve, if challenged, must reclose or the operator must take action to close the PORV block valve or treat the open PORV as a loss-of-coolant accident. o MCS Safety Valves The MCS safety valves are not expected to be challenged; however, if they were challenged and failed to reclose, a LOCA is assumed. o MCS Pressure Boundary Integrity The Main Coolant System boundary is not expected to be challenged by the spectrum of winds for which the containment is not challenged (i.e. , < 250 mph) .
- 2. Makeup Given containment isolation with the maximum allowable leak rate of 1 spm, makeup would not be required to keep the core covered with water for a period of days. Additionally, the Safe Shutdown System has the ability to charge to the Main Coolant System to make up for normal leakage.
- 3. Detection Level and temperature instrumentation power is supplied from Vital Buses No. I and 2 which, on a loss of ac, are supplied from de Buses No. 1 and 2, respectively. The SSS provides additional detection and monitoring instrumentation.
3.2.3 Main Coolant System Pressure Control This critical safety function is aimed at ensuring MCS integrity. It een be considered a subset of the CSF "MCS Inventory Control". The most important element of MCS pressure control is maintenance of MCS pressure below a threshold value at which the structural integrity of the MCS is threatened. Tao low an MCS pressure is not critical because even saturated conditions will r:sult in adequate core cooling as long as the core is covered and decay heat is being removed from the MCS. Core heat removal and MCS heat removal critical safety functions address this area. For post-trip (i.e., decay heat power level conditions), the pressurizer PORV and code safety valves provide this protection. In fact, sven these systems are not required if the MCS is being adequately cooled by feedwater addition and steam removal. Since failure to supply sufficient feedwater or remove steam is addressed by the MCS heat removal critical safety
l l function review, MCS pressure control is redundant and can be neglected with , the following exception. If an excessive cooldown of the MCS were to occur, it is possible that cperator actions would be required to control the MCS pressure to preclude pressurized thermal shock (PTS) failure of the vessel. The events that could 1 cad to this situation are characterized by steam or feedline ruptures plus nitigative system failures outside the current design bases of the plant. It 13 necessary, however, to address these events in this analysis because ccquences are not limited to those within design bases. To address events that could lead to a PTS concern, a separate initiating event category was established, excessive cooldown. PTS type sequences resulting from other cvents such as those addressed by the " Loss of Off-Site Power" initiating cvent category are not important because of 1) the capacity of the steam removal ar.d feedwater addition systems, and 2) control of these systems is specifically addressed in examining satisfaction of the MCS heat removal critical safety function. 3.2.4 Core Heat Removal To maintain the core cooled, the Main Coolant System must remain intact to the steam generators and not be blocked. Additionally, enough water must be present to cover the core. These conditions are verified by detection of Main Coolant System inventory control and core exit temperatures. 3.2.5 Main Coolant System Heat Removal Heat removal from the Main Coolant System is credited only by secondary heat removal in this analysis. No credit is taken for primary feed and bleed cooling mechanisms. Steam removal is provided by atmospheric steam dump or oteam generator code safety valves. Feedwater addition is provided as discussed under Reactivity Control (Section 3.2.1). l I 3.3 Event Sequence Analysis Having identified the critical safety functions and systems which provide those functions, event trees can be developed for each of the three initiating event categories. Event sequences are discussed briefly here and in detail in Section 6.0. 3.3.1 Loss of Off-Site power The loss of off-site power category is the primary initiating event category for this analysis since plant history indicates that for most major atorms in the vicinity of YNPS, the off-site power grid is affected. (Note, h: wever, that only one complete loss of off-site power event has occurred in 24 years, its duration was 30 minutes and it was not weather-induced.) Furthermore, because of the hazards effect on off-site power, a complete loss of off-site power is conservatively. assumed for all event sequences in this cnalysis. Figure 3-4 provides the loss of off-site power event tree. 3.3.2 Excessive Cooldown In reviewing the mitigative features required for this category, the game functions are required as for the loss of off-site power category with the addition of the non-return valves. As will be discussed in Section 6.0, this category is a negligible contributor to wind / tornado-induced core melt. 3.3.3 Loss of Main Coolant System Inventory This category can be considered to consist of three event types:
- 1. Main Coolant System (MCS) pressure boundary violation involving piping or component physical failure.
- 2. Failure to isolate MCS bleed paths, such as the letdown portion of the Chemical and Volume Control System, and
- 3. Failure'of MCS pressure relieving devices (i.e., PORV, safety valves).
As Section 6.0 discusses in detail, the first two LOCA event types cbove are negligible contributors to core melt for this analysis; the third is represented by the Relief Valve Challenges Event Tree (Figure 3-5). Figure 3-6 represents possible event sequences should a LOCA occur. Event sequence logic expressions are developed and quantified in S:ction 6.0. 3.4 Identification of Critical Areas Based on the systems required to maintain the critical safety functions identified above, the critical plant areas required for safe shutdown in a high wind event can be determined. The routing of each system or auxiliary was reviewed for locations. 3.4.1 Systems / Auxiliaries Vs. Critical Areas
- 1. DC Bus No. 1 Switchgear Room
- 2. DC Bus No. 2 Switchgear Room
- 3. Emergency 480 V AC
- 1. Diesel Generator Individual Diesel Cubicle
- 2. E480 V AC Bus Safety Injection Building (SI Building)
SI Building North Wall
- 3. Respective DC Buses 1 & 2 - Switchgear Room for Breaker Control SI Building North Wall 3 - SI Building
- 4. Emergency Motor EMCC Switchgear Room Control Center (EMCC) EMCC SI Building EMCC-3, 4, 5 and 6 - Remote Shutdown 1
Facility
- 5. Fuel Oil Storage Southeast Yard
- 4. 480 V AC
- 1. Associated Emergency See Above 480 V AC Bus
- 2. Cable from E480 V AC Bus SI Building. North Wall through Manhole No. 3 to Switchgear Room
- 3. 480 V AC Bus Switchgear Room
- 5. 2400 V AC Bus 2 or 3
- 1. E480 V AC Bus See Above
- 2. 480 V AC Bus See Above
- 3. Station Service Switchgear Room Transformer Nos. 5 and 6
- 4. Nos. 2 and 3 Station Station Service Transformer Yard Service Transformer Bus Pump Room
- 5. 2400 V AC Bus Switchgear Room
- 6. DC Bus No. 3A
- 1. DC Bus No. 3 SI Building
- 2. Cabling DC Bus No. 3 SI Building, North Wall through Manhole to i
3A Bus
- 3. DC Bus No. 3A Switchgear Room
- 7. TK-39, Primary Water Southeast Yard Storage Tank
- 8. TK-1, Domineralized Water Under VC, Storage Tank Outside Auxiliary Boiler Room (ABR)
- 9. Electric Emergency Lower Level Primary Auxiliary Feedwater Pump (Elect. Building (LL PAB)
Pump)
- 10. Steam EBFP Auxiliary Boiler Room North Wall
- 11. MCC-4 LL PAB
- 12. MCC-2 Turbine Building Pump Room
- 13. ECCS Pump SI Building
- 14. Vital Bus Switchgear Room
- 15. Atmospheric Steam Dump Non-Return Valve (NRV) Enclosure
- 16. SG Safety Valves NRV Enclosure
- 17. Steam IBF to Auxiliary Boiler Room Main Feed Path Pump Room Under VC
- 18. Elec. EBF to Main Feed LL PAB Under VC Pump Room
- 19. Elec. EBF to Blowdown LL PAB UL PAB Northwest Wall UL PAB North Wall Upper Pipe Chase
- 20. Charging Cross Connect to LL PAB Nain Feed Under VC Pump Room
- 21. Charging to Blowdown LL PAB Upper Level (UL) PAB North Wall Upper Pipe Chase
- 22. SI to Blowdown SI Building UL PAB Upper Pipe Chase l
- 23. Charging Pumps PAB Cubicle Area
- 24. Elec. EBF Supply Piping LL PAB
- 25. Steam EBF Supply Piping Auxiliary Boiler Room South Wall
- 26. Charging Supply Piping LL PAB
- 27. SI Tank Southwest Yard
- 28. SI Supply Piping LL PAB SI Building
- 29. Safe Shutdown System South Yard
- 30. Fire Water Storage Tank South Yard
- 31. Safe Shutdown System UL PAB North Wall Feed Conn. Upper Pipe Chase
- 32. Non-Return Valves Switchgear Room Turbine Building (TB) West Staircase NRV Enclosure
- 33. Vital Instrument Detectors Vapor container Cable Tray House Pump Room LL PAB
- 34. Turbine Throttle Valves Switchgear Room Turbine Building Mezzanine
- 35. Vital Bus Switchgear Room 3.4.2 Location and Description of critical Areas From the list above, a table of critical areas was developed identifying system dependencies by area (Table 3-3).
Description of areas:
- 1. Auxiliary Boiler Room South Wall The supply piping from TK-1 passes through the Auxiliary Boiler Room south wall. If this wall were to topple, the supply piping could be faulted from TK-1 or TK-39 to the steam-driven emergency boiler feed pump.
- 2. Switchgear Room The 480 V and 2400 V electrical supplies for charging and electric-driven emergency feedwater come from the Switchgear Room.
Additionally, the de power to operate the switchgear, detection, and NRV actuation comes from the Switchgear Room.
- 3. Diesel Generator Cubicle The diesel generators and their cc ling air and fuel oil are located in their respective cubicles.
- 4. Safety Injection Building The Safety Injection Building is critical for operation of the safety injection pumps and Battery No. 3. Isolated areas are critical for operation of electric-driven equipment such as electric-driven emergency feedwater and charging. The emergency 480 V ac bus is located in an area that is relatively well protected even if a structural cladding failure were to occur on the SI Building. The bus is protected on two sides by the inside wall of the diesel cubicle and the remote shutdown facility. On the remaining two sides it is protected by distance and the intervening SI pumps and piping.
- 5. SI Building North Wall The north wall is important to maintaining continuity of emergency 480 V ac electric power to the Switchgear Room and 125 V de to the diesel generators and emergency switchsecr.
- 6. Station Service Transformer Yard In order to supply stopped-up 480 V ac to the 2400 V bus, the station service transformer bus must not be faulted outside the building at the voltage regulators and transformers following an event. The structure supporting the station service transformer supply from off-site power may topple. If it should, an electrician could remove a portion of bus bar to disconnect the faulted station service transformer within a few hours. This action is not procedura11:ed.
- 7. Fuel 011 Tank Needed for extended running of diesel generators.
1 I
- 8. TK-39, Primary Water Storage Tank 1 1
Needed as a primary water source to charging and electric-driven emergency feedwater and an alternate source to the steam-driven I emergency feedwater.
- 9. Under Vapor Container The electric emergency feed and charging to main feed path pass under the vapor container as do the main feed lines.
- 10. Lower Level Primary Auxiliary Building The electric supply for Nos. 1 and 3 charging pumps comes through motor control center No. 4 in the lower level PAB. The
' electric-driven emergency feedwater pumps are located in the lower level PAB. The emergency feedwater cross-connect for electric and charging feed .4 well as the vapor container recirc line are located in the overhead and pass through the east end of the north wall.
- 11. Auxiliary Boiler Room North Wall The steam-driven emergency feedwater pump is located on the north wall of the Auxiliary Boiler Room and the discharge pipe passes through it. This is an internal wall between the Auxiliary Boiler Room and Turbine Building Pump Room.
- 12. Pump Room The Turbine Building Pump Room is the conunon junction of the main feedwater header with the steam emergency feed, electric emergency feed, and charging emergency feed headers. The power supply to charging pump No. 2 at motor control center No. 2 is in this area.
- 13. Upper Level Primary Auxiliary Building North Wall The common junction of the blowdown feed path and the safety .
injection feed, charging feed, electric emergency feed, and Safe Shutdown System feed paths is located in this area.
- 14. Upper Level Primary Auxiliary Building West Wall
-The electric emergency feed path and safety injection feed path are located in this area. The safety injection line is not expected to be faulted by any structural cladding failure in this area due to its size and wall thickness. The safety injection piping is expected to protect the electric emergency feed piping from damage due to cladding failure.
- 15. Upper Pipe Chase (Non-Radioactive Pipe Tunnel)
The individual blowdown lines pass through this area to reach the containment.
- 16. Primary Auxiliary Building Cubicle Area The charging pumps and emergency feed line from charging are located in this area. This area is constructed of reinforced concrete.
- 17. Safety Injection Tank The safety injection tank is the primary water source for the ECCS and the alternate supply to charging.
- 18. South Yard
~
The Safe Shutdown System and the fire water storage tank are located in the yard south of the vapor container. i 4
- , - . , . - - -n..-,- .-.--,.,-.,n ~ ., - , - - , - , , _ . , _ _ , _ , - . _ _ . - - . . , , , . , . , _ , - - , . , - . . . . -- - . , - - , ,
- 19. TK-1, Domineralized Water Tank The domineralized water storage tank is located outside the south wall of the Auxiliary Boiler Room and provides the primary water source for the steam-driven emergency feed pump and alternate source for the electric-driven emergency feed pump and charging.
- 20. Non-Return Valve Platform The NRV platfona is the one area for steam remaval from the system and provides isolation in the event of a steam line rupture.
- 21. Turbine Building l
The turbine throttle valves are the primtry steam line isolation along with the main steam dump. A fault on the line to these valves can be isolated by the non-return valves.
- 22. Turbine Building West Staircase o
Cabling for operation of vital equipment, such as the NRVs and atmospheric steam dumps, passes through this area. Additionally, this area provides access for the operator to other plant equipment following a severe event. e
- 23. Cable Tray House Signals to and from the vapor container pass through this area for detection and control.
- 24. Vapor Container The vapor container provides containment of the atmosphere surrounding the Main Coolant System boundary and vital detection equipment.
_ _ . . , _ . _ _ . _ _ _ _ . _ . - _ . . . _ . _ _ . _ _ _ _ _ _ _ . _ _ . . _ _ _ _ _ - _ _ . ~ . _ _ _. _ _ _ , . .
3.5 Containment Assessment 3.5.1 Backaround The design of the YMPS containment is such that it is cooled entirely by passive means. Heat transfer between the containment environment through the containment steel skin to the outside atmosphere is sufficient to maintain the containment temperature and pressure below design conditions for all d: sign basis events. The combinstion of structural, MARCii, CORCON-MOD 1, and manual calculations performed in the YNPS PSS also showed that even core melt 'ctnditions should not result in containment pressures exceeding the ultimate pecssure capacity of this structure, about 100 psia. This assessment included an evaluation of piping, valving, and electrical penetrations. The same analysis performed in the YNPS PSS indicated that containment ultimate pressure responses were not extremely sensitive to the specific ccquence that led to core melt and vessel failure. 3.5.2 Approach In this tornado / wind study, there are additional considerations to be cadressed because of the potential effects of the hazard on containment structural integrity. Extremely high intensity events, equivalent wind velocities exceeding cbout 250 mph, have the potential to fail the containment directly. These cvents have frequencies less than 10- /yr even using the 95% confidence IcVel hazard curve. Because of this direct impact on containment integrity, and c nsequently core cooling capability, the YNPS PSS results could not be used directly. Instead, containment response was treated discretely as follows:
- 1. For hazard intensity levels not affecting containment integrity, YNPS PSS results were used; and
- 2. For hazard intensity levels resulting in containment failure, a core melt and early 1-hour direct release to the environment were
/
assumed. Sections 6.0 and 7.0 discuss this approach in more detail, d a '? a 4
TABLE 3-1 Master Lonic Disaram Initiatinz Event Categories 4 Increase in Main Coolant System Pressure Decrease in Main Coolant System Pressure Reactor Vessel Rupture Steam Generator Tube Rupture Very Small LOCA Small LOCA Intermediate LOCA i Large LOCA Increase in Main Coolant System Inventory Dilution Rod Withdrawal Rod Ejection Inadvertent Rod Insertion Rod Drop Boration Increase in Main Coolant System Flow Decrease in Main Coolant System Flow Increase in Steam Flow Feedwater Induced Increase in Secondary Heat Removal Decrease in Steam Flow Feedwater Induced Decrease in Secondary Heat Removal Degradation of the AC Power Supply Degradation of the DC Power Supply Decrease in Component Cooling Water Delivery Decrease in Service Water Delivery
Decrease in Control Air Delivery Non-Isolable LOCA Outside the Containment 0 TABLE 3-2 Initiating Events Excessive Cooldown Steam Line Break Very small LOCA Small LOCA Intermediate LOCA Large LOCA Steam Generator Tube Rupture Plant Trip Loss of AC Decrease in Feedwater Flow Loss of Vacuum NRV Closure Turbine Trip Degradation of DC Power Supply Single Bus Double Bus All Buses Loss of Service Water Loss of Component Cooling Water Loss of Control Air Non-Isolable LOCA Outside Containment Reactor Vessel Rupture Critlaal Areas Vs. Sretens steam mar ass Charmian system accs pummina sweten slee. mar Best Charge Lleudemn
^ -
31oudoun WN Bloudoun 31onsdemon Ch ae - W N
^a plear Path M WW *
- WN Bloudaum al_
I plou path to steen ESF ASE South teoll I I suction. I I Amorgency AC to nomal Switchgear Boom I I AC. I I I I amer 5ency AC supply DG Cubicle I I I may affect emergency I I I SI Du11 ding I I bus cablias from betterlee 1 and 2 and emergency bus. I I I I SIS Berth Wall I I 2400 V bus supply may SST Yard I I be faulted by fault in SST yard. I I I I amargency DC long-term puel 011 Tank I I primary supply. I I 71-39 I I I Cross-connect piping I I I under VC I under VC. I I Electric BSFr. MCC-4, I I I I fl. pas BCCS sucttoe. I I Inside ABS at steen Bar Asa porth tes11 I I I I I I HCC-2. Overhead is pump Boom I I junctica of charging, steen, electric, and lEnf. I I I I I I BCCS. Elec. Bar and UL PAS Worth I charging to bloudown. I I BCCS and Elec. ESF to UL PAS West I I bloudoest I I I I I B1 % to containeemt Upper pipe Chase I I charging pumpe and I I PAS Cubicle headore. I I I I BCCS supply and 51 Tank charglas alternate Safe Shutdemon System I South Yard and fire water storage taak I Dominera!! sed unter I I supply. TI-1 I I I I I I , steen removat and MV I I I I steen line isolation. Cable Trey Note 1 I I I I l I I I I Vapor Container I I I I I I I Access and NRV I I I I TS timet Staircase I I actuation. l l Turbine Building unto 2 Bates: 1 - The cable tray house is the preferred path for detection, the SSS provides a redundant path. 2 - The Turbine Building provides steen line isolation folloutng trip. If the steen line fails, the gave provide backup.
l 1 actsasvE OFFSITE LEVEL 1 RELEASE r% I actasivt Exessievt OFF5ffE RELEASE LEVEL 2 OFF9tTE RELEA.E IN-PLANT 4XTERNAL. EVENTS Y -~
'N . .
ExcEsssV10FFBITE Excessive OFFSITE OTHERS RELEASE DUE To RELEASE DUE To I sesMIC l FutES }l FLOODS l ggygg 3 IN-PLANT EVENTS l IN-PLANT EVENTS l AT POWER DURING SHUTDOWN
\ /
s-FIGURE 3-1 Master Lonic Diarram - All Events - Excessive Release 1
l l
.lli Ili li - @
l l - -ll'. l llle- til @
---[
,11l @
e .
,l S l -
pe - i @
=
li @ e _ g i e = l @ i e .= . l @ ..
@ ~!
{.-ie- ll. _ 2 g a al a- @cI ;N
- 3
- ill@' -ll .,
=g e; je q e i 1 @ i=
iiij
- l - jj e- =
e ' I i liit _ R' _ _'l 1S _ i a- il
,il_
( a - g', l a I
-llll =
1 - I a- l li e =
- i @
li lji a- il l a k
.Ile- Il
-llleh H -
11
-ilil- ==
Yy @y
= __lig1 e- l
-ll11- ..
l ll ji -
- - .a .1. :.: .
4 i i i i i i j i j j
. ' i e
d t na Et S K M M M M M K 9 C C C C C 9 e e r T l t a n S t v e v Ca m Me o E H e R d e s a B n l o et a i ra vo t 3 c _ oe me CH 3
- n u -
F 3 R 4 e r y - u t g e i f F a e S r lo S s u r l C s t a _ c Mer no i t P C i r C d e y z rl i . oo l a St r Cnt r Men e vo n nC e I C l y - t l i i v ro t t c n a o e C R g n i t t s r a n e u s - i v c e t c Y Eo . i n = I h
)
7 ( e e s r u ) ) ) ) ) ) T ) 8 t 1 2 3 4 5 6 a ( ( ( ( ( ( A ( t C S K M M M M M O K 9 C C C C C L $
- tl n no e er N N N m it N Guncn N N N N Oroiot tifC n stf a nauol I tStP F l l N N N e O a o N N N e mv ao r
t r emd n T t eno t SRaC n e v E r 4 r - en l 3 e 4 t o N w 4 E ai o N e o O wt r N N r P di t u edd n g e edno i t FAaC F i s f f y O t N f ei m N o Dvvl al Oiioea s t t rt v s ictS o o san oeoee m l PRCrR C s O mr au rc cc SO d B e O t a l S o C ss MiI f e Aot s O irt r ssenu sf wec IofOPEO ovc
= .= = = = ===c. c : :
= 3 7 i
N s s s S $s $ e $ s GG i l I l 1 1 I I I I i I I I
,, IES I 1 I I
gli l l l l l I I
! l l l l
= IEls l l I
1 I fii I a a l II I
# I I I I l
i 1 l i l 1 1 I l l bl l l l 1 l l l l- l l l l l l l l g l 1 41 l l l l I l l E 1! l I I I 8 ' B t
!$ l I
I.* I e I g A
=
a 3;i l i s' g g-8 I a n 8
- -li- i a
! I ci E l
- l il c l n l l
\
) i i
I I I Q i .= l m "j E l = f 33 I !l o si! 11 l lij "
#5 l . 'll n at I; g
4w i 31 .
