ML20154R389

A Review of the Oconee-3 Probabilistic Risk Assessment. Internal Events, Core Damage Frequency
ML20154R389
Person / Time
Site: Oconee (Duke Energy)
Issue date: 03/31/1986
From: Chu T, Fitzpatrick R, Hanan N, Ilberg D, Xue D
BROOKHAVEN NATIONAL LABORATORY
To:
Office of Nuclear Reactor Regulation
References
CON-FIN-A-3797 BNL-NUREG-51917, NUREG-CR-4374, NUREG-CR-4374-V01, NUREG-CR-4374-V1, NUDOCS 8603280335


Text

NUREG/CR-4374
BNL-NUREG-51917
Vol. 1

A Review of the Oconee-3 Probabilistic Risk Assessment
Internal Events, Core Damage Frequency

Prepared by N. A. Hanan, D. Ilberg, D. Xue, R. G. Fitzpatrick, T-L. Chu
Brookhaven National Laboratory
Prepared for U.S. Nuclear Regulatory Commission

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

NOTICE

Availability of Reference Materials Cited in NRC Publications

Most documents cited in NRC publications will be available from one of the following sources:

1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161

Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.

Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.

The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.

Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.

Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.

Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.

Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.

NUREG/CR-4374
BNL-NUREG-51917
Vol. 1

A Review of the Oconee-3 Probabilistic Risk Assessment
Internal Events, Core Damage Frequency

Manuscript Completed: January 1986
Date Published: March 1986

Prepared by
N. A. Hanan, D. Ilberg, D. Xue, R. G. Fitzpatrick, T-L. Chu
Brookhaven National Laboratory
Upton, NY 11973

Prepared for
Division of Safety Review and Oversight
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
NRC FIN A3797

ABSTRACT

A review of the Oconee-3 Probabilistic Risk Assessment (OPRA) was conducted with the broad objective of evaluating the contribution of the internally-generated accidents to the frequency of core damage. The review included a technical assessment of the assumptions and methods used in the OPRA study. The BNL staff reevaluated the main results of the study within the scope and general methodological framework, including both qualitative and quantitative analyses of accident initiators, and accident sequences which result in core damage. The effect of uncertainties was considered throughout the review process, and the uncertainty bands for the core damage frequency were quantified.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
ACKNOWLEDGMENTS
NOMENCLATURE
EXECUTIVE SUMMARY

1. INTRODUCTION
   1.1 Objective, Scope, and Approach to the Review
   1.2 Organization of Report

2. PLANT MODELING
   2.1 Safety Functions and Corresponding Systems
      2.1.1 Safety Functions and Frontline Systems
      2.1.2 Success Criteria for the Frontline Systems
         2.1.2.1 Success Criteria for Transient Initiators
         2.1.2.2 Success Criteria for ATWS Initiators
         2.1.2.3 LOCA Success Criteria
         2.1.2.4 Steam Generator Tube Ruptures Success Criteria
      2.1.3 Support Systems
      2.1.4 Frontline and Support Systems Dependences
   2.2 Initiating Events
      2.2.1 OPRA Initiators Selection
         2.2.1.1 LOCA Initiators
         2.2.1.2 Transients With Successful Scram
         2.2.1.3 ATWS: Anticipated Transient Without Scram
         2.2.1.4 External Events
      2.2.2 Comparison With Arkansas IREP and Midland PRA
      2.2.3 BNL Assessment of the Selection of Initiating Events
   2.3 References

3. ACCIDENT SEQUENCE DEFINITION
   3.1 Functional Event Trees
      3.1.1 The General Methodology
      3.1.2 Functional Event Tree Development
      3.1.3 Treatment of Dependences
      3.1.4 The Transient Functional Event Tree
      3.1.5 The LOCAs Functional Event Trees
         3.1.5.1 Small-LOCA Event Tree
         3.1.5.2 Large-LOCA Event Tree
         3.1.5.3 SGTR Event Tree
      3.1.6 ATWS Event Trees
   3.2 System Fault Trees
   3.3 Human Performance Analysis
   3.4 References

4. DATA ASSESSMENT
   4.1 Frequencies of Initiating Events
      4.1.1 The Quantification of Initiating Events in OPRA
      4.1.2 BNL Assessment of the Initiator Frequencies
         4.1.2.1 Transient Initiators With Successful Scram
         4.1.2.2 Comparison With Other Studies
         4.1.2.3 Treatment of "Rare-Event" Initiators
         4.1.2.4 ATWS Initiators' Frequency
   4.2 Component Failure Data
   4.3 Maintenance Data
   4.4 References

5. ACCIDENT SEQUENCE QUANTIFICATION
   5.1 Quantification Procedure for Transients, LOCAs, and SGTR
   5.2 Quantification Procedure for ATWS
   5.3 Interfacing-Systems LOCA
   5.4 BNL Review Results
   5.5 Dominant Accident Sequences
   5.6 ATWS Sensitivity Analysis
      5.6.1 Primary Relief Function
      5.6.2 Failure to Inject Borated Water (RCS peak pressure <3500 psig)
      5.6.3 Failure to Inject Borated Water and Failure of Long-Term Cooling (RCS peak pressure >3900 psig)
   5.7 Uncertainty Analyses
   5.8 References

APPENDIX A: BNL REVIEW OF THE ACCIDENT SEQUENCES FOR TRANSIENTS, LOCAS, AND SGTR
APPENDIX B: REVIEW OF SEQUENCES INVOLVING ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS)

LIST OF FIGURES

0.1 Cumulative probability for the frequency of core damage
3.1 OPRA event tree for transient initiating events
3.2 Supporting logic for transient event tree top event Q, failure of RCS integrity
3.3 Supporting logic for transient event tree top event B, failure of RCS heat removal
3.4 Supporting logic for transient event tree top event P, failure of RCS pressure relief
3.5 Supporting logic for transient event tree top event UT, failure of core-heat removal by high pressure injection
3.6 Supporting logic for transient event tree top event YT, failure to maintain RCS makeup supply
3.7 Supporting logic for transient event tree top event W, failure to restore RCS integrity
3.8 Supporting logic for transient event tree top event XT, failure of long-term core-heat removal
3.9 OPRA event tree for small-break LOCA events
3.10 Supporting logic for small-break LOCA event tree top event XS, failure of long-term cooling
3.11 OPRA event tree for large-break LOCA events
3.12 OPRA event tree for SGTR initiating events
3.13 Supporting logic for SGTR event tree top event BR, failure of RCS heat removal
3.14 Supporting logic for SGTR event tree top event UR, failure of RCS heat removal
3.15 Supporting logic for SGTR event tree top event XR, failure to achieve long-term cooling at cold shutdown
3.16 Supporting logic for SGTR event tree top event Xe, failure to maintain long-term cooling at hot conditions
3.17 OPRA scoping event tree for turbine trip with failure to scram
3.18 OPRA scoping event tree for loss-of-offsite power with failure to scram
3.19 OPRA scoping event tree for loss of condenser vacuum with failure to scram
3.20 OPRA scoping event tree for loss of main feedwater with failure to scram
5.1 Cumulative probability for the frequency of core damage
A.1 OPRA event tree for transient-initiating events
A.2 OPRA event tree for small-break LOCA event
A.3 OPRA event tree for large-break LOCA events
A.4 OPRA event tree for SGTR initiating events
B.1 Scoping event tree for turbine trip with failure to scram
B.2 Scoping event tree for loss-of-offsite power with failure to scram
B.3 Scoping event tree for loss of condenser vacuum with failure to scram
B.4 Scoping event tree for loss of main feedwater with failure to scram

LIST OF TABLES

0.1 Summary of Contributors to Core Damage Frequency for Internal Initiating Events
0.2 Summary of Core Damage Frequency
0.3 BNL Review Summary of Core Damage Frequencies for Internal Events
0.4 OPRA Summary of Core Damage Frequencies for Internal Initiating Events
2.1 Safety Functions for Oconee-3
2.2 Oconee-3 Transient Safety Functions/Frontline Systems
2.3 Oconee-3 LOCA Safety Functions/Frontline Systems
2.4 Comparison of Oconee-3, ANO-1, and Midland-2 Frontline Systems
2.5 Transient Success Criteria for Oconee
2.6 Transient Success Criteria for Oconee-3 (RSSMAP)
2.7 Transient Success Criteria for Arkansas Nuclear One
2.8 Transient Success Criteria for Midland-2
2.9 A Comparison of OPRA LOCA Success Criteria With Other PRAs and the BNL Review
2.10 Comparison of Very Small LOCA and SGTR Success Criteria for the Long Term
2.11 Major Support Systems
2.12 Oconee Frontline vs Support System Dependences
2.13 Oconee Support vs Support System Dependences
2.14 Comparison of Transient Initiators and Their Grouping in the Arkansas IREP, Midland, and Oconee PRAs
3.1 Top Events in the Transient Event Trees
3.2 Important Human Errors in the OPRA
4.1 Summary of Initiating Event Frequencies in OPRA and BNL Review
4.2 Categorization of Experienced Events in the Oconee Plants With Respect to OPRA Initiating Events
4.3 Oconee Updated Initiating-Event Frequencies (Calculated by Different Two-Stage Bayesian Codes)
4.4 Comparison of OPRA and BNL Initiator Frequencies With Several Other Studies
4.5 Loss-of-Offsite Power Recovery Data
4.6 Loss of Instrument-Air-Initiator Frequency Contributors
4.7 Loss of Low Pressure Service Water System -- Contributors to the Initiator Frequency
4.8 Mean Annual Frequencies of Transients Categories at Oconee
5.1 Summary of Core Melt Bins
5.2 Summary of Contributors to Core Damage Frequency for Internal Initiating Events
5.3 Summary of Core Damage Frequency
5.4 BNL Review Summary of Core Damage Frequencies for Internal Events
5.5 OPRA Summary of Core Damage Frequencies for Internal Initiating Events
5.6 BNL Review Core Damage Frequency Distribution
A.1 Event Description Reference List
B.1 ATWS Core Damage Frequency in the BNL Review - Base Case

ACKNOWLEDGMENTS

The authors wish to thank their colleagues in the Department of Nuclear Energy at Brookhaven National Laboratory for many discussions and comments throughout the course of this work.

This work was performed for the Reliability and Risk Assessment Branch (RRAB) of the U.S. Nuclear Regulatory Commission. Mr. E. Chelliah of RRAB was the technical monitor of the project. The authors wish to acknowledge F. Coffman, E. Chelliah, and A. Thadani for comments on the draft of this report.

Lastly, the authors would like to acknowledge the relentless effort and the high standard of quality of C. Conrad in editing and preparing this document for publication, and of S. Flippen for her excellent typing.

NOMENCLATURE

A         Large LOCA
ATWS      Anticipated transients without scram
B         Failure of RCS heat removal via the steam generators
B&W       Babcock & Wilcox
BNL       Brookhaven National Laboratory
BWST      Borated water storage tank
CAS       Compressed air system
CCS       Component cooling system
CCWS      Condenser circulating water system
CFT       Core flooding tanks
DHR       Decay heat removal
DPC       Duke Power Company
EPRI      Electric Power Research Institute
EFW       Emergency feedwater system
ESFAS     Engineered safeguard actuation system
FMEA      Failure modes and effects analysis
FSAR      Final safety analysis reports
HVAC      Heating, ventilating and air-conditioning systems
HPI       High pressure injection system
HPR       High pressure recirculation
HPSW      High-pressure service water system
ICS       Integrated control system
IREP      Interim Reliability Evaluation Program
K         Failure of the reactor protection system
L         Failure to recover RCS heat removal
LDST      Letdown storage tank
LMFW      Loss of main feedwater
LOCA      Loss of coolant accident
LOOP      Loss of offsite power
LPI       Low pressure injection system
LPR       Low pressure recirculation
LPSW      Low pressure service water system
MFW       Main feedwater system
MPRA      Midland Probabilistic Risk Assessment
NRC       U.S. Nuclear Regulatory Commission
NSAC      The Nuclear Safety Analysis Center
OPRA      Oconee-3 Probabilistic Risk Assessment
PORV      Pilot-operated relief valve
PCS       Power conversion system
PWR       Pressurized water reactor
PPCS      Primary pressure control system
PRA       Probabilistic risk assessment
Q         Loss of RCS integrity
R         Steam generator tube rupture
RBCS      Reactor building cooling system
RBSS      Reactor building spray system
RCS       Reactor coolant system
RPV       Reactor pressure vessel
RPS       Reactor protection system
RSS       Reactor Safety Study
RSSMAP    Reactor Safety Study Methodology Application Program
RCWS      Recirculating cooling water system
S         Small-break LOCA
SSF       Standby Shutdown Facility
SGTR      Steam generator tube rupture
SRV       Safety relief valve(s)
T         Transient initiators
T1        Reactor/turbine trip
T2        Loss of main feedwater
T3        Partial loss of main feedwater
T4        Loss of condenser vacuum
T5SUBF    Failure of offsite power due to 230-kV substation failure
T5FEEDF   Failure of offsite power due to grid or feeder failure
T6        Loss of air
T7        Excessive feedwater
T8        Spurious engineered safeguards actuation signal
T9        Steam-line break
T10       Feedwater-line break
T11       Loss of ICS power bus 3KI
T12       Loss of low pressure service water
T13       Spurious low pressurizer pressure signal
T14       Loss of 4-kV switchgear 3TC
UR        Failure of high pressure injection (SGTR)
US        Failure of high pressure injection (LOCA)
UST       Upper storage tank
UT        Failure of core-heat removal by HPI cooling ('feed and bleed')
VS        Very small-break LOCA
W         Failure to establish RCS integrity
XT        Failure to maintain long-term core-heat removal
YT        Failure to maintain RCS makeup supply

EXECUTIVE SUMMARY

This review of the Oconee-3 Probabilistic Risk Assessment (OPRA) by Brookhaven National Laboratory (BNL) was sponsored by the U.S. Nuclear Regulatory Commission (NRC). The Oconee-3 PRA was performed by the Nuclear Safety Analysis Center (NSAC) of the Electric Power Research Institute, Duke Power Company (DPC), and other participating utility companies. The OPRA includes estimates of the frequency of accidents (internally and externally initiated events) that may lead to severe core damage, the frequency and characteristics of release of radionuclides, and the magnitude of the resulting public health effects. This review, which presents only an assessment of the frequency of "internally" generated plant "accidents" (including loss of offsite power) leading to core damage, was begun in January 1985 by members of the Risk Evaluation Group at BNL. A companion review of the frequency of "externally" initiated events was initiated at about the same time and the results are issued in Volume 2 of this report.

The broad objective of this review was to evaluate the OPRA with respect to the overall frequency of core damage, the main contributors to this frequency, and the associated parameter uncertainties, and to consider all these for core damage accidents initiated by functional events internal to the plant, as well as loss of offsite power. The review included a technical assessment of the assumptions and methods used in the OPRA study, as well as a reevaluation of the results of the study. This included both qualitative and quantitative analyses of accident initiators, data bases, human errors, and accident sequences which lead to core damage.

The review process included a site visit and a meeting with Duke Power Company and NRC. This review also benefited from the DPC responses to several BNL questions. The DPC staff was very helpful and cooperative throughout the course of the review.

The main conclusions of the review are the following:

a. Within the stated scope, the OPRA study is an excellent piece of work. The same tools were used as for the Reactor Safety Study (event trees/fault trees), but the OPRA also added to the state of the art.

b. The reviewers believe that, notwithstanding the differences discussed below, the OPRA study successfully identified the major failure combinations that can lead to core damage. The reviewers also believe that modification of the OPRA study to reflect the results of this review will give a more realistic portrayal of the major characteristics of the Oconee-3 plant.

c. The assessment of the core damage frequency resulting from "internally" initiated events performed in this review includes a modification made to the Oconee-3 plant after completion of the study of internal floods by the OPRA team, namely the addition of an automatic backup pressure service water (LPSW) cooling of the motors of the high pressure injection (HPI) pumps. The OPRA did not factor this modification into the internal events analysis. In addition, the BNL review also included the information that Oconee-3 has been operating with pressurizer PORV block valve closed for most of the time (about 80% of operating time). This was not taken into account in the OPRA.

d. The total frequency of core damage calculated in this review is equal to 9.3E-5/yr as compared to 5.4E-5/yr for the OPRA. The contributors to the core damage frequency by bin and by initiating event category are summarized in Tables 0.1 and 0.2; in both tables a comparison with the OPRA is also given. In Table 0.3, the dominant accident sequences in each bin are presented; for comparison, the OPRA dominant accident sequences are presented in Table 0.4. From these tables the following conclusions can be drawn:

d.1. The largest increase is present in Bin III (5.7E-5/yr in this review vs 3.0E-5/yr in the OPRA). This difference is primarily due to events caused by loss of instrument air (as an initiator or due to loss of offsite power). This difference in core damage (CD) frequency is mainly due to the assumption on time available for recovery of compressed air. In Oconee-3 a loss of instrument air causes the drainage of the upper storage tank (UST) to the condenser hotwell, because valve C-176, which is normally used as a means of hotwell makeup from the UST (hotwell level control system), fails open on loss of air. In the OPRA, between two and six hours were used for quantification of the probability of failure to recover air. In a meeting held at DPC to discuss BNL comments regarding the OPRA, it was verified that about one hour would be more appropriate for drainage of the UST into the hotwell, and therefore the time available for the operators to recover air or transfer the EFW suction from the UST (primary source) to the hotwell. This change in time modifies the probability of failure to recover air from the value used in the OPRA (5.5E-2) to the value used in this review (0.5); this latter value is based on the OPRA assessment for recovery of air together with the judgment of the reviewers. For more details on specific sequences, see Appendix A.

In this review the loss of instrument air (T6) becomes the most dominant contributor to the core damage frequency, being responsible for 49% of the CD frequency due to transients with scram, and for 33% of the total. In the OPRA it is responsible for 11% of the CD frequency due to transients with scram, and 6% of the total.

Note that according to a letter from H. B. Tucker (DPC) to H. R. Denton (NRC) dated Sept. 20, 1985, the Duke Power Company has taken an interim measure, namely the closure of manual isolation block valve (C-175) upstream of the air-operated valve C-175, to prevent the potential drainage of the upper surge tank (UST) following a loss of instrument air.

In the near future, according to the referenced letter, a modification to air-operated valve C-176 is planned. If this modification is taken into consideration, the BNL-calculated core damage frequency for Bin III will decrease from 5.7E-5/yr to about 3.1E-5/yr and the total CD frequency will be equal to 6.7E-5/yr instead of 9.3E-5/yr.


d.2. Table 0.2 also shows that the loss of low pressure service water transient (T12) in the OPRA is the most important transient, being responsible for about 45% of the core damage frequency due to transients with scram (24% of the total CD). In this review it accounts for 29% of the core damage due to transients with scram (19% of the total CD).

It is explained in Appendix A that some degree of conservatism exists in this review, because of the assumption that if valve CCW-73 fails closed, a loss of LPSW to its most important loads, i.e., cooling of HPI and RCP pump motors and heat exchangers in the component cooling water system, will occur. However, a detailed pipe-flow calculation is needed to verify this assumption and this calculation is beyond the scope of this review.

Note also that if a recent DPC modification made in the discharge of the LPSW to the cooling of HPI pump motors (DPC Drawings Nos. P0-115B, Rev. 26, and P0-124D, Rev. 12) is considered, the contribution of loss of low pressure service water transient (T12) to the total CD frequency will decrease from 1.8E-5/yr to about 4.0E-6/yr; i.e., the total CD frequency in this review will become 7.9E-5/yr instead of 9.3E-5/yr.

d.3. The differences in CD frequency for instrument air (T6) and for loss of low pressure service water (T12) account for 71% and 13% of the increase in the total CD frequency, respectively. The remainder of the difference in total CD frequency comes from small LOCAs (8%), ATWS (4%), and large LOCAs (3%).

e. The uncertainty in the frequency of core damage performed in this review is presented in Figure 0.1. The 90% probability range for the frequency of core damage in this review spans an interval slightly higher than one order of magnitude from 1.9E-5/yr (5% percentile) to 2.5E-4/yr (95% percentile). The uncertainty, as in the OPRA study, should be interpreted as being introduced by uncertainties in the values of the various parameters, given the modeling assumptions described in the main body of this report.

[Figure: cumulative probability (0 to 1) plotted against core damage frequency (per year), on an axis running from 0.00001 to 0.001. Values marked on the curve: 1.9E-5 (X05), 5.7E-5, 9.2E-5, 2.5E-4 (X95).]

Figure 0.1 Cumulative probability for the frequency of core damage.

Table 0.1 Summary of Contributors to Core Damage Frequency for Internal Initiating Events

| CM Bin | Initiating Event | Core Damage Frequency, OPRA | Core Damage Frequency, BNL |
|---|---|---|---|
| I | Pipe-break- and transient-induced small LOCA | 6.5-6 | 8.4-6 |
| I | SGTR | 1.3-6 | 1.2-6 |
| I | ATWS | 1.8-8 | 1.2-8 |
| I | Total bin I | [illegible] | 9.6-6 |
| II | Pipe-break- and transient-induced small LOCA | 1.1-6 | 6.7-6 |
| II | SGTR | 1.4-6 | 2.1-6 |
| II | ATWS | 1.8-8 | 1.2-8 |
| II | Total bin II | [illegible] | [illegible] |
| III | Transients | 2.7-5 | 5.7-5 |
| III | ATWS | 2.8-6 | 6.9-7 |
| III | Total bin III | [illegible] | [illegible] |
| IV | Transients | 1.9-7 | 3.6-7 |
| IV | Total bin IV | [illegible] | [illegible] |
| V | Large LOCA | 1.4-6 | 1.5-6 |
| V | ATWS | 1.7-6 | 3.6-6 |
| V | Total bin V | 3.1-6 | 5.1-6 |
| VI | Large LOCA | 8.3-6 | 8.5-6 |
| VI | ATWS | 1.5-6 | 3.4-6 |
| VI | Total bin VI | 9.8-6 | [illegible] |
| | Interfacing systems LOCA | 1.4-7 | 1.4-7 |
| | Total CD frequency | 5.4-5 | 9.3-5 |

Table 0.2 Summary of Core Damage Frequency

                                              Core Damage Frequency
Initiating-Event Category                     BNL           OPRA

Plant Transients
  Loss of Instrument Air (T6)                 3.1-5         3.2-6
  Loss of Service Water (T12)                 1.8-5         1.3-5
  Feedwater Line Break (T10)                  4.5-6         4.0-6
  Loss of Offsite Power (T5)                  3.6-6         2.4-6
  Loss of Reactor Trip (T)                    1.7-6         1.2-6
  Loss of Main Feedwater (T2)                 1.3-6         1.2-6
  Other Transients                            2.4-6         2.6-6
  Total                                       (illegible)   2.9-5

Loss-of-Coolant Accidents
  Large Break (A)                             1.0-5         9.0-6
  Small Break (S)                             9.?-6 (a)     6.1-6
  Reactor-Vessel Rupture                      1.1-6         1.1-6
  Total                                       (illegible)   (illegible)

Transients Without Scram (ATWS)               7.7-6         6.0-6

Steam Generator Tube Rupture (R)              3.3-6         2.7-6

Interfacing-System LOCA                       1.4-7         1.4-7

Total                                         (illegible)   (illegible)

(a) Includes only LOCAs due to pipe breaks or spontaneous seal failures.

Table 0.3 BNL Review Summary of Core Damage Frequencies for Internal Events

Total CD Frequency = 9.3E-5/yr.

Bin I Sequences   Bin II Sequences   Bin III Sequences   Bin IV Sequences   Bin V Sequences   Bin VI Sequences
(for each bin: Type, Seq., Mean Freq.)

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0E-6 (ABOUT 89% OF TOTAL FREQUENCY)

ATW5 3.6-6

[4] 5'551 5.4-6 [8] Tgjts 3.2-6 [F) T RU 2.9 5 [A] VR 1.1-6 [8] Ana 4.8-6

[C] Vt5$ 1.9-6 [G) T /U g l.8-5 [A] Ang 1.6-5

[8] RagJ 1.5-6 [E ) T ,pu 4.8-6 ATW5 3.4-6

[4] T780 1.3-6

[J) TPU  !.1-6

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0E-7 (ABOUT 99% OF TOTAL FREQUENCY)

[8] RuR 8.1-7 [C] SIS 9.0- 7 [C) T8U 7.6-7 i s.6MLX 2.1-7 [8] AU 4.1-7 ATWS 6.9-7

[a] 7005 7.3-7 [A] Rua 0 6.0-7 [W] I RU g 4.8 7 Ts .6ElI I'3*I I I'4*I

[F ) TQt5 3 i-F EMI I RU6 2.5-7

[E) TQts 2.2-7 [1] TdO 1.8-7

[A] T5 0ts 1.0-7 [D) T,grJ 1.8-7

[Cl 505 4.9-7

[lj TOUS 4.8-7

[Cf V055 4.2-7

[F l IJU5 4.2-7

[A] Rdg 4.1 7

[Dj ig]05 2.9-7 x

Total shown 9.6-6 8.8-6 5.6-5 3.6-7 5.2-6 1.2-5
Other 2.3-7 6.C-8 3.4-7 - . 5.4-8
Total 9.5-6 8.8-6 5.7-5 0.6-7 5.1-6 1.2 5

Table 0.4 OPRA Summary of Core Damage Frequencies for Internal Initiating Events*

Bin I Sequences   Bin II Sequences   Bin III Sequences   Bin IV Sequences   Bin V Sequences   Bin VI Sequences
(for each bin: Type, Seq., Mean Freq.)

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0 x 10-6 (ABOUT 80% OF TOTAL FREQUENCY)

(C] T12"

(Al sys 's 5.o-6 (El T,onu I'.$~$

4 e-6 trl T6 no 4.7-6 tel Arg 4.e-6 (Al AI g 3. 3< 6 Ws 2.e-6 Ws 1.7-6 1A] T 2 nu I.2-6 (Al VR t.1-6 WS 1.5-6

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0 x 10-7 (ABOUT 95% OF TOTAL FREQUENCY)

tel eU, e.5-7 tel as,o 7.4-7 (CI su s 'd'7 tel TQu, 5.9-7 4 (CI su, 4.4-7 (Al ax ,o 4.0-7 (C) Tm 4.2-7 (Al Ru, 3.9-7 tel 7,su 4.1-7 De 101 T6QU 2.5-7 (F) Tg 93 QI 2.2-7 (N) T

>< gli T ggif 2.3-7 h6 8U 2.2-7

, tal TsLx t.6-7 Isl AU 2.3-7 a  ?

It) I2,14UUs I '*4

Total shown 7.9-6 2.1-6 3.0-5 f.6-7 3.0-6 9.6-6
Summation of others not shown 2.0-7 4.0-7 5.0-7 _3.0-e 1.0-7 2.0 7
Total core-melt frequency 0.1-6 2.5-6 3.0-5 1.9-7 3.2-6 9.e-6

Notes:

1. The duplications of sequence types within a bin (e.g., two type [A] in bin I) are due to the sequences resulting from steam generator tube ruptures.
2. The sequences are defined by sequence type. The grouping of events considered (1) event-tree sequence type, (2) initiating-event effects if important, and (3) differences that would require unique treatment for the consequence analysis.
3. The ATWS sequences are discussed in Appendix E. The ATWS lines in this table are summations of all ATWS sequences for a bin.
4. Nomenclateres A. large IOCAs T, tranglent events B, small TACA;g T, lose of main feeduatetegT ,' lose of offeite powers T 6' I*** *I I"'""**** *I'8 T , spurtous engineered-eafeguard actuations T , feedline breaks T e 12 I'** 'I I'"~P''

service waters T,3 spurioue low-pressuriser-preneure stenals 7,4 lose of 4-kV ew tegear Es R, steam' generator tube ruptores -

Va, resetor-veneel ruptures Q, loss of BCS integrity (tranatent-induced esall-break 14CAls B, failure of PC heat removat through the steme generatoresTU . f ailure of core heat removal by NPI coolingsg IF , fe!!are e' W I 1P injection Me for small 14CAes tig ,

f ailure of LPI in injection for large 14CAes U,. fallere of NPI in injection for tube rupturess Y failure to maintain RCs makeup supply: 2 7 failure to maintain long-tere core-heat removalappropriatetotheinit!Nn,geventsL,falleretorecover DCS heat removals,kag,la11ere to maintain long-tere cooling at het conditione for tube ruptores I, interfacing-eyetse LOCA.

* Reproduced from OPRA Table 8.1.

1. INTRODUCTION

1.1 Objective, Scope, and Approach to the Review

Duke Power, in collaboration with the Nuclear Safety Analysis Center, has carried out a full-scope PRA of Oconee Unit 3. The Oconee PRA (OPRA) treats "internally" initiated scenarios (accidents initiated by a functional equipment failure or an external loss of offsite power), as well as externally initiated scenarios (e.g., earthquakes, floods, etc.) and other physical phenomena (fires, internal floods). Containment analysis was also performed in the PRA. BNL has conducted a full-scope review of the "internal" and "external event" scenarios defined in the OPRA. However, only a limited review of the containment performance and radiological source term analyses in the OPRA has been performed. The present volume describes the review of internal events scenarios out to core damage; the review of external events is presented in Volume 2 of this report. The review of the OPRA containment performance and radiological source terms will be presented in a separate report.

The broad objective of the BNL review of the internal events portion of the OPRA was to evaluate qualitatively and quantitatively the study's assessment of the important accident sequences that are internally generated and lead to core damage. In addition, the review included an assessment of the externally generated LOOP accident initiator. To carry out this objective, BNL reviewed the assumptions and methods of the OPRA within its stated scope.

Within this scope and within the basic methodological framework of the OPRA, BNL reevaluated the important accident sequences that lead to core damage, their respective frequencies of occurrence, the total frequency of core damage, and the associated uncertainties. The review included evaluations of accident initiators, data, and accident sequence development and quantification. In addition, a limited ATWS sensitivity analysis was performed.

The internally generated accident initiators reported in this NUREG/CR were reviewed over a seven-month period by five people at BNL (three on a regular basis and two on a partial basis). D. Xue, D. Ilberg, and N. A. Hanan of the Risk Evaluation Group were the main project engineers; they reviewed the frequencies of the accident initiators, the accident sequence and system modeling, the data base, and the quantification of the event and fault trees, and they also performed the uncertainty analyses. R. G. Fitzpatrick and T-L. Chu contributed to the qualitative review of systems fault trees and the interfacing system LOCA.

The project monitor was E. Chelliah of the Reliability and Risk Assessment Branch, Division of Safety Review and Oversight, U.S. Nuclear Regulatory Commission.

The review benefited from a productive meeting and a plant visit held between NRC, BNL, and DPC. DPC staff provided the information and discussion needed to gain a detailed understanding of the PRA for the in-depth review process. The various submittals, with which DPC responded to the various BNL comments in the meeting and plant visit, always constituted a technical improvement to the PRA and were always responsive to the BNL comments.

1.2 Organization of Report

Section 2 gives a description of the plant modeling, which includes identification of initiating events that can lead to core damage and a discussion of safety functions and systems important to the prevention of core damage events. Section 3 presents a description of accident sequence definition and a discussion of the event tree/fault tree approach used in the OPRA. Section 4 presents the quantification of the initiating events' frequencies and the evaluation of the data base used in the OPRA and in this review. Section 5 provides accident sequence quantification, reviews the numerical values of the parameters necessary for this quantification, gives a brief description of the OPRA approach to quantification, and presents the BNL comments on the quantification process and the revised core damage frequencies. This section also contains an analysis of the uncertainties in the core damage frequency and a limited ATWS sensitivity analysis. Details of the BNL core damage accident sequences are given in the Appendices.

2. PLANT MODELING

This section reviews the modeling of the plant in the Oconee PRA1 (OPRA). The plant modeling includes the identification of

• Safety functions important to prevent or mitigate core damage.

• Systems that directly perform these safety functions (frontline systems).

• Systems that support the frontline systems (support systems).

• Success criteria of the safety functions and systems.

• Initiating events that can lead to core damage.

Subsection 2.1 describes the safety functions, the corresponding frontline and support systems, and their success criteria. Subsection 2.2 presents the initiating events and their grouping according to the success criteria for the frontline systems. In both subsections, the Oconee PRA assumptions are reviewed, evaluated, and compared to those of the Oconee RSSMAP study, the Arkansas PRA, and the Midland PRA.

2.1 Safety Functions and Corresponding Systems

2.1.1 Safety Functions and Frontline Systems

The safety functions important to preventing or mitigating the consequences of core damage following any initiating event at Oconee-3 are given in Table 2.1. Each function in this table is directly performed by one or more frontline systems. The Oconee-3 frontline systems performing each of these functions for a transient and for a LOCA are given in Tables 2.2 and 2.3, respectively. A comparison of the frontline systems for Oconee-3, Arkansas-1, and Midland-2 is presented in Table 2.4. Note from this table that the frontline systems for these three plants are almost identical. A detailed description of the frontline systems operations and response to transients and LOCAs for Oconee-3 can be found in Appendix A of the OPRA,1 and in the FSAR.5

2.1.2 Success Criteria for the Frontline Systems

The Oconee PRA considers four general classes of initiating events:

1. Transients with successful scram.
2. Anticipated transients without scram (ATWS).
3. Loss-of-coolant accidents (LOCAs).
4. Steam generator tube rupture.

Even though not specifically stated in the Oconee PRA, the success criteria for the prevention of core damage are defined in terms of the minimum number of systems required to prevent core uncovery or excessive fuel clad temperature. In the case of ATWS, it is stated that incipient core melt is used for the definition of the success criteria. This definition is said to be based on realistic (best estimate) predictions.

The following subsections discuss the success criteria used in the Oconee PRA and compare them with those used in the Oconee RSSMAP study,2 the Arkansas PRA,3 and the Midland PRA.4 The following subsections also present the success criteria used in this BNL review whenever they differ from those of the OPRA.

2.1.2.1 Success Criteria for Transient Initiators

The success criteria used in the OPRA for transient initiators are summarized in Table 2.5. These criteria were reviewed and considered reasonable. Note that except for the "Feed and Bleed" success criteria (high pressure injection with relief through the PORV or SRVs), all the other criteria are the same as those used in the Oconee FSAR.5 In Tables 2.6 through 2.8, the success criteria used in the Oconee RSSMAP,2 the Arkansas PRA,3 and the Midland PRA4 are presented, and it can be seen that they are very similar to the ones used in the Oconee PRA.

2.1.2.2 Success Criteria for ATWS Initiators

The success criteria for ATWS initiators used in the OPRA are based on analysis performed by B&W.6,7 These success criteria, and those of the Oconee RSSMAP, Arkansas, and Midland, are also presented in Tables 2.5 through 2.8. From these tables the following conclusions can be made:

• The success criteria used in the OPRA and the MPRA are very similar, as are those used in the Oconee RSSMAP and the Arkansas PRA.

• The two sets of success criteria differ primarily in the assumption by the OPRA and the MPRA that a total loss of feedwater or failure of pressure relief will endanger the reactor integrity and perhaps result in a LOCA which can be mitigated by HPI and/or LPI.

This BNL review is in agreement with the success criteria used by the OPRA.

2.1.2.3 LOCA Success Criteria

The determination of the LOCA success criteria is briefly discussed. The OPRA approach, comparison with some other PRAs, and the BNL review are given in the following paragraphs.

The OPRA Approach

The OPRA provides success criteria for the small- and large-break LOCAs. Separate success criteria for the injection and recirculation phases are given. The derivation is based on several sources including the RSSMAP,2 the FSAR,5 and best-estimate calculations.

The OPRA provides the following explanations based on physical phenomena in establishing its success criteria:

1. For large LOCAs, depressurization actuates the LPI and the CFT. The BWST may be depleted in about 30 minutes by the LPI injection, requiring a manual transfer to the LPR mode. One CFT is needed for large LOCA to prevent excessive peak cladding temperatures and to provide injection flow during the early stages for the breaks at the lower end of the spectrum (4 to 10 inches). Breaks larger than 4 inches quickly depressurize the RPV to the point at which substantial LPI flow can be delivered. (This break size was chosen as the boundary between small- and large-break LOCAs.)

2. For small LOCAs, when the RBSS is actuated (because of loss of RBCS or when the reactor building pressure reaches the 10 psi set point), the BWST will be depleted in about two hours. Otherwise, it will suffice for HPI injection for at least 12 hours. When low-low level is reached in the BWST, assumed to occur at either two or twelve hours, manual operator action to align the HPR or the LPR is required.
3. For small LOCAs, there are two ranges of break sizes for which RPV pressure behaves differently if heat removal by the steam generators is lost. For breaks smaller than about 1.5 in., the RCS may not depressurize since the break alone provides insufficient capacity to remove decay heat. The RCS will tend to pressurize to the point at which the pressurizer PORV and/or SRVs cycle. It is stated in the OPRA that calculations indicate that the PORV/SRV discharge to containment will be sufficient to cause HPI automatic actuation at the 3 psi set point within one hour; this is the time at which core uncovery starts. Thus, the OPRA treats the two subgroups in the same way, as a simple group of small LOCAs.

The OPRA success criteria are summarized in Table 2.9. Note that a successful high pressure recirculation (HPR) consists of one of three HPI pumps, one of two LPI pumps, and one of two decay heat removal heat exchangers.

Comparison With Other PRAs

Table 2.9 compares OPRA success criteria with other PRAs; this table also presents the success criteria used in this review. It can be seen that either a 4-in. diameter or a 0.1-ft2 break criterion (the two are very similar) was used as a boundary between small- and large-break LOCA in all PRAs.

For the small LOCA range, there is almost total agreement on success criteria, the only difference being the case of an open SRV in the Arkansas IREP in which two HPI pumps were assumed to be necessary. The Midland PRA4 includes correspondence with B&W, in which B&W recommends the use of two HPI pumps for about 20 to 30 minutes, while later one HPI pump is stated to be sufficient. Since core damage with no HPI pump working is not initiated in less than 30 to 40 minutes, and no reason for the 2/3 HPI criterion is given in the IREP study,3 the validity of this criterion is difficult to judge.

For large LOCAs, two main differences can be noted:

a. The requirement for a HPI pump in addition to LPI in some PRAs in the injection phase for breaks in the 4- to 10-in. range.
b. The number of CFTs considered to be required.

OPRA has acknowledged the possibility of using HPI for the 4- to 10-in. break, but determined that rapid depressurization to the point of substantial LPI flow will occur (see item 1 in the preceding section). The correspondence with B&W included in the Midland PRA4 also touches on this and points out that LOCA analysis has not routinely explored all RCS pipe breaks outside the design basis conditions. In its response, B&W states that HPI pumps are necessary for smaller breaks where the pressure remains high for a longer time, and LPI pumps are necessary for large breaks where large amounts of water must be supplied to balance the rapid rate at which it is being lost.

This indicates that either HPI or LPI is generally needed, rather than both systems. Some old physical calculations (BAW-10052) show that a rapid pressure decrease (in less than 5 minutes) to below 200 psi is obtained for 0.5- and 0.3-ft2 breaks. Thus, uncertainty with respect to the success criteria seems limited to a narrow range of 0.1 to 0.2 ft2. This is smaller than the 0.1- to 0.6-ft2 range in which this success criterion is applied in the other PRAs. BNL judges that the Oconee PRA criteria for the entire range of large LOCAs are more realistic. Notwithstanding, the results of this review indicate that the effect of using a requirement for both HPI and LPI is very small.

The second difference among the PRAs is the number of CFTs required. The main reason CFTs are needed is to limit peak cladding temperatures (see item 1 in the preceding section). In the B&W response to the MPRA,4 it is stated that massive core damage would not be caused by CFT failure to operate, nor, in general, would CFTs substitute for the required LPI or HPI. On the basis of the above, BNL determined that the OPRA CFT success criterion is realistic and used the same criterion without change. The BNL evaluation of the large LOCA accident sequences (Section 5) revealed that the effect of requiring two CFTs rather than one on core damage frequency is very small.

2.1.2.4 Steam Generator Tube Ruptures Success Criteria

The SGTR is a special case of a very-small-break LOCA, i.e., the rupture causes a slow decrease in RCS pressure. The success criterion for the injection phase is one out of three HPIs, as in the small-LOCA case. Manual actuation of the HPI is considered necessary for the SGTR if feedwater to SGs is not available, and this is further discussed in the subsection on LOCA system response in Chapter 3.

The main difference between SGTR and a very small LOCA appears in the definition of the end states. For a SGTR, the most desirable end state is to achieve long-term cooling at cold shutdown; in this case, the success is established by achieving the entry conditions for Decay Heat Removal (DHR) and having the DHR system working (one out of two LPI trains including the heat exchanger, with suction from the RCS). If that fails, a long-term cooling at hot shutdown conditions can still be maintained by replenishing the BWST (success of the HPIS is implicit), or by using the HPR with the isolation of the affected steam generator. Table 2.10 compares the long-term cooling success criteria for small LOCAs and SGTR.

2.1.3 Support Systems

This section briefly discusses the major systems supporting the frontline systems in Oconee-3 and compares these systems with the corresponding support systems in the Arkansas Nuclear One and the Midland-2 plants. A summary of these systems for all three plants is presented in Table 2.11.

Electric Power System (ac and dc). The major characteristics of the Oconee-3, Arkansas, and Midland-2 electric power systems are summarized in Table 2.11. The most significant differences are:

• Oconee-3 has three ac load divisions, while Arkansas and Midland have only two.

• Oconee-3 uses the two Keowee hydroelectric generators and the 100-kV transmission system from the Lee Steam Station as the onsite power. Arkansas and Midland have two 4160-V emergency diesel generators.

Service Water System. The service water system [called low pressure service water system (LPSW) in Oconee-3] is designed to remove heat from plant auxiliaries which are required for a safe shutdown. Table 2.11 summarizes the features of this system for Oconee, Arkansas, and Midland. A comparison of the most important loads supported by the service water system is given below.

• For all three plants, the service water system is used by the reactor building cooling system, the HVAC room cooling, and the component cooling system.

• For Oconee and Arkansas, the service water system is directly used for cooling the motor of the HPI pumps (this cooling has an automatic backup from the high pressure service water system in Oconee).

• For Arkansas and Midland, the service water system is used for cooling the diesel generators.

• For Oconee, the service water system is directly used for cooling the emergency feedwater system (cooling of the steam-driven emergency feedwater pump is automatically backed up by the high pressure service water system). In Midland, only the motor-driven EFW pump is directly cooled by the service water system.

• In Arkansas, the low pressure injection and the spray pumps are cooled by the service water system. In Oconee, these pumps are only dependent on the service water system through the HVAC system. In a meeting with DPC, it was stated that the HVAC room cooling is no longer required for these pumps, since calculations show that they can operate for days without any room cooling; this consideration is included in the final analysis for the OPRA and for this review. In Midland, these pumps are cooled by the component cooling system.

• In Oconee, the decay heat coolers (decay heat exchangers) use the service water system for RCS cooling.

• In Midland, the service water system is shared by units 1 and 2.

It is important to note that the Oconee-3 service water system has interties with the same system on the other two units (Oconee-1 and -2), and also with the high pressure service water which is common for all three Oconee units.

Heating, Ventilation, Air Conditioning System (HVAC). This system is similar for all three plants. In Arkansas and Midland, it is stated that the HVAC is required for ac and dc switchgear rooms. The Oconee PRA does not use this as a requirement, nor does the Oconee FSAR. Since the OPRA and the Oconee FSAR were the main sources for the BNL review, this assumption was also used in this report. Table 2.11 summarizes the important loads for this system.

Instrument Air System. In the Arkansas PRA, it is claimed that several non-safety systems require air for proper operation and that safety-related components fail safe upon loss of air. In the Midland PRA, no analysis of the instrument air system is presented; however, the Midland FSAR makes the same claims as the Arkansas PRA.

In Oconee, the instrument air and the station air systems are considered as one system and referred to as the Compressed Air System. This system is very important for the proper operation of the MFW and EFW systems and the reactor coolant makeup system, and for the control of the flow rate of the service water used in the decay heat coolers. It is also important because much of the instrumentation depends upon the compressed air system. The importance of the compressed air system can be seen in the dominant core damage sequences presented in Section 5 and Appendix A of this report.

Engineered Safeguards Actuation System. This system is very similar for all three plants and a summary is given in Table 2.11.

Integrated Control System. This system's most important function is proper coordination between reactor, steam generators, main feedwater, and turbine during normal operation. Even though a complete (detailed) description of this system is not given in any of the FSARs or PRAs (the Oconee PRA is by far the best description), its major features are similar for the three plants. For Oconee and Arkansas, the present ICS design essentially eliminated ICS-caused failures of safety systems.

Component Cooling Water System. In Oconee-3, the only important function of the component cooling system is the cooling of the thermal barrier of the reactor coolant pump seals. In Midland, the component cooling system is more important than in Oconee because it is required by the following loads: decay heat removal heat exchangers, high pressure injection pumps seal coolers, low pressure injection pumps seal coolers, the reactor building spray pumps and coolers, and the RCP seal coolers.

In the Arkansas PRA, the component cooling water system is not mentioned.

2.1.4 Frontline and Support Systems Dependences

In Sections 2.1.1 and 2.1.3, the frontline and major support systems were briefly described. Major differences in the loads served by the support systems were also presented in the preceding section. To give a better perspective of the dependences among frontline vs support systems and support vs support systems in Oconee-3, Tables 2.12 and 2.13 present dependence tables to illustrate the functional dependences of these systems.

2.2 Initiating Events

This discussion of the selection of initiating events that could challenge the safety systems is divided into three parts. The first describes the approach used in the OPRA,1 the second compares this with the Midland,4 Arkansas,3 and RSS-PWR 2 approaches, and the third presents the results of the BNL review with respect to the choice of initiating events.

The OPRA considers the following general classes of initiating events:

a. Loss-of-coolant accidents (LOCAs),
b. Transients with successful scram (Tj),
c. Anticipated transients without scram (ATWS),
d. External events (analyzed in a separate report).

2.2.1 OPRA Initiators Selection

2.2.1.1 LOCA Initiators

The LOCA initiators are subdivided into two groups according to the size of the break and the corresponding frontline system response:

a. Large LOCAs - equivalent break size diameter about 4 in. or more, for liquid or steam breaks.
b. Small LOCAs - equivalent break size diameter about 4 in. or less, for liquid or steam breaks.

In addition, three other cases can be considered as belonging to these classes of initiating events:

a. Steam Generator Tube Rupture (SGTR). A 400-gpm flow rate from primary to secondary is considered representative of this initiator in the OPRA.
b. Reactor Pressure Vessel (RPV) rupture. OPRA assumes that RPV ruptures would be beyond the capability of engineered safety features.
c. Interfacing-System LOCA.

BNL considers this selection of LOCA initiators to be acceptable. BNL's only change was to divide the OPRA small LOCAs into two subgroups:

a. Very small LOCAs - equivalent break size diameter about 1.5 in. or less.
b. Small LOCAs - equivalent break size diameter between 1.5 and 4 in.

The advantage of this division is that it is more representative of the initiating-event frequencies for these break sizes as discussed in Section 3, and it allows for a better treatment of the automatic actuation of RBSS when the containment reaches 10 psi; in the upper-range break sizes (1.5 to 4 in.), the RBSS is automatically actuated even with the RBCS in operation. This is believed to be more realistic.

2.2.1.2 Transients With Successful Scram

The transient initiators for which scram is successful are divided into 14 different groups, imposing the same success requirement on the frontline system. They are characterized in the OPRA Table 3.5:

T1         Reactor/turbine trip
T2         Loss of main feedwater
T3         Partial loss of main feedwater
T4         Loss of condenser vacuum
T5SUBF     Failure of offsite power due to 230-kV substation failure
T5FEEDF    Failure of offsite power due to grid or feeder failure
T6         Loss of air
T7         Excessive feedwater
T8         Spurious engineered safeguards actuation signal
T9         Steam-line break
T10        Feedwater-line break
T11        Loss of ICS power bus 3XI
T12        Loss of low pressure service water
T12(108)   Loss of low pressure service water due to transfer closed of valve LPSW-108
T13        Spurious low pressurizer pressure signal
T14        Loss of 4-kV switchgear 3TC

The list of transient initiators used in OPRA was obtained by a systematic evaluation of several sources, of which the most important are the following:

a. An EPRI Survey8 of operating experience with PWRs in which 41 transient initiators are identified. Table 2.14 lists the grouping of some of these initiators into OPRA transient initiators' groups.
b. Feedback from the plant system review of all the safety-related and non-safety-related systems with special emphasis on support systems that could affect the frontline systems. Also, feedback from the event tree construction phase was incorporated.
c. The Oconee plant-specific experience.
d. The Reactor Safety Study10 -- Table 1.4-9 for PWR transients.

The review of the above sources, combined with the experience of the PRA team, resulted in a master list of 44 initiators which are shown in Table 3.3 of the OPRA. The grouping of these into 5 LOCA initiators and 14 transient initiators is given in Table 3.4 of OPRA. BNL considers this list and the qualitative grouping into the OPRA 14 transients to be correct; this is further shown in Section 2.2.3.

2.2.1.3 ATWS: Anticipated Transient Without Scram

If the reactor protection system fails to scram the reactor after any of the transient initiating events, then an ATWS results. OPRA combined the 41 transients of the EPRI report8 into the following 12 groups of ATWS initiators which correspond to those addressed by NRC9 and B&W6 reports:

1. Loss of condenser vacuum.
2. Turbine trip (TT).
3. Loss of main feedwater (LMFW).
4. Loss of offsite power (LOOP).
5. Load increase.
6. Loss of RCS flow.
7. Control rod withdrawal (CRW).
8. RCS depressurization.
9. Boron dilution.
10. Excessive cooldown.
11. MSIV closure.
12. Inactive RCS loop startup.

The collapse of the 41 EPRI initiators into this scheme is not provided in the PRA, nor is the relation between the 14 initiators used as initiators of the transients with scram and the 12 ATWS listed here. BNL has reproduced this relationship in order to review the quantification of the ATWS initiators. The grouping believed to be used in OPRA ATWS is shown in Section 4 where the BNL quantification of ATWS initiators is discussed.

OPRA has removed 8 of the above ATWS initiators, for the following reasons:

a. Numbers 11 and 12 are not directly applicable to Oconee-3.
b. Numbers 5 and 10 are insignificant contributors because of frequency smaller than 0.01 per year in B&W plants, and are bounded by LOOP and LMFW.
c. Numbers 7 and 9 again have low frequency and are bounded by other transients (TT).
d. Number 6 is not included in the ATWS analysis because it is accounted for in the LOOP event.
e. Number 8 is not included in the ATWS analysis because it is included in the case of a small LOCA or a stuck-open relief valve that causes the plant to scram on low RCS pressure. Since the failure of RPS occurs at low RCS pressure, the ensuing pressure surges will be smaller than for the other ATWS initiators. Furthermore, the loss of water inventory has the effect of creating a higher void fraction in the core that reduces the core power. Considering the less severe system response and the lower frequency of LOCA, it is not considered to be a significant ATWS contributor compared to the main four that are finally considered.

Thus, OPRA considers only four ATWS initiators for the accident sequence evaluation:

1. Loss of condenser vacuum.
2. Turbine trip.
3. Loss of main feedwater.
4. Loss of offsite power.

The OPRA ATWS analysis is a scoping analysis, and sequences that may contribute to core damage, but which have small impact, were not further addressed. On this basis, the choice of the above four initiators is considered appropriate.

The collapsing of the OPRA 12 transient initiators to the four ATWS initiators is not given in the OPRA. It is this review's assessment that the turbine trip group includes transients T1, T3, T7, Tg, T9, Tgg and Tg3; the loss of condenser vacuum group includes Tg; the loss of power group includes T5; and the loss of main feedwater group includes T2 and Ts.

The OPRA states that the ATWS scoping analysis has considered the initiators in a conservative way because of the grouping, and the use of all power levels (0-100% power). BNL agrees that the consideration of transients with power less than 25% is conservative, but believes that the overall grouping of initiators disregarding power level is a realistic representation of ATWS initiators.

The quantification of the ATWS initiators is reviewed in Section 4.

2.2.1.4 External Events

OPRA considers several external events in different depth and detail. Most detailed analysis is provided for internal floods and earthquakes. Other external events treated are fires, tornados, external floodings, and airplane crashes. The external events are considered in a separate report.

2.2.2 Comparison with Arkansas IREP³ and Midland PRA⁴

The Arkansas and Midland PRAs have systematically generated their initiating event lists in an effort to make them as complete as possible. Arkansas IREP claims to have performed a failure mode and effect analysis (FMEA) on the RCS piping and the frontline systems as well as their support systems. The RCS piping FMEA considered all break sizes and locations. The FMEA performed for transient initiators' identification considered frontline and support system response or their availability after a single fault in any of these systems.

The Arkansas analysis and the grouping of the initiating events resulted in eight groups of transient initiators and six groups of LOCA initiators. In addition, interfacing LOCA was also considered, although it was later disregarded because of very low probability of occurrence. The LOCA initiators for Arkansas are shown in Table 2.9. The use of more LOCA initiators is based on the different success criteria used, which were discussed earlier in Subsection 2.1.2.3. The eight transient initiators for Arkansas are also given in Table 2.11.

The Midland PRA similarly used a systematic and detailed approach to generate its initial list of 47 initiators. It constructed a master logic diagram searching for equipment malfunction that causes excessive offsite releases by degrading the main safety functions. The list of 47 initiators was further grouped into 25 initiators consisting of 6 LOCA initiators (including SGTR and interfacing LOCA), 10 transients, and 4 external event initiators.

The 10 Midland transient initiators are shown in Table 2.14 where they are compared with Arkansas and OPRA. The table shows the grouping of some of the transients in EPRI-NP-2230⁸ into the groups of the PRAs considered.

2.2.3 BNL Assessment of the Selection of Initiating Events

The three PRAs considered in the preceding sections have all used a systematic approach to generate a master list of initiating events and have grouped them into their final list of initiators which are considered to generate similar system response and have similar success criteria.

The LOCA subdivision was considered earlier in the discussion of LOCA success criteria where it was shown that on the basis of the more realistic success criteria used in the OPRA the large- and small-LOCA groups can represent the entire spectrum of breaks. The only change considered to provide a more realistic analysis is the division of the "S" group used in the OPRA into very small LOCAs, VS (<1.5 in.), and small LOCAs, S (1.5 to 4 in.).

Other LOCAs, e.g., interfacing LOCAs, are considered in all three PRAs.

SGTR is considered only in Midland and OPRA.

The transient initiator selection is compared in Table 2.14. It can be seen that OPRA accounted for all transient initiators considered in the other PRAs. Loss of air, which is considered separately in OPRA, was grouped in the Midland PRA into the loss of FW transient. It should be considered separately in OPRA because it also affects the availability of the emergency feedwater system. Loss of dc power, considered in Arkansas IREP, was also considered in OPRA in a special study of the electrical power supply system, and it was determined to be a minor contributor because of the high redundancy in the power system. This special study identified only T g as a significant initiator. Thus, BNL concludes that the list of 14 transient initiators in OPRA is acceptable.

It can be seen from Table 2.14 that OPRA has used, in some cases, a more refined grouping of transients. The loss of condenser vacuum which was treated separately in OPRA was included in loss of main feedwater in Arkansas and Midland PRAs. Loss of condenser vacuum in OPRA was considered to have lower (less successful) probabilities of recoveries than in the loss-of-main-feedwater transient sequences. The partial loss of feedwater which was separated out in the case of OPRA was treated differently in the other two PRAs; this can be recognized if it is noted that EPRI transients Nos. 15 and 22 are the main contributors to this group. Midland PRA includes both in the reactor trip case which does not affect any frontline system availability; Arkansas IREP includes part as turbine trip (No. 15) and part as the more severe transient of loss of main feedwater (No. 22). OPRA acknowledges the unavailability of part of the main feedwater system, and consequently its treatment of these initiators is more realistic.

2.3 References

1. A Probabilistic Risk Assessment of Oconee-Unit 3, NSAC/60, June 1984.
2. Kolb, G. J. et al., Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant, NUREG/CR-1659 (Vol. 2), May 1981.
3. Kolb, G. J. et al., Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One-Unit 1 Nuclear Power Plant, NUREG/CR-2787, June 1982.
4. Midland Nuclear Plant - Probabilistic Risk Assessment, Consumers Power Company and PLG Inc., May 1984.
5. Oconee Final Safety Analysis Report - Duke Power Company.
6. Analysis of B&W NSS Response to ATWS Events, BAW-1610, June 1980.
7. McBride, A. F. et al., Babcock & Wilcox Anticipated Transients Without Scram Analysis, BAW-10099, Rev. 1, May 1977.
8. McClymont, A. S. and Poehlman, B. W., ATWS: A Reappraisal - Part 3: Frequency of Anticipated Transients, EPRI NP-2230, Jan. 1982.
9. Anticipated Transients Without Scram for Light Water Reactors, NUREG-0460, Nov. 1981.
10. Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400, NUREG/75-014, 1975.

Table 2.1 Safety Functions for Oconee-3

1. Reactor subcriticality
2. Reactor coolant system (RCS) overpressure protection/RCS integrity
3. Core cooling
4. RCS inventory makeup
5. Containment overpressure protection
6. Radioactivity removal

Table 2.2 Oconee-3 Transient Safety Functions/Frontline Systems

Safety Function: Frontline System(s)

Reactor subcriticality
a. Reactor protection system (RPS)
b. High pressure injection system (HPIS)

Reactor coolant system (RCS) overpressure protection
a. PORV and SRVs

Core cooling
a. Power conversion system (PCS)
b. Emergency feedwater system (EFWS)
c. High pressure injection system (HPIS) and pilot-operated relief valve (PORV) or safety relief valves (SRVs)

RCS inventory makeup
a. HPIS

Containment overpressure protection
a. Reactor building cooling system (RBCS)
b. Reactor building spray system (RBSS)

Radioactivity removal
a. RBSS

Table 2.3 Oconee-3 LOCA Safety Functions/Frontline Systems

Safety Function: Frontline System(s)

Reactor subcriticality
a. RPS

Core cooling
. Injection phase
a. HPIS
b. LPIS
c. Core flooding system (CFS)
d. EFWS
e. PORV and SRVs
. Recirculation phase
a. High pressure recirculation system (HPRS)
b. Low pressure recirculation system (LPRS)
c. Decay heat removal system (DHRS)

Containment overpressure protection
. Injection phase
a. RBCS
b. RBSS - injection mode
. Recirculation phase
a. RBCS
b. RBSS - recirculation mode

Radioactivity removal
a. RBSS - injection and recirculation modes

Table 2.4 Comparison of Oconee-3, ANO-1, and Midland-2 Frontline Systems

Reactor vendor
  Oconee-3: B&W
  ANO-1: B&W
  Midland-2: B&W

Power (MWe)
  Oconee-3: 886
  ANO-1: 886
  Midland-2: 886

Containment
  Oconee-3: Dry
  ANO-1: Dry
  Midland-2: Dry

No. of PORV
  Oconee-3: One opening at 2450 psig
  ANO-1: One opening at 2450 psig
  Midland-2: One opening at 2260 psig

No. of SRVs
  Oconee-3: Two openings at 2500 psig
  ANO-1: Two openings at 2500 psig
  Midland-2: Two openings at 2500 psig

High pressure injection system
  Oconee-3: 3 pumps (2900-psig shutoff head). Injects into 4 RCS cold legs. Actuates upon RCS pressure of 1550 psig or containment pressure of 3 psig.
  ANO-1: 3 pumps (2900-psig shutoff head). Injects into 4 RCS cold legs. Actuates upon RCS pressure of 1500 psig or containment pressure of 4 psig.
  Midland-2: 3 pumps (3700-psig shutoff head). Injects into 4 RCS cold legs. Actuates upon RCS pressure of 1500 psig or containment pressure of 4 psig.

Low pressure injection system
  Oconee-3: 2 pumps (a third pump is available; it is normally valved out and is load shed). Injects into reactor vessel via 2 low pressure injection lines. Actuates upon RCS pressure of 550 psig or containment pressure of 3 psig.
  ANO-1: 2 pumps (190-psig shutoff head). Injects into reactor vessel via 2 low pressure injection lines. Actuates upon RCS pressure of 1500 psig or containment pressure of 4 psig.
  Midland-2: 2 pumps (200-psig shutoff head). Injection into reactor vessel via 2 low pressure injection lines. Actuates upon RCS pressure of 1500 psig or containment pressure of 4 psig.

Core flooding system
  Oconee-3: 2 tanks. Injects into reactor vessel via 2 low pressure injection lines. Actuation upon RCS pressure of 600 psi.
  ANO-1: 2 tanks. Injects into reactor vessel via 2 low pressure injection lines. Actuation upon RCS pressure of 600 psi.
  Midland-2: 2 tanks. Injects into reactor vessel via 2 independent injection lines. Actuation upon RCS pressure of 600 psi.

Reactor building cooling system
  Oconee-3: 3 containment fan coolers. Actuates upon containment pressure of 3 psig.
  ANO-1: 4 containment fan coolers. Actuates upon containment pressure of 4 psig.
  Midland-2: 4 containment fan coolers. Actuates upon containment pressure of 4 psig or RCS pressure of 1500 psig.

Reactor building spray system (containment spray system in Midland)
  Oconee-3: 2 pump trains. Sprays containment atmosphere via 2 spray headers. Actuates upon containment pressure of 10 psig.
  ANO-1: 2 pump trains. Sprays containment atmosphere via 2 spray headers. Actuates upon containment pressure of 30 psig.
  Midland-2: 2 pump trains. Sprays containment atmosphere via 2 spray headers. Actuates upon containment pressure of 30 psig.

Emergency feedwater system
  Oconee-3: 3 pumps (2 electric, 1 turbine). Injects into both once-through steam generators. Actuates on both main feed pumps trip, or low pressure at the discharge of both FW pumps.
  ANO-1: 2 pumps (1 electric, 1 turbine). Injects into both once-through steam generators. Actuates on reactor coolant pump trip, main feed pump trip, low steam generator level, low steam generator pressure.
  Midland-2: 3 pumps (2 electric,* 1 turbine, modified as per PRA). Injects into both once-through steam generators. Actuates on 3 out of 4 reactor coolant pump trip, both main feed pumps trip, low steam generator pressure, emergency core cooling actuation system.

Power conversion system
  Oconee-3: 3 electric condensate, 7 steam main feed. Normal post-trip steam generator cooling system.
  ANO-1: 3 electric condensate, 2 steam main feed, 1 auxiliary feed. Normal post-trip steam generator cooling system.
  Midland-2: 2 electric condensate, 2 steam main feed. Normal post-trip steam generator cooling system.

* The second electric pump was not considered in the definition of success criteria (see Table 2.8).

Table 2.5 Transient Success Criteria for Oconee

Subcriticality
  >6 control rod groups inserted into core by the reactor protection system (RPS)

Core cooling
  Given RPS success:
    Power conversion system (PCS)
    OR 1/3 emergency feedwater system (EFS) to one SG
    OR 1/3 high pressure injection system (HPIS) and PORV valve opens
    OR 2/3 HPI pumps and SRVs open
  Given RPS failure:
    PCS and HPI (1/3)
    OR 1/2 MD EFW pump, the TD EFW pump and one HPI pump

Reactor coolant system (RCS) overpressure protection
  Given RPS success:
    1/2 safety relief valves
    OR PORV open when demanded
  Given RPS failure:
    PORV and 1/2 SRVs open when demanded

RCS integrity
  All safety/PORV relief valves reset after opening

RCS inventory makeup
  1/3 HPIS

Containment overpressure protection due to steam evolution
  1/3 reactor building cooling system fan coolers
  OR 1/2 reactor building spray injection system

Post-accident radioactivity removal
  1/2 reactor building spray injection system

Borated water injection with HPI/LPI, given a RCS break.

The standby shutdown facility auxiliary service water system is also a successful means of core cooling.

Table 2.6 Transient Success Criteria for Oconee-3 (RSSMAP)

Subcriticality
  >6 control rod groups inserted into core by the reactor protection system

Core cooling
  Power conversion system
  OR 1/3 emergency feedwater system
  OR high-head auxiliary service water system
  OR 1/3 high pressure injection system

Reactor coolant system (RCS) overpressure protection
  1/3 safety/relief valves open when demanded

RCS integrity
  All safety/relief valves reset

Containment overpressure protection
  1/3 reactor building cooling system fan trains
  OR 1/2 containment spray system w/ recirculation

Post-accident radioactivity removal
  1/2 containment spray system

Table 2.7 Transient Success Criteria for Arkansas Nuclear One*

Subcriticality
  >6 control rod groups inserted into core by the reactor protection system (RPS)

Core cooling
  Given RPS success:
    Power conversion system (PCS)
    OR 1/2 emergency feedwater system (EFS)
    OR 1/3 high pressure injection system (HPIS) and 1/3 safety/PORV valves open
  Given RPS failure:
    PCS and HPIS and 2/2 safety relief valves open
    OR EFS and HPIS and 2/2 safety relief valves open

Reactor coolant system (RCS) overpressure protection
  Given RPS success:
    1/2 safety relief valves open when demanded
  Given RPS failure:
    2/2 safety relief valves open

RCS integrity
  All safety/PORV relief valves reset after opening

RCS inventory makeup
  1/3 HPIS

Containment overpressure protection
  1/4 reactor building cooling system fan coolers
  OR 1/2 reactor building spray injection system

*From Table A.4 in NUREG/CR-2787.

Table 2.8 Transient Success Criteria for Midland-2

Subcriticality
  59 out of 61 control rods

Core cooling
  Given RPS success:
    Power conversion system (PCS)
    OR 1/2 auxiliary feedwater system (AFWS)
    OR one high pressure injection system pump (HPIS) and 1/3 safety/PORV valves open
  Given RPS failure:
    PCS and HPIS (1/2)
    OR 1/2 AFW and HPIS (1/2)
    OR reactor vessel head lift, and one HPI and one LPI

Reactor coolant system (RCS) overpressure protection
  Given RPS success:
    1/2 safety relief valves
    OR PORV open when demanded
  Given RPS failure:
    . With turbine trip: 2/3 relief valves (PORV/SRVs) open
    . Without turbine trip: 3/3 relief valves open
    OR
    . Reactor vessel head lift

RCS integrity
  All safety/PORV relief valves reset after opening

RCS inventory makeup
  One HPIS pump

Containment overpressure protection due to steam evolution
  1/3 reactor building cooling system fan coolers
  OR 1/2 containment spray system

Post-accident radioactivity removal
  1/2 reactor building spray injection system

Table 2.9 A Comparison of OPRA LOCA Success Criteria with Other PRAs and the BNL Review¹

Break Size Oconee PR A - Oconee RSSMAP Midland PRA Arkansas IREP BNL Review O l a. sreg injection Recircula- Injection Recircula- Injection Recircula- Injection Recircula- Injection Recircula-Ilnchl Ift i Fhase tion Phase Phase tion Phase Phase tion Phase Phase tion Phase Phase tion Phase 0.5 0.001 1/3 HPR 1/3 HPR or ' or 0.003 11/2 LN 11/2 EFS t end . 1/2 HPl 1/2 HfR 1/3 HPl during In- 1/3 HPl Same as.

1.0 cooldownl ,

Joction Oconee N A 0.01 1/3 HPl If BwSe suf- 1/3 HPl 1/3 HPR and 1.5 fIce 12 hr 1/2 DHRSI 0.03 1/3 HfR If 2/3 HPl 1/3 HPR BwST suf- -----------

fIce 2 hr Same as same as 1/3 HPl Same as Same og Sameog above above above above above 4.0 0.1 1/3 HPI 1/2 HPl 1/2 L R and 1/2 LFR and 1/3 HPI 0.3 1/2 LP1 2 11/2 LPl' and 1/2 L m N or 1/2 LPI k 2/2 CFTl 1/2 LPI 1/2 Lm M 10.0 1/2 LPI 1/2 LPR and at 30 min and at 30 min 1/3 HPl 1/2 LPI 1/2 CFT when BwST 1/2 CFT when BwST and Saee and Same depleted depleted 13.5 1.0 1/2 LPI Same as I/3 HP1 above 1/2 LPI Same as and Same as and above 1/2 LPI above 2/2 CFT and 2

2/2 CFT

¹Success criteria for containment heat removal are nearly the same in all cases. One of three (four for Midland and Arkansas) RBCU or one of two RBSS are sufficient.

²Oconee RSSMAP also considered the following criteria at a later stage: 1/3 HPI and 1/2 LPI and 2/2 CFT for 4- to 10-inch breaks; 1/2 LPI and 2/2 CFT for >10-inch breaks.

  1. The differentiation between small and very small LOCAs in the BNL review was made for containment system responses; the success criteria are the same for both ranges in the BNL review.

Table 2.10 Comparison of Very Small LOCA and SGTR Success Criteria for the Long Term

LOCA Initiator: Success Criteria

Very small-break LOCA (<1.5 inch)
  1/3 HPR
  or [RCS cooldown and 1/2 LPR] if BWST suffice for 12 hours.

Steam Generator Tube Rupture (~400 gpm)
  [RCS cooldown and affected steam generator isolation and 1/3 HPR]
  or Replenishing BWST (success of HPI is implicit)
  or [RCS cooldown and 1/2 DHRS]

Table 2.11 Major Support Systems

Oconee-3 ANO-1 MIDLAND-2 Ac power system 3 load divisions 2 load divisions 2 load divisions

- 2 Keowee hydroelectric 2 4160-V emergency diesel. 2 4160-V emergency diesel generators generators generators

- 100-kV transmission system f ram the Lee steam station

. Several bus interties . Several bus interties . Several bus interties De power system 2 load divisions 2 load divisions 2 load divisions 2 125-v batteries 2 125-V batteries 2 125-V batteries Backup from Unit 1

. Bus Interties '. Limited bus Interties . Bus Interties Engineered safeguards . Actuates high pressure system, . Actuates high pressure system, . Actuates high pressure system, actuation system low pressure system, reactor low pressure systen, reactor low pressure system, reactor I building cooIIng system, reactor building cooling system, and building coollng system, and building spray system, and service several support system conpo- several support system compo-water system standby pung nents nonts 2 out of 3 logic actuates upon 2 out of 3 logic actuates upon 2 out of 3 logic actuates upon 3-psig/10-psig containment 4-psig/30-psig containerent pres- 4-psig/30-psig containment pressure or 1550-psig/550-pstg sure or 1500 psig RCS pressure pressure or 1500-psig RC$

RCS pressure pressure.

Service water system 2 pumps 3 pumps /2 pump trains 5 pumps /2 trains (shared by m units 1 and 2) g . Provides required support sys- ' . Provides required support sys- . Provides required support sys-w tem cooling for high pressure tem cooling for high pressure tem for component cooling sys-Injection system, low pressure systen, low pressure system, tem, reactor building cooling decay heat coolers, emergency spray system, reactor building system, HVAC room cooling, ,

feedwater system, reactor bulld- cooling system, HVAC room diesel generator cooling, AFWS .

Ing cooling system, HVAC room cooling, diesel generator cooling, component cooling cooling system Heating, ventilation, air . Required for low pressure injec- . Required for high pressure, low . Required for high pressure, conditioning systems tion and spray pump roces* pressure, spray pump rooms low pressure, spray pump rooms (HVAC)

. Required for ac and de switch- . Required for oc and de switch-gear rooms gear rooms

*No longer a requirement according to oral information given by DPC in a meeting held on 6/14 (BNL and NRC were present).

l Table 2.11 Continued Oconee-3 ANO-l MIDLAND-2 Integrated control system . Controls proper coordination . Controls proper coordination . Controls proper coordination between reactor, steam gen- between reactor, steem gen- between reactor, steam gen-rators, main feedwater, and orators, main feedwater, and orators, main feedwater, and turbine during normal operation turbine during normal operation turbine during normal operation

. Recent design upgrade has essen- . Recent design upgrade has flally eliminated ICS-caused essentially eliminated ICS-f ailures of saf ety systems caused failures of safety systems a

Instrument air . Several systems require Instru- . Several non-safety systems . Several non-saf ety systems ment air for proper operation, require Instrument air for require Instrument air for e.g. , MFW, EFW proper operation proper operation

. Safety-related components fall . Safety-related components fall safe upon loss of instrument sa8e upon loss of Instrument air air b


Table 2.12 Oconee Frontline vs Support System Dependences

Reactor protection system / /
High pressure injection/recirculation / / / /
Low pressure injection/recirculation/decay heat removal / / / / / /
Power conversion system / / / / / /
Emergency feedwater system / / / / /
Pilot-operated relief valve / / / /
Reactor building cooling system / / /
Reactor building spray system / / / / /
Standby shutdown facility
Core flooding system
High pressure injection system - makeup mode / / / / /

Table 2.13 Oconee Support vs Support System Dependences

Ac power X /
125-V dc power / X
Engineered safeguards system / / X /
Service water system / / / X / / / /
Compressed air system / / X / /
Component cooling system / / / / X
Condenser circulating water system / X
Recirculating cooling water system / / X
Integrated control system / / / X
Heating, ventilation and air-conditioning system / / X
Primary pressure control system / / X

Table 2.14 Comparison of Transient Initiators and Their Grouping in the Arkansas IREP, Midland, and Oconee PRAs

Each entry gives the transient initiator followed by its EPRI-NP-2230 grouping.

Arkansas IREP
  Turbine trip: 1, 2, 3, 6, 10, 14, 15, 17(50%), 23, 33, 34, 37, 38, 39
  Total interruption of the PCS (loss of main FW): 16, 17(50%), 18, 20, 21, 22, 24, 25, 29, 30
  Loss of service water
  Loss of offsite power
  Loss of ac power bus A3
  Loss of ac power bus B5
  Loss of dc power bus D01
  Loss of dc power bus D02

Midland PRA
  Reactor trip: 1, 2, 3, 8, 11, 12, 14, 15, 17, 21, 22, 23, 28, 36, 37, 38, 39, 40
  Turbine trip: 18, 33, 34
  Total loss of FW: 16, 24, 25, 27, 30
  MUPS malfunction: ---
  Excessive FW flow: ---
  ICS malfunction: ---
  Loss of service water: ---
  Loss of component cooling: ---
  Loss of offsite power
  Steam-line break: ---

Oconee PRA*
  Turbine trip (T1): 1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 26, 27, 28, 29, 33, 34, 36, 37, 38, 39
  Loss of main FW (T2): 16, 24
  Partial loss of FW (T3): 15, 21, 22, 23
  Loss of condenser vacuum (T4): 25, 30
  Loss of offsite power (T5): 35
  Loss of air (T6)
  Excessive FW flow (T7): 19, 20
  Spurious ESF signal (T8): 9
  Steam-line break (T9): ---
  FW-line break (T10): ---
  Loss of ICS bus KI (T11): ---
  Loss of service water (T12): 32
  Low PZR pressure signal (T13): ---
  Loss of ac power bus 3TC (T14)

*OPRA does not provide this grouping. They were generated from Table 5.8 by the BNL review.

3. ACCIDENT SEQUENCE DEFINITION

The objective of this section is to provide a discussion and major conclusions of the review on the following topics: 1) the OPRA3 accident sequence definition and the qualitative description of the functional event trees (Section 3.1), 2) the system fault trees that were used in the OPRA (Section 3.2), and 3) the various aspects of human performance analysis that entered into the risk assessment (Section 3.3).

3.1 Functional Event Trees

Subsections 3.1.1 through 3.1.3 briefly present the general methodology, the functional event tree development, and the treatment of dependences used in the OPRA,¹ respectively; an overview of the BNL comments, where applicable, is also presented. Subsections 3.1.4 through 3.1.6 present detailed discussions of the BNL qualitative review of the transients, LOCAs and steam generator tube rupture (SGTR), and anticipated transients without scram (ATWS), respectively. The analysis of the interfacing LOCAs for Oconee-3 does not require the use of event trees because it was assumed that the occurrence of the event results in core damage; therefore, in this report, the interfacing LOCAs are discussed in Section 5.

3.1.1 The General Methodology

An accident sequence is defined in the OPRA report as "a sequence of events leading to a core damage state of interest, the resultant break of the barriers to the release of the radionuclides in the core, and the transport of those radionuclides after their release." In this BNL review only the development and definition of the portion of the accident sequences up to the onset of core damage are reviewed; this corresponds with Chapters 3 to 8 in the OPRA. This portion of an accident sequence is referred to as "core-melt sequence" in the OPRA, and as "accident sequence" or "core damage sequence" in this review.

Three steps were taken by the OPRA to identify as completely as possible the core damage sequences for Oconee-3: 1) a search for the initiating events of interest; 2) the formulation of a set of safety functions necessary to prevent core damage; and 3) a detailed analysis of the plant-system failures that preclude the success of these functions. To link these three steps to obtain the core damage sequences in a systematic manner, an event tree/fault tree methodology similar to that used in the Reactor Safety Study (RSS)² was employed. The OPRA used a variation of the RSS approach, also called the small event tree/large fault tree method. In this method a supporting logic, sometimes called functional fault tree or top-level fault tree, is developed for each top-event function in the functional event tree.

OPRA began the development of the event trees by constructing event sequence diagrams (ESDs) and translating the ESD actions into top events for event trees, with a different event tree constructed for each initiating event. This process became unmanageable because of the number and complexity of the event trees developed. Therefore, functional event trees were developed for transients, LOCAs, SGTR, and ATWS. The top events of these functional event trees represent the initiating events and the safety functions necessary to avert core damage. The initiating events are discussed in Section 2.2, and the definition of the safety functions is reviewed in Section 2.1 of this report.

Since, as stated above, the OPRA uses the small event tree/large fault tree approach to link the functions (or top events) of the functional event trees to the detailed analysis of the plant-system failures (hardware or human errors, and the different initiating events including their interaction with equipment unavailability), an intermediate step was necessary. This step was performed via the construction of the supporting logic in which the top events are the functional event tree top events and the inputs are top events from the system fault trees and human errors.

3.1.2 Functional Event Tree Development

The functional transient event tree starts with an initiator followed by the subcriticality function. The success or failure of this function has a dramatic effect on the ability to achieve the other safety functions considered in the functional event tree. Therefore, the sequences with failure of the subcriticality function are developed on separate event trees (ATWS event trees). The next function is the preservation of the RCS integrity. Again, the impact of success or failure of this function is large. Its failure is transferred to the small-LOCA functional event tree. The LOCA event tree represents breaks in the RCS integrity due to pipe breaks or to transient-induced LOCAs (i.e., PORV/SRV stuck open or RCP seal failure). The next functions are associated with removal of heat from the reactor core, transfer of heat from the RCS, and long-term core cooling. The end points of the functional event trees in OPRA can be one of the following:

a) Successful hot or cold shutdown, and cooldown.

b) Bin I core damage: Early failure of core cooling following a transient-induced LOCA or a small-LOCA initiator (within about two hours after initiation).

c) Bin II core damage: Late failure of core cooling following a transient-induced LOCA or a small-LOCA initiator (within about 12 hours after the onset of the LOCA).

d) Bin III core damage: Early failure of core cooling following a transient.

e) Bin IV core damage: Late failure of core cooling following a transient.

f) Bin V core damage: Early failure of core injection following a large LOCA.

g) Bin VI core damage: Late failure of core recirculation following a large LOCA.

h) Transfer to other sequences, which will then result in one of the above seven end points.

The core damage bins for SG tube rupture were designated IR and IIR.

A successful shutdown and cooldown is considered to be hot shutdown in most cases. Cold shutdown is considered as the most desirable end state for the SGTR sequences.

3.1.3 Treatment of Dependences

The treatment of dependences within the accident sequences is inherent to the methodology employed in the OPRA and followed by the BNL review. An accident sequence was modeled with the SETS³ computer code by merging the initiating events, the top function in the event tree, its supporting logic, and the detailed system fault trees. The OPRA and the BNL review carefully used the same designators for the same basic events, and cross-reference of frontline system to support system was kept. Therefore, the minimal cut sets obtained for any sequences directly accounted for the system interdependences found in the analyses.
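The effect of shared basic-event designators described above, as an added example that is not part of the original report and is not the SETS code: a constructed two-system model is expanded to minimal cut sets, once with a single designator for the service water failure and once with a private copy in each system fault tree. All gate names, event names and numerical values are hypothetical.

```python
"""Toy event tree / fault tree linking: minimal cut sets for one sequence."""
from itertools import product
from math import prod

# Constructed values (hypothetical): initiator frequency per year and
# basic-event probabilities. Both private copies carry the same probability
# as the shared service water event.
VALUES = {
    "INIT-T": 1.0,
    "EFW-PUMPS": 1e-2,
    "HPI-PUMPS": 1e-2,
    "SW-FAILS": 1e-3,
    "SW-FAILS-EFW-COPY": 1e-3,
    "SW-FAILS-HPI-COPY": 1e-3,
}


def build_model(shared_designator=True):
    """Return a gate table {name: (kind, inputs)} for one core damage sequence.

    Names that are not keys of the table are basic events.
    """
    # Service water supports both frontline systems. With a shared designator
    # both fault trees reference the same basic event; otherwise each tree
    # carries its own private copy and the dependence is lost.
    sw_efw = "SW-FAILS" if shared_designator else "SW-FAILS-EFW-COPY"
    sw_hpi = "SW-FAILS" if shared_designator else "SW-FAILS-HPI-COPY"
    return {
        # Sequence: initiator AND failure of the core cooling function.
        "SEQUENCE": ("AND", ["INIT-T", "CORE-COOLING-FAILS"]),
        # Supporting logic: the function fails only if every path fails.
        "CORE-COOLING-FAILS": ("AND", ["EFW-FAILS", "HPI-FAILS"]),
        # System fault trees: own hardware OR loss of the support system.
        "EFW-FAILS": ("OR", ["EFW-PUMPS", sw_efw]),
        "HPI-FAILS": ("OR", ["HPI-PUMPS", sw_hpi]),
    }


def _absorb(cut_sets):
    """Drop duplicates and any cut set that contains a smaller cut set."""
    unique = set(cut_sets)
    return [cs for cs in unique if not any(other < cs for other in unique)]


def minimal_cut_sets(top, gates):
    """Expand a gate top-down into minimal cut sets (frozensets of events)."""
    def expand(node):
        if node not in gates:                      # basic event
            return [frozenset([node])]
        kind, inputs = gates[node]
        children = [expand(name) for name in inputs]
        if kind == "OR":                           # union of the alternatives
            sets = [cs for child in children for cs in child]
        elif kind == "AND":                        # one cut set from each input
            sets = [frozenset().union(*combo) for combo in product(*children)]
        else:
            raise ValueError(f"unknown gate type {kind!r} at {node!r}")
        return _absorb(sets)

    return sorted(expand(top), key=lambda cs: (len(cs), sorted(cs)))


def sequence_frequency(cut_sets, values):
    """Rare-event approximation: sum of the cut set products."""
    return sum(prod(values[event] for event in cs) for cs in cut_sets)


if __name__ == "__main__":
    for shared in (True, False):
        cuts = minimal_cut_sets("SEQUENCE", build_model(shared))
        label = "shared designator" if shared else "private copies"
        print(f"{label}: {sequence_frequency(cuts, VALUES):.3e} per year")
        for cs in cuts:
            print("   ", " * ".join(sorted(cs)))
```

With the shared designator the support-system failure appears as a cut set of its own next to the initiator and dominates the sequence; with private copies it only appears in three-event cut sets and the sequence frequency is underestimated by about an order of magnitude.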

Human error dependences were reviewed on a sequence-by-sequence basis. To avoid elimination of potentially important sequences, high screening values for human errors were employed in the quantification of sequences (see Section 5); these screening values were later modified when the sequences were individually reviewed.

3.1.4 The Transient Functional Event Tree

The OPRA constructed only one functional event tree for all transient initiators. This section presents the review of this functional event tree, including its supporting logic. It is important to note that the review of the transient functional event tree is in complete agreement with the OPRA. Therefore, only a brief discussion is given in this section, because there is no need to repeat the detailed description given in the OPRA, Section 3.3.

The transient event tree is modeled using the functional event tree given in Figure 3.1, and the function-oriented top events are listed in Table 3.1. The supporting logic for the top events in the functional event tree is given in Figures 3.2 through 3.8. Again, it should be emphasized that very few differences exist between this review and the OPRA; so Figures 3.2 through 3.8 in this report are almost reproductions of Figures 3.5 through 3.11 in the OPRA. Some event names were modified because the OPRA uses what is called the modularized system fault trees and this review uses the detailed fault trees.

The first top event evaluates the question of successful scram (K).

Where the scram is not successful, the sequences are transferred to the ATWS event trees (see Section 3.1.6). Otherwise, the evaluation of the function Q, loss of RCS integrity, follows.

Supporting logic for function Q (Figure 3.2) is developed to evaluate the different possibilities that could result in a stuck-open pressurizer PORV or SRV (gate Q02), or that could lead to a failure of the RCP seals (gate HPRCPF, transferred from the HPI system fault trees). The analysis of the progression of the transient accident sequences with failure of the RCS integrity, Q, is transferred to the event tree for small-break LOCAs (Figure 3.9).

Function B, failure to maintain heat removal from the core and RCS via the steam generators, is the next function. The development of the supporting logic for this function is given in Figure 3.3. The failure of the RCS heat removal would happen if:

a. All feedwater flow is lost (gate B02),
b. RCS circulation is lost (gates B03 and B04), and
c. Large feedwater line breaks occur (initiating event T10).

The success of function B indicates the achievement of hot shutdown, and failure indicates a demand for forced cooling by the HPI system to avoid core damage (feed and bleed). This mode of cooling requires the opening of the PORV or one SRV, event P, to provide a path for decay-heat-removal cooling, and the success of the HPI system, event UT. The failure of event P (Figure 3.4) is conservatively considered to lead to core damage; this is very conservative, but its contribution to core damage is negligible and this assumption is used for both the OPRA and the BNL review. Failure of the HPI system in the feed-and-bleed mode of operation is represented by UT (Figure 3.5) and includes the operator's failure to actuate the system, a procedural step in the Oconee Emergency Procedures [4].

The remaining events, YT, L, W, and XT, all relate to possible effects after HPI cooling is successful (feed-and-bleed mode of operation).

Event YT (Figure 3.6), failure to maintain RCS makeup supply, occurs if the reactor building spray system (RBSS) is actuated, depleting the inventory in the borated water storage tank (BWST). The occurrence of event YT affects the timing of events L, W, and XT, because the RBSS will empty the BWST much more rapidly than the HPI system alone. Event YT will occur if the reactor building cooling system fails (gate BCTOP), or if breaks (in feedwater condensate or steam line) inside containment actuate the RBSS and the operators fail to stop it in 30 minutes (YT02).

Event L indicates failure to recover RCS heat removal in the steam generators before the BWST is emptied (about two hours for sequences including YT and about 12 hours for sequences in which YT does not occur). If RCS heat removal is successfully recovered (success of L), the pressurizer relief valves must be reclosed to establish stable hot shutdown conditions. Failure of any of these valves to reclose, event W, results in a small-break LOCA and the sequences are transferred to the small-LOCA event tree. Finally, if RCS heat removal is not recovered before the BWST inventory is depleted (L), the failure to establish a long-term mode of HPI cooling, event XT, will result in core damage.

In conclusion, BNL's review of the OPRA functional event tree for transients found that it correctly represents a detailed qualitative model of the plant response.

3.1.5 The LOCAs Functional Event Trees

The OPRA constructed the following functional event trees for LOCAs.

• Small-break LOCA event tree.

• Large-break LOCA event tree.

• Steam Generator Tube Rupture (SGTR) event tree.

A supporting logic for the top events in the functional event trees was also developed, when necessary, for each of the above event trees.

This review basically agrees with the event trees and supporting logic used in the OPRA except that the OPRA treats the entire spectrum of breaks up to four inches in diameter as small-break LOCAs. The OPRA does acknowledge that for breaks smaller than about 1.5 inches in diameter [called very small LOCAs (VS) in this review] with no steam-generator cooling, the RCS will not depressurize and the HPI automatic initiation would not occur. However, the OPRA claims that calculations indicate that in these cases the RCS will tend to pressurize to the point at which the pressurizer PORV and/or SRVs will cycle and the containment pressure will increase to the set point (3 psig) of automatic initiation of HPI on high containment pressure in less than one hour (the time at which the core uncovery would start). This review did not benefit from these calculations, and on the basis of other analyses it assumes that for very small breaks the manual actuation of HPI will be necessary when steam-generator cooling is unavailable. Therefore, two identical functional event trees were constructed for small and very small LOCAs. Note that in the quantification of the sequences (discussed in Section 5), this difference was found to have no effect on core damage frequency, and because of this only the event tree for small LOCAs will be briefly discussed.

3.1.5.1 Small-LOCA Event Tree

The first question in the small-LOCA event tree, Figure 3.9, refers to the subcriticality function (K). If this function fails, a small-LOCA ATWS occurs; this sequence was not further characterized in the ATWS event trees because its contribution to core damage is very small by comparison with other ATWS.

Following a successful reactor trip (success of K), the availability of the HPIS (US) is asked. If the HPI fails, core damage occurs. Note that at this point (success of reactor trip), the transient sequences with loss of RCS integrity (TQ) are transferred in.

If HPIS is successful (success of US), the function "failure to maintain RCS makeup supply" (YS) is analyzed. If this function fails, either because the RBCS fails or because the operator fails to terminate the RBSS, the inventory in the BWST will be depleted in about two hours and the operators must start the high pressure recirculation (function XS with the occurrence of event YS; gate XS02 in Figure 3.10). Failure of this function (XS) results in core damage. Note that, for the very small LOCAs in this review, the RBSS is not automatically initiated unless the RBCS also fails.

If function YS is successful, the inventory in the BWST will be depleted in about 12 hours; at this time, a failure of high pressure recirculation and low pressure recirculation, if feedwater to steam generators was available (function XS, gate XS03 in Figure 3.10), results in core damage.
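The sequence logic of the transient tree (Figure 3.1) and its transfer into the small-LOCA tree (Figure 3.9) can be walked mechanically. The Python below is an added example, not code from the OPRA, SETS, or the BNL review; the function names, the flattened event labels (UT, YT, XT, US, YS, XS) and the `tripped` argument are assumptions made for the illustration.

```python
"""Walk the transient and small-LOCA functional event trees described in
Sections 3.1.4 and 3.1.5.1. Added illustration; names are assumptions.
Every argument called `failed` is the set of top events that FAIL."""
from itertools import combinations

TRANSIENT_EVENTS = ("K", "Q", "B", "P", "UT", "YT", "L", "W", "XT")


def walk_transient(failed):
    """Return (sequence, end state) for a transient initiator T."""
    failed = set(failed)
    if "K" in failed:                    # scram fails
        return "T K", "TWS"              # goes to the ATWS event trees
    if "Q" in failed:                    # stuck-open PORV/SRV or RCP seal failure
        return "T Q", "S LOCA"           # goes to the small-LOCA event tree
    if "B" not in failed:                # steam generators keep removing heat
        return "T", "NCM"
    if "P" in failed:                    # no relief path for feed and bleed
        return "T B P", "CM-III"
    if "UT" in failed:                   # HPI feed and bleed fails
        return "T B UT", "CM-III"
    seq = ["T", "B"]
    spray_on = "YT" in failed            # RBSS drains the BWST in ~2 h, not ~12 h
    if spray_on:
        seq.append("YT")
    if "L" not in failed:                # SG heat removal recovered in time
        if "W" in failed:                # a relief valve fails to reclose
            return " ".join(seq + ["W"]), "S LOCA"
        return " ".join(seq), "NCM"
    seq.append("L")
    if "XT" in failed:                   # long-term HPI cooling not established
        end = "CM-III" if spray_on else "CM-IV"   # early vs. late core damage
        return " ".join(seq + ["XT"]), end
    return " ".join(seq), "NCM"


def walk_small_loca(failed, prefix="S", tripped=False):
    """Return (sequence, end state) for the small-LOCA tree.

    `tripped` (an assumption of this example) marks sequences transferred in
    from the transient tree, where the reactor trip has already succeeded.
    """
    failed = set(failed)
    if not tripped and "K" in failed:
        return prefix + " K", "TWS"
    if "US" in failed:                   # HPI unavailable
        return prefix + " US", "CM-I"
    seq = [prefix]
    early = "YS" in failed               # BWST depleted in ~2 h
    if early:
        seq.append("YS")
    if "XS" in failed:                   # recirculation fails when BWST is empty
        return " ".join(seq + ["XS"]), ("CM-I" if early else "CM-II")
    return " ".join(seq), "NCM"


def resolve(failed_transient, failed_loca=()):
    """Follow a transient sequence through any transfer to the small-LOCA tree."""
    seq, state = walk_transient(failed_transient)
    if state == "S LOCA":
        return walk_small_loca(failed_loca, prefix=seq, tripped=True)
    return seq, state


def enumerate_transient():
    """Map every distinct transient sequence to its end state."""
    found = {}
    for n in range(len(TRANSIENT_EVENTS) + 1):
        for combo in combinations(TRANSIENT_EVENTS, n):
            seq, state = walk_transient(combo)
            found[seq] = state
    return found


if __name__ == "__main__":
    for seq, state in sorted(enumerate_transient().items()):
        print(f"{seq:<14} {state}")
    print(resolve({"B", "W"}, {"YS", "XS"}))
```

Enumerating all failure combinations collapses to the distinct branches of the transient tree, which is a quick consistency check of the encoded logic against the figure.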


3.1.5.2 Large-LOCA Event Tree

In the large-LOCA event tree (Figure 3.11), the first question is the availability of injection (UA), and its failure leads to core damage. With successful injection, the failure of the low pressure recirculation (XA) also results in core damage.

BNL and the OPRA are in complete agreement on the large-LOCA event tree.

3.1.5.3 SGTR Event Tree

The SGTR is treated in OPRA as a special case of a very small LOCA; Figure 3.12 shows the SGTR event tree. If all feedwater pumps are lost, the pressure in the RCS may not decrease to the ES actuation set point and, therefore, manual HPI actuation is assumed to be required in both the OPRA and the BNL review.

The requirements for long-term cooling of the SGTR sequences are different from those of other very small LOCAs, because cold shutdown is the most desirable mode of long-term stable condition. However, as discussed in Section 2, long-term cooling at hot conditions is also a stable end state for SGTR sequences.

The special supporting logic for the long-term cooling in the SGTR case was also accepted with no changes by BNL, and for completeness purposes it is given here as Figures 3.13 through 3.16; these figures are reproduced from Figures 3.19 through 3.22 in the OPRA.

3.1.6 ATWS Event Trees

As discussed in Appendix E of the OPRA, and in Subsection 2.2.1.3 of this report, all transient initiators were grouped in four classes for analysis of the ATWS accident sequences, i.e., turbine trip, loss of offsite power, loss of condenser vacuum, and loss of main feedwater. Thus, the OPRA presents four functional event trees for the ATWS analysis (Figures 3.17 through 3.20).

The ATWS sequences for B&W reactors have been studied in depth [5-9]. Several reports present different peak pressures for the case in which the reactor protection system fails to scram the reactor following a transient. The results in the report BAW-1610 [5], where it is shown that essentially the RCS components would survive a peak pressure smaller than 3900 psig, were used by the OPRA and also by this review as a basis for the analysis of ATWS sequences. For peak pressures higher than 3900 psig, the OPRA assumes that deformation in the RCS valves would increase unavailability of the systems used for injection of borated water from the BWST; this review agrees with this assumption.

Before the discussion of the ATWS event trees, it is important to provide the assumptions used in the OPRA and in several other PRA studies. The most important assumptions are described below according to the logical order of appearance in the OPRA ATWS event trees reproduced here in Figures 3.17 through 3.20 (Figures E-1 through E-4 in the OPRA).

1. Feedwater to Steam Generators - In the Crystal River PRA [10], it is stated that if feedwater (MFW or EFW) is available to the steam generators (SG) the core can be maintained in a stable condition without need for boration.

In the Midland [11] and ANO [12] PRAs, it is stated that with feedwater available to the SG, boration may be needed in certain cases (not explained) in order to maintain a stable state.

In the NRC analysis [9], it is assumed that during the 50% of the time that the moderator temperature coefficient (MTC) is favorable, the availability of feedwater to the SG requires boration in about 10 minutes in order to maintain stable conditions.

In the OPRA [1], it is assumed that for the fraction of time that the MTC is smaller than the 95% value (-1.04E-5 Δk/k °F), the availability of feedwater to the SG also requires boration; however, the time constraint is not like that of the NRC analysis [9].

2. Moderator Temperature Coefficient - In the Crystal River [10], ANO [12], and Midland [11] PRAs, the moderator temperature coefficient is not part of the analysis. In the NRC analysis, if the MTC is not favorable (i.e., Service Level C will be exceeded 50% of the time) core damage results.

In the OPRA, if the MTC is larger than the 95% value, i.e., -1.04E-4 Δk/k °F, a LOCA will result. In this case, since the peak pressure may exceed the 3900 psig threshold, deformation in the RCS valves may occur and the probability of failure to inject borated water is assumed to be 0.1 in the injection phase and 0.1 in the long-term phase.

3. Primary Pressure Relief - In the NRC [9] analysis, no consideration is given to the failure of the pressurizer PORV to open for pressure relief. In the Crystal River [10], Midland [11], and ANO [12] PRAs, the failure of the PORV to open is included but it makes no difference in the unavailability of the injection function if the SRVs open; note that it was assumed in the ANO analysis that the PORV block valve is always closed and the Midland PRA, on the basis of communication with B&W [11], assumes that for any peak pressure above 3200 psig the vessel head will lift and a LOCA will occur; no deformation of RCS valves will occur.

In the OPRA, the failure of the PORV, or of any of the SRVs, to open is assumed to cause a peak pressure bigger than 3900 psig, and a LOCA will result. For the unavailability of injection or long-term cooling, the same values in item 2 above (0.1) are used.

On the basis of the above information, this review is in qualitative agreement with the ATWS event trees constructed in the OPRA (Figures 3.17 through 3.20), and only the analysis of the turbine trip ATWS (Figure 3.17) will be discussed here.


The first two top events in Figure 3.17 evaluate the question of successful main feedwater, M, or emergency feedwater, L. For the case where both of these systems are not successful the OPRA assumes that a LOCA would occur and the injection of borated water from the BWST, function I, is still possible, and if this function is successful the question of long-term cooling, function X, is asked.

For the case where either main feedwater, M, or emergency feedwater is successful, the next top level fault, moderator temperature coefficient (MTC) smaller than the 95% value, event C, is asked. If the MTC is larger than the 95% value, a LOCA would occur and the availability of injection of borated water, I, and long-term core cooling, X, are evaluated. When the MTC is smaller than the 95% value, C, the pressure relief function, Po, follows. If the PORV or any one of the SRVs do not open, a LOCA results, and the functions I and X follow. If the relief valves do open (success of Po), the closure of the relief valves, Pc, is evaluated. If the relief valves do not stick open, injection of borated water, I, will still be needed to shut down the reactor. Failure of this function or failure of long-term cooling will result in core damage.

For the case in which any of the relief valves is stuck open, a LOCA occurs and injection of borated water, I, and successful long-term cooling are needed to avoid core damage.

3.2 System Fault Trees

The system fault trees are given in Appendix A of the OPRA. The following system fault trees are analyzed in the OPRA:

Ac Power System (AC)

Compressed Air System (CAS)

Core Flooding System (CFS)

Dc Power System (DC)

Engineered Safeguards System (ESS)

Emergency Feedwater System (EFS)

Heating, Ventilating, and Air Conditioning System (HVACS)

High Pressure Injection, Makeup, and Reactor-Coolant-Pump Seal Cooling System (HPIS)

Integrated Control System (ICS)

Low Pressure Injection / Recirculation System (LPIS)

Low Pressure Service Water System (LPSW)

Power Conversion System (PCS)

Primary Pressure Control System (PPCS)

Reactor Building Cooling System (RBCS)

Reactor Building Spray System (RBSS)

Standby Shutdown Facility (SSF)

For most of the systems above, the OPRA constructed a detailed fault tree and a modularized fault tree (or reduced fault tree). This modularization consisted of grouping into a single event large pieces of the logic that are independent of all other events in all the fault trees (this step was done by the analysts, not with a computer code like SETS [3]). In this review, only the detailed fault trees were reviewed because BNL intended to use the SETS [3] computer code to evaluate the accident sequences, and therefore the modularized fault trees.

A thorough review of each system fault tree was performed by BNL based on the drawings and information given in the OPRA [1] and the Oconee FSAR [13]. It is important to note that almost no logic or instrumentation diagrams were available to the BNL reviewers and thus some aspects of the review were not independently verified, e.g., logic for actuation of pumps or for the integrated control system. Even though these parts were not reviewed, a comparison of the level of detail used for these portions in other PRA studies [10-12] indicates that this omission does not seem to affect the results of this review.

The review of the OPRA system fault trees resulted in very small changes to several fault trees. Since none of these changes had any effect on the most important minimal cut sets for the systems or on the accident sequences, these modifications are not discussed.

In conclusion, the BNL review found that the OPRA fault trees adequately represent the failure modes for each system (based on the information described above), and the level of resolution in the OPRA detailed fault trees (down to component level, if data are available) is consistent with state-of-the-art PRA practice. Two states are considered for each component in the fault trees: either the component operates as designed or it fails. The following items were not included in the analysis of the failure of a component (or systems):

a. External events (including earthquakes, fires, floods, and tornados),
b. Sabotage,
c. Operator errors of commission.

The effects of external events are analyzed in Volume 2 of this report. Items (b) and (c) above are outside the scope of the PRA.

3.3 Human Performance Analysis

A human-reliability analysis was conducted as part of the OPRA [1] and its conclusions are presented in Chapter 6 and Appendix C of that document. Four categories of human errors were used. Their usual location in the logic trees is shown in Figure 3.21, and the four categories are defined as follows:

a) Unavailability errors (U): errors that occur before an initiating event; also called latent errors. These errors result in a system or component being unavailable and as such they are modeled at the subsystem or component level in the system fault trees.

b) Inadvertent actions (I): errors that occur when the operator unintentionally defeats the functions of a system during the course of an event. Typically, they are modeled at the subsystem or component level.

c) Operator inhibits (OI): errors that occur when an operator intentionally defeats the function of a system during the course of an event, because of misdiagnosis. These errors are typically modeled at the system level, i.e., at the top of the system fault tree.

d) Operator fails to (OF): errors that occur when an operator fails to perform a necessary action during the event. These errors are typically modeled at the system level. The OPRA also models the failure to recover a system's operation or to find alternative systems. Even though these errors also belong to the OF category, they are referred to as "recovery errors" and are normally modeled at the accident-sequence level to ensure that any factors specific to the sequence are appropriately considered.

The important human errors, with a description of the required action, the time available for the action (when appropriate), and the assessed probability, are given in Table 3.2. The BNL review is basically in agreement with the modeling approach and quantification of human errors used in the OPRA. Therefore, the human errors and assessed probabilities given in Table 3.3 are mostly taken directly from Table C.5 of the OPRA, Appendix C; a comparison of the human error probabilities used in the OPRA with those used in previous PRAs is given in Section 6.5 of the OPRA. Some additional recoveries were listed in Table 3.2 to reflect BNL assessment of the time available for recovery of the instrument air system. These additions, as will be seen in Section 5, have an important effect on the frequency of core damage calculated in this BNL review. It is important to note that these changes in recovery times were discussed with Duke Power Company, and an agreement was reached.

3.4 References

1. A Probabilistic Risk Assessment of Oconee-Unit 3, NSAC/60, June 1984.
2. Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400, NUREG/75-014, October 1978.
3. Worrell, R. B. and Stack, D. W., A SETS User's Manual for the Fault Tree Analyst, NUREG/CR-0465, Nov. 1978.
4. Oconee Nuclear Station Emergency Procedures, EP/0/A/1800/14 - Loss of Steam Generator Feedwater.
5. Analysis of B&W NSS Response to ATWS Events, BAW-1610, June 1980.
6. McBride, A. F. et al., Babcock & Wilcox Anticipated Transients Without Scram Analysis, BAW-10099, Rev. 1, May 1977.
7. Anticipated Transients Without Scram for Light Water Reactors, NUREG-0460, Nov. 1981.
8. Collier, R. P. et al., Selected ATWS Audit Calculations for Three PWR Designs, Battelle Columbus Laboratories, Dec. 1982.
9. Recommendations of the ATWS Task Force, Enclosure D, NRC.
10. Garcia, A. A. et al., Crystal River-3 Safety Study, NUREG/CR-2515, Dec. 1981.
11. Midland Nuclear Plant - Probabilistic Risk Assessment, Consumers Power Company and PLG Inc., May 1984.
12. Kolb, G. J. et al., Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant, NUREG/CR-2787, June 1982.
13. Oconee Final Safety Analysis Report - Duke Power Company.


Top events: T, K, Q, B, P, UT, YT, L, W, XT

| Sequence | Type-bin |
|---|---|
| T | NCM |
| T B | NCM |
| T B W | S LOCA |
| T B L | NCM |
| T B L XT | CM-IV |
| T B YT | NCM |
| T B YT W | S LOCA |
| T B YT L | NCM |
| T B YT L XT | CM-III |
| T B UT | CM-III |
| T B P | CM-III |
| T Q | S LOCA |
| T K | TWS |

NCM = no core melt; CM = core melt; TWS = transient without scram.

Figure 3.1 OPRA event tree for transient initiating events.

Figure 3.2 Supporting logic for transient event tree top event Q, failure of RCS integrity. Diagram note: with successful trip of the main feedwater pumps on high SG level (MFWPRF).

Figure 3.3 Supporting logic for transient event tree top event B, failure of RCS heat removal.

Figure 3.4 Supporting logic for transient event tree top event P, failure of RCS pressure relief.

Figure 3.5 Supporting logic for transient event tree top event UT, failure of core-heat removal by high pressure injection.

Figure 3.6 Supporting logic for transient event tree top event YT, failure to maintain RCS makeup supply.

Figure 3.7 Supporting logic for transient event tree top event W, failure to restore RCS integrity.

Figure 3.8 Supporting logic for transient event tree top event XT, failure of long-term core-heat removal.

Top events: S, K, US, YS, XS

| Sequence | Type-bin |
|---|---|
| S | NCM |
| S XS | CM-II |
| S YS | NCM |
| S YS XS | CM-I |
| S US | CM-I |
| S K | TWS |

Figure 3.9 OPRA event tree for small-break LOCA events.

Figure 3.10 Supporting logic for small-break LOCA event tree top event XS, failure of long-term cooling.

Top events: A, UA, XA

| Sequence | Type-bin |
|---|---|
| A | NCM |
| A XA | CM-VI |
| A UA | CM-V |

Figure 3.11 OPRA event tree for large-break LOCA events.

Top events: R, K, BR, UR, O, XR

| Sequence | Type-bin |
|---|---|
| R | NCM |
| R XR | NCM |
| R XR O | CM-IIR |
| R UR | CM-IR |
| R BR | NCM |
| R BR XR | NCM |
| R BR XR O | CM-IIR |
| R BR UR | CM-IR |
| R K | TWS |

Figure 3.12 OPRA event tree for SGTR initiating events.

Figure 3.13 Supporting logic for SGTR event tree top event BR, failure of RCS heat removal.

Figure 3.14 Supporting logic for SGTR event tree top event UR, failure of RCS heat removal.

Figure 3.15 Supporting logic for SGTR event tree top event XR, failure to achieve long-term cooling at cold shutdown.

Figure 3.16 Supporting logic for SGTR event tree top event O, failure to maintain long-term cooling at hot conditions.

Figure 3.17 OPRA scoping event tree for turbine trip with failure to scram.

Note: OK = no core melt or LOCA; OK(a) = relief-valve LOCA with successful mitigation; OK(b) = pressure-boundary LOCA with successful mitigation.


Figure 3.20 OPRA scoping event tree for loss of main feedwater with failure to scram.

Note: OK = no core melt or LOCA; OK(a) = relief-valve LOCA with successful mitigation; OK(b) = pressure-boundary LOCA with successful mitigation.

Table 3.1 Top Events in the Transient Event Trees

Event | Description
T | Occurrence of a transient initiating event
K | Failure of the RPS to trip the reactor
Q | Loss of RCS integrity
B | Failure of RCS heat removal via the steam generators
P | Failure to provide RCS pressure relief
UT | Failure of core-heat removal by HPI cooling
YT | Failure to maintain RCS makeup supply
L | Failure to recover RCS heat removal
W | Failure to reestablish RCS integrity
XT | Failure to maintain long-term core-heat removal

Table 3.2 Important Human Errors in the OPRA

Event | Description | Assessed Probability
YRBSH | Operator fails to terminate RB spray (given RB cooling available) to extend availability of suction for HPI during small-break LOCA | ~0.5
 | Operator fails to initiate HPR after a small LOCA: |
XHPR2H | In 2 hr | 0.003
XHPR12H | In 12 hr | 0.0003
UTHPIH | Operator fails to attain or maintain HPI cooling in about 40 min after the loss of all feedwater | 0.01
 | Operator fails to recover feedwater in 30 min: |
REFDW1 | One alternative available | 0.5
REFDW2 | Two alternatives available | 0.3
REFDW3 | Three alternatives available | 0.1
 | Operator fails to recover instrument air: |
REIA1 | In 1 hr | 0.5
REIA90 | In 90 min | 0.4
REIA2 | In 2 hr | 0.3
REIA6 | In 6 hr | 0.04
REIA12 | In 12 hr | 0.0024
TREFWSUC(a) | Failure in transfer of EFW suction to hotwell | 0.15
CW157VV1H(a), CW391MV2H(a) | Operator fails to maintain suction supply to the steam-driven EFW pump by opening valve CW-391 and closing valve CW-157 (totally coupled) | 0.1
CW391MVH(a) | Valve CW-391 not restored after maintenance | 0.001
RESW12 | Operators fail to recover LPSW from another unit before failure of the HPI pumps (in about 30 min after RCP trip) | 0.014
RESW108 | Operator fails to recover LPSW to the HPI pumps given valve LPSW-108 transfers closed (discharge path blocked) | 0.11
RECCW73 | Operator fails to recover LPSW to the HPI pumps given valve CCW-73 transfers closed (discharge path assumed to be blocked) | 0.11
RESSFS1 | Operator fails to provide RCP seal injection from the SSF within 30 min of losing seal cooling via HPI | 0.1
LPTHROTTLE | Operator fails to throttle injection valves to prevent pump runout during LPR for a large-break LOCA | 0.003
XALPRH | Operator fails to achieve LPR after a large-break LOCA | 0.005
OBWSTH | Operator fails to refill BWST after an SGTR | 0.5
RECC8 | Operator fails to jack open AOV CC-8 after closure due to loss of instrument air | 0.2
REDHRSUC | Operator fails to locally open suction valves to permit motor operators | 0.1
REEM0D12 | Operator fails to restore ac power by manually closing an "E" breaker | 0.1
 | Operator fails to restore power to load-shed IA compressors (after loss of offsite power due to failure of feeders to the Oconee switchyard): |
REFEEDAIR1 | In 1 hr | 0.013
REFEEDAIR90 | In 90 min | 0.011
REFEEDAIR2H | In 2 hr | 0.011
REFEEDAIR12d | In 12 hr | 0.0012
REHPPPCS | Operator fails to allow standby HPI pump C to remain idle until restoration of pump cooling | 0.05
RESSFW12H | Operator fails to initiate ASW from the SSF in 12 hr (human portion) | 0.001
RESSFW30 | Operator fails to initiate ASW from SSF in 30 min from loss of feedwater | 0.1
 | Operator fails to restore power to load-shed IA compressors (after loss of offsite power due to failure of the Oconee switchyard): |
RESUBAIR1 | In 1 hr | 0.034
RESUBAIR90 | In 90 min | 0.025
RESUBAIR2 | In 2 hr | 0.022
RESUBAIR12 | In 12 hr | 0.004
RESUMPMF | Operator fails to locate and isolate leakage from emergency sump via valves LWD-99 and LWD-103 before flooding HPI pump motors | 0.1
SW71VVH(b), SW72VVH(b) | Valves supplying LPSW to LPI coolers left unavailable after maintenance | 0.002
LPPSTOPH | Operator fails to turn off LPI pumps to prevent dead-heading during small-break LOCA | 0.0008
LP28VVCH(b) | BWST suction valve LP-28 left closed after maintenance | 0.000028
LWD99103H(b) | Valves LWD-99 and LWD-103 left open after maintenance | 0.0006
BRSGH | Operator fails to steam the affected steam generator during an SGTR | 0.01
HP242GMVH(b) | MOVs HP-24 and HP-25 (HPI ES suction valves) left unavailable | 0.00005
LP15MVMH(b) | MOV LP-15 not restored after maintenance | 0.0018
LP16MVMH(b) | MOV LP-16 not restored after maintenance | 0.0018
SW3BPPSH(b) | Operator fails to start standby LPSW pump | 0.008
SW7778CMH(b) | Manual valves LPSW-77 and -78 both left closed | 0.003
SWC89VVH(b) | Manual valve CCW-89 inadvertently left closed | 0.0008
SWEECCH(b) | Manual valves LPSW-513 and -518 inadvertently left overthrottled | 0.0002
XRDHRH | Operator fails to successfully initiate DHR after an SGTR | 0.0003

(a) All these actions plus hardware failures are included in the TREFWSUC.

(b) Unavailability errors (U).

4. DATA ASSESSMENT.

This section reviews the numerical values of the parameters necessary for the quantification of the accident sequences.

Subsection 4.1 includes the OPRA frequencies for the initiating events and the BNL reassessment; comparison with other PRAs is also given. The data base used in the OPRA for component failure rate and maintenance, with BNL comments and modifications (if appropriate), is presented in Subsections 4.2 and 4.3, respectively.

4.1 Frequencies of Initiating Events

4.1.1 The Quantification of Initiating Events in OPRA

The OPRA¹ considered 21 initiating events, as discussed in Section 2.2. Their frequency quantification was performed using two general approaches:

a. Use of generic nuclear power plant data to obtain a population prior and updating it with Oconee-specific experience. Most of the transients with scram were treated in this way.
b. Use of special studies such as a fault tree analysis, component failure data, or experience from other industries to evaluate the frequencies of plant-specific initiators, e.g., loss of air and loss of LPSW. In most of these cases, the basis for performing a special study was the belief that plant-specific design characteristics would provide a more realistic assessment than operating experience taken from other, not always similar, plants.

The quantification by the case (a) approach sometimes lacks sufficient supporting information in the OPRA. The main missing link was the "grouping matrix" used in the reduction of the EPRI NP-2230² experience from 41 transients into the OPRA set of initiators.

The initiating-event frequencies used in OPRA are shown in Table 4.1, as are BNL values with differences and comments; further discussion is presented in the next subsections.

4.1.2 BNL Assessment of the Initiator Frequencies

4.1.2.1 Transient Initiators With Successful Scram

In this subsection, BNL discusses the transient initiators that were evaluated on the basis of EPRI NP-2230.² This report includes 36 PWR plants and a separate section on B&W plants in particular. It provides data on 41 different transient initiators for these plants.

The grouping of the 41 EPRI transient initiators into the corresponding OPRA event categories is not provided. BNL derived this grouping, and the results are given in Table 2.14, where a comparison with the grouping reported in the Midland and Arkansas⁴ PRAs is also provided.

The following points can be made on the basis of this comparison:


1. Transients of MSIV closure (EPRI Nos. 17 and 18) are not considered in OPRA because this plant does not have MSIVs.
2. Manual trips by the operator (EPRI transient No. 40) are not considered in OPRA. They are considered as part of turbine trip in MPRA.
3. OPRA treats transients with PCS interruption more realistically by dividing them into four subgroups.
4. Midland PRA chose to treat the "low pressurizer pressure" transient (EPRI No. 6) as events leading to very small LOCAs. OPRA does not have this category. It is covered by the small-LOCA group for breaks ranging from 0.5 to 4 in. [see Section 4.1.2.3(a) for further discussion].
5. All other differences in the grouping are in low-frequency events with small effect on the frequency of the initiating-event category.

The generic plant-population initiating-event data used in OPRA and summarized in Table 5.8 of that report were taken from the EPRI report² with some modifications:

a. OPRA did not include the short experience from the Indian Point 3 plant.
b. OPRA used plant data for "full years," and neglected reported experience from the last year if it covered less than half a year of operation.

BNL believes that the use of the entire EPRI² data without modifications is more consistent; however, the effect of these modifications is very small.

The Oconee plant-specific data in Table 5.8 of OPRA were derived from the operating experience of all three Oconee units, because of their similarity in design and operating characteristics. OPRA states that "the principal sources of operating histories of the three Oconee units were incident reports, LERs, evaluations of operating experience and the allowable operating transients logs." The OPRA provides in Appendix B6 several tables of the operating transient logs, summarizing 120 unit-trip events for all three Oconee units, covering the period from the date of their effective service to the end of March 1980 -- a total of 17.5 plant-years. BNL has reviewed these trip summaries and, on the basis of the short description given for each one, has grouped them according to OPRA initiating-event categories. In Table 4.2, this grouping is compared with that of the OPRA (Table 5.8 of OPRA) and EPRI NP-2230² for the three Oconee units. It is apparent that the OPRA used the EPRI categorization for the Oconee units, but modified it with information from the Oconee trip summaries given in Appendix B6 of the OPRA.

Table 4.2 shows that from the evidence from the unit trip summaries, 15 occurrences of partial loss of MFW (T3) of the EPRI categorization were recategorized as turbine trip transients (T ),3 and as loss-of-MFW transients (T2). BNL agrees that the unit trip summaries support this change and made the same modification in its reevaluation. However, on the basis of the unit trip summaries, BNL considered that three events of loss of MFW could also be categorized as precursor events of the types T11, T13 and a case of turbine-bypass-valve (TBV) failure. As will be discussed later, the frequencies derived for T11 and T13 in OPRA are consistent with the experience of one event in 19 reactor years. The TBV-failure transient was included by BNL in T3 -- steam-line break.

The generic plant-population initiating-event data of the 35 PWRs were used by OPRA to generate a prior event-frequency distribution for each of the transient categories. The Oconee operating histories were used to generate a posterior event-frequency distribution by means of the Bayesian updating process. BNL has redone this calculation with its own code,⁵ which uses a gamma-function event-frequency model as opposed to the OPRA code's lognormal event-frequency model. Comparison of the results in Table 4.3 shows a general agreement for the mean values and less of an agreement with respect to the uncertainty in the event frequencies, which is to be expected because of the different event-frequency distributions; it occurs primarily in cases in which strong evidence is lacking. One difference between the BNL and the OPRA results is the case of Ts. Since it has no effect on the core damage frequency, it was not further pursued by BNL.
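The effect of the prior family described above can be reproduced in a small added example (this is not the BNL or OPRA code). It performs a one-stage update, which is simpler than the two-stage method the report describes, of a gamma prior and a lognormal prior that share the same mean and standard deviation. The prior values (0.1 per year for both) are constructed for illustration; the evidence is the "one event in 19 reactor years" case quoted in this section.

```python
import math


def gamma_update(prior_mean, prior_sd, events, years):
    """Gamma prior moment-matched to (mean, sd), updated with Poisson evidence.

    The gamma family is conjugate to the Poisson likelihood, so the posterior
    is Gamma(alpha + events, beta + years) in closed form.
    Returns (posterior mean, posterior standard deviation), both per year.
    """
    alpha = (prior_mean / prior_sd) ** 2      # shape
    beta = prior_mean / prior_sd ** 2         # rate, in years
    a, b = alpha + events, beta + years
    return a / b, math.sqrt(a) / b


def lognormal_update(prior_mean, prior_sd, events, years, steps=4000):
    """Lognormal prior with the same (mean, sd), updated numerically.

    There is no closed form, so the posterior is integrated on a uniform grid
    in x = ln(frequency), where the prior is normal with mean mu, variance s2.
    Returns (posterior mean, posterior standard deviation), both per year.
    """
    s2 = math.log(1.0 + (prior_sd / prior_mean) ** 2)
    mu = math.log(prior_mean) - s2 / 2.0
    half_width = 8.0 * math.sqrt(s2)          # grid spans mu +/- 8 sigma
    h = 2.0 * half_width / steps
    xs = [mu - half_width + i * h for i in range(steps + 1)]
    # log(prior density in x) + Poisson log-likelihood, constants dropped
    log_w = [-(x - mu) ** 2 / (2.0 * s2) + events * x - years * math.exp(x)
             for x in xs]
    top = max(log_w)                          # rescale before exponentiating
    w = [math.exp(v - top) for v in log_w]
    norm = sum(w)
    m1 = sum(wi * math.exp(x) for wi, x in zip(w, xs)) / norm
    m2 = sum(wi * math.exp(2.0 * x) for wi, x in zip(w, xs)) / norm
    return m1, math.sqrt(m2 - m1 * m1)


def compare(prior_mean, prior_sd, events, years):
    """Posterior (mean, sd) under both prior families for the same evidence."""
    return {
        "gamma": gamma_update(prior_mean, prior_sd, events, years),
        "lognormal": lognormal_update(prior_mean, prior_sd, events, years),
    }


# Constructed prior (assumption, not a value from the report).
PRIOR_MEAN = 0.1   # events per year
PRIOR_SD = 0.1     # events per year
# Evidence quoted in the text: one event in 19 reactor-years.
EVENTS, YEARS = 1, 19

if __name__ == "__main__":
    for name, (mean, sd) in compare(PRIOR_MEAN, PRIOR_SD, EVENTS, YEARS).items():
        print(f"{name:10s} posterior mean = {mean:.4f}/yr, sd = {sd:.4f}/yr")
```

With this weak evidence the two models agree closely on the posterior mean (about 0.069 per year) but not on its spread, which is the pattern the comparison in Table 4.3 is reported to show.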

4.1.2.2 Comparison With Other Studies

BNL has considered the Midland PRA,³ the Arkansas-IREP,⁴ and a B&W Owners Group report⁶ in its comparison of initiating-event frequencies. Table 4.4 gives a comparison of all three sources, and the OPRA and the BNL values.

Some comments on the main differences follow:

a. The higher turbine trip frequencies for Arkansas and Midland are the results of using EPRI NP-2230 point estimates in the first case and one-stage Bayesian analysis in the latter case, whereas OPRA updated the generic EPRI data with Oconee plant-specific experience using two-stage Bayesian analysis; the Oconee plants experienced fewer turbine trips than the average PWR population. The posterior reflects the lower frequency of turbine trips (and transients in general) experienced by the Oconee units. Note that EPRI NP-2230² data reflect 9.7 transients per year for an average PWR vs 6.5 transients for the B&W plants. As seen from Table 2.14, the turbine-trip transients category in the Arkansas-IREP includes, in part, the case of a partial loss of MFW, which in OPRA is considered part of another group.
b. The higher loss of MFW frequencies in the Arkansas and Midland studies are partly due to the inclusion of the loss of condenser vacuum transients in this category.
c. If the transients related to the interruption of the power conversion system (T2, T3, Tu, and T7) are evaluated together, it can be seen that in OPRA and BNL their frequencies are higher than in MPRA, Arkansas-IREP, or the B&W Owners Group cases (e.g., 1.6 in OPRA vs 0.9 in MPRA). This is because EPRI transient No. 15 -- loss or reduction in FW flow (1 Loop), which is considered in OPRA as partial loss of FW, is included in the turbine trip category in the other PRAs.


d. Loss of offsite power in OPRA is plant specific, while it is evaluated generically in the other studies.
e. Excessive FW transient in OPRA is plant specific. It is smaller than in the other studies because Oconee experienced only one event.
f. The B&W Owners Group study assesses a frequency of 0.052 for small steam-line breaks. MPRA groups TBV failures in the same category as steam-line breaks. On the basis of these, BNL included the one case of a TBV failure event identified in the Oconee trip summaries in this category, and obtained a frequency of 0.053; this may be conservative but, as shown in Section 5, its effect on the total core damage frequency calculated in this review is small.
g. On the basis of MPRA, the B&W Owners Group, and the fact that Oconee experienced events of ICS malfunctions in the past, a value corresponding to one event in 19 years was used by BNL for T11. In assuming one event only, BNL gave credit to design changes made to rectify the past incidents.
h. Other significant differences are discussed in the next subsections on the quantification of special "rare-event" initiators.

4.1.2.3 Treatment of "Rare-Event" Initiators

OPRA derived the frequencies of some initiators in a special study considering additional sources of information beyond the EPRI NP-2230² and the plant trip summaries.

a. Pipe Break Initiators (T9, T10, A, S, and R)

Initiating-event categories T9, T10, A, S, and R are evaluated in OPRA on the basis of reported events of pipe breaks or leakages that occurred in one of the 35 plants considered in the OPRA Table 5.8. The experience considered in the OPRA is:

T9: One event of a rupture of a 6-in. steam line in H. R. Robinson Unit 2 in April 1970.

T10: No event experienced in U.S. nuclear power plants.

S: One event that occurred in Zion Unit 1 in 1975.

A: No event experienced.

R: Three events of SG tube ruptures with leakage rates greater than 100 gpm: Surry Unit 2, November 1972, Point Beach Unit 1, February 1975, and Prairie Island Unit 1, October 1979.

A two-stage Bayesian analysis was applied to the above generic data and the Oconee plant-specific experience, which reflects none of the above events in any of the three units.

BNL accepted the operating experience provided as basis for T9, T10, A, and R frequencies. For small LOCA (S), BNL considered that the Zion 1 event is applicable to the breaks ranging from 1.5 to 4 in. in diameter. For breaks smaller than 1.5 in., denoted in the BNL review by the group "very small" or VS, BNL has considered the event of a seal failure in H. R. Robinson Unit 2 that occurred in May 1975, and added the frequency of 3.0 × 10⁻³ for the group of very small LOCAs that are not induced, but are caused by very small pipe breaks or by the spontaneous failure of the RCP seal itself.

MPRA has also used separate groups for the small and very small LOCAs (see Table 4.4). The very small LOCA in MPRA is derived from PWR experience given in the EPRI NP-2230 data for transient No. 6. This resulted in a mean value of 5.2 × 10⁻³. However, the applicability of this frequency estimation to the Oconee situation is not obvious. The B&W Owners Group report⁶ provides a value of 8.3 × 10⁻³ stated to be due mainly to seal LOCAs and referred to the precursor study (NUREG/CR-2497).⁷ The precursor study in Table C.1 (page C.8) shows that the H. R. Robinson event is responsible for 5 × 10⁻³/yr out of the total of 8.3 × 10⁻³/yr evaluated for very small LOCA (defined as breaks less than 1.5 in. in diameter).

In Table 4.3 the results of the two-stage Bayesian analysis performed in OPRA for these initiators are shown. The set of LOCA frequencies used in the BNL review is given in Table 4.1.

b. Loss of Offsite Power (T5)

The OPRA frequency of loss-of-offsite-power (LOOP) events was evaluated on the basis of the EPRI NP-2301 (1982) study. The data for the Southern Electric Reliability Council (SERC) nuclear power plants were used and include three LOOP events in 65 site-years. The Oconee site was assumed to have experienced one LOOP event (on 1/4/74). A two-stage Bayesian analysis was employed in OPRA using a gamma density function to represent the distribution of the LOOP frequency for each of the SERC plants. The analysis resulted in a mean annual frequency of 0.17 for LOOP at the Oconee site.

BNL reviewed this evaluation by using more recent data sources: the NSAC-80 (1984) report⁹ and the NUREG-1032 (1985) draft.¹⁰ They include 14 LOOP events for 105 SERC site-years; both reports have almost identical lists of LOOP events. The small differences between the data given in these two studies are believed to result from further evaluation of the LERs of a few of the reported events. Using the more recent data for the SERC, assuming a gamma density function, and using the two-stage Bayesian methodology, BNL obtained a LOOP frequency of 0.12. The larger OPRA frequency is not due entirely to the differences in the data sources. The value 0.17 seems unreasonably high even if the older data (EPRI NP-2301) are used.

OPRA considered two initiating events in Category T5:

1) T5FEED -- loss of offsite power due to a failure of the grid or feeders, and
2) T5SUBF -- loss of offsite power due to a substation failure.

The data for breaking T5 into its constituents were obtained from the EPRI (1982) report,⁸ which indicates that 78% of the LOOP events are substation type and 22% are grid related. This is close to the division used in OPRA.

BNL used the more recent evaluations⁹,¹⁰ for this breakdown too. A breakdown of 16 grid-related events and 30 substation-related events is given in the draft NUREG-1032.¹⁰ The results are compared in Table 4.1.

The recovery data used in OPRA are given in Appendix D, pp. D-127 and D-130, and are derived from EPRI NP-2301.⁸ BNL used the information from the two more recent sources,⁹,¹⁰ which are similar to each other. The derivation by BNL was based on its one-stage Bayesian code using the Student-T distribution function. Table 4.5 compares the recovery data employed in OPRA with that used in the BNL review.

c. Loss of Instrument Air (T6)

OPRA derived the frequency of this initiator on the basis of the fault tree analysis of the instrument air (IA) system. BNL reviewed this analysis and agrees with the OPRA list of contributors as seen in Table 4.6. Some changes in quantification were made by BNL because of small changes in the failure rates, and because the factor 0.8 was used, rather than 0.7, to account for Unit 3 being at power during the fault.* Note that the value derived from the fault tree analysis is consistent with the occurrence of two loss-of-air events in the 11 system-years of operation.¹¹

d. Loss of Low Pressure Service Water (T12)

OPRA provides a fault tree with various modules representing the different possible failure modes of the LPSW. BNL reviewed the analysis and agrees with the main contributors considered in OPRA. Small changes in quantifications were made as listed below. Table 4.7 compares the OPRA and BNL results for the evaluation of this initiator. The values for the pipe and valve breaks, the backwash, and other items were checked. The difference is seen to be due to the design that includes two additional valves¹¹: CCW-94, suction from crossover (due to internal-flooding plant-design modification), and CCW-73, discharge manual valve.

This was partly balanced by the use of 0.8 (rather than 1.0) to account for Unit 3 being at power during the fault.

In both the OPRA and the BNL review, two initiators with different recovery probabilities were considered:

a) Failure of the LPSW: 3.5-3 (OPRA), 3.0-3 (BNL).

b) Failure of suction or discharge valves: 7.8-4 (OPRA), 1.9-3 (BNL).

e. Other "Rare" Initiating Events

a) Reactor Vessel Rupture (RPV): It was not reviewed in detail. The use of the UKAEA information, with credit given for in-service inspection, was judged to be reasonable and to result in a frequency consistent with other studies and other PRAs.

b) Loss of ICS Power Bus KI (T11): BNL has increased the frequency of this initiator because of its judgment that, although three similar events have occurred at Oconee, the design changes later implemented would reduce the initiator frequency to the equivalent of about one event in the 19 years of plant operation. This results in a frequency of 0.05/yr. Note that one event occurred close to the end of the reporting period (in November 1979, while Appendix B.6 reports to March 1980).

c) Spurious Low-Pressurizer-Pressure Signal (T13): BNL has found the OPRA estimate of the mean annual frequency to be reasonable, on the basis of its judgment that one similar event was experienced (11/20/73). Considering the 19 reactor-years of experience at Oconee, the same frequency as in OPRA is obtained.

d) Loss of Power to 4-kV Switchgear 3TC (Ti d: The frequency of this initiator remained unchanged in the BNL review. No such event in this particular bus has occurred in Oconee-3, and the failure rates used were accepted by BNL when the data were reviewed.

* Based on Table 5.1 of the OPRA, excluding the TMI-related shutdown period.

4.1.2.4 ATWS Initiators' Frequency

OPRA spent some effort evaluating the frequencies of ATWS initiators by collapsing the 41 transient categories of EPRI NP-2230 into 12 categories used in ATWS studies.¹² However, the information developed was not used in the final quantification of the ATWS initiator frequencies. It was used primarily for qualitative support for:

(a) Discarding some low-frequency initiators, reducing the initiator categories from twelve to four (see Section 2.2.1.3).

(b) Claiming an approximately 20% margin in the results of the ATWS scoping study provided.

The frequencies finally used for ATWS initiating events were obtained from the derivation of the frequencies for the transient with scram as follows:

1. Turbine trip initiator frequency (including the partial loss of MFW and the excessive FW transients): 5.7
2. Loss of condenser vacuum: 0.2
3. Loss of offsite power: 0.2
4. Loss of MFW: 0.7

Total: 6.8

Since the total frequency of transients calculated in Section 4.1.1 was close to 7.0 per year, it is apparent that some part is missing. BNL judges that the loss-of-air transient is not accounted for in the above breakdown (T6 = 0.17 per year). BNL included this transient in the loss-of-main-feedwater transient, and reduced the loss-of-offsite-power frequency to 0.12 to be consistent with the frequencies shown in Table 4.1.

BNL reviewed the information given in the OPRA, Appendix E, and summarized it in its Table E.1 (Table E.1 in the OPRA has several misplaced headings). It was stated earlier that this information was used for qualitative support in the OPRA. BNL then reevaluated the information in EPRI NP-2230,² and used it to derive its own set of ATWS initiator frequencies.

The collapsing of the 41 EPRI NP-2230² transients into the 12 ATWS initiators for the Oconee units is not provided in OPRA. This was reconstructed by BNL and is shown in Table 4.8, in a format similar to Table E.1 of OPRA. The factor of frequency reduction due to consideration of power level greater than 25% was derived from this evaluation and used in the BNL frequencies.

1. Turbine trip at power level >25% (including partial loss of MFW and excessive FW): 5.7*(4.3/5.1) = 4.81
2. Loss of condenser vacuum: 0.21*(0.2/0.25) = 0.17
3. Loss of offsite power: 0.12*1.0 = 0.12
4. Loss of MFW (including Te, T9, T10, T11, T13) (including the loss of air and assuming it has the same percentage at low power as loss of MFW): 0.87*(0.35/0.7) = 0.43

Total: 5.53

Assuming a benign consequence of transients occurring at power level less than 25%, the overall ATWS frequency is reduced by about 20%. However, the more demanding case of a loss of MFW is reduced even more.

4.2 Component Failure Data

The method used to develop the data base for the OPRA is the standard method used for plants with operating experience, i.e., Bayesian analysis to combine generic information obtained from industry experience, with plant-specific data. This method is considered to be state of the art in data base evaluation.

The OPRA provides in Appendix B the generic data used for practically all components in the fault trees; in this appendix, not only are the distributions given, but also the source from which they were obtained. BNL reviewed that appendix item by item to verify whether the data were correctly obtained, and found that a very good job was done in this respect.

The OPRA also provides summaries for plant-specific component-failure rate in Appendix B; in this part not all components from the generic data have plant-specific data. BNL checked against the LERs for valves¹³ and pumps¹⁴ and, since not all failures are reportable, found that in nearly all cases the OPRA specific failure data present more failures than the LERs data.

BNL did not check the Bayesian update process used in the OPRA. However, a comparison of the data used in the OPRA (the posterior distribution in the Bayesian analysis) with those used in several other studies³,⁴,¹⁵ indicated that most of the failure probabilities used in the OPRA are similar to or larger than those used in recent PRAs.

In conclusion, it can be said that BNL accepted most of the data used in the OPRA, and very few changes were made; the only change that had some effect on core damage frequency was the failure of the circuit breaker to open on demand. This change was made because the generic data used in the OPRA come from the IEEE-500/1977,¹⁶ and the data from the IEEE-500/1984¹⁷ are much different from those in the previous edition. Accordingly, BNL conservatively used the upper bound from the OPRA specific data (~1.0E-3/d), which are the same as those used in the IREP study for ANO.⁴

4.3 Maintenance Data

The OPRA presents the analysis for maintenance unavailability (frequency and duration of maintenance) in Section 5.2 and Appendix B4.

A review of these sections indicated that the methodology (Bayesian analysis) used is acceptable. However, the analysis of the data used in the generic frequency and duration of the maintenance is beyond the scope of this review. Comparison of the maintenance unavailabilities used in the OPRA with those used in previous PRAs³,⁴,¹⁵ led to the following conclusions:

a) The OPRA, in general, has used higher maintenance unavailabilities than the ANO⁴ and IP-3 PRAs.¹⁵
b) The OPRA, in general, has used lower maintenance unavailabilities than the Midland³ and Seabrook PRAs.¹⁸

On the basis of the facts above, BNL accepted the maintenance unavailabilities used in the OPRA except for the maintenance unavailability for the Keowee hydro units and Lee gas turbine; BNL used the data from the Oconee experience without any updating. This modification has almost no effect on the core damage frequency, as can be seen in Appendix A.

4.4 References

1. A Probabilistic Risk Assessment of Oconee-Unit 3, NSAC/60, June 1984.
2. McClymont, A. S. and Poehlman, B. W., ATWS: A Reappraisal - Part 3: Frequency of Anticipated Transients, EPRI NP-2230, Jan. 1982.
3. Midland Nuclear Plant - Probabilistic Risk Assessment, Consumer Power Co. and PLG Inc., May 1984.
4. Kolb, G. J. et al., Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear One - Unit 1 Nuclear Power Plant, NUREG/CR-2787, June 1982.
5. Papazoglou, I. A. et al., Bayesian Inference Under Population Variability with an Application to the Frequency of Loop in Nuclear Power Plants, BNL-NUREG-31794, Nov. 1983.
6. B&W Owners Group Probabilistic Evaluation of Pressurized Thermal Shock Phase 1 Report, BAW-1791, June 1983.
7. Precursors to Potential Severe Core Damage Accidents: 1969-1979 - A Status Report, NUREG/CR-2497, June 1982.
8. Losses of Offsite Power at Nuclear Power Plants: Data and Analysis, EPRI NP-2301, March 1982.
9. Loss of Offsite Power at U.S. Nuclear Power Plants through 1983, NSAC-80, July 1984.
10. Evaluation of Station Blackout Accidents at Nuclear Power Plants - Technical Findings Related to Unresolved Safety Issue A-44, USNRC, Draft NUREG-1032, Jan. 1985.
11. Personal Communication with DPC (L. Read) - Meeting at DPC on June 14, 1985.
12. Analysis of B&W NSS Response to ATWS Events, BAW-1610, 1980.
13. Hubble, W. H. and Miller, C. F., Data Summaries of Licensee Event Reports of Valves at U.S. Commercial Nuclear Power Plants, NUREG/CR-1963, June 1987.
14. Sullivan, W. H. and Poloski, J. P., Data Summaries of Licensee Event Reports of Pumps at U.S. Commercial Nuclear Power Plants, NUREG/CR-1205, Jan. 1980.
15. Indian Point Probabilistic Safety Assessment.
16. IEEE Std 500 Nuclear Reliability Data Manual, The Institute of Electrical and Electronics Engineers, Inc., 1977.
17. IEEE Std 500 Nuclear Reliability Data Manual, The Institute of Electrical and Electronics Engineers, Inc., 1984.
18. Seabrook PRA.

Table 4.1 Summary of Initiating Event Frequencies in OPRA and BNL Review

| Initiator | Initiator Frequency: Oconee | Initiator Frequency: BNL | BNL Comments |
|---|---|---|---|
| T1: Turbine trip | 4.9 | 4.9 | |
| T2: Loss of MFW | 0.64 | 0.50 | Consistent with Oconee unit trip summaries |
| T3: Partial loss of MFW | 0.69 | 0.69 | |
| T4: Loss of condenser vacuum | 0.21 | 0.21 | |
| T5SUBS: LOOP | 0.13 | 0.08 | More recent data source used by BNL* |
| T5FEEDF: LOOP | 0.04 | 0.04 | More recent data source used by BNL* |
| T6: Loss of air | 0.17 | 0.21 | See Table 4.6 |
| T7: Excessive FW | 0.092 | 0.092 | Consistent with one occurrence at Oconee |
| T8: Spurious ESF | 0.01 | 0.01 | |
| T9: SLB and TBV failure | 0.003 | 0.053 | One experienced TBV failure added by BNL |
| T10: FW line break | 9.3E-4 | 9.3E-4 | |
| T11: ICS power bus fails | 0.02 | 0.05 | One experienced event assumed by BNL |
| T12: Loss of LPSW (total) | 4.3E-3 | 4.9E-3 | See Table 4.7 |
| T12(108): Loss of suction/discharge | 7.8E-4 | 1.3E-3 | See Table 4.7 |
| T13: Stuck open spray | 0.044 | 0.044 | Consistent with one event experienced |
| T14: Loss of ac power to bus | 5.4E-3 | 5.4E-3 | |
| R: SG tube rupture | 8.6E-3 | 8.6E-3 | |
| RPV: RPV rupture | 1.1E-6 | 1.1E-6 | |
| Aout: Interfacing LOCA | 1.4E-7 | 1.4E-7 | |
| VS: Very small LOCA | - | 3.0E-3 | Added by BNL based on one seal failure experienced in nuclear plants |
| S: Small LOCA | 3.0E-3 | 3.0E-3 | |
| A: Large LOCA | 9.3E-4 | 9.3E-4 | |

*Also, different recovery data used in OPRA and BNL (see Table 4.5).

Table 4.2 Categorization of Experienced Events in the Oconee Plants With Respect to OPRA Initiating Events

| Initiator Category | Oconee Unit Trip Summaries¹: Unit 1 | Oconee Unit Trip Summaries¹: Unit 2 | Oconee Unit Trip Summaries¹: Unit 3 | Oconee Unit Trip Summaries¹: Total | EPRI-NP-2230 | OPRA | BNL Review |
|---|---|---|---|---|---|---|---|
| Turbine trip (T1) | 45 | 22 | 25 | 92 | 82 | 94 | 94 |
| Loss of MFW (T2) | 3 | 2 | 1 | 6 | 9 | 13 | 10 |
| Partial loss MFW (T3) | 5 | 4 | 1 | 10 | 27 | 12 | 12 |
| Loss of condenser (T4) | 0 | 3 | 0 | 3 | 5 | 4 | 4 |
| Excessive FW (T7) | 1 | 1 | 1 | 3 | 1 | 1 | 1 |
| TBV failure (-) | 0 | 0 | 1 | 1 | - | - | 1⁴ |
| LOOP (T5) | 0 | 0 | 0 | 0 | 1 | 1 | 1 |
| Loss of air (T6) | 0 | 0 | 0 | 0 | - | | 0² |
| Spurious ESF (T8) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| ICS malfunction (T11)⁵ | 1 | 1 | 1 | 3 | 0 | 0 | 1 |
| Loss of SWS (T12) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Stuck open spray (T13) | 1 | 0 | 0 | 1 | 0 | 0 | 1 |
| Loss of vital bus (T14) | 1³ | 0 | 0 | 1³ | 0 | 0 | 0 |
| Total events | 57 | 33 | 30 | 120 | 125 | 125 | 125 |

Total years of operation: 17.5, 19., 19., 19.

¹ Based on BNL evaluation of the events reported in OPRA Appendix B6.

² BNL was informed in a meeting with Duke that one event occurred before 1980 and another one in 1984.

³ Included in T1 for frequency calculations. This loss-of-bus event was not in the 3TC bus. The 3TC is considered to be the most severe case.

⁴ BNL included turbine bypass failure (TBV) in the category T9--Steam-Line Break.

⁵ DPC made a design modification which makes the recurrence of past events unlikely.

Table 4.3 Oconee Updated Initiating-Event Frequencies (Calculated by Different Two-Stage Bayesian Codes)

Initiating Event Frequency (yr⁻¹)

| Initiator Category | Code | Mean | 5% | Median | 95% |
|---|---|---|---|---|---|
| Turbine trip (T1) | OPRA¹ | 4.9 | 4.1 | 4.9 | 5.7 |
| | BNL | 4.8 | 3.5 | 4.4 | 5.5 |
| Loss of feedwater (T2) | OPRA | 0.64 | 0.36 | 0.61 | 0.92 |
| | BNL | 0.53 | 0.28 | 0.47 | 0.73 |
| Partial loss of FW (T3) | OPRA | 0.69 | 0.40 | 0.64 | 0.97 |
| | BNL | 0.80 | 0.45 | 0.72 | 1.1 |
| Loss of condenser vacuum (T4) | OPRA | 0.21 | 0.083 | 0.18 | 3.8² |
| | BNL | 0.23 | 0.086 | 0.20 | 0.38 |
| Excessive feedwater (T7) | OPRA | 0.092 | 0.018 | 0.076 | 0.21 |
| | BNL | 0.11 | 0.021 | 0.088 | 0.24 |
| Spurious ESF actuation (T8) | OPRA | 0.01³ | 7.8E-6 | 2.8E-3 | 0.043 |
| | BNL | 0.04 | 5.0E-3 | 0.030 | 0.084 |
| Steam-line break (T9) | OPRA | 3.0E-3 | 1.0E-6 | 5.0E-4 | 1.2E-2 |
| | BNL | 4.6E-3 | 1.3E-4 | 2.4E-3 | 1.4E-2 |
| Small LOCA (S) | OPRA | 3.0E-3 | 1.0E-6 | 5.0E-4 | 1.2E-2 |
| | BNL | 4.6E-3 | 1.3E-4 | 2.4E-3 | 1.4E-2 |
| Feedwater line break (T10) | OPRA | 9.3E-4 | 6.9E-7 | 6.8E-5 | 2.8E-3 |
| | BNL | 6.9E-4 | 1.4E-6 | 5.0E-5 | 3.2E-3 |
| Steam generator tube rupture (R) | OPRA | 8.6E-3 | 2.6E-5 | 3.1E-3 | 2.7E-3 |
| | BNL | 1.3E-2 | 1.6E-3 | 1.0E-2 | 4.2E-2 |

¹ OPRA code applies the lognormal distribution. BNL code applies the Gamma distribution.

² Apparently, a typo.

³ May be a typo. No significant effect on the core damage frequency.

Table 4.4 Comparison of OPRA and BNL Initiator Frequencies With Several Other Studies

Columns: Initiator; Arkansas 1 IREP; Midland PRA³; B/W Owner Group; OPRA; BNL Review

T1: Turbine trip   6.1   }4.9   }4.9
    Reactor trip   7.3   1.9   {4,y
T2: Loss of MFW   1.0   0.7   0.9   0.64   0.5
T3: Partial loss of MFW   0.69   0.69
T4: Loss of condenser vacuum   0.21   0.21
T5: LOOP   0.32   0.135   0.14   0.17   0.12
T6: Loss of air   0.17   0.21
T7: Excessive FW flow   -   0.22   0.22   0.092   0.092
    MUPS malfunction   2.9E-3
T8: Spurious ESF   -   -   -   0.01   0.01
T9: SLB and TBV failure   3.-3   0.053   6.7E-3   }0.052
T10: FW-line break   -   -   -   9.3E-4   9.3E-4
T11: ICS malfunction   -   0.055   0.048   0.02   0.05
T12: Loss of SWS   2.6E-3   3.7E-6   -   4.0E-3   4.9E-3
     Loss of CCW   -   4.1E-5   -   -   -
T13: Stuck open spray   -   -   -   0.044   0.044
T14: Loss of ac power bus   0.035   -   -   5.4E-3   5.4E-3
     Loss of dc power bus   0.036   -   -
R: SG tube rupture   -   0.014   0.017   8.6E-3   8.6E-3
RPV: RPV rupture   -   -   -   1.1E-6   1.1E-6
Aout: Interfacing LOCA   -   7.7E-7   -   1.4E-7
VS: Very small LOCA   0.020   5.0E-3   8.3E-3*   -   3.0E-3
S: Small LOCA   6.9E-4   3.3E-3   4.E-4   3.0E-3   3.0E-3
M: Medium LOCA   1.6E-4   4.7E-4   -   -   -
A: Large LOCA   8.7E-5   2.0E-4   -   }9.3E-4   }9.3E-4

Table 4.5 Loss-of-Offsite Power Recovery Data

| Nonrecovery Probability | OPRA: Substation | OPRA: Grid | BNL: Substation* | BNL: Grid** |
|---|---|---|---|---|
| 30-min nonrecovery | 0.46 | 0.67 | 0.28 | 0.66 |
| 1-hr nonrecovery | - | - | 0.19 | 0.48 |
| 2-hr nonrecovery | 0.21 | 0.44 | 0.12 | 0.32 |
| 4-hr nonrecovery | - | - | 0.07 | 0.18 |
| hr nonrecovery | - | - | 0.04 | 0.10 |
| 12-hr nonrecovery | 0.07 | 0.22 | 0.03 | 0.06 |

* From Table A.4 of the Draft NUREG-1032, using BNL one-stage Bayesian computer code and Student-T probability distribution function.

** From Tables A.5 and A.7 of the Draft NUREG-1032, using BNL code as above.

Table 4.6 Loss of Instrument-Air-Initiator Frequency Contributors

| Event | Description | Dominant Cut Set | Initiator Frequency (yr⁻¹): OPRA | Initiator Frequency (yr⁻¹): BNL** |
|---|---|---|---|---|
| Contamination | Inadvertent IA system contamination with water or oil | AIAPICF | 0.102 | 0.133 |
| Pipe rupture | IA pipe rupture not repaired in 10 minutes* | AIAPILF * AIAPILIDF | 0.052 | 0.059 |
| Loss of SA and one IA train | Pipe leak in SA system and failure of one IA compressor to run | ASAPILF * AIAPCF*3 | 0.006 | 0.007 |
| Loss of SA and one IA in maintenance | Pipe leak in SA system and one IA compressor in maintenance | ASAPILF * AIATAM*3 | 0.003 | 0.004 |
| Loss of SA and loss of RCW to IA | Pipe leak in SA system and RCW valve to IA fails closed | ASAPILF * ARCWIASVO*3 | 0.002 | 0.003 |
| One IA train fails and SA interconnect fails too | IA fails mechanically to run, and SA interconnect fails | AIAPCF*3 * (ASAIAVDO + ASAIAVVH) | ~0 | 0.001 |
| Total | | | 0.17 | 0.21 |

* The ability to repair or isolate a major leak in the IA system is complicated by the fact that the system was not included in the detailed design drawings -- which makes the recovery operation more difficult. Some pipes and valves are not visible or accessible (OPRA, page A.15-lC).

** Differences in the BNL reevaluation are due to BNL's use of a factor of 0.8, rather than 0.7, to account for unit 3 being at power during the fault, and to correctly use the failure data given on page A15-19 of OPRA.

Table 4.7 Loss of Low Pressure Service Water System -- Contributors to the Initiator Frequency

| Event | Description | Initiator Frequency (yr⁻¹): OPRA | Initiator Frequency (yr⁻¹): BNL | Comments |
|---|---|---|---|---|
| Pipe break in supply header | LPSW (or HPSW) suction break; LPSW (or HPSW) valve break; CCW crossover break | 9.5E-4 | ~9E-4 | From flooding study. |
| LPSW discharge failure | LPSW-108 or discharge manual valve transfer closed (CCW-73) | 7.8E-4 | 1.3E-3 | BNL considered the two valves. Power factor of 0.8 applied. |
| Suction failure | CCW-94 valve transfers closed | - | 6.2E-4 | Result from CCW crossover isolation in the modified plant. Factor of 0.8 applied. |
| Backwash | Standby pump in backwash and running pump fails | 7.5E-5 | 6.0E-5 | BNL applied a factor of 0.8 for Oconee being at power. |
| Standby pump in maintenance | Standby pump in maintenance and running pump fails | 4.0E-4 | 3.2E-4 | As above. |
| Operator fails to start standby pump | Standby pump does not start and running pump fails | 2.1E-3 | 1.7E-3 | |
| Total | | 4.3E-3 | 4.9E-3 | |

Table 4.8 Mean Annual Frequencies of Transient Categories at Oconee (from EPRI-NP-2230)

| Transient Category | EPRI-NP-2230 Grouping | All Power Levels: All years (19.8 years) | All Power Levels: Subsequent years (16.8 years) | Power Level Greater than 25%: All years (19.8 years) | Power Level Greater than 25%: Subsequent years (16.8 years) |
|---|---|---|---|---|---|
| Loss of condenser vacuum | 25,27,30 | 0.25 | 0.12 | 0.20 | 0.12 |
| Turbine trip | 3,9,12,15,19,21,23,28,33,34,36-40 | 5.10 | 4.40 | 4.30 | 3.70 |
| Loss of main feedwater | 16,22,24 | 0.70 | 0.48 | 0.35 | 0.16 |
| Loss of offsite power | 35 | 0.05 | <0.01 | 0.05 | <0.01 |
| Load increase | 26,29 | 0.05 | 0.M | 0.0 | <0.01 |
| Loss of RCS flow | 1,14 | 0.25 | 0.18 | 0.15 | 0.12 |
| Control rod withdrawal | 2 | 0.10 | 0.12 | 0.10 | 0.12 |
| RCS depressurization | 4,5,7 | 0.05 | 0.06 | 0.05 | 0.06 |
| Boron dilution | 11 | <0.01 | <0.01 | <0.01 | <0.01 |
| Excessive cooldown | 6,20 | <0.01 | <0.01 | <0.01 | <0.01 |
| MSIV closure | 17,18 | N/A | N/A | N/A | N/A |
| Inactive RCS loop startup | 13 | <0.01 | <0.01 | <0.01 | <0.01 |
| Total | | 6.60 | 5.50 | 5.20 | 4.30 |

5. ACCIDENT SEQUENCE QUANTIFICATION

This section presents the quantification of the accident sequences in the OPRA.¹ Subsections 5.1 through 5.3 present an overview of the OPRA approach used to quantify the accident sequences initiated by transients, LOCAs, and SGTR, anticipated transients without scram (ATWS), and interfacing LOCAs, respectively; BNL comments and modifications are also discussed. Subsection 5.4 presents the results of the BNL review compared with the OPRA results; further details are provided in Appendices A and B. Subsection 5.5 presents the uncertainty analysis performed in the BNL review with comparisons with the OPRA, where possible.

5.1 Quantification Procedure for Transients, LOCAs, and SGTR

As discussed in Section 3, the OPRA constructed the following functional event trees:

• Transient.

• Small LOCAs.

• Large LOCAs.

• SGTR event tree.

For all the above event trees the same approach to quantification was used, and the main steps for performing the accident sequences quantification were:

1. Solution of system fault trees. In this step, the OPRA¹ used the SETS computer code² to find the minimal cut sets for each system. This step was performed to ensure that system-level fault trees were logically correct; the results of this step were not used in the accident sequence quantification. This review used the same method as the OPRA.

2. Construction and solution of fault trees for core damage bins. In this step the OPRA constructed core damage fault trees (CDFT) for each core damage bin (see Section 3.1.2 and Table 5.1); i.e., the functional event trees presented in Sections 3.1.4 and 3.1.5 were converted to core damage fault trees (CDFTs), and the supporting logic and system fault trees were used as input to these CDFTs.

After constructing the CDFTs for each core damage bin, the OPRA used SETS² for quantification of the accident sequences for each bin.

The only difference between the approach used in this review and that used in the OPRA was that this review quantified the CDFTs for each sequence instead of for each core damage bin, which allows for a more refined treatment of the success states in each sequence.

In this step, both the OPRA and this review used screening probabilities for human errors, which allows for a more accurate evaluation of the human errors for each minimal cut set at the sequence level.

Note also that no recoveries are yet considered in this step.

3. Review of results and iteration. This step, which is a must in any analysis, provides assurance that the results are consistent with the models and data used in the quantification process, and was performed by both the OPRA and this review.

4. Quantification of final minimal cut sets. In this step, after verification that the results are consistent with the understanding of the actual behavior of the plant, the screening values used for human errors in step 2 are replaced by their best-estimate values. Also in this step, consideration is given to operator actions to terminate sequences, and recovery factors are applied to each sequence minimal cut set to obtain the appropriate final core damage frequency. Both the OPRA and BNL performed this step and differences appear in the quantification of some recovery actions, mainly due to the grace time available to the operators. In Appendix A, details of those differences are provided.
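Steps 1 to 4 above, worked through in Python as an added example (not code from the OPRA, the SETS code, or the BNL review). The tree shape, every event name and all hardware and human-error values are constructed; only the T6 frequencies (Table 4.1) and the probabilities of failing to recover instrument air (5.5E-2 in the OPRA, 0.5 in this review, Section 5.4) are quoted from this report, so the results are not the report's sequence frequencies.

```python
from itertools import product
from math import prod

# Constructed sequence logic (not the OPRA's): (gate, child, ...) with
# basic-event names as leaves. All event names are hypothetical.
SEQUENCE = (
    "AND",
    "T6",                             # initiator: loss of instrument air
    ("OR", "EFW_TDP", "OP_XFER"),     # EFW lost: steam-driven pump fails, or
                                      # suction not transferred to the hotwell
    ("OR", "OP_HPI", "OP_DIAG"),      # HPI cooling not established
    ("OR", "OP_SSF", "OP_DIAG"),      # SSF feed to the SGs not established
)

HARDWARE = {"EFW_TDP": 2e-2}          # constructed value
BEST_HEP = {"OP_XFER": 1e-2, "OP_HPI": 2e-2,    # constructed best-estimate
            "OP_SSF": 5e-2, "OP_DIAG": 1e-3}    # human error probabilities
SCREENING_HEP = 0.1                   # constructed screening value

# Values quoted in this report: T6 frequency per year (Table 4.1) and the
# probability of failing to recover instrument air (Section 5.4).
OPRA = {"T6": 0.17, "non_recovery": 5.5e-2}
BNL = {"T6": 0.21, "non_recovery": 0.5}


def cut_sets(node):
    """Step 1: expand an AND/OR tree into cut sets (sets of basic events)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    parts = [cut_sets(child) for child in children]
    if gate == "OR":
        return set().union(*parts)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*parts)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal(sets):
    """Absorption: drop every cut set that strictly contains another one."""
    return {s for s in sets if not any(other < s for other in sets)}


MCS = minimal(cut_sets(SEQUENCE))


def frequency(initiator, heps, non_recovery=1.0):
    """Rare-event approximation: sum over minimal cut sets of the product of
    event values, each multiplied by the non-recovery factor."""
    values = {"T6": initiator, **HARDWARE, **heps}
    return sum(prod(values[e] for e in cs) * non_recovery for cs in MCS)


def screening_run(case):
    """Step 2: screening human-error values, no recovery credited."""
    return frequency(case["T6"], dict.fromkeys(BEST_HEP, SCREENING_HEP))


def final_run(case):
    """Step 4: best-estimate human errors plus the air-recovery factor."""
    return frequency(case["T6"], BEST_HEP, case["non_recovery"])


if __name__ == "__main__":
    for cs in sorted(MCS, key=sorted):
        print(" * ".join(sorted(cs)))
    print(f"screening (BNL initiator): {screening_run(BNL):.2e}/yr")
    print(f"final, OPRA recovery:      {final_run(OPRA):.2e}/yr")
    print(f"final, BNL recovery:       {final_run(BNL):.2e}/yr")
```

With everything else held equal, the initiator frequency and the non-recovery probability alone move this constructed sequence by a factor of about 11, which is why the grace time credited to the operators matters so much in step 4.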

5.2 Quantification Procedure for ATWS

The quantification of the ATWS was done in the OPRA, and also in this review, in a simplified manner. The functional event trees were constructed (see Section 3 of this report for details), and probabilities/unavailabilities were estimated for each top event in the event tree. The assumptions used in the evaluation of these probabilities/unavailabilities are generally compatible with those used in the rest of the OPRA. Differences existed between BNL and the OPRA on some of the assumptions, and details of these differences are given in Appendix B of this report.

The sequences were quantified by direct multiplication of the branches in each sequence of the event tree; this quantification process was also used in this review.

5.3 Interfacing-Systems LOCA

In its Appendix F, the OPRA presents a detailed analysis of the interfacing-systems LOCA. The only system providing interfaces between low and high pressure piping that could result in a diversion of flow out of the reactor building is the low-pressure-injection system (LPIS). For this system, the following interfaces were considered.

1. LPI-system injection lines (two lines).
2. Low pressure auxiliary spray line.
3. The decay heat removal (DHR) suction line.

A detailed evaluation of all possible modes of failures that would cause an interfacing-systems LOCA through these lines was performed by the OPRA and reviewed by BNL. Since the frequency of the initiating events was very low, it was assumed in the OPRA that these frequencies represent core melt with containment bypass.

This review is in agreement with the models and failure rate/probabilities used in the OPRA, and for further details the reader should refer to the OPRA Appendix F.

5.4 BNL Review Results

This subsection presents the summary of the results obtained in this review with comparisons to the OPRA; for more details of similarities and differences between the results of this review and those in the OPRA, refer to Appendices A and B of this report.

The total frequency of core damage calculated in this review is equal to 9.3E-5/yr as compared to 5.4E-5/yr for the OPRA. In Tables 5.2 and 5.3, contributors to the core damage frequency are summarized by bin (see Table 5.1 for the definition of bins), and by initiating-event category; in both tables, a comparison with the OPRA is also given. From these two tables the following conclusions can be drawn:

1. The largest increase is present in Bin III (5.7E-5/yr in this review vs 3.0E-5/yr in the OPRA). The major contribution to this difference comes from events caused by loss of instrument air (as an initiator or due to loss of offsite power). This difference in CD frequency is mainly due to the assumption of time available for recovery of compressed air. In Oconee-3 a loss of instrument air causes the drainage of the upper storage tank (UST) to the condenser hotwell, because valve C-176, which is normally used as a means of hotwell makeup from the UST (hotwell level control system), fails open on loss of air.

In the OPRA, between two and six hours were used for the quantification of the probability of failure to recover air. In a meeting held at DPC to discuss BNL comments regarding the OPRA, it was verified that about one hour would be more appropriate for the time for drainage of the UST into the hotwell, and therefore the time available for the operators to recover air or transfer the EFW suction from the UST (primary source) to the hotwell. This change modifies the probability of failure to recover air from the value used in the OPRA (5.5E-2) to the value used in this review (0.5), which is based on the OPRA assessment for recovery of air together with the judgment of the reviewers. For more details on specific sequences, see Appendix A.

In this review, the loss of instrument air (T6) becomes the most dominant contributor to the core damage frequency, being responsible for 49% of the CD frequency due to transients with scram and for 33% of the total. In the OPRA it is responsible for 11% of the CD frequency due to transients with scram and 6% of the total.

Note that according to a Sept. 20, 1985 letter from H. B. Tucker (DPC) to H. R. Denton (NRC), Duke Power Company has taken an interim measure, i.e., closure of manual isolation block valve (C-175) upstream of air-operated valve C-175, to prevent the potential drainage of the upper surge tank (UST) following the loss of instrument air. In the near future, according to the referenced letter, a modification to air-operated valve C-176 is planned. If this modification is taken into consideration, the BNL-calculated core damage frequency for Bin III will decrease from 5.7E-5/yr to about 3.1E-5/yr and the total CD frequency will be equal to 6.7E-5/yr instead of 9.3E-5/yr.

2. In Table 5.3 it is also shown that the most important transient in the OPRA is the loss of low pressure service water transient (T12), which is responsible for about 45% of the core damage frequency due to transients with scram (24% of the total CD). In this review, it accounts for 29% of the core damage due to transients with scram (19% of the total CD).

It is explained in Appendix A that some degree of conservatism exists in this review because of the assumption that if valve CCW-73 fails closed a loss of LPSW to its most important loads, i.e., cooling of HPI and RCP pump motors and heat exchangers in the component cooling water system, will occur. However, a detailed pipe-flow calculation to verify this assumption is beyond the scope of this review.

Note also that if a recent modification made in the discharge of the LPSW to the cooling of HPI pump motors (DPC Drawings - Nos. PO-115B, Rev. 26, and P0-124D, Rev. 12) is considered, the contribution of the loss-of-low-pressure-service-water transient (T12) to the total CD frequency will decrease from 1.8E-5/yr to about 4.0E-6/yr; i.e., the total CD frequency in this review will become 7.9E-5/yr instead of 9.3E-5/yr.

3. The differences in CD frequency for instrument air (T6) and for loss of low pressure service water (T12) account for 71% and 13% of the increase in the total CD frequency, respectively. The remainder of the difference in total CD frequency comes from small LOCAs (8%), ATWS (4%), and large LOCAs (3%).

4. In this review, the core damage frequency is larger than that in the OPRA for almost every bin.

5.5 Dominant Accident Sequences

The dominant accident sequences for each core damage bin are presented in Table 5.4; for definition of the core damage bins see Table 5.1. For comparison, the equivalent table in the OPRA (Table 8.1) is reproduced here as Table 5.5. In these tables, the dominant accident sequences are given by sequence type as discussed in detail in Appendix A. The most important sequences in Table 5.4 are described briefly below:

Sequence Type [F] igBU: Bin III, Frequency 2.9E-5/yr (OPRA = 4.7E-6/yr)

These sequences involve a loss of instrument air, as an initiating event, or as a result of loss of offsite power, or as a result of system faults after a reactor trip. Main feedwater is unavailable because of the loss of instrument air, and the emergency feedwater becomes unavailable if the steam driven pump is not available and air is not recovered, or if the operator fails to transfer the EFW steam-driven pump suction to the condenser hotwell and air is not recovered. After the loss of MFW and EFW, failure of the operators to establish HPI cooling and make feedwater to the SGs available from the Standby Shutdown Facility (SSF) will result in core damage. As discussed in detail in Appendix A, BNL and the OPRA differ primarily in the time available to the operators for recovery of instrument air. The OPRA assumes two to six hours for this recovery of air with a failure probability of 5.5E-2. In this review a time on the order of one hour is used, with a failure probability of 0.5, which is based on the fact that the OPRA analysis for recovery of air (OPRA Appendix C, page C-15/C-16) states that the dominant failure modes require considerable effort to recover, and the failure probability equal to 0.3 is given in the OPRA for failure to recover in two hours. The value used in this review is also partly based on the judgment of the reviewers.

These sequences account for about 31% of the total core damage frequency in this review, and for about 9% in the OPRA.

Note that if the modification described in Section 5.4 item 1 is considered, the core damage frequency for this sequence type will decrease from 2.9E-5/yr to about 3.0E-6/yr.

Sequence Type [G] gT ,BU: Bin III, Frequency 1.8E-5/yr (OPRA = 1.5E-5/yr)

These sequences are characterized by failure of the LPSW as an initiator, or failure of the 4.6-kV bus 3TC with other failures in the second LPSW pump, or any other transient with failure of the LPSW. The loss of LPSW causes failure of the HPI pumps. Since in these sequences the RCPs are tripped, the failure of the HPI seal injection will result in a small RCS leak (see page A3-16, item 2, in the OPRA) with inability to make up if the SSF seal injection is not actuated in about 30 min; item 2, page A3-16, of the OPRA states that "seal leakage will result if injection flow is interrupted and the RCPs are tripped."

In this review, the automatic HPSW makeup to the LPSW cooling of the HPI pumps is considered for the cases in which the loss of LPSW is not due to the blockage of the LPSW discharge path from the HPI pumps cooling and the component cooling; in the OPRA, this modification to the plant was not taken into account.

It is also important to note that the first cut set given in A.5.7.2 (Appendix A), i.e., loss of LPSW to cooling of the motor HPI pumps and component cooling system due to failures in the discharge path, is considered to be conservative. However, in order to evaluate the correctness of this failure mode (which was also later found but not included by the OPRA; see footnote in OPRA, page A14-27), pipe-flow calculations would be necessary. Thus, BNL does include this failure in some of its sequences. At a meeting held at DPC, drawings were given to BNL and NRC to show that this failure mode and that included in the second cut set in Appendix A (A.5.7.2) would be eliminated by the modification of the discharge of the SW from the cooling of the HPI pumps. However, this modification was not analyzed in the base case of this review, to be consistent with the OPRA. Note that the analysis of the Oconee-3 as is, i.e., with the modification described above, would change the core damage frequency due to these sequences to be equal to about 4.0E-6/yr.

As a consequence of this modification, the total core damage frequency will decrease from 9.3E-5/yr to 7.9E-5/yr. Note that in the remainder of this section, this modification is not considered.

These sequences account for about 19% of the total core damage frequency in this review, while they contribute about 28% in the OPRA.

Sequence Type [A] SYcX 3 : Bin I, Frequency 5.4E-6/yr (OPRA = 5.0E-6/yr)

These core damage sequences are characterized by a small-break LOCA, with successful HPI injection. The LOCA causes the actuation of the RBSS (even with the successful operation of the RBCS), and the operators fail to terminate its operation. HPR fails to be initiated upon depletion of the BWST inventory or fails during operation.

There is almost no difference between this review and the OPRA, and these sequences account for about 6% of the total core damage in this review and for about 9% in the OPRA.

Sequence Type [B] AXA: Bin VI, Frequency 4.8E-6/yr (OPRA = 4.8E-6/yr)

These sequences are characterized by a large-LOCA initiating event, with successful injection but failure of the low pressure recirculation (failure of initiation or hardware failures).

There is no difference between BNL and the OPRA, and these sequences account for about 5% of the total core damage frequency in this review and for about 9% in the OPRA.

Sequence Type [E] T10BU: Bin III, Frequency 4.8E-6/yr (OPRA = 4.8E-6/yr)

These sequences are characterized by a large feedwater- or condensate-line break which results in failure of main and emergency feedwater. Failure of the operators to provide other sources of feedwater and failure to establish HPI cooling result in core damage.

There is no difference between this review and the OPRA, and the sequences account for about 5% of the total core damage frequency in this review and for about 9% in the OPRA.

Sequence Type [A] AUXA: Bin VI, Frequency 3.6E-6/yr (OPRA = 3.3E-6/yr)

These sequences are characterized by a large-LOCA initiator, with successful injection but failure of low pressure recirculation. The low pressure recirculation fails because high flow develops during the recirculation phase (a failure mode in the OPRA), and the operators fail to throttle the flow.

Following this failure to throttle, pump cavitation and failure can occur.

There is practically no difference between BNL and the OPRA, and these sequences account for about 4% of the total CD in this review, and for about 6% in the OPRA.

Note that from the minimum cut sets presented in Appendix A of this report (also present in Appendix D of the OPRA) a single failure exists attributable to the common power supply to the LPI valves 3LP-12 and 3LP-17. According to the OPRA, Duke Power Company had initiated a modification to provide separate power supplies to these valves. This modification, which is necessary to satisfy the single failure criteria, practically does not change the core damage frequency for these sequences.

Sequence Type ATWS: Bin V, Frequency 3.6E-6/yr (OPRA = 1.7E-6/yr)

These sequences, which involve a transient with failure to scram, are characterized by a large primary-system pressure, which may exceed 3900 psig, due to: a) moderator temperature coefficient larger than the 95% value, or b) failure of primary relief, i.e., failure of the PORV or any of the SRVs to open, or c) failure of the MFW and partial failure of the EFW system (failure of the steam-driven pump, or failure of one motor-driven pump, or delay in EFW initiation). In all these sequences, it is postulated that a primary-system rupture will result. Following the primary-system break a failure to inject borated water occurs, resulting in core damage. For all these sequences, a probability equal to 0.1 is used for failure of injection because of possible deformations in valves (this value given by the OPRA is accepted in this review). It is important to point out that B&W analysis³ indicates that no deformation will occur at about 3900 psig.

The main difference between this review and the OPRA is due to the probability used for failure of the function "primary relief." As discussed in Appendix B, Section B.1, the OPRA uses a value of 2.0E-2/d, while in this review a value of 0.17/d is used. This value of 0.17 was obtained by assuming that for 20% of the time of an equilibrium cycle primary conditions (MTC, etc.) are such as to require PORV relief in order to avoid a peak pressure higher than 3900 psig; it was also considered that the PORV block valve in Oconee-3 has been closed for about 80% of the time the plant is in operation.

Note that, as discussed in Appendix B, Section B.7, the value used in this review is subjected to judgment, and a sensitivity study of total CD to this value is performed.

These sequences account for about 4% of total CD frequency in this PRA (vs 3% in the OPRA).

Sequence Type ATWS: Bin VI, Frequency 3.4E-6/yr (OPRA = 1.5E-6/yr)

The only difference between these sequences and the ATWS sequences described above is that here, injection of borated water is successful but long-term cooling fails.

The differences between BNL and the OPRA are exactly the same as discussed above. These sequences account for less than 4% in this review and for about 3% in the OPRA.

Note that if the PORV block valve is open during all times the plant is in operation, as stated in a Nov. 26, 1985 letter from H. B. Tucker (DPC) to H. R. Denton (NRC), the BNL-calculated ATWS core damage frequency for Bins V and VI will be equal to 1.4E-6/yr and 1.2E-6/yr respectively.

5.6 ATWS Sensitivity Analysis

As discussed in more detail in Appendix B, a limited sensitivity analysis was performed for the following functions in the ATWS event trees.

5.6.1 Primary Relief Function

The OPRA states that late in their work it was found that Oconee-3 had been operating with the pressurizer PORV block valve closed for about 80% of the time. However, in the quantification of the ATWS sequences, this was not considered. Since the failure of the PORV to open affects the peak pressure, which also depends upon other parameters such as the moderator temperature and Doppler coefficients and power level, it was assumed in the base case of this review that for 20% of operation time, primary conditions (MTC, etc.) are such as to require PORV relief to avoid a peak pressure higher than 3900 psig. If this fraction of time is changed to 10% or 50%, the following is the impact on the total ATWS core damage frequency (CD):

• Base Case (20%) - CD = 7.7E-6/yr.

• 10% - CD = 5.4E-6/yr.

• 50% - CD = 1.5E-5/yr.

Note that in the reviewer's judgment, which is based on the reactivity coefficients for an equilibrium cycle for Oconee-3, the fraction of the time in which the peak pressure may be larger than 3900 psig will be smaller than that used in the base case (20%).

5.6.2 Failure to Inject Borated Water (RCS peak pressure <3500 psig)

The OPRA used a value of 10⁻³ for the probability of failure to inject borated water for the cases in which the peak pressure will be smaller than 3500 psig. In this review, the same value was used for cases in which the MFW system remains on line, and a value of 2.0E-2 was used otherwise.

If, for all cases above, a probability of failure equal to 5.0E-2 (a value used in the NRC ATWS task force analysis) is used, the total ATWS core damage frequency will change from 7.7E-6/yr to 1.3E-5/yr.

Note again that the values used in the base case are the more appropriate values in the opinion of the reviewer.

5.6.3 Failure to Inject Borated Water and Failure of Long-Term Cooling (RCS peak pressure >3900 psig)

In the OPRA and in this review (base case), a value of 10⁻¹ was used for probability of failure to inject borated water or the failure of long-term cooling for cases in which the peak pressure may exceed 3900 psig and a LOCA will result. These values were used because of a probability of deformation of valves in the injection paths. If these values are changed from 0.1 to 0.2, the total core damage frequency will change from 7.7E-6/yr to about 1.5E-5/yr.

5.7 Uncertainty Analyses

In Chapter 12, Section 12.3, the OPRA presents a quantitative analysis of input data uncertainties. The computer code SPASM (Ref. 5) was used to propagate the basic-event distributions to obtain their contributions to distributions for the core sequence type, core damage bin, and total core damage frequency. To obtain these distributions, the OPRA used only the core damage sequences with a frequency greater than 1.0E-6/yr. The distributions for the total core damage and for CD for each bin include the internal as well as external events.

This review also performed an assessment of the uncertainties about the frequency of core damage for internal events only. The uncertainty, as in the OPRA, should be interpreted as being introduced by uncertainties in the values of the various parameters, given the modeling assumptions described in previous sections. BNL used the SAMPLE (Ref. 6) code to propagate the uncertainties; the uncertainties in the initiator and basic events were quantified by fitting lognormal distributions to evaluate uncertainty measures (mean and variance).

For each bin, the uncertainties in the frequency of core damage were quantified by using the accident sequences that account for 90% of the bin core damage; the same approach was used for the uncertainty in the total core damage frequency. The results of this analysis are given in Table 5.6 and Figure 5.1. A comparison with the OPRA results is not possible because in the OPRA the results for each bin and for the total CD uncertainty include both internal and external events; in this review only internal events are considered.
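The propagation described in Section 5.7 can be illustrated with a short Monte Carlo calculation. This is an added example, not the SAMPLE or SPASM code and not part of the report: each basic event is given a lognormal distribution specified by an assumed mean and error factor (X95/X50), and the sequence frequency is the rare-event sum over minimal cut sets. Event names follow Appendix A, but the cut-set structure and every numerical value are constructed for illustration.

```python
import math
import random

Z95 = 1.645  # 95th percentile of the standard normal distribution


def lognormal_params(mean, error_factor):
    """Return (mu, sigma) of ln X for a lognormal with the given mean and
    error factor EF = X95 / X50 (an assumed parametrization)."""
    sigma = math.log(error_factor) / Z95
    mu = math.log(mean) - 0.5 * sigma ** 2
    return mu, sigma


# Constructed inputs, NOT values from the OPRA, the BNL review or Table A.1.
# name: (mean, error factor). SLOCA is an initiator frequency per year;
# all other events are failure probabilities per demand.
BASIC_EVENTS = {
    "SLOCA": (2.0e-3, 3.0),
    "YRBSH": (0.2, 2.0),
    "XHPR2H": (1.0e-2, 5.0),
    "LP40VVH": (1.0e-2, 3.0),
    "LP4142VVH": (1.0e-2, 3.0),
    "IST-250": (1.0e-2, 3.0),
    "IST-251": (1.0e-2, 3.0),
}
INITIATORS = {"SLOCA"}

# Constructed minimal cut sets (each is a product of its events).
CUT_SETS = [
    ("SLOCA", "YRBSH", "XHPR2H"),
    ("SLOCA", "YRBSH", "LP40VVH", "LP4142VVH"),
    ("SLOCA", "YRBSH", "IST-250", "IST-251"),
]


def sequence_frequency(values, cut_sets=CUT_SETS):
    """Rare-event approximation: sum over cut sets of the event products."""
    return sum(math.prod(values[e] for e in cs) for cs in cut_sets)


def point_estimate():
    """Sequence frequency evaluated at the mean value of every event."""
    return sequence_frequency({k: m for k, (m, _) in BASIC_EVENTS.items()})


def propagate(trials=40000, seed=1986):
    """Monte Carlo propagation; returns X05, X50, mean and X95 per year."""
    rng = random.Random(seed)
    params = {k: lognormal_params(m, ef) for k, (m, ef) in BASIC_EVENTS.items()}
    samples = []
    for _ in range(trials):
        # One draw per basic event per trial, reused in every cut set that
        # contains it, so shared events (SLOCA, YRBSH) stay fully correlated.
        values = {}
        for name, (mu, sigma) in params.items():
            x = rng.lognormvariate(mu, sigma)
            # Probabilities are capped at 1.0; frequencies are not.
            values[name] = x if name in INITIATORS else min(x, 1.0)
        samples.append(sequence_frequency(values))
    samples.sort()

    def percentile(q):
        return samples[int(q * (trials - 1))]

    return {
        "x05": percentile(0.05),
        "x50": percentile(0.50),
        "mean": sum(samples) / trials,
        "x95": percentile(0.95),
    }


if __name__ == "__main__":
    print("point estimate:", point_estimate())
    for key, value in propagate().items():
        print(key, f"{value:.2e}")
```

Because the distribution is strongly right-skewed, the mean lies well above the median, the same pattern as the X50 and Mean columns of Table 5.6.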

5.6 References

1. Oconee PRA - A Probabilistic Risk Assessment of Oconee Unit-3, NSAC/60, June 1984.
2. Worrell, R. B. and Stack, D. W., A SETS User's Manual for the Fault Tree Analyst, NUREG/CR-0465, Nov. 1978.
3. Analysis of B&W NSS Response to ATWS Events, BAW-1610, Jan. 1980.
4. Recommendation of ATWS Task Force: Enclosure D, NRC-staff.
5. Leverenz, F. L., SPASM, A Computer Code for Monte Carlo System Evaluation, EPRI NP-1685 (1981).
6. Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG/75-014), October 1975.

[Figure 5.1: plot not reproduced. Vertical axis: cumulative probability (0 to 1); horizontal axis: Core Damage Frequency (per year), logarithmic scale from 0.00001 to 0.001. Values marked on the curve: 5.7E-5, 9.2E-5, 2.5E-4.]

Figure 5.1 Cumulative probability for the frequency of core damage.

Table 5.1 Summary of Core Melt Bins

Bin   Sequence Characteristics

I     RCS pressure and leakage rates associated with small-break LOCAs, with early melting of the core (i.e., within about two hours after the break occurs)

II    RCS pressure and leakage rates associated with small-break LOCAs, with late melting of the core (i.e., after about 12 hours from when the break occurs)

III   High RCS pressure and leakage rates associated with boiloff of the reactor coolant through cycling pressurizer relief valves, with early core melting (within about two hours)

IV    High RCS pressure and leakage rates associated with boiloff of the reactor coolant through cycling relief valves, with late melting of the core

V     Large rates of leakage from the RCS and low pressures associated with large-break LOCAs with failure of core injection

VI    Large-break LOCA conditions with failure of coolant recirculation


Table 5.2 Summary of Contributors to Core Damage Frequency for Internal Initiating Events

CM Bin  Initiating Event                                  Core Damage Frequency
                                                          OPRA       BNL

I       Pipe-break- and transient-induced small LOCA      6.5E-6     8.4E-6
        SGTR                                              1.3E-6     1.2E-6
        ATWS                                              1.8E-8     1.2E-8
        Total bin I                                       7.8E-6     9.6E-6

II      Pipe-break and transient-induced small LOCA       1.1E-6     6.7E-6
        SGTR                                              1.4E-6     2.1E-6
        ATWS                                              1.8E-8     1.2E-8
        Total bin II                                      2.5E-6     [illegible]

III     Transients                                        2.7E-5     5.7E-5
        ATWS                                              2.8E-6     6.9E-7
        Total bin III                                     3.0E-5     [illegible]

IV      Transients                                        1.9E-7     3.6E-7
        Total bin IV                                      1.9E-7     3.6E-7

V       Large LOCA                                        1.4E-6     1.5E-6
        ATWS                                              1.7E-6     3.6E-6
        Total bin V                                       3.1E-6     5.1E-6

VI      Large LOCA                                        8.3E-6     8.5E-6
        ATWS                                              1.5E-6     3.4E-6
        Total bin VI                                      [illegible] [illegible]

        Interfacing systems LOCA                          1.4E-7     1.4E-7

        Total CD frequency                                5.4E-5     9.3E-5


Table 5.3 Summary of Core Damage Frequency

Initiating-Event Category                  Core Damage Frequency
                                           BNL        OPRA

Plant Transients
  Loss of Instrument Air (T6)              3.1E-5     3.2E-6
  Loss of Service Water (T12)              1.8E-5     1.3E-5
  Feedwater Line Break (T10)               4.5E-6     4.8E-6
  Loss of Offsite Power (T5)               3.6E-6     2.4E-6
  Reactor Trip (T)                         1.7E-6     1.2E-6
  Loss of Main Feedwater (T2)              1.3E-6     1.2E-6
  Other Transients                         2.4E-6     2.6E-6
  Total                                    6.2E-5     2.9E-5

Loss-of-Coolant Accidents
  Large Break (A)                          1.0E-5     9.0E-6
  Small Break (S)                          9.2E-6 (a) 6.1E-6
  Reactor-Vessel Rupture                   1.1E-6     1.1E-6
  Total                                    2.0E-5     1.6E-5

Transients Without Scram (ATWS)            7.7E-6     6.0E-6
Steam Generator Tube Rupture (R)           3.3E-6     2.7E-6
Interfacing-System LOCA                    1.4E-7     1.4E-7

Total                                      9.3E-5     5.4E-5

(a) Includes only LOCAs due to pipe breaks or spontaneous seal failures.


Table 5.4 BNL Review Summary of Core Damage Frequencies for Internal Events

Total CD Frequency = 9.3E-5/yr.

Columns, repeated for each of Bin I, Bin II, Bin III, Bin IV, Bin V and Bin VI Sequences: Type, Seq., Mean Freq.

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0E-6 (ABOUT 69% OF TOTAL FREQUENCY)

ATW5 3.6-6

[4] 5Y5 ts 5.4 6 , [8] T,QIs 3.2-6 [F ] i BU g 2.9-5 [A] VR 1 I-6 8] Afg 4.8-6 fC] VASS 1.9-6 [r. ) T ,,no 1.R-5 A) Afg 3.6-6

[B] Rigd 1.5-6 [L j Ig BU 4.R-6 ATW5 1.46

[A] TrRU l.3-6

[J] T HI) .1.1-6

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0E-7 (ABOUT 99% OF TOTAL FREQUENCY)

[9] EUa 8.1-7 (C) 525 9.0-7 [C] TBd 7.6-1 T5 ,gB LE 2.3-1 [8] Au 4.1 1 ATWS 6.1-7

[8] TQU5 7.3-7 [Al RIgG 6.0-7 [8] T.RU 4.8-7 is.6Rll I+3*I I I+4*i

[F ] TQrs 3.7 7 [H] is68U 2.5 7

[E] TQrs 2.2-7 [I] TRO 1.8-7

[4] T5GXS 1.0-7 [0] Ig 90 1.8-7 (C] $US 4.5-7 (1) TQUS 4.R-1 (C] VU5S 4.2-7

[F ] TQ05 4.2-7

[A] Ryg 4.1-7

[D] T ,005 2.9-7 L

                Bin I    Bin II   Bin III  Bin IV   Bin V    Bin VI
Total shown     9.6-6    8.8-6    5.6-5    3.6-7    5.2-6    1.2-5
Other           2.3-7    6.0-8    3.4-7    -        -        5.4-8
Total           9.5-6    9.8-6    5.1-5    3.6-7    5.1-6    1.2-5

5.4-6 means 5.4E-6

Table 5.5 OPRA Summary of Core Damage Frequencies for Internal Initiating Events*

Columns, repeated for each of Bin I, Bin II, Bin III, Bin IV, Bin V and Bin VI sequences: Type, Seq., Mean Freq.

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0 x 10⁻⁶ (ABOUT 80% OF TOTAL FREQUENCY)

Ici T 12nu 1.5-5 IAI SYs *s 5.0-6 *

  • IEl T,onu 4.e-6

'trl 76 s0 4.7-6 tal Ar, 4.e-6 :

(Al AX g 3.3-6 tws 2.n-6 TwS 1,7-6 (Al T2mu 1.2-6 IA) VR 1.1-6 TwS 1.5-6

SEQUENCES WITH MEAN ANNUAL FREQUENCIES ABOVE 1.0 x 10⁻⁷ (ABOUT 95% OF TOTAL FREQUENCY)

tel nu, s.5-7 tel ax ,o 7.4-7 (Cl Sx -

s 6.9-7 (91 Tgug 5.9-7 (C) 'Ug 4.4-7 (Al RI,0 4.0-7 (C) TBU 4.2-7 (Al au, 3.9-7 tal T eu 4.1-7.

- ui to! 76Qu 2.5-7 .trl Tg,,3Qx 2. 2

  • Inl T5,6eu 2.2-7

[

ut III (El T 5QU T y y,9 4QUg 2.3-7

1. M IB) TBLE 1.6-7 (P) AU 2.3-7 I 1.44

                                  Bin I    Bin II   Bin III  Bin IV   Bin V    Bin VI
Total shown                       7.9-6    2.1-6    3 3-5    1.6-7    3.0-6    9.6-6
Summation of others not shown     2.0-7    4.0-7    5.0-7    3.0-8    1.0-7    2.0-7
Total core-melt frequency         8.1-6    2.5-6    3.0-5    1.9-7    3.2-6    9.8-6

Notes:
1. The duplications of sequence types within a bin (e.g., two type [A] in bin I) are due to the sequences resulting from steam generator tube ruptures.
2. The sequences are defined by sequence type. This grouping of events considered (1) event-tree sequence type, (2) initiating-event effects if important, and (3) differences that would require unique treatment for the consequence analysis.
3. The ATWS sequences are discussed in Appendix E. The line items in this table are summations of all ATWS sequences for a bin.
4. Nomenclature: A, large LOCA; T, transient events; S, small LOCA; T2, loss of main feedwater; T5, loss of offsite power; T6, loss of instrument air; T8, spurious engineered-safeguard actuation; T10, feedline break; T12, loss of low-pressure service water; T13, spurious low-pressurizer-pressure signal; T14, loss of 4-kV switchgear 2TC; R, steam generator tube rupture; VR, reactor-vessel rupture; Q, loss of RCS integrity (transient-induced small-break LOCA); B, failure of RCS heat removal through the steam generators; yD, failure of core heat removal by HPI cooling; gU, failure of HPI in injection mode for small LOCAs; U g, failure of LPI in injection for large LOCAs; p,,, failure of HPI in injection for tube ruptures; Y, failure to maintain RCS makeup supply; 29, failure to maintain long-term core-heat removal appropriate to the initiating events; L, failure to recover RCS heat removal; 'a y, failure to maintain long-term cooling at Pot conditions for tube ruptures; I, interfacing-system LOCA.

* Reproduced from OPRA, Table 8.1.

5.0-6 means 5.0E-6

Table 5.6 BNL Review Core Damage Frequency Distribution

Bin    X05              X50      Mean     X95

I      8.4E-7           4.1E-6   8.8E-6   2.8E-5
IR     1.2E-7           6.8E-7   1.2E-6   3.9E-6
II     5.5E-7           3.0E-6   6.5E-6   2.2E-5
IIR    9.2E-8           7.9E-7   2.1E-6   7.2E-6
III    3.6E-6           2.2E-5   5.7E-5   1.9E-4
IV     3.1E-9           5.8E-8   3.5E-7   1.3E-6
V      4.8E-7           2.5E-6   5.1E-6   1.7E-5
VI     7.3E-[illegible] 4.9E-6   1.2E-5   4.0E-5


APPENDIX A

BNL REVIEW OF THE ACCIDENT SEQUENCES FOR TRANSIENTS, LOCAs, and SGTR

This appendix summarizes the detailed results of the BNL review of the OPRA internal events sequences. The methodology used to derive these sequences is basically the same as that used in the OPRA and is discussed in Sections 3 and 5 of the main report; the data used for the BNL accident sequence quantification are discussed in Section 4. For each comparison, this appendix is arranged in the same order as Appendix D, Sections D2 through D4, of the OPRA.

For each sequence type, its corresponding event tree designation (Figures A.1 through A.4) is identified and a general description and frequency are provided. The corresponding number for the OPRA sequences is also printed in square brackets, and the containment-safeguard state is provided for each sequence. A list of the events occurring in each sequence, with its description and probability/unavailability, is provided in Table A.1.

A.1 BIN I SEQUENCE DESCRIPTION

The Bin I core damage sequences include small- and very-small-break LOCAs, both as initiating events and as transient-induced LOCAs, with early failure of core cooling due to (1) failure of the HPIS, or (2) failure to initiate high pressure recirculation (HPR) following depletion of the BWST inventory in about two hours.

A.1.1 Bin I, Sequence Type A, Event Tree Sequence SYgX3

These core damage sequences are characterized by a small-break LOCA (SLOCA), with successful HPI injection. The LOCA causes the actuation of the RBSS (even with the successful operation of the RBCS), and the operators fail to terminate its operations (YRBSH). HPR fails to be initiated upon depletion of the BWST inventory or fails during operation; the different modes of HPR failures are discussed in Subsection A.1.3.


A.1.1.1 Minimum Cut Set Listing - BNL CD frequency: 5.4E-6/yr OPRA CD frequency: 5.0E-6/yr BIN 1A =

[7] 1 4.5000E-06 !LIEA e YBRSH s DR21 +

2 2.2500E-07 SLOCA e YBRSH e SW7779CNI e ESW78 +

3 1.5000E-07 SLOCA e YBRSH + LP40WH + LP414dVH +

[681,682, 4 1.5000E-07 SLOCA e YBRSH e IST-250

  • IST-251 +

682A1

[130,131,183 5 1.2696E-07 SLOCA e YBRSH e IST-247 e IST-249 +

469,470,5211 (4) 6 9.0000E-08 SLOCA e YBRSH e LIR)S3103WH e ERMpt +

7 4.3200E-08 SLOCA e YBRSH e IST-171 e IST-174

  • ESILPI +

8 3.3120E-06 SLOCA e YBRSH e IST-174 e E 9 E91

  • IST-247 +

9 3.3120E-08 SLOCA e YBRSH e IST-171 e ESILPI e IST-249 +

10 3.0000E-48 OTERBIN1A +

[3001 11 4.1400E-09 E K A 4 YBRSH e IST-247 e IST-245 e LP14NYDi +

[2%) 12 4.1400E-09 E.fEA e YBNSH e IST-249 e IST-244 # LP121WCH

A.1.1.2 Discussion

The different modes of HPR failures are described below:

MCS 1: Operators fail to attempt recirculation within 2 hr.

MCS 2,7: failure of LPSW to decay heat coolers.

MCS 3: flow diversion from sump to BWST.

MCS 4: failure of both sump line valves to be opened.

MCS 5: failure of suction paths between the LPI decay heat cooler and the HPI pumps.

MCS 6: failure of drain valves in suction line from sump, resulting in flooding of HPI pump room; operators fail to detect drainage and isolate.

MCS 8,9: failure of LPSW to decay heat cooler in one LPI train, and failure in the suction paths between the other LPI train and the HPI pumps.

MCS 11,12: failure of the suction path between one LPI train and the HPI pumps and failure in the other LPI train.

The main differences between BNL and the OPRA come from the addition of cut set number 3 and the change in the probability assigned for operator failure to correct the alignment of valves SW77 or SW78 (SW7778CMH).


A.1.1.3 Containment-Safeguard States

a) RBSS fails in the recirculation mode in all MCS, but No. 5.

b) No direct failures in MCS No. 5.

A.1.2 Bin I, Sequence Type B, Event-Tree Sequence TQUs

These core damage sequences are characterized by a loss of LPSW with failure to recover. The loss of LPSW leads to a RCP seal failure and failure of the HPI pumps. If the RCPs are not tripped (HPRCPH), a leakage of about 100 gpm/pump will develop in about 1 hr; otherwise the leakage is only about 15 gpm.

A.1.2.1 Minimum Cut Sets Listing - BNL CD frequency: 7.3E-7/yr OPRA CD frequency: 5.9E-7/yr BIN 1B =

1 7.1500E-07 191CPH e 112E e EIINT3 +

(1) 2 4.7880E-09 T12C

  • HPICPH e SH247
  • IESW12 +

[1] 3 4.2640E-09 T12A e 19llCPH e SH!47 e flE9112 +

[5] 4 3.8880E-09 l#IICPH e 9M247

  • T14 e SWPAll
  • SW3BPPSH +

(1881 5 9.7920E-10 HPflCPH e SM247 e Si3BPPSH e T e IST-173 +

[621] 6 3.4272E-11 191CPH e SHt47 e Emil2 e T e 15T-173 e IST-175R

A.1.2.2 Discussion

In all MCS, the failure to trip the RCPs (HPRCPH) is present.

MCS No. 1, which does not appear in the OPRA, is due to a failure of the valve CCW-73 (T12E) and failure to recover (RECCW73). It is assumed, in this review, that this failure causes failure in the discharge of LPSW to the cooling in the HPI pump motors and to the component cooling system; this is probably a conservative assumption, but the realistic assessment of the effect of this failure is much beyond the charter of this review, and since it is not a very important contribution to the total CD frequency, it was not further evaluated. A realistic evaluation of this failure mode would require detailed pipe flow calculations.

All the other MCSs have a very low frequency in this review because the modification (after the analysis of the turbine building floodings) made to Oconee-3 in order to provide an automatic HPSW backup to the LPSW flow to the cooling of the HPI pump motors (SWH247 in MCS) was included. The OPRA did not include this modification.


A.1.2.3 Component-Safeguard State

a) RBCS and RBSS in MCS 2 through 6.

b) No direct failures in MCS No. 1.

A.1.3 Bin I, Sequence Type C, Event-Tree Sequences SUs and VSUs

These sequences are characterized by a small- or very-small-break LOCA followed by failure of HPI.

A.1.3.1 Minimum Cut Set Listing - BNL CD frequency: 1.0E-6/yr OPRA CD frequency: 4.4E-7/yr BIN 1C =

Il003 1 1.5000E-07 !LOCA e HP24NA +

2 1.5000E-07 HP242SNH e ELOCR +

!!3,1983 3 1.4400E47  !LOCA e IST-186 +

4 1.4400E-07 IST-186

  • VSLOCA +

(1213 5 1.2288E-07 SLOCA e HP248WO e HP25MVD +

6 ^1.2288E-07 HP24MVD e HP25MWU e VSLOCA +

7 '3.8400E-08 SLOCA e HPESNO e EACCHAG +

8 3.8400E-48 ELOCA e HP24NVD e EACC200 +

9 8.5000E-08 OTEMINIC A.1.3.2 Discussion The failure of the HPI system in all these sequences is due to failure to establish suction flow to the HPI pumps from the BWST. The main difference between BNL and OPRA results is due to the fact that BNL has also considered a very small LOCA initiator (VSLOCA) (see Section 2 of this report).

A.1.3.3 Containment-Safeguard State

. Failure of RBSS for all sequences.

A.1.4 Bin I, Sequence Type D, Event Tree Sequence T6QUs

These sequences are characterized by a loss of instrument air (T6), which causes loss of component cooling and loss of makeup flow to the letdown storage tank (LDST), followed by a failure to make the BWST available to the HPI pumps and failure to trip the RCPs.


A.1.4.1 Minimum Cut Sets Listing - BNL CD frequency: 2.9E-7/yr OPRA CD frequency: 2.5E-7/yr BIN 1D =

(1441 1 1.0500E-07 HpEiH e HP2425 Mi e T& +

[29,301) 2 1.0080E-07 HPRCPH e IST-186 e T6 +

[169) 3 8.6016E-08 iGNElH e Hp24NVO e 1923NO e T6 +

[5311 4 3.7800E-10 HARCP4

  • SWH247
  • T6 e IST-172 A.1.4.2 Discussion There is no difference between the OPRA and BNL review results.

A.1.4.3 Containment-Safeguard State a) Failure of RBSS in MCS No. 2.

b) No direct failures in all other MCSs.

A.1.5 Bin I, Sequence Type E, Event Tree Sequence TQUs

These sequences are characterized by a loss of LPSW, leading to loss of EFW and HPI. If MFW fails (SUMMFW or T g), the SRVs will be challenged with water and with any one failing open (RCSRVLC) a LOCA is created; mitigation is lost because of loss of HPI.

A.1.5.1 Minimum Cut Sets Listing - BNL CD frequency: 5.5E-8/yr OPRA CD frequency: 1.0E-7/yr BIN 1E =

(49,50,..) 1 3.4000E-06 SWH247

  • FDWP e RCSRVLC e IST-197
  • T12 e SMFW +

[3,11,..) 2 8.7636E-09 SH247

  • T14 e 954WI e FDWR e IST-175
  • ESINLC e IST-197 +

3 1.2000E-08 UTEMIN1E A.1.5.2 Discussion The major difference between BNL and OPRA results is due to the inclusion of the automatic HPSW backup to the cooling of HPI pump motors (SWH247) in the BNL review (see A.1.2.2).

A.1.5.3 Containment-Safeguard State

. Failure of RBCS and RBSS in all sequences.

A.1.6 Bin I, Sequence Type F, Event Tree Sequence TQUs These sequences are characterized by other losses of MFW events followed by failure of EFW and HPI, with a stuck-open SRV (RCSRVLC).


A.1.6.1 Minimum Cut Sets Listing - BNL CD frequency: 4.2E-7 OPRA CD frequency: 7.7E-8 BIN 1F =

[12,27,..) 1 2.3625E-07 T6 e ESRVLC e TREFdiUC e 9MfP!

  • EIR1 +

(12,27,..) 2 1.4490E-07 T6

  • RCSRVLC e IST-197 e SLMiPI e ElR1 +

3 1.5000E-08 OTERBIN!F +

[th) 4 1.3500E-06 RCSRVLC e SLM4p!

  • T10 +~

[31,45,..] 5 6.1200E-09 RCSRVLC

  • TIEFndilE e SMiPI e T5EEF e ESUBAIR1 + .

[31,45,..) 6 3.7536E-09 RCSRYLC e IST-197

  • RMipi e T5EEF e ERSAIR1

A.1.6.2 Discussion

Sequences 1, 2, 6, and 7 are initiated by a loss of instrument air (directly, T6, or indirectly through LOOP, T5SUBF) and failure to recover instrument air in one hour, REIA1 (time in which the upper storage tank will drain to the hotwell), followed by failure of the steam-driven EFW pump (IST-197), or failure to transfer EFW suction to the hotwell (TREFWSUC). With a stuck-open SRV (RCSRVLC) and failure of HPI (SUMHPI), core damage results.

The main difference between BNL and the OPRA resides in the time available for recovery of instrument air (1 hr for BNL vs 2 to 6 hr in the OPRA); see Section 5 of this report.

Sequence 4 is initiated by a large feedwater line break (T10) followed by a stuck open SRV and failure of HPI.

A.1.6.3 Containment-Safeguard State

. About 30% of all these sequences cause failure of the RBSS (because of the same suction path for HPI and RBSS).

A.1.7 Bin I, Sequence Type G, Event Tree Sequence T 33qUs 0

This sequence is characterized by failure of pressurizer pressure control (T13) resulting in stuck open SRV followed by failure of HPI.

A.1.7.1 Minimum Cut Sets Listing - BNL CD frequency: 6.3E-8 OPRA CD frequency: 6.8E-8 BIN 16 =

[76,404...) 1 6.3360E-08 S Mtp1 e T13 e R(3RYSC

A.1.7.2 Discussion

There is no difference between the BNL review and the OPRA results.


A.1.7.3 Containment-Safeguard State

About 30% includes the failure of the RBSS (see Subsection A.1.6.3).

A.1.8 Bin I, Sequence Type H, Event Tree Sequence TiaYX s3

This sequence is characterized by a large feedwater line break (T10) inside the reactor building (CPT101), followed by the operators' failure to terminate the RBSS and to initiate the HPR in 2 hr (XHPR2H).

A.1.8.1 Minimum Cut Sets Listing - BNL CD frequency: 1.2E-8 OPRA CD frequency: 1.4E-8 BIM1H =

U24) 1 1.3500E46 YORBI e BWR2H e ACSRVLC e T10 e CPT101 A.1.8.2 Discussion There is no difference between the BNL and the OPRA results.

A.1.8.3 Containment-Safeguard State

. Failure of the RBSS in recirculation.

A.1.9 Bin I, Sequence Type I, Event Tree Sequence TQU

These sequences are characterized by a blackout (PIR30, PIR1), failure of the steam-driven EFW pump (IST-197) or TREFWSUCM, failure to provide feedwater from the standby shutdown facility in 30 min after loss of the steam-driven EFW pump, and failure of the SRVs to close after liquid relief.

A.1.9.1 Minimum Cut Sets Listing - BNL CD frequency: 4.8E-7/yr OPRA CD frequency: 8.1E-8/yr BIN 1I =

1 3.800CE-07 RCSRVLC e IST-197 e P!R30 +

2 4.9000E-08 ESRVLC e TREFWiUCM e PIR1 e ESIFW30 +

3 4.7000E-06 ACSRVLC

  • TEFWRD o PIR1 e ESFP

A.1.9.2 Discussion

The main differences between the BNL and the OPRA results are due to the following:

a) The frequency of a blackout in the BNL review is higher than that used by the OPRA (PIR30 = 4.2E-5/yr vs 1.4E-5/yr in OPRA) because of the inclusion of the failure of both main feeder buses following any initiating event, e.g., because of failure of the breaker, N1 and 3TC1 or 3TE1, or 3TD1 are included in the BNL review; these failure modes are not included in the OPRA.

b) The probability of failure of the operators to transfer the steam-driven EFW pump to the hotwell was also assessed to be larger in the BNL review (TREFWSUCM = 0.25 vs 0.15 in OPRA); this is due to the blackout conditions.

c) The probability of failure of the SSF backup power system, given a blackout (RESSFP = 0.096), was not included in the OPRA.

d) The timing for the EFW suction transfer is 1 hr in this review, as opposed to 2 hr in the OPRA.

Note that the impact on the total core damage frequency is still very small, even with all these differences.

A.1.9.3 Containment-Safeguard State

  • Failure of RBCS and RBSS.

A.1.10 Summary for Bin I Sequences

The total Bin I core damage frequency calculated in this review is equal to 8.4E-6/yr as compared to 6.5E-6/yr in the OPRA. The major contributions for this difference are: time for recovery of instrument air system, inclusion of very-small-LOCA initiator, changes in blackout frequency, and failure to transfer EFW suction to the hotwell.

A.2 BIN IR SEQUENCE DESCRIPTIONS

The Bin IR includes core damage sequences initiated by a steam-generator tube rupture (SGTR), followed by failure of the HPI.

A.2.1 Bin IR, Sequence Type A, Event Tree Sequences RBUR

SGTR (R) with failure of HPI due to failure of the BWST to provide suction to the HPI pumps.

A.2.1.1 Minimum Cut Sets Listing - BNL CD frequency: 4.1E-7/yr OPRA CD frequency: 3.9E-7/yr BIN 1RA =

ti,61 1 4.1290E-07 IST-106 e R A.2.1.2 Discussion There is no difference between this review and the OPRA.

A.2.1.3 Containment-Safeguard State

. Failure of the RBSS.

A.2.2 Bin IR, Sequence Type B, Event Tree Sequence RE(Ug

SGTR with failures of the HPI suction, other than the BWST.


A.2.2.1 Minimum Cut Sets Listing - BNL CD frequency: 8.1E-7 OPRA CD frequency: 8.5E-7 BIN 115 =

[4] 1 4.3000E-07 15E425mM e R +

[5] 2 3.5226E47 ip2#NO e 1925MYO e R +

I231 3 1.4310E-48 192SNO e R e HPBEBiti +

[24] 4 1.4310E-08 9924NWO e R e 69lE WI A.2.2.2 Discussion There is no difference between this review and the OPRA.

A.2.2.3 Containment-Safeguard State

. No direct failure of RBCS or RBSS.

A.2.3 Bin IR, Sequence Type C, Event Tree Sequence RB'@g

SGTR with failure of HPI due to loss of LPSW.

There is no sequence of this type in the BNL review because of the inclusion of the automatic HPSW backup to the LPSW cooling of the HPI pumps.

A.2.4 Summary for Bin IR Sequences

The core damage frequency calculated in this review (1.2E-6/yr) is practically the same as in the OPRA (1.3E-6/yr). No differences were found.

A.3 BIN II SEQUENCE DESCRIPTIONS

These sequences involve a small and very small LOCA, or a transient-induced LOCA (transient with stuck-open SRV). The HPI is successfully actuated and the RBCS removes heat from the containment; the latter allows the BWST inventory to last longer than 12 hours. At the time of BWST depletion, HPR and LPR fail and core damage results.

A.3.1 Bin II, Sequence Type A, Event Tree Sequence TcQUTX,

These sequences are initiated by a LOOP-initiating event causing a loss of instrument air, with failure to recover power to the instrument air in one hour (RESUBAIR1). A loss of EFW due to failures in the steam-driven EFW pump (IST-197) or to operator failure to transfer suction to the hotwell (TREFWSUC) will cause a challenge to the SRVs with one of them sticking open (RCSRVLC). HPI cooling and RBCS are successful. The recirculation with HPR or LPR fails because of the following: a) excessive LPSW to LPI coolers (SWEXCESS*SWEXCESSLPR), b) pump room flooding (LWD 99103VVH), or c) operator failure to initiate HPR/LPR (XHPR12H).

A.3.1.1 Minimum Cut Sets Listing - BNL CD frequency: 1.0E-7/yr OPRA CD frequency: 1.9E-8/yr BIN 2A =

1 2.6400E-48 ESHLC e TEFWBUC e TESF e ESERIR2 e SEICESS e MICESSLM +

2 1.6192E-08 RCSRVLC e IST-197 e T5SUBF e EStBAIR2

  • SEICESS
  • SEICESSLM +

[2rd 3 1.5840E-08 Ue99103VVH e RCSRVLC

  • TEFWSUC e T35UBF e RESLBAIR2 +

4 1.2240E-06 RCSRVLC e TREFWEUC e T5SLSF e RESUBAIR1

  • IHPR12H +

5 9.7149E-49 US99103WH e EINRC e IST-197 e T3ESF e ESSAIR2 +

E 2.4000E-08 OTEfBIN2R

A.3.1.2 Discussion

The main differences between this review and the OPRA are due to the following:

a) The BNL consideration that, given a loss of air, the air-operated valves downstream from the decay heat coolers fail open and when the reactor building pressure reaches 3 psig the MOVs (MOV LPSW-4 and LPSW-5) open, resulting in excessive LPSW to the decay heat coolers. This excessive service water, according to the OPRA, may fail the coolers and therefore the HPR (SWEXCESS). It is also considered that the LPR may be disabled if several tubes are broken (SWEXCESSLPR).

Note that in the fault trees given in the OPRA it was assumed that the excessive LPSW would disable the cooling function of the decay heat coolers with certainty. However, the DPC response to the BNL question explains why this assumption is not valid; BNL agrees with the reasons in that DPC answer.

b) The BNL assumption that if the operators fail to recover the instrument air in two hours no credit is given for possible actions to avoid pump room flooding due to the drainage of the reactor building sump (LWD 99103VVH).

A.3.1.3 Containment-Safeguard State

  • Failure of RBSS.

A.3.2 Bin II, Sequence Type B, Event Tree Sequence TgQUTXs

These sequences are very similar to the ones previously described in A.3.1. The only difference is that here the loss of instrument air is the transient initiator.

A.3.2.1 Minimum Cut Sets Listing - BNL CD frequency: 3.2E-6/yr OPRA CD frequency: 1.1E-8/yr BIN 2B =

1 9.4500E-07 T6 e ESIM.C e TEFWRE e EIA2 e SEICESS

  • SWEICESSLPR +

2 5.7960E47 T6

  • ESINLC e IST-197
  • EIA2
  • MICESS e SWEICESSLPA +

3 5.6700E-07 Ue99103WH e T6 e ESINLC

  • TEFEJC e EIA2 +

4 4.7250E47 76 e RCSINLC

  • THEFWSUC e REIA1
  • IHPR12H +

5 3.4776E47 US99103WH e T6 e ESINLC e IST-197

  • EIR2 +

6 2.8900E47 T6 e llCSRYLC e IST-197

  • EIAI e D9R12H

A.3.2.2 Discussion

The differences discussed in Subsection A.3.1.2 also apply here.

A.3.2.3 Containment-Safeguard State

. Failure of RBSS.

A.3.3 Bin II, Sequence Type C, Event Tree Sequence SDYXs

These sequences involve a small- or very small-break LOCA followed by successful HPI injection. HPR and LPR fail because of a) failure to be initiated (XHPR12H), b) flow diversion to the BWST (LP40VVH*LP4142VVH), c) failure of sump valves to open (IST-250*IST-251), d) operator failure to stop the LPI pumps before their failure due to deadhead (LPPSTOPH) and failure to use the backup LPI pump C (LPIPUMPC), and e) pump room flooding (LWD 99103VVH).

A.3.3.1 Minimum Cut Sets Listing - BNL CD frequency: 2.8E-6/yr OPRA CD frequency: 6.9E-7/yr BIN 2C =

1 9.0000E-07 VSLOCA

  • IMPR12H +

[83: 2 4.5000E-07 !LOCA

  • XHPR12H * /YBRSH +

3 3.0000E-07 LP40WH

  • LP4142Wh
  • VSLOCA +

4 3.0000E-07 IST-250

  • IST-251
  • VSLOCA +

5 2.4000E-07 VSLOCA

  • LPPPSTOPH
  • LPIPLMPC +

6 1.8000E-07 LIG9910AW e RESlMpt

  • VSLOCA +

7 1.5000E-07 SLOCA

  • LP40WH e LP' 4 142Y.N * /YBRSH +

[A,B,C) 8 1.5000E-07 SLOCA

  • IST-250
  • IST-251 * /YBRSH +

[231 9 9.0000E-Ce SLOCA

  • LlG99103WH
  • IER85DF e /YBRSH +

10 1.0000E-06 OTElBIN2C A.3.3.2 Discussion The main difference between BNL and OPRA is due to the BNL inclusion of the very small LOCA initiator VSLOCA (see Section 2.3).

A.3.3.3 Containment-Safeguard State

. Failure of RBSS.

A.3.4 Bin II, Sequence Type D, Event Tree Sequence TQDTX,

The dominant sequence involves a loss of feedwater initiated by a large feedwater break (T10) followed by a stuck-open SRV (RCSRVLC) with successful HPI. When the BWST inventory is depleted, the operator fails to initiate HPR or LPR.

A.3.4.1 Minimum Cut Sets Listing - BNL CD frequency: 4.8E-8/yr OPRA CD frequency: 4.8E-8/yr BIN 2D =

[35El 1 2.7000E-06 RCSINLC

  • T10
  • IMPLPR12H +

2 2.0000E-06 DT)EIBIleD A.3.4.2 Discussion There is no difference between the BNL and the OPRA results.

A.3.4.3 Containment-Safeguard State

  • Failure of RBSS.

A.3.5 Bin II, Sequence Type E, Event Tree Sequence TQUTXs

These sequences involve transients that lead to overcooling (T9), and other transients (T) that are followed by additional failures (IST-255, 14007) also lead to overcooling. The actuation of HPI with operator failure to control injection (QHPIH), or open PORV block valve, RC417VCH (which is closed about 80% of the time), will challenge the SRV which sticks open after releasing liquid (RCSRVLL). When the BWST is depleted, HPR and LPR fail because of failure of initiation (XHPR12H), flow diversion (LP40VVH*LP4142VVH), or failure of the sump valves to open (IST-250*IST-251).

A.3.5.1 Minimum Cut Sets Listing - BNL CD frequency: 2.2E-7/yr; OPRA CD frequency: 5.8E-0/yr

BIN2E =

1 6.3600E-08 ESMC e IHpt12H e T9

  • E41M e EMPIH +

2 3.0000E-06 OTERBIN2E +

3 2.1200E48 LP40WH e LP4142WH

  • ESMC
  • T9 e E41M e OHDIH +

4 2.1200E-08 IST-250

  • IST-251
  • RCSMC
  • T9 e E41M e (Np!H +

5 5.5000E48 i e ESMC e XMPR12H

  • E41M e MIH
  • IST-255 +

6 3.3000E-08 T

  • ESMC e IHpR12H
  • E41M + 991H e 14007

A.3.5.2 Discussion

These sequences do not appear in the OPRA because the PORV block valve was not considered to be closed for about 80% of the time. This was later realized by the OPRA team, but no modifications to the final results were made because of the small effect on total core damage frequency (see page D-77 of OPRA, Appendix D).

A.3.5.3 Containment-Safeguard State

. Failure of RBSS.

A.3.6 Bin II, Sequence Type F, Event Tree Sequence TQIiiXs

These sequences involve primary-system pressurization by the pressurizer heaters (T13), or inadvertent HPI actuation (T8), or overcooling (T9) followed by a stuck-open SRV relieving steam. The PORV is either failed (T33) or blocked (RC417VCH). HPI is successful, and HPR and LPR fail for the reason given in Section A.3.5.


A.3.6.1 Minimum Cut Sets Listing - BNL CD frequency: 3.7E-7/yr; OPRA CD frequency: 2.2E-7/yr

BIN2F =

[258) 1 1.2672E-07 T13

  • K3RYSC e D9R12H +

2 4.2240E-08 LP40VWi e LP4142WH e T13 e ESEYSC +

[R) 3 4.2240E-08 IST-250 e IST-251

  • T13
  • RCSRYSC +

4 4.0704E-08 LP40WH e LP4142WH e ESRVSC e T9 e E417VDI +

5 4.0704E4WL 15T-250

  • IST-251
  • RCSRV9C e T9
  • E417VDi +

[583 .6 2.5344E-08 Lie 99103WH e ESLMPPF e T13 e ESRVSC +

7 2.3040E-08 RCSRVSC e HPR12H e RC417VCH e T8 +

8 3.3000E-08 OTHERBIN2F

A.3.6.2 Discussion

The main difference between BNL and the OPRA is the inclusion of different failure modes for HPR and LPR.

A.3.6.3 Containment-Safeguard State

. Failure of RBSS.

A.3.7 Summary for Bin II Sequences

The total Bin II CD frequency in this review is equal to 6.7E-6/yr, as compared to 1.1E-6/yr in the OPRA. The major contributions to this difference are the inclusion of the very small LOCAs, the inclusion of the failure of HPR and LPR due to loss of air, and the different treatment for recovery of air (recovery time is different).

A.4 BIN IIR SEQUENCE DESCRIPTIONS

These sequences are characterized by a steam generator tube rupture (SGTR), with successful injection, and failure to establish a stable mode of long-term cooling before the BWST inventory is depleted.

A.4.1 Bin IIR, Sequence Type A, Event Tree Sequence RBgUgXg0

SGTR (R) with failure of a main steam relief valve on the affected SG to close (MSRVIC) such that HPR is not an option because the water to replenish the RPV is being discharged through the SG safety relief valve and the containment sump will be empty. The BWST fails to be refilled (OBWSTH) and decay heat removal function fails (XRDHRH, LPDHRSUC*REDHRSUC, or LPD16*RELPD16).


A.4.1.1 Minimum Cut Sets Listing - BNL CD frequency: 6.0E-7/yr; OPRA CD frequency: 4.0E-7/yr

BIN2RA =

[4] 1 3.4400E-07 R e CBWSTH e MSRVIC e LPCHASLE e EDHELE +

2 .1.7200E-07 R e (BWSTH e MSRVIC e LPD16 e ELPD16 +

[61) 3 5.1600E-06 R e (BIETH e ISRVIC e IMDHEi +

4 3.2000E-06 OTHERBIN2RA

A.4.1.2 Discussion

The only difference between BNL and the OPRA is the inclusion of the failure of valves 3LP-19 and 3LP-20 (LPD16) in the BNL review.

A.4.1.3 Containment-Safeguard State

. Failure of RBSS.

A.4.2 Bin IIR, Sequence Type B, Event Tree Sequence R @

SGTR with failure to refill the BWST before the inventory is depleted, and failure of the LPI system to operate.

A.4.2.1 Minimum Cut Sets Listing - BNL CD frequency: 1.5E-6/yr; OPRA CD frequency: 7.4E-7/yr

BIN2RB =

II) 1 6.4500E-07 SW7778CMH e ESW78

  • R e OBWS1H +

[181 2 4.3000E-07 LP40VVH e t.94142WH e R * (BIETH +

3 1.3000E-07 OTERBIN2RB +

[113 4 1.2384E-07 IST-171 e IST-174 e ESILPI e R e DBWSTH +

5 4.3000E-08 R

  • OBWSTH e RC660SVH e IRRCPH e ICLP1034H +

(701 6 3.8700E-08 LP14MVCH e LP12MVCH e R

  • IBWSTH +

[301 7 3.0960E-08 IST-171 e RESlLPI e LP14NVCH e R

  • OBl6TH +

[291 8 3.0960E-08 IST-174 e ESULPI

  • LP12MVCH e R e CBWSTH +

9 2.5800E-08 R e OBWSTH e LPDHRSUC e EDHRSUC e (LTDi +

10 1.2900E-06 R e (BWSTH e EDHRSUC e LPD16 e (LTCH +

(551 11 1.0320E-08 IST-171

  • ESILPI e LP40WH + R e (BIETH

A.4.2.2 Discussion

The major difference between BNL and OPRA resides in the recovery of valves LPSW-77, or LPSW-78 (RESW78). In this review a probability of 5.0E-2 is used for the event RESW78, and a value of 5.0E-3 is used in the OPRA.

A.4.2.3 Containment-Safeguard State

. Failure of RBSS.

A.4.3 Summary of Bin IIR Sequences

The major contribution to the difference in core damage frequency between this review (2.1E-6/yr) and the OPRA (1.4E-6/yr) is the recovery of LPSW valves LPSW-77 or LPSW-78.

A.5 BIN III SEQUENCE DESCRIPTIONS

The sequences in this bin are characterized by transients in which the ability to remove decay heat via the steam generators is lost, and core cooling fails because the high-pressure injection cooling fails to be initiated, or is lost during the injection phase, or when the BWST is depleted in two hours (this last failure occurs only if the RBCS is lost).

A.5.1 Bin III, Sequence Type A, Event Tree Sequence T,BU

Sequences with loss of MFW (T2) initiating event followed by failure of EFW (EFUSTF, IST-197, IST-198,...) and failure of HPI cooling (UTHPIH).

A.5.1.1 Minimum Cut Sets Listing - BNL CD frequency: 1.3E-6/yr; OPRA CD frequency: 1.2E-6/yr

BIN3A =

(15) 1 6.9000E-07 T2 e UTHPlH e EFLETF e IEFDW2 +

2 2.0000E-07 OTERBIN34 +

3 1.1730E-07 15T-197 e T2

  • UTHPIH e REFDW2 e CCW87WH +

4 1.1730E-07 IST-197 e T2 e UTHP!H e E!M2 e 91527WH +

Il05,168,4251 5 4.9680E-08 IST-197 e T2 e UTHPIH e IEFDW2

  • IST-198 +

(115] 6 4.8400E-08 T2

  • UTi@IH e IEFDW1 e IST-192 e IST-191 +

7 4.8300E-06 15T-197

  • T2
  • UTHP!H e REFDW2 e SW606 +

[58, 85) 8 4.6000E-08 IST-197 e T2 e UTHPIH e SfEF(IH e REFDW1 +

!!05,168,425) 9 1.7940E-08 IST-197

  • T2 e UTHPlH e fEFDW2 e IST-199 +

(2101 10 1.!!ME-48 IST-197 e T2 e UD91H e IST-177 e IST-l?6 e IE3W23

A.5.1.2 Discussion

There is essentially no difference between BNL and the OPRA.

A.5.1.3 Containment-Safeguard State

. No direct effects.

A.5.2 Bin III, Sequence Type B, Event Tree Sequence T g

Sequences with loss of condenser vacuum initiator (T4). The progression of these sequences is identical to that of sequence type A above.

A.5.2.1 Minimum Cut Sets Listing - BNL CD frequency: 4.8E-7/yr; OPRA CD frequency: 4.1E-7/yr

BIN3B =

[30) 1 2.8980E-07 UTHPIH e ETLETF e IEFIN2

  • T4 +

2 4.9266E-08 IST-197 e UTHPIN

  • REFIN2 e CDE7WH e T4 +

3 4.9266E-08 IST-197

  • UTHPIH e REFIN2 e 9Ci27Mi e T4 +

4 2.0866E-08 IST-197

  • UTHP!H e IEFIM2
  • IST-198 e T4 +

5 2.0328E-08 UTHPIH e IEFIW1

  • IST-192 e IST-191
  • T4 +

6 2.0286E-08 IST-197

  • UTNP!H e IUIM2 e SW606
  • T4 +

7 1.9320E-08 IST-197

  • UTHpIH e 9EFCCH e REFlW1 e T4 +

8 7.5348E-09 IST-197 e UTHPIH e MFme o IST-199

  • T4 +

9 4.6754E-09 IST-197

  • UTIFIH e IST-177 e IST-176 e IEFBW23 e T4

A.5.2.2 Discussion

There is essentially no difference between BNL and the OPRA.

A.5.2.3 Containment Safeguard State

. No direct effects.

A.5.3 Bin III, Sequence Type C, Event Tree Sequence TBU

Sequences initiated by a turbine trip or another initiating event that does not disable MFW (T), followed by loss of MFW (SUMMFW) and EFW (EFUSTF, and others), failure to recover feedwater, and failure to initiate HPI cooling (UTHPIH).


A.5.3.1 Minimum Cut Sets Listing - BNL CD frequency: 7.6E-7/yr; OPRA CD frequency: 4.2E-7/yr

BIN3C =

[ALL Op m E G) 1 4.7191E-07 i e R88FW e UTHPIH e ERSTF e IEF9e + -

2 2.872EE-47 OTHERBIN3C

A.5.3.2 Discussion

The only difference between BNL and OPRA is in the sequences denoted by OTHERBIN3C, where the other failures of the EFW system appear.

A.5.3.3 Containment-Safeguard State

. No direct failures.

A.5.4 Bin III, Sequence Type D, Event Tree Sequence T igBU

Loss-of-ICS-power-initiating event (T11) causes loss of MFW. Loss of EFW (EFUSTF and others) and loss of HPI (UTHPIH) follow.

A.5.4.1 Minimum Cut Sets Listing - BNL CD frequency: 1.8E-7/yr; OPRA CD frequency: 6.0E-8/yr

BIN3D =

[102) 1 1.1500E-07 UD91H e ERETF e IEFDit e Til +

2 7.0000E-98 OTHERBIN3D

A.5.4.2 Discussion

The differences between BNL and the OPRA are due to a larger frequency used for T11 (5.0E-2/yr in this review vs 2.0E-2/yr in the OPRA; see Section 4) and to the inclusion of other failures of the EFW system (included in the sequence named OTHERBIN3D).

A.5.4.3 Containment-Safeguard State

. No direct failures.

A.5.5 Bin III, Sequence Type E, Event Tree Sequence T i cB

,U.,

Large feedwater or condensate line break (T10) which causes loss of MFW and EFW. Feedwater from other sources fails to be initiated (REFDW1), and HPI cooling fails (UTHPIH).

A.5.5.1 Minimum Cut Sets Listing - BNL CD frequency: 4.8E-6/yr; OPRA CD frequency: 4.8E-6/yr

BIN3E =

[141 1 4.5000E-06 T10 e UD91H e IEFDW1

A.5.5.2 Discussion

There is no difference between BNL and the OPRA.

A.5.5.3 Containment-Safeguard State

. No direct failures.

A.5.6 Bin III, Sequence Type F, Event Tree Sequence TBU

These sequences are characterized by a loss of instrument air, as an initiating event (T6), as a result of LOOP (T5SUBF, T5FEEDF), or following a reactor/turbine trip (T) with other failures (IST-3), and failure to recover instrument air in one hour (REIA1, REFEEDAIR1, RESUBAIR1). Loss of EFW (IST-197, TREFWSUC, EFUSTF), failure to initiate HPI cooling (UTHPIH), and failure to provide feedwater from the SSF (RESSFW30) result in core damage.

A.5.6.1 Minimum Cut Sets Listing - BNL CD frequency: 2.9E-5/yr; OPRA CD frequency: 4.7E-6/yr

BIN3F =

I2] 1 1.5750E-05 T6

  • TEFWSUC
  • EIA1 e ES!FW30
  • UTHPIH +

[4,9) 2 9.6600( 76

  • IST-197
  • EIA1
  • RESSFW30
  • UTHPIH +

[343 3 9.6600E47 T6

  • UT}@I51
  • EFUSTF +

[6] 4 4.0800E47 TREFWSUC

  • T55UBF
  • Fe:SUBAIRI
  • ESSFW30
  • UTHPIH +

[52) 5 3.6800E47 T55UBF e UTHPIH

  • EFUSTF +

6 3.0353E-07 T

  • TREFWSUC
  • EIA1
  • RESSFW30
  • UTHPIH e IST-3 +

[8,12) 7 2.5024E-07 IST-197

  • T55UBF
  • RESUBAIR1
  • ESSFW30
  • UTHPIH +

[21] 8 2.4675E-07 T6

  • EIA1
  • RESSFW30
  • UTHPIH + EFRl3
  • ETSlH + IST-207 +

9 1.8616E47 T

  • IST-197
  • EIA1
  • ESSFW30
  • UTHPIH
  • IST-3 +

[51) 10 1.8400E-07 T5FEEIF

  • UTHPIH + EFUSTF +

(3G 11 1.0500E47 T6

  • EIA1
  • UTHPIH e SW191WW +

[39) 12 8.4000E-08 T6

  • EIA1
  • PESSFW30
  • UTHP!H
  • SWC89WH +

[5] 13 7.8000E-08 TREFWSUC

  • RESSFW30
  • T5FrEDF
  • REFEEDAIR1
  • UTHPIH +

[642) 14 1.8616E-08 T

  • UTHPIH
  • EFUSTF
  • IST-3 +

[27) 15 9.5200E-09 T5RRF

  • ERERIRI
  • EWM30
  • UD91H + Sf130E0

A.5.6.2 Discussion

The main differences between BNL and the OPRA are the following:

a) In the OPRA, a 2- to 6-hr time interval was allowed for recovery of the instrument air before drainage of the UST into the hotwell due to the opening of valve 3C-176. At a meeting held at DPC (BNL, DPC, and NRC), DPC responded to BNL questions by acknowledging that this time allowance was too long and one hour would be more appropriate.

Accordingly, this review used the one-hour time (i.e., REIA1 = 0.5 vs. REIA2/6 = 5.5E-2 in the OPRA), which accounts for most of the difference in the CD frequency.

b) A second factor is the frequency of the initiating event T6 (see Section 4.1.2.3); BNL uses 0.21/yr as opposed to 0.17 in the OPRA.

It is important to note that in the sequences initiated by LOOP due to substation failures (T5SUBF), BNL calculates a lower frequency of core damage because the initiator frequency is smaller (8.0E-2/yr vs 1.3E-1/yr in the OPRA), and the probability of failure to recover air is also smaller in the BNL review; the probability of failure to recover air is smaller because the failure to recover power is smaller in this review (see Section 4).

A.5.6.3 Containment-Safeguard State

. No direct failures of RBSS or RBCS.

A.5.7 Bin III, Sequence Type G, Event Tree Sequence TBU

These sequences are characterized by the failure of the LPSW as an initiator (T12A, T12C, T12D, T12E), or failure of the 4.6-kV bus 3TC (T14) with other failures in the second LPSW pump (SW3BPPSH, IST-175A), or any other transient (T) with failure of the LPSW (CCW73VVT, SW108VVT, IST-173*SW3BPPSH). The loss of LPSW causes failure of the HPI pumps. Since in these sequences the RCPs are tripped, the failure of the HPI seal injection will result in a small RCS leak (see page A3-16, item 2, in the OPRA) with inability to make up if the SSF seal injection is not actuated in about 30 min (RESSFSI); item 2, page A3-16, of the OPRA states that a seal leakage will result if injection flow is interrupted and the RCPs are tripped.

In this review, the automatic HPSW makeup to the LPSW cooling of the HPI pumps (SWH247) is considered for the cases in which the loss of LPSW is not due to the blockage of the LPSW discharge path from the HPI pumps cooling and the component cooling (failures other than T12D, T12E, SW108VVT, and CCW73VVT); in the OPRA, this modification to the plant was not taken into account.

It is also important to note that the first cut set given in A.5.7.1 below, i.e., loss of LPSW to the cooling HPI pumps and component cooling system due to failures in the discharge path, is considered to be conservative.

However, in order to evaluate the correctness of this failure mode (which was also found later by the OPRA, but not included; see footnote in OPRA, page A14-27), pipe flow calculations would be necessary. Thus, BNL includes it as one of its sequences.


At a meeting held at DPC, drawings were given to BNL and NRC to show that this failure mode and that included in the second cut set below were eliminated by modifying the discharge of the SW from the cooling of the HPI pumps.

However, even though this modification was not analyzed in this review, to be consistent with the OPRA, it is expected that the first two cut sets and also cut sets 5 and 6 will no longer be valid for the present Oconee-3 (as built).

A.5.7.1 Minimum Cut Sets Listing - BNL CD frequency: 1.8E-5/yr; OPRA CD frequency: 1.5E-5/yr

BIN3G =

(1A1 1 7.1500E-06 T12E e EIDl73 e ESFS! +

IIA) 2 7.1500E-06 T12D e ESW108 s ESSFS! +

til 3 3.0600E-06 T12A e 9H247 e ESSFSI +

[723 4 1.3167E-07 2ECCW73

  • T
  • RESSFSI e CCW73WT +

[72] 5 1.3167E47 T e SW108WT

  • KSW108
  • RESSFSI +

6 5.5814E-Od SWH247

  • SW3BMiH e T + IST-173 e RESSFS! +

(1) 7 4.7800E-08 T12C e sin 247

  • RESW12 e RESSFS! +

8 3.8880E-08 SIM247

  • T14
  • SWPAR e SIGPPSH e ES3FSI +

9 1.3600E-09 SN247

  • RESW12
  • T14
  • BSAR e IST-175R
  • ESSFS!

A.5.7.2 Discussion

Even though the BNL total CD frequency for this sequence is not much different from that in the OPRA, significant differences exist in some of the contributors, as explained above (Subsection A.5.7). The following factors account for these differences: a) the inclusion of the valve CCW-73 (T12E and CCW73VVT), which increases the CD frequency; b) the inclusion of the automatic HPSW backup to the LPSW cooling of HPI pumps (SWH247), which decreases the CD frequency; and c) the decrease in the frequency of T12D (blockage of valve LPSW-108), which also decreases the CD frequency.

Note that if the modification in the discharge of the SW cooling to the HPI pumps is to be considered, the CD frequency for this sequence would be about 4.0E-6/yr.

A.5.7.3 Containment-Safeguard State

. Failure of RBCS and RBSS.

A.5.8 Bin III, Sequence Type H, Event Tree Sequence TSU

These sequences are initiated by a loss of instrument air (T6) or by a LOOP (T5SUBF, T5FEEDF) which results in loss of air. As a consequence of loss of air, the LDST makeup is lost. With flow unavailable from the BWST to the HPI pumps (IST-186, HP2425MVH, others), and since the RCPs are tripped because of loss of component cooling, seal leakage results; if RCPs were not tripped, a seal failure would occur. Failure to protect the HPI pumps by cycling them (REHPPPCS) or failure to recover LDST makeup (by recovering air; RESUBAIR90), and failure to initiate makeup from the SSF (RESSFSI) before seal leakage occurs result in slow RCS leakage with no ability to make up, and core damage occurs.

A.5.8.1 Minimum Cut Sets Listing - BNL CD frequency: 2.5E-7/yr; OPRA CD frequency: 2.2E-7/yr

BIN3H =

1 E.5600E-08 HP2SM) e T5SUEF e RESSFSI e REHPPPCS e HP24PNH +

2 2.5600E-08 HP24MVO e T55UBF e RESSFSI e REHPPPCS e HP25MVH +

[774) 3 2.0000E-08 HP2425MVH e T5SUBF e RESSFSI e REHPPPCS +

[272,6332) 4 1.9200E-08 IST-186 e T55UBF e RESSFSI e REHPPPCS +

[833] 5 1.6384E-08 HP24MVD e HP25MVD e T5SUEF e RESSFSI e REHPPPCS +

6 1.2800E-08 HP25MVO e T5FEEDF e RESSFSI e REHPPPCS e HP2W4{ +

7 1.2800E-08 HP24MVD e T5FEEDF e ESSFSI e REHPPPCS e HP25MVH +

8 1.2800E-08 HP25MVD e T55UBF e RESSFSI e HP24MVH e RESUBAIR30 +

9 1.2000E-08 HP24MVD e TSSUBF e RLSSFSI e HP25MVH e ESL11 AIR 90 +

10 1.0000E-08 HP2425MVH e T5FEEDF e RESSFSI e REHPPPCS +

!! 1.0000E-08 HP2425MVH e T5SUBF e ESSFS!

  • RESUBelR90 +

12 7.0000E-08 OTHERBIN3H

A.5.8.2 Discussion

The BNL review and the OPRA differ primarily in the time available to recover the instrument air. DPC has acknowledged that the time available to recover air and consequently LDST makeup is about 90 min; BNL has used this time (RESUBAIR90) in its review. Since the probability of failure to recover air given a LOOP in this review is smaller than that used in the OPRA (RESUBAIR90 = 2.b.-2 vs RESUBAIR12 = 8.1E-3 as used in OPRA) and also the initiator frequency for T5SUBF is smaller in the BNL evaluation (0.08/yr vs 0.13/yr in the OPRA), the total core damage in both studies becomes almost the same.

It is important to note that sequences with loss of instrument air do not show up (i.e., their frequency of occurrence is included in the OTHERBIN3H), because in the case of a loss-of-air initiator the emergency procedures direct the operators to open the valve CC-8, thus providing component cooling and avoiding the trip of the RCPs and the subsequent seal leakage. A recovery factor for this action was included (probability of failure equal to 0.2), making the frequency of these sequences lower than 1.0E-8/yr.

A.5.8.3 Containment-Safeguard State

. No direct failure of RBCS or RBSS.

A.5.9 Bin III, Sequence Type I, Event Tree Sequence TBU

Sequences are characterized by a loss of all ac power for longer than four hours (PIR4), with successful secondary heat sink provided by the turbine-driven EFW pump. This review assumes that in four hours the batteries are depleted and the failure to provide feedwater from the SSF (RESSFW30, RESSFP) results in core damage.

The sequence type also includes the sequences with loss of ac power for more than 12 hours (PIR12) with successful secondary heat sink provided by TDEFWP and later from the SSF. Failure of the SSF makeup function to provide seal injection in 30 min (RESSFSI) will result in gradual loss of RCS inventory, loss of primary to secondary heat transfer, and core damage.

A.5.9.1 Minimum Cut Sets Listing - BNL CD frequency: 1.8E-7/yr; OPRA CD frequency: 2.f'E-8/yr

BIN3I =

1 7.9787E-08 E9lFW30

  • P1R4 */TEFWliUC * /!57-197

2 7.6592E-06 ESSFP e P1R4 * /TEFWUUC e /IST-197

3 2.6000E-08 ESEFSI e p1R12

A.5.9.2 Discussion

The main differences between BNL and the OPRA are due to the BNL assumption that the batteries will be depleted in four hours (the OPRA assumes battery depletion in 12 hours), and to the frequency of loss of all ac power (discussed in Section A.1.9.2).

A.5.9.3 Containment-Safeguard State

. Failure of RBCS and RBSS.

A.5.10 Bin III, Sequence Type J, Event Tree Sequence TBU

These sequences are characterized by: a) loss of all ac power for 30 min followed by failure of the steam-driven EFW pump (IST-197) and failure to provide feedwater flow from the SSF (RESSFW30, RESSFP), or b) loss of all ac power for about two hours with the steam-driven EFW pump operating, but with failure to transfer its suction from the UST to the hotwell (TREFW50CM), and failure to provide feedwater to the SG from the SSF.


A.5.10.1 Minimum Cut Sets Listing - BNL CD frequency: 1.1E-6/yr; OPRA CD frequency: 2.9E-8/yr

BIN3J =

~1 3.8640E-07 IST-197 e P!A30 + ESSFu30 +

2 3.7096E-07 IST-197 e PIR30 e ESSFP +

3 1.8750E-07 TERRE e ESR30 e PIR2 +

4 1.8000E-07 TEF)RE e ESFP e PIR2

A.5.10.2 Discussion

The main differences between BNL and the OPRA come from the following:

a) In the OPRA a loss of all ac power for longer than two hours was assumed for sequences with loss of the steam-driven EFW pump (IST-197), and a 30-min time is used in this review. Note that it is stated in the OPRA that getting any source of feedwater after 30 min of loss of feedwater is ineffective. Also, in response to BNL questions, DPC agreed that a 30-min time period should be used.

b) In the OPRA the failure of the SSF power system (RESSFP), which must be used in the event of a blackout, was not considered.

c) In the BNL review, the probability of failure to transfer the EFW suction from the UST to the hotwell was increased for the case of a blackout.

A.5.10.3 Containment-Safeguard State

. Failure of RBCS and RBSS.

A.5.11 Other Sequences in BIN III

These sequences, which do not belong to any of the sequence types discussed above, were added by BNL and are described below:

1. T7*EFUSTF*REFDW2*UTHPIH 1.3E-7/yr.
2. T7*OTHEREFWF*REFDW2*UTHPIH 7.9E-8/yr.

These sequences (event tree sequence TBU) are initiated by excessive feedwater (T7) with successful trip of the MFW pumps (success event does not appear in the sequence), followed by loss of EFW (EFUSTF or other failures OTHEREFWF), failure to recover feedwater (REFDW2), and failure to initiate HPI cooling (UTHPIH). These sequences are similar to sequences in types A and B.

3. T10*CPT10I*YBRSH*XHPR2H 1.3E-7/yr.


This sequence (event tree sequence TBIJYLX) is initiated by a large feedwater break (T10) inside containment (CPT10I); feedwater is lost, and HPI cooling is successful. The RBSS is initiated and the operators fail to terminate its operation (YBRSH). After depletion of BWST in about two hours, the operators fail to initiate PR (XHPR2H).

A.5.12 Summary of Bin III Sequences

The BNL core damage frequency for this bin was calculated to be equal to 5.6E-5/yr (vs 2.7E-5/yr in the OPRA). This difference is primarily due to the time available for recovery of instrument air (sequence type F); the BNL review used one hour and the OPRA used two to six hours.

A.6 BIN IV SEQUENCE DESCRIPTIONS

These sequences involve a transient followed by failure of all feedwater for 6 or 12 hours. HPI cooling is successful and long-term recovery of feedwater fails, requiring HPR to be initiated; failure of HPR results in core damage.

A.6.1 Bin IV, Sequence Type A, Event Tree Sequence TBUYWLX

These sequences are initiated by loss of instrument air, as an initiating event or due to LOOP, with failure to recover the instrument air for about six hours (REIA6). EFW is lost because of failure of the steam-driven pump or failure to transfer suction to the hotwell (IST-197 or TREFWSUC). HPI cooling is successful initially, but fails in about six hours because of pump room flooding (LWD 99103VVH). If the SSF fails to provide seal injection and feedwater to the secondary side within 30 min of the loss of HPI, core damage will result.

A.6.1.1 Minimum Cut Sets Listing - BNL CD frequency: 1.3E-7/yr; OPRA CD frequency: 3.2E-8/yr

BIN4A =

l 1 7.5600E-08 Ue99103WH e T6 e TEFWSJC e ESSFE!W30 e EIA6 +

2 4.6167E-08 UG99103WH e T6

  • IST-197 e ESSFSIW30 e EIA6 +

3 1.0000E-08 OTHERBIN4A

A.6.1.2 Discussion

The differences between BNL and the OPRA are explained below:

a) BNL uses a time of six hours for recovery of air because the HPI will be lost at that time, and feedwater and makeup from the SSF must be initiated within about 30 min after loss of HPI (see also OPRA, page D-27, Section D.2.6.1); the OPRA used 12 hours.


b) The failure of the SSF (RESSFSIW30) used in the OPRA (0.2) is not correct because this is true only for a blackout. BNL uses a value equal to 0.1, which is the correct value for the sequences in this class.

Note that the sequences appearing in the OPRA are, in this review, part of the other sequences in Bin IV A (OTHERBIN4A).

A.6.1.3 Containment-Safeguard State

. Failure of RBSS.

A.6.2 Bin IV, Sequence Type B, Event Tree Sequence TBUYWLX

These sequences are initiated by a loss of air, as an initiating event (T6), or failure of LOOP (T5SUBF, T5FEEDF) with failure to recover the instrument air for 12 hours. The EFW is lost because of failure of the steam-driven pump or failure to transfer suction to the hotwell (IST-196, TREFWSUC). HPI cooling is successful, but high pressure recirculation fails because of excessive SW to the LPI coolers (SWEXCESS) due to loss of air (see Section A.2.1.2), eliminating the availability of high pressure recirculation (failure of LPI coolers). The SSF fails to provide seal injection and feedwater to the secondary side (RESSFSIW30), and core damage will result.

A.6.2.1 Minimum Cut Sets Listing - BNL CD frequency: 2.3E-7/yr; OPRA CD frequency: 1.6E-7/yr

BIN4B =

1 7.5600E-08 T6

  • TPEUSUC e SWEICESS t RESSFSIW30
  • REIA12 +

2 4.8000E-0G TREFWSUC e 75S' J BF e SWEICESS e ESSFSIW30

  • RESUBAIR12 +

3 4.6368E-08 T6

  • IST-197 e SWEICESS e ESSF31W30
  • REIA12 +

4 2.9440E-08 IST-197 e T5SUBF e SWEICESS

  • RESSFS!W30
  • RESUBAIR12 +

5 3.0000E-08 OTHERBIN4B

A.6.2.2 Discussion

The main differences between BNL and the OPRA are:

a) BNL added the excessive service water to the LPI coolers (SWEXCESS) as a failure of the HPR.

b) BNL correctly used the failure of the SSF to provide makeup and feedwater; the OPRA includes the failure of the SSF power (RESSFP), which should be used only for a blackout.

c) The OPRA used the wrong probability for operator failure to initiate recirculation in 12 hours (XHPR12H = 3.0E-3 instead of 3.0E-4).


Note that Items b) and c) explain why the OPRA cut sets (with correct values) appear in this review as part of others (OTHERBIN4B).

A.6.3 Summary of Bin IV Sequences

The main difference between the core damage in this review (3.6E-7/yr) and that in the OPRA (1.9E-7/yr) is due to inclusion of excessive service water as a failure of the HPR.

A.7 BIN V SEQUENCE DESCRIPTION

These sequences are all large-break LOCAs that result in core damage due to failure of injection.

A.7.1 Bin V, Sequence Type A, Event Tree Sequence AU

This sequence is due to the failure of the reactor vessel, which causes the failure of mitigation. This review is in agreement with the OPRA.

1.1E-6 RPVRUPTURE

A.7.2 Bin V, Sequence Type B, Event Tree Sequence AU

These sequences are characterized by a large-break LOCA initiator, with failure of the LPI injection due to hardware or operator error.

A.7.2.1 Minimum Cut Sets Listing - BNL CD frequency: 4.3E-7/yr; OPRA CD frequency: 3.6E-7/yr

BIN5B =

1 9.3000E-08 A

  • LPAIN +

[10) 2 9.3000E-08 LP40WH + LP4142Vhl

  • A +

3 8.3000E-08 DTHERBIN5B +

(7,27) 4 4.4640E-08 IST-186

  • A +

[15] 5 3.9252E-08 A

  • 157-236
  • 157-239 +

6 1.8135E-08 A

  • IST-239 + IST-241 +

7 1.8135E-08 A

  • IST-236

(231 8 1.8135E-08 IST-244

  • LP12NCt
  • A
  • IST-236 +

[24) 9 1.8135E-08 IST-245

  • LP14N Of e A
  • IST-239 l

A.7.2.2 Discussion

The main difference between this review and the OPRA is the inclusion of MCS No. 1, i.e., operator fails the LPI system (LPABH) because of misdiagnosis (see OPRA, Appendix A, pages A2-17 and A2-52). The OPRA misses this sequence, which is part of their LPI fault tree (Figure A2-2 in the OPRA).


A.7.2.3 Containment-Safeguard State

. Failure of RBSS in about 20% of the total sequence type frequency.

A.7.3 Summary of Bin V Sequences

There is essentially no difference between the bin V core damage frequency in this review (1.5E-6/yr) and that of the OPRA (1.5E-6/yr).

A.8 BIN VI SEQUENCE DESCRIPTIONS

The sequences in this bin are characterized by a large-break-LOCA initiator with successful injection but with failures in the recirculation phase.

A.8.1 Bin VI, Sequence Type A, Event Tree Sequence AUXA

Large-LOCA-initiating event (A) and successful injection, but high flow develops during recirculation in the low pressure recirculation (LPFLOWH) and either the operators fail to throttle, or the power to the valves is lost, or the valves fail to operate (P23XLF, P63XLF, LP12MVC*LP14MVC), resulting in pump initiation and failure.

A.8.1.1 Minimum Cut Sets Listing - BNL CD frequency: 3.6E-6/yr; OPRA CD frequency: 3.3E-6/yr

BIN 5A =

[1] 1 2.7900E-06 A

  • LPFl M e LPTHRO ULE +

C41 2 6.6030E-07 A

  • LPFL M
  • P231LF +

[6] 3 9.3000E-06 A

  • LPR.m e p63ILF +

I21) 4 3.8093E-08 A

  • LPFLM
  • LP14NYC
  • LP12!NC

A.8.1.2 Discussion

The only difference between this review and the OPRA comes from the probability of failure of components included in P23XLF and P63XLF.
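The Bin VI, type A listing can be cross-checked against the basic-event values in Table A.1. The following is an added example, not code from the BNL review or the OPRA: it multiplies the events in each cut set, sums the products with the rare-event approximation, and flags any listed frequency that disagrees with its product. The event values are this example's reading of the damaged Table A.1 scan, and all function names are hypothetical.

```python
import math

# Basic-event values as this example reads them from the Table A.1 scan.
# "A" is an initiator frequency (per year); the others are probabilities.
EVENTS = {
    "A": 9.3e-4,           # large LOCA initiator
    "LPFLOWH": 1.0,        # high flow (>4200 gpm) in A loop
    "LPTHROTTLE": 3.0e-3,  # operator fails to throttle flow
    "P23XLF": 7.1e-4,      # local failure of MCC (read as 7.1E-4)
    "P63XLF": 1.0e-4,      # local failure of MCC (read as 1.0E-4)
    "LP12MVC": 6.4e-3,     # MOV 3LP-12 fails to throttle closed
    "LP14MVC": 6.4e-3,     # MOV 3LP-14 fails to throttle closed
}

# (cut set number, events, frequency as it appears in the scanned listing)
LISTING = [
    (1, ("A", "LPFLOWH", "LPTHROTTLE"), 2.7900e-6),
    (2, ("A", "LPFLOWH", "P23XLF"), 6.6030e-7),
    (3, ("A", "LPFLOWH", "P63XLF"), 9.3000e-6),
    (4, ("A", "LPFLOWH", "LP14MVC", "LP12MVC"), 3.8093e-8),
]


def cut_set_frequency(events, values=EVENTS):
    """Frequency of one minimal cut set: product of its independent events."""
    return math.prod(values[name] for name in events)


def bin_frequency(cut_sets, values=EVENTS):
    """Rare-event approximation: the sum of the cut set frequencies.

    Valid here because every product is far below 1, so the overlap
    between cut sets is negligible.
    """
    return sum(cut_set_frequency(cs, values) for cs in cut_sets)


def audit(listing, values=EVENTS, rel_tol=1e-3):
    """Return (number, listed, computed) for rows whose listed frequency
    does not match the product of the basic events."""
    mismatches = []
    for number, events, listed in listing:
        computed = cut_set_frequency(events, values)
        if not math.isclose(listed, computed, rel_tol=rel_tol):
            mismatches.append((number, listed, computed))
    return mismatches


def round_sig(x, digits=2):
    """Round to the number of significant digits used in the report."""
    return float(f"{x:.{digits - 1}e}")


if __name__ == "__main__":
    for number, listed, computed in audit(LISTING):
        print(f"cut set {number}: listed {listed:.4e}, computed {computed:.4e}")
    total = bin_frequency([events for _, events, _ in LISTING])
    print(f"sum of computed cut sets: {total:.4e} (~{round_sig(total):.1e}/yr)")
```

Only cut set 3 is flagged: the product of its events is 9.3E-8, so the scanned "9.3000E-06" is inconsistent with both Table A.1 and the 3.6E-6/yr total, which the four computed products reproduce.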

A.8.1.3 Containment-Safeguard State

. Failure of RBSS in the recirculation mode if the LPI spare pump is not brought to operation.

A.8.2 Bin VI, Sequence Type B, Event Tree Sequence AUXA

Large LOCA initiator with successful injection but failure of the LPR due to failure of initiation or failures during the mission time.


A.8.2.1 Minimum Cut Sets Listing - BNL CD frequency: 4.8E-6/yr; OPRA CD frequency: 4.8E-6/yr

BIN6B =

[2] 1 4.6500E-06 A e IALPSI +

M 2 9.3000E-08 IST-250

  • IST-251
  • A +

[363 3 1.7707E-08 IST-173

  • IST-175
  • A +

A.8.2.2 Discussion There is no difference between BNL and the OPRA.

A.8.2.3 Containment-Safeguard State

. Failure of RBSS in all sequences and failure of RBCS and RBSS in Sequence 3.

A.8.3 Bin VI, Sequence Type C, Event Tree Sequence AUXA

Large-LOCA initiation with successful injection and failure of LPR due to pump room flooding (LWD 99103VVH) (drainage through valves LWD-99 and LWD-103), with failure of the operators to isolate this drainage (RESUMPMF) in time (about six hours).

[3] 5.6E-8 A*LWD 99103VVH*RESUMPMF

There is no difference between BNL and the OPRA, and for this sequence the RBSS is also failed.

A.8.4 Summary of Bin VI Sequences

The bin VI core damage in this review (8.5E-6/yr) is essentially the same as that in the OPRA (8.3E-6/yr).


[Figure A.1 OPRA event tree for transient-initiating events. Legend: NCM = no core melt; CM = core melt; TWS = transient without scram.]

[Figure A.2 OPRA event tree for small-break LOCA event.]

[Figure A.3 OPRA event tree for large-break LOCA events.]

[Figure A.4 OPRA event tree for SGTR initiating events.]


Table A.! Event Dessription Reference List A large LOCA initiator 9. 3E.4 CCW73VVT CCW.73 transfers closed 2.lf-6  ;

CCW87VVH CCW.h? lef t closed 8. 5E.4 CPilo! Feedvater-Itne break inside containment I. nt - i E ACCHAMOD Failure of E5 power supply to A .hannels 2.ff.3 E ACCHBMOD' Failure of E5 power supply to G channels 2. 0E . 3 EF5U3 Failure of startup steam supply from Unit 3 5.DF-1 EF5UH Operator isolates steam to 5/U header or loss of MFW without estahltshing alternative steam supply 1.0 tesuf ficient water in the UST 4. 6E. 4 EF tr5TF HP242;MvH MvYs D4P.24 and pip-25 lef t unavailable 5.nE -5 HP24MVH Operator f ails to open MOV JIP-24 1. DE.2 HP?aMVO Mtv 3HP-24 f alls to open on demand 6.4E . 3 HP25MVH Operator f ails to span M0V 3HP-25 1. 0E - 2 HP2%MVO Mov 34P-25 f ails to open on demand 6. 4E - 3 hiRCPH Operator f alls to trip RCPs on less of cooling flow I .0F- 2 H PSE GPM Segment P (v0V 3HP.24, sheck valve 3HP.IDI) in maintenance 2. 6E .4 ,

HPSEGOM 5egment 0 (MOV 3HP.25, check valve 3HP-102) in maintenance 2.6E.4 J MOV 3L P-l? f alls to throttle closad 6. 4E .3 i L Pl?MVC I Operator inadvertently throttles valve 3LP-32 closed F

3. DF - 3 l LPl2MWCH MOV 3LP-14 f atis throttle closed 6. 4E - 3 l L P14MVC Operator inadvertently throttles salve 3LP-14 cf ased 3. nE .3 l LP14MVCH Valve 3tP-40 lef t open 1, nE . 3 tP40VVH LP4142VVH Enth valves 3LP-41 and 3tP-42 lef t open 1. 0E - 1 LP60VWO Relief valve 3LP-60 f alls to open 8.nE 3 Operator inhtbits/ falls system 1. DE- 4 LPABM DHR suCiton flow fror the reactor vessel is unavailable 2. 00 - 2 L PDHR $HC L PFL OWH High flow (>4200 gpm) in A loop (large LOCA) 1.0 Operator falls to use LPI pump C given f atture of pumps A to B 1. nE .1 L P!PUNPC i

LPPPSTOPH Operator f alls to stop pump for SLOCA during LPI 8.0E 4 l 3,0E 3 1 3* LPTHROT1LE Operator falls to throttle flow for Large LOCA Drain valve not restored 6.0E 4

[a LWD 99103VVH One or more 5RVs f alls te close 4. nE - 2 rs: MSRVIC 5.0E 1 OBWSTH Failure to inttf ate 8WST refill in 12 hours Operator f ails to cool at SG pressure 3. nE . 3 OLTCH Failure of recovery power te I hour 1. 7E-5 PIR1 Failure of recovery power in 2 hours 7. 5E .6 PIR2

Table A.1 Continued PIRin Fallure of recovery power in in minutes 4. ?E.5 PIR 4 Failure of recovery power in 4 hours 1.lf.6 P 314PF local failure of primary snurre to 3RR 6.lf.4 P23XlF local f ailure of 708-V MCC 3rt 7. lf . 4 P73RDF Local f ailure of 20R-V MCC 3X0 7. !F - 4 P63rLF total fatture of 6nn-V MCC 3XL 1.f4 4 PF E ED1C AF Feed cable to 6DD-V MCC 3I52 f ail 5 6.0E.4 OI DWR Failure to recover feedwater in 10 min after loss of FW T.fE .1 DHP!H Operator f alls to throttle HPI (on overrooling transients) 5,eE.2 R Inttlator SG tube rupture R.6E.3 PC417 VCH PORV block valve lef t closed to inactivate PORV 8. 0f . !

RC6005VH Operator f alls to open PORV when needed for HPI cooling I. 0E - F RCSRVLC Elther SRV fails to close af ter Itquid relief 1. 0E- l RCSRVSC Elther SRV f alls to : lose after steem relief 9. 6E . 3 RECCR Fa11ure of open A0V JEC.8 locally following closure as a result of loss of IA 2. 0E.1 RECCW73 Failure of open valve 3CCW-73 localli 1.lE.1 RE DHR50C Falls to open LPI suction MOVs for DHR. given f ailure of rpmvte operation 1.ft .1 RE F DW1 Failure to recover iW in 30 min. one source available for recovery 5.(E .1 REFDW2 Failure to recover FW in 30 min.; two source available for recovery 3. nE - 1 REF EE DAIRI f ailure to recover of fsite power and reloed IA within I hr. of T5FIFrf initiated 1. 3F.7 REFEEDAIR90 Fallure to recover of fsite power and reload I A within 90 min. of T;FFEft initiated 2. SF.2 RTF EE DAIRl2 Failure to recover of fsite power and reinad IA within 12 hrt, of T5f f EDF initiated 1. ?[ . 3 RE HPPPC5 Failure to operator tn protect standby NPI pumps by allowing them to remain idle when suction unavaileSle 5. nF .?

REIAl Failure to recover I A in I bour 5. DF - 1 REIA90 Failure to recover 14 in 90 minutes 4. 0E - 1 REIA? Failure to recover I A in ? hours 3.0E.1 RE1A6 Failure to recover IA in 6 hours 1. 0E.2 REIAlt f ailure to recover I A in 12 hours 7. 4E . 3

[* RELP016 Failure to recover the suction of RHR p1mps 1. 0E .1 to RESSFP Failure to initiate SSF due to f ailure of hardware (sequences involving blackout) 9. bf.?

La RE55F51 Failure to initiate SSF seal injection in 30 min, following a loss of seal injection 1. nf .I RE55F W12 Failure to initiate FW from SSF within !? hours 3. 5E . 3 RE 55FW30 Failure to f eitiate FW from 55F within 30 minutes 1.(11 RESURAIRI Failure to recover offsite power and reload IA in I hour af ter substation failed 2.4E.?

R E SHR AIR 90 Failure to recover of fstte power and reload IA in 99 minutes af ter substation failed 7. 5E .2 e

Table A.1 Continued RE5tEAIR2 Failure to recover of f site powr and reloa t I A in 2 hours af ter substation f ailed RE51BAIR12 Failure to recoger of fsite power and reload IA in 12 hours after substation f ailed 4.T-3 RE5tM MF Failure to find and isolate leakage from sump via LWD 99 and 103 before HPI pump flooded I .ff -!

RESW12 Failure to recover LP5W f rom Units 1 anet 2 1.at -2 RE5W13 Failure to open valve CCW-73 locally 1.1E I RE5W7R Failure to open valve SW-78 locally 5.f1E - 2 RE WLPI failure to recover failures that lead to isolation of LP5W to L'I cooler 2.0E 1 RE5W108 Failure to open valve SW108 IcCa11y 1.1E-1 RPVRtIPTIIRE RPV rupture 1.lf-6 SL OC A initiator: small LOCA 3.ff - 3 SW13AAVO AW-eperated valve LP5W-13R f alls to open 3. 5E - 3 SW10PVVT Valve transfer to close F.lf-6 SW3BPP5H Operator falls to start pump 9 8. fE- 3 5W52TVVH Valve LP5W-521 lef t closed 8.;T - 4 SW6Df Fat tures of valves LP5W.IFF and LP5W-lF9 3. 5E - 4

%W 7 7 XMH Valves LPW-17 and FM lef t in wrong position 3.f4 - 3 SWC89VVH Manual valve CEW-P9 left closed by operator ' 8.0E - 4 SWIFCCH Manual valves LPsW-513 and 518 inadvertently overthrottled 2.f4 -4 SWE rCE 55 Failure of HPR due to encess flow in LPI coolers 1.f4 -2 SWE NC E 5ttPR Failure of LPR given excess flow in LPI coolers I. ft - 1 SWH247 Failure of automattC HP5W haChup to LP5W for PDI tooling 1.PE - 2 SWPAR Percent of time LP5W pimp A is the operating pump 5.ft - 1 StPHPI Fatture of HPI due to hardware frilure 1. 5E -4 5 *4F W Failure of MFM due to hardware f ailure 6 f1I-2 T The sin of intators emcept loss feedwater 5.7 Tl Initiator: Reactor / Turbine Trip 4.9 T2 Initiator: Total loss of main feedwater 5.0E-!

T3 initiator: Partial loss of main feedwater 0.69 T4 Initiator: Loss of Condenser vacuum 2. l E - 1 y T55tBF Initiator: Failure of offstte power at the substation 8J1E -2 e T5FEEDF Initiator: Failure of electrfcal geld or main feeders W T6 Initiator: Loss of instriment atr 4 ft-2

  1. 0.21 TT Initiator: Excessive feedwater 9.FE - 2 T8 Initiator: ' curious engineered-safeguards signal I . f1I - 2 T9 Initiator: Steamline break 5. 3E - 2 fin ' Initiator: Feecline break 9.M - 2

Table A.1 Continued Til Initiator: Loss of ICS power bus K1 5.nE.7 Tl? Initiator: loss of service water 4. 9F . 3 11?A Loss 6f LP5W (initiator) . Pump A f ats and operato, falls *o start Eump B 1. 7E - 3 Tl ?C toss of LP!W { initiator) . Suction failures 1. 9f . 3 Il?D Loss LPSW (initiator) - f ailure of valve LPSW.10R 6.5E.4 it ?E Loss LP5W (initiator) . f ailure of valve 0(W.73 6. 5E - 4 113 Initiator: Spurious low.pressurtier-pressure signal 4.aE.2 T14 Initiator: Loss of power to bus 3TC 5. af . 3 TRE FW5 TIC Oberator f ailure to transfer EFW suction from UST to hotwell 1. 5E.1 TR E F WSliCM Same as above for blackout situations  ?. 5E .1 UTHP!H OP erator f alls to attempt HPI cooling (feed and bleed) ' l DE.2 V5LOCA Initiator: very small LDCA 3.nE.3 1AL PRN Operator f alls to attempt LPR in 30 minutes 5. 0E.3 NH PR?H Operator f alls to attempt HPR in ? hours 3. DE . 3 NHPRIPH (Verator f alls to atterf t HP9 in 12 hours 3.0E . 4 XHPL PRI ?H Operator f ails to attempt L PR-HPR in !? t.ourg 3.n[.4 NOLP1034H Operator f alls to open LP.tDa and LP.104 1. nf . I NROHRH Failure to 9ttempt cocidown 3.(14 XRRCPH Operator f alls to restart RCPS 1. n[.2 YBR$H (perator f ails to stop RR spray in 30 minutes given RBCS is operating 5.nE.1 IST.3 Loss of Instrianent air during mission time 7. lE.4 A!4Pl;F AI APILF AltPIL10F AIAACVVT IST.171 ho ' low through LPI cooler A 1.?E 2 SW14MVO SW11VVH 3> SW4C54VT 8

3W435AVH kN (R hers

Table A.1 Continue <l 1%T-172 h SW flow f rom LPSW header A to HPI pump cooling jaChet I. II-5 SWl48CVT 5W147VVT SW347VVT SW347FLF IST-113 Fal. lure of LPSW pep Train A 6.7E.4 SW 3APrit Others IST-174 No flow through LPI cooler B 1.2E-2 SWOSMVO SW12VVH SW404AVT SW404AVH Ot hers iST.175 Failure of LPSW pum Train B 2. M - 3 SW3RPPSH 8.M . 3 SW3BF PH 1.4f-2 SW 3RPPBM

3. M . 3 SW 38PFM 1. 6E. 3 Ot hers I. 7E. 3 lil-175A Same as IST 175 without SW3BPPSM 2.M.2 151-176 No cooling flow through EF pep A 1. lE - 2 SW517VvH 6.X-3 SW516AVO 3. 5E .3 SW500WH 8.M - 4 Ot hers 2. M -4 IST.177 No coo?fng flow through EF pump R I.1[-2 SW526VVH 6. 3E.3 SW525AVO 3.5E-3 2 SW518VVH 8. M . 4 8

Other

$ IST-IR6 LP29VVT LPI loss suction

2. RE - 4
4. 7E- 5 T.5E-6 L P2RVVC H 2. M - 5 Others 1.2E 5

Table A.] Continued 157-191 The inlet of SG3A blocked 4. 4f. 3 EF2005VF 2.4E . 3 EF 315AVO 1. 6E .3 Ot hers 0. 4E. 4 IST-192 The inlet of SG3R bloc,ked 4.4E.3 EF 2015Vf 2. 4E. 3 EF 316Av0 1.6E. 3 Others 4.4E .3 IST-197 TD pump fatis to start or run 9.2E.2 EFIDPPS 3. W .2 EFIDPPR 2.4E.2 EFTOPPIM 1. 0E .2 SW137MVO 6.4E.3 EFIDPfM 5.2E . 3 Others 8.0E.3 15T-198 MD EFW pwt loss suction from UST 4.M.4 CW573VVH 1.0E.4

1. 0E.4  ;

CW166VVH CW180VVH 1.0E .4 i CW572CVO I.f1E . 4 ,

15T-199 M3 ETW pump loss suction from UST 1.0E.3 i CW15frVM j.M.3 CW158MvT 4. 3E.5 IST-207 TD EFW pino loss steam supply f rom SG3A & 31 4.M .3 M587AVO 1.6E.3 M5P6VVH . 1.f1E .3 M590VVH 1.0E 3 MSR9VVH 1.0E . 3 M59tCv0 8. 7E.5 I 3 1ST.236 One of two LPI path blocned 6.5E.3 l e '

00 LPIRMVO 6.8E.3 N LPifMVMH . 1. 5E .4 15T-237 RHR suction path f ails t0 openrun 6.9E. 3 LPIMVO 6.4E.3 l

Othe* 5.4E 4

Table A.1 Continued IST-241 LPI pump 3 falls to start and run 3.0E-3 L PBPPS 1. 7E-3 L PBPPR 8.9E-4 LISPFNH 4. 5E -4 IST-243 LPI pump A falls to start and run 3.0E-3 L PAPPS 1. 7E-3 LPAPPR 8.9E-4 LPAPFHH 6.5E 4 IST-244 Operator falls ti reopen the discharge valve of LP pump train A afte* inadvertently closed 1.0E+0 LP12MV0H 1. 0E +0 LP12MVO 6.4E-3 IST-245 Operator f ails to reopen the discharge valve of LP ptop train B af ter inadvertently closed 1. 0E + 0 LP14MV0H 1.0E+0 LP14MVO 6.4E-3 IST-247 Failure to deliver fiow to HPI pump A suction due to valve closed dfring LPI-HPI mode 9.2E-3 LP15MVO 6. 4E- 3 LP15MVMH 1.8E-3 L P15MVH 1.M-3 IST-249 Failure to deliver flow to HPI pump B suction due to valve closed during LPI.HPI mode 9.?E-3 LP16MVO 6. 4E - 3 LP16MVMH 1.8E-3 L P16MVH 1.0E-3 IST-250 Failure of the suction of LPR train B 1. GE-2

> LP20MVO 6. 4E - 3 e LP20MVRH 3.OE-3

$ Others IST-255 Tm or more MSRVs open and fall to reclose or turbine f ails to trip 1.0E-3 8.0E-3 MSRVC 3.0E - 3 MSTTF 5.0E-3 14007  !CS f ailure causing loss of MFW (gate in ICS FT) 1.M -2 LP190HRH 5.0E-3 LP30DHRH 5.0E-3

APPENDIX B BNL REVIEW OF SEQUENCES INVOLVING ANTICIPATED TRANSIENTS WITHOUT SCRAM (ATWS)

B.1 INTRODUCTION

This appendix summarizes the results of the BNL review of the OPRA sequences involving anticipated transients without scram (ATWS). The OPRA presents only a scoping analysis of these accident sequences, and because of this the BNL review is also comparable to the analysis presented in the OPRA. The development of the ATWS accident sequences was discussed in Section 3 of this report, and the data used for quantification of these accident sequences will be discussed in this appendix. The order of the sequences appearing in this appendix is the same as that present in the OPRA, to provide an easy comparison.

Basically, this review agrees with the qualitative construction of the ATWS event trees (reproduced here in Figures B.1 through B.4). However, differences exist in the quantification. The main differences are the following:

1. The OPRA initiator frequencies for ATWS do not take into consideration the power level, and this review considers only the fraction of transients in which the power level exceeds 25% (see Section 4). This difference results in a decrease in core damage frequency in this review.

2. In its evaluation of the probability of the PORV to open, the OPRA fails to consider that the PORV block valve in Oconee-3 has been closed for about 80% of the time the plant is in operation. Since this affects the pressure spike, which is also dependent upon the reactivity coefficients and power levels at the time of the ATWS event, this review assumes that for 20% of the time during an equilibrium cycle, the failure of the PORV to open may result in a peak pressure higher than 3900 psig; due to the impact of this assumption on ATWS core damage frequency a sensitivity analysis on this parameter is performed. This difference between the OPRA and this review results in an increase in the core damage frequency for ATWS.

3. The OPRA makes a mistake when evaluating sequences 14 and 15 of Figure E-1 in Appendix E of the OPRA. A value of 0.1 is used for the top events "Borated Water" and "Long-term Cooling" (instead of 1.0E-3 as used in all equivalent sequences in the other event trees, and as discussed in the OPRA Appendix E). Correction of this error would bring down the total ATWS core damage in the OPRA from 6.0E-6/yr to about 3.6E-6/yr. In this review, a different probability is used for this event, as will be discussed below.

A detailed list of the ATWS sequences obtained in this review is given below. For each core damage bin, the most important sequences are presented with a short discussion, where differences between this review and the OPRA (Appendix D4 of OPRA) are presented. Note that in the quantification of the sequences presented below it is assumed that, for 20% of an equilibrium cycle, the failure of the PORV to open (because of valve failure or because the block valve is closed) creates a peak pressure greater than 3900 psig, i.e., the pressure at which B&W analysis (BAW-1600) indicates that some deformation of valves may occur. A sensitivity analysis to the value of this parameter is presented in a later subsection of this appendix.

B.2 BIN I ATWS SEQUENCES - BNL CD FREQUENCY: 1.2E-8/YR OPRA CD FREQUENCY: 1.8E-8/YR

All sequences of this type involve an initiating event with failure to scram, followed by a small LOCA due to a stuck-open SRV with failure of boration. One sequence dominates this class:

ATWS sequence number 6 = 1.0E-8/yr (OPRA = 1.5E-8/yr).

The small difference between BNL and the OPRA is due to the frequency of initiating events (4.8/yr in this review vs 5.7/yr in the OPRA), and to the success state of the "primary relief" function. In the OPRA, a probability of 2.0E-2 is used for the failure of the function "primary relief," which includes the failure of the PORV (1.0E-2/d) or any SRV to open (1.0E-2). This review takes into consideration the actual time that the PORV block valve is closed during operation (80%) and it is assumed that, for 20% of an equilibrium cycle, the failure of the PORV to open, or of any SRV to open at any time, is a failure of the function "primary relief." Thus, the failure of the function "primary relief" is given by

    Percent of time that the failure of the PORV to open causes a peak pressure greater than 3,900 (base case: 20%)
    * [Fraction of the time PORV block valve is closed (0.8) + Failure of PORV to open (1.0E-2)]
    + Failure of any SRV to open (1.0E-2)
    = 1.7E-1/d.

B.3 BIN II ATWS SEQUENCES - BNL CD FREQUENCY: 1.2E-8/YR OPRA CD FREQUENCY: 1.8E-8/YR

All sequences in this bin involve a transient initiator with failure to scram, followed by a small LOCA due to a stuck-open SRV with successful boration, but failure of long-term cooling. One sequence dominates this bin:

ATWS sequence number 5: 1.0E-8/yr (OPRA = 1.5E-8/yr).

The small difference between BNL and the OPRA is due to the same factors as explained in the previous subsection.

B.4 BIN III ATWS SEQUENCES - BNL CD FREQUENCY: 6.9E-7/YR OPRA CD FREQUENCY: 2.8E-6/YR

All sequences in this bin involve a transient with failure to scram, followed by a failure to inject borated water, with successful heat removal through the SGs. The following are the dominant accident sequences:

ATWS sequence number 15 = 1.9E-7/yr (OPRA = 1.3E-6/yr).

ATWS sequence number 61 = 1.7E-7/yr (OPRA = 1.7E-8/yr).

ATWS sequence number 3 = 9.3E-8/yr (OPRA = 1.3E-7/yr).

ATWS sequence number 2 = 9.3E-8/yr (OPRA = 1.3E-7/yr).

ATWS sequence number 46 = 6.6E-8/yr (OPRA = 4.8E-9/yr).

The OPRA also presents as one of the dominant sequences the ATWS sequence number 14 with a frequency of 1.2E-6/yr.

The main differences between the BNL review and the OPRA are the following:

1. For ATWS sequence numbers 14 and 15, the OPRA uses the wrong value for the failure to inject borated water and failure of long-term cooling. The value of 0.1, which in the OPRA is correct for the cases where a severe overpressure exists (peak pressure >3900 psig), is used instead of 10^-3, which is used in the OPRA for cases in which the peak pressure is less than 3500 psig. In this review, for the cases in which the peak pressure is about 3500 psig and the EFW is supplying feedwater for the SGs, a value equal to 2.0E-2 is used (mainly operator failure to provide boration). For the case where the MFW is in operation, this review uses the same value as the OPRA (10^-3).

2. The frequency of the initiating events used for ATWS in the OPRA is bigger than that used in this review, as discussed before (details are given in Section 4 of this report).

3. The failure of the "primary relief" function in the OPRA (2.0E-2) is much smaller than that used in this review (see Subsection B.2).

In conclusion, the most important difference between the CD frequency calculated in this review and that in the OPRA is due to item 1 above, i.e., due to an error in the OPRA. If correct values had been used for failure to inject borated water, the OPRA CD frequency for this bin would be equal to 3.3E-7/yr; this value is smaller than that obtained in this review.

B.5 BIN V ATWS SEQUENCES - BNL CD FREQUENCY: 3.6E-6/YR OPRA CD FREQUENCY: 1.7E-6/YR

These sequences, which involve a transient with failure to scram, are characterized by a large primary-system pressure, which may exceed 3900 psig, due to: a) moderator temperature coefficient larger than the 95% value, or b) failure of primary relief, i.e., failure of the PORV or any of the SRVs to open, or c) failure of the MFW and partial failure of the EFW system (failure of the steam-driven pump or failure of one motor-driven pump). In all these sequences, a resulting primary-system rupture is postulated. Following the primary-system break, the failure of injection of borated water occurs, resulting in core damage. For all these sequences, a probability equal to 0.1 is used for failure of injection because of possible deformations in valves (this value is given by the OPRA, and was accepted in this review). It is important to point out that B&W analysis indicates that no deformation will occur at about 3900 psig. The following are the dominant accident sequences for this bin:

ATWS sequence number 9 = 2.1E-6/yr (OPRA = 3.1E-7/yr).

ATWS sequence number 12 = 5.2E-7/yr (OPRA = 6.2E-7/yr).

ATWS sequence number 21 = 2.1E-7/yr (OPRA = 3.1E-8/yr).

ATWS sequence number 67 = 1.9E-7/yr (OPRA = 3.8E-3/yr).

ATWS sequence number 27 = 1.4E-7/yr (OPRA = 1.4E-7/yr).

ATWS sequence number 73 = 1.3E-7/yr (OPRA = 2.1E-7/yr).

The main difference between this review and the OPRA comes from ATWS sequence number 9. This difference is caused by the probability used for failure of the function "primary relief." As discussed in Section B.1, the OPRA uses a value of 2.0E-2, while in this review a value of 0.17 is used. Note that, as discussed before, the value used in this review is subject to judgment and a sensitivity of total CD to this value will be provided in Section B.8.

B.6 BIN VI ATWS SEQUENCES - BNL CD FREQUENCY: 3.4E-6/YR OPRA CD FREQUENCY: 1.5E-6/YR

The sequences in this bin are very similar to the ones described in Section B.4 with the following differences: in this bin the injection of borated water is successful but the long-term cooling fails. The dominant accident sequences are:

ATWS sequence number 8 = 1.9E-6/yr (OPRA = 2.8E-7/yr).

ATWS sequence number 11 = 4.7E-7/yr (OPRA = 5.6E-7/yr).

ATWS sequence number 20 = 1.9E-7/yr (OPRA = 2.8E-8/yr).

ATWS sequence number 66 = 1.7E-7/yr (OPRA = 3.4E-8/yr).

ATWS sequence number 26 = 1.3E-7/yr (OPRA = 1.5E-7/yr).

ATWS sequence number 72 = 1.2E-7/yr (OPRA = 1.9E-7/yr).

The main difference between this review and the OPRA comes from sequence number 8 and, as in the previous section, it is caused by changes in the failure of the function "pressure relief."

B.7 SENSITIVITY ANALYSIS

As discussed in Section B.1 a sensitivity analysis to assess the effect of some parameters on ATWS CD frequency was performed, and the results are given below. The base case is that for which the CD frequency is given in the preceding sections; i.e., the total ATWS CD frequency is equal to 7.7E-6/yr for the base case.

B.7.1 Primary Relief Function

In the base case, it was assumed that Oconee-3 was operating with the PORV block valve closed for about 80% of the time the plant is in operation, and that for 20% of an equilibrium cycle the failure of the PORV to open may result in a peak pressure higher than 3900 psig. If this fraction of time is changed to 10% or 50%, the impact on the total ATWS core damage frequency (CD) is the following:

• Base Case (20%): CD = 7.7E-6/yr.

• 10%: CD = 5.4E-6/yr.

• 50%: CD = 1.5E-5/yr.

Note that, on the basis of the reactivity coefficients for an equilibrium cycle for Oconee-3, it is the judgment of the reviewer that the fraction of the time in which the peak pressure may be larger than 3900 psig will be smaller than that used in the base case (20%).
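The primary-relief expression of Section B.2 and the three sensitivity cases above can be checked numerically. The Python sketch below is an added example, not part of the BNL report: it evaluates the expression for each fraction and, as an assumption of this example only, treats the total ATWS CD frequency as linear in the primary-relief failure probability, fitting the 10% and 20% cases and extrapolating to the others. All function and variable names are hypothetical.

```python
"""Added example: primary-relief failure probability (Section B.2) and a
linearity check on the Section B.7.1 sensitivity cases."""

# Values quoted in the review text.
BLOCK_VALVE_CLOSED = 0.8      # fraction of operating time the PORV block valve is closed
PORV_FAILS_TO_OPEN = 1.0e-2   # per demand
SRV_FAILS_TO_OPEN = 1.0e-2    # any SRV fails to open, per demand

# Total ATWS core damage frequency (per year) reported in B.7.1, keyed by the
# fraction of the cycle in which a failed PORV gives a peak pressure > 3900 psig.
REPORTED_CD = {0.10: 5.4e-6, 0.20: 7.7e-6, 0.50: 1.5e-5}


def _check_probability(name, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {value!r}")


def primary_relief_failure(high_pressure_fraction, closed_fraction=BLOCK_VALVE_CLOSED):
    """Section B.2 expression, a rare-event sum exactly as written in the review."""
    _check_probability("high_pressure_fraction", high_pressure_fraction)
    _check_probability("closed_fraction", closed_fraction)
    porv_does_not_relieve = closed_fraction + PORV_FAILS_TO_OPEN
    return high_pressure_fraction * porv_does_not_relieve + SRV_FAILS_TO_OPEN


def opra_primary_relief_failure():
    """OPRA value: PORV fails to open or any SRV fails to open."""
    return PORV_FAILS_TO_OPEN + SRV_FAILS_TO_OPEN


def fit_line(fraction_a=0.10, fraction_b=0.20):
    """Intercept and slope of CD = a + b * p through two reported cases.

    Linearity in p is an assumption of this example, not a statement in the review.
    """
    p_a = primary_relief_failure(fraction_a)
    p_b = primary_relief_failure(fraction_b)
    slope = (REPORTED_CD[fraction_b] - REPORTED_CD[fraction_a]) / (p_b - p_a)
    intercept = REPORTED_CD[fraction_a] - slope * p_a
    return intercept, slope


def predict_cd(high_pressure_fraction, closed_fraction=BLOCK_VALVE_CLOSED):
    """Straight-line estimate of total ATWS CD frequency (per year)."""
    intercept, slope = fit_line()
    return intercept + slope * primary_relief_failure(high_pressure_fraction, closed_fraction)


def round_sig(value, digits=2):
    """Round to the number of significant figures used in the report."""
    return float(f"{value:.{digits - 1}e}")


if __name__ == "__main__":
    print(f"OPRA primary-relief failure: {opra_primary_relief_failure():.1e}")
    for fraction, reported in sorted(REPORTED_CD.items()):
        p = primary_relief_failure(fraction)
        print(f"fraction {fraction:.0%}: p = {p:.3f}, "
              f"linear CD = {predict_cd(fraction):.1e}/yr, reported = {reported:.1e}/yr")
    # Block valve never closed, base-case 20% fraction.
    print(f"block valve open: linear CD = {predict_cd(0.20, closed_fraction=0.0):.1e}/yr")
```

The line fitted through the 10% and 20% cases reproduces the reported 50% value (1.5E-5/yr) to two significant figures. With the block valve open at all times it gives about 3.2E-6/yr, against the "about 3.4E-6/yr" quoted in the summary of this appendix.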

B.7.2 Failure to Inject Borated Water (RCS peak pressure <3500 psig)

In the OPRA, a value of 10^-3 was used for the probability of failure to inject borated water for the cases in which the peak pressure will be smaller than 3500 psig. The same value used in the OPRA was used in this review for cases in which the MFW system remains on line, and a value of 2.0E-2 was used otherwise.

If for all the above cases a probability of failure equal to 5.0E-2 (a value used in the NRC ATWS task force analysis) is used, the total ATWS core damage frequency will change from 7.7E-6/yr to 1.5E-5/yr.

Note again that the values used in the base case are the more appropriate values in the opinion of the reviewer.

B.7.3 Failure to Inject Borated Water and Failure of Long-Term Cooling (RCS peak pressure >3900 psig)

In the OPRA, and in this review (base case), a value of 10^-1 was used for the probability of failure to inject borated water, or the failure of long-term cooling for cases in which the peak pressure may exceed 3900 psig and a LOCA will result. These values were used because of the probability of deformation of valves in the injection paths. If these values are changed from 0.1 to 0.2, the total core damage frequency will change from 7.7E-6/yr to about 1.5E-5/yr.

B.8 SUMMARY

The dominant ATWS accident sequences were presented in previous sections, together with a comparison with the OPRA; in Table B.1 of the BNL review, ATWS core damage frequency for each of the transient initiators and for each bin is given.

To summarize, the ATWS core damage frequency given in the OPRA is equal to 6.0E-6/yr; however, if this frequency is corrected to take into account an error in the probabilities given in sequences 14 and 15 of the event tree for ATWS turbine trip (OPRA, Appendix E, Figure E-1), the correct OPRA core damage frequency would be equal to about 3.6E-6/yr. This CD frequency is to be compared with the value of 7.7E-6/yr calculated in the base case of this review. Note that if the PORV block valve is open during all times the plant is in operation, as stated in a Nov 26, 1985 letter from H. B. Tucker (DPC) to H. R. Denton (NRC), the ATWS core damage frequency calculated in this review is equal to about 3.4E-6/yr.

A limited sensitivity analysis was also performed in this review (see Section B.7) and the resultant CD frequencies obtained vary from 5.4E-6/yr to 1.5E-5/yr.

To provide some perspective, the ATWS core damage frequencies obtained in PRAs performed for B&W plants are given below:

Crystal River - 5.0E-7/yr (RPS failure = 1.5E-5/d).

ANO - 2.8E-6/yr (RPS failure = 4.0E-6/d).

Oconee RSSMAP - 8.0E-6/yr (RPS failure = 2.6E-5/yr).

Midland - very small.

NRC Task Force Analysis - 8.0E-5/yr.

Note that since not all the above PRAs present separate results for ATWS, the above CD frequencies are based on the dominant sequences. Note also that the assumptions used to obtain the ATWS core damage frequency are different in all the above PRAs.

Table B.1 ATWS Core Damage Frequency in the BNL Review - Base Case - Total CD Frequency: 7.7E-6/yr

             TT         TE         TCV        TF
Bin I        1.1E-8     2.5E-10    3.6E-10    9.2E-10
Bin II       1.1E-8     2.5E-10    3.6E-10    9.2E-10
Bin III      3.9E-7     4.7E-8     6.9E-8     1.8E-7
Bin V        3.0E-6     1.4E-7     1.4E-7     3.7E-7
Bin VI       2.8E-6     9.0E-8     1.3E-7     3.4E-7
Total        6.2E-6     2.8E-7     3.4E-7     8.9E-7

TE - LOOP.

TCV - Loss of Condenser Vacuum.

TF - Loss of Main Feedwater.


[Figure B.1 Scoping event tree for turbine trip with failure to scram. Note: OK = no core melt or LOCA; OK(a) = relief valve LOCA with successful mitigation; OK(b) = pressure-boundary LOCA with successful mitigation.]

[Figure B.2 Scoping event tree for loss of offsite power with failure to scram. Note: OK = no core melt or LOCA; OK(a) = relief-valve LOCA with successful mitigation; OK(b) = pressure-boundary LOCA with successful mitigation.]

[Figure B.3 Scoping event tree for loss of condenser vacuum with failure to scram. Note: OK = no core melt or LOCA; OK(a) = relief-valve LOCA with successful mitigation; OK(b) = pressure-boundary LOCA with successful mitigation.]

[Figure B.4 Scoping event tree for loss of main feedwater with failure to scram. Note: OK = no core melt or LOCA; OK(a) = relief valve LOCA with successful mitigation; OK(b) = pressure boundary LOCA with successful mitigation.]

BIBLIOGRAPHIC DATA SHEET

NUREG/CR-4374, Vol. 1
BNL-NUREG-51917

A Review of the Oconee-3 Probabilistic Risk Assessment: Internal Events, Core Damage Frequency

January 1986

N. A. Hanan, D. Ilberg, D. Xue, R. G. Fitzpatrick, T-L. Chu

March 1986

Brookhaven National Laboratory
Upton, New York 11973

FIN A-3797

Division of Safety Review and Oversight
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

Technical

A review of the Oconee-3 Probabilistic Risk Assessment (OPRA) was conducted with the broad objective of evaluating the contribution of the internally-generated accidents to the frequency of core damage. The review included a technical assessment of the assumptions and methods used in the OPRA study. The BNL staff reevaluated the main results of the study within the scope and general methodological framework, including both qualitative and quantitative analyses of accident initiators, and accident sequences which result in core damage. The effect of uncertainties was considered throughout the review process, and the uncertainty bands for the core damage frequency were quantified.

Nuclear power plant; core damage frequency; Oconee Unit 3; reliability; Probabilistic Risk Assessment (PRA); operating experience

Unlimited

Unclassified

Unclassified