ML20195G968

Analyses Re Fort St Vrain DBA-2 Core Damage Frequency
Person / Time
Site: Fort Saint Vrain (Xcel Energy)
Issue date: 08/11/1987
From: Hurrell S, Minarick J
SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
Shared Package
ML20151M154 List:
References
NUDOCS 8801110119


Text

ANALYSES RELATED TO FORT SAINT VRAIN DBA-2 CORE DAMAGE FREQUENCY

Prepared By
Science Applications International Corporation
S. J. Hurrell
J. W. Minarick

Prepared For
Oak Ridge National Laboratory

August 11, 1987

1.0 INTRODUCTION

The Design Basis Depressurization Accident at Fort St. Vrain is characterized as Design Basis Accident No. 2 (DBA-2) in Section 14.11 of the Updated Final Safety Analysis Report (1). This accident consists of a sudden failure of both closures in a PCRV penetration so that the primary coolant system is rapidly depressurized and potential for air ingress is developed.

The Updated Final Safety Analysis Report (FSAR) estimates the probability of a DBA-2 at 1 x 10^-9/year and treats it as a hypothetical accident. Since the accident was treated as hypothetical, the failure rates for systems necessary to provide decay heat removal were never addressed.

Public Service of Colorado (PSC) estimates the DBA-2 frequency based on a British assessment of PWR steel pressure vessel integrity (2). Using a median failure rate of 1 x 10^-7 per vessel-year, the PSC calculation divides the vessel failure rate by the number of penetrations in a PWR vessel (100) to get a failure rate per penetration of 1 x 10^-9 per penetration-year.

The PSC calculation then multiplies this number by:

o The number of large penetrations in the Fort St. Vrain vessel (57), and
o A conditional probability (0.02) that given the primary closure fails the secondary closure fails.

The resulting frequency of DBA-2 is estimated at 1 x 10^-9 per year.

As part of this task, a literature review was completed to identify other sources of information regarding the failure rate for pre-stressed concrete reactor vessels (PCRVs). Two sources provided information pertinent to this task. A Nuclear Safety article compared pressure vessel failure statistics from a number of different studies (3). This article listed pressure vessel disruptive failure rates between 7.4 x 10^-4/year and 3 x 10^-6/year. These values are somewhat higher than the data used by PSC from WASH-1400. A German document (4) reviewed the GA AIPA study (5) on the HTGR-1160. An abstract of this document noted that "failure of large PCRV closures are significant and cannot, as in AIPA, be excluded". It should be noted that the AIPA study was conducted on an HTGR design with single penetration closures and a containment structure.

D. L. Moses (6) developed an alternate value for the frequency of DBA-2.

Moses' estimate multiplies a higher frequency of 4 x 10^-6 per reactor year for each penetration by:

o The number of large penetrations (60), and
o A conditional probability (0.1) that given the primary closure fails the secondary closure fails.

The resulting frequency estimate for DBA-2 is 3 x 10^-5 per reactor year.

Since reliable data regarding the failure rate of PCRVs was not available, this task performed a probabilistic risk analysis (PRA) of the plant's response to a rapid depressurization as described in Section 14.11 of the FSAR. This analysis permits evaluation of an upper bound for the PCRV failure rate based on an assumed acceptable core damage frequency for the DBA-2 initiator. Simplified estimates of offsite consequences are also provided in terms of upper bound PCRV failure rate.

2.0 DBA-2 ACCIDENT SEQUENCE FREQUENCY ESTIMATION

The mini-PRA examined the ability of plant systems to provide core cooling following a DBA-2. An event tree (Figure 1) was constructed to address plant response and addressed:

o If the penetration impacted involves a steam generator loop,
o If the operator trips the wrong steam generator loop,
o If a loss of offsite power occurs as a result of the plant trip.

The probability of a penetration rupture impacting a steam generator penetration is estimated from Table 1 at 0.22. The probability that the operator trips the wrong loop and fails to recognize and recover from this error is conservatively assumed to be 0.01. The operator should be able to tell shortly into the accident whether or not core cooling is taking place.

If core cooling is not taking place, the operator can take action to restore the correct loop. The likelihood of a loss of offsite power following trip was estimated to be 1E-3. All these estimates must be considered screening estimates, and are considered conservative considering the recovery time periods available.

In the event of a depressurization involving a steam generator penetration and an operator error in tripping the intact steam generator loop (with failure to recover from the error), it was assumed that without heat removal through the steam generators the core will exceed the temperature at which damage occurs. If the operator recovers from his error or the penetration failure does not impact a steam generator loop, the failure of plant systems to cool the core was ascertained by solution of the fault tree described in Attachment A for LOOP and non-LOOP situations.


TABLE 1. PCRV Penetrations

Penetration Type    Number    ID (in)    Leakage Area (in^2)    Leakage Rate (lb/sec)
Top Access               1         46                     59                      160
Refueling               37         19                     17                       51
Steam Generator         12         40                     52                      152
Circulator               4         40                     53                      155
Bottom Access            1         70                     87                      254
Total                   55

Given a penetration closure rupture, the probability that a steam generator loop would be impacted is 12/55 = 0.22.

Note: According to the FSAR, none of the penetration ruptures will cause the circulators to fail.


Note that, based on a review of the Fort St. Vrain design, it was concluded that a loss of offsite power (as an initiating event) would not appreciably increase the likelihood of a subsequent DBA-2 event. Because of this, event sequences initiated by LOOP were not included in this task. Event sequences associated with a LOOP resulting from the plant trip associated with the DBA-2 accident were addressed in the analysis.

3.0 DBA-2 FAULT TREE OVERVIEW

A fault tree (Attachment A) was developed to address two of the branches of the DBA-2 event tree (Figure 1), continued helium circulation and heat removal via SG loop. Because of the Fort St. Vrain design, these two branches are strongly coupled.

The top event evaluated in the fault tree in Attachment A is "loss of core cooling in loop A". Following a design basis depressurization accident (DBA-2), it is assumed that the operator would trip one of the two reactor coolant loops, and loop A was arbitrarily chosen for analysis.

Loss of core cooling in a loop will result from loss of heat removal from the loop's steam generator or from loss of helium recirculation in the loop.

The presence of a loop divider baffle in the lower plenum of the reactor vessel would prevent the operation of loop A's circulators with loop B's steam generators for successful heat removal.

Loss of heat removal from the steam generator in a loop will result if normal feedwater is lost and emergency feedwater is lost. Normal feedwater following DBA-2 is supplied from either one motor-driven boiler feed pump or from one of two turbine driven boiler feed pumps. It should be noted that the motor driven boiler feed pump is not diesel backed so that a loss of offsite power will result in unavailability of this pump. Technical specifications require that an auxiliary boiler or backup auxiliary boiler be on-line when the motor-driven boiler feed pump is out-of-service. Emergency feedwater may be supplied via:

o One of two firewater pumps (one motor and one diesel),
o One of two 60% capacity condensate pumps,
o Two of two 12.5% capacity condensate pumps, or
o Two of two auxiliary boiler feed pumps.

This feedwater is supplied through an emergency feedwater line directly to the steam generator. The 12.5% capacity condensate pumps are the only motor-driven pumps in this group which are diesel backed.

Loss of helium recirculation in a loop will result if both circulators in the loop fail to run on steam drive and if one of the two circulators fails to run on pelton-wheel drive. The primary cause for failure to power both circulators on steam drive is the loss of steam. Steam may be supplied from the bypass flash tank or from the auxiliary boilers. However, the auxiliary boilers must be fired and available within one hour after the initiator occurs, which is considered marginal. Failure to power both circulators on pelton wheel (water) drive can result from a circulator failure to start or run on water drive or from a failure of the nitrogen pressurization system to provide sufficient overpressure to prevent flashing of the feedwater as it hits the pelton wheel.

In order to power the circulators on pelton wheel following DBA-2, one of the boiler feed pumps must be available. Although other pumps may be used to turn the circulators under pressurized conditions, the pelton wheel must be turned at 8000 rpm following depressurization in order to provide heat removal. Only the boiler feed pumps have sufficient capacity to turn the pelton wheels at this velocity.

For non-LOOP situations, the fault tree was developed under the assumption that power was available. For LOOP situations, power was assumed available to diesel-powered equipment.

4.0 FAULT TREE SOLUTION

The fault tree characterized in Attachment A was solved for a number of different cases in order to determine the impact of alternate plant states and equipment unavailabilities on the DBA-2 accident.

Cases for which the DBA-2 fault tree was solved include:

Case A  Base Case Solution
Case B  Loss of Offsite Power
Case C  Circulators on Pelton Wheel Drive
Case D  Motor-Operated Boiler Feed Pump Unavailable
Case E  Auxiliary Boilers Unavailable

The fault tree solution yields the minimal cut sets for which the top event is satisfied along with a probability for each cut set and for all cut sets.

Case A. Base Case Solution

Case A addressed the plant with offsite power available and the motor-driven feed pump and auxiliary boiler assumed potentially available (not forced unavailable as in Cases D and E). Cut sets for this case (without consideration of event probabilities) are listed in Table 2.

For the probabilities actually employed in the analysis, the most probable cut sets for this case involve the loss of steam from the steam generator or from the bypass flash tank coupled with failure of the auxiliary boilers to provide steam and failure of the circulators to start on pelton wheel drive. The auxiliary boilers may fail due to mechanical problems or the boilers may be unavailable due to test and maintenance. This combination of events accounts for the eight most probable cut sets. The sum of minimum cut set probabilities was 3.1 x 10^-4.

TABLE 2. Base Case Solution Cut Sets

GNOTNK  IAUXMF  IBAUMF  JCIRAF
GNOTNK  IAUXMF  IBAUMF  JCIRBF
GNOSTM  IAUXMF  IBAUMF  JCIRAF
GNOSTM  IAUXMF  IBAUMF  JCIRBF
GNOSTM  IAUXMF  IBAUBT  JCIRBF
GNOTNK  IAUXMF  IBAUBT  JCIRAF
GNOTNK  IAUXMF  IBAUBT  JCIRBF
GNOSTM  IAUXMF  IBAUBT  JCIRAF

Note: Basic events are described and probability estimates provided in Attachment B. For the basic events described above, the following definitions apply:

GNOTNK  Bypass Flash Tank Failure
GNOSTM  No Steam Delivered from Steam Generator
IAUXMF  Auxiliary Boiler Mechanical Failure
IBAUMF  Backup Boiler Mechanical Failure
JCIRAF  Circulator A Fails to Start on Water Drive
JCIRBF  Circulator B Fails to Start on Water Drive

Case B. Loss of Offsite Power

Case B reflects plant response assuming a loss of offsite power (LOOP) following DBA-2. The two most probable cut sets for this case involved failure of the 12.5% condensate pumps to start and run coupled with failure of the diesel-driven fire water pump. The next six most probable cut sets involved combinations of these components because of failure or unavailability of the component due to test and maintenance. The sum of the minimum cut set probabilities for this case is 1.5 x 10^-3.

Three additional cases were developed to explore the impact of selected plant states on the estimated probability of core damage.

Case C. Circulators on Pelton Wheel Drive

Case C assumed the circulators were powered by pelton wheel and resulted in eight single cut sets including:

o Circulator Fails to Start on Water Drive (2 cut sets)
o Circulator Valves Fail to Open (2 cut sets)
o Nitrogen Supply Valves to Circulator Fail to Open (1 cut set)
o Circulator Fails to Run (2 cut sets)
o No Nitrogen Initially in Bottles (1 cut set)

The sum of the cut set probabilities for this case is 1.3 x 10^-1.

Case D. Motor-Operated Boiler Feed Pump Unavailable

The dominant cut sets for the case in which the motor-operated boiler feed pump was assumed unavailable are identical to those from the base case. So the contribution to the loss of core cooling from the motor-operated boiler feed pump is below the threshold of the truncation limit which was 1 x 10 .

Case E. Auxiliary Boilers Unavailable

In the case involving the assumed unavailability of both auxiliary boilers, the most probable cut sets involve double failures. The four most probable of these were the loss of the bypass or loss of steam from the steam generator coupled with failure of the circulators to start on water drive.

The next four most probable cut sets involved failure of the circulator valves to open. The sum of the cut set probabilities for this case is 2.8 x 10^-3.

As part of the solution process, importance calculations were performed to identify which basic events are the dominant contributors to the top event probability. For the base case solution, the dominant contributors in decreasing order of importance are:

o Failure of the auxiliary boiler
o Failure of the backup auxiliary boiler
o No steam delivered from the steam generator
o Circulators fail to start and run on water drive
o Bypass flash tank failure
o Backup auxiliary boiler unavailable due to test and maintenance

It should be noted that the probabilities used for basic events in the solution of the fault tree were screening values. Programmatic constraints prevented development of plant specific values for these probabilities. In order to further define the contributors to and the numeric value of the core damage frequency for the DBA-2 initiator, it is recommended that plant specific values be developed for basic events in the fault tree.

5.0 CORE DAMAGE FREQUENCY AND SIMPLIFIED CONSEQUENCE ESTIMATION

It was not possible to develop a reliable estimate for the DBA-2 initiator frequency as a part of this effort. In lieu of this, the frequency of core damage and assumed subsequent release was estimated using the conditional probability of core damage given the initiator developed from the event tree and fault tree described earlier.

Based on an assumed DBA-2 frequency A, the minimal cut set probabilities for the base and LOOP cases, and the branch probabilities identified on the event tree (Figure 1), a core damage frequency (excluding the undeveloped ATWS sequence) was calculated to be:

  A * (-1) * 0.001 * 0.01 (Seq. 1)
+ A * (-1) * 0.001 * 0.22 * (-1) * 1.5 x 10^-3 (Seq. 3, 4)
+ A * (-1) * 0.001 * 0.78 * 1.5 x 10^-3 (Seq. 6, 7)
+ A * (-1) * (-1) * 0.22 * 0.01 (Seq. 8)
+ A * (-1) * (-1) * 0.22 * (-1) * 3.1 x 10^-4 (Seq. 10, 11)
+ A * (-1) * (-1) * 0.78 * 3.1 x 10^-4 (Seq. 13, 14),

or 2.5 x 10^-3 A.

The core damage frequency for an assumed range of initiator frequencies is shown in Figure 2. As can be seen, for a core damage frequency of 10^-6/yr, a frequency for the DBA-2 initiator of 4 x 10^-4/yr is estimated. This value is consistent with the highest pressure vessel failure rate discussed in Reference 3. A DBA-2 initiator frequency of 3 x 10^-6/yr (the lowest pressure vessel failure rate identified in Reference 3) results in a core damage frequency estimate of 8 x 10^-9/yr.

[Figure 2: core damage frequency for an assumed range of DBA-2 initiator frequencies]

The dominant sequence (by an order of magnitude) is sequence 8, which involves a DBA-2 initiator associated with a steam generator penetration combined with an operator error in incorrectly identifying the correct loop to trip. If procedures exist which would substantially reduce the operator error probability assumed for this sequence (such that the sequence was no longer an important contributor to the core damage end state), then a value of 3 x 10^-3/yr for the DBA-2 initiator frequency would still result in an associated core damage frequency of 1 x 10^-6/yr.
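The event-tree arithmetic of this section, worked through as an added example that is not part of the original report. It assumes success branches are quantified as 1 - p, leaves out the undeveloped ATWS branch, and applies the 0.22 steam generator factor on both the LOOP and non-LOOP branches; all function and variable names are illustrative.

```python
"""Quantify the DBA-2 event tree from the branch values quoted in the report."""

# Branch probabilities and fault-tree results taken from the report text.
P_LOOP = 1e-3      # loss of offsite power following the plant trip
P_SG = 0.22        # rupture involves a steam generator penetration (12/55)
P_OP_ERR = 0.01    # operator trips the wrong loop and fails to recover
Q_COOL = {"LOOP": 1.5e-3, "no LOOP": 3.1e-4}  # cut-set sums, Cases B and A

# Path labels (hypothetical names chosen for this example).
OP_ERROR = "SG penetration, wrong loop tripped"
SG_COOL = "SG penetration, cooling systems fail"
OTHER_COOL = "other penetration, cooling systems fail"


def sequences():
    """Return {(power state, path): P(core damage path | DBA-2)}.

    Assumption of this example: each success branch carries 1 - p, and the
    same tree structure is used with and without offsite power.
    """
    seqs = {}
    for state, weight in (("LOOP", P_LOOP), ("no LOOP", 1.0 - P_LOOP)):
        q = Q_COOL[state]
        seqs[(state, OP_ERROR)] = weight * P_SG * P_OP_ERR
        seqs[(state, SG_COOL)] = weight * P_SG * (1.0 - P_OP_ERR) * q
        seqs[(state, OTHER_COOL)] = weight * (1.0 - P_SG) * q
    return seqs


def conditional_core_damage(credit_operator=False):
    """Sum the sequences; optionally drop the operator-error paths."""
    return sum(p for (_, path), p in sequences().items()
               if not (credit_operator and path == OP_ERROR))


def core_damage_frequency(initiator_per_year, credit_operator=False):
    """Core damage frequency (per year) for an assumed initiator frequency."""
    return initiator_per_year * conditional_core_damage(credit_operator)


def max_initiator_frequency(target_cdf_per_year, credit_operator=False):
    """Upper-bound initiator frequency that still meets a target CDF."""
    return target_cdf_per_year / conditional_core_damage(credit_operator)


def dominant_sequence():
    """Return the largest sequence and its share of the total."""
    seqs = sequences()
    key = max(seqs, key=seqs.get)
    return key, seqs[key] / sum(seqs.values())


if __name__ == "__main__":
    for (state, path), p in sorted(sequences().items(), key=lambda kv: -kv[1]):
        print(f"{p:9.2e}  {state:8s} {path}")
    print(f"P(core damage | DBA-2)      = {conditional_core_damage():.2e}")
    for lam in (4e-4, 3e-6):  # initiator frequencies discussed in the text
        print(f"CDF at initiator {lam:.0e}/yr = {core_damage_frequency(lam):.1e}/yr")
    bound = max_initiator_frequency(1e-6, credit_operator=True)
    print(f"Initiator bound for 1e-6/yr CDF with operator error removed: {bound:.1e}/yr")
```
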

Simplified estimates for offsite consequences were also developed. These utilized conservative FSAR Chapter 14 (1) release estimates in one case and modifications to these estimates reflecting current Ft. Saint Vrain performance in another. FSAR Table 14.11-1 provides estimated maximum hypothetical accident (MHA) doses as follows:

Total Duration Dose (rem)

Type of Dose              At Exclusion Area Boundary    At Low Population Zone Boundary
Whole body gamma (WBG)    2.5                           0.073
Thyroid                   5.0                           0.30
Bone                      0.075                         0.006

Using the range of values specified in Reference (3) for pressure vessel failure (7.4 x 10^-4 to 3 x 10^-6; these bound all other estimates described in Section 1.0), and the probability of core damage given pressure vessel failure developed earlier (2.5 x 10^-3), the following dose rates are estimated, assuming MHA doses.

Total Duration Dose Rate (rem/yr)

Type of Dose              At Exclusion Area Boundary     At Low Population Zone Boundary
Whole body gamma (WBG)    4.6x10^-6 - 1.9x10^-8          1.4x10^-7 - 5.5x10^-10
Thyroid                   9.2x10^-6 - 3.8x10^-8          5.6x10^-7 - 2.3x10^-9
Bone                      1.4x10^-7 - 5.6x10^-10         1.1x10^-8 - 4.5x10^-11

Consideration of actual fission product activities for Ft. Saint Vrain results in substantially lower dose rates. D. L. Moses (7) estimates whole body and thyroid doses to be a factor of 100 less than MHA doses, and bone doses a factor of 1000 less than MHA doses. Considering these factors, a pressure vessel failure frequency greater than 8 x 10^-5 would be required for any dose rate to be greater than 10^-8 rem/yr. This failure frequency is of the same order of magnitude as LWR reactor coolant piping and considerably greater than LWR pressure vessel failure frequencies utilized in contemporary PRAs.

Note that the above dose estimates are conservative in that factors usually addressed in a PRA, such as confinement performance and non-conservative dispersion models have not been utilized.

REFERENCES

1. Fort St. Vrain Nuclear Generating Station Updated Final Safety Analysis Report, Public Service of Colorado, Revision 4.
2. Letter from L. L. Parme to A. J. Kennedy, "Frequency of Large Leaks in FSV," Attachment to GP-2700, November 8, 1985.
3. Bush, S. H., "Reliability of Piping in Light-Water Reactors," Nuclear Safety, Vol. 7, No. 5, October 1976.
4. Kroeger, W., et al., Safety Study for High Temperature Reactors Under German Site Conditions, Juel-Spez-19, Kernforschungsanlage Juelich G.m.b.H., August 1978.
5. General Atomic Company, HTGR Accident Initiation and Progression Analysis Status Report, GA-A 15000, San Diego, CA, April 1978.
6. Personal communication between D. L. Moses and S. J. Hurrell. A summary of D. L. Moses' work can be found in the ORNL May 1986 monthly report to the NRC Office for Analysis and Evaluation of Operational Data.
7. Personal communication between D. L. Moses and J. W. Minarick, July 27, 1987.

ATTACHMENT A
FAULT TREE FOR LOSS OF CORE COOLING IN LOOP A (DBA-2 INITIATOR)

This attachment provides the fault tree developed to model failure to mitigate a DBA-2 initiator at Fort Saint Vrain. The fault tree was developed under the assumption that cooling was required in the 'A' loop following such an event.

References to other sections of the fault tree are shaded; the referenced gate is indicated below the shaded element. The top gate on each page of the fault tree is listed below, first in page order and then in gate identifier order.

In addition, the fault tree logic in tabular form can be found in Table A-1 on page A-25.

Fault Tree Top Gates Listed by Page Number

Gate       Title                                                      Page A-
LOSCOL     Loss of Core Cooling in Loop A                             3
GNFDFL     Loss of Normal Feedwater Flow                              4
HEFDFL     Loss of Emergency Feedwater Flow                           5
IFIRCS     Failure to Power One of Two Circulators (Steam)            6
JFCIRW     Failure to Power Two of Two Circulators (Water)            7
GMDBFP     Loss of Motor Driven Feed Pump                             8
GTDBFP     Loss of Turbine Driven Feed                                9
GLGCDP     Two of Two 60% Condensate Pumps Fail                       10
GSMCDP     One of Two 12.5% Condensate Pumps Fail                     11
HAUSUF     Pump Suction Source Fails                                  12
GAUXFP1    Auxiliary Boiler Feed Pump A Fails                         13
GAUXFP2    Auxiliary Boiler Feed Pump B Fails                         14
ICIRAS     Loss of Circulator A on Steam Power                        15
GLSTMH     150 psig Steam Header Fails to Supply Steam                16
JNITOP     Nitrogen Overpressure Unavailable                          17
JCIRAW     Loss of Circulator A on Water Drive                        18
GBFPSU     Loss of Boiler Feed Pump Suction                           19
GNSUCS     Loss of Suction Water Source                               20
IBFTFS     Bypass Flash Tank Fails to Provide Steam                   21
IAUBOF     Auxiliary Boiler Fails to Supply 150 psig Header           22
IBAUBF     Backup Auxiliary Boiler Fails to Supply 150 psig Header    23
GAUXFF     Boiler Feed Fails                                          24

Fault Tree Top Gates Listed by Gate Identifier

Gate       Title                                                      Page A-
GAUXFF     Boiler Feed Fails                                          24
GAUXFP1    Auxiliary Boiler Feed Pump A Fails                         13
GAUXFP2    Auxiliary Boiler Feed Pump B Fails                         14
GBFPSU     Loss of Boiler Feed Pump Suction                           19
GLGCDP     Two of Two 60% Condensate Pumps Fail                       10
GLSTMH     150 psig Steam Header Fails to Supply Steam                16
GMDBFP     Loss of Motor Driven Feed Pump                             8
GNFDFL     Loss of Normal Feedwater Flow                              4
GNSUCS     Loss of Suction Water Source                               20
GSMCDP     One of Two 12.5% Condensate Pumps Fail                     11
GTDBFP     Loss of Turbine Driven Feed                                9
HAUSUF     Pump Suction Source Fails                                  12
HEFDFL     Loss of Emergency Feedwater Flow                           5
IAUBOF     Auxiliary Boiler Fails to Supply 150 psig Header           22
IBAUBF     Backup Auxiliary Boiler Fails to Supply 150 psig Header    23
IBFTFS     Bypass Flash Tank Fails to Provide Steam                   21
ICIRAS     Loss of Circulator A on Steam Power                        15
IFIRCS     Failure to Power One of Two Circulators (Steam)            6
JCIRAW     Loss of Circulator A on Water Drive                        18
JFCIRW     Failure to Power Two of Two Circulators (Water)            7
JNITOP     Nitrogen Overpressure Unavailable                          17
LOSCOL     Loss of Core Cooling in Loop A                             3

[Fault tree diagrams, pages A-3 to A-24, one per top gate listed above]

TABLE A-1. Fault Tree Logic in Tabular Form

LOSCOL   +  LOHTRM LOHERC
JCIRAW   +  JLDWCA JCIRAF JCIRAV ICIRAF
JLDWCA   *  GMDBFP GTDBFP
JNITOP   +  JNICVF JNCOMP JNIBTT
JNCOMF   *  JNICPA JNICPB ZLOOP
HFWPUD   +  HDFWPF HDFWPT
HFWPUM   +  HMFWPF HMFWPT ZLOOP
HABFPF   +  HABFPS HAUSUF
HABFPS   +  HAUPAF HAUPBF HAUPAT HAUPBT ZLOOP
HAUSUF   *  GCSTFA GBFPSU
IFIRCS   *  ICIRAS ICIRBS
IBFTFS   +  GNOSTM GNOTNK
ICIRBS   +  ICIRBF GLSTMH ZWTRDRV
GLSTMH   +  IABOSF IBFTFS
IABOSF   +  IBABOF ZAUXBLR
IBABOF   *  IAUBOF IBAUBF
IAUBOF   +  GAUXFF IAUXMF IAUXBT
ICIRAS   +  ZWTRDRV ICIRAF GLSTMH
GATBFP   +  GTBFPA GTBPAT
JFCIRW   +  JBCIRW JNITOP
JBCIRW   +  JCIRAW JCIRBW
JCIRBW   +  JLDWCB JCIRBF JCIRBV ICIRBF
JLDWCB   *  GMDBFP GTDBFP
LOHTRM   *  GNFDFL HEFDFL
LOHERC   *  IFIRCS JFCIRW
GNFDFL   *  GMDBFP GTDBFP
GMDBFP   +  ZMTRBFP ZLOOP GBFPSU GMBFPF
GTDBFP   +  GABFPF GBFPSU
GABFPF   *  GATBFP GBTBFP
GBFPSU   *  GLGCDP GSMCDP
GBTBFP   +  GTBFPB GTBPBT
GSMCDP   +  GLSUCW GSMPUF
GLSUCW   *  GNSUCS GLOFTW
GSMPUF   +  GSMPAF GSMPBF
GSMPAF   +  GSMPUA GSMPAT
GSMPBF   +  GSMPUB GSMPBT
GLGCDP   +  GNSUCS ZLOOP GLGCPF
GNSUCS   *  GHTWLD GCTFMU
GCTFMU   +  GCSTFA GCTFHW
GLGCPF   *  GLGCPA GLGCPB
HEFDFL   *  HBFWPF GLGCDP GSMCDP HABFPF
HBFWPF   +  HFWPUF HCWPFA
HFWPUF   *  HFWPUD HFWPUM
IBAUBF   +  GAUXFF IBAUMF IBAUBT
GLOFTW   +  GNOSTM GLOFTK
GAUXFF   +  GAUXFP HAUSUF
GAUXFP   *  GAUXFP1 GAUXFP2
GAUXFP1  +  HAUPAF HAUPAT ZLOOP
GAUXFP2  +  HAUPBF HAUPBT ZLOOP
JNCOMP   *  JNCOMF JNIBOT

A-25

ATTACHMENT B
BASIC EVENT PROBABILITY ESTIMATES

Table B-1 lists the probability values utilized in the fault tree model. All values are screening values and were developed from plant-specific information. This is followed by notes which provide assumptions utilized in developing the failure probabilities.

TABLE B-1. Basic Event Probability Estimates

Basic Event Notes

1. Condensate Storage Tanks Fail to Deliver Flow (GCSTFA). Failure of the condensate storage tanks to deliver flow over an assumed mission time of 24 hrs is considered low. A value of IE-5 has been utilized in the analysis.
2. Condensate Storage Tank to Hotwell Makeup Fails (GCTFHW). This probability is assumed dominated by valve failures to operate. A value of 0.01 1s assumed.
3. Hotwell Water Depleted (GHTWLD). The likelihood of depleting the condenser hotwell over the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time is assumed to be 1.0.
4. Sixty Percent Condensate Pump Fails (GLGCPA, GLGCPB). Both 60%

condensate pumps are assumed operating at the time of the initiator. The pump failure probability was based on the probability of failing to run for an assumed 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission. Using a value of SE-5/hr for motor driven pumps results in an estimate of 1.2E-3. Given the failure to run of one condensate pump, a conditional probability of 0.01 was assumed for the second pump.

5. Flash Tank to Condensate Pump Suction Flowpath Blocked (GLOFTK). This probability is assumed to be dominated by valve failures tc operata. A value of 0.01 was assumed.
6. Motor Driven Boiler Feed Pump Mechanical Failure (GMBFPF). The motor driven boiler feed pump was assumed to be in a standby status at the time of the initiator. Because of this, its failure probability is dominatt '

by the likelihood of failing to start. A value of 0.01 was assumed.

7. No Steam Delivered from Steam Generator (GNOSTM). This probability is assumed to be dominated by valve failures to operate. A value of 0.01 was assumed.
8. Bypass Flash Tank Failure (GNOThK). This probability is assumed to be dominated by valve failures associated with the flash tank. A value of 0.01 was assumed.
9. Twelve and One-Half Percent Condensate Pump in Test and Maintenance (GSMPAT, GSMPBT). Each pump was assumed unavailable due to test and maintenance for four hours/month. This results in an unavailability of 4/720 or 0.006.


10. Twelve and One-Half Percent Condensate Pump Fails to Start and Run (GSMPUA, GSMPUB). These pumps were assumed in a standby status at the time of the event. The failure probability for the first pump was assumed dominated by failure to start; a typical failure to start probability of 0.01 was utilized. The conditional probability of the second pump failing to start, given the first fails to start, was assumed to be 0.1.

11. Turbine Driven Boiler Feed Pump Mechanical Failure (GTBFPA, GTBFPB). Both motor driven boiler feed pumps are assumed running at the time of the initiator. The pump failure probability was based on the likelihood of failing to run for an assumed 24 hour mission. Using a value of 1E-4/hr for turbine driven pumps results in an estimate of 2.4E-3. Given the failure to run of one pump, a conditional probability of 0.01 was assumed for the second pump.

12. Turbine Driven Boiler Feed Pump in Test and Maintenance (GTBPAT, GTBPBT). Both turbine driven boiler feed pumps are assumed operating at the time of the initiator. Because of this, the T/M unavailability for the pump is zero.

13. Auxiliary Boiler Feed Pump Mechanical Failure (HAUPAF, HAUPBF). The pump failure probability was assumed dominated by failures to start with an estimated probability of 0.01 for the first pump and 0.1 for the second pump, given the first pump failed.
14. Auxiliary Boiler Feed Pump Unavailable Due to Test and Maintenance (HAUPAT, HAUPBT). Each auxiliary boiler feed pump was assumed unavailable for 24 hours/month. This results in an unavailability estimate of 0.03.
15. Circulating Water Pit Fails (HCWPFA). The circulating water pit provides water for the motor and diesel driven fire pumps. Failure is assumed unlikely; a failure probability of 1E-5 is assumed.
16. Diesel Fire Pump Mechanical Failure (HDFWPF). The failure to start and run probability for this pump was estimated to be higher than for motor driven pumps but lower than that experienced by large emergency diesels. A value of 0.03 was assumed.
17. Diesel Fire Pump in Test and Maintenance (HDFWPT). The diesel fire pump was assumed unavailable due to test and maintenance for four hours/month, with a resulting unavailability of 0.006.


18. Motor Driven Fire Pump Mechanical Failure (HMFWPF). The failure probability for this pump was assumed consistent with other motor driven pumps modeled in this study, 0.01/demand.
19. Motor Fire Pump in Test or Maintenance (HMFWPT). This probability was assumed equivalent to that for the diesel fire pump, 0.006.
20. Auxiliary Boiler Unavailable Due to Test and Maintenance (IAUXBT). The auxiliary boiler was assumed unavailable due to test and maintenance for two days/month, resulting in an unavailability estimate of 0.07.
21. Auxiliary Boiler Mechanical Failure (IAUXMF). For success, the auxiliary boiler must be fired and produce steam within approximately one hour after the initiator occurs. This time is believed to be marginal for the boiler, and a failure probability of 0.25 was assumed.
22. Backup Boiler Unavailable Due to Test and Maintenance (IBAUBT). The backup auxiliary boiler was assumed unavailable, primarily due to deferred maintenance, for four days/month, resulting in an unavailability of 0.13.
23. Backup Boiler Mechanical Failure (IBAVHF). The same probability as was used for the auxiliary boiler (see Note 21), 0.25/demand, was noted for the backup boiler. Given failure of the auxiliary boiler, a conditional probability of 0.5 was assumed for the backup boiler.
24. Circulator Fails to Run (ICIRAF, ICIRBF). Prior to the initiating event, each circulator is assumed operating on steam drive. Failure to run addresses failure to continue to run on steam drive or failure to run on water drive, given successful start (see Note 25). The probability of failing to run was assumed to be 1E-4/hr. For a 24 hour mission time, this results in a failure to run probability of 2.4E-3. Given failure of one circulator to run, a conditional probability of 0.01 was assumed for the second.
25. Circulator Fails to Start (Water Drive) (JCIRAF, JCIRBF). The probability of a circulator failing to start and achieve operating speed on pelton wheel drive was assumed to be 0.05. Note that this value is consistent with industry experience with steam driven pumps, which may not be directly applicable. Given failure of one circulator to start on pelton wheel drive, a conditional failure probability of 0.1 was assumed for the second.


26. Circulator Valves Fail to Open (JCIRAV, JCIRBV). This event involves failure to correctly align valves associated with a circulator when switching to pelton wheel drive. The associated failure probability is assumed to be 0.01 for failure of valves associated with the first circulator, and 0.1 for failure of the valves associated with the second circulator, given failure of those associated with the first.
27. Nitrogen Bottles Fail to Provide Flow for 24 Hrs (JNIBOT). Nitrogen overpressure is required when the circulators are powered by water to prevent hot feedwater from flashing to steam. Nitrogen is first supplied by bottles, and is then recovered from the system using compressors. The probability of exceeding the capacity of bottle storage over a 24 hour period is assumed to be 0.5.
28. Failure of Nitrogen Compressor (JNICPA, JNICPB). The failure of a nitrogen compressor to start and run as required within the 24 hour period is assumed to be 0.01 for the first compressor, and 0.1 for the second compressor given failure of the first.
29. Nitrogen Valves to Circulators Fail to Open (JNICVF). Failure of valves required to open to provide overpressure during pelton wheel drive was assumed to be 0.01.

30. Four house events were utilized in the fault tree: auxiliary boiler unavailable (ZAUXBLR), loss of offsite power (ZLOOP), motor driven boiler feed pump unavailable (ZMTRBFP) and circulators on water drive. These events, initially set to false (probability = 0), were selectively set true to model different plant conditions.
31. No Nitrogen Initially in Bottles (JNISTT). No nitrogen in the bottles initially is considered to be a low probability event and was given a probability of 1 x 10'p/year.
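
The arithmetic behind the notes above, as an added example that is not part of the original report: failure to run is taken as rate times the 24 hour mission, test and maintenance unavailability as outage hours over a 720 hour month, and a redundant pair fails with the first-component probability times the stated conditional. Function names and pair labels are hypothetical; the numeric inputs are the values quoted in the notes, and the fault tree logic itself is not reproduced.

```python
import math

MISSION_HOURS = 24      # mission time assumed throughout the notes
HOURS_PER_MONTH = 720   # divisor used in Note 9 (4/720)

def fail_to_run(rate_per_hr, hours=MISSION_HOURS, exact=False):
    """Failure-to-run probability; the notes use rate * time (rare-event form)."""
    x = rate_per_hr * hours
    return 1.0 - math.exp(-x) if exact else x

def tm_unavailability(outage_hours_per_month):
    """Test and maintenance unavailability as a fraction of a 720 hour month."""
    return outage_hours_per_month / HOURS_PER_MONTH

def pair_failure(p_first, p_second_given_first):
    """Both redundant components fail: P(first) * P(second | first)."""
    return p_first * p_second_given_first

def dependence_factor(p_first, p_second_given_first):
    """Ratio of the dependent pair estimate to the independent one, p_first**2."""
    return p_second_given_first / p_first

# (first-component probability, conditional for the second), taken from the notes
PAIRS = {
    "60% condensate pumps, run (Note 4)": (fail_to_run(5e-5), 0.01),
    "12.5% condensate pumps, start (Note 10)": (0.01, 0.1),
    "boiler feed pumps, run (Note 11)": (fail_to_run(1e-4), 0.01),
    "auxiliary boiler feed pumps (Note 13)": (0.01, 0.1),
    "auxiliary and backup boilers (Notes 21, 23)": (0.25, 0.5),
    "circulators, run (Note 24)": (fail_to_run(1e-4), 0.01),
    "circulators, water drive start (Note 25)": (0.05, 0.1),
    "circulator valves (Note 26)": (0.01, 0.1),
    "nitrogen compressors (Note 28)": (0.01, 0.1),
}

def summarize():
    """Map each pair to (joint failure probability, dependence factor)."""
    return {name: (pair_failure(p, c), dependence_factor(p, c))
            for name, (p, c) in PAIRS.items()}

if __name__ == "__main__":
    for name, (joint, factor) in summarize().items():
        print(f"{name:45s} joint={joint:.2e}  {factor:5.1f}x independent")
    for hours in (4, 24, 48, 96):   # Notes 9 and 17, 14, 20, 22
        print(f"T/M {hours:3d} h/month -> {tm_unavailability(hours):.3f}")
```

The dependence factor shows how much the stated conditionals raise each pair estimate over an independence assumption: between 2 and 10 times for the pairs listed.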