. .*2 "g 3 2
! j.&5 l t___ ,
l s ) ) ) u ) ) ) 3
) )
5 6 7 8 _ t 1 2 4 _ a ( ( ( ( ( ( ( ( t S M M K M M M M M 9 C C C C C C C a t tl n no e er N N N N N Nm it cn N N N N N L ur i o t nfC sof niuo I tSt l o r N N t N N N l n N N N N N S ao I mvC ao emd t en ' SR a l o r r N N ent N N t on N N N N F aio L wtC di edd ed n FAa n e o e i r t 6 a - T l 3 - E u N N N t 6 c N N N e n 4 L r r e - i u g v c E i e F A R C O L n o i D yt N N L t c N N ee fj an SI y t ei N vvl N C ii o L t t r ict san oeo PRC B s L mr au rc cc SO sr A Au L Cc Oc LO
'4.0 HAZARD INFORMATION This section discusses the development of the wind / tornado hazard curves used in the cost-benefit analysis. 4.1 Wind and Tormado Hazard probabilities Straight wind and tornado probabilities associated with the expected value and upper 95% confidence intervals were determined for input into the c:st-benefit analysis. The hasard probability, estimates are the same as those identified in Reference 5 with the following adjustment. Upon review of the NRC's assessment in Appendix A of Reference 5. Yankee identified an incorrect input for the local region area in the tornado analysis. As correctly noted cn page 5 of Reference 5, the local region area should be 28,945 square CLlos. However, the computer's printout listing in the Appendix A shows that a local region area of 20,560 square miles was used in the analysis. The result of this incorrect area in the analysis is an overestimation cf the annual probability of exceedance. Yankee has subsequently " corrected" the analysis in Reference 5 to account for the incorrect input area. The not effect on the results due to this correction is given in Table 4-1. Using the " corrected" tornado hazard results in conjunction with the straight wind probabilities, given in Table 4-2, the straight wind / tornado hasard curves were developed. These hazard curves are given in Figure 4-1 for the expected and upper 95% confidence level. l TABLE 4-1 Tornado Hazard Probabilities l ' Tornado Windspeeds. aph Corrected Annual NRC Expected Corrected NRC Upper Upper 95% Probability Value Expected 95% Level Level
~
10 40 40 87 85 10 122 110 174 165 10~ 188 175 244 230 10~ 248 235 291 285 't d
l l TABLE 4-2 l STRAIGHT WIND HAZARD PROBABILITIES Straight Windspeeds, mph Annual Expected Upper Probability Value 95% Level 10-1 57 61 10-2 70 78 10-3 82 94 10-4 94 110 10-5 107 127 10-6 119 143 6 0 0 0
'6 3
0
. 0 5
1
'3 S 0 E 0 V 0 R 7 U '2 C
D 0 R 0 O A D 5 Z A 2 N '2 H A R P H O/ T M S 0 O 0 , 1 E V D 0 D 4 R - A 8 E U 0 N 'l E C 5 E R - R P U D O S G R T D I A N % 0 0 D F Z
/ I 5 N A I
D - W 9 5 I I N T R
'3 l W I l i E W G P I P A U T R 0 H T 0 S
G O I '9 A R ~ T S 0 0
~
D \g (5 E T C E P X 0 E 0
, g , , , - 0 1 2 3 4 6 6 0 0 0 0 0 0 E E E E E E 1 1 1 1 1 1
>W~
$M WUzTQWdX* J.EDzzC
~
l 5.0 FRAGILITY ANALYSIS Fragilities for critical structures and components are a basic input into the cost-berefit analysis. Critical structures and components necessary fer hot safe shutdown are discussed in Sections 3.0 and 6.0. These ctructures/ components are listed in Table 5-1. Fragilities for these ! structures / components are modeled as a step function with failure probability stepping from 0.0 to 1.0 at " failure" windspeed. 5.1 Failure Criteria Failure criteria for structures / components evaluated for the ecst-benefit analysis are as follows:
- a. Block Walls For unreinforced masonry block walls, failure is defined as exceeding the ultimate out-of-plane lateral pressure loading as governed by the tensile strength of the mortar at failure.
Ultimate tension values of 22.7 psi (nocmal to bed joint) and 45.7 ] l psi (parallel to bed joint) were used. These ultimate tension values are consistent with Reference 6 and are 1.62 and 1.11 times the design tension allowables in Reference 7 for normal and parallel values, respectively,
- b. Tanks Based on the respective tank drawings for TK-1, TK-28 and TK-39 a design wind load of 25 psf on the projected area of the cylindrical surface is specified. For the fire water tank, the tank specification calls for a design wind pressure equivalent to 18 psf. These wind design pressures were adjusted upward to ultimate lateral pressure loads on the projected area of the cylindrical surface. Ultimate lateral pressure loads at " failure" are 30 psf for TK-1, TK-28, and TK-39, and 35 psf for the fire water tank.
.c. Equipment Enclosures Ultimate lateral pressure loads at " failure" were determined by adjusting wind design pressures upward by the ratio of factor of safety to the original design allowable stress increase for wind loadings.
- d. Roofs Roof uplift was evaluated using the deadweight of the roofs with an allowance for fastening of the roof deck to the roof girders.
5.2 Structure / Component Windspeed capacity The conversion of ultimate lateral pressure loads to straight wind and . ternado windspeeds is based on information presented in References 8 and 9. The methods in the references are actually design tools, which from a given straight or tornado wind, a design pressure is calculated. For this analysis, the methodologies were used to calculate an ultimate best-estimate windspeed for the structure / component equivalent to the calculated ultimate lateral pressure. For the straight wind calculations, Exposure Category B, as defined in R:ference 3 (wooded area), was used. Considering the location of the plant cite with respect to the surrounding terrain, the topography and vegetation of the surrounding region, and the sinuosity of the river valley, it was d:termined that Exposure Category B best reflects plant site conditions. Buildings and structures were analyzed as main wind-force resisting systems or components and cladding, as appropriate. The straight windspeeds determined cfter Reference 8 are equivalent to fastest mile windspeeds, 33 feet above the ground for Exposure Category C and are directly compatible with the straight , wind hazard curves. [ For the tornado wind calculations, a technique from Reference 9 was used. The calculated tornado windspeeds are equivalent to peak tornado windspeed, rotational and translational, and are directly compatible with the tornado hazard curves.
For the tornado portion of the analysis, the conversion of ultimate 10teral pressure load to tornado windspeed was based on the dynamic pressures cf the tornado windspeeds. The atmospheric pressure drop loading was assumed cs not producing the controlling load for structures / components in the cest-benefit analysis for the following reasons:
- a. The calculated tornado pressure drop is based on maximum tornado windspeed. Structures / components with a finite horizontal exposure would experience an average tornado windspeed less than the maximum and, therefore the actual tornado pressure drop would be somewhat less,
- b. A detailed analysis of the Battery Room demonstrated that the existing ventilation system of the room is capable of relieving the pressure drop differential to the point where the AP loading for the 10~ upper 95%,165 mph tornado is negligible.
- c. For the four tanks, the atmospheric pressure drop loading is quite small compared to the hydrostatic loading when the tanks are full; in addition, the tanks are vented.
- d. Most of the structures / components analyzed are not airtight and, given that the tornado pressure drop is developed over 5 to 6 seconds for the tornados of interest, adequate time is available for venting before any appreciable pressure differential could build up.
- e. The seismic SSS structures / components will be adequate for the 10~ AP loading.
Based on the above discussion, it was concluded that the controlling t:rnado loading is the dynamic wind pressure and that the atmospheric pressure drop loading for existing structures / components is negligible. Note the ccnceptual design for the SSS Pump House calls for an airtight structure, as cuch, this structure will be designed for load combinations including the j ctmospheric pressure drop. ! l
Table 5-2 lists the structures / components analyzed, their ultimate i 1:teral pressure loads at failure, and wind capacities for both straight and tcenado winds. The calculated windspeeds were datemined by appilcation of the techniques presented in References 8 and 9. l-4 1 l t 4 J 1 1 i
- - . - . - - . . . . - . ~ - . . . . - - _ - , . . . . - . . . , . _ _ _ . - . , . , _ _ . . . - . . , _ - , , . , - - - _ . , . . , . _ . _ - . - , . . . . - , , . , , . - , , . , _ , _ . _ . , . _
l l TABLE 5-1 Structures / Components for Fragility Evaluation Auxiliary Boller Room South Wall TlJ2 Auxiliary Boiler Room Interior Wall T102 Lower Level Primary Auxiliary Building Wall P1El Lower Level Primary Auxiliary Building Wall P1E2 Upper Level Primary Auxiliary Building Wall P2F1 Upper Level Primary Auxiliary Building Wall P2F2 Safety Injection Building South Wall D121 Safety Injection Building South Wall D122 Safety Injection Building West Wall D11051 Safety Injection Building West Wall D11052 Diesel Generator Building West Wall D11053
- Diesel Generator Building North Wall DlV1 Diesel Generator Building North Wall DlV2 Diesel Generator Building North Wall D1V3 Safety Injection Building North Wall D111 Domineralized Water Storage Tank, TK-1 Safety Injection Tank, TK-28 Primary Wa6.ee Storage Tank, TK-39 Non-Radioactive Pipe Tunnel Battery Room Wall T292 Battery Room Wall T2G3 Battery Room Wall T2C4 Turbine Building SW Stairwell Wall T1H2 Turbine Building SW Stairwell Wall T1121 Primary Auxiliary Building Roof Non-Return Valve Enclosure Fire Water Tank Fire Pump House Enclosure Safe Shutdown System Pump House Cable Spreading Room Walls Cable Spreading Room Roof TABLE 5-2 Wind Casacities of Structures /Comooients Ultimate Lateral Structure' Component Pressure Load. osf Wind Caoscities. moh Straight Wind Tornado Walls T1J2 22.8 122 162 T102 (Interior Wall) 23.1 122 162 P1El 54.2* 197 222 P1E2 54.2* 204 222 P2F1 38.2* 165 186 P2F2 38.2* 171 186 D1Z1 9.7 103 93 D1Z2 9.7 103 93 D11051 10.4 107 81 D11052 7.7 92 70 D11053 7.5 91 69 D1V1 26.9 172 156 D1V2 26.9 1/2 156 D1V3 26.9 172 156 D1X1 16.3 134 121 T292 (Interior Wa' ) 44.4* 161 186 T2G3 (Interior War.) 44.4* 145 186 T2G4 (Interior Wall) 44.4* 170 186 T1H2 (Interior Wall) 27.3* 126 145 T1121 (Interior Wall) 30.5* 120 154 TK-1 30.0 191 161 TK-28 (SIT) 30.0 179 164 TK-39 30.0 179 164 Non-Radioactive Pipe Tunnel 50.6* 173 176 Primary Auxiliary Building Roof 25.0 121 129 Non-Return Valve Enclosure 26.5* 135 119 Fire Tank 35.0* 190 182 Fire Pump House Enclosure 26.8* 156 119 Safe Shutdown System Pump House ** 60.0a 258 178 Cable Spreading Room Walls 8.0 69 65 Cable Spreading Room Roof 10.6 73 80 Cable Spreading Room W/Fix 64.7*** 196 186
*This calculated value assumes a " seismic upgrade" to YCS has been installed. **To be constructed in 1985.
C**This calculated value assumes structure upgraded to design for 10-4 event. Notet Wind capacities for interior walls are conservative since these walls are not subject to direct wind pressure loading. 6.0 QUANTIFICATION OF PLANT N00sL The purpose of this section is to discuss the release frequency analysis. This involves development and quantification of logic expressions representing the plant model (Section 3.0) to conservatively determine the l likelihood of: o Core molt, including timing and conditions. l o Core melt plus containment failure, including timing and other ! parameters required to assess off-site consequences. l i l The process involved in assessing each of these parameters is discussed below. 6.1 General Discussion of Core Malt Freauency AnalvsLs l ! As discussed in Section 3.0, the core melt frequency analysis consists Cf 1) identification of possible sequences leading to core melt, and 2) quantification of these sequences. Initiating events were categorised into three specific types: 1) loss of off-site power, 2) excessive cooldown and 3) 1 Css-of-coolant accidents. Hitigative system requirements for each event type were established based on 'saintenance of the " critical safety functions" listed below
- 1. Reactivity Control
- 2. NCS Inventory Control
- 3. NCS pressure control
- 4. Core Heat Removal 1
- 5. NCS Heat Removal j
- 6. Containment Integrity l
l I
I section 3.0 described the systems available to support maintenance of these critical safety functions and their locations at the plant. As i discussed in section 3.0, event trees and fault trees were used to translate this inforination into a plant model. The purpose of this section is to translate the qualitative plant model into logic expressions and quantitative results. 6.2 Initiatina Event Freeuency l i The frequency of each of the three initiating event types is dependent l on the hasard intensity. This relationship is discussed below for each event t I type, I 4.2.1 Loss of off-site Power L To assess the likelihood of a loss of off-site power due to weather ! related effects, two distinct sources of information can be used, as follows: c
; 1. Historical data at the YNpS site and other plant sites, and
- 2. Convolution of the hasard curves with plant switchyard and '
transmission line capacities. > Sections 6.2.1.1 and 6.2.1.2 discuss the avaltable historical data. The second inforination source is discussed in Section 6.2.1.3. Evaluation of this infocination also considered the following two laportant questions wh,11e casessing the likelihood of a loss of off-site powers i
- 1. Does the hasard event resulting in a loss of off-site power also tapact the structural integrity of the plant?
- 2. What is the function relating the frequency of off-site power loss ,
with the duration of loset , F
l 6.2.1.1 YNPS Date l The YNPS has operated for about 24 years. During this period, there has been only one complete loss of off-site power. This occurred on November 9, 1965 during the " Great Northeast Blackout". The plant was in cold shutdown Ct the time. A nearby hydro unit was used to re-energise the plant in about ! 30 minutes. l The loss of off-site power was R21 caused by local weather conditions. Thus, the evidence is 0 loss of off-site power events due to local weather i conditions in 24 years at the YNPS. I ! 6.2.1.2 Industry Data l 6.2.1.2.1 gait ! The following evaluation of weather-related loss of off-site power plant trips is based on the EPRI/NSAC data in Appendix A of draft report,
" Losses of Of f-Site Power at U.S. Nuclear Power plants", dated May 1984.
l l l Weather-Related (1) Plant Trips From LOSP LOSP LOSP LOSP LOSP LOSP ggggg < 1/ 2 HR > 1/ 2 HR Total > 3 HRS > 6 HRS >9 HRS Storm (2) 5 3 8 0 0 0 storm /Sait(3) 3 2 5 2 1 0 Lightning (4) 7 4 11 1 1 0 T;rnado 2 1 3 1 0 0 Total 17 10 27 4 2 0 Notes: (1) Weather-related is used because some events resulted from a combination of weather and other failures. (2) Storm includes wind, snow, ice or some combination thereof. (3) Events that resulted from salt on the switchyard insulators were separated since they were not applicable causes for inland sites. These events occurred at Hillstone and Pilgrim. i (4) Storms may be associated with lightning. The total number of site years in the EPRI data is 533. The frequency of LOSP vs. time using the maximum likelihood estimate is tabulated below. I_> _Q T > 1/ 2 HR T> 3 HRS T > 6 HRS T > 9 HR$ Total .051 .019 .008 .004 .002* Storm & Tornado ** .021 .008 .002 .002* .002* Tornado .004 .002 .002 .002* .002* l 0 1/S33 assumed vs. O. l C* Salt causes and lightning causes excluded. l (
Note that the overall industry frequency for a loss of off-site power cv nt due to storms and tornados exceeding 3 hours is less than 2 x 10~ per y:ar. Additionally, the total frequency of a loss of off-site power caused by otorms and tornados is about a factor of 10 higher at 2.1 x 10~ per year. There were no events in which off-site power losses exceeded G hours due to tcrnados and storms. (The longest loss was 4 hours as discussed below.) 6.2.1.2.2 Discussion of Data Tornados The three events involving tornado-induced loss of off-site power cccurred at the following plants:
- 1. -Dresden, 11/12/65, tornado passing north of station resulted in a
' loss of all transmission facilities. One 138 kV line was restored in 4 hours.
- 2. Browns Ferry, 4/3/74, four of five 500 kV lines and one of two 161 kV lines failed. Several transmission line towers were down.
Off-site power remained available from the remaining 161 kV line.
- 3. Arkansas Unit 1, 4/7/80, multiple line losses occurred, but the backup line remained available.
Thus, although there have been three plant trips caused by local tornado activity, only one event caused a complete loss of off-site power. And, for this event, off-site power was restored within 4 hours. Additionally, none of these events involved a direct hit at the plant. The cvidence is therefore zero direct hits in 533 plant years of operation, and Cne event in 533 years of plant operation resulting in a complete loss of .cff-site power for 4 hours. Storms Excluding salt and lightning related events, there have been eight cvents caused by storms. Of these eight events, there have been only three cvents in which off-site power was unavailable for greater than 30 minutes; no cvents exceeded a 3-hour loss. As assessed for tornados, none of these events r:sulted in structural failures at the affected plant.
- Switchyard and Transmission Line Capacity 6.2.1.3 In addition to historical data, a convolution of hazard curves with twitchyard and transmission line capacities can provide useful information i c
- garding loss of off-site power likelihood. The on-site switchyard structure et YNPS is designed for a 70 mph straight wind. The off-site transmission lines are designed for a 100 mph straight wind, limited by the capacity of the cupporting poles.
The plant's two independent off-site power supplies - Cabot and HErriman lines - would be available up to about 100 mph, their design rating. On-site switchyard failure (at about 70 mph) would result in a plant trip and would prevent powering the plant with the Harriman line. Power from the Cabot line would most likely remain available after switchyard failure since the
- ctation service transformer is tapped off upstream of the switchyard.
4 From Section 4.0, the exceedance frequencies of these events are provided below: Hazard Intensity (mph) Exceedance Frequency Per Year 50% Hazard Confidence 95% Hazard Confidence Tornados Winds Tornados Winds 70 4 x 10-5 1 x 1o-2 2 x 10-4 3 x 10-2 100 2 x 10-5 4 x 10-5 7 x 10-5 5 x 10-4 , Without crediting the inherent design conservatism in the switchyard and transmission line capacities, the frequency of a plant trip due to wind-
~
induced switchyard failure would be about 1 x 10 per year for straight winds and about 4 x 10~ per year for tornados. The frequency of off-site power loss resulting from severe. transmission line failure would be about 4 x 10~ per year due to winds and about 2 x 10~ per year for tornados.
~
F I Note that the exceedance frequency versus hazard intensities used above for tornados are based on the YNPS site area. In fact, the two independent power supplies - Cabot and Harriman - cover distances of about 20 miles and 3 miles, respectively. Thus, the overall frequency of a tornado-induced loss of cff-site power could be higher than stated above. This area dependence was investigated, as discussed below. References 10 and 11 document investigations involving transmission line wind loadings performed by Dr. Lawrence A. Twisdale of Applied Research Associates, Inc. These papers were reviewed to assess the impact of transmission line length on the overall yearly frequency of failure due to wind and tornado loadings. The major conclusion relative to tornado-induced transmission line failure is quoted below from Reference 10.
"For lines that exceed 10 miles in length, tornado winds may dominate the combined risk curve at fastest mile speeds as low as 70-80 mph."
Additionally, "The relationship between transmission line probability and point target probability for this example is a factor equal to approximately 10 times the length of the line (mile)." For the Cabot line, this relationship would yield a transmission line failure frequency due to tornados of about 4 x 10~ per year and
~
1.4 x 10 per year, using the 50% and 95% hazard curves, respectively. For the Harriman line, the corresponding values would be 6 x 10~ per year and 2.1 x 10~ per year. Thus, the total frequency of losing a single line is 4.6 x 10~ per year, 50% hazard, or 1.6 x 10~ per year, 95% hazard, due to tornados. There is insufficient plant specific data to validate these findings cince the plant has only operated for about 24 years, with no tornado-induced single line losses. The industry data discussed in Section 6.2.1.2 demonstrated a frequency of 6 x 10 per year for a loss of off-site power due to tornados. However, for a complete loss of off-site power to occur at YNpS either multiple - at least two - lines must be affected or the cwitchyard and Cabot line must be affected. Additionally, the longest (industry-wide, tornado-induced) loss reported was 4 hours, indicating that major structural damage did not occur.
Though a plant trip would occur on loss of a single line at YNPS, the ccnditional frequency of core melt is extremely low unless the plant itself incurs damage. If either line is intact, all normal plus emergency plant cquipment can be powered. In addition to the individual frequency of Harriman cr Cabot line loss due to tornados, a more important question is their dual fcilure. Dual line loss - Cabot and Harriman - could occur if the following events occurred:
- 1. Tornado-damage at the plant affecting the switchyard and Cabot line, where Harriman and Cabot join;
- 2. A tornado fails either the Cabot line or Harriman line, and the unaffected line fails " randomly"; or
- 3. A tornado (s) fails both lines during a short period of time (less than a 1-day period).
The frequency of case 1 was discussed previously as falling in the r:nge of 4 x 10- per year to 2 x 10~ per year (50% and 95% confidence). The frequency of Case 2 is negligible. And, the frequency of Case 3 is b311eved to be bounded by case 1 because the Cabot and Harriman lines leave the plant in opposite directions. A " double" hit would be required to fall bath of these lines unless the strike occurred at the switchyard, t For hazard intensities sufficient to fail the transmission poles, greater than 100 mph, restoration of off-site power to the plant through these lines would involve major repairs. From 1 to 4 days is estimated to be r2 quired to perform these repair actions. Another option svallable to restore off-site power to the plant is described below. A nearby hydroelectric facility, Sherman Station, could be used to cupply power to the plant. Cabling could be run over the ground, to the 2400V etation service transformers at the YNPS. Depending on the damage to Sherman Station, it is estimated that this action could be completed within 2 to 4 days. Cabling availability is not anticipated to be a problem.
6.2.1.4 Combined Data 6.2.1.4.1 Tornados The " generic" data developed by EPRI demonstrates a point estimate value of about 6 x 10~ per year (3 events in 533 plant years) for plant trips caused by tornados. The frequency of a complete loss of off-site power is a factor of 3 lower at 2 x 10~ per year (1 event in 533 plant years). For this event, the tornado did not " hit" the plant; off-site power was restored within 4 hours. There has not been a tornado-induced loss of transmission lines connected to the YNPS. Based on switchyard and transmission line capacities end the hazard curves, long-tem losses of off-site power frequencies were
~
estimated to range from 2 x 10 per year, 50% hazard, to 7 x 10 per year, 95% hazard. The following table summarizes the available information. Loss of Off-Site Power Duration EPRI Data Plant-Specific Capacity / (hours) (yr-1) Hazard-Based (yr-1) 50% Hazard 95% Hazard
>0 2 x 10-3 4 x 10-5 2 x 10-4
~
>4 0 - -
>24 0 2 x 10-5 7 x 10-5 The frequency of a plant trip due to partial line losses ranged from 4.6 x 10~ per year, 50% hazard, tc 1.6 x 10" per year, 95% hazard, as discussed in Section 6.2.1.3. EPRI data indicates 4 x 10- per year (2 cvents in 533 years).
It is difficult to confire. the accuracy of frequencies in the 10- to 10- per year range because these frequencies indicate extremely rare cvents. And, as stated earlier, there have been no direct hits at any plant. Since this study is focused on assessing the cost-benefit relationship of backfits to increase the capacity of the plant to direct hits, the plent-specific information is most appropriate. This acknowledges that the total loss of off-site power frequency due to tornados is probably higher than thsse values in Columns 3 and 4, above. However, unless the tornado were a direct hit, the cost-benefit characteristics of additional plant hardening would be unaffected. Thus, the information in Columns 3 and 4 is appropriate. A final question centers around short-term losses (i.e., less than 24 h:urs). This is important because random equipment failure frequencies are d: pendent on the period of time they must operate. Electrical equipment such cs diesel generators and de power are the most sensitive to off-site power loss duration. From the table above, however, there is little difference (a fcctor of 2 to 3) between the frequency of losses exceeding 0 hours and 24 h:urs. Thus, for this analysis, the frequency for losses exceeding 0 hours will be conservatively used. 6.2.1.4.2 High Winds The generic data developed by EPRI demonstrates a point estimate value of about 1.5 x 10~ per year (8 events in 533 years) for plant trips caused by storms. Of these 8 events, only 3 events, frequency of 5.6 x 10' per year, resulted in losses exceeding 30 minutes. No events resulted in losses cxceeding 3 hours. There have been no storm-induced complete losses of off-site power at the YNPS. Several plant trips have occurred due to single line losses, lightning strikes for example. Based on switchyard and transmission line c pacities and the hazard curves, long-term losses were estimated to be 4 x 10 per year, 50% hazard, to 5 x 10- per year, 95% hazard. The following table sunearizes the available information. i Loss of Off-Site Power Duration EPRI Data Plant-Specific Capacity / (hours) (yr-1) Hazard-Based (yr-1) 1 50% Hazard 95% Hazard
>0 1.5 x 10-2 1 x 10-2 3 x 10-2
>0.5 5.6 x 10-3 - - i
>3 0 - -
1 24 0 4 x 10-5 5 x 10-4 Long-term losses are rare events. There have been none greater than 3 hturs throughout the industry. Therefore, judgement is required in developing cn exceedance frequency versus time function. It was judged that the .following relationship is reasonable, probably conservative. foss of Off-Site Power Duration Exceedance Frequency Exceedance Frequency (hours) (50% Hazard) (95% Hazard)
>0 1 x 10-2 3 x 10-2
>0.5 4 x 10-3 1 x 10-2
>3 1 x 10-3 3 x 10-3
>24 1 x 10-4 1 x 10-3 The 0.5-hour point was detemined by reducing the 0-hour point by a factor (1.5 x 10~ /5.6 x 10~ ) derived from the EPRI data.
The 3-hour point was determined by reducing the 0-hour point by a factor of 10 consistent with the EPRI Generic Experience Data derived as for stotle and tornado causes in Section 6.2.1.2.1. The 24-hour point is based on the transmission line capacity, rounded up to the nearest decade. For this. analysis, the frequency of losses exceeding 0.5 hours will be conservatively used. 6.2.1.5 Results For the purposes of this analysis, the frequency (per year) of a complete loss of off-site power caused by a wind / tornado hazard will be ccnservatively taken as: Frequency Per Year Hazard 50% Hazard Confidence 95% Hazard Confidence
-3 Wind 4 x 10 1 x 10~
Tornado 4 x 10~ 2 x 10~ 4 These values are believed to be conservative for the following reasons: o Switchyard / transmission line failure is assumed to occur at design windspeeds. o The generic industry data is based on any complete loss of off-site power caused by wind / tornado events. This analysis considers off-site power loss coincident with plant damage which is less likely. o These frequencies represent power outage durations exceeding 0.5 hours for winds and 0.0 hours for tornados. Quantification of all ~ event sequences in this analysis (Section 6.3) assume outage durations of 24 hours. o From the hazard curve (Section 4.0) these values correspond to hazard intensities in the range of 70 to 80 mph. Off-site power at YNPS (partial - the Cabot line) is likely to be available up to about 100 mph hazard intensity. 6.2.2 Excessive Cooldown 1
As discussed in Section 3, this event was reviewed separately because , 4 cn excessive plant cooldown event could lead to pressurized thermal shock ccncerns if not adequately controlled and mitigated. The excessive cooldown event consists of the following three specific initiating events, which are cufficiently comparable relative to mitigative system performance that they ccn be treated conservatively by.the same basic logic model. These events are:
- 1. Excessive cooldown (affecting one steam generator)
- a. Steam line break upstream of the non-return valves (NRVs),
- b. Feedline break downstream of the feedline check valves,
- 2. Steamline break downstream of the NRVs (affecting all four steam generators), and
- 3. Loss of de Bus No 1.
For Events 1 and 2, above, the non-return valves must be capable of closing, and the feed line to the affected steam generator must be closed. (For Case 1, automatic closure of the NRVs is not required if they close properly as a check valve.) Operability of the non-return valve actuators requires the availability of any two of the three de buses for successful tutomatic 2 out of 3 low steam line pressure trip, or, de Bus 1 or 3 for manual trip from the Main Control Room. Feedline isolation can be initiated remotely by closing the feedwater regulating valve with control air or closing the feed header isolation valve by non-IE 480 V ac from Bus 6-3. The feedline isolation can be initiated locally by manually operating any of the following valves: feed header isolation valve, feedline stop valve, or feedwater regulating valve to the affected steam generator. The feed and steam removal capability is the same as that for the loss of off-site ac event. For the third event, loss of de Bus No. 1, automatic turbine trip is not available due to loss of the de bus. Steam line isolation by the turbine throttle valves or non-return valves must be successful to prevent an sxcessive cooldown and possible pressurized thermal shock concerns. w- w
i Automatic NRV closure on low-low steam line pressure is reduced to a cingle 2 out of 2 logic train powered by de Buses 2 and 3. Non-return valve manual actuation.is available only from de Bus No. 3. It is reasonable to assume that if a failure of de Bus No. I were to cccur during the high wind event, the loss of off-site ac-will also occur
.cince the " wind capacity" of de power is significantly higher than ac power.
This would result in isolation of steam flow by turbine throttle valve closure
'cince the loss of load to the turbine will cause the turbine to trip on mechanical overspeed, thus terminating the cooldown.
For Events 1 and 2, the initiating event, high winds or tornados, will nst challenge the main steam and feed piping for windspeeds below that which may challenge the structural integrity of the containment at 250 mph. The likelihood of simultaneous random piping failure is extremely remote. For a loss of de Bus No. 1 to result in an uncontrolled excessive ecoldown, both of the following failures must occur:
- 1. Failure of an additional de bus or NRV equipment failure, and
- 2. Turbine overspeed trip failure.
Considering the capacity of the de power supplies and NRV equipment a's well as random failures, the overall yearly frequency is less than 10~ per year. Thus, this event is a negligible contributor and will not be addressed-further as a specific initiating event. 6.2.3 Loss-of-Coolant Accidents This initiating event category can be considered to consist of three cpecific event types, as discussed in Section 3.3.3.
- 1. Main Coolant System (MCS) pressure boundary violation involving piping or component physical failure.
- 2. Failure to isolate bleed paths such as the letdown system, and
- 3. Failure of pressure relieving devices such as the pressurizer power-operated relief valve and pressurizer code safety valves.
4 The analysis performed to identify these events and their likelihood is discussed below. 6.2.3.1 Pipinz/ Component Physical Failures The majority of the MCS piping and components which make up the system pressure boundary are located within the Vapor Container (VC). The structural integrity of the VC has been demonstrated for windspeeds in excess of 250 mph. Therefore, for the windspeeds being considered here, a failure of the VC cnd MCS pressure boundary components within the VC need not be considered b low a 250 mph windspeed. i Piping connected to the MCS that extends outside of the VC is routed through the radioactive pipe tunnel to the Valve Room area of the Primary Auxiliary Building (PAB). These areas are constructed of a minimum of 2 feet of reinforced concrete. This offers a level of protection greater than that of the VC. Therefore, a failure of this pressure boundary piping need not be censidered for the windspeeds considered in this analysis. 4 6.2.3.2 Isolation Failures The potential exists for pressure boundary failure if inadvertent cetuation of the isolation valves that establish the pressure boundary were to cecur. The valves used inside the VC are electrically motor-operated. The caly failure mechanism that could result in their inadvertent actuation is in
- the control portion of the valve circuitry. This equipment is located in the Main Control Room (MCR) and Switchgear Room (SWGR) areas of the Turbine Building. The MCR is constructed of reinforced concrete. The SWGR is also constructed of reinforced concrete with the exception of the north wall, an internal wall to the Turbine Building. This wall is constructed of concrete blocks reinforced with additional columns for seismic considerations. This wall is capabl, of withstanding a 10~ wind or 7 x 10~ per year tornado
l it ct windspeeds of 170 mph and 186 mph, respectively, using the 50% hazard. l C:rresponding exceedance frequencies using the 95% hazard are <10~ for winds and 5 x 10~ per year for tornados. Therefore, a tornado or wind-induced failure of this control circuitry resulting in an inadvertent cetuation of a motor-operated valve is not anticipated due to wall fa.'. lure. Lines Which run outside the VC to the Valve Room area of the PAB r; quire isolation by operation of the Containment Isolation System (CIS). This insures that the primary pressure boundary remains intact and that all nsemally open lines connected to the MCS are isolated. These lines are investigated below. Failure of the letdown system to isolate can lead to a challenge to the Mnin Coolant System Inventory Control and Pressure Control Critical Safety Functions. On a loss of off-site power, the Control Air System is de-energized and control air system pressure drops to zero within about 3 to 4 minutes from the less of the bus or a maximum of six minutes after the loss of ac, assuming a 2-minute coast down on 480 V Bus 4-1. The bleed line isolation valve, LC-V-222, is held open by control air. Therefore, the bleed line will close within a maximum of 6 minutes of the initiating event. Additionally, the cperator is directed by the immediate actions of the loss of AC supply smergency procedure to trip (close) the bleed line isolation valve, LC-V-222. If the bleed line isolation valve failed to close, the operator can isolate
'the letdown by closing in line valves CH-MOV-525 or CH-MOV-527, if electrical p:wer can be restored to non-Is 480 V Bus 5-2. The operator can isolate letdown manually by locally closing manual bleed line isolation valve CH-V-715 in the upper level Primary Auxiliary Building Valve Room (a room with a 2-foot-thick reinforced concrete structure).
The operator would have a time period measured in hours to perform this cetion because of the small capacity of the letdown system. This conditional initiating event frequency coupled with the hazard frequencies result in a negligible overall contribution to the frequency of a LOCA.
Other potential letdown paths such as the sample system were also reviewed. They were found to function the same or better than the letdown cystem. Since their probability of being open upon the event is much less than that of the letdown system, these paths are negligible contributors to the event. 6.2.3.3 Relief Valve Failures The relief valves connected to the Main Coolant System are listed below: o Pressurizer Power-Operated Relief Valve (PORV) (1) o Pressurizer Code Safety Valves (2) o Main' Coolant System Loop Safety Valves (4) PORV The PORV has a setpoint of about 2350 psi and a throat ID of about .9 inches. Dependent on operator action and equipment availability to operate the atmospheric steam dump valves, it is possible that the MCS pressu:.e could increase to 2350 psi following a loss of off-site power event. Without turbine bypass, which is unavailable on a loss of off-site power, the secondary temperature rise is sufficient to result in a MCS temperature rise; consequent swelling of the MCS could lead to MCS pressure increases beyond the setpoint of the PORV, if the secondary is allowed to challenge the secondary code safety valves. Secondary code safety valves have a setpoint about 175 psi higher than the turbine bypass. This equates to a secondary temperature at secondary safety valve setpoint about 23 F hotter than at turbine bypass setpoint. Additionally, during a loss of off-site power, MCS hot leg temperatures will be 30 to 40 F higher because of the reduction in MCS flow rates during natural circulation. l RETRAN-based analyses show that the operator has between 5 and 10 I ninuces to manually initiate the atmospheric steam dump system to preclude a challenge to.the PORV. Pressurizer Code Safety Valves The two pressurizer code safety valves are set at approximately 2500 and 2550 psi, respectively. Each valve has an effective throat ID of about 1 inch. These valves would not be challenged unless 1) the operator failed to cetuate the atmospheric steam dump system (or it is unavailable), and 2) the PORY failed to open. If both of these events occurred, the first code safety valve could be challenged. Only if it failed to open, would the second high GOt valve be challenged. Main Coolant System Loop Safety Valves Each of the four MCS loops has a small - 100 spm - liquid relief valve with a set pressure of about 2750 psi. The only possibility for these valves to be challenged is if the following scenario occurred:
- 1) Operator fails to actuate atmospheric steam dump system (or it is unavailable), and
- 2) The PORY fails to open, and
- 3) Both pressurizer code safety valves fail to open.
I As discussed in Section 3.0, a simple event tree was developed to ! d:pict the sequences that could result in a LOCA due to relief valve challenges, Figure 3-3. This relief valve event- tree, when quantified, ecpresents the likelihood of a LOCA resulting from a wind / tornado-induced loss of off-site power. It provides the development of Top Event "A" (the initiating event) of the LOCA event tree, Figure 3-6. Quantification of the relief valve event, which yields the LOCA initiating event frequency, is discussed in Section 6.6.2. 6.3 Too Event Develooment The approach taken to develop mitigative system failure frequencies cecounted for both hazard induced and " random" failures. Random failure frequencies were based largely on results of the YNPS PSS. Failures induced by the tornado / wind hazard are failures caused by structural or other physical damage. For each of the mitigative systems modeled, the physical locations centaining equipment within these systems were identified (Section 3.0). Having identified potential random failures and potential location failures, icgic expressions for mitigative system failure can be written. The following cxample illustrates the approach. Assume a simple system consisting of an electric pump, control power, and flow path as follows: O O Tank SG DC V Locations of each component follow: Tank - isolated outside all buildings. Piping from Tank to Pump - underground until entering Room A and joining the pump. Pump - in Room A. AC Power - supplied by Diesel Generator in Room B and routed through Room C. DC Power - supplied by Batteries in Room D backed up by Charger (Room D) which is powered by the Diesel Generator through Room E. Discharge Piping - Through rooms with CAPACITY exceeding 250 mph after leaving Room A. Reviewing the above, a failure expression for the system can be written. Tank is outside so the only location hazard failure is the tank itself. Random tank failures are negligibly small so tank failure is simply r0 presented by a hazard-lccation failure, TKL. Suction piping failure could be a random flow path failure (pipe or valves), SPR, or failure of the location containing it, Room A, or RMA. Similarly, pump failure is PMPR or RMA. AC power failure could be a random diesel generator failure DGR, a failure of the location containing it, RMB, or a failure of Room C through which the ac power cable runs from the diesel to the pump, RMC, (where random cable failure is neglected). DC power has 2 sources, both of which must fail to fail de power; (BAT .cc RMD) and (CHR + RMD + DCR + RMB + RME); that is, fail the battery or its location and the charger or its location or the diesel or its location (RMB) ce the cable route location, Room E (RME). Only random failure of the discharge flow path (DPR) need be considered cince all its locations withstand speeds exceeding 250 mph (containment failure is expected at 250 mph). 1 l
Then system failure S, is: S = Tank or suction pipe or ac or de or pump or discharge pipe failure. Then, S = TKL + SPR + RMA + pMPR + RMA + DGR + RMB + d RMC + ((BAT + RMD) * (CHR + RED + DGR + RMB + RME)) + DPR This logic expression could, of course, be reduced. The following is a description, and, as required, logic expression d2velopment, for each top event of the three event trees to be quantified, Figures 3-4 through 3-6. The top events are ordered below alphabetically. All acronyms used in the logic expressions are defined in Appendix A. Top Event A This is the initiating event, loss of off-site power, which was discussed at length in Section 6.2.1. Top Event B Event B " Atmospheric Steam Dump Availability", is considered in the cnalysis. In general, power is considered to be available to che atmospheric cteam dump as long as Emergency 480 V Bus 1 or 3 is available and powered from their respective diesel generators and the NRV structure is intact. The cable ge; . etntinuity from the Emergency 480 V ac bus is assured for'all areas from the NRVs back through the Main Control Room and Switchgear Rooms, since it is run through areas constructed of reinforced concrete. The only " soft" area is the Carth Wall of the Safety Injection Building where the cabling from the Emergency 480 V bus exits the building underground to the Turbine Building. Additionally, failure of the Cable Tray House was conservatively assumed to casult in failure of Atmospheric Steam Dump availability even though no ctbling related to these dump valves passes through the Cable Tray House; the reason being that Control Room instrumentation could be severely degraded by
l C:ble Tray Hcuse failure. Without instrumentation, it is unlikely that the operator would open the atmospheric steam dump valves within the five minutes required to prevent a PORV challenge. Based on the above, a logic expression for Event B can be written: B = NRVL + ((ASD12R + DOIR + DGlR + DGIL)
- l (ASD34R + DC3R + SIB + DG3R + DG3L)) +
SIBM + SWGR + KOR + CBLT Note that all acronyms used in logic expressions for this analysis are d: fined in Appendix A. Further detail is provided in Sections 6.4 and 6.5. Top Event C Event C, " Operator Actuation for Atmospheric Steam Dump Within 5 Minutes", is required to prevent a challenge of the PORV. This is an "immediate action" in the loss of of f-site power procedure. Top Event D Event D " Power to PORV Available", is dependent upon both random failure and the hazhed intensity. The PORV is powered from the station battery bus in the Switchgear Room and actuated by the pressurizer pressure instrumentation which is also powered from the station battery bus. Once cetuated, the de power is routed to the PORY via the Main Control Room, Cable Tray House, and'the Vapor Container. The " soft" area here is the Cable Tray House. The failure logic expression for Event D is: D = DClR + SWGR + CBLTPV + MCR As discussed in Section 6.5, failure probability of the PORV power cable through the Cable Tray House (CBLTPV) is conservatively always taken as zero. Note that failure of Event D reduces the chance of a LOCA.
Top Event E This event represents failure of the Power Operated Relief Valve (PORV) to open given a demand and available power. It is a simple component failure. ToD Event F This event represents failure of the PORV to reclose once opened. A 7 tuck open PORV is a LOCA, unless it can be isolated. Top Event G Event G. " Power to PORV Block Valve", considers that, given the PORV has actuated and fails to reclose, the operator attempts to close the PORV block valve. The event asks whether power is available to close the valve, given the operator attempts to close it. The operator has many sources of information available to him to indicate that the PORV has failed to close, cnd with the recent emphasis on PORV failures to close, it can be relatively well assured that the operator will attempt to close the block valve. The PORV block valve, PR-MOV-512, is supplied with emergency 480 V ac power from the Emergency Motor Control Center (EMCC) No.1 in the Switchgear Room. Power is normally supplied to this EMCC from Emergency 480 V ac Bus No.' l. Power is then applied to the PORV block valve via cabling that runs from the Switchgear Room through the Main Control Room and Cable Tray House to the Vapor Container. The weak areas for this path are the SI Building North Wall and the Cable Tray House. Based on the above discussion, the logic expression representing failure of block valve power is: G = DClR + DGlR + DGlL + SIBM + SWGR + MCR + CBLT Top Event H "PORV Block Valve Closes" represents failure of the block valve to close given power and demand. It is simply a random valve failure. A LOCA results if the block valve fails to isolate a stuck open PORV. l Top Event I At least one of the two primary code safety valves opens to relieve cxcessive Main Coolant System (MCS) pressure. This event is only challenged if neither the atmospheric steam dump nor the PORY has opened. Top Event J Primary code safety valve fails to reclose given that it has opened. Top Event K If the atmospheric steam dumps, the PORV and both safety valves fail to cpen, the loop safety valves will be challenged. Top Event K represents fcilure of all four loop safety valves to open. (Any one valve is sufficient to relieve excessive MCS pressure for this event). Top Event L Failure of one or more loop safety valves to reclose if opened would be a non-isolable LOCA. Top Event LA This is the LOCA initiating event. 79 previously discussed, the only LOCA to be reasonably considered for the wind / tornado hazard is.a relief valve LOCA. Event LA is, then, entirely developed by the Relief Valve Challenges Event Tree, Figure 3-5. Top Event LB
" Scram Occurs" represents the failure of the scram system to insert cufficient negative reactivity (via control rods). Scram failure is developed and discussed in great detail in the Yankee Nuclear Power Station Probabilistic Safety Study (YNPS PSS), Reference 3. The " Scram - No cooldown" case from the PSS conservatively represents scram for this analysis.
4 1 Top Event LC i' This event considers the control of positive reactivity insertion which could result from conditions such as excessive cooldown. It is discussed in detail in Section 6.2.2 as well as 3.2.1. Too Event LD 1 This event considers safety injection into the MCS to mitigate the LOCA. Since, for this case, only "small" leakage is possible, any one train (of the three) of the Safety Injection System is considered sufficient as long cs secondary heat removal is also successful (Events LF and LG). Note that safety injection could alternately be provided by the Charging System (all three trains); however, no credit has been taken. Failure of the SI System is represented by the logic expression: 4 SI LOCA = SIPIPE + SIT + SIB + (SIPIR + DGlR + DGlL + DClR + SWGR) * (SIP 2R + DG2R + DG2L + DC2R + SWGR) * ? (SIP 3R + DG3R + DG3L + DC3R) Top Event LE i
" Recirculation" is actually an extension of safety injection where cuction valves are realigned to take water from the containment sump to form a 4 recirculation cooling path. Then by quantifying SI through a long enough period to cover recirculation, the logic expression for the event can be written simply as:
RC = (DGlR + DGlL + RCMOV1) * , (DG3R + DG3L + RCMOV2)
- OERCMOV if credit is taken for remote or local operation of either of the two recirculation valves.
i
Too Event LF "Feedwatee Addition and Control" is discussed and developed under Event i OE, below. LF is a reduced version of OE since credit is taken here for only th3 Safe Shutdown System and Steam-Driven Emergency Boiler Feedwater. Csnservatively, SI, charging and all emergency ac power are assumed to be fully connitted to Main Coolant System makeup. The resulting, reduced logic expression for Event LF is: FWLOCA = (ULPAB + SSSL + SSSR + FWST) * (TK39
- TKIL + PPRM + ABR + SEBFP)
Top Event LG This event examines " Steam Removal and Control" via the atmospheric oteam dump valves or the secondary system's code safety valves. This is discussed further in Section 3.2.5. Top Event LH The availability of " Instrumentation Sufficient to Control" mitigative cystems and monitor plant conditions during a LOCA is considered by this cvent. The instrumentation required during a LOCA is identical to that required for the loss of off-site power case (see Top Event OG) with the cddition of safety injection pressure, flow, and tank level. Note that these cdditio..al parameters do not introduce any locations or important random
~
, fcilures not covered by the very conservative model for Event OG. For quantification purposes, it is reasonable to treat this Event (LH) and Top 8 Event OG as the same event. (See also Sections 6.4 and 6.5). Too Event GA I This top event examines the occurrence of a loss of off-site power cvent. If the hazard intensity is not severe enough to cause a loss of cff-site power, no further analysis is performed. (See Section 6.2.1.) I
~
~_- . .- .. __-_ . . ~_ ._
1 l l Top Event OB ! I l l This top event examines the integrity of the Main Coolant System (MCS). If excessive leakage exists, a transfer to the LOCA event tree l cccurs. Section 6.2.3 explained the development of this top event. ' I2g, Event OC i This top event examines reactivity control. Success is defined as insertion of greater than half of the control rods. It is an equivalent event to LB discussed previously in this section. The reactivity control CSF consists of two major factors as discussed
- in Section 3.0
- 1) insertion of negative reactivity and 2) control of pcsitive reactivity addition. The positive reactivity control is provided by the NCS heat removal CSF; the negative reactivity control is provided by
! insertion of control rods or chemical shutdown.
To provide for control rod insertion (scram), the system must detect I the need for scram and initiate a scram, and the rods must insert. Rod insertion is relatively well ensured since the rods fall in by gravity barring cny binding that may cause a rod to stick. This is accounted for in the scram fcilure probability in the YNPS PSS. The detection of need to scram is provided by a diversity of sources both on the plant electrical system (generator relaying) and primary system (MCP undercurrent /overcurrent flow trip). These signals initiate tripping of relays in the control circuit of the rod control scram breakers, BK-1 and BK-2 from Battery Bus No. 1. The scram breakers' trip coil is then energized by Battery Bus No. 2 to initiate tPe scram. Even a loss of Battery Bus No. 1 initiates opening of the scram Leeakers due to loss of power to the MCP ue/cc cabinet. The detection circuits are located in the Main Control Room and vapor container; the battery buses and scram breakers are located in the Switchgear Ruom. In the unlikely event that the rods fail to insert, chemical shutdown ctn be provided by one diesel generator feeding a 480 V non-IE bus to run a chargina pump and opening the boric acid suction valve remotely from the ! Control Room (powered from MCC 4 via 480 V Bus 5-2) or manually in the Lower d 4 !
Level Primary Auxiliary Building (LL PAB). This analysis takes no credit for chemical shutdown. The wind / tornado effects on scram are negligible in that the Cable Tray House failure should induce a scram signal upon the loss of instrumentation. If a scram signal is not induced by the failure, the diversity of instrumentation will cause a scram signal to be affected. In the evsnt that a scram signal is inhibited, the manual trip is still available to the operstor ct the Main Control Board. Actuation by the operator is assurad since it is a routine, almost reflex action to manually initiate scram on gyert trip. If a b2ttery bus should be failed by the event, scram is assured since loss of de Bus No. 1 or 2 initiates a scram. Top Event OD This top event examines control of " positive reactivity insertion". It is equivalent to LC. Top Event OE This top event examines feedwater addition to the secondary. No credit is taken for direct." feed and bleed" cooling through the MCS. Feedwater addition and control can be provided by any one of the following: o Electric-driven emergency boiler feedwater pump (either of 2) supplying through either the main feedwater header or the blowdown header. o The single steam-driven emergency boiler feedwater pump supplying through the main feedwater header. o All 3 charging pumps supplying through either the main feedwater header or the blowdown header. r o One safety injectior, pump train (of the 3) supplying through the blowdown header, o The Safe Shutdown System supplying through the blowdown header. For any of the above, a total feedwater flow of at least 100 spm is required initially; this model conservatively assumes at least 2 steam generators must be supplied. The following water sources are available to the v rious systems:
!!,3.F. SEBF .CJA)_t $1 SSS TK1 K X TK39 K K X SIT X X FWST X N;te that certain other suction and/or discharge flow paths are available in sorne cases; conservatively, no credit has been taken.
For all of the above, both random equipment failures (pumps, valves, pipe, power, etc.) and " location" failures caused by the hazard were censidered. The following set of logic expressions was used to represent failure to cupply feedwater assuming no off-site power: FW= CHAR *SI*EEBF*SEBF*SSS. CHAR =3CHPP+3DG+3DC+(SIT *TK39)+(CHBLDN*CHMFWH). 3DG=DC1R+DG2R+DG3R+DC1L+DG2L+DG3L. 3DC=DC1R+DC2R+DC3R+SWGR+ SIB. SI=(SI1R+DC1R+DC1L+DC1R+SWGR)*(SI2R+DG2R+DG2L+DC2R+SWGR)* (S13R+DG3R+DG3L+DC3R)+ SIB + SIT +SIBLDN. EEBF=(RBFP1R+DG1R+DG1L+DC1R+24V3R)*(EBFP2R+DG3R+DG3L+DC3R+24V2R+ SIB)+ SIBN+SWGR+LLPAB+(TK1*TK39)+(EBFBLDN*EBFMFWH). SEBF=SEBFP+ABR+(TKl*TK39)+SEEFMFWH. SSS=SSSBLDN+FWST+SSSR+SSSL. CHBLDN=LLPAB+ULPAB. CHMFWH=LLPAB+PPRM. EBFBLDN=LLPAB+ULPAB. SEBFMFWH=PPRM. EBFMFWH=LLPAB+PPRM. SIBLDN=ULPAB. SSSBLDN=ULPAB. TKl=TKIL+ABR. Note that TK1 has two possible location failures, since a certain pipe break in the Auxiliary Boiler Room would result in draining of the tank. Top Event OF This top event examines steam removal through the secondary atmospheric steam dump valves or code safety valves. It is an equivalent event to LG discussed above. Top Event OG This top event examines the availability of instrumentation sufficient to monitor and control plant conditions. The following instrumentation was cxamined:
- 1. Core exit thermocouples
- 2. MCS pressure
- 3. Steam generator pressure
- 4. Steam generator level
- 5. Emergency feedwater flow
- 6. Safety and relief valve flow indicators In order to properly control the parameters of the Main Coolant System heat removal, main coolant pressure control, and reactivity control critical cafety functions, the operator must be able to assess these parameters for tbsolute values and trends. This is provided by instrumentation that is l db i l
1
oltt.c; in the Main Control Room or remote from the Main Control Room which can be either installed or temporary depending upon the remaining cable continuity and power supplies following the event. Instrumentation in the Main Control Room is that " normal" Main Control I Room instrumentation that the operator has immediately available to read in the desired units. Instrumentation remote from the Main Control Room is that instrumentation which provides a redundant means of monitoring the critical parameters in an area such as local safety injection tank level or instrumentation available in, and powered from, the Safe Shutdown System facility. Installed instrumentation is that instrumentation that is already installed and can be read directly in the desired units by the operator. Temporary instrumentation is that instrumentation that is connected following cn extreme event which may or may not read directly in the desired parameter, cuch as safety injection tank level read from a clear hose in inches that must be converted to gallons or core exit thermocouple readings taken by an Instrumentation Technician either in the SSS facility or directly at the containment penetration with a millivolt potentiometer that must be converted to degrees Fahrenheit. The instrumentation considered critical to safe shutdown following an event resulting in a loss of off-site power is: o Pressurizer Wide-Range Level o Main Coolant System or Pressurizer Pressure o Main Coolant Temperature - Wide-Range o Core Exit Temperature o Steam Generator Level o Steam Generator Pressure The instrumentation was modeled and reduced in the SETS computer code, quantified by the QUANTV code and input as a basic event to the loss of off-site power and LOCA event trees. Failure of any one parameter was set to failure of the system. For safety injection instrumentation, the additional instrument did not effect the failure probability significantly. The instrumentation failure expression is: l i l INS =(INSA*SSSI*LCLI)+SGPI. INSA=INSl* INS 2. - INSl= INST 1+CBLT+PWRCHl. f PWRCH1=VBIR+SWGR+((EBSIR+DGlR+DGlL+DCID+SIBM)
*(UPS1R+DClRUN)). I DClRUN=DCBSIR+((BATCGRlR+MCClBSIR+BSS-2R +
EBS3R+DG3R+DG3L+DC3D)*(BAT 1RUN+DClL)). l INS 2= INST 2+CBLT+PWRCH2. , PWRCH2=VBS2R+SWGR+((EBS3R+DG3R+DC3L+DC3D+ SIB +SIBM)* (UPS1R + DC2RUN)) DC2RUN=DCBS2R+((BATCCR2R+MCC2BS2R+BS6-3R+EBS1R+DGlR+DG1L+DCID)* (BAT 2RUN + DC2L)). SSSI=SSSINST+SSSR+SSSL. Note that Cable Tray House fai xx is modeled to fail all normal Main Control Room instrumentation. This approach is considered to be quite conservative since the cabling in the Cable Tray House is laid in
" ladder-type" trays spaced one above the other at approximately 2-foot inte rvals . Since the cables are laid in the trays loosely and the block wall has little velocity when it strikes the cable tray, if is difficult to believe that even half of the cables in any tray would be broken or shorted. It would require an extremely elaborate model to predict what instrument cables have a probability of surviving and, therefore, failure of the concrete block cladding has been assumed to be failure of all cabling passing through the Cable Tray House, except that to the PORV; PORV power is always modeled as available since such a condition increases the likelihood of a LOCA.
6.4 Random Failure Data This section discusses all random failure data used in this analysis to quantify event sequences. The discussion is broken into two parts as follows: o Basic events contained in the logic expressions developed in Section 6.3 are discussed and assigned failure data in Section 6.4.1. o Top events not having logic expressions developed in Section 6.3 (either simple events or events already developed in the YNPS PSS) i are assigned failure data in Section 6.4.2. 6.4.1 Fault Tree Basic Events The icgic expressions developed in Section 6.3 include certain basic cvents to represent failures of plant equipment and operator errors. These b: sic events, which are defined in Appendix A, and their failure probabilities, are listed in Table 6-2. The following paragraphs discuss each cvent and the' basis of its failure probability as used in this analysis. i ASD12R(F): Atmospheric Steam Dump Valve 1 or 2 fails to open. From Table 6-1. NOV failure is 3.0 x 10~ (open failure rate assumed same as closed) so for either of 2 valves (2) x
~
(3.0 x 10~ ) = 6.0 x 10 . ASD34R(F): Atmospheric Steam Dump Valve 3 or 4 fails to open - see ASD12R(F). BATCGRlR: Random failure of Battery Charger Number 1. From YMPS PSS.(Table 7-2), charger failure rate is 1.226 x 10~ per hour for 24 hours = 2.94 x 10~ . BATCGR2R: Random failure of Battery Charger Number 2. See BATCGRlR. BAT 1 RUM: Battery Number One failure to run for 24 hours. It is assumed that, without recharging, or load shedding by the b operator, the batteries will not last for 24 hours. Mg credit is taken for the batteries to run (for any length of time) without charging. .This event's failure probability is set to 1.0 which is very conservative. BAT 2 RUM: Battery Number Two failure to run for 24 hours. See BAT 1RUN. l - . . . . .- ..- - . -. -- - . - - , . _ _ . . _ . _ - - - , .- ..
i i BSS-2R: 480 V Bus 5-2 failure. Using the per hour bus failure l
~
l rate from Table 7-2 of YNPS PSS, 0.37 x 10 hour x 24 hours = 8.88 x 10 . BS6-3R: 480 V Bus 6-3 failure. See BSS-2R. DCBS1R: DC Bus Number One, random failure. Again, using the per hour bus failure rate from YNPS PSS, Table 7-2, for 24 hours yields 8.88 x 10~ . DCBS2R: DC Bus Number Two, random failure. See DCBSIR. DCID: Battery Number One - demand failure. From YNPS PSS, Table 7-2, 3.61 x 10~ . For conservatism use 3.61 x 10~ . DClR: 125 V de Bus Number One fails to supply power for 24 hours given that off-site power is unavailable. From YMPS PSS (Table 7-2) (Reference 3), battery failure is 3.6 x 10 per demand and (4.2 x 10~ per hour x 24 hours) = 1 x 10~ . Note that the logic models take no credit for de power if emergency ac is lost. Also, no cross-tie is credited. Use 3 x 10~ for de bus failure. DC2R: 125 V de Bus Number 2. See DClR. DC3D: Battery Number 3, demand failure. See DCID. DC3R: 125 V de Bus Number 3. See DClR. DGlR: Diesel Generator Number 1 fails to supply emergency ac power for 24 hours. Note that the logic models take no credit for a diesel if its de starting power is not available. From Reference 3. Table 9-1, the probability of failure of one of three diesels to start or continue to run for 4 hours is 5.0 x 10~ , co for one of one 1 l l
~
(5.01 x 10 )/3 = 1.67 x 10~ . Then for 24 hours use l 0.1 which is very conservative. DG2R: Diesel Generator Number 2. Sec DGlR. DG3R: Diesel Generator Number 3. See DG1R. EBFP1R: Electric-driven Emergency Boiler Feedwater Pump Number 1 failure to start or continue to run for 24 hours or flow path related failure. Pump failure to start and run, from Table 7-2 of Reference 3, is 1.25 x 10" + 24 (1.01 x 10~ ) = 1.5 x 10~ . From Table 9-1 of Reference 3, failure of electric and steam EBF is 4.8 x 10~ . So, conservatively use 1 x 10~ . EBFF2R: Electric-driven Emergency Boiler Feedwater Pump Number 2. See EBFPlR. EBS1R: 480 V Emergency Bus Number 1, random failure. As for the other buses discussed above, 8.88 x 10~ . (See BS5-2R). EBS3R: 480 V Emergency Bus Number 3, random failure. See EBSlR. INST 1: This is a " super component" representing the failure of any one of the following instruments which feed instrumentation channel number 1: o Main Coolant System Pressure (1 and 3), or, o Pressurizer Level, or, o Core Exit Temperatures, and Cold Leg Temperature (1 and 3), or o Steam Generator Level (1 or 3) From Table 7-2 of the YNPS PSS, the failure rate per hour for general instrumentation is 2.66_x 10~ or for 2'4 j hours,.6.38 x 10 . Then the failure rate of the above super component for 24 hours is: INST 1 = (6.38 x 10- ) + (6.38 x 10- ) + (6.38 x 10 ) + 2 ('6.38 x 10 ) = 1.9 x 10 INST 2: This " super component" is similar to INSTl except that, for channel 2 instrumentation, only one main coolsnt pressure channel is available and no core exit temperature channel is involved. The result is INST 2 = 4(6.38 x 10- ) + (6.38 x 10" ) = 2.55 x 10~ . r LCLI: Local Instrumentation. The probability of failure of the various local instrumentation channels throughout the plant which could be used in the event of remote instrumentation failure was set to 0.1. This value is not dominated by actual instrumentation failure but by the difficulty in using it due to location and, in some cases, indirect readings (i.e., reading millivolts on a thermocouple and converting to degrees F). MCClBSIR: Random failure of Motor Control Center Number 1, Bus Number 1. Again, random bus failure for a 24-hour period is 8.88 x 10~ . (See BSS-2R). MCC2BS2R: Random failure of Motor Control Center Number 2, Bus Number 2. See MCC1BSIR. OERCMOV: Operator Error - fails to open at least one of two recirculation valves locally given they failed to operate remotely. Use 0.1 which is conservative, especially since for this event, the time period available is relatively long. l
RCMOVl: Motor-operated recirculation valve 1 fails to open remotely given a signal. MOV failure is 3.0 x 10~ per the Relief Valve Data Table. (Table 6-1) RCMOV2: Motor-operated recirculation valve 2. See RCMOV1, above. SEBFP: Steam-driven emergency boiler feed pump falls to deliver feedwater. Use 1 x 10~ which, by engineering judgement and a knowledge of general failure data, is believed to be reasonable and conservative. SGPI: Steam Generator Pressure Instrumentation. From YNPS PSS, Table 7-2, for pressure sensors, the failure rate is 1.043 x 10~ per hour. So, the probability of failure
~#
of a pressure instrument over 24 hours is 2.5 x 10 . This analysis has assumed that feeding two steam generators is successful feedwater addition. Since both generators will behave in a very similar manner, indication of pressure in either of the two is sufficient. Failure of SGPI then requires failure of both of the two pressure indicators on the generators being fed. For conservatism, double the failure rate; then SGPI = 2(2.5 x 10~ ) = 2.5 x 10~ . SIPIPE: Failure of safety injection piping or valves such that sufficient flow paths for SI are not available. From Reference 3, Table 9-1, failure probabilities of the SI System are on the order of 10~ , so using 1.0 x 10~ here for flow paths is conservative since SI pumps are added separately in the logic expressions. SIPIR: Safety Injection Pump 1 random failure, from Reference 3 Table 7-2, SI pump failure to start and run for 24 hours
~
is about 1.5 x 10~ . Use 1 x 10 conservatively. SIP 2R: SI Pump 2 - See SIPIR. r i l SIP 3R: SI Pump 3 - See SIPIR. Note regarding SI: depending on specific plant conditions, injection (to primary or secondary) may be accomplished by HPSI alone, LPSI alone or may require LPSI boosting HPSI. One LPSI pump can boost at least 2 HPSI pumps. The model " safety injection pump" is specifically not designated high or low pressure but is intended to mean whichever pump or combination is required. The very conservative 10~ failure probability covers this situation. SIlR: Random failure of safety injection Train Number 1 to supply sufficient feedwater to the secondary. From Table < 9-2 of Reference 3, this case has a failure probability of 6.14 x 10~ which is very conservative for this analysis since it includes operator error and is based on the assumption that 2 of 3 SI trains are committed to primary injection leaving only 1 available for secondary feeding. Conservatively, use the 6.14 x 10~ . SI2R: SI Train 2 - See SI1R. SI3R: SI Train 3 - See SI1R. SSSI: Safe Shutdown System Instrumentation. The proposed Safe Shutdown System will have one channel of each of the following five indications as a minimum: o Main Coolant System Pressure o Pressurizer Level o Steam Generator Level o Main Coolant Temperature o Core Exit Temperature
1 l Conservatively assuming that failure of any one indication is instrumentation failure, and using 6.38 x 10~ for failure of an instrument for 24 hours (as discussed earlier), then SSSI = 5 (6.38 x 10" ) = 3.15 x 10~ . SSSR: Random failure of the Safe Shutdown System. Since the SSS is not yet fully designed, a complete failure probability determination cannot be made. 1 x 10~ has been assumed and is believed to be somewhat conservative based on information available to date. UPSIR: Random failure of uninterruptible power supply Number 1. , From Table 7-2 of YNPS PSS, for a static inverter, the
~
failure rate per hour is 1.22 x 10 , so for 24 hours = 2.94 x 10~ . UPS2R: Random failure of uninterruptible power supply Number 2. See UPSlR. VBIR: Vital Bus Number One random failure. As discussed several times above, probability of bus failure over
~
24 hours is 8.88 x 10 . VBS2R: Vital Bus Number Two random failure. See VBlR. 24V2R: Random failure of 2400 volt Bus Number 2. Since off-site i power is not available, this bus must be powered by a diesel generator and back fed through the normal 480 V
;. bus; failure probability would be about 5 x 10" .
- However, this bus is connected by bus bar to the station service transformer located outside in the switchyard, l
l There is some chance that hazard-induced damage causes a a short at the station service transformer which fails the 2400 V bus. Conservatively set bus failure probability to 0.5. i 4 4 93_
}
+w - - - . - w,--n -, -~--,-,n, - , . - -.,- _-~,---,,n-
,-n--,a,n ,,,-~n,-,_.,-w,, w---.,--,--,---,, w y,,aym ,w ,----mm e e g e , -,,--,--,,.exe-w
24V3R: 2400 volt bus 3. See 24V2R. 3CHPP: The Charging System supplies feedwater to the secondary (all three pumps required). From Table 9-2 of Reference 3, the failure probability is 8.23 x 10~ which is conservative for this analysis since it includes operator error. Uae 8.23 x 10~ . The failure probabilities developed here for basic events will be used in Section 6.6.2 to quantify event trees using the logic expressions developed
-in Section 6.3 as well as the top event failure data discussed below.
This approach was used in assessing the survivability of systems cvailnble to satisfy each of the critical safety functions modeled in the event trees. Failure to satisfy any one critical safety function results in core melt. 6.4.2 Top Event Failure Data Each top event for which a logic expression was developed in Section 6.3, was provided failure data in Section 6.4.1. This section provides failure data for those top events which were not further developed as fault teses but are basic events. Too Event Failure Data Development for the Relief Valve Challente Event Tree Too Event C. Operator Actuates Atmospheric Steam Dume The probability of failure of this event was set to 0.1 to conservatively account for this proceduralized immediate operator action for any loss of off-site power. 100 Event E. power-Operated Relief Valve Opens As developed in Table 6-1, the probability of a PORV failing to open on demand is 1 x 10~ . 1 Too Event F. Power-Operated Relief Valve Closes l As developed in Table 6-1, the probability of a PORV failing to close en demand is 2 x 10~ . Too Event H. PORY Block Valve Closes As developed in Table 6-1, the probability of a Motor-Operated Valve (NOV) failing to close on demand is 3 x 10" . Top Event I. Pressuriser Code Safety Valve (1 of 2) Opens As developed in Table 6-1, the probability of a code safety valve failing to open on demand is 1 x 10~ . The failure of both valves to open en demand was set to 1 x 10~ conservatively. Too Event J. Pressurizer Code Safety Valve Closes . As developed in Table 6-1, the probability of a code safety valve
-3 failing to close is 2 x 10 ,
Top Event K. Main Coolant System Loop Safety Valve Opens As developed in Table 6-1, the probability of a safety valve failing to cpen on demand is 1 x 10' . Too Event L. Main Coolant System Loop Safety Valve Closes As developed in Table 6-1, the probability of a safety valve failing to
~
close on demand is 2 x 10 . 4 i Too Event Failure Data Development for the LOCA Event Tree 4 Too Event LB. Scram Occurs From the analyses performed in the YMPS PSS, the failure to scram and insert at least 12'of the 24 control rods is completely dominated by the fcilure of the two scram breakers (99.99%). The failure of detectors and irgic circuits provided an insignificant contribution to the failure to scram because of redundancy of the RPS and diversity of signals received upon a loss of off-site power. The failure probability of the system including independent and common mode failures is 1 x 10" . Additionally, as long.as ac power is available, the operator can charge bseic acid to the Main Coolant System to induce sufficient shutdown margin. J.
. The failure probability of one or more charging pumps to provide borated water
~
to the primary for chemical shutdown from the BANT is 2.44 x 10 . Therefore, for the ac power available case, the probability of failure to scram it failure of scram and failure of chemical injection (1 x 10" x
~ ~
2.44 x 10 = 2.44 x 10 ) neglecting operator error However, no credit was taken for chemical injection in this analysis. The probability of failure
~
to scram is 1 x 10 . 2 Too Event LC. Positive Reactivity Control As discussed in Sections 6.3, 6.2.2, and 3.2.1 this event is a negligible contributor to failure of this event tree. Too Event LG. Steam Removal and Control As discussed in Section 6.3 and 3.2.5, this event is a negligible 4 contributor to failure of this event tree. Too Event Failure Data Development for the Loss of Off-Site Power Event Tree
! Too Event OC. Screa Occurs See Top Event LB, above.
i
)
I
-Too Event OD. Positive Reactivity Control See Top Event LC, above.
Too Event OF. Steam Removal and Control !~ See Top Event LG, above. 4 6.5 Location Failure Data From the systema identified for maintenance of critical safety functions, a list of critical locations was developed in Section 3.4. These creas were analyzed to determine ultimate wind and tornado loading capacities in Section 5.0. i' From the models developed for the event trees and fault trees in
-Sactions 3.0 and 6.0, the minimum critical areas were identified. Each of these areas was reviewed in detail to determine the " failure" wind / tornado cpeed. As can be seen from Table 5-1 and 5-2, any given area has a variety of fcilure windspeeds based upon which wall (or the roof) is considered to fail
- the critical equipment in that location.
Each location was reviewed by a team consisting of an Environmental Engineer, Systems Engineer, Structural Engineer, and Risk Assessment !. Engineer. The failure mode of each system for each location was identified end the structural component causing the system failure was identified. The location failure wind / tornado speed was then set to that speed at which the limiting structural component was predicted to fall. In general, this was the 4 lowest windspeed of any structural component in a given location. Exceptions to this rule are identified in the following description. The exceptions generally occurred when there was no system within the area of the limiting j component or a roof failure could not be found to impact a particular system. To determine if equipment could be impacted by a cladding failure, it was l casumed that the clad (block) could only fall in the equivalent of the wall height from its footing. The acronym Table (Appendix A), list includes the cinimum critical areas. 4
-- - . . ., ..,_,.,s.,,,.m_.m,,.. ._.,,_,,,.,--,-_.w.,,-.------.
i ABR - The steam driven emergency boiler feedwater pump and its suction, ! discharge, and steam supply piping are located in the Auxiliary Boiler Room. It was determined that the wind could not impact the interior wall and that otructural failure of the exterior wall could not impact.the pump. Failure of the exterior wall could fault the pump c,uction piping from TK-1 or TK-39; therefore, the limiting structure is the Auxiliary Boiler Room South Wall, TlJ2. Then, using Table 5-2, the ABR fails at 122 mph wind or a 162 mph ternado. CBLT and CBLTPV - The Cable Tray House failure can fail cables entering cnd exiting the vapor container. Structural cladding (block wall) failure can impact the cables and sever or short them. The reviewers recognized that the I cable tray house cladding failure would not sever all the cables, which could result in a more severe event. In particular, the power cable to the j- power-operated relief valve may not fail but the power cable to the PORV block j valve may fail. This damage results in the PORV opening with no ability to l close the PORV block valve if the PORV should fail to close. Because of this potential failure mode Cable Tray House failure was broken into 2 parts: CBLT represents failure of the structure and all cables except power to the PORV; CBLTPV represents failure of the structure and the PORV cable. For any and all cases where the Cable Tray House wind or tornado failure speed is exceeded, CBLT is set to failure; CBLTPV is never failed. This is quite conservative as it assumes the worst case failure of the Cable Tray House. i Since the Cable Tray House wall failure limits the capacity of this location and the roof failure was not predicted to have any significant impact en the cabling within the cable Tray House, wall failure wind / tornado speeds were used in this analysis. Therefore, CBLT is taken as failed for any hazard cbove 69 mph wind and 65 mph tornado (Table 5-2). Since this failure is cxpected to be a major contributor to instrumentation failure and core melt frequency, the Cable Tray House was also analyzed for a backfit design capacity to'the 10" hazard frequency wind / tornado speed (110 mph). This ! backfit design would yield an ultimate capacity of 196 mph wind or 186 mph i tornado.
) -100- )
i
.. . -. . _ _ _ - - _ _ = - - . - -__ . ._. .
I DG1L, DG2L, DG3L - The Diesel Generator location failures were found to l be dominated by wall failure impacting the diesel cooling water supply and ecoling air supply. The Diesel Generator Building West Wall, that is the West Wall of Diesel Generator Cubicle No. 3, D11053, suffers structural cladding. l fcilure of the wall at a much lower windspeed than the building North Wall and therefore limits No. 3 cubicle. The possibility of interior West Wall failure of each successive diesel cubicle was reviewed by the team. It was determined that this failure was not very plausible since the time of passing of the tcrnado or high wind is so short as to not significantly impact the remaining (interior) West Walls. The failing of the building North Wall will cause the came failure mode, loss of cooling, but at a much higher windspeed and impacts oil three diesel generators. The walls are DIV1, DIV2, and DIV3. Then, from T:ble 5-2, hazard-induced location failure of diesel generators 1 and 2 occur ct 172 mph wind or 156 mph tornado; DG3L fails at 91 mph or 65 mph for wind or tornado, respectively. FWST - The fire water storage tank is the sole supply credited for the 03fe Shutdown System. Failure is taken as structural failure of the tank, Which occurs at 190 mph (wind) or 182 mph (tornado). LLPAB - Since the electric driven emergency boiler feed pumps, the electric supply (NCC) for Nos. 1 and 3 charging pumps, the suction piping to olectric E8F and charging, as well as vapor container recirculation valves and piping are located in this common area, it was reviewed for failure mechanisms. It was determined that structural cladding failure of the North Wall, Wall Section PIEl and PIE 2, was the only feasible failure since the South Wall is made of reinforced concrete and is underground; the east and West Walls are bordered by adjacent rooms. Due to equipment locations within the area, failure of the North Wall could only impact the vapor container recirculation line and charging and electric EBF cross connect to main feedwater. All of these lines pass through the upper corner of the North Wall such that wall failure is unlikely to cause damage, especially to the larger (4") recirculation piping. For conservatism, however, LLPAB was included in the failure expressions for both electric emergency boiler feedwater and charging. LLPAB was not included in recirculation, however, as this would have been extremely overconservative. From Table 5-2, the limiting LLPAB wall, PIEl, f ails at 197 or 222 mph for wind or tornado, respectively.
-101-
MCR - Main Control Room failure was included in the model for completeness though it is not predicted to. fail for the spectrum of winds analyzed in this analysis since it is constructed of heavily reinforced etacrete. NRVL - The Non-Return Valve location was modeled since it may impact the excessive cooldown and steam removal events. In reviewing this area the tcam agreed that structural cladding failure may affect remote control of the Ctmospheric steam dump valves and non-return valves due to the possibility of s;vering electrical cables. This was not found to have any significant impact en excessive cooldown or steam removal since turbine throttle valve and etntrol valve closure will protect the plant from excessive cooldown and the ctmospheric steam dump valves can be operated by hand. In the unlikely event that the structural cladding failure inhibits access to the steam dump valves, the steam generator safety valves are assured of operation and result in cuccessful steam removal. The limiting wind / tornado speed (Section 5.0) was d termined from an extrapolated design windspeed for the structure, the ultimate capacity of this location is quite conservative since the limiting c pacity of this structure is obviously static and dynamic loads from main steam piping. The non-return valve platform cladding is conservatively predicted to fall at 135 mph wind or 119 mph tornado. SIBM - The Safety Injection Building North Wall was identified as a potentially critical area in that all cabling to and from the emergency diesel generators passes through the manhole and conduits on this wall. Though it is cxpected that the conduits, due to the vast number of them, would actually protect the wall from structural cladding failure. The cladding (block wall) failure is assumed to fault the cables at wall location DlKl. This wall is taken to fall at 134 mph and 121 mph for wind and tornado, respectively. SIB - The Safety Injection Building has two walls, the South Wall and the West Wall, that could cause damage to Safety Injection System equipment, the No. 3 battery or the fire water tank heater (a potential flooding hazard). A review of the West Wall failure found that though the No. 3 train of safety injection pumps could be damaged, the remainder of the Safety Injection System would not be significantly impaired. Failure of the Safety Injection Building South Wall would fail all the LpSI pumps and the No. 3
-102-
battery resulting in failure of all three trains of SI and failure of Diesel N3. 3 to start on demand. Therefore, failure of the Safety Injection Building w s set to Safety Injection Building South Walk failure at wall sections D121 and D1Z2. From Section 5.0, these walls are expected to fail at 103 mph wind cc a 93 mph tornado. SIT - The Safety Injection Tank provides a water source to the SI System and alternate source to the Charging System. Its failure was taken as structural failure of the tank, which is predicted to occur, for wind and tornados respectively, at 179 mph and 164 aph. SSSL - The Safe Shutdown System Building was analyzed as the system will be installed to the Yankee composite seismic spectrum. The predicted ultimate windspeed capacities of the seismic design Safe Shutdown System are 258 mph for wind and 178 mph for tornados. It is reiterated here that the original intent of this cost benefit analysis was to consider an upgraded SSS design to withstand wind / tornado
~ ~
hazards of 10 and 10 annual frequency. From Section 4.0 it is clear
~
that 10 frequency is dominated by a 110 mph wind (95% confidence level)
~
and 10 frequency is dominated by 165 mph torr. ado (95% confidence level). Since the seismic design has an ultimate capacity of 258/178 mph (wind / tornado), an " upgraded" desian capacity of 110 mph is not reasonable to
~
cvaluate. An upgrade to the 10 ' hazard, 165 mph design, would yield an ultimate capacity over 200 mph. This upgrade is worthy of a cost-benefit analysis. To maximize the potential benefits of such a backfit, the ultimate capacity was set to 250 mph for both wind and tornado. SWGR - The Switchgear Room was recognized as a vital area for switchgear, buses, and de power (Battery Rooms) and was included in the failure model to represent failure of any or all of these components. In the detailed review of fragilities, it was determined that:
-103-
- 1. The Battery Room walls T292 and T2G3 for Battery No. 2 or T2G4 for Battery No. 1 would dominate for wind / tornado capacity.
- 2. The exterior walls of the Switchgear Room would not enter into the model due to the inherent strength and location.
- 3. The Battery Room walls and roof are to be modified for seismic concerns and therefore, would no longer pose a problem once the backfit was complete, and
- 4. The Switchgear Room North Wall and the Battery Room walls are interior to the Turbine Building and even if Turbine Building cladding failure were to occur, they could not be directly impacted by high winds due to imposing turbine / condenser structure, feedwater heaters, and pipe whip / jet impingement plates.
The SWGR term was conservatively set to failure at the Battery Room No.1 Wall failure wind / tornado speed for wall location T2G4 and the DC2R, random failure of de Bus No. 2, was set to 1.0 at the wind / tornado speeds greater than the capacity of wall location T2G3. From Table 5-2, it is clear that, for wind, SWGR failure is expected at 170 mph except for DC2 at 145 mph; for tornados, SWGR f ailure (including DC2) is predicted at 186 mph. TKIL - The domineralized water tank failure location was taken as structural failure of the tank and entered in the model as such. Failure is predicted at 191 aph wind or 161 aph tornado. TK The primary water storage tank f ailure was taken as structural failure of the tank. Section 5.0 predicts failure at 179 and 164 uph for wind and tornado, respectively. ULPAB - The upper level primary Auxiliary Building term was included in the model to account for location failure of the blowdown header either in the upper level PAB or non-radioactive (upper) pipe tunnel. The fragility analysis found that the ULPAB North Wall was dominant for the wind case and
-104-
I i the non-radioactive pipe tunnel was dominant for the tornado case. The model was quantified accordingly. Failure of the ULPAB roof was found to not be ccpable of impacting the blowdown header or connecting piping due to the 1ccation of the header (under the upper pipe tunnel) and imposing piping and ) tanks. The ultimate capacity of the non-radioactive pipe tunnel and ULPAB were determined assuming seismic backfits had already been completed. The c pacities are 165 mph wind or 176 mph tornado. For the remaining locations / critical areas identified in Section 3.4.2 ccch location was considered for location dependencies and the following r:asoning was applied: Ftation Service Transformer Yard - Since no specific data was available cn the failure of the SST support structure the terms 24V2R and 24V3R were set to 0.5 to account for a 50/50 chance that given the yard structure is failed, it fails the 2400 V station service transformer bus to the Switchgear Room. (See Section 6.4.1). Fuel Oil Tank - The fuel oil tank was not modeled since each diesel has its own 264 gallon fuel oil tank (day tank) and, assuming the diesel is running at full load, each diesel burns about 13 gallons per hour of fuel oil yielding a run time of about 20 hours. It is reasonable to assume that within 20 hours the operators could rig a temporary fuel supply or establish a bucket brigade to keep the diesel running, or provide an alternate feed path due to low decay heat levels. Under VC - This area was not modeled since piping is not expected to be directly impacted by the windspeeds of concern in this analysis. Pump Room - This location was not explicitly modeled since the piping cf concern is located at the mezzonine level and is not expected to be impacted by any structural cladding (sheet metal) failure of the Turbine Building due to its own structural integrity (piping) and imposing beams, grits, and gratings.
-105-
- - .- . - - . - - - _ _ _ - _ ~ _ . - . _-
r Upper Level Primary Auxiliary Building West Wall - This area is not cxpected to impact the integrity of the safety injection and emergency fcedwater piping even if it should fail due to the inherent structural integrity of the piping and other imposing piping and structures. Primary Auxiliary Building Cubicle Area - This area was not modeled cince it is constructed of reinforced concrete and will not be impacted by the winds of concern in this analysis . i South Yard - The south yard is covered by the two areas SSSL and FWST. Turbine Building - The Turbine Building is not modeled since it was included to model the failure of the turbine and associated equipment. This j was found to not be a concern since a structural failure in the area of the turbine can be anticipated to cause a turbine trip due to loss of control oil cince the valves are spring driven to close. i Turbine Building West Staircase - This area was not modeled explicitly 1 1 oince failure of this area is not expected to directly impact any system i i credited in this analysis. The main purpose for including this area was to cover operator access for local manual operation of equipment. Since the
; human error probabilities modeled are conservatively high and there are many other ways to exit the Control Room, it was not considered necessary to cxplicitly model this area. This area is of concern for tornado venting j because of AP concerns. This is a conservative concern since the walls of ; concern are inside walls of the Turbine Building. The cost estimate for the s
seismic backfit includes venting of this area. t Vapor Container - The Vapor Container is not included in the logic I model since it is not anticipated to be impacted by any wind / tornado hazard below 250 mph. It is included as a separate input to the core melt and release probability for cost-benefit analysis. (Core melt and containment failure are assumed to occur for hasards exceeding 250 mph). 1 't i
! -106-1 I
6.6 Core Melt Quantification 6.6.1 Mission Time In order to assess the importance of random failures of plant equipment, it is necessary to establish a mission time for use in. calculating equipment unreliability. The mission time selected for calculating system unreliabilities was 24 hours. The bases for the 24-hour mission time are discussed below. Because this analysis is concerned with events involving a loss of cff-site power, the key components include diesel generators. Other power cupply equipment, such as electrical buses and battery charges, are minor centributors to electrical power reliability. As discussed in Section 6.4, diesel generator failure probability was set to a very conservative 0.1. In g:neral, all random failure data used in this analysis is conservative. Furthermore, these component unreliabilities could be conservatively eciculated based on long mission time requirements without significantly effecting the overall results. The initiating event frequency (Section 6.2) is based on off-site power losses of durations less than 1 hour. Losses approaching or exceeding 24 hours are, then, much less likely than the event frequency used in this cnalysis. Also, 29 previously discussed, repair of off-site transmission cquipment to restore power after significant damage could take on the order of c d ay. The flow required to remove decay heat 24 hours after shutdown is about 30 gym either to the core, if a LOCA has occurred, or to the steam generators for non-LOCA situations. This value is substantially lower than a typical plant because of the core size, equivalent to 600 Nwt at full power. If, at the end of one day after shutdown, all makeup systems failed, core uncovery would not occur for at least one-half day unless a LOCA existed. This time period allows for repair of equipment, re-energitation of normal plant
-107-
equipment from off-site power, and use of portable makeup systems available at the plant. Because makeup requirements are so low at 24 hours, less than 30 spm, the success criteria are substantially less stringent than those modeled. This increases the number of plant systems available for success. For cxample, 2 or 3 charging pumps are required for a time period measured in h:urs after trip, whereas 1 charging pump is sufficient after i day. For these reasons, a 24-hour mission time is reasonable for this analysis. In some cases, it is extremely conservative. 6.6.2 Event Tree Quantification In order to support a cost-benefit analysis, the Event Trees must be quantified for four cases: o The " base case", that is the present plant including modifications to be installed for the Yankee Composite Spectrum seismic upgrade. This includes the Safe Shutdown System. o The " Cable Tray House Upgrade", which is the base case plus an upgraded Cable Tray House with a desian windspeed of 110 mph (10- annual frequency). o The "SSS Upgrade", which is the base case but with the new Safe Shutdown System deslaned to withstand a wind / tornado event of
~
10 annual frequency (165 mph). o The " Combined Upgrade" which is the base case plus both the Cable Tray House upgrade and the SSS upgrade. Recall that the original intent of this analysis was to consider SSS
~
upgrades to 10 and 10' windspeeds. The SSS seismic design withstands a 10" wind without upgrade so there is no need to evaluate such a modification. The Cable Tray House case was added by the analysis team for
-108-i
ctnsideration since this area is expected to be an important contributor to tha results of this core melt frequency calculation. Additionally, the following conservatisms are important to understanding the core melt frequency quantification: o The present Cable Tray House is predicted to fail at 69 mph for wind and at 65 mph for tornados. (Diesel No. 3 location also fails at 65 mph tornado). The threshold speeds for loss of off-site power, the initiating event, are over 70 mph (Section 6.2.1). Model quantification will conservatively begin at cable tray failure speeds with off-site power assumed lost. (Note that this does not apply to the case of Cable Tray House Upgrade), o The tank failure speeds for wing used in the quantification are less than those actually predicted as follows: Failure Speed (MPH) n T_3njg Predicted Used SIT 179 163 TK1 191 174 TK39 179 163 Event tree quantification details are discussed below for each of the four ecses. Base Case The event tree quantification was performed in two major parts. LOCA and non-LOCA Which were then summed along with common top events (scram and instrumentation). Both location and random failures must be considered. Won-LOCA This part considers the loss of off-site power event tree (Figure 3-4) where core melt occurrence is represented by the logic expression:
-109-
CM = OA * (OC + OD + OE + OF + OG) Note that Event OB, failure of which leads to LOCA, not core melt, is developed by the relief valve event tree which is discussed below under LOCA. Event OC (scram) and OC (instrumentation) are conunon with LOCA so they till be added separately. Top Events OD (positive reactivity control) and 0F (steam removal) are negligible as discussed in Sections 3.2 and 6.4.2. Then this part of the quantification reduces to: CM = OA
- OE Initiating event frequency for loss of off-site power was discussed in S:ctions 4.0 and 6.2. Event OE has a logic expression developed in Section 6.3 with appropriate data discussed in 6.4 and 6.5.
The OE logic expression was modeled and reduced using the SETS computer code and quantified with the code QUANTV. This was done in several stages to cecount for location failures at various windspeeds. Specifically, the hazard wina, tornado speeds were divided into several ranges with appropriate Ltcations failed in each range. (Based on Section 6.5 data). Then, using the "0MEGA" option in SETS, reduced logic expressions were developed for each hazard range with appropriate locations forced to failure. Each expression was then quantified with QUANTV to account for random failures., The result is o conditional probability of core melt given the occurrence of a hazard within c ch range. From Section 4.0, the frequency of a hazard within that range can be determined. For each hazard speed range, multiplying the conditional core melt probability by the hazard frequency gives the core melt frequency for that range. Summing these products yields the total annual frequency of core melt due to feedwater failure for wind / tornado hazards. The following tables provide the details.
-110-
F;r the wind hazard (95% confidence level): med Interval Point Frequency Interval Core Melt Interval Core ,(MPH) (95% Confidence) Frequency Probability Melt Frequency
'69-91 (3 x 10-2) - (1.8 x 10-3) 2.8 x 10 2 2.91 x 10-7 8.1 x 10-9 91-103 (1.8 x 10-3) - (3 x 10-4) 1.5 x 10-3 2.21 x 10-' 3.3 x 10-9 103-122 (3 x 10-4) - (2.5 x 10-5) 2.8 x 10-4 6.13 x 10-5 1.7 x 10-8 1 122-135 (2.5 x 10-5,, - (2 x 10-6) 2.3 x 10-5 6.12 x 10-3 1,4 x to-7 135-145 (2 x 10-') - (2.5 x 10-7) 1.8 x 10-6 1.00 x 10-2 1,3 x to-8 (2.5 x 10-7) - ( 10-8) 1.5 x 10-7 1.00 x 10-2 < t , $ x 10-9 145-163 160- (< 10-8 ) . <10-8 1,00 <10-8 b fer the wLnd hazard, at the 95% confidence level, the total core melt frequency due to cedwater failure'(non-LOCA) is about 1.9 x 10-7 Fce the wind hazard (50% confidence level):
fpeedInterval Polnt Frequency Interval Core Melt Interval Core (MPH) (50% Confidence) Frequency Probability Melt Frequency 69-91 (1 x 10-2) - (2 x 10-4) 9.8 x 10-3 2.91 x 10-7 2.9 x 10-9 1,3 x 10-4 2.21 x 10-6 4,o x 1o-10 91-103 (2 x 10-4) - (2.5 x 10-5) 103-122 (2.5 x 10-5) - (4 x 10-7) 2.5 x 10-5 6.13 x 10-5 1.5 x 10-9 122-135 (4 x 10-7) - (1 x 10-8) 3.9 x 10-7 6.12 x 10-3 2.4 x 10-9 ( 135-145 (1 x 10-8) - (< 10-8) c 1.00 x 10-2 <1o-10 l 145-163 (< 10-8 ) - (< 10-8) c 1.00 x 10-2 <1o-10 f 163- (< 10-8) - <10-8 1.00 < 1 x 10-8 Then, fer the 50% confidence level wind hasard, the total core melt frequency due to lfeedwater failure (non-LOCA) is less than 10-8 l I
-111-t
F:r the tornado hazard (95% confidento 1 v01): poed Int rval Point Frequency Interval Core Melt Interval Core
- (MPH) (95% Confidence) Frequency Probability Melt Frequency 65-93 (1.7 x 10-4) - (8.5 x 10-5) 8.5 x 10-5 2.21 x 10-6 1.9 x 10-10 93-120 (8.5 x 10-5) - (4 x 10-5) 4.5 x 10-5 6.13 x 10-5 2.8 x 10-9 120-156 (4 x 10-5) - (1.6 x 10-5) 2.4 x 10-5 1.00 x 10-4 2.4 x 10-9 156-162 (1.6 x 10-5) - (1.1 x 10-5) 5.0 x 10-6 1.00 x 10-4 5.0 x 10-10 l
162-176 (1.1 x 10-5) - (7.0 x 10-0) 4.0 x 10-6 1.00 x 10-2 4.0 x 10-8 176- (7.0 x 10-0) - 7.0 x 10-6 1.00 7.0 x 10-6 'he t:tn1 core melt frequency due to (non-LOCA) feedwater failure is 7.0 x 10-4 for the 95% onfidence tornado hasard. I l And for the tornado hazard (50% confidence level): Ipeed Interval Point Frequency Interval Core Melt Interval Core (50% Confidence) Frequency Probability Melt Frequency l(MPH) 65-93 (4.5 x 10-5) - (2 x 10-5) 2.5 x 10-5 2.21 x 10-6 5.5 x 10-11 93-120 (2 x 10-5) _ (y x 10-6) g,3 x 10-5 6.13 x 10-5 g,o x 10-10 l 120-156 (7 x 10-6) - (2.0 x 10-6) 5.0 x 10-6 1.00 x 10 ' 5.0 x 10-10 156-162 (2.0 x 10-6) - (1.7 x 10-6) 3.0 x 10-7 1.00 x 10-4 3.7 x 10-11 ! 162-176 (1.7 x 10-6) - (9.2 x 10-7) 7.8 x 10-7 1.00 x 10-2 y,g x 10-9 ! 176- (9.2 x 10-7) - 9.2 x 10-7 1.00 9.2 x 10-7 Then, ftr the 50% confidence level tornado hasard, the total core melt frequency due to , (non-1.0CA) feedwater failure is 9.3 x 10-7 l l
-112-L
1 l 1 T3 susunarise the non-LOCA feedwater failure part: Core Melt Frequency lipigr1 $ M Magard confidence 95% Hazard Confidence
~ ~
Wind <10 1.9 x 10 i
~ ~
Tornado 9.3 x 10 7.0 x 10 l i r l t
-113-t L.
I Lec_4 The quantification method here is the same as for the non-LOCA case but l the logic model is more involved. As previously discussed, the only LOCA ! which is reasonable to postulate for this analysis is one caused by relief valve failure. The relief valve event tree (Figure 3 'i), an expansion of Event 08, is then the initiating Event LA for the LOCA Event. Tree (Figure 3-6). A boolean logic expression for LOCA leading to core melt is: CM = LA * (LB + LC + LD + LE + LF + LG + LH) Again, scram (LB) and instrumentation (LH) will be added separately; p:sitive reactivity control (LC) and steam removal (LC) are negligible. Logic cxpressions for safety injection (LD) and recirculation (LE) were developed in i Section 6.3 as was a reduced feedwater for LOCA expression (LF). LA can be replaced by an expecssion for the relief valve tree leading to occurrence of a leak. This expression, in reduced form, ist LA = (C + B) * (F * (H + C) + (E + D) * (J + I
- L))
l The top events within this expression were discussed in Sections 6.3 cnd 6.4. I The SETS computer code was used to merge this set of logic expressions, ! then substitute and reduce to one expression which represents the occurrence cf and failure to mitigate a LOCA. (Excluding, of course, scram and instrumentation). The merged logic model can then be quantifLed in the same manner as the non-LOCA logic expression. l
-114-l
l i F:e wind at 95% hazard confidence level: eed Int rval Point Frequency Interval Core Melt Interval Core GMPH) (95% Confidence) Frequency Probability Melt Frequency '69-91 (3 x 10-2) - (1.8 x 10-3) 2.8 x 10-2 7.24 x 10-5 2.0 x 10-6 91-103 (1.8 x 10-3) - (3 x 10-4) 1.5 x 10-3 4.84 x 10-4 7.3 x 10-7 103- (3 x 10-4) - 3.0 x 10-4 2.0 x 10-2 6.0 x 10-6 D t:t:1 annual core melt frequency due to relief valve LOCA due to a wind event (95% hazard 2fidencO) is 8.7 x 10-6, At 50% confidence for wind: poed Int rval Point Frequency Interval Core Melt Interval Core
- (MPH) (50% Confidence) Frequency Probability Melt Frequency 7,1 x 10-7 69-91 (1 x 10-2) - (2 x 10-4) 9.8 x 10-3 7.24 x 10-5 91-103 (2 x 10-4) - (2.5 x 10-5) 1.8 x 10-4 4.84 x 10-4 8.7 x 10-8
! 103- (2.5 x 10-5) - 2.5 x 10-5 2.00 x 10-2 5.0 x 10-7 then, fer the wind hazard, at the 50% confidence level, the total core melt frequency due to %11:fvolveLOCAis1.3x10-6, 1 F:e tornados at 95% hazard confidence, BPeed Interval Point Frequency Interval Core Melt Interval Core (MPH) (95% Confidence) Frequency Probability Melt Frequency 65-93 (1.7 x 10-4) - (8.5 x 10-5) 8.5 x 10-5 4.8 x 10-4 4.1 x 10-8 93- (8.5 x 10-5) - 8.5 x 10-5 2.00 x 10-2 1.7 x 10-6 e the tornado hazard, at the 95% confidence level, the total core melt frequency due to 4re1L:f valve LOCA is 1.7 x 10-6,
-115-
And finally for tornados with a 50% hazard frequency confidence, lpeed Interval Point Frequency Interval Core Melt Interval Core (MPH) (50% Confidence) Frequency Probability Melt Frequency 65-93 (4.5 x 10-5) - (2 x 10-5) 2.5 x 10-5 4.84 x 10-4 1.2 x 10-8 93- (2 x 10-5) - 2.0 x 10-5 2.00 x 10-2 4.0 x 10-7 te the 50% hazard confidence tornado, the total core melt frequency due to relief valve LOCA Le 4.1 x 10-7 r3 summarize the LOCA failure (base case): Core Melt Frequency Hazard 50% Hazard Confidence 95% Hazard Confidence
-6 -6 Wind 1.3 x 10 8.7 x 10
~ ~
Tornado 4.1 x 10 1.7 x 10
-116-
CABLE TRAY HOUSE UPGRADE The ultimate failure speeds of a cable Tray House designed to 110 mph (10~ annual frequency) are predicted to be 196 mph wind and 186 mph tornado. From the hazard curve, Exceedance Frequency Speed 50% 95% MPH Wind Tornado Wind T;enado
~ -6 186 -- 6.5 x 10 -- 5.0 x 10 196 <10~ -- <10~ --
A logic model review indicates clearly that the Cable Tray House does n:t impact non-LOCA feedwater but does affect relief valve LOCA as well as instrumentation. Instrumentation, and the relief valve LOCA are considered below for the upgraded Cable Tray House. For Instrumentation: Conservatively, no credit is taken for batteries if there is no ac p:wer available to charge them. Then instrumentation failure probability is 10
~
with no hazard failures; 10~ when all ac power or the Cable Tray House are lost and 10~ when the Safe Shutdown System is also lost. (See Sections 6.3 through 6.5). For wind events, ac power is lost at 135 mph when the SI Building North Wall (SIBN) fails; the SSS can withstand at least 250 mph wind.
-117-
Fce tornados, lac power fails with the SIBN at 120 mph; the SSS f ails at 78 mph. S3 for wind at 95% confidence level: peed Interval Point Frequency Interval Core Melt Interval Core (95% Confidence) Frequency Probability Melt Frequency (MPH) 69-91 (3 x 10-2) - (1.8 x 10-3) 2.8 x 10-2 10-5 2.8 x 10-7 91-135 (1.8 x 10-3) - (2 x 10-6) 1.8 x 10-3 10-4 1.8 x 10-7 135- (2 x 10-6) - 2.0 x 10-6 10-3 2.0 x 10-9 Fce tornados at the 95% level: Ip;cd Interval Point Frequency Interval Core Melt Interval Core (MPH) (95% Confidence) Frequency Probability Melt Frequency 65-120 (1.7 x 10-4) - (4.0 x 10-5) 1.3 x 10-4 10-4 1.3 x 10-8 120-178 (4.0 x 10-5) - (7.0 x 10-6) 3.3 x 10-5 10-3 3.3 x 10-8 178- (7.0 x 10-6) _ y,o x 10-6 to-1 7,o x 10-7 Then, fcr the combined wind / tornado hazard at the 95% confidence level the total core melt frequincy due to instrumentation failure, is 1.2 x 10-6, if the cable Tray House is upgecded to 110 mph design.
-118-
Now, for wind at the 50% level: ) I teed Intceval Point Frequency Interval Core Melt se. .al Core ; (MPH) (50% Confidence) Frequency Probability Melt Frequency 69-91 (1 x 10-2) - (2 x 10-4) 1.0 x 10-2 10-5 1.0 x 10-7 91-135 (2 x 10-4) - (1 x 10-8) 2.0 x 10-4 10-4 2.0 x 10-8 135- (1 x 10-8) _ 10-8 10-3 1.0 x 10-11 And for tornados at the 50% confidence level: pOcd Interval Point Frequency Interval Core Melt Interval Core (MPH) (50% Confidence) Frequency Probability Melt Frequency 65-120 (4.5 x 10-3) - (7.0 x 10-6) 3.8 x 10-5 10-4 3.8 x 10-9 120-178 (7.0 x 10-6) - (9.2 x 10-7) 6.1 x 10-6 10-3 6.1 x 10-9 178- (9.2 x 10-7) 9.2 x 10-7 10-1 9.2 x 10-8 ten for the combined wind / tornado hazard at the 50% confidence level, the total core melt
'ecqu:ncy due to instrumentation failure, is 2.2 x 10-7, if the Cable Tray House is ipgend:d to 110 mph design.
Far relief valve LOCA with the Cable Tray House 110 mph design modification: At the 95% hazard confidence for wind: Bpstd Interval Point Frequency Interval Core Melt Interval Core (MPH) (95% Confidence) Frequency Probability Melt Frequency 77-91 (1 x 10-2) - (1.8 x 10-3) 8.2 x 10-3 4,49 x 10-5 3.7 x 10-7 91-103 (1.8 x 10-3) - (3 x 10-4) 1.5 x 10-3 4.36 x 10-4 6.5 x 10-7 103-122 (3 x 10-4) - (2.5 x 10-5) 2.8 x 10-4 2,07 x 10-3 5.8 x 10-7 122-135 (2.5 x 10-5) - (2.0 x 10-6) 2.3 x 10-5 2.07 x 10-3 4.8 x 10-8 135- (2.0 x 10-6) - 2.0 x 10-6 2.00 x 10-2 4.0 x 10-8 F:r th3 wind hazard, at the 95% confidence level, the total core melt frequency due to relief valva LOCA excluding instrumentation failure is 1.7 x 10-6, if the Cable Tray House is upgred:d to the 110 mph design.
-119-
I At the 95% confidence level for tornados: peed Intcrval Point Frequency Interval Core Melt Interval Core Frequency Probability Melt Frequency (MPH) (95% Confidence) 70-93 (2.0 x 10-4) - (8.5 x 10-5) 1.2 x 10-4 4.36 x 10-4 5.2 x 10-8 93-120 (8.5 x 10-5) - (4.0 x 10-5) 4.5 x 10-5 2.07 x 10-3 9.3 x 10-8 120- (4.0 x 10-5) - 4.0 x 10-5 2.00 x 10-2 8.0 x 10-7 Ir tha tornado hazard, at the 95% confidence level, the total core melt frequency due to 'elicf volve LOCA, excluding instrumentation failure is 9.5 x 10-7, if the Cable Tray House 3 modified to 110 mph design. At the 50% hazard level for wind: ip;cd Interval Point Frequency Interval Core Melt Interval Core (50% Confidence) Frequency Probability Melt Frequency (MPH) 3.8 x 10-3 4,49 x 10-5 1,7 x 10-7 75-91 (4 x 10-3) - (2.0 x 10-4) 91-103 (2.0 x 10-4) - (2.5 x 10-5) 1.8 x 10-4 4.36 x 10-4 7.8 x 10-d 103-122 (2.5 x 10-5) - (4.0 x 10-7) 2.5 x 10-5 2.07 x 10-3 5.2 x 10-8 122-135 (4 x 10-7) - (1 x 10-8) 3.9 x 10-7 2.07 x 10-3 8.1 x 10-10 135- (1 x 10-8) _ 1 x 10-8 2.00 x 10-2 2.0 x 10-10 7cr tha wind hazard, at the 50% confidence level, the total core melt frequency due to relief valva LOCA, excluding instrumentation failure is 3.0 x 10-7 if the Cable Tray House is upgerd;d to the 110 mph design.
-120-
At the 50% level for tornado: god Intceval Point Frequency Interval Core Melt Interval Core Frequency Probability Melt Frequency (MPH) (50% Confidence) 70-93 (4 x 10-5) - (2 x 10-5) 2.0 x 10-5 4.36 x 10-4 8.7 x 10-9 93-120 (2 x 10-5) _ (7 x 10-6) 1,3 x 10-5 2.07 x 10-3 2.7 x 10-8 7.0 x 10-6 2.00 x 10-2 1,4 x 10-7 120- (7 x 10-6) - gr the tornado hazard, at the 50% confidence level, the total core melt frequency due to blicf v:21ve LOCA, excluding instrumentation failure is 1.8 x 10-7, if the cable Tray house 3 modified to 110 mph design.
.=
-121-i
SSS UPCRADE If the Safe Shutdown System design is upgraded to 165 mph design windspeed (10 ' event), its ultimate failure speeds will exceed 200 mph. In order to maximize benefit of this upgrade (conservative for cost benefit), it is assumed here that the upgraded system will withstand 250 mph. Note that the upgrade must include the Fire Water Storage Tank and the Upper Level primary Auxiliary Building to be effective. This upgrade has no effect on LOCA since for the " base case" plant, the SSS survives a stronger hazard than safety injection. Feedwater and instrumentation are both affected by an improved SSS capacity. FSedwater There is no change below 163 mph wind or 176 mph tornado, since for the
" base case" plant, no damage to any SSS related location occurs below these speeds. Then, for wind 163 to 250 mph melt probability becomes 10~
improving from 1.0; interval core melt frequency (95%) goes from less than 10' to less than 10' . For this case, total core melt frequency remains unchanged at 1.9 x 10" . Applying the same at the 50% level, the total core melt frequency again remains unchanged at less than 10~ . Now consider tornados for feedwater on the 95% confidence level. Above 176 mph the core melt probability changes from 1.0 to 10- so the interval core melt frequency improves to 7.0 x 10~ from 7.0 x 10' . Total core melt frequency due to feedwater failure becomes 1.2 x 10- for the 95% confidence tornado hazard. At the 50% level, interval melt frequency above 176 mph, becomec 9.2 x 10' resulting in a total fcequency of 1.8 x 10' which is an improvement from 9.3 x 10~ . Instrumentation Instrumentation failure probability is not significantly improved by this upgrade such that the value remains unchanged from the base case at 10~ .
-122- .
I
COMBINgD UPCRADs Finally, look at both upgrades together (110 mph Cable Tray House dscign and 165 mph Safe Shutdown System design). Feedwater System results for the SSS upgrade are appropriate for this cese; LOCA results for the Cable Tray House upgrade are also appropriate. Instrumentation for this combined upgrade is an improvement over the Cable tray case since here, for tornados, instrumentation never gets.to 10 . (SSS does not fail below 250 mph). Then, for tornados at the 95% level, interval core melt frequency above 178 mph goes from 7.0 x 10~ to 7.0 x 10 so for the combined wind / tornado hazard, total frequency due to instrumentation improves from 1.2 x 10~ to 5.2 x 10~ . At the 50% confidence level, interval core melt frequency above 178 mph -sces from 9.2 x 10~ to 9.2 x 10 improving the combined wind / tornado total frequency of core melt"due to instrumentation failure from 2.2 x 10~ to 1.3 x 10~ .
-123-
i I Then, to summarize event tree quantification results for each of the four cases, For 95% hazard confidence: Core Melt Frequency Per Year Due To: Instrumentation Non-LOCA Relief Valve LOCA Case Wind + Tornado Wind / Tornado Wind / Tornado B:se 3.0 x 10-5 1.9 x 10-7/7.0 x 10-6 8.7 x 10-6/1.7 x 10-6 C;ble Tray 1.2 x 10-6 1.9 x 10-7/7.0 x 10-6 1.7 x 10-6/9.5 x 10-7 House Upgrade SSS 3.0 x 10-5 1.9 x 10-7/1.2 x 10-7 8.7 x 10-6/1.7 x 10-6 Upgrade Combined 5.2 x 10-7 1.9 x 10-7/1.2 x 10-7 ' 1.7 x 10-6/9.5 x 10-7 Upgrade For the 50% Hazard Confidence: Core Melt Frequency Per Year Due to: Instrumentation Non-LOCA Relief Valve LOCA Case Wind + Tornado Wind / Tornado Wind / Tornado Base 1.0 x 10-5 < 10-8/9.3 x 10-7 1.3 x 10-6/4,1 x 10-7 Cable Tray 2.2 x 10-7 < 10- 8/9.3 x 10-7 3.0 x 10-7/1.8 x 10-7 House Upgrade SSS 1.0 x 10-5 <1o-8/1.8 x 10-8 1.3 x 10-6/4.1 x 10-7 Upgrade Combined 1.3 x 10-7 <10-8/1.8 x 10-8 3.0 x 10-7/1.8 x 10-7 Upgrade The next section combines the above information to deterinine total core melt frequency.
-124-
6.6.3 Oy_erall Results l The total annual core melt frequency due to the wind / tornado hazard is d;termined by simply adding the Event Tree results to the scram and in2trumentation failure frequency. Scram, from Section 6.4.2 has a failure probability of 1.0 x 10~ l which is constant over the hazard speed range and LOCA/non-LOCA events. The
-2 dominate event threshold frequencies are .for wind, being 3 x 10 and 1 x 10~ for 50% and 95% confidence levels, respectively. Then, core melt
~
frequency due to scram failure is 3 x 10~ (95%) or 1 x 10 (50%). Note that it is conservatively assumed that scram failure leads to core melt. l Instrumentation is as discussed in Sections 6.3 (base case) and 6.6.2 (upgrade cases). Overall results are summed as follows: For the base case and 95% hazard confidence: Non-LOCA feedwater - wind 1.9 x 10~
- tornado 7.0 x 10~
Relief Valve LOCA - wind 8.7 x 10~
- tornado 1.7 x 10~
Scram 3.0 x 10~ Instrumentation 3.0 x 10~ Total annual core melt frequency 4.8 x 10~ where instrumentation is clearly the major contributor here being 62.5% of the total. Recall that Cable Tray house failure is the major contributor to instrumentation failure probability.
-125- l l
For the base case and 50% hazard confidence:
~
Non-LOCA feedwater - wind <10 tornado 9.3 x 10-Relief Valve LOCA - wind 1.3 x 10~
- tornado 4.1 x 10" Scram 1.0 x 10" Instrumentation 1.0 x 10-Total annual core melt frequency 1.3 x 10-where instrumentation contributes 77% at the 50% hazard confidence.
If the Cable Tray House is upgraded to 110 mph design, the overall results improve as follows. For 95% haz'ard' confidence: Non-LOCA feedwater - wind 1.9 x 10~
- tornado 7.0 x 10~
Relief Valve LOCA - wind 1.7 x 10~ tornado 9.5 x 10' Scram 3.0 x 10' Instrumentation 1.2 x 10~ Total annual core melt frequency 1.1 x 10-Instrumentation contributes only about 11% here with the main contributor being non-LOCA feedwater for the tornado hazard (64%).
-126-
Considering the Cable Tray House upgrade at 50% hazard confidence level: Non-LOCA feedwater - wind <10~ tornado 9.3 x 10~ Relief Valve LOCA - wind 3.0 x 10~ ;
- tornado 1.8 x 10~
l Scram 1.0 x 10-Instrumentation 2.2 x 10-Total annual core melt frequency 1.7 x 10~
- Instrumentation is about 13% of this total with non-LOCA feedwater for the tornado hazard being almost 55%.
L For the case of the Safe Shutdown System upgrade (95% hazard J ccnfidenco): Non-LOCA feedwater - wind 1.9 x 10~
- tornado 1.2 x 10~
Relief Valve LOCA - wind 8.7 x 10~
- tornado 1.7 x 10~
Scram 3.0 x 10~ Instrumentation 3.0 x 10~ Total annual core melt frequency 4.1 x 10~ For the 50% hazard confidence with the Safe Shutdown System designed to 165 mph hazard:
~
Non-LOCA feedwater - wind <10
- tornado 1.8 x 10~
Relief Valve LOCA - wind 1.3 x 10~
- tornado 4.1 x 10~
~
Scram 1.0 x 10 1.0 x 10 Jnsttumentatior _ Total annual core melt frequency 1.2 x 10
-127- -_ I
Finally, consider the combined modification case: For the 95% hazard confidence case,
~
Non-LOCA feedwater - wind 1.9 x 10 tornado 1.2 x 10~
~
Relief Valve LOCA - wind 1.7 x 10 tornado 9.5 x 10~ Scram 3.0 x 10~ Ynstrumentation 5.2 x 10~ Total annual core melt frequency 3.8 x 10~ And for the 50% confidence combined upgrade: Non-LOCA feedwater - wind <10~ tornado 1.8 x 10~ Relief Valve LOCA - wind 3.0 x 10~
- tornado 1.8 x 10~
Scram 1.0 x 10~ Instrumentation 1.3 x 10~ Total annual core melt frequency 7.3 x 10~ To summarize the overall core melt frequency results: Total Core Melt Frequency Due to Wind / Tornado Case 95% Confidence 50% confidence
~
Base Case 4.8 x 10 ' 1.3 x 10~
~
Cable Tray House Upgrade 1.1 x 10~ 1.7 x 10
~
SSS Upgrade 4.1 x 10 ' 1.2 x 10~ Combined Upgrade 3.8 x 10~ 7.3 x 10~
-128-
To put the potential modifications in some perspective, the following ' table presents each, in tenns of reduction in core melt frequency (at the 95% confidence level). Improvement Melt Frequency Annual Core From Plant Proposed Reduced Melt Frequency Condition UpReade From T J Reduction Base Case Cable Tray 4.8 x 10-5 1,1 x 10-5 3.7 x 10-5 Base Case SSS 4.8 x 10-5 4,1 x 10-5 0.7 x 10-5 Base Case Combined 4.8 x 10-5 3.8 x 10-6 4.4 x 10-5 Cable Tray SSS* 1.1 x 10-5 3.8 x 10-6 0.7 x 10-5
*This case considers installation of the 10-5 SSS upgrade given that the 110 mph design Cable Tray House has been installed. The result, of course, is the combined upgrade.
The combined upgrade, of course, yields the maximum reduction in annual core melt frequency. It is important to note that 84% of this reduction can be accomplished by the Cable Tray House upgrade alone. Core melt frequency alone is not necessarily a good indicator of plant risk and, therefore, cannot reliably indicate modification benefit. Further, any potential benefit must be weighed against its costs if an upgrade justification is to be valid. Section 9.0 provides further case comparison from a cost-benetit perspective. 6.7 Release Frequency Section 6.6 determined annual core melt frequency for hazards up to 250 mph. The annual, release frequency for hazards up to 250 mph is the product of: o Core melt frequency, i o Vessel failure probability given core melt, and o Containment failure probability given core melt and vessel failure.
-129-l
The probability of reactor vessel failure given core melt will, conservatively be taken as 1.0. Containment failure frequency given core melt and vessel failure was determined by the YNPS PSS. From Page 13-46 of that document: 5.27 x 10- "best estimate" (taken here as 50% confidence) 2.15 x 10- " baseline" (taken here as 95% confidence) For hazard events greater than 250 mph, containment failure is expected and core melt is assumed. The frequency of release above 250 mph is simply taken as the hazard frequency at 250 mph. At this high speed, wind event frequency is negligible. Tornado frequency at 250 mph is 6 x 10- at 50% confidence and 4 x 10- at 95% hazard confidence. Resulting annual release frequencies are as follows: Release Frequency Total Annual
< 250 MPH Release Frequency case 95% Confidence 50% confidence 95% Confidence 50% Confidence Base Case 1.03 x 10-5 6.85 x 10-7 1.07 x 10-5 7.45 x 10-7 Cable Tray 2.37 x 10-6 8.96 x 10-8 2.77 x 10-6 1.50 x 10-7 House Upgrade SSS Upgrade 8.82 x 10-6 6'.32 x 10-7 9.22 x 10-6 6.92 x 10-7 Combined 8.17 x 10-7 3.85 x 10-8 1.22 x 10-6 9.85 x 10-8 Upgrade The consequences of a release are discussed in the next section. Section 8 combines the above release frequencies with the release consequences in order to assess plant risk.
l
-130-
i I TABLE 6-1 Data to Assess Relief Valve Challente Induced LOCA Event Mean Value Reference PORY FT0 3.75-3 YNPS PSS 4.27-3 SB PSA 3.0-4 IREP PG 1.0-3
- PORY FTC 1.25-2 YNPS PSS 2.50-2 SB PSA 2.0-2 IREP PG 2.0-2
- Snfety Valve FTO 4.6-5 YNPS PSS 3.3-4 SB PSA 1.0-5 IREP PG 1.0-4
- S;fety Valve FTC 4.6-4 YNPS PSS 2.9-3 SB PSA
- 1. 0~- 2 IREP PG 2.0-3
- MOV FTC 1.25-3 YNPS PSS 4.30-3 SB PSA 3.0-3 IREP PG 3.0-3
- Legend FTO = Fails to Open FTC = Fails to Close YNPS PSS = Yankee Nuclear Power Station Probabilistic Safety Study SB PSA = Seabrook Station Probabilistic Safety Assessment IREP PG = Interim Reliability Evaluation Program Procedures Guide (NUREG/CR-2728)
* = Value used in'this study
-131-
TABLE 6-2 Loric Expression Basic Events Event Failure Probability ASD12RF 6.00 x 10-3 ASD34RF 6.00 x 10-3 BATCGR1R 2.94 x 10-4 BATCGR3R 2.94 x 10-4 BAT 1RUN 1.0 BAT 2RUN 1.0 BSS-2R 8.88 x 10-6 BS6-3R 8.88 x 10-6 DCESIR 8.88 x 10-6 DCBS2R 8.88 x 10-6 DCID 3.61 x 10-3 DC1R 3.00 x 10-3 I l DC2R 3.00 x 10-3 l f DC3D 3.61 x 10-3 ! DC3R 3.00 x 10-3 I DG1R 0.1 i l DC2R 0.1 i DG3R 0.1 EBFPIR 1.0 x 10-2 i i TBFP2R 1.0 x 10-2 l EBS1R 8.88 x 10-6 EBS3R 8.88 x 10-6 INST 1 1.9 x 10-4
-132-
TABLE 6-2 (continued) Logic Expression Basic Events Event Failure Probability INST 2 2.55 x 10-4 LCLI 0.1 MCC1BSIR 8.88 x 10-6 MCC2BS2R 8.88 x 10-6 OERCMOV 0.1 RC110V1 3.0 x 10-3 RCMOV2 3.0 x 10-3 SEBFP 1.0 x 10-2 SGP1 2.5 x 10-7 SIPIPE 1.0 x 10-3 SIPIR 1.0 x 10-2 SIP 2R 1.0 x 10-2 SIP 3R 1.0 x 10-2 SSSI 3.15 x 10-4 SSSR 1.0 x 10-2 UPS1R 2.94 x 10-4 UPS2R 2.94 x 10-4 VBIR 8.88 x 10-6 VBS2R 8.88 x 10-6 24V2R 0.5 24V3R 0.5 3CHPP 8.23 x 10-2
-133- . . . . 1
jl l li' T
) ,
S 9 '
\ W
' F 3 T c . I T . S E (O - - m_ W 5" u g 62 ER$
- R YR
~ BELE u
- CE N > AW OE u V u E
O - G P LL u u O ON) R E C u~ u x u G
.M iF E I u
u O m o p' . N IE
- )
[ L GL : Q D D RIC : AB HU : , RL o4r . CC : BEE Eg . PV APE _ - i' P UL YR j C N E T E A C V G R W D
' E E ME E F MPM
' RUO
/ f-
/" O
/ - - FM A l
/TE
\
AT S
~ -
x ,^$ AP
~
~
~
g C4' IJP M R L T A
~ a
~
~ ' _
[ [ G N I[
's - > ; ) )
C Ah
> Mp M O O -
/
N O -
- 1 E H -
[ L \v k i Y R P g D y EG O T A r1 N X L 8A k I P L [P E Bi DPM RI L MO D X-I O $'MT k _ B NPUS - N UUUC _ . TBPR X U u -" A S8s [
.(%*' y5$
.C*' -
- 1 I ll .
'7.0 CONSgOUENCE ASSESSMENT In order to assess the consequences of a release following core melt the characteristics of the release (i.e., its energy and fission product inventory) as well as the plant site characteristics (i.e., weather, population) must be considered. Both aspects have been investigated at length in the YNPS PSS (Reference 3). Sections 7.7.1 and 7.7.2 briefly discuss the various release types and their applicability to this analysis, respectively.
Section 7.7.3 discusses consequence results on a per release basis. 7.7.1 YNPS PSS Release Cateaory Discussion An event tree was developed to logically represent the physical processes associated with core melt and containment of radionuclides, which incorporated pertinent design features for YNPS. Using MARCH and CORCON-MODI computer c6 des, and by manually calculating the process of particle-bed cooling and reactor cavity response, frequencies and timing of releases of radionuclides from the core to within the vapor container were determined. Then, failure modes for containment failures and their frequencies were determined. Further analysis using the CORRAL-2 code established the behavior of radiontelides that escape the vapor container. Core melt sequences were divided into six types, depending on containment response. These six types are listed below:
- 1. Large LOCA, in which the reactor vesse; pressure is low at the onset of core melt.
- 2. LOCAs and transients, in which the reactor vessel pressure is high at the onset of core melt and where there is some means for injecting water into the lower plenum.
- 3. TMLB' and ATWS sequences for which there is no means for injecting water into the lower plenum or when the power level is high enough that any water which is available is not effective in cooling the core debris in the lower plenum.
-135-2
Steam generator tube ruptures (SGTRs) in which the primary system
~
4. is not isolated from the affected steam generator.
- 5. Non-isolable LOCAs outside the vapor container.
- 6. Reactor vessel ruptures.
Each group was handled differently when quantifying the release frequencies. Based on MARCH and CORRAL-2-EI results, six release categories were identified that cover the spectrum of release magnitudes and timings possible from severe accident sequences. A discussion of these release categories follows: o Release Categories 1 (RCl) and 1A (RCIA) cover core melt accidents in which the primary vessel lower head fails, molten core mixes violently with the water in the neutron shield tank (a steam explosion is assumed to occur), and major structural failure of the containment occurs, resulting in a rapid release of radioactivity into the environment. RCl covers all of the accidents in which this type of failure occurs two hours or later into the accident. RCIA covers accidents in which the failure occurs approximately one hour into the accident. A high rate of energy release from the containment would be expected for these categories. Also, after the structural failure of the containment, any additional fission product release from the core would be released directly into the atmosphere. RC1 and RCIA result in the highest release fractions of all six categories because of the short time period between core melt and containment rupture, and because of the manner of containment rupture. RCl corresponds roughly with WASH-1400's PWR1 release category. Both involve an early energetic containment rupture and both involve an additional oxidation (or steam explosion) release component. However, the PWR1 category involves a postulated
-136-
catastrophic steam explosion within the primary system, while for l the YNPS such an explosion within the primary system is not considered to be possible. The RCl category containment failure results from a possible steam explosion once the reactor vessel head has failed and the molten core mixes with the water contained in the neutron shield tank. o Release Cateaory 2 (RC2) covers core melt accidents in which containment failure occurs soon after the reactor vessel head fails. This category covers the containment failure modes of early overpressurization and early hydrogen-burn-induced overpressurization. RC2 corresponds most closely to the PWR2 category in WASH-1400 Reactor Safety Study (RSS). o Release Cateaory 3 (RC3) includes three distinct containment failure modes. The first is overpressurization due to hydrogen combustion failure. This failure mode is assumed to occur an hour or more af ter primary head f ailure and is distinct from the overpressurization f ailure immediately af ter head failure which is included in RC2. The second type of containment failure mode is failure of the reactor cavity concrete after only partial melt-through has occurred. (It is assumed that the containment shell fails immediately after the cavity fails.) Finally, the large leakage core melt accidents are also included in this release category. Examination of the containment failure modes for RC3 indicates that the hydrogen burn failure is clearly dominant. Therefore, the release characteristics for this category are assumed to be those associated with hydrogen-burn-induced 1 overpressurization. Release Category 3 does not correspona directly with any of the RSS release categories, o Release Cateaory 4 (RCA) represents core melt accidents in which containment f ailure is not expected to occur until the containment floor has almost entirely melted through. In such cases, the
-137-
failure would not occur until nany hours af ter the core has melted. The energy release would be much lower than those for RC1, RC2, and RC3. Release Category 4 does not correspond directly to any WASH-1400 categories. The reason for this is that melt-through-induced containment failure at the YNPS results in release directly into the atmosphere because of the elevated containment sphere. Nelt-through failures for the Surry plant analyzed in WASH-1400 result in release to the ground, where significant fission product retention would occur. o Release Cateaory 5 (RCS) represents accident sequences in which core melt occurs, but where containment integrity is preserved. Release occurs due to normal allowable leakage from the containment. The release fractions for RCS are much smaller than those for any of the other release categories. The philosophy followed in the YNPS PSS to predict fission product release was to use the Reactor Safety Study (RSS) methodology and then to cdjust the results in order to conduct a probability of frequency evaluation. An overview of the methodology is described below. Fission products' transport and deposition within the containment and their release to the atmosphere were predicted with the CORRAL-2 computer code. Results of these predictiors were used to group the various accident sequences and containment failure nodes into representative release categories based on release amounts, time and duration of releases, and release energies. At this point, the release results were adjusted to account for conservatisms which lie mainly in the core source terms for the various fission product species. The representative release categories were input to the CRAC2 computer code to determine consequences. (CORRAL-2 direct output represents an upper-bound result, called 95% confidence level. The median estimate was based on CORRAL-2 results reduced by approximately a factor of 3, and the lower bound called 5% confidence level, was based on CORRAL-2 results reduced by a factor of approximately 9.)
-138-
Characteristics of the release categories are provided in Tables 7-1 cnd 7-2. 7.'7.2 Use of the YWPS PSS Release Catemory Information Section 10.9 of Reference 3 discusses the grouping of taleases due to v rious core melt event sequences into appropriate release categories. As shown in Section 10.9, for each initiating event type, the total annual rolease frequency can be divided into release categories by percent of total rolease. For all the initiating events of interest in this analysis, for h: ard intensities up to 250 MPH the annual release frequency breaks down as follows (from table 13-6 of Reference 3): o RC1 15.2% o RC2 17.1% o RC3 60.5% o RC4 7.2% Nste that RCS, containment leakage, is assumed to always be present in cddition to the above. For events involving hazard intensities above 250 MPH, direct ecntainment failure and early core melt are assumed. Release category RCIA is censidered appropriate for this case. These release category distributions are used to calculate release consequences and evaluate risk. 7.7.3 Results In the YNPS PSS, consequences of the various release categories were analyzed using the computer code CRAC2. Site-specific parameters - meteorology, topography, and evacuation - were used to produce the plant risk profile.
-139-
CRAC2 output was examined and individual, societal, and person-rem risk levels were determined for each release category assuming the following cvacuation assumptions:
- 1. No evacuation during or following a hurricane. Sheltering was assumed.
- 2. For tornados, a 3-hour delay followed by evacuation at 10 mph was
-used.
The bases for these assumptions are provided below. The conditional per release values for each of these risk indices are provided in Table 7-3. In the hurricane situation, people are assumed to take shelter in the building structure. The hurricane could last for 5 to 10 hours, including 3 to 6 hours of intensive activity, and could affect the entire emergency planning zone. Heavy rain and high wind could cause flooding and road damage end thus preclude evacuation. In the tornado situation, people are assumed to evacuate with a speed cf 10 mph and a delay time of 3 hours. A tornado affects a small area and lasts for a short time. However, the accompanying thunderstorm could cause some delay to the evacuation. The difference in acute fatality risk is caused by the difference in evacuation assumptions. However, latent cancer fatality and population dose cre insensitive with respect to the evacuation assumption and thus remain the same. Based on the conditional frequencies assigned to each release category in Section 7.7.2, the following averages for each risk index (per release) were developed from the CRAC2 results in Table 7-3. l
-140-
Containment Integrity Not Impacted by Hazard Societal Individual Latent Cancer Event Acute Per Person Person-Rem Tsenado 4.7x10-5 2.4x10-5 6.6x105 Hurricane 6.0x10-4 2.4x10-5 6.6x105 Containment Integrity Impacted by Hazard Societal Individual Latent Cancer Event Acute Per Person Person-Rom i Tcrnado 6.0x10-4 5.5x10-5 1.3x106 Hurricane 2.5x10-3 5.5x10-5 1.3x106 To conservatively envelope individual acute fatality risk estimates (Section 8), the hurricane values will be used for hazard intensities not impacting containment integrity. Note that this could result in a factor of 4 to 13 conservatism for sequences in which tornado-induced damage dominates. For hazard intensities impacting containmer.t integrity (> 250 mph), tornado values will be used since the frequency of high wind / hurricane type events - cxceeding 250 mph is much less than tornado events greater than 250 mph.
-141-
TABLE 7-1 Associated Release Category Parameters Required for consequence Calculations Time of Duration Elevation Energy Evacuation 2 R0 lease Release of Release of Release Rglease Warning Time Category (hr) (hr) (m) (10 Btu /hr) (hr) kC1 2.0 0.5 0.0 80.0 2.0 RCIA 1.0 0.5 0.0 80.0 1.0 RC2 1.0 0.5 0.0 80.0 1.0 RC3 2.5 0.5 0.0 60.0 2.5 RC4 50.0 3.0 0.0 0.2 50.0 RCS 1.0 10.0 0.0 0.0005 1.0 l l 1 Time from initiation of accident to start of significant release. 2 Time from point at which it is known that significant release might occur to the start of significant release, t
-142-
TABLE 7-2 4 I I Release Fractions - 5% Bound. 50% Confidence Level and 95% Bound 2 2 3 2 3 Ru La I*I *** 1 2 2 Cs-Rb Te Ba-Sr Category Kr-Ie OI I 2 i 0.77 0.17 0.44 0.012 0.99 0.0070 0.73 0.67 0.008 I RC1 95% 0.22 0.51 0.06 0.15 and 50% 0.99 0.0023 0.24 0.04 0.002 ; 0.0007 0.07 0.07 0.15 0.02 RCIA 5% 0.99 0.37 0.14 0.0032 95% 0.96 0.0068 0.62 0.49 0.0021 l RC2 0.0023 0.21 0.16 0.25 0.05 0.96 l 50% 0.07 0.01 0.004 0.0006 ! 5% 0.96 0.0007 0.06 0.05 0.14 0.18 0.033 0.0030 t RC3 95% 1.00 0.0070 0.15 0.0020 l 0.0023 0.05 0.05 0.12 0.011 50% 1.00 0.003 0.003 0.0006 1.00 0.0007 0.02 0.01 0.04 i 5% 0.0098 4.0(10)-4 4.0(10)-4 1.0(10)-4 5.3(10)-4 RC4 95% 1.00 0.0070 3.5(10)-6 50% 1.00 0.0023 0.0033 1.3(10)-4 2.7(10)-4 0.3(10)-4 0.0010 0.4(10)-4 0.8(10)-4 0.1(10)-4 0.6(10)-5 1.1(10)-6 5% 1.00 0.0007 f 2.8(10)-6 l 95% 0.02 0.00010 3.4x10-4 2.1(10)-4 2.2(10)-4 5.6(10)-5 l RC5 0.00003 1.1x10-4 0.7(10)-4 1.4(10)-4 3.7(10)-5 1.9(10)-6 50% 0.02 0.3(10)-5 0.6(10)-6 l i' 5% 0.02 0.00001 0.3x10-4 0.2(10)-4 0.4(10)-4 0.6(10)-5 i 1 No reduction from the base case (95% bound) is assumed. 1 2 2 Factor of 3 reduction from base case (95% bound) for 50% confidence level, and a factor of 10 from base case for 5% i l I bound. Note - For Ru group, these reductions apply only to RC1 and RCIA. 3 Factor of 1.5 reduction from base case (95% bound) for 50% confidence level, and a factor of 5 from base case for 5% l bound. Note - For Ru group, these reductions apply only to RC2, RC3, RC4, and RC5. I
- 1
-143-i l _ _
TABLE 7-3 Expected Conditional Individual. Societal and Person-Rem Risk Level Values Per Release Acute Fatality Risk Latent Cancer Per Person Within Fatality Risk Person-Rem R31 ease 1 Mile of the Plant per Person Within ! Catemory Hurricane Tornado Within 50 Miles 50 Miles l l l RC1 2.4x10-3 3.1x10-4 5.4x10-5 1.3x106 RCIA 2.5x10-3 6.0x10-4 5.5x10-5 1.3x106 dC2 1.4x10-3 0.0 3.3x10-5 1.0x106 RC3 0.0 0.0 1.6x10-5 4.8x105 RC4 0.0 0.0 1.0x10-7 3.0x103 RCS 0.0 0.0 4.2x10-8 1.3x103 i l Latent cancer fatality and whole body dose are insensitive to the evacuation cssumptions. I
-144-
8.0 RISK ASSESSMENT The results of the analysis performed in Sections 6.7 and 7.3 can be ccabined to develop quantitative estimates of individual, societal, and p;rson-rem risk levels. Table 8-4 provides the results of this evaluation for c ch of the plant configurations evaluated for the spectrum of wind events from 0 to infinity. The following tables develop the Individual Acute Fatality Risk, S:cietal Latent Cancer Yatality Risk per person and Person-Rem Exposure from d;ts developed in Section 6.0 and 7.0 for each plant configuration considered es Tables 8-1, 8-2, and 8-3, respectively. Table 8-5 provides a comparison of the NRC preliminary safety goals (Reference 1) to risks resulting from each plant configuration analyzed. Note that the " Base Case" results in individual and societal risk levels less than those discussed in Reference 1.
-145-
TABLE 8-1 Individual Acute Fatality Risk Dev.41opment Core Core Total Melt Individual Individual Melt Individual Individual Individual and Acute Acute and Acute Acute Acute Release Fatality Fatality Release Fatality Fatalit Fatalit Case Frequency (yr-1) Risk Risk (yr-1) Frequency (yr-1) Risk Risk (yr-{) Risk (yr- ) Description <250 MPH <250 MPH <250 MPH >250 MPH >250 MPH > 250 M*H Base Case 50 6.85-7 6.0-4 4.11-10 6.0-8 6.0-4 3.6-11 4.47-10 95 1.03-5 6.0-4 6.2-9 4.0-7 6.0-4 2.4-10 6.42-9 C ble Tray 50 8.96-8 6.0-4 5.38-11 6.0-8 6.0-4 3.6-11 8.98-11 House 95 2.37-6 6.0-4 1.42-9 4.0-7 6.0-4 2.4-10 1.66-9
' Upgrade SSS 50 6.32-7 6.0-4 3.8-10 6.0-8 6.0-4 3.6-11 4.15-10 Upgrade 95 8.82-6 6.0-4 5.3-9 4.0-7 6.0-4 2.4-10 5.53-9 Combined 50 3.85-8 6.0-4 2.31-11 6.0-8 6.0-4 3.6-11 5.91-11 Upgrade 95 8.17-7 6.0-4 4.9-10 4.0-7 6.0-4 2.4-10 7.3-10 l
-146-
J TABLS 8-2 1 1 Societal Latent Cancer _ Fatality Risk Develomment Per Person Conditional Total Conditional Societal ) Societal Societal core Societal Societal Core Latent Latent latent Latent Melt Melt Latent and Cancer Cancer Cancer and Cancer Cancer Fatality Fatality Fatality Release istall&f Release Fatality Frequency (yr-1) Risk Risk (yr-1) Risk (yr-1) Case Frequency (yr-1) Risk Risk (yr-1) l > 250 MPH >250 MPH >250 MPH De cription < 250 MPH <250 MPH <250 MPH i 5.5-5 3.3-12 1.97-11 Ba:e Case 50 6.85-7 2.4-5 1.64-11 6-8 2.7-10 4-7 5.5-5 2.2-11 95 1.03-5 2.4-5 2.48-10 l 5.5-5 3.3-12 5.45-12 C:ble Tray 50 8.96-8 2.4-5 2.15-12 6-8 7.88-11 2.4-5 5.68-11 4-7 5.5-5 2.2-11 House 95 2.36-6 Upgrade 5.5-5 3.3-12 1.85-11 SSS 50 6.32-7 2.4-5 1.52-11 6-8 2.34-10 2.12-10 4-7 5.5-5 2.2-11 Upgrade 95 8.8-6 2.4-5 9.23-13 6-8 5.5-5 3.3-12 4.22-12 ! Combined 50 3.85-8 2.4-5 2.2-11 4.16-11 2,4-5 1.96-11 4-7 5.5-5 UPgrade 95 8.17-7 i
-147-
TABLE 8-3 Person-Rein Exposure Development Core Core Melt Total ' Melt and Conditional Person-Res Person-Rem and Conditional Person-Ren Exposure Release Person-Rem Exposure Person-Resa Exposure (yr-1) Release (yr-1) Frequency (yrl) Exposure (yr-1) case Frequency (yr-1) Exposure
>250 MPH > 250 MPH
< 250 MPH < 250 MPH >250 MPH Description < 250 MPH 6-8 1.3+6 7.8-2 0.53 6.85-7 6.6+5 0.45 7.33
! Ba a Case 50 6.81 4-7 1.3+6 0.52
- 95 1.03-5 6.6+5 6-8 1.3+6 7.8-2 0.14 C;ble Tray 50 8.96-8 6.6+5 5.91-2 0.52 2.08 6.6+5 1.56 4-7 1.3+6 l Housa 95 2.37-6 Upgrade 1.3+6 '7.8-2 0.50 l
50 6.32-7 6.6+5 0.42 6-8 SSS 5.82 4-7 1.3+6 0.52 6.34 Upgrade 95 8.S-6 6.6+5 1.3+6 7.8-2 0.10 Combined 50 3.85-8 6.6+5 2.54-2 6-8 4-7 1.3+6 0.52 1.06 Upgrcde 95 8.17-7 6.6+5 5.4-1 ] I j I
-148-
TABLE 8-4 Risk Levels Societal Individual Latent Cancer Hazard Acute Fatality Risk Person-Rem Description Curve Risk (Per Person) Exposure B se case 50% 4.5 x 10-10 2.0 x 10-11 0.53 95% 6.4 x 10-9 2.7 x 10-10 7.33 Cable Tray 50% 9.0 x 10-11 5.45 x 10-12 o,14. House Upgrade 95% 1.7 x 10-9 7.9 x 10-11 2.08 SSS Upgrade 50% 4.15 x 10-10 1.85 x 10-11 0.50 95% 5.5 x 10-9 2.34 x 10-10 6.34 Combined Upgrade 50% 5.9 x 10-11 4.22 x 10-12 o,lo 95% 7.3 x 10-10 4.16 x 10-11 1.06 TABLE 8-5 Safety Goal Comparison Hazard % of Individual % of Description curve Acute Fatality Societal % of Core Risk Goal Risk Goal Melt Goal Base Case 50% 0.09% 0.001% 13% 95% 1.0% 0.01% 48% Cable Tray 50% 0.02% 0.0003% 2.0% House Upgrade 95% 0.34% 0.004% 11% SSS Upgrade 50% 0.08% 0.001% 12% 95% 1.0% 0.01% 41% 1 Combined Upgrade 50% 0.01% 0.0002% 0.73% 95% 0.15% 0.002% 4.0% 1
-149-4
-9.0 COST-BENEFIT ASSESSMENT As shown in Section 8.0, both individual and societal risk safety geols, and the core melt frequency design objective are met for the base case plant configuration including the SSS designed for seismic. Since this system will be installed, it is the appropriate plant configuration from which to coress the benefit of additional design modifications. Table 9-1 provides the r:sults of the investigation of the two backfits discussed in Section 1.0.
Neither backfit is justified from a cost-benefit perspective for the r00 sons provided in Section 1.0. 9.1 Costs for Structural Upgrade Cost estimates have been developed and are summarized in this section for proposed modifications to structures / components. The costs presented for the proposed 10~ event and 10~ event structural modifications include bsth direct and indirect dollars. All aspects of the modifications are cccounted for including equipment, labor, management, engineering, etc. Ycnkee seismic structural modifications control design of structures for windspeed through the 10~ event. The estimated modification costs associated with the events are as follows: Event Cost 10~ $108,000* 10~ $296,000** CThe 10-4 event is governed by the 110 mph straight wind and modification of the Cable Tray House.
** Structures / components requiring modifications for the 10-5 event are the
! Turbine' Building SW Stairwell, the PAB North Wall, the NRV Enclosure, the Fire Pumphouse Enclosure, Fire Water Storage Tank and the SSS Pumphouse.
-150-
~ -- . - - . _ - - _ .. .. . - -. - - _ _ _ _ , , - . __ - ..
TABLE 9-1 Cost-Benefit Analysis Resulto Ratio Core Reduction (3) of Indiv. Societal Residual in Just. Actual Actual (1) SSS Melt Risk Risk Person-Rem Person-Rem Costs to Costs of to Plant SSS DSN Actual Hazard Freq. Upgrade Justif. Per Per Per Upgrade Capacity Capacity Capacity curve Per Per ($'s) Costs (mph) (%) Year Year Year Year Year . ($'s) Description (mph) (mph) __ 0.53 - - Baca Care 70(2) -- 175 50 1.3-5 4.47-10 1.97-11 -- -- 7.33 6.43-9 2.7-10 -- -- - 95 4.8-5 3.9K 108K 28 C;ble Tray 160 -- 175 50 1.8-6 8.98-11 5.45-12 0.14 0.39 2.08 5.25 52.5K 108K 2 Houca Upgrade 95 1.1-5 1.66-9 7.88-11 4.15-10 1.85-11 0.50 0.03 0.3K 296K 987 SSS Upgrade 70(2) 165 250 50 1.2-5 5.53-9 2.34-10 6.34 0.99 9.9K 296K 30 95 4.1-5 5.91-11 4.22-12 0.1 0.43 4.3K 404K 94 Combin d 160 165 250 50 7.9-7 95 4.2-6 7.3-10 4.16-11 1.06 6.27 62.7K 404K 6 Upgrcd2 50 5.91-11 4.22-12 0.1 0.03 0.3K 296K 987 Combin:d 160 165 250 7.3-7 95 4.2-6 7.3-10 4.16-11 1.06 1.02 10.2K 296K 29 Upgecda Comptred to C:.ble Tray Hours Upgrade (1) Excluding Safe Shutdown System. j(2) The Cable Tray House fails at'70 mph, this analysis assumes the Cable Tray House failure fails all normal plant instrumentation yielding a core melt probability of 10-1 above 70 mph since only local instrumentation is credited. This is extremely conservative for reasons stated in the analysis. (3) Based on $1,000 per person-rem averted for 10 years or $10,000/ person-rem.
-151-
10.0 REFERENCES
1
- 1. 48FR10772, March 14, 1983, " Safety Goal Development".
- 2. NUREG/CR-2300, January 1983, "PLA Procedures Guide".
- 3. YAEC Letter to USNRC, dated January 3, 1983 (FYR 83-1).
i
- 4. EPRI-NP-801, "ATWS: A Re-Appraisal Part III - Frequency of Anticipated Transients".
- 5. Mcdonald, J. R., 1980, " Tornado and Straight Wind Hazard Probability for Yankee Rowe Nuclear Power Plant Site", prepared for USNRC.
- 6. Owners and Engineering Firms Informal Group on Concrete Masonry Walls,
" Reassessment of Safety-Related Concrete Masonry Walls", October 6, 1980.
- 7. American concrete Institute, " Building Code Requirements for Concrete Masonry Structures", ACI 531-79 (Revised 1981).
- 8. American National Standard, " Minimum Design Loads for Buildings and Other Structures" ANSI A58.1 - 1982.
- 9. Simiu, E. , and R. H. Scanlan, Wind Effects on Structures: An Introduction to Wind Engineering, J. Wiley & Sons, 1978. '
- 10. Twisdale, L. A., " Wind Loading Frequencies and Transmission Line Design",
paper presented at Southeastern Electric Exchange. ,1984 Conference, Bal Harbour, Florida, April 1964.
- 11. Twisdale, L. A., " Wind Loading Underestimate in Transmission Line Design",
Transmission Distribution December 1982.
- 12. CYGNA Energy Services, " Preliminary Review of Masonary Walls at Yankee Nuclear Power Station at Rowe", October 1981. Appendix A, Wall location drawings.
- 13. NUREG-0825, June 1983, " Integrated Plant Safety Assessment, Systematic Evaluation Program, Yankee Nuclear Power Station, Final Report".
-152-
APPENDIX A Acronym Table 3R AUX BOILER ROOM HAZARD / LOCATION FAILURE 3D12R(F) ATM STEAM DUMP VALVE 1 OR 2 FAILS TO OPEN - RANDOM 3D34R(F) ATM STEAM DUMP VALVE 3 OR 4 FAILS TO OPEN - RANDOM INITIATING EVENT - LOSS OF 0FFSITE POWER LTCGR1R RANDOM FAILURE OF BATTERY CRARGER NUMBER 1 ATCGR2R RANDOM FAILURE OF BATTERY CHARGER NUMBER 2 AT1RUN BATTERY NUMBER 1 FAILURE TO RUN FOR 24 HOURS AT2RUN BATTERY NUMBER 2 FAILURE TO RUN FOR 24 HOURS S5-2R 480V BUS 5-2 RANDOM FAILURE S6-3R 480V BUS 6-3 RANDOM FAILURE TOP EVENT - ATMOSPHERIC STEAM UUMP AVAILABLE BLTPV CABLE TRAY HOUSE (PORV POWER) HAZARD / LOCATION FAILURE BLT CABLE TRAY HOUSE (EICEPT PORY POWER) HAZARD / LOC FAILURE HBLDN FLOW PATH - CHARGING PUMPS TO BLOWDOWN HEADER HMFWH FLOW PATH - CHARGING PUMPS TO MAIN FEED HEADER TOP EVENT - OPERATOR ACTUATES ATM STEAM DUMP iCBS1R RANDOM FAILURE OF DC BUS NUMBER 1 >CBS2R RANDOM FAILURE OF DC BUS NUMBER 2 >C1 D DEMAND FAILURE OF BATTERY NUMBER 1 )C1 L BATTERY ROOM NUMBER 1 HAZARD / LOCATION FAILURE )C1RUN FAILURE OF DC POWER SUPPLY NUMBER 1 )C1R 125V DC BUS NUMBER ONE FAILS TO REMAIN ENERGIZED )C2L BATTERY ROOM NUMBER 2 HAZARD / LOCATION FAILURE )C2RUN FAILURE OF DC POWER SUPPLY NUMBER 2 )C2R 125V DC BUS NUMBER TWO FAILS TO REMAIN ENERGIZED JC3D DEMAND FAILURE OF BATTERY NUMBER 3 DC3R 125V DC BUS NUMBER THREE FAILS TO REMAIN ENERGIZED DG1 L DIESEL GENERATOR 1 HAZARD / LOCATION FAILURE DG1R DIESEL GENERATOR NUMBER 1 FAILS TO SUPPLY POWER DG2L DIESEL GENERATOR 2 HAZARD / LOCATION FAILURE DG2R DIESEL GENERATOR NUMBER 2 FAILS TO SUPPLY POWER DG3L DIESEL GENERATOR 3 HAZARD / LOCATION FAILURE DG3R DIESEL GENERATOR NUMBER 3 FAILS TO SUPPLY POWER D TOP EVENT - POWER AVAILABLE TO PORY EBFBLDN FLOW PATH - ELEC EM FEED PPS TO BLOWDOWN HEADER BBFMFWH FLOW PATH - ELEC EM FEED PPS TO MAIN FEED READER QBFPIR ELECTRIC EMERGENCY BOILER FEEDWATER PUMP 1 BBFP2R ELECTRIC EMERGENCY BOILER FEEDWATER PUMP 2 OBS1R RANDOM FAILURE OF EMERGENCY 480V BUS NUMBER 1 EBS3R RANDOM FAILURE OF EMERGENCY 480V BUS NUMBER 3 E TOP EVENT - POWER OPERATED RELIEF VALVE OPENS FWST FIRE WATER STORAGE TANK HAZARD / LOCATION FAILURE F TOP EVENT - POWER OPERATED RELIEF VALVE RECLOSES G TOP EVENT - POWER AVAILABLE TO PORV BLOCK VALVE H TOP EVENT - PORV BLOCK VALVE CLOSES INSA MAIN CONTROL ROOM INSTRUMENTATION INST) RANDOM FAILURE OF INSTRUMENTATION FOR CRANNEL 1 INST 2 RANDOM FAILURE OF INSTRUMENTATION FOR CRANNEL 2 INS 1 INSTRUMENTATION CRANNEL NUMBER 1 INS 2- INSTRUMENTATION CHANNEL NUMBER 2 INS INSTRUMENTATION FAILURE I TOP EVENT - 1 0F 2 PRIMARY CODE SAFETY VALVES OPENS J TOP EVENT - PRIMARY CODE SAFETY VALVE (S) RECLOSE K TOP EVENT - MCS LOOP SAFETY VALVE (S) OPEN LA INITIATING EVENT - LOCA A-1
- - - - - _ _ - _ _ _ _ _ _ . . _ l
B TOP EVENT - SCRAM LI LOCAL INSTRUMENTATION . TOP EVENT - POSITIVE REACTIVITY CONTROL D TOP EVENT - SAFETY INJECTION B TOP EVENT - RECIRCULATION P TOP EVENT - FEEDWATER ADDITION AND CONTROL G TOP EVENT - STEAM REMOVAL AND CONTROL H TOP EVENT - INSTRU AVAIL SUFFICIENT TO CONTROL PLANT LPAB LOWER LEVEL PRIMARY AUX BUILDING HAZARD / LOC FAILURE TOP EVENT - MCS LOOP SAFETY VALVE (S) RECLOSE CC1BS1R MOTOR CONIROL CENTER NUMBER 1 BUS NUMBER 1 RAND 0M FAILURE CC2BS2R MOTOR CONTROL CENTER KUMBER 2 BUS NUMBER 2 RANDOM FAILURE CR MAIN CONTROL ROOM HAZARD / LOCATION FAILURE
'RVL NON-RETURN VALVE PLATFORM HAZARD / LOCATION FAILURE iA INITIATING EVENT - LOSS OF OFFSITE POWER lB TOP EVENT - MAIN COOLANT SYSTEM IS ISOLATED IC TOP EVENT - SCRAM ID TOP EVENT - POSITVE REACTIVITY CONTROL (RE STM REMOVAL)
)ERCMOV OPERATOR ERROR - FAILS TO OPEN RECIRC VALVE MANUALLY )E TOP EVENT - FEEDWATER ADDITION AND CONTROL >F TOP EVENT - STEAM REMOVAL AND CONTROL X: TOP EVENT - INSTRU AVAIL SUFFICIENT TO CONTROL PLANT 'PRM TURBINE BUILDING PUMP ROOM HAZARD / LOCATION FAILURE 'WRCH1 INSTRUMENT CHANNEL NUMBER 1 POWER SUPPLY ?WRCH2 INSTRUMENT CHANNEL NUMBER 2 POWER SUPPLY RCMOV1 MOTOR OPERATED RECIRCULATION VALVE 1 RCMOV2 MOTOR OPERATED RECICRULATION VALVE 2 SEBFMFWH FLOW PATH - STEAM EM FEED TO MAIN FEED HEADER SEBFP STEAM DRIVEN EMERGENCY BOILER FEEDWATER PUMP SGPI STEAM GENERATOR PRESSURE INSTRUMENTATION SIBLDN FLOW PATH - SAFETY INJECTION TO BLOWDOWN HEADER SIBN SAFETY INJ BUILDING NORTH WALL HAZARD / LOC FAILURE SIB SAFETY INJECTION BUILDING HAZARD / LOCATION FAILURE SIPIPE ALL SAFETY INJECTION FLOW PATH COMPONENTS SIP 1R SAFETY INJECTION PUMP 1 - RANDOM FAILURE SIP 2R SAFETY INJECTION PUMP 2 - RANDOM FAILURE SIP 3R SAFETY INJECTION PUMP 3 - RANDOM FAILURE SIT SAFETY INJECTION TANK HAZARD / LOCATION FAILURE SI1R SAFETY INJECTION TRAIN NUMBER 1 TO THE SECONDARY SI2R SAFETY INJECTION TRAIN NUMBER 2 TO THE SECONDARY SI3R SAFETY INJECTION TRAIN NUMBER 3 TO THE SECONDARY SSSBLDN FLOW PATH - SAFE SHUTDOWN SYS TO BLOWDOWN HEADER SSSINST SAFE SHUTDOWN SYSTEM INSTRUMENTATION RANDOM FAILURE SSSI SAFE SHUTDOWN SYSTEM INSTRUMENTATION SSSL SAFE SHUTDOWN SYSTEM HAZARD /LOCTION FAILURE SSSR SAFE SHUTDOWN SYSTEM - RANDOM FAILURE SWGR SWITCHGEAR ROOM HAZARD / LOCATION FAILURE TK1L WATER SOURCE - TANK 1 HAZARD / LOCATION FAILURE TX1 WATER SOURCE - TANK NUMBER ONE TK39 WATER SOURCE - TANK 39 HAZARD / LOCATION FAILURE ULPAB UPPER LEVEL PRIMARY AUX BUILDING HAZARD / LOC FAILURE UPS1R UNINTERRUPTIBLE POWER SUFFLY NO.1 RANDOM FAILURE UPS2R UNINTERRUPTIBLE POWER SUPPLY NO. 2 RANDOM FAILURE VBS2R RANDOM FAILURE OF VITAL BUS NUMBER 2 VB1R RANDOM FAILURE OF VITAL BUS NUMBER 1 A-2
(2R 2400V BUS NUMBER 2 RANDOM FAILURE - k3R 2400V BUS NUMBER 3 RANDOM FAILURE RPP 3 CHARGING PUMPS - FAILURE IS ANY ONE OF THREE FAILS \ A-3}}