ML20203J858

Rev 2 to Catawba Nuclear Station PRA Summary Rept, for Jan 1998.W/one Diskette
Site: Catawba
Issue date: 01/31/1998
From: DUKE POWER CO.
Shared Package: ML20203J855
References: NUDOCS 9803040323



CATAWBA NUCLEAR STATION
PRA Revision 2 Summary Report
January 1998
Controlled Copy # 1, NRC Headquarters

Duke Power, A Duke Energy Company


FOREWORD

This is the 1997 update of the Probabilistic Risk Assessment (PRA) study of Catawba Nuclear Station. This update is designated as Revision 2 since it constitutes a revision to two previous studies: the original Catawba PRA and the subsequent update of the original study (designated as Revision 1), which was used to satisfy the NRC's IPE requirement.

For developing the 1997 update, the plant configuration and procedures existing in 1996 formed the basis. The system and equipment reliability and availability data were based on plant-specific data for the period 1/91 - 6/95 on risk-significant equipment. For initiating events, plant-specific data and certain generic data for the period 1980 - 1995 formed the database.

The Revision 2 study employed the traditional event tree-fault tree methodology to conduct the systems analysis. However, a more state-of-the-art integration scheme was used to couple the many event tree end point sequences with the fault tree models and the human recovery functions. Also, a large number of sensitivity studies have been done to derive insights on risk-significant systems, equipment failures, operator actions, and others. These enhancements were made to make the PRA model more suitable for the current environment of increased risk-informed plant operation and problem-solving. As is the case with the earlier studies, the Revision 2 study also included the thermal-hydraulics and source term analysis of the reactor coolant and containment systems (known as the Level 2 analysis) and the analysis of the public health risk by considering the population, 1990 census data, and meteorological data (known as the Level 3 analysis). Furthermore, the external event analysis presented in this study is consistent with the IPEEE results reported to the NRC in response to Supplement 4 of NRC GL 88-20.

As is the case with the previous revisions, the reliability data, core melt frequency, and risk results presented in this PRA are for an "average" plant configuration, representing the "at-power" and hot shutdown conditions. For the cold shutdown and refueling modes, a separate PRA (based on the ORAM methodology) is utilized at this time.

The data, results, and conclusions presented in this report supersede those presented in the 1992 PRA/IPE report. Nevertheless, the [illegible]-volume PRA/IPE report can be used to obtain general information on plant systems and their arrangements.

The 1997 update utilized five PRA engineers and two technical support personnel. In addition, two Project Managers (Mike Barrett and Rob Boyer) provided project coordination and technical management functions of this effort.

P. M. Abraham, Section Manager
Severe Accident Analysis
December 1997


TABLE OF CONTENTS

1.0 SUMMARY
  1.1 Introduction
  1.2 Core Damage Frequency Development
  1.3 Containment Performance
  1.4 Public Health Consequences
  1.5 Large Early Release Frequency (LERF)
  1.6 Results
2.0 INTRODUCTION
  2.1 Objective
  2.2 Plant Description
  2.3 Intended Use Of This Report
  2.4 General Methodology
3.0 CORE DAMAGE FREQUENCY DEVELOPMENT
  3.1 Data Development
    3.1.1 Equipment Data Collection
    3.1.2 Initiator Development
    3.1.3 Common Cause Development
    3.1.4 Human Reliability Analysis
    3.1.5 Plant Specific Experience
  3.2 Internal Event Model Development
    3.2.1 Systems Analysis
    3.2.2 Accident Sequence Development
  3.3 External Event Model Development
    3.3.1 Seismic Analysis
    3.3.2 Internal Fire
    3.3.3 Tornado
  3.4 Integrated Plant Model
  3.5 Methodology
4.0 CONTAINMENT PERFORMANCE
  4.1 Containment Event Tree (CET) Model Development
  4.2 Data Development
  4.3 Methodology
5.0 PUBLIC HEALTH CONSEQUENCES
  5.1 Model Development
  5.2 Data Development
  5.3 Methodology
  5.4 Large Early Release Frequency (LERF)
6.0 RESULTS
  6.1 Core Damage Frequency
    6.1.1 Internal Events
    6.1.2 External Events
    6.1.2 Total
  6.2 Containment Performance
  6.3 Public Health Risks
  6.4 Large Early Release Frequency
  6.5 Sensitivity Studies
7.0 REFERENCES
Appendix A System Model Summaries
Appendix B External Events Analysis

LIST OF TABLES

3.1.1-1 Equipment Failure Rates
3.1.2-1 Final Initiating Event List
3.1.5-1 Plant-Specific and Bayesian-Updated Failure Rates
3.5-1 Core Melt Bin Designations
3.5-2 Containment Safeguards Designations
4.3-1 Catawba Release Category Cross Reference
6.1-1 Summary of Core Damage Frequency Results by Initiator
6.1-2 Summary of Core Damage Frequency Results by Plant Damage State
6.1.3-1 Top 100 CDF Cut Sets for Internal Initiators
6.1.3-2 Top 100 CDF Cut Sets for External Initiators
6.1.3-3 Basic Event Importance Listing
6.2-1 Summary of Containment Analysis Results
6.3-1 Summary of Risk Results for Internal Initiators
6.3-2 Summary of Risk Results for External Initiators
6.3-3 Summary of Risk Results for All Initiators

LIST OF FIGURES

3.2.1-1 Catawba Reactor Coolant System - Simplified Diagram
3.2.1-2 Catawba Containment and Reactor Building - Simplified Diagram
3.3.2-1 Small LOCA Event Tree
3.3.2-2 Medium LOCA Event Tree
3.3.2-3 Large LOCA Event Tree
3.3.2-4 Transient Event Tree
3.3.2-5 Steam Generator Tube Rupture Event Tree
4.1-1 Catawba Containment Event Tree
6.1-1 Percent Contribution to Core Damage Frequency by Initiator
6.1-2 Probability Density Distribution
6.1-3 Cumulative Probability Distribution

Acronyms

AC Alternating Current
ASP Auxiliary Shutdown Panel
ATWS Anticipated Transient Without Scram
FWST Refueling Water Storage Tank
CA Auxiliary Feedwater System
CAFTA Computer Aided Fault Tree Analysis
CCDF Complementary Cumulative Distribution Function
CET Containment Event Tree
CF Main Feedwater System
CIS Containment Isolation State
CMB Core Melt Bin
CRAC2 Calculations of Reactor Accident Consequences Version 2
CSS Containment Safeguards State
DC Direct Current
D/G Diesel Generator
RHR Residual Heat Removal
ECC Emergency Core Cooling
ECCS Emergency Core Cooling System
EHM Hydrogen Mitigation System
EPC Essential Auxiliary Power System
EPRI Electric Power Research Institute
EPZ Emergency Planning Zone
FSAR Final Safety Analysis Report
GL Generic Letter
HPME High Pressure Melt Ejection
HPR High Pressure Recirculation
HVAC Heating, Ventilation, and Air Conditioning
I&C Instrumentation and Control
IPE Individual Plant Examination
IPEEE Individual Plant Examination for External Events
ISLOCA Interfacing-Systems Loss of Coolant Accident
KC Component Cooling System
kV Kilovolt
LL Large LOCA
LOCA Loss of Coolant Accident
LOOP Loss of Offsite Power
MAAP Modular Accident Analysis Program
ML Medium LOCA
MWt Megawatt Thermal
ND Residual Heat Removal System
NI Safety Injection System
NRC Nuclear Regulatory Commission
NS Containment Spray System
NSSS Nuclear Steam Supply System
NV Chemical and Volume Control System
PDS Plant Damage State
PORV Power-Operated Relief Valve
PRA Probabilistic Risk Assessment
PSIG Pounds per Square Inch Gage
PWR Pressurized Water Reactor
RC Release Category
RCM Release Category Matrix
RCP Reactor Coolant Pump
RCS Reactor Coolant System
RN Nuclear Service Water System
RPS Reactor Protection System
RPV Reactor Pressure Vessel
SGTR Steam Generator Tube Rupture
SL Small LOCA
SRV Safety Relief Valve
SSF Safe Shutdown Facility
SSS Standby Shutdown System
TDP Turbine Driven Pump
VI Instrument Air System
VQ Containment Air Release and Addition System
VX Containment Air Return and Hydrogen Skimmer System
WL Liquid Waste System

1.0 SUMMARY

1.1 Introduction

Since the Catawba IPE submittal, Duke Power has been developing applications that utilize the information contained in the Catawba PRA/IPE models. It was recognized that updating of the PRA/IPE would be necessary in order to continue to use the Catawba IPE information. In 1996, Duke Power decided to perform another update of the Catawba PRA. Like the previous update in 1992, the purpose of this update was to:

  • Incorporate plant changes since the time of the last update
  • Continue to improve assumptions and documentation
  • Make use of plant experience and data since 1991
  • Enhance the Catawba models to better support PRA applications

The Catawba update was completed in October 1997 and, like the 1992 update, constitutes a full-scope, Level 3 PRA with the analysis of both the internal and external events.

This summary report will present the high level results of the update. The detailed information is kept in system notebooks located in the Severe Accident Analysis section. This method of reporting results makes it easier to perform periodic updates of the Catawba IPE.

The Catawba update study tasks included the traditional PRA tasks of initiating event analysis, systems analysis, data analysis, human reliability analysis, accident sequence quantification, in-plant consequence analysis, and ex-plant consequence analysis. The methodology utilized is generally consistent with the PRA Procedures Guide (Ref. 2.1). The initiating events analysis in combination with the systems analysis produce the accident sequences leading to a core damage condition. The sequences are quantified by utilizing the results of the data analysis and the human reliability analysis. The quantified sequences are then binned into specific plant damage state groups and fed through the consequence analysis tasks to obtain quantitative fission product release potential and the risk results.

1.2 Core Damage Frequency Development

For this revision of the PRA, generic equipment data are obtained primarily from the SAROS Generic Equipment Failure Rate Database (Ref. 3.1). This database aggregates many sources of generic data, such as other nuclear plant PRAs, WASH-1400, IEEE-500, and INEL's Generic Component Failure Data Base For Light Water and Liquid Sodium Reactor PRAs (EGG-SSRE-8875).

For the key components, plant-specific equipment data is compiled from PIP database, INPO LER database, NPRDS and other sources as needed. The data covers the six year period from 1989 through 1995 for both Catawba units and includes data related to component failure, number of demands or run hours, and maintenance unavailability. Plant-specific failure rates are calculated and combined with generic industry data using a Bayesian update.

The yearly frequencies of the internal initiating events selected for the PRA are calculated by either of two means: fault tree modeling or empirical data analysis.

Fault tree models are developed for failures of specific systems at Catawba: Fault on Bus 1 ETA, Loss of Instrument Air, Loss of PS, Loss of KC, and Interfacing-Systems LOCA. The remaining internal initiating events are quantified from empirical data.

Operating experience for U.S. PWRs from 1980 through 1987 previously compiled for Reference 3.2 is combined with the data collected from the years 1988 through June 1995 for this update. There are 14 calendar years in the time span under consideration. A Catawba-specific capacity factor of 0.90 has been used.

Common cause events identified during the development of system models are quantified based on methods and procedures provided in NUREG/CR-4780 (Ref. 3.19) and related documents. Because of the rarity of common cause events, industry generic information is used to quantify common cause basic events modeled in the system fault trees.

The main purpose of the Catawba PRA HRA update is to validate the results of the previous Catawba PRA HRA and to provide quantification of any new human reliability events modeled as a result of the update. The validation process involves re-examination of the original Catawba human error events with a combination of different modeling techniques. Applicable procedures are reviewed and, when necessary, station training personnel have been contacted.

The initiating events analysis identifies the accident initiators of interest for this plant and examines the response of the plant to each of the initiators. The plant response analysis defines the structure of the event trees necessary to depict the functional requirements of the mitigating systems for each unique class of accident initiators.

The top events of these functional event trees are those functions necessary to keep the reactor core in a safe condition. The end states of these functional event trees define the combination of success or failures of functions following the initiator and fall into either a 'safe core' or a 'core damage' condition. The core damage end states are the functional sequences of interest and they are identified and grouped into plant-damage state bins of unique characteristics with respect to the accident progression, containment response, and release potential.

The plant systems which make up the top events of the functional event trees are analyzed in the systems analysis using detailed fault trees. Fault trees are developed for both the front-line and the support systems. Accident sequences are constructed by linking the system models with the appropriate event tree functions using the event tree top logic and solved using the CAFTA computer code. System fault trees and accident sequences are numerically solved by utilizing the results of the data analysis (initiating event data and equipment failure data) and the human reliability analysis.

1.3 Containment Performance

The consequence analysis for the Catawba PRA utilizes a method that is consistent with the PRA Procedures Guide (NUREG-2300) and NUREG-1150. This method includes Plant Damage State (PDS) definition and quantification, Containment Event Tree (CET) development, CET quantification and Release Category definition.

Core melt sequences from the core damage frequency analysis are grouped into bins identified as Plant Damage States (PDSs). The sequences within a PDS have similar characteristics with respect to either containment event tree quantification or fission product release behavior. The PDS frequency is the sum of the individual sequence frequencies assigned to that PDS.

Duke Power's approach to containment event tree (CET) development is to include only those events or questions which have a direct impact on the release category definition. The top events are developed where necessary with large decision trees in order to quantify the probability for those top events. This method allows each CET end point to represent a separate release category while also allowing a significant level of detail in the quantification.

The CET is solved by propagating each PDS through the CET. CET branch probabilities are determined either directly from the PDS or from the solution of the appropriate decision tree. Basic event probabilities are assigned based on a combination of:

  • PDS characteristics,
  • hand calculations,
  • computer code analyses,
  • recent severe accident research (experiments and analysis) results, and
  • plant-specific information.

Since the CET contains only questions related to fission product release characteristics, the release categories are defined by the CET end points and their paths through the tree. The sequence most representative of each release category is analyzed with the MAAP code to determine release magnitudes.

1.4 Public Health Consequences

The offsite consequence analysis is done using the CRAC2 consequence model.

Release category source term information and the site-related information are used as input to the CRAC2 computer code to calculate consequences for each release category.

The CRAC2 model describes the progression of radioactive material released from the containment following a core melt accident. The model predicts the interaction of this radioactive material with the environment and people. The CRAC2 model takes into account factors such as population, meteorology and evacuation strategies.

The CRAC2 model calculates public health consequences in the form of Early Fatalities, Early injuries, Latent Fatalities, Thyroid Cancers and Whole-Body Person-Rem. The final risk results are a culmination of the CRAC2 health consequences, the CET Release Category frequencies, and the PDS frequencies.
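The frequency bookkeeping described in Sections 1.3 and 1.4, shown as an added example that is not part of the report: sequences are summed into PDS frequencies, each PDS is propagated through CET branch probabilities to release category frequencies, and risk is the frequency-weighted sum of per-category consequences. All sequence names, probabilities and consequence values below are constructed for illustration, and the per-category consequence stands in for a CRAC2 result.

```python
import math
from collections import defaultdict

# Constructed inputs for illustration only; none of these values come from the report.
# (sequence id, frequency per year, assigned plant damage state)
SEQUENCES = [
    ("SEQ-A", 4.0e-6, "PDS-1"),
    ("SEQ-B", 1.0e-6, "PDS-1"),
    ("SEQ-C", 2.0e-6, "PDS-2"),
]
# Conditional probability of each release category given the PDS (the CET solution).
CET = {
    "PDS-1": {"RC-intact": 0.7, "RC-late": 0.3},
    "PDS-2": {"RC-late": 0.5, "RC-early": 0.5},
}
# Consequence per release, conditional on the release category (e.g. person-rem).
CONSEQUENCE = {"RC-intact": 1.0e2, "RC-late": 1.0e5, "RC-early": 1.0e6}


def pds_frequencies(sequences):
    """PDS frequency = sum of the sequence frequencies binned into that PDS."""
    freq = defaultdict(float)
    for seq_id, f, pds in sequences:
        if f < 0:
            raise ValueError(f"negative frequency for {seq_id}")
        freq[pds] += f
    return dict(freq)


def release_category_frequencies(pds_freq, cet, tol=1e-9):
    """Propagate each PDS through its CET branches to release categories."""
    rc = defaultdict(float)
    for pds, f in pds_freq.items():
        if pds not in cet:
            raise KeyError(f"no CET solution for {pds}")
        branches = cet[pds]
        if any(p < 0 for p in branches.values()):
            raise ValueError(f"negative branch probability in {pds}")
        # End points of one tree are exhaustive, so the branches must sum to 1.
        if not math.isclose(sum(branches.values()), 1.0, abs_tol=tol):
            raise ValueError(f"CET branches for {pds} do not sum to 1")
        for category, p in branches.items():
            rc[category] += f * p
    rc = dict(rc)
    # Frequency is conserved: total release category frequency equals total CDF.
    if not math.isclose(sum(rc.values()), sum(pds_freq.values()), rel_tol=1e-9):
        raise ArithmeticError("frequency not conserved through the CET")
    return rc


def risk_per_year(rc_freq, consequence):
    """Risk = sum over release categories of frequency x consequence."""
    missing = set(rc_freq) - set(consequence)
    if missing:
        raise KeyError(f"no consequence result for {sorted(missing)}")
    return sum(rc_freq[c] * consequence[c] for c in rc_freq)


def run_example():
    pds = pds_frequencies(SEQUENCES)
    rc = release_category_frequencies(pds, CET)
    return pds, rc, risk_per_year(rc, CONSEQUENCE)


if __name__ == "__main__":
    pds, rc, risk = run_example()
    for name, f in sorted(pds.items()):
        print(f"{name}: {f:.2e} /yr")
    for name, f in sorted(rc.items()):
        print(f"{name}: {f:.2e} /yr ({100 * f / sum(rc.values()):.1f}% of CDF)")
    print(f"risk: {risk:.4f} consequence units per year")
```

The per-category share printed at the end is the same kind of quantity as a containment failure mode contribution percentage.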

1.5 Large Early Release Frequency (LERF)

The large early release frequency has become a standard surrogate to a full level 3 PRA for the assessment of health risks associated with a nuclear plant. For completeness and to facilitate discussion of these results as they relate to other studies, the LERF for Catawba has been calculated. The large early release frequency has been determined by considering the potential for early fatalities. The CRAC2 results for each release category are used to determine the potential for early fatalities and thus determine which frequencies to include in LERF.

1.6 Results

The Catawba IPE update has resulted in a comprehensive, systematic examination of the plant for potential severe accidents. The study has identified the accident sequences of most influence in the calculated overall core damage probability.

Total CDF

The total core damage frequency has been calculated to be 4.7E-05 per year.

Internal CDF

The overall core damage frequency for the internal events has been calculated to be 3.2E-05 per year. Among the internal events, small LOCAs (with a core melt frequency of 1.1E-05/yr.), internal floods (also at 1.1E-05/yr.) and the T10 (loss of KC) transient (with a core melt frequency of 4.1E-06/yr.), are assessed to be the dominant accident initiators.

External CDF

The core damage frequency for the external events is calculated to be 1.5E-05/yr., of which the seismic event contributes 8.5E-06/yr. and the fires contribute 5.2E-06/yr.

Containment Failure Modes

With regard to the fission product release potential, it has been found that the dominant containment end state is no containment failure, followed by late containment failure as a result of over-pressurization. The availability of the containment spray is the most important factor in keeping the containment intact. The following are the summary results for the containment performance analysis:

Containment Failure Mode          Contribution
No Containment Failure            31.2%
Basemat Meltthrough               5.2%
Late Containment Failure          53.7%
Early Containment Failure         8.9%
Containment Isolation Failure     0.4%
Containment Bypass                0.5%

The public health risk is dominated by release categories 6.02 (Late catastrophic Containment Failure), 5.01 (Early Containment Failure) and 2.04 (ISLOCA). The early fatalities and injuries are dominated by the ISLOCA while the whole-body person-rem and cancers are dominated by the late and early containment failures.

Release category 6.04 (late over-pressurization) also contributes significantly to the latent health effects.

The public health risk results (total for internal and external initiators) are summarized in the following table.

Health Effect             # per year
Early Fatalities          4.0E-05
Early Injuries            3.2E-04
Latent Fatalities         4.8E-03
Thyroid Cancers           1.2E-02
Whole-Body Person-Rem     7.2E+01

In general, the risk measures are calculated to result in only very low risk to the health and safety of the public.

Large Early Release Frequency (LERF)

The large early release frequency for Catawba has been calculated to be 4.3E-07/yr.

This result is dominated by the contribution from the ISLOCA and the seismic events.

2.0 INTRODUCTION

2.1 Objective

In 1984 Duke Power began work on the first Catawba Probabilistic Risk Assessment (PRA). Subsequently, in April 1991, Duke Power initiated a large-scale review and update of the original study to include various enhancements based on improved knowledge of PRA techniques. Following the final issuance of the NRC Generic Letter 88-20 in August 1989, Duke Power Company decided to utilize the updated Catawba PRA/IPE to meet the requirements of the generic letter.

Since the Catawba IPE submittal, Duke Power has been developing applications that utilize the information contained in the Catawba models. It was recognized that updating of the PRA would be necessary in order to continue to use the Catawba IPE information. In 1996, Duke Power decided to perform another update of the Catawba PRA. Like the previous update in 1992, the purpose of this update was to:

  • incorporate plant changes since the time of the last update,
  • continue to improve assumptions and documentation,
  • make use of plant experience and data since 1990, and
  • enhance the Catawba models to better support PRA applications.

The Catawba update was completed in September 1997 and, like the 1992 update, constitutes a full-scope, Level 3 PRA with the analysis of both the internal and external events [1].

This summary report presents the high level results of the update. The detailed information is kept in system notebooks located in the Severe Accident Analysis Section. This method of reporting results makes it easier to perform periodic updates of the Catawba IPE.

[1] The external event analysis was done as part of the McGuire IPEEE submittal in December 1995.

2.2 Plant Description

Catawba Unit 1, a nuclear power plant with a Westinghouse pressurized water reactor, is one of two such units comprising the Catawba Nuclear Station. The station consists of two reactor buildings, and two auxiliary buildings, one each for Units 1 and 2. Each containment is a free standing steel containment of the ice condenser design within a pre-stressed concrete Reactor Building. At full power the unit produces 3411 MWt, generating about 1180 MWe net. The plant was designed and constructed by Duke Power.

The nuclear steam supply system has four loops connected in parallel to the reactor vessel. Each loop consists of a reactor coolant pump, cold leg, hot leg, and an inverted u-tube steam generator. The reactor and the nuclear steam supply system are contained within the steel containment. The emergency core cooling (ECC) systems, which provide shutdown core heat removal and long term reactivity control, and other auxiliary systems are housed in the auxiliary building. The Turbine Building houses the steam and power conversion systems, and additional auxiliary systems.

Located on Lake Wylie, the station uses forced draft cooling towers for condenser cooling.

2.3 Intended Use Of This Report

Unlike the Catawba IPE submittal, this summary report is the only published documentation for the Catawba update. All detailed information has been removed and is kept in system notebooks located within the Severe Accident Analysis Section.

It is intended that there be enough detail in this summary report to understand the scope of the Catawba update and provide results pertinent to the use of PRA applications at the Catawba Nuclear Station.

2.4 General Methodology

The Catawba update study tasks included the traditional PRA tasks of initiating event analysis, systems analysis, data analysis, human reliability analysis, accident sequence quantification, in-plant consequence analysis, and ex-plant consequence analysis. The methodology utilized is generally consistent with the PRA Procedures Guide (Ref. 2.1). The initiating events analysis combines with the systems analysis to produce the accident sequences leading to a core damage condition. The sequences are quantified by utilizing the results of the data analysis and the human reliability analysis. The quantified sequences are then binned into specific plant damage state groups and fed through the consequence analysis tasks to obtain quantitative fission product release potential and the risk results.

A series of sensitivity studies are performed to provide additional insights.

3.0 CORE DAMAGE FREQUENCY DEVELOPMENT

3.1 Data Development

3.1.1 Equipment Data Collection

This section lists the sources of equipment data used to quantify the Catawba PRA fault tree and event tree models.

For this revision of the PRA, generic equipment data are obtained primarily from the SAROS Generic Equipment Failure Rate Database (Ref. 3.1). Previously, EPRI's Advance Light Water Reactor Utility Requirements Document, Vol. II, had been used extensively as a source for generic data for the McGuire and Catawba PRAs.

Because this data is considered proprietary, Duke has switched to an alternative source for generic failure rate data. The new generic failure rate database was developed by SAROS, Inc. This database aggregates many sources of generic data, such as other nuclear plant PRAs, WASH-1400, IEEE-500, and INEL's Generic Component Failure Data Base For Light Water and Liquid Sodium Reactor PRAs (EGG-SSRE-8875).

Plant-specific equipment data for key equipment are compiled from the following sources:

  • Problem Investigation Reports (PIRs),
  • Problem Investigation Process Reports (PIPs),
  • INPO's LER Database,
  • Nuclear Plant Reliability Data System (NPRDS),
  • Catawba Work Management System (WMS) Database,
  • Safety System Unavailability Monitoring (SSUM) Database,
  • Reactor Operator Logs, and
  • Equipment Run Time (ERT) reports.

The data covers the period from 1/91 through 6/95 for both Catawba units and includes data related to component failure, number of demands or run hours, and maintenance unavailability. Plant-specific failure rates are calculated and combined with generic industry data using a Bayesian update. Table 3.1.1-1 lists the equipment failure rates used in this analysis.

For the testing/maintenance unavailability events, screening values such as 1.0E-2 or 1.0E-3 (for infrequent maintenance) are often used. With the use of these screening values, there is a greater likelihood that maintenance events show up in the final cut sets. In some cases where maintenance unavailability is a major contributor for the sequences of interest, plant-specific unavailabilities are used.

3.1.2 Initiator Development

Initiating Event Identification

Identifying the initiating events for accident sequences is one of the first tasks in any Probabilistic Risk Assessment. The objective of this task is to provide a comprehensive set of all realistic and physically possible potential accident initiators. A comprehensive list of accident-initiating events is required to ensure that all important sequences are examined. Initiating events can be divided into four classes. These are:

1. Loss of Coolant Accident (LOCA) - An uncontrolled breach in the primary system integrity which results in a loss of primary coolant.
2. Transients - Any event either by equipment failure or human action which disrupts power operation sufficiently to trip the reactor and require a mitigating action to maintain vital plant parameters.
3. Steam Generator Tube Rupture (SGTR) - A primary leak in the steam generator which is beyond the capacity of the charging pumps.
4. External Events - An event occurrence not directly related to plant operation, e.g., an earthquake, flood, or tornado.

Floods which result from sources internal to the plant were required to be considered in each plant's IPE. For purposes of this report, the internal floods are treated as internal events. The internal CDF results for Catawba are then comparable (in terms of the events included) to the IPE results of plants that do not perform an external events analysis. The internal initiating events are discussed in this section, while external events are discussed in Section 3.3.

Initiating Event Grouping

For this PRA update, the initiating events compiled for the previous PRA update formed the starting point. To ensure completeness, a literature search of industry experience information (Licensee Event Reports and Significant Operating Experience Reports) and of available other PRAs was made. This review confirmed that the existing final list of initiators (see Table 3.1.2-1) continues to be the appropriate initiators of interest for Catawba.

Initiating Event Frequencies

The yearly frequencies of the internal initiating events selected for the PRA are calculated by either of two means: fault tree modeling or empirical data analysis.

Fault tree models are developed for failures of specific systems at Catawba: Fault on Bus 1 ETA, Loss of Instrument Air, Loss of RN, Loss of KC, and Interfacing-Systems LOCA. The remaining internal initiating events are quantified from empirical data.


Table 3.1.2-1 lists the initiators and their frequencies. There are many similarities between the McGuire and Catawba Nuclear Stations. Where appropriate the experience of these two plants is grouped together as combined experience for the purposes of estimating initiating event frequencies. The combined experience for the two plants is 33.3 reactor-years (18.5 for McGuire and 14.8 for Catawba). These frequencies are used in both plant PRA updates. A Catawba specific capacity factor of 0.90 is assumed.

Operating experience for U. S. PWRs through 1989 has been taken from Reference 3.2 and combined with the additional data from 1989 through June 1995 for this update. There are 14 calendar years in the time span under consideration. The PWR experience has been calculated to be 824.1 reactor years.

Those initiating events, large and medium LOCAs, that did not occur during the period had their frequencies estimated using the chi-squared variate at the 50% cumulative probability level approach as described in Reference 3.9.

T1. Reactor Trip

McGuire and Catawba have experienced a total of 69 reactor trip events from power operation which are not counted in other initiator categories in the 33.3 years under consideration. The frequency of T1 is estimated at 1.9/yr.

T2. Loss of Load

McGuire and Catawba have experienced a total of 17 loss of load events from power operation in the 33.3 years under consideration. The frequency of T2 is estimated at 0.46/yr.

T3. Loss of Offsite Power

The loss of offsite power frequency has been estimated from information in EPRI TR-106306, Reference 3.3. Updating with the Catawba specific experience of 1 occurrence, the LOOP frequency is estimated to be 3.59E-02/yr. During the time period for data collection for this analysis, Catawba did not experience any LOOPs. However, in February of 1996 a LOOP did occur at Catawba. This event has been counted in the analysis as though it had occurred prior to 12/31/95, which is the cutoff point for the data collection.

T4. Loss of Main Feedwater

A loss of main feedwater initiator is a total loss of main feedwater. McGuire and Catawba have experienced 18 of these events in the 33.3 years under consideration. The frequency for T4 is estimated at 0.49/yr.

T5. Excessive Feedwater

This initiating event is an overcooling transient caused by main feedwater that lowers RCS pressure below the ESFAS setpoint for safety injection. This transient behaves much like the T1 when feedwater isolates as designed and like a T13 if feedwater isolation fails. Since the frequencies of the T1 and T13 are expected to be much higher than would be evaluated for an excessive feedwater event, no independent T5 initiator frequency is developed.

T6. Secondary Line Break Inside Containment

There have been two industry events of this type, one at Maine Yankee in January of 1983, and one at Indian Point 2 in November of 1973. The prior frequency is calculated to be 2.43E-03/ry. Updating with the McGuire/Catawba experience of 0 occurrences and the plant specific capacity factor, the initiating event frequency is estimated to be 2.09E-03/yr.

T7. Feedwater Line Break Outside Containment

A review of industry operating experience has produced one event of this type (Surry 2 in December of 1986). Updating with the McGuire/Catawba experience of 0 occurrences and the plant specific capacity factor, the initiating event frequency is estimated to be 1.06E-03/yr.

T8. Steamline Break Outside Containment

A review of industry operating experience has produced two occurrences of this type - a 1984 extraction steam line break at Calvert Cliffs and an August 1992 event at North Anna. Updating with the McGuire/Catawba experience of 0 occurrences and the plant specific capacity factor, the initiating event frequency is estimated to be 2.09E-03/yr.

T9. Loss of Nuclear Service Water

The frequency of this initiating event was derived directly from the fault tree with an estimated frequency of 3.00E-04/yr.

T10. Loss of Component Cooling Water

The frequency of this initiating event was derived directly from the fault tree with an estimated frequency of 6.40E-04/yr.

T11. Loss of Operating 4160 V ac Essential Bus

The failure of bus 1 ETA during power operation would result in a failure to supply power to several normally operating loads. The frequency for this event is derived from a fault tree solution and is estimated at 3.78E-03/yr.

T12. Loss of Instrument Air

The frequency of this initiating event was derived directly from the fault tree with an estimated frequency of 2.0E-01/yr.

T13. Inadvertent Safeguards Actuation

This initiating event is an inadvertent safety injection actuation. McGuire and Catawba have experienced 3 of these events. The resulting frequency is 8.11E-02/yr.

T14. Loss of Vital I&C Bus

A loss of one of the two vital buses (1EDA or 1EDD) by itself would not cause a transient. (It would render the control power to the associated train of equipment unavailable.) Therefore, loss of a vital I&C bus is not considered to be an initiator.

LL. Large Break LOCA Frequency

No LOCAs have occurred in the industry that would be classified in the large or medium size categories. The chi-squared variate at the 50% cumulative probability level with one degree of freedom is used to calculate an estimated frequency for LOCAs that are "not small". With zero occurrences in 824.1 reactor-years an estimated mean frequency of 2.76E-4 per reactor-year is calculated for LOCAs larger than a small LOCA. This frequency is assumed to be partitioned between the large and medium LOCAs in a 50/50 split. Assuming a capacity factor of 0.9 the resulting large LOCA frequency is estimated to be 1.2E-04 per year.

ML. Medium Break LOCA Frequency

The calculation is the same as for the large LOCA. The initiating event frequency is estimated to be 1.2E-04 per year.

SL. Small Break LOCA Frequency

The frequency is based on three events in the industry: one at Zion in 1975, one at H. B. Robinson 2 in 1975 (an RCP seal failure) and one at Arkansas Nuclear One in 1980 (an RCP seal failure). Updating with the McGuire/Catawba experience of 0 occurrences and the plant specific capacity factor, the initiating event frequency is estimated to be 3.07E-3/yr.

Y. Steam Generator Tube Rupture

Eight significant tube ruptures have been found in a review of industry operating experience: March 1993 at Palo Verde 2, March 1989 at McGuire, July 1987 at North Anna, May 1984 at Fort Calhoun, and January 1982 at Ginna, October 1979 at Prairie Island, September 1976 at Surry 2, February 1975 at Point Beach. Updating with the McGuire/Catawba experience of 1 occurrence and the plant specific capacity factor, the initiating event frequency is estimated to be 1.16E-2/yr.

ISLOCA. Interfacing-Systems LOCA

The ISLOCA frequency is determined by fault tree solution. The initiator frequency and core damage frequency are one and the same. The initiator frequency for the ISLOCA is 2.5E-07/yr.

RPV. Reactor Pressure Vessel Rupture

Reactor pressure vessel rupture, beyond the capacity of the ECC Systems, was investigated as a potential initiator. Reference 3.14 recognizes the potential for rupture and estimates its median frequency at 1E-7 per vessel-year, with an error factor of 10 and a lognormal distribution. Reference 3.5 used this information, and information from other sources, to estimate the mean frequency of failure at 1.1E-6, with a lognormal distribution. Based on these references, the mean frequency for this initiator is estimated at 1E-6, with an error factor of 10. This number is used as a scoping value and is intended to include random failure as well as pressurized thermal shock considerations.
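The count-based and zero-occurrence frequencies quoted above can be reproduced with a few lines of arithmetic. The following is an added example, not part of the Duke report: the function names are hypothetical, and applying the 0.90 capacity factor to the T1, T2, T4 and T13 counts is an inference from the stated results rather than a step the text spells out.

```python
from statistics import NormalDist

# Values stated in Section 3.1.2 of the report.
CAPACITY_FACTOR = 0.90       # Catawba-specific capacity factor
MCGUIRE_CATAWBA_RY = 33.3    # combined reactor-years (18.5 McGuire + 14.8 Catawba)
PWR_INDUSTRY_RY = 824.1      # U.S. PWR reactor-years in the data window


def chi2_quantile_1dof(p):
    """Quantile of the chi-squared distribution with one degree of freedom.

    A chi-squared variate with 1 dof is the square of a standard normal Z,
    so P(Z**2 <= x) = p is equivalent to sqrt(x) = Phi^-1((1 + p) / 2).
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    z = NormalDist().inv_cdf((1.0 + p) / 2.0)
    return z * z


def zero_event_rate(exposure_ry, p=0.5):
    """Rate estimate for an initiator never observed: chi2_p(1 dof) / (2 T)."""
    if exposure_ry <= 0:
        raise ValueError("exposure must be positive")
    return chi2_quantile_1dof(p) / (2.0 * exposure_ry)


def per_calendar_year(rate_per_ry, capacity_factor=CAPACITY_FACTOR):
    """Convert a per-reactor-year rate to a per-calendar-year frequency."""
    return rate_per_ry * capacity_factor


def empirical_frequency(events, exposure_ry, capacity_factor=CAPACITY_FACTOR):
    """Point estimate for an initiator with at least one observed event."""
    if events <= 0:
        raise ValueError("use zero_event_rate for initiators with no occurrences")
    return per_calendar_year(events / exposure_ry, capacity_factor)


def loca_frequencies():
    """Large/medium LOCA frequencies from zero events in the PWR experience."""
    not_small = zero_event_rate(PWR_INDUSTRY_RY)      # per reactor-year
    each = per_calendar_year(0.5 * not_small)         # 50/50 large/medium split
    return {"not_small_per_ry": not_small, "large": each, "medium": each}


def transient_frequencies():
    """T1, T2, T4 and T13 from the McGuire/Catawba event counts in the text."""
    counts = {"T1": 69, "T2": 17, "T4": 18, "T13": 3}
    return {name: empirical_frequency(n, MCGUIRE_CATAWBA_RY)
            for name, n in counts.items()}


if __name__ == "__main__":
    for name, value in {**loca_frequencies(), **transient_frequencies()}.items():
        print(f"{name:>16}: {value:.3e}")
```

The Bayesian-updated initiators (T3, T6, T7, T8, SL and SGTR) are not reproduced here because the text does not give the prior distributions used.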

3.1.3 Common Cause Development

A common cause failure event is an event resulting in multiple failures of a specified set of components due to a shared cause. Shared features include: same manufacturer, same design, same maintenance procedures, same operating practices, same environmental conditions, etc. Common cause failure events are important, since they have the potential to effectively defeat the single failure criterion that underpins the design of nuclear power plants.

Common cause events identified during the development of system models are quantified based on methods and procedures provided in NUREG/CR-4780 (Ref. 3.19) and related documents. Because of the rarity of common cause events, industry generic information is used to quantify most common cause basic events modeled in the system fault trees. However, in the case of the Catawba RN pump discharge valves, a plant specific analysis is performed to estimate common cause parameters using industry and Catawba specific common cause event data.

The common cause basic event probabilities are calculated by multiplying the component "independent" failure probabilities by a common cause multiplier. The common cause multipliers were derived using the Multiple Greek Letter method using generic parameter values from industry sources and the Catawba specific RN pump discharge valve parameters.

3.1.4 Human Reliability Analysis

Introduction

The scope of the Catawba PRA HRA update is to validate the results of the previous Catawba PRA HRA and to provide quantification of any new human reliability events modeled as a result of the update. The validation process involved reexamination of the original Catawba human error events with a combination of different modeling techniques. Applicable procedures are reviewed and, when necessary, station training personnel have been contacted. In most cases, the human reliability event values used in the original version of the Catawba PRA/IPE were found to be reasonable. However, some actions were re-quantified with either higher or lower values based on new information or modeling considerations of newer HRA techniques.

Methodology

Several types of human reliability events are modeled. The main division of these events is between pre-initiator events and post-initiator events. Post-initiator events are further divided on the basis of whether or not they are proceduralized. For this study, these events are designated by the last three letters of the basic event name as follows:

  • LHE  This designates a pre-initiator human error.
  • DHE  This designates a proceduralized post-initiator human error.
  • RHE  This designates a non-proceduralized post-initiator human error, or a failure to recover that is based on historical data (e.g., offsite power recovery).

Pre-Initiator Event Quantification

A model for pre-initiator events was developed for the Keowee PRA at Duke. This model is based on numbers from the THERP manual (Reference 3.15).

Quantification of a pre-initiator event based on this model is based on such factors as independent verification, functional testing, tag-out steps and checks during shift turnover and rounds.

Four classifications were identified in the Keowee analysis for the pre-initiator human reliability events. These are:

Error Classification                                          Error Probability

1. Post maintenance errors for components which are          3.2E-3
   independently verified, but are neither functionally
   tested nor checked during the daily rounds.

2. Post maintenance errors for components which are not      3.2E-4
   functionally tested but are checked on the daily rounds.

3. Post maintenance errors for components which are          2.6E-4
   functionally tested.

4. Post maintenance errors for components which are          5.2E-5
   functionally tested and which have red tags (or keys)
   associated with their maintenance.

In the previous Catawba PRA, most of the pre-initiator events were assigned a value of 3.0E-3 based on a factored version of the THERP model. This value roughly corresponds to Keowee PRA case one (above). It is deemed to be a reasonable screening value for most Catawba pre-initiator events. Some Catawba PRA pre-initiator human reliability events were especially important to the analysis. These were evaluated using the HRA model presented in the Keowee PRA report.

Post-Initiator Human Reliability Events

The purpose of the post-initiator human reliability analysis for the Catawba PRA is to verify the results of the previous PRA revision and to provide quantification of any new post-initiator events for this revision. If the values used in the post-initiator human reliability analysis of the previous revision of the PRA are verified to be reasonable, they are retained.

The verification of human reliability event quantification is based on human error modeling techniques, plant data, or judgment. A procedure review is performed for each event to determine where in the procedures each action is required.

The choice of method for verification of values assigned to proceduralized events depended on whether the human reliability event in question could be characterized as "time critical." Judgment (and a previous estimate of timing considerations) is used to determine which actions can be considered to be time critical. For these actions, timing estimates are verified, and quantifications are verified using a time reliability model (Reference 3.16). For proceduralized actions which are not considered to be time critical, quantification is verified using a cause based decision tree model (Reference 3.17). In this model, particular features of procedures are used to arrive at human error probabilities.

The "action phase" of each event is also considered as a factor in verification and quantification. All events with steps performed outside of the control room have an assessment of the action phase.

A three tiered approach is utilized for action phase modeling in the Catawba PRA. A value of 3.0E-3 is added to the human error probability for actions which are judged to be simple operations of one clearly labeled component. A value of 1.0E-2 is added to simple actions where several components are operated. A value of 5.0E-2 is added for more complex actions. These values are based on judgment and past experience and are high compared to values listed in the THERP manual for errors associated with manual valves (see Reference 3.15 Table 14-1). Higher values are assigned if appropriate.

Most of the non-proceduralized actions included in the Catawba PRA are quantified based on data from simulator exercises of applicable sequences. The quantification of these events is updated using newer data. Quantification of remaining non-proceduralized actions is verified by comparing these to other HRA quantified actions.

3.1.5 Plant Specific Experience

As mentioned in Section 3.1.1, plant equipment failures, demand or run hour experience, and maintenance unavailabilities have been reviewed for the period from 1/91 through 6/95. Plant-specific failure rates are determined and then combined with generic industry data using a Bayesian update. These Bayesian updated failure rates are used in the Catawba PRA models.

Table 3.1.5-1 provides a compilation of the plant specific and Bayesian updated failure rates.

3.2 Internal Event Model Development

3.2.1 Systems Analysis Overview

This section is intended to provide an overview of the major plant systems. Appendix A provides summary descriptions of the PRA results for each system.

Reactor and Reactor Coolant System

Catawba Unit 1 has a four loop Westinghouse nuclear steam supply system, shown in Figure 3.2.1-1.

The nuclear steam supply system has four loops connected to the reactor vessel. Each loop consists of a reactor coolant pump, cold leg, hot leg, and an inverted U-tube steam generator.

During operation, the RCS pressure is controlled by electric heaters in the pressurizer and pressurizer sprays. The pressurizer also provides a surge volume to accommodate fluctuations in reactor coolant volume. In addition, the pressurizer is equipped with 3 power operated relief valves (PORVs) that open at 2335 psig and three safety relief valves set to open at 2500 psig, that protect the RCS against overpressure. The PORVs can also be operated manually from the control room to reduce RCS pressure or to provide a path for decay heat removal under some conditions.

Protection and Control Systems

The Reactor Protection System monitors parameters associated with normal operation and initiates a gravity insertion of the control rods when a transient condition causes one or more of the parameter setpoints to be exceeded. The Engineered Safety Features Actuation System (ESFAS) activates the emergency core cooling systems and the containment safety features designed to mitigate accident conditions.

Emergency Core Cooling Systems

The Emergency Core Cooling Systems consist of the Chemical and Volume Control (NV) System, the Safety Injection (NI) System (which includes the cold leg accumulators), and the Residual Heat Removal (ND) System. These systems keep the core subcritical and cooled under a variety of conditions.

The NV system consists of two high head centrifugal pumps that provide injection flow in the event of various small or intermediate LOCAs. It is automatically actuated by a Safety Injection (SI) signal from the ESFAS on low pressure in the RCS or high pressure in the containment, drawing suction from the refueling water storage tank (FWST). Following depletion of the FWST, the NV pumps can be aligned to the discharge of the ND pumps during sump recirculation. This swap is accomplished manually. One of the NV pumps also operates continuously to provide normal charging flow to the RCS and seal injection flow to the seals of the reactor coolant pumps. The NV system permits continuous letdown of a portion of the reactor coolant for purification and the control of boric acid concentration. The NV system can also be manually actuated to provide core heat removal when the subcooling margin in the RCS is inadequate (e.g., after a total loss of steam generator feedwater).

The NI system consists of two trains of intermediate head pumps that provide injection flow in the event of various intermediate LOCAs. These pumps are actuated on an SI signal and draw suction from the FWST. Following depletion of the FWST, the NI pumps can be aligned to the discharge of the ND pumps during sump recirculation. This swap is accomplished manually.

There are four cold leg accumulators that provide a passive means of injection. The Cold Leg Accumulators perform no normal function; they are designed to reflood the reactor core after the initial blowdown phase of a LOCA. Their primary purpose is to limit peak cladding temperatures to within licensing criteria for design basis accidents.

The ND system consists of two trains. It injects FWST water into cold legs at low pressures and high flow rates to maintain core heat removal for large break LOCAs. When the FWST inventory is depleted, the ND system draws suction from the containment sump; the switchover to this recirculation mode of cooling is accomplished automatically with manual swap as a backup. Each ND train is equipped with a heat exchanger for the long term removal of decay heat. The ND system also provides shutdown decay heat cooling, taking suction from an RCS hot leg.

Containment Safety Features

The containment safety features include the Containment Spray (NS) System, the Containment Air Return and Hydrogen Skimmer (VX) System, the Hydrogen Mitigation System (EHM), the Containment Isolation System (CIS), and the ice condenser, part of the NF system. Together they maintain the integrity of the containment building under accident conditions.

The NS system consists of two pumps in parallel trains that draw suction from the FWST and spray water into the upper containment atmosphere upon actuation on a high-high reactor building pressure signal. In addition to condensing the steam in the containment resulting from a LOCA, the sprays scrub radionuclides from the containment atmosphere.

The VX system consists of two air return fans and two hydrogen skimmer fans with their associated dampers and valves. These fans are started on the high-high containment pressure signal. The hydrogen skimmer fans provide a means to control the hydrogen concentration in certain dead ended containment compartments for the design basis LOCA. They perform no essential function to mitigate a core damage accident and are not included in the PRA. The Containment Air Return Fans provide a means to circulate the containment atmosphere from the upper to lower containment to provide forced flow through the ice condenser.

The EHM system includes 70 glow plug igniters divided into 2 redundant trains. These igniters are located throughout the containment and provide the means to burn any accumulated hydrogen at low concentration, approximately 5% by volume. The hydrogen is thereby prevented from accumulating to concentrations that may result in a containment challenge if ignited. The pressure rise resulting from combustion at low concentrations does not challenge the containment integrity. This system is manually initiated.

The CIS isolates all penetrations connecting the containment to the outside environment and any fluid penetrations that do not provide a safety function under accident conditions.

Steam and Power Conversion Systems

The power conversion system consists of the Main Steam (SM) System, the Condensate (CM) System, and the Main Feedwater (CF) System. Together these systems provide the means to remove energy from the reactor coolant system and deliver that energy to the turbine-generator for power generation or deliver it to the condenser or the atmosphere for decay heat removal. Additionally, the Auxiliary Feedwater (CA) System provides a backup source of feedwater to the steam generators should main feedwater be lost.

For the PRA, the primary functions of the SM System are to:

  • deliver steam to the main and auxiliary feedwater pump turbines,
  • provide a means for steam relief to the condenser or the atmosphere,
  • provide for containment isolation, and
  • provide steam generator over pressure protection.

The primary function of the CM and CF Systems, from the PRA perspective, is to provide a source of feedwater to the generators to remove decay heat following certain transients.

Support Systems

The systems described above rely to varying degrees on other systems to provide electricity or compressed air for motive and control power and to provide component cooling.

The Nuclear Service Water (RN) System is a once through system that is shared by both Catawba units. The system has four low-pressure high-capacity pumps, two per train. It provides the heat sink for the Component Cooling (KC) System, and NS heat exchangers as well as the Diesel Generator cooling heat exchanger. The RN System also provides an assured source of auxiliary feedwater when it is aligned to the suction of the CA pumps.

The Component Cooling (KC) System is a closed loop system, with heat rejected to the RN system through one heat exchanger per train. The system has four pumps, two per train. It cools the seals of the reactor coolant pumps (in conjunction with the NV system), and the ND heat exchanger. In addition, the KC system provides motor and/or bearing cooling for the NV and NI pumps and seal cooling to the ND pumps.

During power operation, auxiliary power for the plant electrical loads is provided from the unit turbine generator through auxiliary transformers 1T1A and 1T2A for train A and 1T1B and 1T2B for train B (EPA System) to four independent 6.9 kV ac switchgear assemblies (EPB System). Two of these supply power to the essential 4.16 kV ac switchgear assemblies ETA and ETB which are part of the EPC System. All essential plant loads are powered from the switchgear and their associated motor control centers and panelboards. In case of a loss of offsite power, ETA and ETB each receive emergency power from an associated diesel generator.

Instrumentation and control power are provided by the AC and DC Vital Instrumentation and Control Power Systems, EPO and EPL. The EPL System provides 125 V dc to station loads including the dc/ac inverters for the EPO System. The EPL system consists of four dc distribution centers.

The Instrument Air (VI) System provides clean dry compressed air for both of the Catawba units. Three centrifugal and three reciprocating compressors provide air at 100 psig to the units. The essential header of the VI System supplies air to the primary and secondary power operated relief valves (PORVs) and the main steam isolation valves. Other plant loads are supplied through the non essential header.

Standby Shutdown Facility

Alternative shutdown cooling means are available from the Standby Shutdown Facility (SSF). The SSF has an independent diesel generator and is capable of supplying steam generator cooling water via the CA turbine driven pump and reactor coolant and makeup for both units. The suction source for seal injection and RCS makeup is taken from the spent fuel pool. The SSF is designed primarily for use in security events. The SSF is manually initiated and operated.

3.2.2 Accident Sequence Development

The objective of this task is to provide a comprehensive development of core damage sequences by considering the accident initiators and the subsequent failure of the necessary core cooling functions. By definition, an initiating event is the beginning point of a sequence. A comprehensive list of accident initiating events is required to ensure that all important sequences are examined, as discussed in Section 3.1.2. The internal initiating events are divided into five broad classes. These are:

  • Loss of Coolant Accident (LOCA) - An uncontrolled breach in the primary system integrity which results in a loss of primary coolant to the containment.
  • Transients - An event which either by equipment failure or human action disrupts power operation sufficiently to trip the reactor and require a mitigating action to maintain vital plant parameters, e.g., loss of offsite power, loss of main feedwater, steamline break.
  • Steam Generator Tube Rupture (SGTR) - A primary leak in the steam generator which is beyond the capacity of the charging pumps.
  • Interfacing Systems LOCA - A failure outside of containment of a system connected to the primary system causing a loss of coolant accident that bypasses the containment.
  • Internal Floods - Failures of plant piping that result in loss of required equipment/systems as a result of submergence of plant equipment.

These events, when combined with mitigating system failures, have the potential to lead to core damage. The purpose of the mitigating systems is to maintain certain safety functions such as decay heat removal, RCS inventory, and subcriticality. To evaluate the many possible plant response scenarios, event tree methodology is used.

Event trees describe the possible end states that will result from the combinations of mitigating system failures and successes. Event trees identify those functions that are required to mitigate the initiating event. Failures of one or more of these functions can lead to a core damage accident. Each function is supported by one or more plant systems that operate to provide the function. The fault trees for these systems are combined to calculate the failure probability for the function.

Loss of Coolant Accidents (LOCAs)

A Loss of Coolant Accident (LOCA) is a breach of Reactor Coolant System integrity. Because of the immediate demands placed on the Emergency Core Cooling Systems (ECCS) when a LOCA occurs, LOCA initiating events are treated separately from other initiating events in the Catawba PRA. The LOCA event trees discussed in this section represent LOCA initiated events. The event trees for the Loss of Coolant Accidents are given in Figures 3.2.2-1 through 3.2.2-3. LOCAs are divided into three classifications based on the systems that are required to function to prevent core damage.

Small LOCAs

Small LOCAs range in size from 3/8 inch to 2.0 inches in diameter. Small LOCAs are characterized by breaks causing primary system losses that:

  • exceed the capacity of normal makeup flow, and
  • provide insufficient decay heat removal to depressurize the Reactor Coolant System if secondary side heat removal (SSHR) is unavailable.

Reactor Coolant System leakage from a 3/8 inch break corresponds to the normal makeup capacity of one centrifugal charging pump.

For breaks less than 2.0 inches in diameter, the Reactor Coolant System will not depressurize if SSHR is unavailable. Instead, Reactor Coolant System pressure increases until the PORV and safety relief valve (SRV) setpoints are reached.

If SSHR is not available, two pressurizer PORVs must be opened in order to reduce RCS pressure so the NV or NI pumps can provide adequate injection flow.

Large and Medium LOCAs

Large and medium LOCA events are similar in that the breaks are large enough to remove sufficient decay heat without the use of SSHR. The large break LOCA (at least 5 inches in diameter) depressurizes the Reactor Coolant System below the ND System shutoff head pressure; and, therefore, the ND System is used for injection. The medium LOCA (between 2 and 5 inches in diameter), however, does not depressurize to the ND operating conditions, and the NV or NI Systems are required for injection.

Two of four cold leg accumulators are found to be necessary to prevent core damage in the event of the worst postulated (design basis) break. Since one accumulator is assumed to discharge out the break, three of the four accumulators must function in order to assure that two deliver water to the vessel. One train of the ND System is also required to provide coolant makeup and remove decay heat. Determination of the upper break size for the medium LOCAs yielded a medium to large LOCA break division of 5 inches (break diameter).

For a 5 inch cold leg break, one of the four NV and NI pumps is sufficient to prevent core melt.

The injection success criteria for the LOCAs are summarized as follows:

  • Small LOCA - one NV or NI pump with SSHR, or one NV or NI pump and two of three pressurizer PORVs without SSHR.
  • Medium LOCA - one NV or NI pump, and
  • Large LOCA - one ND pump and three of four cold leg accumulators.

Transients

By definition, each transient initiating event requires either an automatic or manual reactor trip. Those transients which do not result in a successful reactor trip, anticipated transients without scram (ATWS), are also discussed in this section. The reactor trip places demands on the systems required to maintain core cooling. The transient event tree, Figure 3.2.2-4, is based on the requirements of the functions needed to respond to a plant trip and represents the potential outcomes of success or failure of these functions. These outcomes determine whether or not the core melts.

A transient can lead to core melt by either a loss of adequate decay heat removal or a loss of primary coolant that is not mitigated.

Plant Transient Response

The plant trip initiating event (T1) represents the events which lead to a reactor trip but do not have any important, unique features that impact plant systems availability or that inherently challenge primary integrity. The event begins by generating a reactor trip followed by a turbine trip. The trip of the reactor drops reactor power to the decay heat level. Typically, main feedwater trips following a reactor trip and is restored to service. If main feedwater is not restored, auxiliary feedwater is used to supply the steam generators. Thus, following a plant trip, the plant stabilizes at hot standby conditions using the steam generators to provide decay heat removal.

Some initiating events have unique effects on the plant and can affect system availability. These effects will be discussed below. Any aspect of the transient not discussed below is assumed to behave as a normal reactor trip.

The loss of load initiator (T2) is defined as a sudden reduction in steam demand such as a turbine trip or runback that for some reason does not lead directly to a reactor trip.

The loss of offsite power initiator (T3) is defined as a total loss of offsite power to the unit. Since power is lost to all 6.9 kV loads, the reactor coolant pumps begin to coast down and main feedwater is lost. The reduction in Reactor Coolant System flow lowers the primary to secondary heat transfer rate. The heat not transferred to the steam generators is absorbed in the primary coolant causing primary temperature and pressure to rise. Maintaining decay heat removal via the steam generators and RCP seal integrity with seal cooling are priorities for preventing a possible progression to core damage.

The loss of main feedwater initiator (T4) is defined as a total loss of main feedwater flow. The loss of feedwater flow causes the steam generator level to drop and both the primary and secondary pressures and temperatures to rise. The rise in Reactor Coolant System pressure generates a pressure peak which may challenge the primary relief valves. A LOCA will occur if one of the primary relief valves fails to reseat. A failure to trip the reactor results in an ATWS event.

An independent excessive main feedwater (T5) initiator frequency and analysis has not been generated, as explained in Section 3.1.2.

The secondary line break inside containment initiator (T6) is a rupture of the main steam or main feedwater line within the containment structure. The rupture of the secondary line will cause a rapid cooling of the Reactor Coolant System and initiation of safety injection. The rise in containment pressure will result in the actuation of containment sprays and the containment air return fans. For this analysis it is assumed that the ruptured steam generator is not available for heat removal since continued feeding would aggravate the overcooling.

The main feedwater line break outside containment initiator (T7) is a rupture of the main feedwater line. Because there is no rise in containment pressure, the containment safeguards systems do not actuate. For this analysis it is assumed that the ruptured steam generator is not available for heat removal.

The steam line break outside containment initiator (T8) is a rupture of the main steam line outside of the containment structure. The rupture of the steam line will cause a rapid cooling of the Reactor Coolant System and initiation of safety injection. Because there is no rise in containment pressure, the containment safeguards systems do not actuate. For this analysis it is assumed that the ruptured steam generator is not available for heat removal since continued feeding would aggravate the overcooling.

The loss of nuclear service water (RN) initiator (T9) is defined as a failure of the operating train of RN and a failure of all standby pumps to function. The Catawba RN system is shared between the two units. Each unit has an A train and B train pump each of which can supply both units. Upon failure of the RN System, the reactor coolant pump motor coolers will lose cooling. The loss of cooling to the RCP motors requires that the reactor and the RCPs be tripped. Failure of the RN System will cause a loss of cooling to all of the essential loads. The Standby Shutdown Facility is used to provide reactor coolant pump seal injection and to feed the steam generators via the turbine driven CA pump.

The loss of component cooling water initiator (T10) is a loss of the operating train of the KC system and failure of the standby pumps. The KC system cools the reactor coolant pump thermal barriers and, therefore, its loss is expected to result in a reactor trip within a few minutes. The loss of KC results in failure of the cooling to all of the essential pumps and the ND heat exchanger.

The loss of the operating 4160 V ac essential bus initiator (T11) fails Switchgear 1ETA. It is assumed that all of the normally operating systems, e.g. NV, KC, and RN, lose the operating train and that the standby train is demanded. The failure of this bus eliminates much of the safety system redundancy by failing power to one train of essential equipment.

The loss of instrument air initiator (T12) is the failure of the VI System. The loss of VI causes a loss of main feedwater and trips the reactor.

The inadvertent safety injection initiator (T13) is an inadvertent initiation of the ECCS Systems. The Reactor Coolant System inventory increases due to the addition of water by the ECCS pumps. The insurge of water causes Reactor Coolant System pressure to increase and may lead to the challenge of the primary relief valves. If safety injection is not terminated before a relief valve is lifted, a LOCA may result if the relief valve does not reseat, and in the case of the PORV, the block valve is not closed by manual action.

The loss of vital instrumentation and control power bus (T14) initiator frequency and analysis has not been generated, as explained in Section 3.1.2.

Anticipated Transients Without Scram (ATWS) events result when the reactor protection system fails to bring the reactor subcritical when a reactor trip is needed. Of particular concern is a primary system pressure spike which, under the worst conditions, may exceed the capacity of the reactor coolant system's weakest components. The transient effects are generally determined by the heat transfer to the steam generators, the core power response, and the capacity of the relief valves.

The loss of main feedwater initiating event is the limiting case transient for determining the ATWS core damage potential. The potential for the ATWS event to lead to core damage is greatly influenced by the existence of an unfavorable moderator temperature coefficient. The moderator temperature coefficient is conservatively assumed to be more positive than a value shown by analysis to be acceptable 50% of the time.


Steam Generator Tube Ruptures (SGTRs)

The tube ruptures considered in the PRA are those with flow rates in excess of 100 gpm. Flow rates smaller than this magnitude are compensated for by normal makeup and plant shutdown is a controlled evolution. The SGTR event tree, Figure 3.2.24, is based on the requirements of the functions needed to respond to an SGTR and represents the potential outcomes of success or failure of these functions. These outcomes determine whether or not the core melts. An SGTR can lead to core melt by either a loss of adequate decay heat removal or a loss of primary coolant that is not mitigated.

Interfacing Systems LOCA (ISLOCA)

The term "interfacing-systems LOCA" refers to a class of loss of coolant accidents that are postulated to occur when the valves or other pressure boundary components that isolate lower pressure piping from the Reactor Coolant System (RCS) pressure boundary fail, thus exposing the lower pressure piping to the full RCS pressure. Pipe rupture is postulated to occur when the hoop stresses exceed the ultimate tensile strength of the pipe material. If the failure occurs outside the containment, the lost reactor coolant is not returned to the Reactor Building emergency sump for recirculation, and no suction source would be available for the injection pumps upon depletion of the refueling water storage tank, thus leading to core melt. In addition, a release path to the atmosphere is established, making this event a potentially important contributor to risk.

No event tree is constructed for the ISLOCA initiator. All ISLOCAs are assumed to result in a core damage accident. This assumption is made because recirculation is going to fail and it is assumed that an adequate continued source of injection cannot be made available.

The ISLOCA analysis determined that the following pathways are significant contributors to the interfacing systems LOCA frequency:

  • ND1B, ND2A, ND36D, and ND37A (ND pump suction from the hot legs) = 1.4E-07
  • NI173A, NI178B (ND pump discharge to the cold legs) = 1.1E-07

Reactor Pressure Vessel Rupture (RPV)

Like the ISLOCA, the RPV event is assumed to result in core damage. It is assumed that the emergency core cooling systems are ineffective if the RV is not intact.

Flooding (Internal)

The flooding analysis consisted of: 1) identification of critical areas, 2) calculation of flood rates, 3) development of flood probabilities, 4) identification of critical flood levels, 5) assessment of human response, and 6) inclusion of the flood initiator events into the appropriate system and logic models. The Turbine Building (TB) is identified as the most critical area. Floods in the Turbine Building can cause a loss of offsite power due to partial submergence of transformers in the basement of the TB. Instrument Air is also lost as a consequence of the flooding. The Auxiliary Feedwater (CA) pump room is another important area of concern. Floods in this room have the potential to submerge the CA pumps as well as the Auxiliary Shutdown Panel (ASP). Flooding of the ASP can result in loss of some systems controlled from the panel.

3.3 External Event Model Development

This section provides an overview of the external events analysis. Appendix B provides a summary for each of the three major external events.

The original Catawba PRA report and its subsequent updates performed an evaluation of external events, with three events identified for a detailed review:

  • Seismic Events
  • Fires
  • Tornadoes

A variety of methodologies are employed to derive the overall frequencies for these events.

3.3.1 Seismic Analysis Overview

The seismic analysis for Catawba involves a fairly complex process. The first step in the analysis is to obtain a site specific seismic hazard curve. This curve represents the likelihood of ground motions of varying magnitudes. Fragility curves are then developed for key plant structures and components. These fragility curves are used to determine the conditional probability of failure as a function of ground acceleration. A seismic event tree is then developed, along with supporting top logic and system fault trees. The event tree is used to develop the event sequences. The final step involves combining the fragility curves with the event sequences of interest, and convoluting this failure probability with the site seismicity using the SEISM computer code.

The cut set results from SEISM are assigned plant damage states and the total frequency of cut sets contributing to a plant damage state is determined. This frequency is then assigned to a dummy event "Seismic event results in plant damage state X" and the event with a seismic initiator flag is added to the cut sets from the integrated fault tree solution.

3.3.2 Fire Overview

Consideration of common cause failure due to fires is an important aspect of overall plant risk. A fire can initiate a transient by damaging a component necessary for normal plant operation, and, at the same time, damage components necessary to safe shutdown functions. The fire analysis generally shows how well a plant design separates the components of redundant safe shutdown functions for protection against postulated fires.

The fire analysis consists of four steps. These are: (1) identification of critical zones, (2) development of the initiating event frequency for each critical zone, (3) evaluation of detection and suppression capabilities in the critical zones, and (4) introduction of the fire initiating events into the system fault tree models and transient top logic so that the failures represented by each initiator are captured.

3.3.3 Tornado Overview

The primary consequence of a tornado strike at the Catawba site is a loss of offsite power. In addition, stronger tornadoes have the potential to cause damage to the SSF and the Diesel Generator rooms as a result of missiles generated by the tornado. The analysis for the tornado sequences is very much like the analysis for the LOOP initiator except that the potential for consequential damage of the D/Gs and the SSF is considered and offsite power is assumed non-recoverable.

3.4 Integrated Plant Model

As described in the previous sections, the Level 1 PRA consists of many individual system models and models that represent external events. However, in order to compute the core damage frequency, all the models must be combined together to represent the overall plant. This is referred to as the "Integrated Plant Model".

For the Catawba PRA, Rev 2, the integrated plant model is built from the following individual models:

| System Models | Event Models |
|---|---|
| ac Power | ISLOCA |
| Instrument Air | SGTR |
| Component Cooling Water | LOCA |
| Nuclear Service Water | ATWS |
| dc Power | Transients |
| Auxiliary Feedwater | RPV Rupture |
| ESFAS | |
| Chemical and Volume Control | |
| Safety Injection | |
| Residual Heat Removal | |
| Reactor Protection | |
| SSF | |
| Reactor Coolant | |

In addition, the following models are developed in order to assess the containment safeguards availability; however, these models have no direct impact on CDF and are not included in the integrated tree.

  • Containment Spray
  • Containment Air Return
  • Hydrogen Mitigation

The seismic model is not included in the integrated plant model due to the special nature of the seismic analysis (see Section 3.3.1). Section 3.5 describes the details of how the integrated model is built.

The integrated plant model can then be used to generate a single set of cut sets that represent the core damage frequency minus the seismic contribution. This makes it very efficient for modelers to perform sensitivity studies without having to deal with all the individual models.

Although the integrated model represents the plant as a whole, by using the CAFTA software (see Section 3.5) the modeler can also specify to generate a set of cut sets for any intermediate gate within the model. This would allow the modeler to perform sensitivity studies on a section of the integrated tree (for example, solve for only the ND cut sets) without needing to go to the individual system models. The difference in solving the integrated plant model at an intermediate gate, say ND, and using the ND system model is that the integrated model has all the connections to the support systems. The cut sets, therefore, will include failures of these support systems at the component level. In contrast, if the modeler uses the ND system model, support systems are generally represented as transfer gates and only the transfer gate appears in the cut sets.

A single integrated plant model is also needed for use in PSA applications that are developed. Such an application may require a "resolve" of the PRA to generate a new CDF. Having a single integrated plant model makes this process very simple for these applications. It should be noted, however, that the process of generating a CDF value is more than just generating a new set of cut sets. Any application that is developed to use the integrated plant model must account for the effect on the seismic calculation and the possibility that new cut sets are generated that need to be reviewed for validity and recovery potential.

3.5 Methodology

Software

The Core Damage Frequency (CDF) is calculated using the CAFTA software. All the individual models are built using the CAFTA Fault Tree Editor. All the fault trees reference one database for the failure data. This database is maintained using the CAFTA Database Editor. Cut sets are generated using the CAFTA CQUANT computer code. The CAFTA Cut Set Editor is used to view the cut sets and obtain the importance measures. Recoveries, not included in the fault trees, are added to the cut sets using the CAFTA QRecover program. Other small utility codes and various text files are also used as necessary.

Building the Integrated Model

Since the system models are individual CAFTA fault trees, a process is developed to "merge" all the fault trees together. Top logic fault tree models are constructed to represent the accident sequences of interest, the end points of the event trees. These top logic models have transfers to the individual system models needed to represent the safety function failures necessary for the core damage sequence. After merging the fault trees, a check for unused top events, lost transfers and circular logic is performed. The resulting "plant model" is saved as the integrated fault tree for CDF calculations. All changes to the system models are done in the individual fault tree files and then the integrated model is rebuilt. This helps to maintain configuration control between the system notebooks and the integrated model.

Solving the Integrated Model

The first step in the calculation of the CDF is to solve the integrated model at the appropriate truncation level. For the Catawba PRA, the truncation level is set at 1.0E-08. In addition, the ISLOCA and SGTR gates are solved down to 1E-10 due to the low frequency of the cut sets and the risk importance of these as containment bypass sequences.

The resulting cut sets are then examined for validity. Rules are then developed for removing cut sets with, for example, double maintenance or double initiators and any other condition that would make for an invalid cut set. Then rules are developed for adding recoveries to appropriate cut sets. All of these rules (invalid and recoveries) are then used by the QRecover program to modify the integrated solve cut sets.

Containment Isolation Designation

A containment isolation failure occurs independently of the core damage sequence. After developing valid, recovered core damage cut sets, the cut sets are then examined for potential containment isolation failures (based on failures of other systems and initiators). This information is needed to properly "bin" the cut sets for the Level 2/3 work. Again, rules are developed and used by the QRecover program to apply the isolation failures to the core damage cut sets. The resulting cut sets with the isolation failure event attached are retained to a truncation limit of 1E-10 and merged with the "isolated" core damage cut sets from the integrated solve.

Integration of Seismic Results

Since the seismic CDF and cut sets are developed with the use of the SEISM computer code (see Appendix B), these cut sets are merged with the cut sets developed from the integrated non-seismic solve.

Plant Damage State Designation

The final step is to assign a Plant Damage State (PDS) designation to all the final cut sets. This step is required in order to perform the Level 2/3 work of the PRA. The PDS designation is a combination of information about the Core Melt Bin (CMB) and the status of containment safeguards and containment isolation.

The CMB is the first of the three characteristics which define the plant damage state. The CMB definition describes the status of the RCS and associated systems at the onset of core damage. Table 3.5-1 lists the CMB designations along with their definitions.

The containment safeguards state is the second of the three characteristics which define the PDS. The containment safeguards state describes the status of systems that provide some form of containment protective function. These systems include containment spray (NS), containment air return (VX), and hydrogen igniters (EHM). Table 3.5-2 lists the containment safeguards designations along with their definitions.

The third and final PDS characteristic is the status of containment isolation. Containment isolation is critical to preventing fission product release to the environment. The designations for the PDSs are:

  • isolated
  • small isolation failure
  • large isolation failure

Table 3.5-2 lists the containment isolation designations along with their definitions.

As with the recoveries, rules are developed for adding a PDS event to the cut sets by inspecting the cut sets and determining the status of containment systems. Then "recovery" rules are developed for each PDS and QRecover is used to automatically apply the PDS event to the cut sets.
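The cut set post-processing sequence described under "Solving the Integrated Model" (truncate, remove invalid cut sets by rule, add recoveries by rule, sum to a CDF), as an added Python illustration that is not CAFTA or QRecover code and not part of the original report. All event names and values are constructed except the two JDG001xTRM maintenance probabilities from Table 3.1.1-2; treating any two maintenance events as "double maintenance" and summing cut set frequencies (rare-event approximation) are assumptions.

```python
"""Added illustration, not CAFTA or QRecover code: truncate cut sets, drop
invalid ones by rule, attach recovery events by rule, then sum to a CDF."""
from math import prod

# Constructed sample data. Initiator values are frequencies per year, the rest
# are probabilities. Only the two JDG001xTRM values come from Table 3.1.1-2;
# every other name and number here is made up for the example.
EVENTS = {
    "%T3":        (5.0e-2, "initiator"),    # loss of offsite power
    "%T4":        (2.0e-1, "initiator"),    # loss of main feedwater
    "%SGTR":      (1.0e-2, "initiator"),    # steam generator tube rupture
    "DG_A_FAILS": (2.0e-2, "basic"),
    "DG_B_FAILS": (2.0e-2, "basic"),
    "CA_FAILS":   (1.0e-3, "basic"),
    "FB_FAILS":   (1.0e-2, "basic"),
    "SG_ISOL":    (1.0e-4, "basic"),
    "OP_DEPRESS": (5.0e-4, "basic"),
    "VLV_X":      (1.0e-3, "basic"),
    "VLV_Y":      (1.0e-3, "basic"),
    "JDG001ATRM": (1.0e-2, "maintenance"),
    "JDG001BTRM": (1.0e-2, "maintenance"),
    "REC_OSP":    (1.0e-1, "recovery"),     # offsite power restored in time
}

DEFAULT_TRUNCATION = 1.0e-8
LOW_TRUNCATION = 1.0e-10                    # used for ISLOCA and SGTR cut sets
LOW_LIMIT_INITIATORS = frozenset({"%ISLOCA", "%SGTR"})

# Constructed cut sets standing in for the output of the fault tree solution.
SAMPLE_CUT_SETS = [
    frozenset({"%T3", "DG_A_FAILS", "DG_B_FAILS"}),       # valid, recoverable
    frozenset({"%T3", "JDG001ATRM", "JDG001BTRM"}),       # double maintenance
    frozenset({"%T3", "%T4", "CA_FAILS"}),                # double initiator
    frozenset({"%T4", "CA_FAILS", "FB_FAILS"}),           # valid, no recovery
    frozenset({"%T4", "CA_FAILS", "VLV_X", "VLV_Y"}),     # 2E-10, below 1E-08
    frozenset({"%SGTR", "SG_ISOL", "OP_DEPRESS"}),        # 5E-10, kept at 1E-10
]


def frequency(cut_set):
    """Product of the initiator frequency and the event probabilities."""
    return prod(EVENTS[name][0] for name in cut_set)


def truncation_limit(cut_set):
    """Containment bypass initiators are kept down to the lower limit."""
    return LOW_TRUNCATION if cut_set & LOW_LIMIT_INITIATORS else DEFAULT_TRUNCATION


def truncate(cut_sets):
    return [cs for cs in cut_sets if frequency(cs) >= truncation_limit(cs)]


def count_kind(cut_set, kind):
    return sum(1 for name in cut_set if EVENTS[name][1] == kind)


# Each invalid rule is (reason, predicate). A cut set matching any rule is dropped.
INVALID_RULES = [
    ("double maintenance", lambda cs: count_kind(cs, "maintenance") > 1),
    ("double initiator", lambda cs: count_kind(cs, "initiator") > 1),
]

# Each recovery rule is (events that must all be present, recovery event to add).
RECOVERY_RULES = [
    ({"%T3", "DG_A_FAILS", "DG_B_FAILS"}, "REC_OSP"),
]


def apply_rules(cut_sets):
    """Return (kept cut sets with recoveries attached, [(removed, reason)])."""
    kept, removed = [], []
    for cs in cut_sets:
        reason = next((name for name, test in INVALID_RULES if test(cs)), None)
        if reason is not None:
            removed.append((cs, reason))
            continue
        for pattern, recovery in RECOVERY_RULES:
            if pattern <= cs:
                cs = cs | {recovery}
        kept.append(cs)
    return kept, removed


def process(cut_sets):
    """Truncate, apply the invalid and recovery rules, and sum what is left."""
    kept, removed = apply_rules(truncate(cut_sets))
    return kept, removed, sum(frequency(cs) for cs in kept)


if __name__ == "__main__":
    kept, removed, cdf = process(SAMPLE_CUT_SETS)
    for cs in sorted(kept, key=frequency, reverse=True):
        print(f"{frequency(cs):.2E}  {' * '.join(sorted(cs))}")
    for cs, reason in removed:
        print(f"removed ({reason}): {' * '.join(sorted(cs))}")
    print(f"CDF = {cdf:.4E} per year")
```
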

Table 3.1.1-1 Rev. 2 Equipment Failure Rates

| Type Code | Description | Failure Rate | Units | Source |
|---|---|---|---|---|
| ALF | Air Filter Fails | 1.80E-06 | /hr | SAROS (AFF) |
| AVC | Air Operated Valve Fails To Close | 2.20E-03 | /d | SAROS (AVC) |
| AVO | Air Operated Valve Fails To Open | 2.20E-03 | /d | SAROS (AVN) |
| AVT | Air Operated Valve Transfers Position | 2.70E-06 | /hr | SAROS (AVK) |
| BCF | Battery Charger Fails | 1.83E-05 | /hr | Bayesian Update |
| BDF | DC Power Bus Fails | 1.43E-06 | /hr | Bayesian Update |
| BHF | 4 KV Or Greater High Voltage AC Power Bus Fails | 4.65E-07 | /hr | Bayesian Update |
| BHM | 4 KV Or Greater High Voltage AC Power Bus In Maintenance | 1.00E-03 | /d | Screening Value |
| BID | Bistable Fails To Operate | 2.80E-07 | /d | IEEE 500-1984 p.628 |
| BIT | Bistable Transfers Position | 2.10E-07 | /hr | IEEE 500-1984 pg 628 |
| BLF | 600 V Or Less AC Power Bus Fails | 1.34E-05 | /hr | Bayesian Update |
| BLM | 600 V Or Less AC Power Bus In Maintenance | 1.00E-03 | /d | Screening value |
| BYF | Battery Fails | 3.20E-03 | /d | SAROS (BTD) |
| C4C | 4 KV AC Circuit Breaker Fails To Close | 1.20E-03 | /d | SAROS (CBC) |
| C4O | 4 KV AC Circuit Breaker Fails To Open | 3.00E-04 | /d | SAROS (CBN) |
| C4T | 4 KV AC Circuit Breaker Transfers Position | 1.90E-06 | /hr | SAROS (CBR) |
| CDT | DC Circuit Breaker Transfers Position | 1.90E-06 | /hr | SAROS (CBR) |
| CLC | Low Voltage Circuit Breaker Fails To Close | 1.20E-03 | /d | SAROS (CBC) |
| CLO | Low Voltage Circuit Breaker Fails To Open | 1.20E-03 | /d | SAROS (CBN) |
| CLT | Low Voltage Circuit Breaker Transfers Position | 1.90E-06 | /hr | SAROS (CBR) |
| CMM | Air Compressor Unavailable Due To Maintenance | | | |
| CMR | Air Compressor Fails To Run | 1.50E-04 | /hr | SAROS (AMF) |
| CMS | Air Compressor Fails To Start | 2.90E-02 | /d | SAROS (AMA) |
| COM | Common Cause Failure | 2.00E-05 | /hr | Bayesian Update |
| CPR | Centrifugal Charging Pump Fails To Run | | | |
| CPS | Centrifugal Charging Pump Fails To Start | 1.39E-03 | /d | Bayesian Update |
| CRR | Chiller Fails To Run | 4.90E-05 | /hr | SAROS (ACF) |
| CVC | Check Valve Fails To Close | 9.70E-04 | /d | SAROS (CVC) |
| CVO | Check Valve Fails To Open | 1.90E-04 | /d | SAROS (CVN) |
| CVR | Check Valve Ruptures | 7.60E-08 | /hr | OPRA Rev. 1 |
| CVT | Check Valve Transfers Closed | 4.50E-07 | /hr | SAROS (CVK) |
| DBO | Check Damper Fails To Open | 2.69E-04 | /d | Seabrook PSA D.7 |
| DCR | Diesel Air Compressor Fails To Run For The Required Time | 1.40E-02 | /hr | Plant-Specific |
| DCS | Diesel Air Compressor Fails To Start | 5.00E-03 | /d | Plant-Specific |
| DEX | Un-Developed Event | | | |
| DGR | Diesel Generator Fails To Run | 1.86E-03 | /hr | Bayesian Update |
| DGS | Diesel Generator Fails To Start | 7.43E-03 | /d | Bayesian Update |
| DHE | Dynamic Human Error | 1.00E-01 | /d | Screening Value Only |
| DMO | Damper Fails To Open | 3.50E-03 | /d | SAROS (MDC) |
| DMT | Damper Spurious Operation | 3.00E-07 | /hr | SAROS (MDK) |
| DPR | SSF Reactor Coolant Makeup Pump Fails To Run | 2.40E-05 | /hr | Bayesian Update |
| DPS | SSF Reactor Coolant Makeup Pump Fails To Start | 2.80E-03 | /d | Bayesian Update |
| DYC | Time Delay Relay Fails To Close | 1.90E-04 | /d | SAROS (RED) |
| DYT | Time Delay Relay Spurious Operation | 1.00E-06 | /hr | SAROS (REK) |
| EPK | Electro-Pneumatic Module Output Fails High | 1.90E-06 | /hr | IEEE 500-1984 p.722 |
| EPL | Electro-Pneumatic Module Output Fails Low | 7.90E-07 | /hr | IEEE 500-1984 p.722 |
| FLF | Filter / Strainer Fails | 1.20E-05 | /hr | SAROS (FLP) |
| FNR | Fan Fails To Run | 9.10E-06 | /hr | SAROS (MFF) |
| FNS | Fan Fails To Start | 3.50E-03 | /d | SAROS (MFA) |
| FTK | Flow Transmitter Output Fails High | 1.30E-06 | /hr | ALWR |
| FUF | Fuse Fails | 6.30E-07 | /hr | SAROS (CFR) |
| GPR | Generic Pump Fails To Run | 2.40E-05 | /hr | SAROS (MPF) |
| GPS | Generic Pump Fails To Start | 3.10E-03 | /d | SAROS (MPA) |
| HPR | Safety Injection Pump Fails To Run | 3.90E-05 | /hr | Bayesian Update |
| HPS | Safety Injection Pump Fails To Start | 6.41E-04 | /d | Bayesian Update |
| HXF | Heat Exchanger Fails | 3.40E-06 | /hr | SAROS (HXP) |
| IVF | Inverter Fails | 2.85E-05 | /hr | Bayesian Update |
| KVT | Manual Plug Valve Transfers Position | 8.00E-09 | /hr | Assumed VVT/10 |
| LHE | Latent Human Error | 1.00E-02 | /d | Screening Value Only |
| LLD | Limit Switch Fails | 5.50E-07 | /d | IEEE 500-1984 p.214 |
| LLT | Limit Switch Spurious Operation | 8.80E-07 | /hr | IEEE 500-1984 p.214 |
| LMF | Logic Module Fails To Function | 1.80E-06 | /hr | SAROS (LCF) |
| LPR | Residual Heat Removal Pump Fails To Run | 8.35E-05 | /hr | Bayesian Update |
| LPS | Residual Heat Removal Pump Fails To Start | 1.59E-03 | /d | Bayesian Update |
| LTF | Level Transmitter Fails | 4.60E-07 | /hr | IEEE 500-1984 p. 588 |
| LTK | Level Transmitter Output Fails High | 5.00E-06 | /hr | ALWR |
| LTL | Level Transmitter Output Fails Low | 5.00E-06 | /hr | ALWR |
| MPR | Motor-Driven Auxiliary Feedwater Pump Fails To Run | 2.25E-05 | /hr | Bayesian Update |
| MPS | Motor-Driven Auxiliary Feedwater Pump Fails To Start | 1.20E-03 | /d | Bayesian Update |
| MVC | Motor Operated Valve Fails To Close | 3.50E-03 | /d | SAROS (MVC) |
| MVO | Motor Operated Valve Fails To Open | 3.50E-03 | /d | SAROS (MVN) |
| MVR | Motor Operated Valve Transfers Position | 4.30E-08 | /hr | SAROS (MVK) |
| MVT | Motor Operated Valve Transfers Position | 3.70E-07 | /hr | SAROS (MVK) |
| ORF | Orifice Is Plugged | 8.60E-09 | /hr | NSAC/60 Table A14-1 A |
| ORR | Orifice Ruptures | 2.70E-08 | /hr | Millstone Unit 3 PSS |
| OVC | PORV Fails to Reclose | 2.50E-02 | /d | ALWR |
| OVO | PORV Fails to Open | 7.00E-03 | /d | ALWR |
| POF | 120 V AC Regulated Power Supply Fails | 5.88E-06 | /hr | IEEE 500-1984 p.660 |
| PPR | Component Cooling Water Pump Fails To Run | 1.60E-05 | /hr | Bayesian Update |
| PPS | Component Cooling Water Pump Fails To Start | 9.68E-04 | /d | Bayesian Update |
| PRC | Pilot-Operated Relief Valve 3RC-66 Fails To Close | 1.80E-02 | /d | SAROS (RZQ) |
| PRO | Pilot-Operated Relief Valve 3RC-66 Fails To Open | 6.30E-03 | /d | SAROS (RZN) |
| PSC | Pressure Switch Fails To Close | 2.60E-04 | /d | SAROS (PSD) |
| PSO | Pressure Switch Fails To Open | 2.60E-04 | /d | SAROS (PSD) |
| PTK | Pressure Transmitter Output Fails High | 1.50E-06 | /hr | SAROS (PTH) |
| PTL | Pressure Transmitter Output Fails Low | 1.50E-06 | /hr | SAROS (PTL) |
| RGT | Self Regulating Valve Spurious Operation | 2.70E-06 | /hr | SAROS (AVK) |
| RVC | Safety Relief Valve Fails To Reseat | 7.50E-03 | /d | SAROS (RXT) |
| RVO | Safety Relief Valve Fails To Open | 3.00E-04 | /d | SAROS (RXN) |
| RVT | Safety Relief Valve Spurious Operation | 1.70E-06 | /hr | SAROS (RVR) |
| RYD | Relay Fails To Operate | 1.90E-04 | /d | SAROS (RED) |
| RYT | Relay Spurious Operation | 1.00E-06 | /hr | SAROS (REK) |
| SDR | SSF Diesel Generator Fails to Run | 1.68E-03 | /hr | Plant-Specific |
| SDS | SSF Diesel Generator Fails to Start | 5.40E-03 | /d | Plant-Specific |
| SVO | Solenoid Valve Fails To Open | 2.80E-03 | /d | SAROS (SVN) |
| SVT | Solenoid Valve Transfers Position | 4.10E-07 | /hr | SAROS (SVK) |
| SWC | Control Switch Fails To Close | 1.00E-05 | /d | EGG-SSRE-8875 Tbl 4 |
| SWT | Control Switch Spurious Operation | 1.00E-06 | /hr | EGG-SSRE-8875 Tbl 4 |
| T4F | 4 KV / 600 V AC Transformer Fails | 1.00E-07 | /hr | Plant-Specific |
| TEF | Transformer Fails to Function | 8.00E-07 | /hr | SAROS (T6F) |
| THF | High Voltage Transformer Fails | 2.10E-06 | /hr | SAROS (TIF) |
| TKF | Tank Fails | 7.50E-07 | /hr | SAROS (TKG) |
| TLF | 600 V / 208 V AC Transformer Fails | 1.90E-06 | /hr | SAROS (T6F) |
| TPR | Turbine Driven Auxiliary Feedwater Pump Fails To Run | 3.60E-03 | /hr | Bayesian Update |
| TPS | Turbine Driven Auxiliary Feedwater Pump Fails To Start | 2.46E-03 | /d | Bayesian Update |
| TRM | Train Maintenance | | | |
| TTL | Temperature Transmitter Output Fails Low | 9.30E-07 | /hr | SAROS (TTD) |
| TVT | Temperature Control Valve Spurious Operation | 4.20E-08 | /hr | Seabrk PRA Tbl 6.2-1 |
| VVT | Manual Valve Transfers Position | 8.00E-08 | /hr | SAROS (XVK) |
| WPR | Nuclear Service Water Pump Fails To Run | 1.49E-05 | /hr | Bayesian Update |
| WPS | Nuclear Service Water Pump Fails To Start | 2.09E-03 | /d | Bayesian Update |
| ZPR | Containment Spray Pump Fails To Run | 2.39E-05 | /hr | Plant-Specific |
| ZPS | Containment Spray Pump Fails To Start | 4.75E-03 | /d | Plant-Specific |

Table 3.1.1-2 Rev. 2 Maintenance Events

Event Name | Description | Probability
AV100DCDCM | Diesel Air Compressor is In Maintenance | 1.00E-02
AVICMPDCMM | Centrifugal Compressor D In Maintenance | 3.00E-02
AVSCPIATRM | Maintenance on Station Air Compressor A | 9.40E-02
AVSCPIBTRM | Maintenance on Station Air Compressor B | 9.40E-02
DDD1EBABLM | Battery 1EBA Is in a Testing or Maintenance Mode | 1.28E-02
DDD1EBBBLM | Battery 1EBB Is in a Testing or Maintenance Mode | 1.28E-02
DDD1EBCBLM | Battery 1EBC Is in a Testing or Maintenance Mode | 1.28E-02
DDD1EBDBLM | Battery 1EBD Is in a Testing or Maintenance Mode | 1.28E-02
EKSMDPATRM | Train A Motor Driven Pump Start Function in Maintenance | 3.80E-03
EKSMDPBTRM | Train B Motor Driven Pump Start Function in Maintenance | 3.80E-03
EKSTATDTRM | Train A Turbine Driven Pump Start Function in Maintenance | 3.80E-03
EKSTOMATRM | Train A SS Function in Maintenance | 3.80E-03
EKSTOMBTRM | Train B SS Function in Maintenance | 3.80E-03
FCA0TDPTRM | Turbine Driven Pump Train in Maintenance or Testing | 5.00E-03
FCAMDPATRM | CA Motor Driven Pump Train 1A in Maintenance or Testing | 5.00E-03
FCAMDPBTRM | CA Motor-Driven Pump Train 1B in Maintenance or Testing | 5.00E-03
FWL01AITRM | Sump Pump 1A1 in Testing or Maintenance | 1.50E-02
FWLOIA2TRM | Sump Pump 1A2 in Testing or Maintenance | 1.50E-02
HNVCCPBTRM | CCP 1B in Maintenance | 1.00E-02
INITRIATRM | NI Header 1A in Maintenance | 5.00E-03
INITRIBTRM | NI Header 1B in Maintenance | 5.00E-03
JDG001ATRM | Diesel Generator 1A In Maintenance Or Testing | 1.00E-02
JDG001BTRM | Diesel Generator 1B In Maintenance Or Testing | 1.00E-02
KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02
KKC01A2TRM | KC Pump 1A2 in Testing or Maintenance | 1.33E-03
KKC01BITRM | KC Pump 1B1 in Testing or Maintenance | 1.33E-03
KKC01B2TRM | KC Pump 1B2 in Testing or Maintenance | 1.33E-03
LNDTRIATRM | ND Train A in Maintenance | 5.00E-03
LNDTRIBTRM | ND Train 1B in Maintenance | 5.00E-03
NACSLXGBLM | 600 V ac Motor Control Center SLXG in Maintenance | 1.00E-03
NACSMXGBLM | 600 V Or Less AC Power Bus SMXG in Maintenance | 1.00E-03
NADSKPGBLM | 120 V ac Panel Board SKPG in Maintenance | 1.00E-03
NNV0SSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 1.50E-02
NSSF0DGTRM | SSF Diesel Generator in Maintenance or Testing | 1.50E-02
PA2ELXABLM | Unscheduled Maintenance on 600 V ac Load Center 2ELXA | 1.00E-03
PA2ELXBBLM | Unscheduled Maintenance on 600 V ac Load Center 2ELXB | 1.00E-03
PA2EMXCBLM | Unscheduled Maintenance on 600 V ac MCC 2EMXC | 1.00E-03
PA2EMXDBLM | Unscheduled Maintenance on 600 V ac MCC 2EMXD | 1.00E-03
PA2EMXHBLM | Unscheduled Maintenance on 600 V ac MCC 2EMXH | 1.00E-03
PA2EMXPBLM | Unscheduled Maintenance on 600 V ac MCC 2EMXP | 1.00E-03
PA2EMXQBLM | Unscheduled Maintenance on 600 V ac MCC 2EMXQ | 1.00E-03
PA2EMXRBLM | Unscheduled Maintenance on 600 V ac MCC 2EMXD | 1.00E-03
PACIETBBHM | 4160 V ac Switchgear 1ETB Is Unavailable | 2.00E-03
PACILXIBLM | Unscheduled Maintenance on 600 V ac Load Center 1LXI | 1.00E-03
PACISLCBLM | Unscheduled Maintenance on 600 V ac Load Center 1SLXC | 1.00E-03
PAC2LXHBLM | Unscheduled Maintenance on 600 V ac Load Center 2LXH | 1.00E-03
PAC2SLCBLM | Unscheduled Maintenance on 600 V ac Load Center 2SLXC | 1.00E-03
PACELXABLM | 600 V ac Load Center 1ELXA In Maintenance | 1.00E-03
PACELXBBLM | 600 V ac Load Center 1ELXB Unavailable | 1.00E-03
PACELXCBLM | Unscheduled Maintenance on 600 V ac Load Center 1ELXC | 1.00E-03
PACELXDBLM | Unscheduled Maintenance on 600 V ac Load Center 1ELXD | 1.00E-03
PACEMXABLM | Unscheduled Maintenance on 600 V ac MCC 1EMXA | 1.00E-03
PACEMXBBLM | 600 V ac Motor Control Center 1EMXB Unavailable | 1.00E-03
PACEMXCBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXC | 1.00E-03
PACEMXDBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXD | 1.00E-03
PACEMXEBLM | 600 V ac MCC 1EMXE in Maintenance | 1.00E-03
PACEMXFBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXF | 1.00E-03
PACEMXGBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXG | 1.00E-03
PACEMXIBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXI | 1.00E-03
PACEMXJBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXJ | 1.00E-03
PACEMXKBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXK | 1.00E-03
PACEMXLBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXL | 1.00E-03
PACEMXOBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXO | 1.00E-03
PACEMXQBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXQ | 1.00E-03
PACEMXRBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXR | 1.00E-03
PACEMXSBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXS | 1.00E-03
WRNPM1BTRM | RN Pump Train 1B in Testing or Maintenance | 1.33E-02
WRNPM2ATRM | RN Pump Train 2A in Testing or Maintenance | 1.33E-02
WRNPM2BTRM | RN Pump Train 2B in Testing or Maintenance | 1.33E-02

Table 3.1.2-1 Rev. 2 Final Initiating Event List

Initiator | Description | Frequency (per year)
T1 | Reactor Trip | 1.9
T2 | Loss Of Load | 0.46
T3 | Loss of Offsite Power | 3.59E-02
T4 | Loss Of Main Feedwater | 0.49
T5 | Excessive Main Feedwater Initiating Event | 0.0
T6 | Secondary Line Break Inside Containment | 2.09E-03
T7 | FDW Line Break Outside Containment | 1.06E-03
T8 | Steamline Break Outside Containment | 2.09E-03
T9 | Loss Of RN | 3.0E-04
T10 | Loss Of KC | 6.4E-04
T11 | Loss Of 4160 V Essential Bus | 3.78E-03
T12 | Loss Of Instrument Air | 2.0E-01
T13 | Inadvertent SS Actuation | 8.11E-02
T14 | Loss Of Vital I&C | 0.0
LL | Large LOCA | 2.47E-04
ML | Medium LOCA | 2.47E-04
SL | Small LOCA | 3.07E-03
RPV | Reactor Pressure Vessel Rupture | 1E-06
Y | Steam Generator Tube Rupture | 1.16E-02
ISLOCA | Interfacing Systems LOCA | 2.5E-07
CAPRFLD | Aux. Shutdown Panel Lost Due To Flood | 2.7E-07
TORNF4 | Plant Struck By F4 Or F5 Tornado | 9.49E-05
TORNSW | Tornado Causes LOOP | 3.8E-04
FACTB | All Consuming TB Fire Initiating Event | 1.7E-05
FASP | Aux. Shutdown Panel Fire Causes Loss Of KC | 1.69E-08
FCBLR | Cable Room Fire Causes A Loss Of KC | 9.56E-06
FCR | Control Room Fire Causes A Loss Of KC | 2.14E-06
FDG | Fire Causes A Loss Of The A Train Diesel | 1.55E-02
FETB | ETB Fire Initiating Event | 8.91E-07
FKC | KC Power Cable Initiating Event | 4.78E-05
FRN | Fire In RN Pump House Causes A Loss Of RN | 1.33E-07
FRTSWG | Fire Causes A Loss Of Reactor Trip Switchgear | 1.78E-04
FVIC | Vital I&C Fire Causes A Loss Of 1EDD | 1.78E-04
SEISMIC | Seismic Event | N/A

Table 3.1.3-1 Rev. 2 Common Cause Failure Events

Event Name | Description | Probability
AVICMPRCOM | Common Cause Failure of Centrifugal Compressors to Run | 1.80E-04
AVSCMPRCOM | Common Cause Failure of Station Air Compressors to Run | 1.80E-04
AVSCMPSCOM | Common Cause Failure of Station Air Compressors to Start | 2.90E-03
DDCHGRACOM | Common Cause Failure of Chargers 1ECA and 1ECS | 2.20E-05
DDCHGRBCOM | Common Cause Failure of Chargers 1ECB and 1ECS | 2.20E-05
DDCHGRCCOM | Common Cause Failure of Chargers 1ECC and 1ECS | 2.20E-05
DDCHGRDCOM | Common Cause Failure of Chargers 1ECD and 1ECS | 2.20E-05
ECNSENSCOM | Common Cause Failure of 2 Containment Pressure Transmitters | 9.72E-04
EKSA121COM | Common Cause Failure of Master Relays K501A and K521A | 1.90E-05
EKSB121COM | Common Cause Failure of Master Relays K501B and K521B | 1.90E-05
EKSK501COM | Common Cause Failure of Master Relays K501A and K501B | 1.90E-05
EKSK516COM | Common Cause Failure of Master Relays K516A and K516B | 1.90E-05
EKSLAMRCOM | Common Cause Failure of 3 SG A Level Transmitters | 8.10E-07
EKSLBMRCOM | Common Cause Failure of 3 SG B Level Transmitters | 8.10E-07
EKSLCMRCOM | Common Cause Failure of 3 SG C Level Transmitters | 8.10E-07
EKSLDMRCOM | Common Cause Failure of 3 SG D Level Transmitters | 8.10E-07
EKSPSENCOM | Common Cause Failure of 2 Steamline Pressure Transmitters | 1.69E-04
EKSSLGCCOM | Common Cause Failure of SS Logic Modules | 1.08E-06
EPZSENSCOM | Common Cause Failure of 3 Pressurizer Pressure Transmitters | 4.57E-05
FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02
FCAMDPRCOM | Common Cause Failure of Both Motor Driven Pumps to Run | 2.70E-05
FCAMDPSCOM | Common Cause Failure of Both Motor Driven Pumps to Start | 9.48E-05
FCAPTRCCOM | Common Cause Failure of 2 of 3 Pressure Transmitters | 1.69E-04
FCARNIACOM | Common Cause Failure of Pressure Transmitters (RN 1A) | 1.69E-04
FCARN1BCOM | Common Cause Failure of Pressure Transmitters (RN 1B) | 1.69E-04
FCASG24COM | Common Cause Failure of 2 of 4 SG Level Instruments | 3.60E-06
FCASG34COM | Common Cause Failure of 3 of 4 SG Level Instruments | 9.72E-07
FSA0CCACOM | Common-Cause Failure of Steam Line AOV's to Open | 1.94E-04
FWLIARNCOM | Common Cause Failure of Sump Pumps to Run | 2.88E-05
FWLIASTCOM | Common Cause Failure of Sump Pumps to Start | 3.10E-04
HNVOCCPCOM | Common Cause Failure of NV Pumps to Start | 2.23E-04
HNVCCPRCOM | Common Cause Failure of NV Pumps to Run | 2.98E-05
HNVFWSMCOM | Common Cause Failure of FWST Isolation Valves | 1.75E-04
HNVSTPMCOM | Common Cause Failure of Stop Valves | 1.75E-04
INIONDMCOM | Common Cause Failure of Flow Line Valves | 1.75E-04
INIOXCMCOM | Common Cause Failure of Miniflow Line Valves | 1.75E-04
IN10XOMCOM | Common Cause Failure of Both Isolation Valves | 1.75E-04
INIPRUNCOM | Common Cause Failure Of Both NI Pumps to Run | 5.80E-05
INIPSTRCOM | Common Cause Failure Of Both NI Pumps to Start | 8.97E-05
JDGIASTCOM | Common Cause Failure of Diesel Generator to Start | 1.49E-04
JDG1RUNCOM | Common Cause Failure of Diesel Generator to Run | 3.26E-03
JRNMOVSCOM | Common Cause Failure of RN Motor Operated Valves to Open | 1.75E-04
JVGSVLACOM | Common Cause Failure of DG 1A Starting Air Solenoid Valves | 2.80E-04
JVGSVLBCOM | Common Cause Failure of DG 1B Starting Air Solenoid Valves | 2.80E-04
KKCORUNCOM | Common Cause Failure of KC Pumps to Run |
KKC3/3SCOM | Common Cause Failure of 3 Of 3 KC Pumps to Start |
LFWLVTRCOM | Common Cause Failure of FWST Level Transmitters | 4.67E-05
LKC566COM | Common Cause Failure of Cooling Water Valves KC56 & KC81 | 1.75E-04
LNDMINICOM | Common Cause Failure of ND Miniflow Motor Operated Valves | 1.75E-04
LNDMOVSCOM | Common Cause Failure of Recirculation Suction Valves | 1.75E-04
LNDPRUNCOM | Common Cause Failure of the ND Pumps to Run | 5.21E-05
LNDPSTRCOM | Common Cause Failure of the ND Pumps to Start | 2.23E-04
QRPBKRSCOM | Reactor Trip Breaker Common Cause Failure | 1.60E-05
QRPDRVRCOM | Undervoltage Driver Common Cause Failure | 6.12E-05
QRPSHNTCOM | Shunt Coil Common Cause Failure | 9.98E-06
QRPUVCLCOM | Undervoltage Coil Common Cause Failure | 6.28E-05
RNCPORVCOM | Common Cause Failure of PORVs to Open on Demand | 5.54E-04
RNCPUMPCOM | Common Cause Failure of NC Pumps to Run | 2.88E-05
RNCSPRACOM | Common Cause Air Operated Valve Failure to Open | 1.94E-04
RNIRNCMCOM | Common Cause Failure of Motor Operated Valve to Open | 1.75E-04
UNV1210COM | Common Cause Failure of Valves NV1A, 2A, & 10A | 1.45E-04
WRN3MOVCOM | Common Cause Failure of 3 Pump Discharge Valves To Open | 9.45E-05
WRNABPRCOM | Common Cause Failure of RN Pump to Run | 1.86E-06
WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 1.63E-04
WRNABSTCOM | Common Cause Failure of RN Strainers | 2.88E-06
WRNDISCCOM | Common Cause Failure of RN53B, 54A, 57A, and 843B to Close | 1.19E-04
WRNLTABCOM | Common Cause Failure of Level Transmitters in RN Pits A & B | 1.20E-06
WRNPMOVCOM | Common Cause Failure of RN Pump Discharge Valves To Open | 2.38E-05
WRNPSCRCOM | Common Cause Failure of Pumphouse Screens Due to Plugging | 2.88E-05
WRNSNWPCOM | Common Cause Failure of SNSWP Supply Valves to Open | 1.75E-04
YSMMSIVCOM | Common Cause Failure of 4 of 4 MSIVs to Close | 1.23E-04
YSVPORVCOM | Common Cause Failure of SG PORVs to Open | 1.94E-04


Table 3.1.4-1 Rev. 2 Latent Human Error Events

Event Name | Description | Probability
AV100DCLHE | Diesel Compressor is Left Unavailable After Testing or Maintenance | 3.00E-03
AVICMPDLHE | Centrifugal Compressor D Unavailable Due to Latent Human Error | 1.00E-03
AVSCPIALHE | Station Air Compressor A Fails Due to Latent Human Error | 1.00E-03
AVSCPIBLHE | Station Air Compressor B Fails Due to Latent Human Error | 1.00E-03
AVSLINELHE | Latent Human Error Fails VS Backup to VI | 3.00E-03
FCA0RNOLHE | Latent Human Error Causes Swap to Assured Suction Source | 3.00E-03
FCA0TDPLHE | Latent Human Error Fails Turbine Driven Pump | 3.00E-03
FCAMDPALHE | Latent Human Error Fails Motor Driven Pump 1A | 3.00E-03
FCAMDPBLHE | Latent Human Error Fails MDP 1B | 3.00E-03
FWLSUMPLHE | Latent Human Error Fails Sump Pumps | 3.00E-03
HNVCCPBLHE | Latent Human Error Fails CCP 1B | 3.00E-03
INITRIALHE | NI Train 1A Fails Due to Latent Human Error | 3.00E-03
INITRIBLHE | NI Train 1B Fails Due to Latent Human Error | 3.00E-03
JDG001ALHE | Latent Human Error on Diesel Generator 1A | 3.00E-03
JDG001BLHE | Latent Human Error on Diesel Generator 1B | 3.00E-03
KKC001BLHE | Latent Human Error on KC Train 1B | 3.00E-03
KKC01A2LHE | Latent Human Error Fails KC 1A2 Pump Train | 3.00E-03
LNDMV33LHE | Latent Human Error - Flow Diversion, Mnl Vlv 1ND33 Left Open | 3.00E-05
LNDTRIALHE | Train 1A Failure Due to Latent Human Error | 3.00E-03
LNDTRIBLHE | ND Train 1B Fails Due to Latent Human Error | 3.00E-03
NSS0SSFLHE | Latent Human Error Fails The SSF | 3.00E-03
SNSDRNVLHE | Drains From Upper To Lower Containment Are Closed | 1.80E-05
UNI183BLHE | Motor Operated Valve NI183B Left Open | 3.00E-03
WRNPMIBLHE | Latent Human Error Fails RN Pump 1B | 3.00E-03
WRNPM2ALHE | Latent Human Error Fails RN Pump 2A | 3.00E-03
WRNPM2BLHE | Latent Human Error Fails RN Pump 2B | 3.00E-03

Table 3.1.4-2 Rev. 2 Post-Initiator Human Error Events

Event Name | Description | Probability
AV100DCDHE | Operators Fail to Manually Align Diesel Compressor | 1.60E-02
AVIDRYRDHE | Operators Fail to Take Recovery Action For Loss of Dryers Within An Hour | 1.00E-02
EKSFAS0DHE | Operators Fail To Respond to ESFAS Relay Failure | 1.00E-01
EKSFASIDHE | Operators Fail To Respond to ESFAS Failure | 4.00E-03
FCAHOTWDHE | Failure to Defeat the Low Suction Pressure Trip on Auxiliary Feedwater Pumps Pri | 1.00E-03
FCATHRODHE | Operator Fails to Manually Throttle the Auxiliary FW Flow | 1.00E-03
HNV00YVDHE | Failure to Align YV Cooling to NV Pumps | 1.00E-02
KKCSTNBDHE | Operator Fails to Start The Standby KC Train | 1.00E-03
ND0RWSTDHE | Failure to Refill FWST | 1.50E-02
NNVSSFADHE | Failure to Initiate SSF Seal Injection - Non LOOP Event | 3.00E-02
NNVSSFBDHE | Failure to Initiate SSF Seal Injection - LOOP Event | 1.00E-01
POPXCONDHE | Failure to Cross Connect Offsite Power Between Units (Unit 2 Failure Included) | 2.60E-01
QRODSINDHE | Failure to Drive Control Rods if the Reactor Doesn't Trip Following an ATWS | 1.00E-01
QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 1.00E-02
RNCBLKVDHE | Operators Fail to Recognize and Close Block Valve | 1.00E-03
RNDISCHDHE | Recovery of RN Discharge Path | 1.00E-02
RVIPORVDHE | Operators Fail to Restore VI to PORVs or Align Backup Nitrogen | 8.00E-03
TFBLD01DHE | Operators Fail to Establish Feed and Bleed Cooling | 1.00E-02
TRECIRCDHE | Operators Fail to Establish High Pressure Recirculation | 3.20E-03
TTHROT1DHE | Operators Fail to Prevent ECCS Challenge to PORVs | 1.00E-01
TTHROT3DHE | Operators Fail to Prevent ECCS Challenge to SRVs | 1.00E-01
UNI173ADHE | Operators Fail To Close Motor Operated Valve NI173A | 8.60E-03
UNI178BDHE | Operators Fail To Close Motor Operated Valve NI178B | 8.60E-03
WRNPMSTDHE | Operator Fails to Start RN Pump | 1.00E-03
YAGkCOLDHE | Operators Fail to Aggressively Depressurize Using Secondary PORVs Following SGTR | 1.00E-03
YODRAINDHE | Operators Fail to Isolate Steam Drain Line | 1.00E-01
AC01DGRRHE | Failure to Recover LOOP (DG S Fail + DG R Fail, SSHR Avail, RCP Seal LOCA) | 2.05E-02
AC02DGRRHE | Failure to Recover LOOP (Double DG R Fail, SSHR Avail, RCP Seal LOCA) | 1.38E-02
ACO2DGSRHE | Failure to Recover LOOP (Double DG S Fail, SSHR Avail, RCP Seal LOCA) | 7.18E-02
ACBIDGRRHE | Failure to Recover LOOP (DG S Fail + DG R Fail, No SSHR, No F & B) | 4.16E-02
ACB2DGRRHE | Failure to Recover LOOP (Double DG R Fail, No SSHR, No F & B) | 2.23E-02
ACCIDGRRHE | Failure to Recover LOOP (DG S Fail + DG R Fail, No SSHR, No F & B, TDP Pit Fld) | 2.65E-02
ACC2DGRRHE | Failure to Recover LOOP (Double DG Run Fail, No SSHR, No F & B, TDP Pit Fld) | 1.59E-02
DDCIECSRHE | Operators Fail to Swap to the Standby Battery Charger | 1.00E-02
RPVFAILRHE | Failure To Prevent Core Damage Following Reactor Vessel Rupture | 1.00E+00
SMAN001RHE | Failure to Recover FWST LT Failure (S, M LOCA) | 1.00E-01
SMAN002RHE | Failure to Recover FWST LT Failure (Large LOCA) | 5.00E-01
TCF0001RHE | Failure to Restore Main Feedwater After Plant Trip | 5.00E-02
TCF0002RHE | Failure to Restore Main Feedwater After Loss of Feedwater | 2.00E-01

Table 3.1.5-1 Rev. 2 Plant-Specific and Bayesian-Updated Failure Rates

SYSTEM / COMPONENT | Total Demands | Total Run Time (Hrs.) | Est. Maint. Unavailability | Calculated | Plant Specific Failure Rate | Generic Failure Rate | Bayesian Updated Generic Failure Rate | Type Code

ND (EST.) (EST.) (SSUM)
ND Pumps | 468 | 13866.0 | | | | | |
Start Failures = 0
Run Failures = 5
Start Failure Rate (/d) = (note 1) | | | | 4.86E-04 | 4.86E-04 | 3.10E-03 | 1.59E-03 | LPS
Run Failure Rate (/hr) = | | | | 3.61E-04 | 3.61E-04 | 2.40E-05 | 8.38E-05 | LPR
Unavailability (%) = | | | 0.4 | | | | | LPM

NI (EST.) (EST.) (SSUM)
NI Pumps | 1899 | 934.9 | | | | | |
Start Failures = 0
Run Failures = 1
Start Failure Rate (/d) = (note 1) | | | | 1.20E-04 | 1.20E-04 | 3.10E-03 | 6.41E-04 | HPS
Run Failure Rate (/hr) = | | | | 1.07E-03 | 1.07E-03 | 2.40E-05 | 3.90E-05 | HPR
Unavailability (%) = | | | 0.2 | | | | | HPM

CA (EST.) (EST.) (SSUM)
MDCA Pumps | 783.0 | 4299.41 | | | | | |
Start Failures = 0
Run Failures = 0
Start Failure Rate (/d) = (note 1) | | | | 2.91E-04 | 2.91E-04 | 3.10E-03 | 1.20E-03 | MPS
Run Failure Rate (/hr) = (note 1) | | | | 5.29E-05 | 5.29E-05 | 2.40E-05 | 2.25E-05 | MPR
Unavailability (%) = | | | 0.2 | | | | | MPM

TDCA Pumps | 669 | 230.63 | | | | | |
Start Failures = 0
Run Failures = 1
Start Failure Rate (/d) = (note 1) | | | | 3.40E-04 | 3.40E-04 | 2.10E-02 | 2.46E-03 | TPS
Run Failure Rate (/hr) = | | | | 4.34E-03 | 4.34E-03 | 1.30E-03 | 3.60E-03 | TPR
Unavailability (%) = | | | 0.2 | | | | | TPM

AC Power (EST.)
4KV or Greater High Voltage AC Pow | N/A | | | | | | |
Failures = 0
Calendar Time, Hrs (1/91 - 6/95) = 157680.0
Failure Rate (/hr) = (note 1) | | | | 1.44E-06 | 1.44E-06 | 5.30E-07 | 4.65E-07 | BHY
Unavailability (%) = (note 2) | | | 0.1 | | | | | BHM

600vac or Less AC Power Bus Fails | N/A | | | | | | |
Failures = 2
Calendar Time, Hrs (1/91 - 6/95) = 1497960.0
Failure Rate (/hr) = (note 3) | | | | 1.34E-06 | 1.34E-06 | 3.60E-07 | NA | BLF
Unavailability (%) = (note 2) | | | 0.1 | | | | | BLM

DC Power (EST.)
Battery Charger Fails | N/A | N/A | | | | | |
Failures = 12
Calendar Time, Hrs (1/91 - 6/95) = 630720.0
Failure Rate (/hr) = | | | | 1.90E-05 | 1.90E-05 | 1.10E-05 | 1.83E-05 | BCF

Inverter Fails | N/A | | | | | | |
Failures = 4
Calendar Time, Hrs (1/91 - 6/95) = 315360.0
Failure Rate (/hr) = | | | | 1.27E-05 | 1.27E-05 | 2.90E-05 | 2.85E-05 | IVF
Unavailability (%) = | | | 1.0 | | | | | IVM

125dc Distribution Center Failure | N/A | | | | | | |
Failures = 1
Calendar Time, Hrs (1/91 - 6/95) = 157680.0
Failure Rate (/hr) = | | | | 6.34E-06 | 6.34E-06 | 6.10E-07 | 1.43E-06 | BDF
Unavailability (%) = (note 2) | | | 0.1 | | | | | BDM

RN (EST.) (EST.) (SSUM)
RN Pumps | 719 | 39375.0 | | | | | |
Start Failures = 1
Run Failures = 0
Start Failure Rate (/d) = | | | | 1.39E-03 | 1.39E-03 | 3.10E-03 | 2.09E-03 | WPS
Run Failure Rate (/hr) = (note 1) | | | | 5.78E-06 | 5.78E-06 | 2.40E-05 | 1.49E-05 | WPR
Unavailability (%) = | | | 0.5 | | | | | WPM

SSF (EST.) (EST.) (SSUM)
SSF D/G | 77 | 57.4 | | | | | |
Start Failures = 0
Run Failures = 0
Start Failure Rate (/d) = (note 1) | | | | 2.97E-03 | 2.97E-03 | 1.80E-02 | 5.40E-03 | SDS
Run Failure Rate (/hr) = (note 1) | | | | 3.97E-03 | 3.97E-03 | 2.30E-03 | 1.68E-03 | SDR
Unavailability (%) = | | | 1.5 | | | | | SDM

SSF RCMU Pumps | 53 | 10.6 | | | | | |
Start Failures = 0
Run Failures = 0
Start Failure Rate (/d) = (note 1) | | | | 4.30E-03 | 4.30E-03 | 3.10E-03 | 2.80E-03 | DPS
Run Failure Rate (/hr) = (note 1) | | | | 2.15E-02 | 2.15E-02 | 2.40E-05 | 2.40E-05 | DPR
Unavailability (%) = | | | 1.1 | | | | | DPM

NV (EST.) (EST.) (SSUM)
NV Pump | 611 | 63094.50 | | | | | |
Start Failures = 0
Run Failures = 1
Start Failure Rate (/d) = (note 1) | | | | 3.72E-04 | 3.72E-04 | 3.10E-03 | 1.39E-03 | CPS
Run Failure Rate (/hr) = | | | | 1.58E-05 | 1.58E-05 | 2.40E-05 | 2.00E-05 | CPR
Unavailability (%) = | | | 0.1 | | | | | CPM

KC (EST.) (EST.) (SSUM)
KC Pump | 1089 | 157500.0 | | | | | |
Start Failures = 0
Run Failures = 2
Start Failure Rate (/d) = (note 1) | | | | 2.09E-04 | 2.09E-04 | 3.10E-03 | 9.68E-04 | PPS
Run Failure Rate (/hr) = | | | | 1.27E-05 | 1.27E-05 | 2.40E-05 | 1.60E-05 | PPR
Unavailability (%) = | | | 0.4 | | | | | PPM

NS (EST.) (EST.)
NS Pump | 249 | 396.0 | | | | | |
Start Failures = 2
Run Failures = 0
Start Failure Rate (/d) = | | | | 8.04E-03 | 8.04E-03 | 3.10E-03 | 4.75E-03 | ZPS
Run Failure Rate (/hr) = (note 1) | | | | 5.74E-04 | 5.74E-04 | 2.40E-05 | 2.39E-05 | ZPR
Unavailability (%) = | | | 0.6 | | | | | ZPM

Diesel Generator (SSPI) (SSPI) (SSUM)
Diesel Generator | 585 | 1109.5 | | | | | |
Start Failures = 4
Run Failures = 2
Start Failure Rate (/d) = | | | | 6.84E-03 | 6.84E-03 | 1.80E-02 | 7.43E-03 | DGS
Run Failure Rate (/hr) = | | | | 1.80E-03 | 1.80E-03 | 2.30E-03 | 1.86E-03 | DGR
Unavailability (%) = | | | 0.9 | | | | | DGM

NOTES

1 - The Chi-Squared method was used to estimate a failure rate with no failures having been recorded, where:

Demand Failure Rate = 0.455 / [2 * (no. of demands)]

Run Failure Rate = 0.455 / [2 * (no. of run hours)]

2 - Actual at-power maintenance is zero but will use estimated value of 0.1 percent for model.

3 - It appears that breaker transfers are not included in the generic failure rates; thus the plant specific failure rate will be used instead of the Bayesian updated failure rate.
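The following added example (not part of the report) recomputes the plant-specific rates of Table 3.1.5-1 from the recorded failures and exposure, applying the Note 1 estimate when no failures were recorded, and flags any row that disagrees with the tabulated value. The function names and the 1% tolerance are assumptions; the use of failures divided by exposure for non-zero counts is also an assumption, chosen because it reproduces the tabulated values.

```python
"""Recompute the plant-specific rates of Table 3.1.5-1 from the raw evidence."""

# 0.455 is the constant quoted in Note 1; it is the median (50th percentile)
# of a chi-squared distribution with 1 degree of freedom.
CHI2_MEDIAN_1DOF = 0.455


def plant_specific_rate(failures, exposure):
    """Point estimate of a failure rate.

    exposure is demands for a start (/d) rate or hours for a run (/hr) rate.
    Zero recorded failures -> Note 1 estimate, 0.455 / (2 * exposure).
    One or more failures   -> failures / exposure (assumption, see lead-in).
    """
    if exposure <= 0:
        raise ValueError("exposure must be positive")
    if failures < 0:
        raise ValueError("failures cannot be negative")
    if failures == 0:
        return CHI2_MEDIAN_1DOF / (2.0 * exposure)
    return failures / exposure


# (type code, recorded failures, exposure, tabulated plant-specific rate),
# transcribed from Table 3.1.5-1 on this page.
TABLE_3_1_5_1 = [
    ("LPS", 0, 468, 4.86e-04), ("LPR", 5, 13866.0, 3.61e-04),
    ("HPS", 0, 1899, 1.20e-04), ("HPR", 1, 934.9, 1.07e-03),
    ("MPS", 0, 783.0, 2.91e-04), ("MPR", 0, 4299.41, 5.29e-05),
    ("TPS", 0, 669, 3.40e-04), ("TPR", 1, 230.63, 4.34e-03),
    ("BHY", 0, 157680.0, 1.44e-06), ("BLF", 2, 1497960.0, 1.34e-06),
    ("BCF", 12, 630720.0, 1.90e-05), ("IVF", 4, 315360.0, 1.27e-05),
    ("BDF", 1, 157680.0, 6.34e-06),
    ("WPS", 1, 719, 1.39e-03), ("WPR", 0, 39375.0, 5.78e-06),
    ("SDS", 0, 77, 2.97e-03), ("SDR", 0, 57.4, 3.97e-03),
    ("DPS", 0, 53, 4.30e-03), ("DPR", 0, 10.6, 2.15e-02),
    ("CPS", 0, 611, 3.72e-04), ("CPR", 1, 63094.50, 1.58e-05),
    ("PPS", 0, 1089, 2.09e-04), ("PPR", 2, 157500.0, 1.27e-05),
    ("ZPS", 2, 249, 8.04e-03), ("ZPR", 0, 396.0, 5.74e-04),
    ("DGS", 4, 585, 6.84e-03), ("DGR", 2, 1109.5, 1.80e-03),
]


def audit(rows, rel_tol=0.01):
    """Compare recomputed and tabulated rates.

    Returns (report, outliers): report maps type code to
    (recomputed, tabulated, relative error); outliers lists the codes
    whose relative error exceeds rel_tol.
    """
    report, outliers = {}, []
    for code, failures, exposure, tabulated in rows:
        recomputed = plant_specific_rate(failures, exposure)
        rel_err = abs(recomputed - tabulated) / tabulated
        report[code] = (recomputed, tabulated, rel_err)
        if rel_err > rel_tol:
            outliers.append(code)
    return report, outliers


if __name__ == "__main__":
    report, outliers = audit(TABLE_3_1_5_1)
    for code, (calc, tab, err) in report.items():
        print(f"{code}: recomputed {calc:.3e}  tabulated {tab:.3e}  diff {err:.2%}")
    print("rows outside tolerance:", outliers or "none")
```

Every row reproduces to within the tolerance; the largest difference is the SSF diesel generator start rate (SDS), which the table rounds slightly higher than 0.455 / (2 * 77).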

Table 3.5-1 Rev. 2 Core Melt Bin Designations

Core Melt Bin Number | Core Melt Bin Definition
1 | LL, IF
2 | LL, ERF
3 | LL, LRF
4 | ML, IF
5 | ML, ERF
6 | ML, LRF
7 | SL, IF, SGA
8 | SL, IF, SGU-S
9 | SL, IF, SGU-R
10 | SL, LRF, SGA; SL, ERF, SGA
11 | SL, ERF, SGU-S
12 | SL, ERF, SGU-R
13 | SL, LRF, SGU-S; SL, LRF, SGU-R
14 | CR, IF, SGU-S
15 | CR, IF, SGU-R
16 | CR, ERF, SGU-S
17 | CR, ERF, SGU-R
18 | CR, LRF
19 | IML, IF, SGA
20 | IML, IF, SGU-S
21 | IML, IF, SGU-R
22 | IML, ERF, SGA; IML, LRF, SGA
23 | IML, ERF, SGU-S
24 | IML, ERF, SGU-R
25 | IML, LRF, SGU-S; IML, LRF, SGU-R
26 | SGTR
27 | ISL

First Definition Identifier - RCS Leakage Information
SL = Small LOCA
ML = Medium LOCA
LL = Large LOCA
CR = Cycling Relief Valve
SGTR = Steam Generator Tube Rupture
ISL = Interfacing Systems LOCA
IML = Induced Medium LOCA

Second Definition Identifier - Loss of RCS Makeup Capability
IF = Injection Failure
ERF = Recirculation Switchover Failure
LRF = Recirculation Run Failure

Third Definition Identifier - Condition of Secondary Side Heat Removal
SGA = Steam generators are available
SGU-S = Steam generators are not available because of a start failure of the feedwater systems
SGU-R = Steam generators are not available because of a run failure of the feedwater systems

Table 3.5-2 Rev. 2 Containment Safeguards Designations

Containment Safeguards Designation | Definition
A | Fans, Igniters, Containment sprays available in both injection and recirculation modes w/HX
B | Fans, Igniters, Containment sprays available in both injection and recirculation modes w/o HX
C | Fans, Igniters, Containment sprays available in injection
D | Fans, Igniters
E | Fans, Containment sprays available in both injection and recirculation modes w/HX
F | Fans, Containment sprays available in both injection and recirculation modes w/o HX
G | Fans, Containment sprays available in injection
H | Fans
I | Igniters, Containment sprays available in both injection and recirculation modes w/HX
J | Igniters, Containment sprays available in both injection and recirculation modes w/o HX
K | Igniters, Containment sprays available in injection
L | Igniters
M | Containment sprays available in both injection and recirculation modes w/HX
N | Containment sprays available in both injection and recirculation modes w/o HX
O | Containment sprays available in injection
P | No containment safeguards available

Containment Isolation Designations

Containment Isolation Designation | Definition
I | Containment is isolated
S | Small isolation failure (< 6 inches)
L | Large isolation failure (≥ 6 inches)

Figure 3.2.1-1 Rev. 2 Catawba Reactor Coolant System - Simplified Diagram

Figure 3.2.1-2 Rev. 2 Catawba Containment and Reactor Building - Simplified Diagram

Labelled features: Dome, Top Deck Doors, Polar Crane, Crane Wall, Containment, Intermediate Deck Doors, Control Rod Drive Missile Shield, Ice Condenser, Inlet Doors, Ventilating Fan, Reactor, Lower Compartment.

Legend: RCP = Reactor Coolant Pump; SG = Steam Generator; ACC = Accumulator

Figure 3.3.2-1 Rev. 2 - Small LOCA Event Tree

Top events: S = Small LOCA Initiator; B = SSHR Succeeds; P = PORV Bleed Path Succeeds; U = Injection Succeeds; Q(R) = Primary Reliefs Close; X = Recirculation Succeeds

Sequence Name | Core Melt Bin
NCM | N/A
SX | 10
SU | 7
NCM | N/A
SBX | 11,12,13
SBU | 8,9
SBQ(R)U | 4
SBP | 14,15
SBPQ(R) | 5,6

Figure 3.3.2-2 Rev. 2 - Medium LOCA Event Tree

Top events: M = Medium LOCA Initiator; U = Injection Succeeds; X = Recirculation Succeeds

Sequence Name | Core Melt Bin
NCM | N/A
MX | 5,6
MU | 4

Figure 3.3.2-3 Rev. 2 - Large LOCA Event Tree

Top events: L = Large LOCA Initiator; U = Injection Succeeds; X = Recirculation Succeeds

Sequence Name | Core Melt Bin
NCM | N/A
LX | 2,3
LU | 1

Figure 3.3.2-4 Rev. 2 - Transient Event Tree

Top event headings: Transient Initiator; Reactor Trip Succeeds; SSHR Succeeds; Primary Reliefs Close; Injection Succeeds; Recirculation Succeeds
Top event codes: T, K, B, Q(R), Q(S), P, U, X

Sequence Name | Core Melt Bin
NCM | N/A
NCM | N/A
TQ(S)X | 10,22
TQ(S)U | 7,19
NCM | N/A
TQ(R)X | 5,6
TQ(R)U | 4
NCM | N/A
TBX | 16,17,18,23,24,25
TBU | 14,15,20,21
TBP | 14,15,20,21
NCM | N/A
TBQ(S)X | 11,12,13,22,24,25
TBQ(S)U | 8,9,20,21
TBQ(S)P | 8,9,20,21
NCM | N/A
TBQ(R)X | 5,6
TBQ(R)U | 4
ATWS | 1

Figure 3.3.2-5 Rev. 2 - Steam Generator Tube Rupture Event Tree

Top event headings: SGTR Initiator; SSHR Succeeds; Injection Succeeds; PZR PORV Closes; Recirc. Succeeds; Secondary Depres.
Top event codes: Y, B, U, P, D1, D2, Q, O, X, D3

Sequence Name | Core Melt Bin
NCM | N/A
NCM | N/A
NCM | N/A
YD1QX | 10
NCM | N/A
YD1QOX | 26
NCM | N/A
NCM | N/A
YD1D2OD3 | 26
NCM | N/A
NCM | N/A
YUOD3 | 26
NCM | N/A
YBX | 23,24,25
NCM | N/A
YBOX | 26
YBP | 14,15
YBPO | 26
YBU | 8,5,20,21
YBUO | 26

4.0 CONTAINMENT PERFORMANCE

4.1 Containment Event Tree (CET) Model Development

The purpose of the CET is to quantify the containment failure modes and the radionuclide releases. Those phenomena which have a significant effect on the radionuclide release fractions or the timing, energy, or duration of the release are included in the tree as top events. The PDSs are inputs to the CET, and the pathways that the PDSs trace as they progress through the tree depend on how they influence the various phenomena modeled in the tree. Because each split fraction is based on probabilities, each PDS can appear in more than one release category, and each release category can have a contribution from more than one PDS.

The CET is developed in a similar fashion to the PRA systems plant model (see Section 3.4). An event tree, shown in Figure 4.1-1, is developed with the top events representing those events that can affect the release of fission products to the environment. This includes potential containment failure modes and other phenomena that can affect the fission product release characteristics. The CET containment failure modes are discussed below.

Containment Bypass

Containment bypass due to either a steam generator tube rupture or an interfacing systems LOCA is considered in the analysis. The SGTRs and ISLOCAs are assigned to unique core melt bins (CMBs).

In addition to the containment bypasses resulting from tube rupture initiating events, the possibility of tube ruptures being induced during the core degradation process is included in the analysis. These induced tube ruptures may result from either forced or natural circulation of hot gases in the reactor coolant system.

Containment Isolation Failures

Information on the status of containment isolation is included in the cut sets (see Section 3.5) which are developed in the calculation of the CDF. This information includes the isolation failure size and location.

Containment Over-pressure

Containment over-pressure due to steam generation, hydrogen combustion, and direct containment heating are considered in the analysis. Steam generation could be either rapid, as might occur at the time of reactor vessel failure, or slow, as would be expected during a boil off of the cavity water. Also, interaction between the molten core and the concrete can result in the creation of non-condensable gases which also have the potential to over-pressurize the containment.

The ultimate pressure capacity of the Catawba containment has been evaluated. The calculation addressed the failure of the containment shell and all its appurtenances. A containment failure distribution is developed in a manner similar to that of NUREG/CR 1891.

Reported tests of various containment designs have shown that free standing steel containments may fail catastrophically. The containment event tree considers the potential for both catastrophic and benign (large leakage) containment failure modes. In this analysis, 90% of the late over-pressurization failures are assumed to be catastrophic.

liasemat Meltthrough Ilasemat meltthrough occurs when core debris is retained in the cavity and attacks the concrete basemat of the reactor building. Without the presence of water (dry cavity sequence), the core material will start to ablate the concrete basemat. Since Catawba has a siliceous based concrete, the generation of non condensable gases is low. Even with the presence of water (wet cavity sequence), there is some small chance that the debris is not coolable such that concrete attack continues.

Direct Contact of Corium With The Containment The possibility that molten core material may come into direct contact with the contairment shell as a result of a high pressure melt ejection (IIPME) is considered.

This analysis considers the potential for corium to travel up the incore instrument tunnel, penetrate the seal table, and accumulate in the incore room in contact with the containment shell.

No Containment Failure This containment " failure mode" represents fission product releases similar to design basis leak intes.

Other factors that influence fission product release characteristics include:

e the arnount of fission products released after the molten core has left the reactor vessel (due to core-concrete interaction), and e the arr.ount of fission product scrubbing the is available.

The end states of the CET designate fission product Release Categories (RCs) that determine the release characteristics of the fission products. The containment event tree results in 42 distinct release categories. The broad classifications for these release categories are:

  • 9.0x - no containment failure
  • 8.0x - basemat meltthrough containment failure
  • 7.0x - late benign containment failure
  • 6.0x - late catastrophic containment failure
  • 5.0x - early catastrophic containment failure
  • 4.0x - small containment isolation failure
  • 3.0x - large containment isolation failure
  • 2.0x - interfacing systems LOCA
  • 1.0x - steam generator tube rupture

The entire CET is then developed as a decision tree (similar to a fault tree except that the logic is focused on success) with the top gates representing the different release categories. The top events are then further developed in the decision tree to account for the different phenomena that can lead to a particular containment failure. An example would be modeling the potential for a hydrogen burn or over-pressurization of the containment building due to steam generation.

Using the quantification matrix (see Section 4.2), the CET decision tree can be solved for each PDS. This will result in a Release Category Matrix (RCM) that shows the distribution of each PDS within the defined release categories. The RCM is then used to develop the fission product release data used to assess the offsite consequences (see Section 5).

4.2 Data Development

The PRA containment model was developed in a similar fashion to the systems analysis portion of the PRA (see Section 4.1 for a more detailed discussion). The model consists of a Containment Event Tree (CET) that is represented as one large logic tree. Therefore, the model ultimately results in many basic events that are quantified and used to solve the CET. In addition, since the same CET model is used to quantify the effects of all the possible plant damage states (PDS), the basic events used in the CET need to be quantified separately for each PDS.

This results in the creation of the CET Quantification Matrix which lists each CET basic event value for each PDS. This matrix is developed by assigning a value for each basic event relative to the PDS in question. In some cases, the basic event may be generic to all PDSs and therefore would have only one value.

The CET basic events are focused on:

  • the general availability of containment systems,
  • "confidence factors" associated with different core melt sequence phenomena, and
  • the general information on the status of the reactor system and containment (pressure, temperature, etc.).

The quantification of CET basic events is done by assessing the "likelihood" of the event occurring given a certain PDS. This quantification breaks down to:

  • Certain = 1.0
  • Almost Certain = 0.999
  • Likely = 0.99 / 0.9
  • Unknown = 0.5
  • Unlikely = 0.1 / 0.01
  • Very Unlikely = 0.001
  • Impossible = 0.0

Quantification of the basic events requires:

  • information from the system level cut sets as represented in the PDS designation,
  • information taken from MAAP calculations (see Section 4.3) used to model the PDS sequences,
  • information about operator actions or recovery actions during core melt sequences, and
  • technical reports on the various containment phenomena, as well as other analyses such as NUREG 1150.

The final quantification matrix is then used to solve the CET in order to assess the fission product release characteristics for each PDS.

4.3 Methodology

Considerable use is made of the Modular Accident Analysis Program (MAAP) code for the in-plant consequence analysis. The version of MAAP used is MAAP 3B revision 16. MAAP results are especially important in performing the CET quantification and are used to evaluate:

  • time to vessel failure,
  • time of containment failure due to steam overpressure,
  • hydrogen concentrations, and
  • wet or dry cavity determination.

The CET model is developed using the CAFTA software and solved using a Duke Power program developed using the EPRI Risk and Reliability software. The program, RCMGEN, interfaces with the CET CAFTA databases and decision trees and uses the SAIC GTPROB program to solve the decision tree for the CET end-points and branch probabilities. The GTPROB program is used due to the quantification of the CET basic events. Many of the data values are large numbers (numbers greater than 0.1) which result in inaccuracies for typical cut set generators that assume small numbers and truncate the boolean expressions.
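The inaccuracy described above can be reproduced on a small top gate. This is an added example, not code from the report or from GTPROB, CAFTA or RCMGEN; the event names and cut sets are constructed, and the event values are picked from the Section 4.2 likelihood scale.

```python
from itertools import product
from math import prod

# Constructed basic events for one CET top gate. The event names are
# hypothetical; the values are picked from the Section 4.2 likelihood scale.
CET_VALUES = {
    "DRY_CAVITY": 0.9,           # Likely
    "DEBRIS_NOT_COOLABLE": 0.5,  # Unknown
    "NO_SCRUBBING": 0.5,         # Unknown
    "SPRAY_FAILS": 0.1,          # Unlikely
}

# The same gate with values typical of a systems (Level 1) fault tree.
SYSTEM_VALUES = {name: 1.0e-3 for name in CET_VALUES}

# Constructed minimal cut sets of the top gate.
CUT_SETS = [
    frozenset({"DRY_CAVITY", "DEBRIS_NOT_COOLABLE"}),
    frozenset({"DRY_CAVITY", "NO_SCRUBBING"}),
    frozenset({"NO_SCRUBBING", "SPRAY_FAILS"}),
]


def cut_set_probability(cut_set, values):
    """Probability that every event in one cut set occurs (independent events)."""
    return prod(values[event] for event in cut_set)


def rare_event_sum(cut_sets, values, cutoff=0.0):
    """Rare-event approximation: add cut-set probabilities, truncating below cutoff."""
    probabilities = (cut_set_probability(c, values) for c in cut_sets)
    return sum(q for q in probabilities if q >= cutoff)


def min_cut_upper_bound(cut_sets, values):
    """1 - product(1 - P(cut set)); treats the cut sets as if independent."""
    return 1.0 - prod(1.0 - cut_set_probability(c, values) for c in cut_sets)


def exact_probability(cut_sets, values):
    """Exact top-gate probability by enumerating every basic-event state."""
    names = sorted(values)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        occurred = {n for n, s in zip(names, state) if s}
        if any(c <= occurred for c in cut_sets):
            total += prod(values[n] if s else 1.0 - values[n]
                          for n, s in zip(names, state))
    return total


def compare(cut_sets, values):
    """Return the three estimates side by side."""
    return {
        "rare_event": rare_event_sum(cut_sets, values),
        "min_cut_upper_bound": min_cut_upper_bound(cut_sets, values),
        "exact": exact_probability(cut_sets, values),
    }


if __name__ == "__main__":
    for label, values in (("CET values", CET_VALUES), ("system values", SYSTEM_VALUES)):
        result = compare(CUT_SETS, values)
        print(label, {k: f"{v:.6g}" for k, v in result.items()})
```

With the CET values the summed cut sets overstate the exact result by about 40%, while with 1E-03 values the two agree to better than 0.1%.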

The output of the RCMGEN program is the Release Category Matrix (RCM) which shows the distribution of each PDS within the defined release categories. Table 4.3-1 provides a cross reference for containment failure modes, the resulting release category definitions and the type of accident sequence.


Table 4.3-1 Rev. 2 McGuire Release Category Cross Reference

Containment Failure Mode         Release Category   Type of Accident Sequence
Containment Bypass               2.01 - 2.04        Interfacing Systems LOCA
Containment Isolation Failure    3.01 - 3.04        Large Isolation Failure
                                 4.01 - 4.08        Small Isolation Failure
Early Containment Failure        5.02               Early Failure With Ex-vessel Release
Late Containment Failure         6.01 - 6.08        Late Catastrophic Containment Failure
                                 7.01 - 7.04        Late Benign Containment Failure
Basemat Meltthrough              8.01 - 8.02        Containment Failure Due To Concrete Attack and Penetration
No Containment Failure           9.01 - 9.04        Containment Does Not Fail


5.0 PUBLIC HEALTH CONSEQUENCES

5.1 Model Development

The offsite consequences are calculated using the CRAC2 consequence model. This program models the transport of radioactive material released from the containment following a core melt accident. The model predicts the interaction of this radioactive material with the environment and people.

The CRAC2 model takes into account factors such as:

  • population,
  • site characteristics,
  • meteorology, and
  • evacuation strategies.

The CRAC2 model estimates the public health consequences in the following five areas.

Early Fatalities

This risk is characterized by fatalities that occur within one year of exposure. These fatalities are estimated on the basis of exposure to the bone marrow, lungs, and gastrointestinal tract.

Early Injuries

This risk is defined as nonfatal, noncarcinogenic illness that appears within one year of the exposure and requires medical attention or hospital treatment.

Latent Fatalities

This risk is defined as latent cancer fatalities occurring due to both initial and chronic exposure. This includes the early exposure to the radioactive cloud, chronic exposure to ground contamination, inhalation, and ingestion.

Thyroid Nodules

This risk is defined as any thyroid effects incurred from both initial and chronic exposure.

Whole-Body Person Rem

This risk is defined as the sum of the whole body dose received by the population within 500 miles of the Catawba site.

5.2 Data Development

The offsite consequences are modeled using the CRAC2 computer code (see Section 5.3). The input for this code consists of plant specific population and meteorology data as well as the fission product release fractions calculated using the MAAP computer code.

The input files for the CRAC2 computer code include the plant specific population and meteorology. The population input file has been updated with the 1990 census information.

The other input to CRAC2 is the release fractions of the fission products to the environment. The Release Category Matrix (RCM), developed as part of the containment performance portion of the PRA (see Section 4.3), is used to determine what type of core melt sequence best represents each release category. These accident sequences are then modeled with MAAP and the resulting fission product release fractions are retrieved from the MAAP output.

5.3 Methodology

The final risk results of the PRA are determined using a combination of computer codes and inputs from the other portions of the PRA study. The main computer code for modeling the offsite consequences is CRAC2. CRAC2 calculates the conditional frequency of occurrence for each of the health effects identified in Section 5.1.

As mentioned in Section 5.1, CRAC2 requires the release fractions of the fission products as input. The release category matrix gives the contribution of each PDS to each release category. A PDS may contribute to more than one release category, and each release category may have a contribution from more than one PDS. The fission product source term for a release category is therefore determined by reviewing the contributing PDSs and selecting the most representative sequence. In general, this will be the PDS that contributes the most to the release category frequency. In some cases two or more PDSs will make nearly equal contributions. In these cases, the PDSs will be reviewed to see if one of the PDSs would result in a more conservative offsite consequence calculation, usually due to a more rapid progression to reactor vessel or containment failure. The more conservative sequence is selected in these cases.

The most representative sequence from each release category is then analyzed using the MAAP code to establish the release fractions of the fission product species. The fission product groups from the MAAP code are mapped into the CRAC2 input groups in the following manner.

CRAC2 INPUT    MAAP OUTPUT
Xe             Noble Gases (FP species 1)
I              CsI and RbI (FP species 2)
Cs-Rb          CsOH (FP species 6)
Te-Sb          Greater of Sb or the sum of TeO2 and Te2 (FP species 10 or 3 and 11)
Ba             BaO (FP species 7)
Ru             MoO2 (FP species 5)
La             Lanthanides (FP species 8)
Sr             Sr (FP species 4)

The results of all three portions of the PRA are now combined using a risk calculation spreadsheet. This spreadsheet takes as input the conditional probability matrix from the Level 1 portion of the PRA (PDS frequencies), the release category matrix from the Level 2 portion of the PRA (PDS distribution within each release category) and the results of the CRAC2 (health effects from each release category). The spreadsheet produces several forms of output bot
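The selection of a representative PDS per release category and the combination of the three inputs, as an added example that is not the report's spreadsheet. The three PDS frequencies are the largest entries of Table 6.1-2; the release category matrix rows, the consequence values, the hours to containment failure and the 10% "nearly equal" threshold are constructed assumptions.

```python
# PDS frequencies per year, taken from Table 6.1-2 (three largest contributors).
PDS_FREQ = {"7PI": 1.51e-05, "22CI": 1.04e-05, "19DI": 5.95e-06}

# Constructed release category matrix: P(release category | PDS), rows sum to 1.
RCM = {
    "7PI":  {"9.01": 0.60, "6.01": 0.30, "8.01": 0.10},
    "22CI": {"9.01": 0.50, "6.01": 0.45, "8.01": 0.05},
    "19DI": {"9.01": 0.20, "6.01": 0.10, "8.01": 0.70},
}

# Constructed consequence per release (whole-body person-rem), standing in
# for the CRAC2 result of each release category.
CONSEQUENCE = {"9.01": 1.0e3, "6.01": 2.0e6, "8.01": 5.0e4}

# Constructed hours from core damage to containment failure, used here as the
# measure of "more rapid progression" when contributions are nearly equal.
HOURS_TO_FAILURE = {"7PI": 20.0, "22CI": 30.0, "19DI": 12.0}


def validate_rcm(rcm, tol=1e-9):
    """Each PDS must be fully distributed over the release categories."""
    for pds, row in rcm.items():
        if abs(sum(row.values()) - 1.0) > tol:
            raise ValueError(f"RCM row for {pds} sums to {sum(row.values())}")


def rc_contributions(pds_freq, rcm):
    """Frequency contributed by each PDS to each release category."""
    validate_rcm(rcm)
    contributions = {}
    for pds, row in rcm.items():
        for rc, conditional in row.items():
            contributions.setdefault(rc, {})[pds] = pds_freq[pds] * conditional
    return contributions


def rc_frequencies(pds_freq, rcm):
    """Total frequency of each release category."""
    return {rc: sum(by_pds.values())
            for rc, by_pds in rc_contributions(pds_freq, rcm).items()}


def representative_pds(by_pds, hours_to_failure, near_equal=0.10):
    """Largest contributor, unless others are within near_equal of it;
    then the candidate with the fastest progression is taken."""
    largest = max(by_pds.values())
    candidates = [p for p, f in by_pds.items() if f >= (1.0 - near_equal) * largest]
    return min(candidates, key=lambda p: (hours_to_failure[p], -by_pds[p]))


def annual_risk(pds_freq, rcm, consequence):
    """Sum over release categories of frequency times consequence."""
    return sum(freq * consequence[rc]
               for rc, freq in rc_frequencies(pds_freq, rcm).items())


if __name__ == "__main__":
    for rc, by_pds in sorted(rc_contributions(PDS_FREQ, RCM).items()):
        chosen = representative_pds(by_pds, HOURS_TO_FAILURE)
        print(rc, f"{sum(by_pds.values()):.3e}/yr", "representative PDS:", chosen)
    print(f"risk: {annual_risk(PDS_FREQ, RCM, CONSEQUENCE):.4f} person-rem/yr")
```

For release category 6.01 the largest contributor is 22CI, but 7PI is within 10% of it and fails sooner, so 7PI is selected.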


Table 6.1-1 Rev. 2 Summary of Core Damage Frequency Results

Initiating Event                                        Frequency   Total Frequency
Internal                                                            3.2E-05
  Transients
    Reactor Trip (T1)                                   1.7E-07
    Loss of Load (T2)                                   4.5E-08
    Loss of Offsite Power (T3)                          4.2E-07
    Loss of Main Feedwater (T4)                         1.4E-07
    Secondary Line Break Inside Containment (T6)        1.0E-07
    Loss of Nuclear Service Water (T9)                  1.9E-06
    Loss of Component Cooling Water (T10)               4.1E-06
    Loss of 4160 V ac Essential Bus (T11)               1.0E-06
    Loss of Instrument Air (T12)                        4.8E-08
    Inadvertent Safety Injection (T13)                  1.9E-07
    Other Transients                                    <1E-8
    Transient Total                                     8.1E-06
  Loss of Coolant Accidents
    Small                                               1.1E-05
    Medium                                              4.9E-07
    Large                                               6.8E-08
    LOCA Total                                          1.2E-05
  Internal Flood                                        1.1E-05
  Anticipated Transient Without Scram                   1.5E-07
  Reactor Vessel Rupture                                1.0E-06
  Interfacing Systems LOCA                              2.5E-07
  Steam Generator Tube Rupture                          1.8E-09
External                                                            1.5E-05
  Seismic                                               8.5E-06
  Tornado                                               1.0E-06
  Fire                                                  5.2E-06
Total Core Damage Frequency                                         4.7E-05

Table 6.1-2 Rev. 2 Summary of Core Damage Frequency Results by Plant Damage State

Plant Damage State   Frequency   Percent of CDF
14AI                 1.68E-07    0.40%
14DI                 1.21E-08    0.00%
14PI                 5.90E-09    0.00%
14PL                 8.42E-10    0.00%
15AI                 5.66E-07    1.20%
15DI                 4.34E-07    0.90%
15PI                 3.51E-06    7.50%
15PS                 2.85E-09    0.00%
19DI                 5.95E-06    12.80%
19DS                 9.33E-10    0.00%
1AI                  1.18E-06    2.50%
1AS                  1.75E-10    0.00%
1PI                  4.21E-09    0.00%
1PL                  1.26E-08    0.00%
20PI                 8.42E-10    0.00%
21DI                 1.74E-07    0.40%
22AI                 5.72E-07    1.20%
22CI                 1.04E-05    22.30%
22CS                 3.80E-09    0.00%
23DI                 1.02E-06    2.20%
24AI                 2.28E-08    0.00%
24CI                 2.18E-08    0.00%
24DI                 4.12E-06    8.80%
24DS                 1.25E-09    0.00%
26DI                 1.84E-09    0.00%
27DI                 2.50E-07    0.50%
2CI                  2.10E-08    0.00%
2DI                  2.02E-08    0.00%
4DI                  4.22E-08    0.10%
4PI                  1.73E-07    0.40%
4PS                  1.07E-10    0.00%
5AI                  8.98E-08    0.20%
5CI                  4.53E-07    1.00%
5CS                  6.72E-11    0.00%
5DI                  4.55E-07    1.00%
7DI                  8.37E-07    1.80%
7PI                  1.51E-05    32.40%
7PL                  7.49E-08    0.20%
7PS                  1.25E-08    0.00%
8PI                  8.24E-07    1.80%
8PL                  8.99E-08    0.20%

6.0 RESULTS

The two major classes of results produced by a probabilistic risk assessment are core damage frequency and public health risk. The core damage frequency is the result of the plant systems analyses. Those combinations of component failures and human actions that lead to a core melt are identified and the likelihood of their occurrence computed. Section 6.1 presents the core damage frequency results for Catawba Nuclear Station, Unit 1. Public health risk is obtained by combining the core damage frequency analysis with an analysis of core damage consequences. This consequence analysis consists of a determination of the level and likelihood of radioactivity released to the environment for the various core damage sequences and an evaluation of the health effects resulting from each release. The containment performance results are described in Section 6.2. Public health risk results are presented in Section 6.3. In addition to simply presenting the results, Sections 6.1 through 6.3 also provide a discussion of those plant characteristics that were found to significantly affect the Catawba core damage frequency as well as the risk it poses to the public health.

Risk assessment provides a valuable understanding of the relative strengths and weaknesses of a plant design and operation. It is recognized, however, that in performing risk assessment studies, the process of estimating the frequency of relatively rare events is subject to varying degrees of uncertainty. Depending on the source of the uncertainty, it may be appropriate to either quantitatively or qualitatively assess the impact of the uncertainty. Section 6.4 provides a discussion of the uncertainties associated with this study as well as other sensitivity studies performed.

6.1 Core Damage Frequency

The calculated mean annual core damage frequency (CDF) is approximately 4.7E-05. A listing of the contributors to core damage by initiating event is provided in Table 6.1-1. These results are pictorially presented in Figure 6.1-1 for initiators representing at least 0.5% of the total CDF. Sections 6.1.1 and 6.1.2 describe the results for internal and external initiating events, respectively. A discussion of those plant characteristics that significantly affect the calculated core damage frequency is presented in Section 7.0.

6.1.1 Internal Events

Approximately 68% of the calculated core damage frequency for Catawba Unit 1 is attributable to internal initiating events. The dominant component failures and/or human errors required to produce a core damage for each initiating event are described in this section. The calculated annual core damage frequency due to internal events is approximately 3.2E-05/yr.

Plant Transients

Approximately 17% of the total core damage frequency and 25% of the internally generated core damage frequency are initiated by various plant transients that involve a successful reactor scram. A discussion of the core damage characteristics of each plant transient with an estimated annual core damage frequency greater than 1.0E-08/yr is provided in the following paragraphs. The calculated annual core damage frequency due to plant transients, involving successful reactor scram, is approximately 8.1E-06/yr.

Reactor Trip (T1)

The calculated annual core damage frequency resulting from a routine reactor trip is approximately 1.7E-07/yr. This initiating event accounts for 0.4% of the total CDF and 0.5% of the internal CDF. The dominant sequences are those where main feedwater is not recovered following a trip, and there is a common cause failure of the CA suction sources or other CA failures. Operator failure to initiate feed and bleed leads to core damage.

Loss of Load (T2)

The calculated annual core damage frequency resulting from a loss of load is 4.5E-08/yr. This initiating event accounts for 0.1% of the total CDF and approximately 0.1% of the internal CDF. The dominant sequences are those where main feedwater is not recovered following a trip, and CA fails due to support system failures. The support system failures also lead to ECCS failures and this results in core damage.

Loss of Offsite Power (T3)

The calculated annual core damage frequency resulting from a loss of offsite power is approximately 4.2E-07/yr. This initiating event accounts for 0.9% of the total CDF and 1.3% of the internal CDF. In the dominant sequences, the LOOP is followed by diesel generator failure (mostly run failures) with hardware and human errors associated with the SSF. The resulting RCP seal LOCA leads to core damage when offsite power is not recovered prior to core damage.

Loss of Main Feedwater (T4)

The calculated annual core damage frequency resulting from a loss of main feedwater is approximately 1.4E-07/yr. This initiating event accounts for approximately 0.3% of the total CDF and approximately 0.4% of the internal CDF. The most likely sequences of events are the same as those associated with the reactor trip: feedwater is not recovered following the trip, and there is a common cause failure of the CA suction sources or other CA failures. Operator failure to initiate feed and bleed leads to core damage.

Secondary Line Break Inside Containment (T6)

The calculated annual core damage frequency resulting from a secondary line break inside containment is approximately 1.0E-07/yr. This initiating event accounts for approximately 0.2% of the total CDF and approximately 0.3% of the internal CDF. The most likely sequence of events is a loss of all secondary side heat removal due to hardware failures and KC system maintenance. Operator failure to initiate feed and bleed leads to core damage.

Loss of Nuclear Service Water (T9)

The calculated annual core damage frequency resulting from a loss of low pressure service water is approximately 1.9E-06/yr. This initiating event accounts for 4.0% of the total CDF and 5.8% of the internal CDF. In the dominant sequences, the loss of RN is followed by failure to restore main feedwater and failure of the turbine driven CA pump. Feed and bleed fails in the recirculation phase without RN and this leads to core damage.

Loss of Component Cooling Water (T10)

The calculated annual core damage frequency resulting from a loss of Component Cooling is approximately 4.1E-07/yr. This initiating event accounts for 8.7% of the total CDF and 12.8% of the internal CDF. In the dominant sequences, the loss of KC is followed by a failure to restore main feedwater and failure of the CA turbine driven pump. Feed and bleed fails in the recirculation phase without KC and this leads to core damage.

Loss of Operating 4160 V ac Bus (T11)

The calculated annual core damage frequency resulting from a loss of the operating 4160 V ac bus (1ETA) is approximately 1.0E-06/yr. This initiating event accounts for 2.3% of the total CDF and 3.3% of the internal CDF. In the dominant sequences, the loss of the bus is combined with maintenance on bus 1ETB, and followed by failure of the SSF due to human error or hardware failure. The resulting RCP seal LOCA leads to core damage.

Loss of Instrument Air (T12)

The calculated annual core damage frequency resulting from a loss of instrument air is approximately 4.8E-08/yr. This initiating event accounts for 0.1% of the total CDF and approximately 0.2% of the internal CDF. In the dominant sequence, the loss of VI is followed by a challenge to the pressurizer relief valve which sticks open. Operator failure to initiate high pressure recirculation then leads to core damage.

Inadvertent Safety Injection (T13)

The calculated annual core damage frequency resulting from an inadvertent SI is approximately 1.9E-07/yr. This initiating event accounts for 0.4% of the total CDF and 0.6% of the internal CDF. In the dominant sequences, the inadvertent SI is followed by failures of the CA system either directly or through support systems. Failure of feed and bleed leads to core damage.

Loss of Coolant Accidents

Approximately 25% of the total core damage frequency and 37% of the internal event core damage frequency are initiated by various size LOCAs. A discussion of the core damage characteristics of each LOCA size is provided in the following paragraphs. The calculated annual core damage frequency due to LOCA initiating events is 1.2E-05/yr.

Small Break LOCA

The calculated annual core damage frequency resulting from small break LOCA initiating events is approximately 1.1E-05/yr. This initiating event accounts for approximately 24% of the total CDF and 35% of the internal CDF. The most likely sequence of events consists of a small break LOCA with successful high pressure injection but a failure of the operators to establish high pressure recirculation. The NV and NI pumps must "piggyback" onto the ND System to function in the recirculation mode. Other important sequences include various hardware failures leading to a loss of recirculation or injection capability.

Medium Break LOCA

The calculated annual core damage frequency resulting from medium break LOCA initiating events is approximately 4.9E-07/yr. This initiating event accounts for approximately 1.1% of the total CDF and 1.6% of the internal CDF. The most likely sequence of events consists of a medium break LOCA with successful high pressure injection but a failure of the operators to establish high pressure recirculation. The NV and NI pumps must "piggyback" onto the ND System to function in the recirculation mode. Other important sequences include various hardware failures leading to a loss of recirculation or injection capability.

Large Break LOCA

The calculated annual core damage frequency resulting from large break LOCA initiating events is approximately 6.8E-08/yr. This initiating event accounts for approximately 0.1% of the total CDF and 0.2% of the internal CDF. The most likely sequence of events consists of a large break LOCA with a common cause failure of the ND pumps or the sump recirculation valves.

Anticipated Transients Without Scram (ATWS)

The calculated annual core damage frequency due to ATWS events is approximately 1.5E-07/yr. This initiating event accounts for approximately 0.3% of the total CDF and approximately 0.5% of the internal CDF. An ATWS event begins as a normal transient, such as a loss of main feedwater or loss of load. However, a subsequent failure of the Reactor Protection System to scram the reactor leads to a severe mismatch of power versus heat removal. The result is a temperature and pressure surge within the Reactor Coolant System that may challenge the system's integrity.

The most likely sequence of events consists of this failure combined with a loss of main feedwater. If the moderator temperature coefficient is not sufficiently negative, the RCS is assumed to overpressurize and fail catastrophically, while at the same time failing emergency injection. A moderator temperature coefficient in the unfavorable range is conservatively assumed to exist 50% of the time to allow for core design changes.

Steam Generator Tube Ruptures (SGTR)

The calculated annual core damage frequency due to SGTR events is approximately 1.8E-9/yr. This initiating event is an insignificant contributor to the CDF.

Interfacing-Systems LOCA

The calculated annual core damage frequency due to interfacing-system LOCAs is approximately 2.5E-07/yr. This accounts for approximately 0.5% of the total core damage frequency and approximately 0.8% of the internal core damage frequency.

An interfacing-systems LOCA occurs when a Reactor Coolant System pressure boundary failure, usually through a valve, results in the over-pressurization of an interfacing system. Although typically low in frequency, this class of accident is important to risk since the over-pressurized system is usually located in the Auxiliary Building. Therefore, any subsequent release of radioactivity bypasses the containment.

Reactor Pressure Vessel Failure

The calculated annual core damage frequency due to a reactor pressure vessel failure is 1.0E-06/yr. This initiating event accounts for 2.1% of the total CDF and 3.1% of the internal CDF. The initiating event is assumed to lead directly to core melt because water inventory cannot be maintained.

Flooding (internal)

The calculated core damage frequency due to internal flooding is approximately 1.1E-05/yr. This accounts for approximately 23% of the total CDF and 34% of the internal CDF. The dominant flooding sequence consists of a flood in the Turbine Building. This is followed by D/G failures and failure to provide either seal injection or CA via the SSF. The resulting seal LOCA or feed and bleed failure results in core damage. The CA pump room flood followed by a failure to restore main feedwater is also a contributing sequence.

6.1.2 External Events

Approximately 32% of the calculated annual core damage frequency for Catawba Unit 1 is attributable to external initiating events. The dominant component failures and/or human errors required to produce a core melt for each initiating event are described in this section. The calculated annual core damage frequency due to external events is approximately 1.5E-05/yr.

Seismic Events

The calculated annual core damage frequency resulting from a seismic event is approximately 8.42E-06/yr. This value represents approximately 58% of the external contribution to the overall plant core melt probability. The governing accident sequences involve the failure of the 4160V ac switchgear and the SSPS cabinets (86% contribution to CMF). The remaining cut sets involve responses to a loss of off-site power.

Tornadoes

The calculated annual core damage frequency resulting from tornadoes impacting Catawba is approximately 1.0E-06/yr. This initiating event accounts for 2.2% of the total CDF and 7.0% of the external CDF. The dominant sequence of events consists of a tornado induced loss of offsite power followed by D/G failures and failure of the SSF. The D/G and SSF failures may be independent or a result of tornado induced damage. No credit is assumed for offsite power recovery following a tornado.

Fires

The calculated annual core damage frequency due to fire is approximately 5.2E-06/yr. This accounts for approximately 11% of the total CDF and 35% of the external CDF. The dominant sequences are fires that result in loss of KC with failure of the SSF.

6.1.3 Total

The core damage frequency results summarized in the previous sections indicate that there is a commonality among all significant accident sequences: operator error or the failure of major support systems. These systems are primarily ac power, component cooling, and nuclear service water. As will be seen in the next section, failure of these systems is doubly important since their failure also significantly impairs containment safeguards. A review of the core damage results with regard to the design and operation of Catawba reveals numerous aspects of the plant that have an important effect on the calculated core damage frequency. The most important of these features are briefly described below.

Reactor Coolant Pump Seals

The maintenance of injection and cooling for the reactor coolant pump seals is important in many sequences. Failure to maintain injection and cooling exposes the seals to high temperature and pressure. Exposure to these conditions for an extended period of time inevitably results in failure of the seals, which in effect is a LOCA.

Some information is available regarding the performance of Westinghouse seals under severe conditions. Nevertheless, various assumptions on seal performance are necessary for risk analysis purposes. This study incorporates the most recent Westinghouse model for reactor coolant pump seal failures given a loss of seal injection and thermal barrier cooling. The failure model for reactor coolant pump seals is important because it defines the time available for station personnel to restore cooling and thus prevent a seal LOCA. Recent estimates of leakage rate vary between 21 and 480 gpm per pump, depending upon the potential thermal and hydraulic events which can occur following loss of both support systems. A significant percentage of the total core damage frequency (~45%) is attributable to sequences involving RCP seal LOCAs.

The dominant sequences that result in RCP seal LOCAs are the LOOP initiated sequences and the loss of the service water system initiated sequences. Because of the uncertainty in RCP seal performance under these conditions, expeditious actuation of the SSF standby makeup pump is desirable. Clear procedural guidance is important to assure high reliability of this action.

Standby Shutdown Facility

A unique safety feature of the Catawba Nuclear Station is the Standby Shutdown Facility (SSF). The SSF is an independent structure located on the Catawba site that contains its own dedicated diesel generator. This facility houses the Standby Shutdown System (SSS), which provides a means of bringing the unit to safe hot shutdown condition, in the event the normal plant safety systems are. The manually activated SSS can maintain the plant in hot shutdown condition until damage control measures are instituted to bring the unit to a cold shutdown condition.

The SSS design provides a totally independent means of reactor coolant pump seal cooling, and thus an additional level of reactor coolant pump seal LOCA protection. This additional level of protection is very important in mitigating sequences that result in total failure of major support systems.

Maintenance Unavailability of Important Systems

A number of maintenance activities are prominent in the results. In some cases screening values have been used for the maintenance unavailabilities. In particular the ac and dc bus maintenance values are conservatively high screening values of 0.1% unavailability, ~9 hours per year while at power. Switchgear 1ETB maintenance is the most important maintenance event. This event in combination with the T11 (loss of operating 4160 V ac bus) initiator and SSF failure is a significant contributor to the calculated core damage frequency.

The SSF maintenance is also important. The RCM flow path is the most significant but the SSF D/G maintenance also contributes.

The diesel generator maintenance events are also important maintenance events in the results.


Maintenance of the RN system is also among the top maintenance events in importance.

Turbine Building

The prediction of the likelihood of a flood is difficult. However, the loss of offsite power (and the assumed inability to restore offsite power) that results from the turbine building flood makes this an important contributor to the calculated CDF.

Ability to Crosstie Between Units or Systems

Crossties between units are an important mitigating feature for Catawba. Since most LOOP events are expected to affect only one unit, the ability to cross connect offsite power between units is an important mitigating feature for these transients.

Human Actions Insights

A review of the importance measures for the various post-initiator human actions produced the following observations.

Recirculation Switch-over

The leading contributor to the LOCA core damage frequency is the failure of the operators to properly swap to the high pressure recirculation mode of cooling for either a small or medium break LOCA.

SSF Human Actions

One of the most important human events modeled in the Catawba PRA is the manual activation of the SSF. This action is important in mitigating many of the potential core damage sequences identified by the PRA. Activation of the SSF is important for many initiators, especially for the LOOP and loss of RN sequences.

Cross Connecting Between Units

Failure to recover offsite power from an unaffected unit is an important mitigating action in the PRA.

NV Pump Backup Cooling

Failure to provide backup cooling to the NV pumps for loss of KC scenarios is an important mitigating action in the PRA. The hardware modifications to make this backup cooling available have not yet been made at Catawba; however, this modification is planned and credit for this capability has been assumed in the analysis. The proposed modification makes an important contribution to keeping the internal event CDF at the currently estimated low value of 3.2E-05/year.

6.2 Containment Performance

As stated in Section 4, the following containment failure modes were considered in this analysis:

  • Containment bypass (ISLOCA and SGTR)
  • Isolation Failures (large and small)
  • Early Containment Failures
  • Late Containment Failures (catastrophic and benign)
  • Basemat meltthrough
  • No Containment failure

Table 6.2-1 displays the frequencies of the different containment failure modes for internal initiators, external initiators, and the combined total. The following insights can be drawn from the table.

No Containment Failure

This is the dominant containment failure end state for Catawba. The containment remains intact for 47% of the total CDF, 62% for internal initiators, and 26% for the external initiators. In order for the containment to remain intact, sequences in this category must have the containment sprays available for the entire sequence or recovered after initial failure. Sequences that start with a failure of the containment sprays are examined for a possible late recovery. If the containment survives for longer than 36 hours, then there is a chance of recovering containment sprays (for example by restoring ac power). The seismic and tornado initiators are assumed to lose offsite power and no recovery is credited for the seismic initiator. This assumption accounts for the larger fraction of the externals that result in containment failure. Sequences that are not recovered will end up being basemat meltthroughs or late over-pressurizations.

Basemat Meltthrough

Basemat meltthrough is calculated to occur for about 5% of the total CDF, with 7% for the internal sequences, and 3% for the external. For the majority of accident sequences, the core debris will be trapped in the cavity with water covering the debris.

In a large fraction of the CDF, the refueling water storage tank (FWST) remains full due to failure of injection and spray. Following vessel failure the FWST is expected to drain through the ND system into the failed vessel and, therefore, fill the cavity with water. This situation is likely to prevent basemat meltthrough but the eventual boiling of the inventory in the cavity will become a challenge to the containment as the ice is depleted. In other sequences the injection of the FWST inventory in addition to the ice melt allows the water that accumulates in the lower containment to overflow into the cavity through the RCS penetrations in the biological shield wall.

Late Over-pressurization

Late over-pressurization is calculated to occur for about 40% of the total CDF, with 28% for the internal sequences, and 57% for the external. The sequences in this category are those where containment sprays are and not recovered. This leads to the buildup of pressure from steam and non-condensable over many hours until the containment fails. Most of these sequences have the core material in the cavity with an overlying water pool. The resulting steam generation pressurizes the containment following depletion of the ice in the ice condenser. Although over-pressurization can occur from non-condensable gas build up (due to concrete ablation), these dry cavity sequences can also lead to a basemat meltthrough before over-pressurization. As mentioned earlier, 90% of the late over-pressure failures are assumed to be catastrophic in nature.

Early Containment Failure

Early containment failure is calculated to occur for about 7% of the total CDF, with 3% for the internal sequences, and 14% for the external. The dominant containment challenges that result in early containment failure (within 5 hours of reactor vessel failure) are hydrogen combustion and direct contact of corium in the containment.

Since many core damage sequences have a loss of all ac power, the igniters are unavailable to control the accumulation of hydrogen in the containment. The resulting high hydrogen concentrations can cause containment over-pressurizations.

All early containment failures are assumed to be catastrophic failures of the containment structure. A significant fraction of the core damage sequences also result in reactor vessel failure at intermediate to high RCS pressures. Direct contact of corium with the containment shell is a contributing failure mechanism for these sequences.

Other mechanisms that challenge the containment early such as direct containment heating and rapid steam generation are calculated to occur at very low frequencies relative to the two mechanisms discussed above.

Isolation Failure

A containment isolation failure is calculated to occur for about 0.4% of the total CDF, with 0.2% for the internal sequences, and 0.8% for the external. The larger fraction for the external events is driven by the frequent loss of ac power that occurs in these sequences. Failure to manually isolate the containment ventilation unit condensate drain line results in an air-to-air pathway from the containment to the auxiliary building. Other random isolation failures do occur for all sequences but these are small contributors to the overall frequency.

Containment Bypass

A containment bypass is calculated to occur for about 0.5% of the total CDF, with 0.8% for the internal sequences, and less than 0.01% for the external. Sequences in this category include ISLOCAs and Steam Generator Tube Ruptures (SGTR). The internal frequency is dominated by the occurrence of an ISLOCA. Approximately 10% of the internal frequency is a result of induced steam generator tube ruptures.

The SGTR initiator makes an insignificant contribution to this containment failure mode. The external frequency is a result of induced steam generator tube ruptures.

In summary, the frequency of a significant early release is low, approximately 4% of the core melt frequency. Of this 4%, most is from isolation failures due to external events.

Most of the core melt frequency is dominated by late, low energy releases with the dominant category being basemat meltthrough at 46%.

6.3 Public Health Risks

Of the 42 possible release categories, 34 had non-zero frequencies. Of these, 4 release categories tended to dominate all of the health effects. These are:

  • RC5.01 Early containment failure
  • RC6.01 Late containment failure, with fission product scrubbing, with no fission product revaporization release
  • RC6.02 Late containment failure, without fission product scrubbing, with a fission product revaporization release

Tables 6.3-1 through 6.3-3 provide the distribution of risk based on the containment failure state.

Early Fatality Risk

Release category 2.04, an ISLOCA, is the dominant contributor to the early fatality risk, contributing 92%. For this release category, the fission product releases are very high since containment is bypassed, and there is insufficient warning time for evacuation prior to the release. However, ISLOCA sequences tend to have lower frequencies of occurrence which helps to keep the early fatality risk low overall.

Release category 3.05, a large containment isolation failure, contributes 5.7% of the early fatality risk. This release category takes no credit for fission product scrubbing.

Early Injury Risk

As with the early fatalities, this health risk is dominated by release category 2.04, contributing 83%. For this release category, the fission product releases are very high since containment is bypassed, and there is insufficient warning time for evacuation prior to the release.

Release categories 5.01, early containment failure, and 3.05 also contribute significantly to the early injury frequency, 6.6% and 3.5% respectively.

Latent Fatality Risk

In this risk category, approximately 57% of the latent fatalities are from release categories 6.01 through 6.04, late containment failures. The majority of this risk is from RC 6.02. The sequences dominating RC 6.02 are sequences involving loss of all ac power or loss of KC. A wet cavity, following reactor vessel failure, with no containment spray leads to a long term over-pressurization of the containment when containment spray is not recovered.

Release category 5.01 contributes 28% of the latent fatalities. The sequences dominating release category 5.01 are seismically induced station blackouts. Station blackouts as a result of tornadoes, LOOPs, and the loss of the operating 4 kV bus (T11) initiator are the other major contributors. The loss of the hydrogen mitigation system due to the loss of all ac power allows hydrogen combustion events to lead to containment failure. Additional containment failure potential exists from corium contact with the containment wall due to the inability to completely depressurize the reactor coolant system.

Release category 2.04, ISLOCA, contributes 8.8% of the latent fatalities.

Thyroid Nodule Risk

In this risk category, approximately 30% of the thyroid nodule risk is from release category 5.01. The sequences dominating release category 5.01 are seismically induced station blackouts. Station blackouts as a result of tornadoes, LOOPs, and the loss of the operating 4 kV bus (T11) initiator are the other major contributors. The loss of the hydrogen mitigation system due to the loss of all ac power allows hydrogen combustion events to lead to containment failure. Additional containment failure potential exists from corium contact with the containment wall due to the inability to completely depressurize the reactor coolant system.

Approximately 42% of the thyroid nodule risk is from late containment failures, release categories 6.01 through 6.04. The majority of this risk is from RC 6.02. The sequences dominating RC 6.02 are sequences involving loss of all ac power or loss of KC. A wet cavity, following reactor vessel failure, with no containment spray leads to a long term over-pressurization of the containment when containment spray is not recovered.

Approximately 16% of the thyroid nodule risk is from RC 2.04, the ISLOCA. For this release category, the fission product releases are very high since containment is bypassed, and there is insufficient warning time for evacuation prior to the release.

Whole-Body Person-Rem

In this risk category, approximately 59% of the whole-body person-rem are from late containment failures, release categories 6.01 through 6.04. The majority of this risk is from RC 6.02. The sequences dominating RC 6.02 are sequences involving loss of all ac power or loss of KC. A wet cavity, following reactor vessel failure, with no containment spray leads to a long term over-pressurization of the containment when containment spray is not recovered.

Approximately 29% of the whole-body person-rem are from release category 5.01. The sequences dominating release category 5.01 are seismically induced station blackouts. Station blackouts as a result of tornadoes, LOOPs, and the loss of the operating 4 kV bus (T11) initiator are the other major contributors. The loss of the hydrogen mitigation system due to the loss of all ac power allows hydrogen combustion events to lead to containment failure. Additional containment failure potential exists from corium contact with the containment wall due to the inability to completely depressurize the reactor coolant system.

The remaining contribution comes mostly from the ISLOCA, approximately 7%.

6.4 Large Early Release Frequency

The large early release frequency is calculated to be 4.3E-07/yr. This frequency is the sum of the frequencies of those release categories identified as having a meaningful potential for early fatalities. The ISLOCA and seismic initiators are the dominant contributors. The internal and external components of the LERF are 2.5E-07/yr and 1.8E-07/yr, respectively.

6.5 Sensitivity Studies

Sensitivity studies have been performed and the results are summarized below.

Maintenance

Maintenance activities result in plant equipment and systems being unavailable when needed. Two variations are evaluated with respect to the maintenance values.

If all "at power" maintenance were eliminated (all maintenance probabilities set to 0.0) the overall core damage probability is reduced to 3.1E-05/yr for the non-seismic core damage frequency. This represents an approximately 17% reduction from the base case non-seismic contribution of approximately 3.8E-05/yr. The seismic results have been shown to be relatively insensitive to the maintenance values over the range of expected unavailabilities.

If all maintenance unavailabilities are assumed to take on the values associated with the maintenance rule availability objectives, the calculated CDF increases to approximately 1.0E-04/yr, a 163% increase over the base case CDF. It is unreasonable, however, to assume that this increased maintenance would be experienced by all systems at the same time. As before, this result does not include any impact from the seismic CDF.

Human Errors

The sensitivity of the results to the human error probabilities is investigated by considering three new values for the human reliability events. All of the HRA events are assumed to simultaneously take on values 5 times higher than the base case value, five times lower than the base case value, or a value of zero. The CDF results for the non-seismic contribution to the CDF are calculated for each case, and these results are presented in the following table.

HRA Value    Resulting CDF    Change in CDF from base case
Nominal      3.8E-05          --
High Value   1.3E-04          +242%
Low Value    2.3E-05          -39%
0            2.0E-05          -47%

It is seen from the table that the non-seismic CDF results are sensitive to the values calculated for the human error probabilities.

Uncertainty

In risk assessment studies the process by which the frequency of rare events is predicted is subject to varying degrees of uncertainty. These sources of uncertainty include the frequency and consequences of initiating events (especially the external events), basic event data, modeling, and human reliability analysis. The core damage frequency calculated in this analysis is a point estimate of the CDF. Uncertainty bands in the database are estimated and a probability distribution is obtained for the calculated CDF. The results of this calculation are given in Figures 6.1-2 and 6.1-3.

Initiator Frequencies

Some initiating events analyzed in the PRA are sufficiently rare that no occurrences of these events have been experienced by the industry. There is no generally accepted procedure for estimating the frequencies of these rare events. These initiators are the large and medium LOCAs (LL and ML). As noted in Section 3.1.2, these frequencies have been calculated using the chi-squared variate at the 50% cumulative probability level with one degree of freedom. This sensitivity study evaluates the CDF impact of applying alternative approaches to estimating these initiator frequencies. The first estimate is the posterior mean if the industry experience is used to update an assumed noninformative prior distribution as described in the PRA Procedures Guide (NUREG/CR-2300), and the second estimate is the chi-squared variate using 2 degrees of freedom instead of 1 for the median estimate. These two approaches provide initiator frequency estimates that are higher than the base case value by factors of approximately 2 and 3 respectively.

The results show an increase in the overall CDF of approximately 9.6E-07 (2.1%) and 1.6E-06 (3.4%) for the two new estimates. These modest increases in the CDF for these fairly large increases in initiator frequency are expected since the ML and LL initiators play a moderate role in the overall CDF.
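The three initiator frequency estimates compared above can be reproduced numerically. The following is an added example, not part of the original report: the exposure time is a constructed value, the noninformative prior is assumed to be the Jeffreys prior (posterior mean (n + 0.5)/T), and the extension of the chi-squared estimates to n observed events (2n + 1 and 2n + 2 degrees of freedom) is a generalization beyond the zero-occurrence case the report describes.

```python
"""Added example: frequency estimates for initiators with few or no occurrences."""
import math


def reg_lower_gamma(a, x):
    """Regularized lower incomplete gamma function P(a, x), by power series."""
    if x <= 0.0:
        return 0.0
    term = 1.0 / a
    total = term
    n = 0
    while abs(term) > 1e-17 * abs(total):
        n += 1
        term *= x / (a + n)
        total += term
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))


def chi2_cdf(x, dof):
    """Cumulative distribution function of the chi-squared distribution."""
    return reg_lower_gamma(dof / 2.0, x / 2.0)


def chi2_quantile(p, dof):
    """Chi-squared variate at cumulative probability p, found by bisection."""
    lo, hi = 0.0, 1.0
    while chi2_cdf(hi, dof) < p:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if chi2_cdf(mid, dof) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def chi2_rate(events, exposure_years, dof_offset, p=0.5):
    """Rate estimate chi2_p(2n + dof_offset) / (2T), in events per year."""
    dof = 2 * events + dof_offset
    return chi2_quantile(p, dof) / (2.0 * exposure_years)


def jeffreys_posterior_mean(events, exposure_years):
    """Posterior mean of a Poisson rate under the (assumed) Jeffreys prior."""
    return (events + 0.5) / exposure_years


def compare_estimates(events, exposure_years):
    """Return the base case and both alternatives, with ratios to the base."""
    base = chi2_rate(events, exposure_years, dof_offset=1)
    bayes = jeffreys_posterior_mean(events, exposure_years)
    alt = chi2_rate(events, exposure_years, dof_offset=2)
    return {
        "base_chi2_1dof": base,
        "jeffreys_mean": bayes,
        "chi2_2dof": alt,
        "ratio_jeffreys": bayes / base,
        "ratio_chi2_2dof": alt / base,
    }


if __name__ == "__main__":
    # Constructed exposure: zero LOCA occurrences in 2000 reactor-years.
    for key, value in compare_estimates(0, 2000.0).items():
        print(f"{key:16s} {value:.3e}")
```

With zero occurrences the two ratios do not depend on the exposure time, so they can be compared directly with the factors of approximately 2 and 3 quoted above.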

Common Cause Failure Probabilities

The sensitivity of the McGuire PRA CDF to variations in the common cause failure rates is evaluated with this study. The PRA results are recalculated for common cause failure rates that are higher than the base case value, lower than the base case value, and assume a value of 0. The maximum and minimum values for each event are assumed to equal the 95th and 5th percentile values of a lognormal distribution with an assumed error factor of 10 and a mean value equal to the nominal basic event value.

The non-seismic core damage frequency impact for the range investigated is presented in the following table.

CCF Value    Resulting CDF    Change in CDF from base case
Nominal      3.8E-05          --
High Value   5.5E-05          +47%
Low Value    3.3E-05          -14%
0            3.3E-05          -14%

The low values investigated are sufficiently small that the result is the same as for the 0 value case. Overall, the PRA results are not very sensitive to the CCF values over the range investigated.
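The high and low CCF values described above follow from the lognormal parameters. The following is an added example, not part of the original report: it assumes the usual definition of the error factor (95th percentile divided by the median) and, as a first-order simplification, that the CDF is linear in a common multiplier applied to every CCF event.

```python
"""Added example: lognormal 5th/95th percentile bounds for a CCF sensitivity."""
import math
from statistics import NormalDist


def lognormal_bounds(mean, error_factor, upper=0.95):
    """Return (p5, median, p95) of a lognormal with the given mean.

    Assumes error_factor = p95 / median = median / p5.
    """
    z = NormalDist().inv_cdf(upper)            # about 1.645
    sigma = math.log(error_factor) / z         # log-space standard deviation
    median = mean * math.exp(-0.5 * sigma ** 2)
    return median / error_factor, median, median * error_factor


def linear_ccf_sensitivity(cdf_nominal, cdf_zero_ccf, error_factor=10.0):
    """First-order CDF estimate when every CCF event is scaled together.

    Assumption: CDF = A + B * k, where k multiplies all CCF probabilities,
    A is the CDF with CCF set to 0 and B is the nominal CCF contribution.
    """
    low_k, _, high_k = lognormal_bounds(1.0, error_factor)
    ccf_part = cdf_nominal - cdf_zero_ccf
    return {
        "low_multiplier": low_k,
        "high_multiplier": high_k,
        "low": cdf_zero_ccf + ccf_part * low_k,
        "high": cdf_zero_ccf + ccf_part * high_k,
    }


if __name__ == "__main__":
    # Inputs are the nominal and zero-CCF values from the table above.
    result = linear_ccf_sensitivity(3.8e-05, 3.3e-05)
    for key, value in result.items():
        print(f"{key:16s} {value:.3e}")
```

Because the mean of a lognormal with an error factor of 10 lies well above its median, the low value is only about 4% of the nominal value, so the low case is nearly the same as setting the CCF probabilities to 0, while the high value is about 3.8 times nominal.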

System and Train Importance

As part of the McGuire PRA solution, importance calculations are done for individual components, human actions, etc. (all basic events in the model). Unfortunately, deriving the same importance information for a system train or an entire system is not as straightforward. Therefore, this study investigates the impact on the overall CDF of having various systems/trains not available.

The following table shows the relative ranking of systems and trains/components as found in the results of this sensitivity study:

Systems                             Ratio of new CDF to base case
4160 V ac Power (EPC)               8.9E+05
Nuclear Service Water (RN)          6.8E+04
Component Cooling (KC)              6.8E+04
Vital I&C (EPL)                     1.3E+04
Auxiliary Feedwater (CA)            3.3E+02
Chemical Volume and Control (NV)    8.9E+00
Instrument Air (VI)                 8.3E+01
Diesel Generators (EQA)             4.4E+01
Residual Heat Removal (ND)          1.0E+01
Standby Shutdown Facility (SSF)     4.2E+00
Safety Injection (NI)               1.1E+00

Truncation Limit

The base case truncation limit used for this analysis is 1E-08. With the base case core damage frequency result at 4.7E-05/year, the truncation limit is not quite 4 orders of magnitude below the CDF as is often recommended. The purpose of this sensitivity study is to evaluate the magnitude of the change in CDF that might be expected if a lower truncation limit had been used through the solution process. Therefore, the integrated fault tree is resolved to a truncation limit of 4.7E-09.

The lower truncation limit results in an increase in the calculated CDF of approximately 9%. This magnitude of change is not significant and is within the uncertainty of the CDF calculation. The new basic events that are included in the new cut sets are representative of the same safety functions that are found in the base case solve and no new risk significant functions are identified.

Population Zone and Evacuation Effectiveness

Two sensitivity studies were performed as part of the off-site consequence analysis, and their results are presented in the table below. The first study involved a change to the evacuation model. The base case Catawba PRA assumed that 5 percent of the population within the Emergency Planning Zone (EPZ) would delay evacuation for 24 hours after being warned to evacuate. For the sensitivity study, this evacuation group was changed to 0.5 percent of the population within the EPZ. In other words, the population which does not participate in the evacuation was reduced by a factor of ten.

The second study involved a change to the population exposed to the latent health effects calculation. The base case Catawba PRA included health effects in the population within 2000 miles of the plant. This sensitivity study calculated only those health effects experienced in the population within 50 miles.

The results of the two studies are presented in the following table. The information in this table is combined for both sensitivity studies. The two columns of data on Early Fatalities and Injuries contain information for the first sensitivity study on the evacuation model. The last three columns (latent fatalities, thyroid, and whole-body person-rem) pertain to the second sensitivity study on population data. The reason for combining the two sensitivity study results in one table is that the early fatalities and injuries are the only two columns of data that change when modifying the evacuation model. Likewise, the last three columns (latent fatalities, thyroid, and whole-body person-rem) are the only data that change when modifying the population model. The percentages in parentheses represent the amount the frequencies decreased from the base case results.

            Core Damage  Early       Early     Latent      Thyroid   Whole-Body
            Frequency    Fatalities  Injuries  Fatalities  Cancers   Person-Rem
Internal    3.2E-05      2.08E-05    2.74E-04  1.52E-03    4.19E-03  2.30E+01
                         (44%)       (5%)      (44%)       (40%)     (43%)
External    1.5E-05      4.82E-07    2.55E-05  1.20E-03    2.89E-03  1.91E+01
                         (82%)       (20%)     (42%)       (40%)     (40%)
Total       4.7E-05      2.13E-05    3.00E-04  2.72E-03    7.08E-03  4.21E+01
                         (46%)       (6%)      (43%)       (40%)     (42%)

Table 6.1.3-3 Rev. 2 Basic Event Importance Listing (Sorted by F-V)

Event Name   F-V      RRW      RAW      Description
ML           1.1E-02  1.0E+00  8.9E+01  Medium LOCA
JDG001ADGS   9.1E-03  1.0E+00  2.2E+00  Diesel Generator 1A Fails To Start
T3           9.0E-03  1.0E+00  1.2E+00  LOOP
JDG001ATRM   8.6E-03  1.0E+00  1.9E+00  Diesel Generator 1A in Maintenance Or Testing
JDG001BTRM   8.6E-03  1.0E+00  1.9E+00  Diesel Generator 1B In Maintenance Or Testing
JDG001BDGS   7.1E-03  1.0E+00  2.0E+00  Diesel Generator 1B Fails To Start
NNV0865MVO   6.7E-03  1.0E+00  2.9E+00  Motor-Operated Valve 1NV865 Fails to Open
NNV0872MVO   6.7E-03  1.0E+00  2.9E+00  Motor-Operated Valve 1NV872A Fails to Open
FCA0TDPTRM   6.5E-03  1.0E+00  2.3E+00  Turbine Driven Pump Train in Maintenance or Testing
TORNF4       6.2E-03  1.0E+00  6.7E+01  Plant Struck By F4 Or F5 Tornado
FWL01A1TRM   6.2E-03  1.0E+00  1.4E+00  Sump Pump 1A1 in Testing or Maintenance
LND001ALPR   6.0E-03  1.0E+00  4.0E+00  ND Pump 1A Fails to Run
NSSF0DGTRM   6.0E-03  1.0E+00  1.4E+00  SSF Diesel Generator in Maintenance or Testing
NSS0SSFLHE   5.5E-03  1.0E+00  2.8E+00  Latent Human Error Fails The SSF
POPXCONDHE   5.5E-03  1.0E+00  1.0E+00  Failure to Cross Connect Offsite Power Between Units (Unit 2 Failure Included)
ISLOCA       5.4E-03  1.0E+00  1.0E+00  ISLOCA Occurs
NNVOSMPDPS   5.2E-03  1.0E+00  2.8E+00  SSF Reactor Coolant Makeup Pump Fails To Start On Demand
KKC01A2LHE   4.9E-03  1.0E+00  2.6E+00  Latent Human Error Fails KC 1A2 Pump Train
T4           4.7E-03  1.0E+00  1.0E+00  Loss Of Main Feedwater
JLD01A1FLF   4.5E-03  1.0E+00  2.0E+00  Diesel Engine Lube Oil Strainer 1A1 Fails
NNV0876MVT   4.5E-03  1.0E+00  2.8E+00  Motor-Operated Valve 1NV876 Transfers Position
NNV0877MVT   4.5E-03  1.0E+00  2.8E+00  Motor Operated Valve 1NV877 Transfers Position
KKC3/3SCOM   4.4E-03  1.0E+00  6.7E+01  Common Cause Failure of 3 Of 3 KC Pumps to Start
T13          4.1E-03  1.0E+00  1.1E+00  Inadvertent SS Actuation
JDGMDGBDEX   4.1E-03  1.0E+00  3.0E+00  Tornado Generated Missile Penetrates DG Building
FCAMDPALHE   4.0E-03  1.0E+00  2.3E+00  Latent Human Error Fails Motor Driven Pump 1A

FSA00CVAVT   3.9E-03  1.0E+00  2.3E+00  Control Valve 1SACV Transfers Position
FSA00SVAVT   3.9E-03  1.0E+00  2.3E+00  Stop Valve 1SASV Transfers Position
FWL0848AVT   3.9E-03  1.0E+00  2.3E+00  Air Operated Valve 1WL848 Transfers Position
FCA0TDPLHE   3.8E-03  1.0E+00  2.3E+00  Latent Human Error Fails Turbine Driven Pump
FWLSUMPLHE   3.8E-03  1.0E+00  2.3E+00  Latent Human Error Fails Sump Pumps
KKC001BLHE   3.7E-03  1.0E+00  2.2E+00  Latent Human Error on KC Train 1B
FCACLMSCOM   3.6E-03  1.0E+00  1.4E+00  Common Cause Failure of RN Sources Due to Clams
FCA0RNOLHE   3.6E-03  1.0E+00  2.2E+00  Latent Human Error Causes Swap to Assured Suction Source
T1           3.6E-03  1.0E+00  1.0E+00  Reactor Trip
PACBOFTDEX   3.6E-03  1.0E+00  4.5E+00  Blackout Following Trip
LNDPRUNCOM   3.4E-03  1.0E+00  6.7E+01  Common Cause Failure of the ND Pumps to Run
JLD01B1FLF   3.3E-03  1.0E+00  1.7E+00  Diesel Engine Lube Oil Strainer 1B1 Fails
ATWS         3.3E-03  1.0E+00  1.0E+00  ATWS
ME           3.3E-03  1.0E+00  1.1E+00  Moderator Temperature Coefficient Unfavorable
LND001BLPR   3.1E-03  1.0E+00  2.6E+00  ND Pump 1B Fails to Run
NVKAHUICRR   3.1E-03  1.0E+00  2.7E+00  SSF Air Handling Unit Fails to Run
TCF0002RHE   3.0E-03  1.0E+00  1.0E+00  Failure to Restore Main Feedwater After Loss of Feedwater
DDC1EBABYF   3.0E-03  1.0E+00  1.9E+00  125 V dc Vital I & C Battery 1EBA Fails on Demand
FCA0TDPTPS   2.9E-03  1.0E+00  2.2E+00  CA TDP Fails to Start
JRN232AMVO   2.8E-03  1.0E+00  1.8E+00  Motor Operated Valve 1RN232A Fails to Open
JVD01A1FNS   2.8E-03  1.0E+00  1.8E+00  Fan 1A1 Fails To Start
JVD01A2FNS   2.8E-03  1.0E+00  1.8E+00  Fan 1A2 Fails To Start
JVDDSF1DMO   2.8E-03  1.0E+00  1.8E+00  Damper 1-DSF D1 Fails to Open
JVDDSF3DMO   2.8E-03  1.0E+00  1.8E+00  Damper 1-DSF D3 Fails to Open
FCR          2.7E-03  1.0E+00  1.2E+03  Control Room Fire Causes A Loss Of KC
NSS24VDBCF   2.7E-03  1.0E+00  1.4E+00  24 V Charger Failure Prior to Event Drains SSF DG Battery
T2           2.6E-03  1.0E+00  1.0E+00  Loss Of Load

JDG00BABYF   2.6E-03  1.0E+00  1.8E+00  Battery 1DGBA Fails
JRNMOVSCOM   2.6E-03  1.0E+00  1.6E+01  Common Cause Failure of RN Motor Operated Valves to Open
JDG001ALHE   2.4E-03  1.0E+00  1.8E+00  Latent Human Error on Diesel Generator 1A
WRNPMOVCOM   2.4E-03  1.0E+00  1.0E+02  Common Cause Failure of RN Pump Discharge Valves To Open
TFBLD01DHE   2.3E-03  1.0E+00  1.2E+00  Operators Fail to Establish Feed and Bleed Cooling
NDCSDB2DEX   2.3E-03  1.0E+00  1.0E+00  Battery SDSB2 Depletes
NDCSDC2BCF   2.3E-03  1.0E+00  1.3E+00  Battery Charger SDSC2 Fails
FACTB        2.2E-03  1.0E+00  1.3E+02  All Consuming TB Fire Initiating Event
JFD0022SVO   2.2E-03  1.0E+00  1.8E+00  Solenoid Valve 1FD22 Fails to Open
T6           2.2E-03  1.0E+00  2.1E+00  Secondary Line Break Inside Containment
ACB2DGRRHE   2.1E-03  1.0E+00  1.1E+00  Failure to Recover LOOP (Double DG R Fail, No SSHR, No F & B)
ZWLM221DHE   2.1E-03  1.0E+00  1.2E+00  Failure to Manually Close WL-869B After Loss of Power
JRN292BMVO   2.1E-03  1.0E+00  1.6E+00  Motor Operated Valve 1RN292B Fails to Open
JVD01B1FNS   2.1E-03  1.0E+00  1.6E+00  Fan 1B1 Fails To Start
JVD01B2FNS   2.1E-03  1.0E+00  1.6E+00  Fan 1B2 Fails To Start
JVDDSF7DMO   2.1E-03  1.0E+00  1.6E+00  Damper 1-DSF D7 Fails to Open
JVDDSF9DMO   2.1E-03  1.0E+00  1.6E+00  Damper 1-DSF D9 Fails to Open
KKC01A2PPS   2.0E-03  1.0E+00  3.1E+00  KC Pump 1A2 Fails to Start
NSS00DGSDS   2.0E-03  1.0E+00  1.4E+00  SSF Diesel Generator Fails to Start
JDG1ASTCOM   2.0E-03  1.0E+00  1.4E+01  Common Cause Failure of Diesel Generator to Start
DDC1EBDBYF   1.9E-03  1.0E+00  1.6E+00  125 V dc Vital I & C Battery 1EBD Fails on Demand
JDG00BBBYF   1.9E-03  1.0E+00  1.6E+00  Battery 1EDGB Fails
RVIPORVDHE   1.8E-03  1.0E+00  1.2E+00  Operators Fail to Restore VI to PORVs or Align Backup Nitrogen
JDG001BLHE   1.8E-03  1.0E+00  1.6E+00  Latent Human Error on Diesel Generator 1B
NADOFOFFLF   1.8E-03  1.0E+00  1.4E+00  Filter (Fuel Oil) Restricts Flow
C8PL         1.8E-03  1.0E+00  2.2E+04  Seismic Event Causes Plant Damage State 8PL

AC01DGRhllE  1.7E-03  1.0E+00  1.1E+00  Failure to Recover LOOP (DG S Fail + DG R Fail, SSHR Avail, RCP Seal LOCA)
JFD0062SVO   1.6E-03  1.0E+00  1.6E+00  Solenoid Valve 1FD62 Fails to Open
QRODSINDHE   1.6E-03  1.0E+00  1.0E+00  Failure to Drive Control Rods if the Reactor Doesn't Trip Following an ATWS
QRPBKRSCOM   1.6E-03  1.0E+00  1.0E+02  Reactor Trip Breaker Common Cause Failure
FWL5860LTL   1.6E-03  1.0E+00  1.3E+00  Sump Level Transmitter 1WLLS5860 Fails Low
UND037AMVR   1.6E-03  1.0E+00  9.3E+00  Motor Operated Valve ND37A Ruptures
UND001BMVR   1.5E-03  1.0E+00  5.0E+00  Motor Operated Valve ND1B Ruptures
UND002AMVR   1.5E-03  1.0E+00  9.1E+00  Motor Operated Valve ND2A Ruptures
UND036BMVR   1.5E-03  1.0E+00  5.0E+00  Motor Operated Valve ND36B Ruptures
LL           1.5E-03  1.0E+00  1.3E+01  Large LOCA
LNDPSTRCOM   1.4E-03  1.0E+00  7.1E+00  Common Cause Failure of the ND Pumps to Start
FCAMDPAMPS   1.4E-03  1.0E+00  2.1E+00  Motor Driven Pump 1A Fails to Start
FCAMDPATRM   1.3E-03  1.0E+00  1.3E+00  CA Motor Driven Pump Train 1A in Maintenance or Testing
FCAMDPBTRM   1.3E-03  1.0E+00  1.3E+00  CA Motor-Driven Pump Train 1B in Maintenance or Testing
IFWFWSTTKF   1.2E-03  1.0E+00  6.7E+01  FWST Fails
JFD5070LTK   1.2E-03  1.0E+00  1.6E+00  Level Transmitter 1FDLS5070 Fails High
WRNLSOAFLF   1.2E-03  1.0E+00  5.0E+00  RN Lube Injection Strainer A Fails
AC02DGRRHE   1.2E-03  1.0E+00  1.1E+00  Failure to Recover LOOP (Double DG R Fail, SSHR Avail, RCP Seal LOCA)
KRN0351AVT   1.1E-03  1.0E+00  1.8E+00  Air Operated Valve 1RN351 Transfers Position
EKSFASODHE   1.1E-03  1.0E+00  1.0E+00  Operators Fail To Respond to ESFAS Relay Failure
NVK0D4ADMO   1.1E-03  1.0E+00  1.3E+00  SSF Diesel Combustion Air Inlet Damper 4A Fails to Open
NVK0D4BDMO   1.1E-03  1.0E+00  1.3E+00  SSF Diesel Combustion Air Inlet Damper 4B Fails to Open
NVKDGEXDMO   1.1E-03  1.0E+00  1.3E+00  SSF Diesel Exhaust Damper Fails to Open
RNCOSRVRVC   1.0E-03  1.0E+00  1.1E+00  SRV Fails to Reseat on a Transient
T12          1.0E-03  1.0E+00  1.0E+00  Loss Of Instrument Air
TNCOST2DEX   1.0E-03  1.0E+00  1.1E+00  SRV Opens on T2, T3, T4, T7, T12, PACBOFTDEX When PORVS are

NACSLXGBLM   1.0E-03  1.0E+00  2.0E+00  600 V ac Motor Control Center SLXG in Maintenance
NACSMXGBLM   1.0E-03  1.0E+00  2.0E+00  600 V Or Less AC Power Bus SMXG in Maintenance
NADSKPGBLM   1.0E-03  1.0E+00  2.0E+00  120 V ac Panel Board SKPG in Maintenance
PACEMXSBLM   1.0E-03  1.0E+00  2.0E+00  Unscheduled Maintenance on 600 V ac MCC 1EMXS
QRPRODSDEX   1.0E-03  1.0E+00  1.0E+03  Insufficient Number of Control Rods Drop into Core on Scram
NDCSDB1BYF   1.0E-03  1.0E+00  1.3E+00  Battery SDSB1 Fails to Function
NSS0SSBBYF   1.0E-03  1.0E+00  1.3E+00  Battery (24 V Diesel Start) Fails to Function
NADOSTPGPS   9.8E-04  1.0E+00  1.3E+00  Standby Service Pump (Day Tank) Fails To Start On Demand
JFD5210LTK   9.4E-04  1.0E+00  1.5E+00  Level Transmitter 1FDLS5210 Fails High
KKCORUNCOM   9.2E-04  1.0E+00  4.6E+02  Common Cause Failure of KC Pumps to Run
LNDMOVSCOM   9.0E-04  1.0E+00  6.2E+00  Common Cause Failure of Recirculation Section Valves
FWL01A1GPS   8.8E-04  1.0E+00  1.3E+00  Sump Pump 1A1 Fails to Start
FCA0056AVT   8.5E-04  1.0E+00  1.8E+00  Air Operated Valve 1CA56 Transfers Position
FCA0060AVT   8.5E-04  1.0E+00  1.8E+00  Air Operated Valve 1CA60 Transfers Position
UNI173ADHE   8.0E-04  1.0E+00  1.1E+00  Operators Fail To Close Motor Operated Valve NI173A
UNI178BDHE   8.0E-04  1.0E+00  1.1E+00  Operators Fail To Close Motor Operated Valve NI178B
KKC648ADEX   7.7E-04  1.0E+00  1.2E+00  Slave Relay K648A Failure to Operate
KKC649ADEX   7.7E-04  1.0E+00  1.2E+00  Slave Relay K649A Failure to Operate
LND025AMVO   7.1E-04  1.0E+00  1.2E+00  Motor Operated Valve 1ND25A Fails to Open
LNI185AMVO   7.1E-04  1.0E+00  1.2E+00  Motor Operated Valve 1NI185A Fails to Open
HND028AMVO   7.1E-04  1.0E+00  1.2E+00  Motor Operated Valve 1ND28A Fails to Open
HNVCCPBTRM   7.1E-04  1.0E+00  1.1E+00  CCP 1B in Maintenance
LNDTR1ATRM   6.6E-04  1.0E+00  1.1E+00  ND Train A in Maintenance
LNDTR1BTRM   6.6E-04  1.0E+00  1.1E+00  ND Train 1B in Maintenance
JKD001AHXF   6.4E-04  1.0E+00  1.5E+00  Cooling Water Heat Exchanger 1A Fails
JKD001BHXF   6.4E-04  1.0E+00  1.5E+00  Cooling Water Heat Exchanger 1B Fails
JLD001BHXF   6.4E-04  1.0E+00  1.5E+00  Lube Oil Heat Exchanger LD1B Fails to Function

FCAMDPBLHE Latent Human Error Fails MDP 1B 6.3E-04 1.0E+00 1.2E+00
QRPDRVRCOM Undervoltage Driver Common Cause Failure 6.2E-04 1.0E+00 1.IE+0i
QRPMTRPDHE Operator Fails to Manually Scram the Reactor 6.2E-04 1.0E+00 1.1E+00
QRPNORMDEX RPS in Normal Configuration 6.2E-04 1.0E+00 1.0E+00
WRNLS0BFLF RN Lube Injection Strainer B Fails 6.2E-04 1.0E+00 8.5E+00
FACSF2CCLT Circuit Breaker 1EMXS-F02C Transfers Position 6.1E-04 1.0E+00 1.3E+00
NNVOSMPDPR SSF Reactor Coolant Makeup Pump Fails To Run 5.9E-04 1.0E+00 2.0E+00
JDGEA18C4C Breaker ETA-18 Fails to Close 5.7E-04 1.0E+00 1.5E+00
JDGEB18C4C Breaker ETB-18 Fails to Close 5.7E-04 1.0E+00 1.5E+00
UNI0060CVR Check Valve NI60 Ruptures 5.6E-04 1.0E+00 1.8E+00
UNI0071CVR Check Valve NI71 Ruptures 5.6E-04 1.0E+00 1.8E+00
UNI0082CVR Check Valve NI82 Ruptures 5.6E-04 1.0E+00 1.8E+00
UNI0094CVR Check Valve NI94 Ruptures 5.6E-04 1.0E+00 1.8E+00
WRNABPRCOM Common Cause Failure of RN Pump to Run 5.6E-04 1.0E+00 3.0E+02
NACSKPGBLF 120 V AC Power Bus SKPG Fails 5.4E-04 1.0E+00 2.0E+00
KKC01A1PPR KC Pump 1A1 Fails to Run 5.1E-04 1.0E+00 2.3E+00
KKC01A2PPR KC Pump 1A2 Fails to Run 5.1E-04 1.0E+00 2.3E+00
UNI0175CVC Check Valve NI175 Fails To Close 5.0E-04 1.0E+00 1.2E+00
UNI0176CVC Check Valve NI176 Fails To Close 5.0E-04 1.0E+00 1.2E+00
UNI0180CVC Check Valve NI180 Fails To Close 5.0E-04 1.0E+00 1.2E+00
UNI0181CVC Check Valve NI181 Fails To Close 5.0E-04 1.0E+00 1.2E+00
KKC001AHXF KC Hx 1A Fails to Function 4.8E-04 1.0E+00 6.9E40
LND059BMVO Motor Operated Valve 1ND59B Fails to Open 4.6E-04 1.0E+00 1.1E+00
ITNil84BMVO Motor Operated Valve 1NI184B Fails To Open 4.6E-04 1.0E+00 1.1E+00
INI136BMVO Motor Operated Valve 1NI136B Fails to Open 4.6E-04 1.0E+00 1.1E+00
INIONDMCOM Common Cause Failure of Flow Line Valves 4.5E-04 1.0E+00 3.6E+00
INIOXCMCOM Common Cause Failure of Miniflow Line Valves 4.5E-04 1.0E+00 3.6E+00

LNDMINICOM Common Cause Failure of ND Miniflow Motor Operated Valves 4.5E-04 1.0E+00 3.6E+00
LNDTR1ALHE Train 1A Failure Due to Latent Human Error 4.0E-04 1.0E+00 1.1E+00
LNDTR1BLHE ND Train 1B Fails Due to Latent Human Error 4.0E-04 1.0E+00 1.1E+00
FETB ETB Fire Initiating Event 3.0E-04 1.0E+00 4.3E+02
RVI0371RGT Regulator Valve 1VI371 Fails to Operate 3.7E-04 1.0E+00 1.0E+00
RVI0372RGT Regulator Valve 1VI372 Fails to Operate 3.7E-04 1.0E+00 1.0E+00
FCA0021VVT Locked Open Manual Valve 1CA21 Transfers Position 3.3E-04 1.0E+00 1.6E+00
UNI173AMVC Motor Operated Valve NI173 Fails To Close On Demand 3.2E-04 1.0E+00 1.1E+00
UNI178BMVC Motor Operated Valve NI178B Fails To Close On Demand 3.2E-04 1.0E+00 1.1E+00
LFWLVTRCOM Common Cause Failure of FWST Level Transmitters 3.1E-04 1.0E+00 7.6E+00
SMAN001RHE Failure to Recover FWST LT Failure (S, M LOCA) 3.1E-04 1.0E+00 1.0E+00
C1PL Seismic Event Causes Plant Damage State 1PL 2.7E-04 1.0E+00 2.2E+04
NSFTORNDEX Conditional Probability of Tornado Wind or Missile Damage to the SSF 2.7E-04 1.0E+00 1.0E+00
PACEMXEBLM 600 V ac MCC 1EMXE in Maintenance 2.7E-04 1.0E+00 1.3E+00
PACEMXFBLM Unscheduled Maintenance on 600 V ac MCC 1EMXF 2.7E-04 1.0E+00 1.3E+00
CAPRFLD Aux. Shutdown Panel Lost Due To Flood 2.6E-04 1.0E+00 s.7E*02
AC02DGSRHE Failure to Recover LOOP (Double DG S Fail, SSHR Avail, RCP Seal LOCA) 2.5E-04 1.0E+00 1.0E+00
FWL01A2GPR Sump Pump 1A2 Fails to Run 2.5E-04 1.0E+00 1.0E+00
FCAMDPBMPS Motor Driven Pump 1B Fails to Start 2.5E-04 1.0E+00 1.2E+00
MAINTRULE The Maintenance Combination Is Not Permitted By the Maintenance Rule Matrix 2.5E-04 1.0E+00 1.0E+00
ACC1DGRRHE Failure to Recover LOOP (DG S Fail + DG R Fail, No SSHR, No F & B, TDP Pit Fld) 2.4E-04 1.0E+00 1.0E+00
NACOXGICLO 600 V ac Breaker 1SLXG-4B (from XFMR 1STXG) Fails to Open 2.4E-04 1.0E+00 1.2E+00
NACXGDGCLC 600 V ac Breaker 1SLXG-5B (from SSF DG) Fails to Close 2.4E-04 1.0E+00 1.2E+00
FCA0040AVT Air Operated Valve 1CA40 Transfers Position 2.2E-04 1.0E+00 1.2E+00
FCA0044AVT Air Operated Valve 1CA44 Transfers Position 2.2E-04 1.0E+00 1.2E+00

NDORWSTDHE Failure to Refill FWST 2.2E-04 1.0E+00 1.0E+00
C14PI Seismic Event Causes Plant Damage State 14PI 1.3E-04 1.0E+00 2.2E+04
C1PI Seismic Event Causes Plant Damage State 1PI 9.0E-05 1.0E+00 2.2E+04
ZCIWLMVCOM Common Cause Failure Of M221 Motor Operated Valves To Close 7.2E-05 1.0E+00 1.4E+00
UNI0175CVR Check Valve NI175 Ruptures 5.8E-05 1.0E+00 1.2E+00
UNI0176CVR Check Valve NI176 Ruptures 5.8E-05 1.0E+00 1.2E+00
UNI0180CVR Check Valve NI180 Ruptures 5.8E-05 1.0E+00 1.2E+00
UNI0181CVR Check Valve NI181 Ruptures 5.8E-05 1.0E+00 1.2E+00
ZCISMLLLHE Latent Human Error Results in a Small CI Failure 4.8E-05 1.0E+00 1.5E+00
Y SGTR 3.9E-05 1.0E+00 1.0E+00
UND036BMVT Motor Operated Valve ND36B Transfers Open 3.6E-05 1.0E+00 5.0E+00
UNI183BLHE Motor Operated Valve NI183B Left Open 2.9E-05 1.0E+00 1.0E+00
RNC032BPRC PORV 1NC32B Fails to Reseat 2.7E-05 1.0E+00 1.0E+00
TIIIROTIDilE Operators Fail to Prevent ECCS Challenge to PORVs 2.7E-05 1.0E+00 1.0E+00
C14PL Seismic Event Causes Plant Damage State 14PL 1.8E-05 1.0E+00 2.2E+04
C20PI Seismic Event Causes Plant Damage State 20PI 1.8E-05 1.0E+00 2.2E+04
UNI0125CVR Check Valve NI125 Ruptures 1.4E-05 1.0E+00 1.0E+00
UNI0126CVR Check Valve NI126 Ruptures 1.4E-05 1.0E+00 1.0E+00
UNI0129CVR Check Valve NI129 Ruptures 1.4E-05 1.0E+00 1.0E+00
UNI0134CVR Check Valve NI134 Ruptures 1.4E-05 1.0E+00 1.0E+00
ZCILWERLHE Human Error Fails Emergency Personnel Hatch Isolation 1.3E-05 1.0E+00 1.3E+00
ZCIUPERLHE Human Error Fails Upper Personnel Hatch Isolation 1.3E-05 1.0E+00 1.3E+00
YODRAINDHE Operators Fail to Isolate Steam Drain Line 1.2E-05 1.0E+00 1.0E+00
UNV0014RVO Relief Valve NV14 Fails To Open 1.0E-05 1.0E+00 1.0E+00
UNV0158MVT Motor Operated Valve NV158 Transfers Position 1.0E-05 1.0E+00 1.0E+00
UNV1210COM Common Cause Failure of Valves NV1A, 2A, & 10A 1.0E-05 1.0E+00 1.1E+00
INI115AMVC Motor Operated Valve 1NI115A Fails to Close 3.1E-06 1.0E+00 1.0E+00

INI144AMVC Motor Operated Valve 1NI144A Fails to Close 3.1E-05 1.0E+00 1.0E+00
LKC056AMVO Motor Operated Valve 1KC56A to ND Hx 1A Fails to Open 3.1E-06 1.0E+00 1.0E+00
LKC057AAVT Air Operated Valve 1KC57A Transfers Position 2.7E-06 1.0E+00 1.0E+00
ZWL867AMVC Motor Operated Valve 1WL867A Fails To Close 2.6E-06 1.0E+00 1.0E+00
ZWL869BMVC Motor Operated Valve 1WL869B Fails To Close 2.6E-06 1.0E+00 1.0E+00
FCAHOTWDHE Failure to Defeat the Low Suction Pressure Trip on Auxiliary Feedwater Pumps 2.5E-06 1.0E+00 1.0E+00

Table 6.2-1 Rev. 2
Summary of Containment Analysis Results

Containment End State | Internal | External | Total
Containment Bypass | 2.7E-07 (0.8%) | 2.1E-09 (0.0%) | 2.7E-07 (0.6%)
Isolation Failure | 1.2E-08 (0.0%) | 1.8E-07 (1.2%) | 2.0E-07 (0.4%)
Early Containment Failure | 2.2E-06 (6.8%) | 2.0E-06 (13.8%) | 4.2E-06 (9.0%)
Late Containment Failure | 1.3E-05 (42.3%) | 1.2E-05 (80.2%) | 2.5E-05 (54.3%)
Basemat Meltthrough | 2.0E-06 (6.4%) | 3.5E-07 (2.4%) | 2.4E-06 (5.1%)
No Containment Failure | 1.4E-05 (43.6%) | 3.5E-07 (2.4%) | 1.4E-05 (30.5%)
Total | 3.2E-05 | 1.5E-05 | 4.7E-05

Table 6.1.3-1 Rev. 2
Top 100 Cut Sets for Internal Initiators

Plant Damage State | Cut Set Probability | Event Name | Event Description | Event Probability

22CI 9.82E-06 SL Small LOCA 3.07E-03
TRECIRCDHE Operators Fail to Establish High Pressure Recirculation 3.20E-03

24DI 2.49E-06 T10 Loss Of KC 6.40E-04
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

24DI 1.17E-06 T9 Loss Of RN 3.00E-04
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

1AI 1.00E-06 RPV RV Rupture 1.00E-06
RPVFAILRHE Failure To Prevent Core Damage Following Reactor Vessel Rupture 1.00E+00

7PI 9.13E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

15PI 7.10E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

7PI 5.58E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

15PI 4.34E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

5CI 3.84E-07 ML Medium LOCA 1.20E-04
TRECIRCDHE Operators Fail to Establish High Pressure Recirculation 3.20E-03

7PI 3.68E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02

24DI 2.94E-07 T11 Loss Of 4160 V Essential Bus 3.78E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
KKC001BTRM KC Train 1B in Maintenance 2.00E-02
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

5DI 2.76E-07 T10 Loss Of KC 6.40E-04
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 1.00E-01

7DI 2.50E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
KKC001BTRM KC Train 1B in Maintenance 2.00E-02
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 2.27E-07 T11 Loss Of 4160 V Essential Bus 3.78E-03
NNVSSFADHE Failure to Initiate SSF Seal Injection - Non LOOP Event 3.00E-02
PAC1ETBBHM 4160 V ac Switchgear 1ETB Is Unavailable 2.00E-03
-PACBOFTDEX Blackout Following Trip 9.99E-01

7PI 2.25E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02

22CI 2.05E-07 SL Small LOCA 3.07E-03
KKC3/3SCOM Common Cause Failure of 3 Of 3 KC Pumps to Start 6.68E-05

15DI 1.94E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
KKC001BTRM KC Train 1B in Maintenance 2.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

19DI 1.92E-07 T10 Loss Of KC 6.40E-04
HNV00YVDHE Failure to Align YV Cooling to NV Pumps 1.00E-02
NNVSSFADHE Failure to Initiate SSF Seal Injection - Non LOOP Event 3.00E-02
-PACBOFTDEX Blackout Following Trip 9.99E-01

22CI 1.84E-07 SL Small LOCA 3.07E-03
KKC001BTRM KC Train 1B in Maintenance 2.00E-02
KKC01A2LHE Latent Human Error Fails KC 1A2 Pump Train 3.00E-03

22AI 1.60E-07 SL Small LOCA 3.07E-03
LNDPRUNCOM Common Cause Failure of the ND Pumps to Run 5.21E-05

23DI 1.44E-07 T10 Loss Of KC 6.40E-04
FCA0TDPTRM Turbine Driven Pump Train in Maintenance or Testing 5.00E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

7PI 1.37E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02

7PI 1.37E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NSSF0DGTRM SSF Diesel Generator in Maintenance or Testing 1.50E-02

5DI 1.30E-07 T9 Loss Of RN 3.00E-04
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 1.00E-01

7PI 1.25E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BTRM Diesel Generator 1B In Maintenance Or Testing 1.00E-02
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 1.25E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ATRM Diesel Generator 1A In Maintenance Or Testing 1.00E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 1.24E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NNVSMUPFLF Filter (Standby Makeup Pump) Restricts Flow 1.35E-02

15PI 1.23E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
FWL01A1TRM Sump Pump 1A1 in Testing or Maintenance 1.50E-02
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

22AI 1.23E-07 SL Small LOCA 3.07E-03
KKC001BTRM KC Train 1B in Maintenance 2.00E-02
LND001ALPR ND Pump 1A Fails to Run 2.00E-03

7PI 1.02E-07 T11 Loss Of 4160 V Essential Bus 3.78E-03
NNVSMUPFLF Filter (Standby Makeup Pump) Restricts Flow 1.35E-02
PAC1ETBBHM 4160 V ac Switchgear 1ETB Is Unavailable 2.00E-03

7DI 1.01E-07 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
KKC001BTRM KC Train 1B in Maintenance 2.00E-02
NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02

15PI 9.72E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BTRM Diesel Generator 1B In Maintenance Or Testing 1.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

15PI 9.72E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ATRM Diesel Generator 1A In Maintenance Or Testing 1.00E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

19DI 9.60E-08 T10 Loss Of KC 6.40E-04
HNV00YVDHE Failure to Align YV Cooling to NV Pumps 1.00E-02
NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02

7PI 9.29E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGS Diesel Generator 1B Fails To Start 7.43E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 9.29E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGS Diesel Generator 1A Fails To Start 7.43E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

19DI 8.99E-08 T9 Loss Of RN 3.00E-04
HNV00YVDHE Failure to Align YV Cooling to NV Pumps 1.00E-02
NNVSSFADHE Failure to Initiate SSF Seal Injection - Non LOOP Event 3.00E-02
-PACBOFTDEX Blackout Following Trip 9.99E-01

23DI 8.77E-08 T10 Loss Of KC 6.40E-04
FSA00CVAVT Control Valve 1SACV Transfers Position 3.05E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

23DI 8.77E-08 T10 Loss Of KC 6.40E-04
FSA00SVAVT Stop Valve 1SASV Transfers Position 3.05E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

23DI 8.77E-08 T10 Loss Of KC 6.40E-04
FWLO848AVT Air Operated Valve 1WL848 Transfers Position 3.05E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

19DI 8.66E-08 T10 Loss Of KC 6.40E-04
HNV00YVDHE Failure to Align YV Cooling to NV Pumps 1.00E-02
NNVSMUPFLF Filter (Standby Makeup Pump) Restricts Flow 1.35E-02

23DI 8.64E-08 T10 Loss Of KC 6.40E-04
FCA0TDPLHE Latent Human Error Fails Turbine Driven Pump 3.00E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

23DI 8.64E-08 T10 Loss Of KC 6.40E-04
FWLSUMPLHE Latent Human Error Fails Sump Pumps 3.00E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

7PI 8.54E-08 T3 LOOP 3.59E-02
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01
WRNPMOVCOM Common Cause Failure of RN Pump Discharge Valves To Open 2.38E-05

7PI 8.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02

7PI 8.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NSSF0DGTRM SSF Diesel Generator in Maintenance or Testing 1.50E-02

4PI 7.89E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 1.00E-01

7PI 7.55E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NNVSMUPFLF Filter (Standby Makeup Pump) Restricts Flow 1.35E-02

15PI 7.53E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FWL01A1TRM Sump Pump 1A1 in Testing or Maintenance 1.50E-02
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

15PI 7.22E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGS Diesel Generator 1B Fails To Start 7.43E-03
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

15PI 7.22E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ADGS Diesel Generator 1A Fails To Start 7.43E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

27DI 7.09E-08 ISLOCA ISLOCA Occurs 1.00E+00
UND001BMVR Motor Operated Valve ND1B Ruptures 3.77E-04
UND002AMVR Motor Operated Valve ND2A Ruptures 1.88E-04

27DI 7.09E-08 ISLOCA ISLOCA Occurs 1.00E+00
UND036BMVR Motor Operated Valve ND36B Ruptures 3.77E-04
UND037AMVR Motor Operated Valve ND37A Ruptures 1.88E-04

23DI 7.08E-08 T10 Loss Of KC 6.40E-04
FCA0TDPTPS CA TDP Fails to Start 2.46E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

23DI 6.75E-08 T9 Loss Of RN 3.00E-04
FCA0TDPTRM Turbine Driven Pump Train in Maintenance or Testing 5.00E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

7PI 6.61E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NDCSDB2DEX Battery SDSB2 Depletes 1.00E+00
NDCSDC2BCF Battery Charger SDSC2 Fails 7.25E-03

7PI 6.61E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NSS24VDBCF 24 V Charger Failure Prior to Event Drains SSF DG Battery 7.25E-03

19DI 6.40E-08 T10 Loss Of KC 6.40E-04
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01
PACBOFTDEX Blackout Following Trip 1.00E-03

7PI 6.24E-08 T3 LOOP 3.59E-02
AC01DGRRHE Failure to Recover LOOP (DG S Fail + DG R Fail, SSHR Avail, RCP Seal LOCA) 2.05E-02
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01
POPXCONDHE Failure to Cross Connect Offsite Power Between Units (Unit 2 Failure Included) 2.60E-01

22CI 5.94E-08 SL Small LOCA 3.07E-03
KKC001BTRM KC Train 1B in Maintenance 2.00E-02
KKC01A2PPS KC Pump 1A2 Fails to Start 9.68E-04

7PI 5.94E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JLD01B1FLF Diesel Engine Lube Oil Strainer 1B1 Fails 4.75E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 5.94E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
JLD01A1FLF Diesel Engine Lube Oil Strainer 1A1 Fails 4.75E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

19DI 5.53E-08 SL Small LOCA 3.07E-03
IFWFWSTTKF FWST Fails 1.80E-05

15PI 5.28E-08 T3 LOOP 3.59E-02
ACB2DGRRHE Failure to Recover LOOP (Double DG R Fail, No SSHR, No F & B) 2.23E-02
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
POPXCONDHE Failure to Cross Connect Offsite Power Between Units (Unit 2 Failure Included) 2.60E-01
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

7PI 5.04E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BTRM Diesel Generator 1B In Maintenance Or Testing 1.00E-02
NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02

7PI 5.04E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ATRM Diesel Generator 1A In Maintenance Or Testing 1.00E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02

21DI 4.98E-08 T10 Loss Of KC 6.40E-04
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
PACBOFTDEX Blackout Following Trip 1.00E-03
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

7PI 4.93E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NSS00DGSDS SSF Diesel Generator Fails to Start 5.40E-03

7PI 4.90E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JRNMC ISCOM Common Cause Failure of RN Motor Operated Valves to Open 1.75E-04
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

15AI 4.86E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
FCAMDPATRM CA Motor Driven Pump Train 1A in Maintenance or Testing 5.00E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

15AI 4.86E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
FCAMDPBTRM CA Motor-Driven Pump Train 1B in Maintenance or Testing 5.00E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

4PI 4.82E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 1.00E-01

5CI 4.8E-08 T12 Loss Of Instrument Air 2.00E-01
RNCOSRVRVC SRV Fails to Reseat on a Transient 7.50E-03
TNCOST2DEX SRV Opens on T2, T3, T4, T7, T12, PACBOFTDEX When PORVS are 1.00E-02
TRECIRCDHE Operators Fail to Establish High Pressure Recirculation 3.20E-03

15PI 4.63E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FWL5860LTL Sump Level Transmitter 1WLLS5860 Fails Low 5.64E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

15PI 4.62E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JLD01B1FLF Diesel Engine Lube Oil Strainer 1B1 Fails 4.75E-03
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

15PI 4.62E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
JLD01A1FLF Diesel Engine Lube Oil Strainer 1A1 Fails 4.75E-03
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

15AI 4.57E-08 T4 Loss Of Main Feedwater 4.90E-01
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
FCAMDPALHE Latent Human Error Fails Motor Driven Pump 1A 3.00E-03
PAC1ETBBHM 4160 V ac Switchgear 1ETB Is Unavailable 2.00E-03
TCF0002RHE Failure to Restore Main Feedwater After Loss of Feedwater 2.00E-01
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

19DI 4.5E-08 T9 Loss Of RN 3.00E-04
HNV00YVDHE Failure to Align YV Cooling to NV Pumps 1.00E-02
NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02

15AI 4.43E-08 T1 Reactor Trip 1.90E+00
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
FCAMDPALHE Latent Human Error Fails Motor Driven Pump 1A 3.00E-03
PAC1ETBBHM 4160 V ac Switchgear 1ETB Is Unavailable 2.00E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

24DI 4.41E-08 T11 Loss Of 4160 V Essential Bus 3.78E-03
FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02
KKC001BLHE Latent Human Error on KC Train 1B 3.00E-03
TCF0001RHE Failure to Restore Main Feedwater After Plant Trip 5.00E-02
-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JRN292BMVO Motor Operated Valve 1RN292B Fails to Open 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JVD01B1FNS Fan 1B1 Fails To Start 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JVD01B2FNS Fan 1B2 Fails To Start 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JVDDSF7DMO Damper 1-DSF D7 Fails to Open 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001ADGR Diesel Generator 1A Fails to Run 4.46E-02
JVDDSF9DMO Damper 1-DSF D9 Fails to Open 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
JRN232AMVO Motor Operated Valve 1RN232A Fails to Open 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
JVD01A1FNS Fan 1A1 Fails To Start 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
JVD01A2FNS Fan 1A2 Fails To Start 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
JVDDSF1DMO Damper 1-DSF 1D Fails to Open 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.37E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02
JVDDSF3DMO Damper 1-DSF D3 Fails to Open 3.50E-03
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

7PI 4.34E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
NAD0FOFFLF Filter (Fuel Oil) Restricts Flow 4.75E-03

7PI 4.17E-08 FTB Turbine Building Flood Initiating Event 2.80E-03
JDG1ASTCOM Common Cause Failure of Diesel Generator to Start 1.49E-04
NNVSSFBDHE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

Table 6.1.3-1 Rev. 2 Top 100 Cut Sets for Internal Initiators

| Plant Damage State | Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|---|
| 7DI | 4.16E-08 | FTB | Turbine Building Flood Initiating Event | 2.80E-03 |
| | | JDG001ADGS | Diesel Generator 1A Fails To Start | 7.43E-03 |
| | | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | | NNVSSFBDIIE | Failure to Initiate SSF Seal Injection - LOOP Event | 1.00E-01 |
| 23DI | 4.11E-08 | T9 | Loss Of RN | 3.00E-04 |
| | | FSA00CVAVT | Control Valve 1SACV Transfers Position | 3.05E-03 |
| | | TCF0001RIIE | Failure to Restore Main Feedwater After Plant Trip | 5.00E-02 |
| | | -TNCOSRVDEX | Pressurizer SRV Fails To Reseat After Relieving Liquid | 9.00E-01 |
| 23DI | 4.11E-08 | T9 | Loss Of RN | 3.00E-04 |
| | | FSA00SVAVT | Stop Valve 1SASV Transfers Position | 3.05E-03 |
| | | TCF0001RIIE | Failure to Restore Main Feedwater After Plant Trip | 5.00E-02 |
| | | -TNCOSRVDEX | Pressurizer SRV Fails To Reseat After Relieving Liquid | 9.00E-01 |
| 23DI | 4.11E-08 | T9 | Loss Of RN | 3.00E-04 |
| | | FWLO848AVT | Air Operated Valve 1WL848 Transfers Position | 3.05E-03 |
| | | TCF0001RIIE | Failure to Restore Main Feedwater After Plant Trip | 5.00E-02 |
| | | -TNCOSRVDEX | Pressurizer SRV Fails To Reseat After Relieving Liquid | 9.00E-01 |
| 15PI | 4.11E-08 | FTB | Turbine Building Flood Initiating Event | 2.80E-03 |
| | | FCA0TDPTRM | Turbine Driven Pump Train in Maintenance or Testing | 5.00E-03 |
| | | JDG1RUNCOM | Common Cause Failure of Diesel Generator to Run | 3.26E-03 |
| | | -TNCOSRVDEX | Pressurizer SRV Fails To Reseat After Relieving Liquid | 9.00E-01 |
| 19DI | 4.06E-08 | T9 | Loss Of RN | 3.00E-04 |
| | | IINV00YVDilE | Failure to Align YV Cooling to NV Pumps | 1.00E-02 |
| | | NNVSMUPFLF | Filter (Standby Makeup Pump) Restricts Flow | 1.35E-02 |

Table 6.1.3-1 Rev. 2 Top 100 Cut Sets for Internal Initiators

| Plant Damage State | Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|---|
| 23DI | 4.05E-08 | T9 | Loss Of RN | 3.00E-04 |
| | | FCA0TDPLIIE | Latent Human Error Fails Turbine Driven Pump | 3.00E-03 |
| | | TCF0001RIIE | Failure to Restore Main Feedwater After Plant Trip | 5.00E-02 |
| | | -TNCOSRVDEX | Pressurizer SRV Fails To Reseat After Relieving Liquid | 9.00E-01 |
| 23DI | 4.05E-08 | T9 | Loss Of RN | 3.00E-04 |
| | | FWiSUMPLIIE | Latent Human Error Fails Sump Pumps | 3.00E-03 |
| | | TCF0001RIIE | Failure to Restore Main Feedwater After Plant Trip | 5.00E-02 |
| | | -TNCOSRVDEX | Pressurizer SRV Fails To Reseat After Relieving Liquid | 9.00E-01 |

Table 6.1.3-2 Rev. 2 Top 100 Cut Sets for External Initiators

| Plant Damage State | Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|---|
| 7PI | 7.49E-06 | SEISMIC | Seismic Initiator | 1.00E+00 |
| | | C7PI | Seismic Event Causes Plant Damage State 7PI | 7.49E-06 |
| 19DI | 1.43E-06 | FKC | KC Power Cable Initiating Event | 4.78E-05 |
| | | NNVSSFADIIE | Failure to Initiate SSF Seal Injection - Non LOOP Event | 3.00E-02 |
| | | -PACBOFTDEX | Blackout Following Trip | 9.99E-01 |
| 8PI | 8.24E-07 | SEISMIC | Seismic Initiator | 1.00E+00 |
| | | C8PI | Seismic Event Causes Plant Damage State 8PI | 8.24E-07 |
| 19DI | 7.17E-07 | FKC | KC Power Cable Initiating Event | 4.78E-05 |
| | | NNVOSSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 1.50E-02 |
| 19DI | 6.47E-07 | FKC | KC Power Cable Initiating Event | 4.78E-05 |
| | | NNVSMUPFLF | Filter (Standby Makeup Pump) Restricts Flow | 1.35E-02 |
| 19DI | 2.87E-07 | FCBLR | Cable Room Fire Causes A Loss Of Component Cooling Water | 9.56E-06 |
| | | NNVSSFADIIE | Failure to Initiate SSF Seal Injection - Non LOOP Event | 3.00E-02 |
| | | -PACBOFTDEX | Blackout Following Trip | 9.99E-01 |
| 7PI | 1.90E-07 | TORNF4 | Plant Struck By F4 Or F5 Tornado | 9.49E-05 |
| | | JDGMDGBDEX | Tornado Generated Missile Penetrates DG Building | 2.00E-03 |
| 19DI | 1.86E-07 | FKC | KC Power Cable Initiating Event | 4.78E-05 |
| | | FCA0TDPTPR | Turbine Driven Pump Fails to Run | 8.64E-02 |
| | | TCF0001RIIE | Failure to Restore Main Feedwater After Plant Trip | 5.00E-02 |
| | | -TNCOSRVDEX | Pressurizer SRV Fails To Reseat After Relieving Liquid | 9.00E-01 |
| 19DI | 1.67E-07 | FKC | KC Power Cable Initiating Event | 4.78E-05 |
| | | NNV0865MVO | Motor-Operated Valve 1NV865 Fails to Open | 3.50E-03 |
| 19DI | 1.67E-07 | FKC | KC Power Cable Initiating Event | 4.78E-05 |
| | | NNV0872MVO | Motor-Operated Valve 1NV872A Fails to Open | 3.50E-03 |
| 19DI | 1.43E-07 | FCBLR | Cable Room Fire Causes A Loss Of Component Cooling Water | 9.56E-06 |
| | | NNVOSSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 1.50E-02 |

Table 6.1.3-2 Rev. 2 Top 100 Cut Sets for External Initiators  % 2 em Plant Cut Set Event Name Event Description Event Damage Probability Probability State 19DI 1.43E-07 FKC KC Power Cable Imtratmg Event 4.78E-05 NSSOSSFLIIE Latent Iluman Error Fails The SSF 3.00E-03 19DI 1.34E-07 FKC KC Power Ca~ ole Initiating Event 4.78E-05 NNVOSh1PDPS SSF Reactor Coolant hiakeup Pump Fails To Start On Demand 2.80E-03 19DI 1.29E-07 FCBLR Cable Room Fire Causes A Loss Of Component Ceoling Water 9.56E-06 NNVSh1UPFLF Filter (Standby hiakeup Pump) Restricts Flow I .35E-02 7PI 1.24E-07 TORNSW Tomado Causes LOOP 3.80E-04 JDG1RUNCOh! Common Cause Failure of Diesel Generator to Run 3.26E-03 NNVSSFBDIIE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 19DI 1.17E-07 FKC KC Power Cable Initiating Event 4.78E-05 NNV0876N1VT hiotor-Operated Valve INV876 Transfers Position 2.44E-03 19PI 1.17E-07 FKC KC Power Cable Initiating Event 4.78E-05 NNV0877h1VT Ntotor Operated Valve iNV877 Transfers Position 2.44E-03 15PI 9.63 E-08 TOR.NSW Tomado Causes LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDG1RUNCOh! Common Cause Failure of Dies:1 Generator to Run 3.26E-03

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 19DI 8.43 E-08 FKC KC Power Cable initiating Event 4.78E-05 NVKAIIUICRR SSF Air Ilandling Unit Fails to Run 1.76E-03 8PL 8.17E-08 SEISN11C Seismic Initiator 1.00E+00 C8PL Seismic Event Causes Piant Damage State 8PL 8.17E-08 7PI 7.57E-08 TORNSW Tomado Causes LOOP 3.80E-04 3DG001ADGR Diesel Generator i A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator iB Fails To Run 4.46E-02 l NNVSSFBDilE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01

Table 6.1.3-2 Rev. 2 Top 100 Cut Sets for External Initiators *3d" Plant Cut Set Event Name Event De eription Evcat Damage Probability Probability State 7PL 7.49E-08 SEISMIC Seismic Initiator I .00E+00 C7PI Seismic Event Causes Plant Damage State 7PI 7.49E-06 ZWLM221DIIE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 19DI 6.41 E-08 FCR Control Room Fire Causes A Loss Of KC 2.14E-06 NNVSSFADIIE Failure to Initiate SSF Seal Injection - Non LOOP Event 3.00E-02

-PACBOFTDEX Blackout Following Trip 9.99E-01 15PI 5.89E-08 TORNSW Tomado Causes LOOP , 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 7PI 5.54E-08 FACI 13 All Consuming TB Fire Initiating Event 1.70E-05 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 7PI 4.99E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDGIRUNCOM Common Cause Failure of Diesel Ger.crator to Run 3.26E-03 NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02 19DI 4.78E-08 FKC KC Power Cable Initiating Event 4.78E-05 NACSLXGBLM 600 V ae Motor Control Center SLXG in Maintenance I.00E-03 19DI 4.78E-08 FKC KC Power Cable Initiating Event 4.78E-05 NACSMXGBLM 600 V Or Less AC Power Bus SMXG in Maintenance 1.00E-03 19DI 4.78E-08 FKC KC Power Cable Initiating Event 4.78E-05 NADSKPGBLM 120 V ae Panel Board SKPG in Mainten.mee 1.00E-03 19DI 4.78E-08 FKC KC Power Cable Initiating Event 4.7SE-05 PACEMXSBLM Unscheduled Maintenance on 600 V ae MCC IEMXS I.00E-03 l


Table 6.13-2 Rev. 2 Top 100 Cut Sets for External Initiators Plant Cut Set Event Name Event Description Event Damage Probability Probability State 21D1 3.72E-08 FCBLR Cable Room Fire Causes A Loss Of Component Coolmg Water 9.56E-06 FCA0TDPTPR Tmbine Driven Pump Fails to Run 8.64E-02 TCF0001RIIE Failure to Restore Main Feedwater After Plant Trip 5.00E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 7DI 339E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDGOOIADGR Diesel Generator 1 A Fails to Run 4.46E-02 KKC001BTRM KC Train IB in Maintenance 2.00E-02 NNVSSFBDilE Failure to initiate SSF Seal Injection - LOOP Event 1.00E-01 7PI 339E-08 FACTB All Consuming TB Fire Initiating Event I.70E-05 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02 19DI 335E-08 FCBLR Cable Room Fire Causes A Loss Of Component Cooling Water 9.56E-06 NNV0865MVO Motor-Operated Valve INV865 Fails to Open 3.50E-03 19DI 335E-08 FCBLR Cable Room Fire Causes A Loss Of Component Cooling Water 9.56E-06 NNV0872MVO Motor-Operated Valve 1NV872A Fails to Open 3.50E-03 19DI 3.21 E-08 FCR Control Room Fire Causes A Loss Of KC 2.14E-06 NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02 7PI 3.09E-08 TORNF4 Plant Struck By F4 Or F5 Tomado 9.49E-05 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NNVSSFUDilE Failure to Initiate SSF Seal Injection - LOOP Event I.00E-01 7PI 3.05E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator 1 A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02 NSS00DGSDR SSF Diesel Generator Fails to Run 4.03 E-02


19DI 2.96E-08 FCR Control Room Fire Causes A Loss Of KC 2.14E-06 NNVSMUPFLF Filter (Standby Makeup Pump) Restricts Flow 1.35E-02 19DI 2.87E-08 FCBLR Cable Room Fire Causes A Loss Of Component Cooling Water 9.56E-06 NSS0SSFLilE Latent Iluman Error Fa 1s The SSF 3.00E-03 19DI 2.75E-08 FKC KC Power Cable Initiating Event 4.78E-05 NNVOSMPDPR SSF Reactor Coolant Makeup Pump Fails To Run 5.76E-04 19DI 2.68E-08 FCBLR Cable Room Fire Causes A Loss Of Component Coohng Water 9.56E-06 NNVOSMPDPS SSF Reactor Coolant Makeup Pump Fails To Start On Demand 2.80E-03 l 15PI 2.64E-08 TORNSW Tornado Ceases LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64 E-02 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 KKC001BTRM KC Train 1B in Maintenance 2.00E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat Afler Relieving Liquid 9.00E-01 19DI 2.54E-08 FKC KC Power Cable Initiating Event 4.78E-05 i NACSKPGBLF 120 V AC Power Bus SKPG Fails 5.31 E-04 15PI 2.41 E-08 TORNF4 Plant Struck By F4 Or F5 Tomado 9.49E-05 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 t JDGIRUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03

-TNCOSRVDEX Pressurizer SRV Fails To Rescat ARer Relieving Liquid 9.00E-01 19DI 2.33 E-08 FCBLR Cable Room Fire Causes A Loss Of Component Cooling Water 9.56E-06 NNV0876MVT Motor-Operated Valve INV876 Transfers Position 2.44E-03 19DI 2.33 E-08 FCBLR Cable Room Fire Causes A Loss Of Component Cooling Wa'.cr 9.56E-06 NNV0877MVT Motor Operated Valve iNV877 Transfers Posaion 2.44E-03 m m m m M M M M M M M


  • Top 100 Cut Sets for External Initiators Plant Cut Set Event Name Event Description Event Damage Probability Probability State 4DI 2.06E-08 FKC KC Power Cable Imtratmg Event 4.78E-05 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 TCF0001RIIE Failure to Restore Main Feedwater After Plant Trip 5.00E-02 4

TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 1.00E-01 7PI 1.89E-08 TORNF4 Plant Struck By F4 Or F5 Tomado 9.49E-05 JDG001 ADGR Diesel Generator i A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02 NNVSSFBDilE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 7PI 1.86E-08 TORNSW Tomado Causes LOOP 3.80E-04 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02 7PI I.86E-08 TORNSW Tomado Causes LOOP 3.80E-04 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NSSF0DGTRM SSF Diesel Generator in Maintenance orTesing I.50E-02 7DI 1.78E-08 FETB L'TB Fire Initiating Event 8.91 E-07 K.KC001BTRM KC Train IB in Maintenanec 2.00E-02 7PI 1.70E-08 TORNSW Tomado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 JDG001BTRM Diesel Generator IB In Maintenance Or Testing 1.00E-02 NNVSSFBDIIE Failure to Initiate SSF Seal injection - LOOP Event 1.00E-01 7PI 1.70E-08 TORNSW Tomado Causes LOOP 3.802-04 JDG001ATRM Diesel Generator I A In Maintenance Or Testing I.00E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02 NNVSSFBDilE Failure to initiate SSF Seal Injection - LOOP Event 1.00E-01 19DI 1.69E-08 FCULR Cable Room Fire Causes A Loss Of Component Cooling Water 9.56E-06 NVKAIIUICRR SSF Air llandling Unit Fails to Run 1.76E-03

Table 6.1.3-2 Rev. 2 Page 7 em Top 100 Cut Sets for External Initiators Plant Cut Set Event Name Event Description Event Damage Probability Probability State 7PI 1.68 E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDGIRUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NNVSMUPFLF Filter (S:andby Makeup Pump) Restricts Flow 1.35E-02 15PI 1.67E-08 TORNSW Tornado Causes LOOP 3.80E-04 FWL01AITRM Sump Pump I A1 in Testing or Maintenance 1.50E-02 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 7DI 1.52E-08 FACTB All Consuming TB Fire Initiating Event 1.70E-05 JOG 001ADGR Diesel Generator I A Fails to Run 4.46E-02 KKC001BTRM KC Train 1B in Maintenance 2.00E-02 15PI 1.47E-08 TORNF4 Plant Struck By F4 Or F5 Tornado 9.49E-05 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDG001ADGR Diesel Generator 1 A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 7P1 1.37E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 KKC001BTRM KC Train IB in Maintenance 2.00E-02 NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02 15PI 1.32E-08 TORNSW Tornado Causes LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDG001ADGR Diesel Generator i A Fails to Run 4.46E-02 JDG001BTRM Diesel Generator IB In Maintenance Or Testing 1.00E-02 l 9.00E-01

-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid l


15P1 1.32E-08 TORNSW Tornado Causes LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 q JDG001ATRM Diesel Generator i A In Maintenance Or Testing 1.00E-02

JDG001BDGR Diesel Generator iB Fails To Run 4.46E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 7PI 1.26E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A Fails to Run 4.46E 2 JDG001BDGS Diesel Generator iB Fails To Start 7.43E-03 NNVSSFBDilE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 7PI 1.26E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ADGS Diesel Generator I A Fails To Start 7.43 E-03 JDG001BDGR Diesel Generator iB Fails To Run 4.46E-02 NNVSSFBDilE Failure to Initiate SSF S sl Injection - LOOP Event , gf-01 IPL 1.26E-08 SEISMIC Seismic Initiator &".400 ClPL Seismic Event Causes Plant Damage State IPL i .26E-08 7PI 1.25 E-08 TORNF4 Plant Struck By F4 Or F5 Tornado 9.49E-05 JDGIRUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NSS00DGSDR SSF Diesel Generator Fails to Run 4.03 E-v2 7PI 1.24E-08 TORNSW Tornado Causes LOOP ' SOE-04 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NSFTORNDEX Conditional Probability ofTorr Vo Wind or Missile Damage to the SSF 1.00E-02 7PI 1.14 E-08 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02 i NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02 l


Plant Cut Set Event Name Event Description Event Damsge Probability Probability State 7P1 1.14E-08 TORNSW Tomado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator iB Fails To Run 4.46E-02 NSSF0DGTRM SSF Diesel Generator in Maintenance or Tesing 1.50E-02 19DI 1.08E-08 FKC KC Power Cable Initiating Event 4.7FS-05 FCA0TDPTRM Turbine Driven Pump Train in Maintenance or Testing 5.00E-03 TCF000lRIIE Failure to Restore Main Feedwater After Plant Trip 5.00E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 4P1 1.07E-08 TORNSW Tornado Causes LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDGlRUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 1.00E-01 7PI 1.02E-08 TORNSW Toinado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator 1 A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator iB Fails To Run 4.46E-02 NNVSMUPFLF Filter (Standby Makeup Pump) Restricts Flow 1.35E-02 15PI 1.02E-08 TORNSW Tomado Causes LOOP 3.80E-04 FWL01 AITRM Sump Pump 1 A1 in Testing or Maintenance 1.50E-02 JDG001ADGR Diesel Generator i A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 ftPL 8.241i-09 SEISMIC Seismic Initiator 1.00E+00 C8PI Seismic Event Causes Plant Damage State 8P1 8.24E-07 ZWLM221DIIE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 14PI 5.90E-09 SEISMIC Seismic Initiator 1.00E+00 l Cl4P1 Seismic Event Causes Plant Damage State 14PI 5.90E-09 g g M M M M M M M M M


  • Plant Cut Set Event Name Event Description Event Damage Probability Probability State 1P1 4.21 E-09 SEISMIC Seismic initiator 1.00E+00 ClPI Seismic Event Causes Plant Damage State IPI 4.21 E-09 j 7PS 1.24 E-09 TORNSW Tornado Causes LOOP 3.80E-04 JDGIRUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NNVSSFDDIIE Failure to initiate SSF Seal injection - LOOP Event 1.00E-01 ZWLM221DIIE Failure to Manually I'ose WL-869B After Loss of Power 1.00E-02 I5PS 9.63E-10 TORNSW Tornado Causes LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDGIRUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03

-TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.09E-01 ZWLM221DIIE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 14PL 8.42E-10 SEISMIC Seismic initiator 1.00E+0C Cl4PL Seismic Event Causes Plant Damage State 14PL 8.42E-10 20P1 8.42E-10 SEISMIC Seismic bitiator 1.00E+00 C20PI Seismic Event Cruses Plant Damage State 20PI 8.42E-10 7PS 7.57E-10 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A. Fails to Run 4.46E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02 NNVSSFDDIIE Failure to initiate SSF Seal injection - LOOP Event 1.00E-01 ZWLM221DilE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 7PS 7.49E-10 SEISMIC Seismic initiator 1.00E+00 C7PI Scismic Event Causes Plant Damage State 7PI 7.49E-06 ZCISMLLLIIE Latent Iluman Error Results in a Small Cl Failure 1.00E-04


  • Top 100 Cut Sets for External initiators Plant Cut Set I vent Name Event Description Event Damage Probability Probability State I5PS 5.89E-10 TORNSW Tornado Causes LC'JP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDG001ADGR Diesel Generator i A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator 1B Fails To Run 4.46E-02 l -TNCOSRVDEX Pressurizer SRV Fails To Reseat After Relieving Liquid 9.00E-01 ZWLM221DIIE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 7PS 4.99E-10 TORNSW Tomado Causes LOOP 3.80E-04 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03
  • NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02 ZWLM221DilE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 7PS 3.05E-10 TORNSW To nado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02

! JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02 NSS00DGSDR SSF Diesel Generator Fails to Run 4.03E-02 ZWLM221DilE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 19DS 2.51 E-10 FKC KC Power Cable Initiating Event 4.78E-05 NNVSSFADIIE Failure to Initiate SSF Seal Injection - Non LOOP Event 3.00E-02

-PACBOFTDEX Blackout Following Trip 9.99E-01 ZCIWLMVCOM Common Cause Failure Of M221 Motor Operated Valves To Close 1.75E-04 7PS 1.86E-10 TORNSW Temado Causes LOOP 3.80E-04 JDGIRUNCOM Common Cause Failure of Diesel Gt.nerator to Run 3.26E-03 NNVOSSFTRM Standby Shutdown Facility Flow Components in Maintenance 1.50E-02 ZWLM221DIlE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 g M M M M M M M M M M M g M M

Table 6.1.3-2 Rev. 2 Page i2 om Top 100 Cut Sets for External Initiators Plant Cut Set Event Name Event Description Event Damage Probability Probability State 7PS 1.86E-10 TORNSW Tornado Causes LOOP 3.80E-04 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NSSF0DGTRM SSF Diesel Generator in Maintenance or Tesing 1.50E-02 ZWLM221DilE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 7PS 1.70E-10 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ADOR Diesel Generator I A Fails to Run 4.46E-02 JDG001BTRM Diesel Generator IB in Maintenance Or Testing 1.00E-02 NNVSSFBDilE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 ZWLM221DilE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 7PS 1.70E-10 TORNSW Tornado Causes LOOP 3.80E-04 JDG001ATRM Diesel Generator I A in Maintenance Or Testing 1.00E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02 NNVSSFBDilE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 ZWLM221DilE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 7PS 1.68E-10 TORNSW Tornado Causes LOOP 3.80E-04 JDGIRUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NNVSMUPFLF Filter (Standby Makeup Pump) Restricts Flow 1.35E-02 ZWLM221DilE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 15PS 1.67E-10 TORNSW Tomado Causes LOOP 3.80504 FWLOI AITRM Sump Pump 1 A1 in Testing or Maintenance 1.50E-02 JDG1RUNCOM Common Cause Failure of Diesel Generator to Ren 3.26E-03

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 ZWLM221DIIE Failure to Manually Close WL-869B Afler Loss of Power 1.00E-02 1-- --- -<--l-.- r---, , - , - .


Table 6.1.3-2 Rev. 2 Top 100 Cut Sets for External Initiators Plant Cut Set Event Name Event Description Event Damage Probability Probability State 19DS 1.43 E-10 FKC KC Power Cable Initiating Event 4.78E-05 NNVSSFADIIE Failure to Initiate SSF Seal Ir.jection - Non LOOP Evm' 3.00f.-02

-PACBOFTDEX Blackout Fo.' lowing Trip 9.99E-01 ZCISMLLLIIF Latent Ilumar; Error Results in a Small Cl Failure 1.00E-04 I5PS 1.32E-10 TORNSW Tomado Causes LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDG001ADGR Diesel Generator 1 A Fails to Run 4.46E-02 JDG001BTRM Diesel Generator iB In Maintenance Or Testing 1.00E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat After Relieving Liquid 9.00E-01 ZWLM221DilE Failure to Manually Close WL-869B Aner Loss of Power 1.00E-02 15PS 1.32E-10 TORNSW Tomado Causes LOOP 3.80E-04 FCA0TDPTPR Turbine Driven Pump Fails to Run 8.64E-02 JDG001ATRM Diesel Generator i A In Maintenance Or Testing 1.00E-02 JDG001BDGR Diesel Generator iB Fails To Run 4.46E-02

-TNCOSRVDEX Pressurizer SRV Fails To Rescat Aner Relieving Liquid 9.00E-01 ZWLM221DilE Failure to Manually Close WL-860B After Loss of Power 1.00E-02 7PS 1.26E-10 TORNSW Tomado Causes LOOP 3.80E-04 JDG001 ADGR Diesel Generator I A Fails to Run 4.46E-02 JDG001BDGS Diesel Generator IB Fails To Start 7.43 E-03 NNVSSFBDIIE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 ZWLM221DIIE Failure to Manually Close WL-869B Aner Loss of Power 1.00E-02 7PS 1.26E-10 TORNSW Tomado Causes LOOP 3.80E-04 JDG001ADGS Diesel Generator I A Fails To Start 7.43 E-03 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02


NNVSSFBDilE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 ZWLM221DlIE Failure to Manually Close WL-869B After Loss of Power 1.00E-02


Table 6.1.3-2 Rev. 2 Top 100 Cut Sets for External Initiators ""8* '4 "4 Plant Cut Set Event Name Event Description Event Damage Probability Probability State 19DS 1.25E-10 FKC KC Power Cable Ine ' ting Event 4.78E-05 NNVOSSFTRM Standby Shutdown 1 L iity Flow Components in Maintenance 1.50E-02 ZCIWLMVCOM Common Cause Fail.,: Of M221 Motor Operated Valves To Close 1.75E-04 7PS 1.24E-10 TORNSW Tomado Causes LOOP 3.80E-04 JDG1RUNCOM Common Cause Failure of Diesel Generator to Run 3.26E-03 NSFTORNDEX Conditional Probability of Tomado Wind or Missile Damage to the SSF 1.00E-02 .

ZWLM22!DIIE Failure to Manually Close WL-869B After Loss of Power 1.00E-02 NNVSSFBDlIE Failure to Initiate SSF Seal Injection - LOOP Event 1.00E-01 7PS 1.14E-10 TORNSW Tomado Causes LOOP 3.80E-04 JDG001ADGR Diesel Generator I A Fails to Run 4.46E-02 JDG001BDGR Diesel Generator IB Fails To Run 4.46E-02 NNV0SSFTRM Standby Shutdown Faci l4 Flow Components in Maunc.r~- 1.50E-02 ZWLM221DilE Failure to Manually Close WL-869B Afler Loss of Power 1.00E-02

Table 6.1.3-3 Rev. 2 Basic Event Importance Listing (Sorted by F-V)

| Event Name | Event Description | F-V | RRW | RAW |
|---|---|---|---|---|
| SL | Small LOCA | 2.4E-01 | 1.3E+00 | 7.8E+01 |
| FTB | Turbine Building Flood Initiating Event | 2.3E-01 | 1.3E+00 | 8.3E+01 |
| TRECIRCDIIE | Operators Fail to Establish High Pressure Recirculation | 2.2E-01 | 1.3E+00 | 7.0E+01 |
| FCA0TDPTPR | Turbine Driven Pump Fails to Run | 1.9E-01 | 1.2E+00 | 3.0E+00 |
| SEISMIC | Seismic Initiator | 1.8E-01 | 1.2E+00 | 1.0E+00 |
| C7PI | Seismic Event Causes Plant Damage State 7PI | 1.6E-01 | 1.2E+00 | 2.2E+04 |
| TCF0001RIIE | Failure to Restore Main Feedwater After Plant Trip | 1.3E-01 | 1.1E+00 | 3.5E+00 |
| JDG001ADGR | Diesel Generator 1A Fails to Run | 1.1E-01 | 1.1E+00 | 3.4E+00 |
| NNVSSFBDIIE | Failure to Initiate SSF Seal Injection - LOOP Event | 9.3E-02 | 1.1E+00 | 1.8E+00 |
| JDG001BDGR | Diesel Generator 1B Fails To Run | 9.0E-02 | 1.1E+00 | 2.9E+00 |
| FKC | KC Power Cable Initiating Event | 9.0E-02 | 1.1E+00 | 1.8E+03 |
| JDG1RUNCOM | Common Cause Failure of Diesel Generator to Run | 8.8E-02 | 1.1E+00 | 2.8E+01 |
| T10 | Loss Of KC | 3.7E-02 | 1.1E+00 | 1.4E+02 |
| KKC001BTRM | KC Train 1B in Maintenance | 5.2E-02 | 1.1E+00 | 3.5E+00 |
| NNVSSFADIIE | Failure to Initiate SSF Seal Injection - Non LOOP Event | 5.0E-02 | 1.1E+00 | 2.6E+00 |
| T9 | Loss Of RN | 4.0E-02 | 1.0E+00 | 1.3E+02 |
| NSS00DGSDR | SSF Diesel Generator Fails to Run | 3.1E-02 | 1.0E+00 | 1.7E+00 |
| NNVSMUPFLF | Filter (Standby Makeup Pump) Restricts Flow | 3.0E-02 | 1.0E+00 | 3.2E+00 |
| NNVOSSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 2.9E-02 | 1.0E+00 | 2.9E+00 |
| T11 | Loss Of 4160 V Essential Bus | 2.3E-02 | 1.0E+00 | 6.9E+00 |
| RPV | RV Rupture | 2.2E-02 | 1.0E+00 | 2.2E+04 |
| RPVFAILRIIE | Failure To Prevent Core Damage Following Reactor Vessel Rupture | 2.2E-02 | 1.0E+00 | 1.0E+00 |
| PAClETBBIIM | 4160 V ac Switchgear 1ETB Is Unavailable | 1.8E-02 | 1.0E+00 | 1.0E+01 |
| C8PI | Seismic Event Causes Plant Damage State 8PI | 1.8E-02 | 1.0E+00 | 2.2E+04 |
| FCBLR | Cable Room Fire Causes A Loss Of Component Cooling Water | 1.7E-02 | 1.0E+00 | 1.7E+03 |
| TORNSW | Tornado Causes LOOP | 1.6E-02 | 1.0E+00 | 4.3E+01 |
| IINV00YVDilE | Failure to Align YV Cooling to NV Pumps | 1.6E-02 | 1.0E+00 | 2.6E+00 |

Table 6.3-1 Rev. 2

SUMMARY OF RISK RESULTS FOR INTERNAL INITIATORS

| Containment End States | Early Fatalities / Yr | Early Injuries / Yr | Latent Fatalities / Yr | Thyroid Cancers / Yr | Whole-Body Person-Rem / Yr |
|---|---|---|---|---|---|
| Steam Generator Tube Rupture | 1.79E-07 (0.48%) | 7.61E-07 (0.26%) | 3.00E-06 (0.11%) | 1.71E-05 (0.25%) | 4.28E-02 (0.11%) |
| ISLOCA | 3.65E-05 (98.82%) | 2.67E-04 (92.65%) | 4.20E-04 (15.46%) | 1.91E-03 (27.30%) | 4.72E+00 (11.66%) |
| Isolation Failure | 2.34E-11 (0.00%) | 1.15E-09 (0.00%) | 1.07E-07 (0.00%) | 3.17E-07 (0.00%) | 1.68E-03 (0.00%) |
| Early Containment Failure | 1.10E-07 (0.30%) | 1.11E-05 (3.86%) | 7.21E-04 (26.56%) | 1.86E-03 (26.61%) | 1.10E+01 (27.25%) |
| Late Containment Failure | 1.46E-07 (0.40%) | 9.31E-06 (3.23%) | 1.56E-03 (57.61%) | 3.17E-03 (45.41%) | 2.46E+01 (60.73%) |
| Basemat Meltthrough | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 5.32E-06 (0.20%) | 2.67E-05 (0.38%) | 7.39E-02 (0.18%) |
| No Containment Failure | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 1.61E-06 (0.06%) | 3.69E-06 (0.05%) | 2.54E-02 (0.06%) |
| TOTAL | 3.69E-05 | 2.88E-04 | 2.71E-03 | 6.98E-03 | 4.05E+01 |

Table 6.3-2 Rev. 2

SUMMARY OF RISK RESULTS FOR EXTERNAL INITIATORS

| Containment End States | Early Fatalities / Yr | Early Injuries / Yr | Latent Fatalities / Yr | Thyroid Cancers / Yr | Whole-Body Person-Rem / Yr |
|---|---|---|---|---|---|
| Steam Generator Tube Rupture | 1.03E-07 (3.87%) | 4.36E-07 (1.37%) | 1.74E-06 (0.08%) | 9.93E-06 (0.21%) | 2.49E-02 (0.08%) |
| ISLOCA | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) |
| Isolation Failure | 2.28E-06 (85.71%) | 1.11E-05 (34.88%) | 8.51E-05 (4.16%) | 4.04E-04 (8.44%) | 1.17E+00 (3.67%) |
| Early Containment Failure | 1.03E-07 (3.88%) | 1.04E-05 (32.66%) | 6.74E-04 (32.92%) | 1.74E-03 (36.25%) | 1.03E+01 (32.48%) |
| Late Containment Failure | 1.74E-07 (6.54%) | 9.90E-06 (31.09%) | 1.29E-03 (62.79%) | 2.63E-03 (55.01%) | 2.02E+01 (63.73%) |
| Basemat Meltthrough | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 9.28E-07 (0.05%) | 4.57E-06 (0.10%) | 1.29E-02 (0.04%) |
| No Containment Failure | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 2.80E-08 (0.00%) | 9.96E-08 (0.00%) | 4.39E-04 (0.00%) |
| TOTAL | 2.66E-06 | 3.18E-05 | 2.05E-03 | 4.79E-03 | 3.18E+01 |

Table 6.3-3 Rev. 2

SUMMARY OF RISK RESULTS FOR ALL INITIATORS

| Containment End States | Early Fatalities / Yr | Early Injuries / Yr | Latent Fatalities / Yr | Thyroid Cancers / Yr | Whole-Body Person-Rem / Yr |
|---|---|---|---|---|---|
| Steam Generator Tube Rupture | 2.82E-07 (0.71%) | 1.20E-06 (0.37%) | 4.74E-06 (0.10%) | 2.71E-05 (0.23%) | 6.76E-02 (0.09%) |
| ISLOCA | 3.65E-05 (92.18%) | 2.67E-04 (83.44%) | 4.20E-04 (8.81%) | 1.91E-03 (16.19%) | 4.72E+00 (6.54%) |
| Isolation Failure | 2.28E-06 (5.76%) | 1.11E-05 (3.47%) | 8.52E-05 (1.79%) | 4.05E-04 (3.44%) | 1.17E+00 (1.62%) |
| Early Containment Failure | 2.13E-07 (illegible) | 2.15E-05 (6.72%) | 1.39E-03 (29.29%) | 3.59E-03 (30.53%) | 2.13E+01 (29.55%) |
| Late Containment Failure | 3.20E-07 (0.81%) | 1.92E-05 (6.00%) | 2.85E-03 (59.84%) | 5.80E-03 (49.32%) | 4.48E+01 (62.05%) |
| Basemat Meltthrough | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 6.24E-06 (0.13%) | 3.09E-05 (0.26%) | 8.69E-02 (0.12%) |
| No Containment Failure | 0.00E+00 (0.00%) | 0.00E+00 (0.00%) | 1.64E-06 (0.03%) | 3.78E-06 (0.03%) | 2.58E-02 (0.04%) |
| TOTAL | 3.96E-05 | 3.20E-04 | 4.76E-03 | 1.18E-02 | 7.22E+01 |

Figure 6.1-1 Rev. 2 Percent Contribution to Core Damage Frequency by Initiator

All Others Fire 0.5%

Transients (non-LOOP) 16.5%

Tornado 2.2%

Loss of Offsite Power 0.9%

Seismic 18.2%

LOCAs Reactor Vessel Rupture 25.0%

2.1%

Anticipated Transient Internal Flood Without Scram 23.0 % 0.3%

Total CDF = 4.7E-05/yr

[Figure 6.1-2 Probability Density Function For Catawba CDF. Axes: Frequency, Density.]

[Figure 6.1-3 Cumulative Probability Function For Catawba CDF. Axes: Frequency, Cumulative Probability.]

7.0 REFERENCES

Section 2.0

2.1 PRA Procedures Guide, NUREG/CR-2300, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, D.C., January 1983.

Section 3.0

3.1 SAROS Generic Equipment Failure Rate Database, SAAG File No. 342, Duke Power Co., November 1995.

3.2 Licensed Operating Reactors Status Summary Report, NUREG-0020, Volume 14, U.S. Nuclear Regulatory Commission, Washington, DC, January 1990.

3.3 Losses of Off-Site Power at U.S. Nuclear Power Plants - Through 1995, EPRI TR-106306, Electric Power Research Institute, Palo Alto, CA, April 1996.

3.4 Licensee Event Report 50-261/75-9, H. B. Robinson Unit 2, May 1975.

3.5 NSAC-60, A Probabilistic Risk Assessment of McGuire Unit 3, Duke Power and the Nuclear Safety Analysis Center, Palo Alto, CA, June 1984.

3.6 Kitzmiller, J. T. and Frost, D. R., Westinghouse Owners Group Trip Reduction and Assessment Program, Westinghouse Inadvertent Plant Trip Experience January 1987 through December 1987, WCAP 11779, Westinghouse Electric Company, Pittsburgh, PA, March 1988.

3.7 PRA Procedures Guide, NUREG/CR-2300, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, D.C., January 1983.

3.8 More, J. H., et al., Value Impact Analysis of Recommendations Concerning Steam Generator Tube Degradations and Rupture Events, Science Applications Inc., McLean, Virginia, 1983.

3.9 Advanced Light Water Reactor Requirements Document, Appendix A: PRA Key Assumptions and Groundrules, Rev. 1, Electric Power Research Institute, Palo Alto, CA, August 1990.

3.10 Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44, NUREG-1032, U.S. Nuclear Regulatory Commission, Washington, DC, May 1985.

3.11 Proceedings: Main Coolant Pump Diagnostics, EPRI NP-6116, Electric Power Research Institute, Palo Alto, CA, December 1988.

3.12 Licensee Event Report 313-80015, Arkansas Nuclear One - 1, May 1980.

3.13 Pipe Break Frequency Estimation for Nuclear Power Plants, NUREG/CR-4407, U.S. Nuclear Regulatory Commission, Washington, DC, May 1987.

3.14 Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400, NUREG-75/014, U.S. Nuclear Regulatory Commission, Washington, DC, 1975.

3.15 Swain, A. D., H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Plant Applications, Final Report, Sandia National Laboratories, NUREG/CR-1278, August 1983.

3.16 Hannaman, G. W., Spurgin, A. J., Lukic, Y. D., Human Cognitive Reliability Model for PRA Analysis, NUS-4531, December 1994.

3.17 Parry, G. W., Lydell B. O. Y., An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment, Halliburton NUS Environmental Corp, Gaithersburg, Maryland, EPRI-TR-100259, October 1992.

3.18 Vlahopolus, C., et al., A Loss of Offsite Power Recovery Model, Anticipated and Abnormal Transients in Nuclear Power Plants Topical Meeting, Atlanta, Georgia, April 1987.

3.19 A. Mosleh, et al., Procedures for Treating Common Cause Failures in Safety and Reliability Studies, Vol. 1, NUREG/CR-4780 (EPRI NP-5613), January 1988.

Appendix A System Model Summaries

Table of Contents

A.1 Residual Heat Removal System
A.2 Safety Injection System
A.3 Chemical and Volume Control System
A.4 Reactor Coolant System
A.5 Auxiliary Feedwater System
A.6 Nuclear Service Water System
A.7 Component Cooling System
A.8 Standby Shutdown System
A.9 Essential ac Power System
A.10 Diesel Generators and Load Sequencers
A.11 AC and DC Vital Instrumentation and Control Power Systems
A.12 Engineered Safety Features Actuation System
A.13 Instrument Air System
A.14 Containment Air Return And Hydrogen Skimmer System
A.15 Hydrogen Mitigation System
A.16 Containment Spray System
A.17 Containment Isolation
A.18 Reactor Protection System
A.19 Interfacing-Systems LOCA Analysis

A.1 Residual Heat Removal System

System Description

The Residual Heat Removal (ND) System is illustrated in Figure A.1-1. The system provides water to the reactor core for cooling and inventory after the NC System has been depressurized. The primary function of the ND system is to provide a large volume of injection water in the event of a large LOCA. It also provides head to the safety injection (NI) and centrifugal charging (NV) pumps, during the recirculation mode, from the containment emergency sump. The ND System is comprised of two redundant trains of equipment, each capable of delivering adequate flow for core cooling and safe cooldown. Although each train is separate, with redundant components, piping and valves exist to cross-connect trains at various points to circumvent failed train components.

Each train consists of a pump, heat exchanger, valves, and associated piping. For this analysis, the ND System includes portions of components from other systems: valves FW27A, 28, 55B, and 56 are part of the FWST suction flowpath; valves NI184B and 185A are part of the recirculation suction flowpath; and valves NI173A, 178B, 175, 176, 180, 181, 60, 71, 82 and 94 make up the ND flowpath into the NC cold legs.

Figure A.1-2 provides a composite diagram of all three emergency core cooling systems for Catawba - ND, NV and NI.

During normal plant operation, the ND System is in standby. The primary function of the ND System is to remove heat from the core and NC System during plant cooldown and refueling operations. The ND System can be placed in operation during a plant shutdown when NC System pressure and temperature are approximately 385 psig and less than 350°F, respectively. Once in operation, the system is designed to reduce NC System temperature to 140°F within 20 hours, with both trains in operation. Cooldown proceeds more slowly with one train in service; however, acceptable plant conditions can be reached following an accident with only one train operating.

The ND pumps are identical, vertical, centrifugal pumps. Miniflow lines are employed to protect the pumps from potential low flow induced overheating and vibration. Any time the ND pumps are running they must provide flow to the reactor or circulate flow within the train to avoid damage to the pumps.

The ND System is called upon to operate in two distinct phases of an accident: injection and recirculation. Each phase differs in the sources of water to the pumps and in the cooling requirements for the ND heat exchangers.

Regardless of the source, the ND System operates to inject water into the four NC cold legs and eventually to the reactor core. The pumps are started automatically on the receipt of a safety injection (SS) signal. If the NC System does not depressurize to the ND shutoff limit, the pumps recirculate flow through the miniflow lines to prevent pump damage.

During the injection mode, the ND system will receive water from the FWST and inject into the four cold leg injection paths. The system is normally aligned to the FWST and only a pump-start signal is required to initiate cold leg injection. While ND injection flow passes through the ND heat exchanger, no cooling water (KC) is required during the injection mode since the FWST inventory is already at a substantially lower temperature.

Following depletion of the FWST, water is then taken from the containment sump and recirculated through the ND heat exchanger to the NC System cold legs. If the Containment Spray (NS) System heat exchangers are available then the ND heat exchangers are not necessary in the recirculation phase.

Once the FWST reaches its low-low level setpoint, containment sump valves 1NI184B and 1NI185A automatically open to allow the ND pumps to take suction directly from the sump inventory. Once valves 1NI184B and 1NI185A are fully open, valves 1FW27A and 1FW55B receive an automatic closure signal to isolate the FWST. This action prevents the contaminated sump water from entering the FWST.

This mode of ND operation is defined as the recirculation mode. In some instances during a small or medium LOCA, the NC System pressure is not reduced below the ND pump shutoff head before the FWST is depleted. In this case, the NI and NV pumps are aligned to take suction from the ND heat exchanger discharge since the sump does not supply adequate NPSH for the NI or NV pumps. This sequence is identified as high pressure recirculation and still requires KC cooling to the ND heat exchangers.

System Success Criteria

Successful performance of the ND System is defined differently for each phase of operation:

1. Injection: one ND pump injecting FWST water from one train into the NC system until the FWST is depleted.
2. Recirculation: one ND pump injecting containment emergency sump water from one train into the NC System for 24 hours. One ND heat exchanger with KC cooling is required. One NS heat exchanger with RN cooling can remove sufficient heat from the sump inventory if KC cooling to the ND heat exchangers fails.

Major Assumptions

1. Based on information contained in NUREG/CR-3394, Probabilistic Assessment of Recirculation Sump Blockage Due to Loss of Coolant Accidents, the probability of sump blockage by debris is considered negligible. Also, Catawba utilizes very little fibrous insulation, which has the greatest potential for causing screen blockage. Instead, mirror insulation is mostly used, which is not likely to cause sump blockage.
2. Valves 1ND32A and 1ND65B are closed as part of the switchover to recirculation procedure. However, failure to perform this action does not fail the system in the recirculation mode.
3. For each train there are two injection lines, each with two check valves in series. The probability of two check valves failing to open on demand is relatively small. When the two injection lines are 'anded,' this train failure drops far below other train failures and becomes insignificant. Therefore, individual injection paths are not modeled.
4. Failure of system drain valves is considered probabilistically insignificant.
5. If a component fails during the injection phase of operation, it is assumed failed during the recirculation phase.
6. The total injection and recirculation mission time is 24 hours.
7. Failure of 3 out of 4 FWST level transmitters will fail the low FWST alarm and the switchover from injection to recirculation mode. However, these transmitters are not modeled individually since independent failure of 3 transmitters is probabilistically insignificant compared to the common cause failure of the transmitters.

System Reliability Results

Dominant cut sets and the dominant contributors to system failure are listed in the tables below. The total failure probability of the ND System in the injection mode is calculated to be 5.3E-04. System failures in the injection phase are dominated by common cause failures of the ND pumps to start on demand, unintended closure of air operated valve 1ND026, and ND pump train unavailability due to maintenance.

The total failure probability of the ND System in the recirculation mode is calculated to be 1.5E-03. System failures in the recirculation phase are dominated by common cause failure of ND pump miniflow line motor operated valves, common cause failure of recirculation suction valves (1NI184B & 1NI185A), and common cause failure of the FWST level transmitters.

The ND System in the injection mode is highly reliable as designed and operated due to the redundancy in the design and the fact that the system is in standby and only requires the pumps to start.

The reliability of the ND System in the recirculation phase is affected by the necessity of suction swapover. For high pressure recirculation, the necessity of the ND pump miniflow lines to open contributes to the unavailability of the ND System.

Top Cut Sets For Gate L100I: Failure of ND During Injection

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 2.22E-04 | LNDPSTRCOM | Common Cause Failure of the ND Pumps to Start | 2.22E-04 |
| 3.00E-05 | LNDMV33LHE | Latent Human Error - Flow Diversion, Mnl Vlv 1ND33 Left Open | 3.00E-05 |
| 1.80E-05 | IFWFWSTTKF | FWST Fails | 1.80E-05 |
| 1.52E-05 | LND0060AVT | Air Operated Valve 1ND60 Transfers Closed | 3.05E-03 |
| | LNDTRIATRM | ND Train A in Maintenance | 5.00E-03 |
| 1.52E-05 | LND0026AVT | Air Operated Valve 1ND26 Transfers Closed | 3.05E-03 |
| | LNDTRIBTRM | ND Train 1B in Maintenance | 5.00E-03 |
| 1.52E-05 | LKC082BAVT | Air Operated Vlv 1KC82B Transfers Position | 3.05E-03 |
| | LNDTRIATRM | ND Train A in Maintenance | 5.00E-03 |
| 1.50E-05 | LNDTRIALHE | Train 1A Failure Due to Latent Human Error | 3.00E-03 |
| | LNDTRIBTRM | ND Train 1B in Maintenance | 5.00E-03 |
| 1.50E-05 | LNDTRIATRM | ND Train A in Maintenance | 5.00E-03 |
| | LNDTRIBLHE | ND Train 1B Fails Due to Latent Human Error | 3.00E-03 |
| 1.33E-05 | LNS038BMVT | Motor Operated Valve 1NS38B Transfers Open | 1.33E-05 |
| 1.33E-05 | LNS043AMVT | Flow Diversion: Motor Operated Valve 1NS43A Transfers Open | 1.33E-05 |
| 9.30E-06 | LND0026AVT | Air Operated Valve 1ND26 Transfers Closed | 3.05E-03 |
| | LND0060AVT | Air Operated Valve 1ND60 Transfers Closed | 3.05E-03 |
| 9.30E-06 | LKC082BAVT | Air Operated Vlv 1KC82B Transfers Position | 3.05E-03 |
| | LND0026AVT | Air Operated Valve 1ND26 Transfers Closed | 3.05E-03 |
| 9.15E-06 | LND0060AVT | Air Operated Valve 1ND60 Transfers Closed | 3.05E-03 |
| | LNDTRIALHE | Train 1A Failure Due to Latent Human Error | 3.00E-03 |
| 9.15E-06 | LND0026AVT | Air Operated Valve 1ND26 Transfers Closed | 3.05E-03 |
| | LNDTRIBLHE | ND Train 1B Fails Due to Latent Human Error | 3.00E-03 |
| 9.15E-06 | LKC082BAVT | Air Operated Vlv 1KC82B Transfers Position | 3.05E-03 |
| | LNDTRIALHE | Train 1A Failure Due to Latent Human Error | 3.00E-03 |

Total Gate Probability = 5.3E-04

Top Cut Sets For Gate L100R: Failure of ND During Recirculation

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.75E-04 | LNDMOVSCOM | Common Cause Failure of Recirculation Suction Valves | 1.75E-04 |
| 1.75E-04 | LKC5681COM | Common Cause Failure of KC Supply Valves | 1.75E-04 |
| 1.75E-04 | LNDMINICOM | Common Cause Failure of ND Miniflow Motor Operated Valves | 1.75E-04 |
| 1.40E-04 | LFWLVTRCOM | Common Cause Failure of FWST Level Transmitters | 1.40E-04 |
| 5.23E-05 | LNDPRUNCOM | Common Cause Failure of the ND Pumps to Run | 5.23E-05 |
| 1.80E-05 | SNSDRNVLHE | Drains From Upper To Lower Containment Closed | 1.80E-05 |
| 1.75E-05 | LNDTRIATRM | ND Train A in Maintenance | 5.00E-03 |
| | LNI184BMVO | Motor Operated Valve 1NI184B Fails To Open | 3.50E-03 |
| 1.75E-05 | LND059BMVO | Motor Operated Valve 1ND59B Fails to Open | 3.50E-03 |
| | LNDTRIATRM | ND Train A in Maintenance | 5.00E-03 |
| 1.75E-05 | LKC056AMVO | Motor Operated Valve 1KC56A to ND Hx 1A Fails to Open | 3.50E-03 |
| | LNDTRIBTRM | ND Train 1B in Maintenance | 5.00E-03 |
| 1.75E-05 | LNDTRIBTRM | ND Train 1B in Maintenance | 5.00E-03 |
| | LNI185AMVO | Motor Operated Valve 1NI185A Fails to Open | 3.50E-03 |
| 1.75E-05 | LND025AMVO | Motor Operated Valve 1ND25A Fails to Open | 3.50E-03 |
| | LNDTRIBTRM | ND Train 1B in Maintenance | 5.00E-03 |
| 1.75E-05 | LKC081BMVO | Motor Operated Valve 1KC81B to ND Hx 1B Fails to Open | 3.50E-03 |
| | LNDTRIATRM | ND Train A in Maintenance | 5.00E-03 |
| 1.52E-05 | LKC057AAVT | Air Operated Vlv 1KC57A Transfers Position | 3.05E-03 |
| | LNDTRIBTRM | ND Train 1B in Maintenance | 5.00E-03 |

Total Gate Probability = 1.5E-03

Importance Table For Gate L100I: Failure of ND During Injection

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| LNDPSTRCOM | Common Cause Failure of the ND Pumps to Start | 41.8% | 1880.0 |
| LNDTRIATRM | ND Train A in Maintenance | 12.0% | 24.8 |
| LND0026AVT | Air Operated Valve 1ND26 Transfers Closed | 10.2% | 34.1 |
| LNDTRIALHE | Train 1A Failure Due to Latent Human Error | 10.0% | 34.1 |
| LNDTRIBTRM | ND Train 1B in Maintenance | 9.1% | 19.0 |
| LKC082BAVT | Air Operated Vlv 1KC82B Transfers Position | 8.4% | 28.3 |
| LND0060AVT | Air Operated Valve 1ND60 Transfers Closed | 8.4% | 28.3 |
| LNDTRIBLHE | ND Train 1B Fails Due to Latent Human Error | 8.3% | 28.3 |
| LNDMV33LHE | Latent Human Error - Flow Diversion, Mnl Vlv 1ND33 Left Open | 5.7% | 1880.0 |
| LND001ALPS | ND Pump 1A Fails to Start | 5.3% | 34.2 |
| LND001BLPS | ND Pump 1B Fails to Start | 4.4% | 28.4 |
| IFWFWSTTKF | FWST Fails | 3.4% | 1880.0 |

Importance Table For Gate L100R: Failure of ND During Recirculation

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| LKC5681COM | Common Cause Failure of KC Supply Valves | 12.0% | 686.0 |
| LNDMINICOM | Common Cause Failure of ND Miniflow Motor Operated Valves | 12.0% | 686.0 |
| LNDMOVSCOM | Common Cause Failure of Recirculation Suction Valves | 12.0% | 686.0 |
| LFWLVTRCOM | Common Cause Failure of FWST Level Transmitters | 9.6% | 686.0 |
| LKC056AMVO | Motor Operated Valve 1KC56A to ND Hx 1A Fails to Open | 7.3% | 21.5 |
| LND025AMVO | Motor Operated Valve 1ND25A Fails to Open | 7.3% | 21.5 |
| LNI185AMVO | Motor Operated Valve 1NI185A Fails to Open | 7.3% | 21.5 |
| LKC081BMVO | Motor Operated Valve 1KC81B to ND Hx 1B Fails to Open | 7.3% | 21.4 |
| LND059BMVO | Motor Operated Valve 1ND59B Fails to Open | 7.3% | 21.4 |
| LNI184BMVO | Motor Operated Valve 1NI184B Fails To Open | 7.3% | 21.4 |
| LKC057AAVT | Air Operated Vlv 1KC57A Transfers Position | 6.4% | 21.5 |
| LNDTRIBTRM | ND Train 1B in Maintenance | 5.3% | 12.7 |
| LNDTRIATRM | ND Train A in Maintenance | 4.9% | 10.7 |
| LND001ALPR | ND Pump 1A Fails to Run | 4.4% | 22.6 |
| LND001BLPR | ND Pump 1B Fails to Run | 4.4% | 22.5 |
| LKC082BAVT | Air Operated Vlv 1KC82B Transfers Position | 3.6% | 12.7 |
| LND0060AVT | Air Operated Valve 1ND60 Transfers Closed | 3.6% | 12.7 |
| LNDPRUNCOM | Common Cause Failure of the ND Pumps to Run | 3.6% | 686.0 |
| LNDTRIBLHE | ND Train 1B Fails Due to Latent Human Error | 3.6% | 12.7 |
| LND5040FTK | ND Pump 1A Recirculation Flow Transmitter 5040 Fails | 3.2% | 22.6 |
| LND5050FTK | ND Pump 1B Recirculation Flow Transmitter 5050 Fails | 3.2% | 22.5 |

[Figure A.1-1 Rev. 2: Residual Heat Removal System Simplified Diagram]

[Figure A.1-2 Rev. 2: Simplified ECCS Composite Diagram]

A.2 Safety Injection System

System Description

The Safety Injection (NI) System, a portion of the Emergency Core Cooling (ECCS) System, is designed to provide emergency core cooling in order to prevent unacceptable fuel damage and to assure that the core remains in place and substantially intact in case of a loss of coolant (LOCA) or steam break accident. The NI portion of ECCS is required for primary break cases where the Reactor Coolant (NC) System pressure remains above the operating pressures of the ND system pumps. The NI System is also designed to provide core cooling by "feed and bleed" following a loss of secondary side heat removal.

The NI System (Figure A.2-1) is comprised of two motor-driven pumps and associated components. The two NI pumps have an intermediate discharge head (approximately 1500 psig at shutoff). The design flow of the NI pumps is 400 gpm at approximately 1100 psig with a maximum flow of 650 gpm. A composite diagram of the ECCS is provided in Figure A.2-2.

During normal operation, the system is in standby with the pumps off and all valves, except check valves, open for the injection mode of operation. The system is normally aligned for cold leg injection but is capable of supplying flow to either the cold legs or the hot legs of all four loops. The pumps start automatically on receipt of a safety injection actuation (SS) signal. They are protected by a miniflow line during cold leg injection. Miniflow from each pump passes through a flow restricting orifice to a common return header to the FWST. These miniflow lines are closed as part of the switchover sequence from injection to recirculation to prevent the flow of potentially contaminated sump water to the FWST.

During injection, the FWST supplies borated water which the NI pumps ultimately deliver to the NC cold legs via the ten inch CLA discharge lines. Both pumps provide flow to a common cold leg injection header which then branches to four lines, one for each NC loop. A throttle valve in each branch line permits adjustment to limit runout flow with one pump operating and to equalize flow through each line. The branch line flows are equalized in order to minimize the flow lost if any one branch line breaks.

The cold leg accumulators are designed as a passive standby system which is comprised of four accumulator tanks. The four CLAs are connected to each of their respective NC cold legs via a ten inch injection header containing a normally open motor operated valve (MOV) and two check valves in series. These accumulators contain borated water which is pressurized (to approximately 600 psig) with a nitrogen cover gas. If NC pressure decreases below the CLA pressure, the check valves open and the nitrogen expands to force the borated water into the NC cold leg.

This portion of NI is specially intended to be effective for large NC breaks. The CLAs are sized such that three CLAs with a minimum volume in each tank are sufficient, following a large NC break, to limit the peak fuel cladding temperature to less than or equal to the maximum allowable. This conservatively assumes that the water from one of the three is lost out the break.

During recirculation, emergency cooling water is supplied to the NC cold legs to continuously remove decay heat from the core over an extended period of time.

During recirculation, the NI pumps are realigned by operator action to take suction from the discharge of the ND System and deliver flow through the same flowpath as during injection. The ND pumps take suction directly from the containment emergency sump. On low low FWST level, the ND System is automatically aligned to the containment emergency sump and isolated from the FWST.

Upon receipt of the "SS" signal, the NI pumps start, with suction aligned to the FWST. Until NC System pressure drops below the shutoff head of the NI pumps, they avoid damage by pumping through the miniflow lines back to the FWST.

Once the NC System pressure drops, the isolating check valves open and cold leg injection begins. When the NC System pressure falls to less than the CLA pressure, the check valves for the CLAs open and the CLA water is also injected.

When the FWST low level setpoint is reached, the crew must act to switch over to recirculation mode. In recirculation mode, suction to the NI pumps is provided by the ND System. On low FWST level, the ND System is automatically aligned to the Containment Recirculation Sump and isolated from the FWST.

For NI System operation in the recirculation mode, the crew must first close the miniflow line valves (NI115A, NI144A, and NI147B) to avoid pumping contaminated water from the sump to the FWST. Next, they open the valves (NI332A and NI333B) in the crossover line to the Chemical and Volume Control (NV) System main header.

Then they open the ND System isolation valves (ND28A and NI136B). This action will align the NI pump suction to the ND heat exchanger discharge. Finally, the FWST isolation valve (NI100B) is closed to completely separate the FWST from the systems in recirculation mode.

System Success Criteria

One NI pump injecting to two cold legs is sufficient for NI success in its emergency injection or recirculation mode for small and medium LOCAs.

Successful operation of the cold leg accumulators is two of four accumulators injecting into the NC system for large LOCAs. This is conservatively interpreted as requiring flow into the injection lines from 3 out of 4 accumulators so that inventory of one can spill out the break.

Major Assumptions

1. Due to normal isolation from the Nitrogen System, failures associated with this system leading to failure of the NI System are not modeled.
2. Due to their small maximum relief capacity, NI System relief valves are not significant potential flow diversion paths and are not modeled.
3. Success of the NI System does not require the switchover to hot leg recirculation. Cold leg recirculation is assumed to be sufficient to prevent core damage.
4. NI pump miniflow line failures are assumed to make an insignificant contribution to system failure. Sequences that require NI have a low enough RCS pressure to permit flow.
5. Motor-operated valves with power removed are considered as manual valves for determination of transfer position failure mode.
6. Due to pipe size and flow restrictors, failure to isolate the miniflow lines during injection is not considered to be a failure of the NI System. However, this failure is modeled in the recirculation mode to satisfy interlock logic to open valve 1NI136B.
7. A component that fails during injection remains failed during recirculation.
8. Because of the low probability of failing three or more injection paths, individual injection lines to the cold legs are not modeled for injection success during a small or medium LOCA. The injection lines are modeled in the event tree top logic for feed and bleed cooling.

System Reliability Results

The top cut sets and dominant contributors to failure for the NI System, in the injection and recirculation mode, as well as CLA injection, are given in the tables below.

Valve failures in the common FWST suction and injection lines along with the common cause failure of the NI pumps to start dominate the failure of NI during injection.

Common cause failure of the MOVs in the ND to NI "piggyback" lines and NI miniflow lines dominate NI failures during the recirculation mode.

CLA injection is highly reliable with a passive failure of the accumulator tank dominating failure.

The NI System's high reliability is apparent from review of the cut sets. Reliability of the high pressure injection and recirculation is further increased by the existence of the two train NV System. A source of single failure points in the NI System is the existence of a common FWST suction valve and a common injection valve. The reliability is improved by requiring power to be removed from MOVs 1NI100B and 1NI162A to reduce the likelihood of spurious closing of these valves while the system is in standby.

Top Cut Sets For Gate IA: NI Pumps Fail Injection

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 5.28E-04 | INI162AVVT | Motor Operated Valve 1NI162A Transfers Closed | 5.28E-04 |
| 1.90E-04 | INI0101CVO | Check Valve 1NI101 Fails to Open | 1.90E-04 |
| 9.02E-05 | INI100BVVT | Motor Operated Valve 1NI100B Transfers Closed | 9.02E-05 |
| 9.00E-05 | INIPSTRCOM | Common Cause Failure Of Both NI Pumps to Start | 9.00E-05 |
| 1.80E-05 | IFWFWSTTKF | FWST Fails | 1.80E-05 |
| 1.50E-05 | INITRIALHE | NI Train 1A Fails Due to Latent Human Error | 3.00E-03 |
| | INITRIBTRM | NI Header 1B in Maintenance | 5.00E-03 |
| 1.50E-05 | INITRIATRM | NI Header 1A in Maintenance | 5.00E-03 |
| | INITRIBLHE | NI Train 1B Fails Due to Latent Human Error | 3.00E-03 |
| 1.08E-05 | INI0101CV[illegible] | Check Valve 1NI101 Transfers Closed | 1.08E-05 |
| 9.00E-06 | INITRIALHE | NI Train 1A Fails Due to Latent Human Error | 3.00E-03 |
| | INITRIBLHE | NI Train 1B Fails Due to Latent Human Error | 3.00E-03 |
| 3.20E-06 | INI001AHPS | NI Pump 1A Fails to Start | 6.41E-04 |
| | INITRIBTRM | NI Header 1B in Maintenance | 5.00E-03 |
| 3.20E-06 | INI001BHPS | NI Pump 1B Fails to Start | 6.41E-04 |
| | INITRIATRM | NI Header 1A in Maintenance | 5.00E-03 |
| 2.64E-06 | INI0149VVT | Manual Valve 1NI149 Transfers Closed | 5.28E-04 |
| | INITRIATRM | NI Header 1A in Maintenance | 5.00E-03 |
| 2.64E-06 | INI0117VVT | Manual Valve 1NI117 Transfers Closed | 5.28E-04 |
| | INITRIBTRM | NI Header 1B in Maintenance | 5.00E-03 |
| 2.09E-06 | INI103AMVT | Motor Operated Valve 1NI103A Transfers Closed | 4.17E-04 |
| | INITRIBTRM | NI Header 1B in Maintenance | 5.00E-03 |
| 2.09E-06 | INI135BMVT | Motor Operated Valve 1NI135B Transfers Closed | 4.17E-04 |
| | INITRIATRM | NI Header 1A in Maintenance | 5.00E-03 |
| 1.92E-06 | INI001BHPS | NI Pump 1B Fails to Start | 6.41E-04 |
| | INITRIALHE | NI Train 1A Fails Due to Latent Human Error | 3.00E-03 |
| 1.92E-06 | INI001AHPS | NI Pump 1A Fails to Start | 6.41E-04 |
| | INITRIBLHE | NI Train 1B Fails Due to Latent Human Error | 3.00E-03 |

Total Gate Probability = 1.01E-03

Top Cut Sets For Gate IAR: NI Pumps Fail Recirculation

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.80E-04 | INIOXCMCOM | Common Cause Failure of Miniflow Line Valves | 1.80E-04 |
| 1.80E-04 | INIONDMCOM | Common Cause Failure of Flow Line Valves | 1.80E-04 |
| 4.68E-06 | INI001BHPR | NI Pump 1B Fails to Run | 9.36E-04 |
| | INITRIATRM | NI Header 1A in Maintenance | 5.00E-03 |
| 4.68E-06 | INI001AHPR | NI Pump 1A Fails to Run | 9.36E-04 |
| | INITRIBTRM | NI Header 1B in Maintenance | 5.00E-03 |
| 2.81E-06 | INI001AHPR | NI Pump 1A Fails to Run | 9.36E-04 |
| | INITRIBLHE | NI Train 1B Fails Due to Latent Human Error | 3.00E-03 |
| 2.81E-06 | INI001BHPR | NI Pump 1B Fails to Run | 9.36E-04 |
| | INITRIALHE | NI Train 1A Fails Due to Latent Human Error | 3.00E-03 |
| 2.40E-06 | INIPRUNCOM | Common Cause Failure Of Both NI Pumps to Run | 2.40E-06 |
| 8.76E-07 | INI001AHPR | NI Pump 1A Fails to Run | 9.36E-04 |
| | INI001BHPR | NI Pump 1B Fails to Run | 9.36E-04 |
| 6.30E-07 | INIOXOMCOM | Common Cause Failure of Both Isolation Valves | 1.80E-04 |
| | INI136BMVO | Motor Operated Valve 1NI136B Fails to Open | 3.50E-03 |
| 6.00E-07 | INI001AHPR | NI Pump 1A Fails to Run | 9.36E-04 |
| | INI001BHPS | NI Pump 1B Fails to Start | 6.41E-04 |
| 6.00E-07 | INI001AHPS | NI Pump 1A Fails to Start | 6.41E-04 |
| | INI001BHPR | NI Pump 1B Fails to Run | 9.36E-04 |
| 4.94E-07 | INI001AHPR | NI Pump 1A Fails to Run | 9.36E-04 |
| | INI0149VVT | Manual Valve 1NI149 Transfers Closed | 5.28E-04 |
| 4.94E-07 | INI001BHPR | NI Pump 1B Fails to Run | 9.36E-04 |
| | INI0117VVT | Manual Valve 1NI117 Transfers Closed | 5.28E-04 |
| 3.90E-07 | INI001BHPR | NI Pump 1B Fails to Run | 9.36E-04 |
| | INI103AMVT | Motor Operated Valve 1NI103A Transfers Closed | 4.17E-04 |
| 3.90E-07 | INI001AHPR | NI Pump 1A Fails to Run | 9.36E-04 |
| | INI135BMVT | Motor Operated Valve 1NI135B Transfers Closed | 4.17E-04 |
| 1.78E-07 | INI001BHPR | NI Pump 1B Fails to Run | 9.36E-04 |
| | INI0116CVO | Check Valve 1NI116 Fails to Open | 1.90E-04 |
| 1.78E-07 | INI001AHPR | NI Pump 1A Fails to Run | 9.36E-04 |
| | INI0148CVO | Check Valve 1NI148 Fails to Open | 1.90E-04 |

Total Gate Probability = 3.84E-04

Top Cut Sets For Gate 1100: No Accumulator Flow To 3 Of 4 Cold Legs

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 2.43E-05 | INIACCATKF | Accumulator A Fails | 4.93E-03 |
| | INIACCCTKF | Accumulator C Fails | 4.93E-03 |
| 2.43E-05 | INIACCBTKF | Accumulator B Fails | 4.93E-03 |
| | INIACCCTKF | Accumulator C Fails | 4.93E-03 |
| 2.43E-05 | INIACCCTKF | Accumulator C Fails | 4.93E-03 |
| | INIACCDTKF | Accumulator D Fails | 4.93E-03 |
| 2.43E-05 | INIACCATKF | Accumulator A Fails | 4.93E-03 |
| | INIACCBTKF | Accumulator B Fails | 4.93E-03 |
| 2.43E-05 | INIACCATKF | Accumulator A Fails | 4.93E-03 |
| | INIACCDTKF | Accumulator D Fails | 4.93E-03 |
| 2.43E-05 | INIACCBTKF | Accumulator B Fails | 4.93E-03 |
| | INIACCDTKF | Accumulator D Fails | 4.93E-03 |
| 2.59E-06 | INI076AVVT | Motor Operated Valve 1NI76A Transfers Closed | 5.26E-04 |
| | INIACCATKF | Accumulator A Fails | 4.93E-03 |
| 2.59E-06 | INI054AVVT | Motor Operated Valve 1NI54A Transfers Closed | 5.26E-04 |
| | INIACCCTKF | Accumulator C Fails | 4.93E-03 |
| 2.59E-06 | INI076AVVT | Motor Operated Valve 1NI76A Transfers Closed | 5.26E-04 |
| | INIACCBTKF | Accumulator B Fails | 4.93E-03 |
| 2.59E-06 | INI054AVVT | Motor Operated Valve 1NI54A Transfers Closed | 5.26E-04 |
| | INIACCBTKF | Accumulator B Fails | 4.93E-03 |
| 2.59E-06 | INI088BVVT | Motor Operated Valve 1NI88B Transfers Closed | 5.26E-04 |
| | INIACCATKF | Accumulator A Fails | 4.93E-03 |
| 2.59E-06 | INI054AVVT | Motor Operated Valve 1NI54A Transfers Closed | 5.26E-04 |
| | INIACCDTKF | Accumulator D Fails | 4.93E-03 |
| 2.59E-06 | INI065BVVT | Motor Operated Valve 1NI65B Transfers Closed | 5.26E-04 |
| | INIACCATKF | Accumulator A Fails | 4.93E-03 |
| 2.59E-06 | INI065BVVT | Motor Operated Valve 1NI65B Transfers Closed | 5.26E-04 |
| | INIACCDTKF | Accumulator D Fails | 4.93E-03 |
| 2.59E-06 | INI076AVVT | Motor Operated Valve 1NI76A Transfers Closed | 5.26E-04 |
| | INIACCDTKF | Accumulator D Fails | 4.93E-03 |

Total Gate Probability = 2.06E-04

Importance Table For Gate IA: NI Pumps Fail Injection

Event Name | Event Description | F-V | RAW
IN1162AVVT | Motor Operated Valve 1NI162A Transfers Closed | 52.20% | 989.0
IN10101CVO | Check Valve 1NI101 Fails to Open | 18.80% | 989.0
IN1100BVVT | Motor Operated Valve 1NI100B Transfers Closed | 8.91% | 989.0
INIPSTRCOM | Common Cause Failure Of Both NI Pumps to Start | 8.89% | 989.0
INITRIALHE | NI Train 1A Fails Due to Latent Human Error | 3.12% | 11.4
INITRIBLHE | NI Train 1B Fails Due to Latent Human Error | 3.10% | 11.3

Importance Table For Gate IAR: NI Pumps Fail Recirculation

Event Name | Event Description | F-V | RAW
INIONDMCOM | Common Cause Failure of Flow Line Valves | 46.90% | 2610.0
IN10XCMCOM | Common Cause Failure of Miniflow Line Valves | 46.90% | 2610.0

Importance Table For Gate 1100: No Accumulator Flow To 3 Of 4 Cold Legs

Event Name | Event Description | F-V | RAW
INIACCATKF | Accumulator A Fails | 42.10% | 85.5
INIACCBTKF | Accumulator B Fails | 42.10% | 85.5
INIACCCTKF | Accumulator C Fails | 42.10% | 85.5
INIACCDTKF | Accumulator D Fails | 42.10% | 85.5
IN1054AVVT | Motor Operated Valve 1NI54A Transfers Closed | 4.48% | 85.5
IN1065BVVT | Motor Operated Valve 1NI65B Transfers Closed | 4.48% | 85.5
IN1076AVVT | Motor Operated Valve 1NI76A Transfers Closed | 4.48% | 85.5
IN1088BVVT | Motor Operated Valve 1NI88B Transfers Closed | 4.48% | 85.5

[Figure A.2-1 Rev. 2: Safety Injection System Simplified Diagram]

[Figure A.2-2 Rev. 2: Simplified ECCS Composite Diagram]

A.3 Chemical and Volume Control System

System Description

The Chemical and Volume Control (NV) System, as analyzed, is shown in Figure A.3-1. The NV System is designed to provide (i) Reactor Coolant (NC) System normal charging and letdown flow in order to maintain a programmed water level in the pressurizer, (ii) seal injection flow to the NC pump seals, (iii) NC System chemical control and purification and (iv) emergency charging capability following an accident. However, for this PRA analysis, only NV System operation following an initiating event is modeled. Following an initiating event or accident, this system is designed to provide NC pump seal injection, safety injection and high pressure recirculation. The NV System makes up the highest pressure portion of the Emergency Core Cooling System (ECCS). For seal injection, the NV pumps draw suction from either the volume control tank (VCT) or the refueling water storage tank (FWST) and deliver flow through the seal water injection filters to each of the four NC pumps. During safety injection, the NV pumps draw suction from the FWST and deliver flow through a separate injection line to each of the four NC System cold legs.

The injection flow line includes parallel motor operated isolation valves (1NI9A and 1NI10B) which must open to pass flow to the NC System. High pressure recirculation requires the NV pumps to draw suction from the discharge of the Residual Heat Removal (ND) System heat exchangers. Flow from ND heat exchanger A passes through isolation valve 1ND28A to the common NV pump suction header. Flow from ND heat exchanger 1B must pass through the NI/NV crossover header to reach the NV System.

The NV pump system consists of two high pressure centrifugal charging pumps (CCPs) with associated valves, filters, tanks and piping. The CCPs are designed to maintain seal charging and are sized to provide safety injection. Each CCP can supply 150 gpm at 2670 psig or a maximum of 625 gpm at pressures below 645 psig. The CCPs have minimum flow recirculation lines for pump protection.

Three sources of water are available as suction to the NV pumps. The VCT is a small (400 ft³) tank which receives make up from the Reactor Makeup Water Storage Tank (RMWST). The VCT is designed to accommodate inventory fluctuations in the primary system and to provide surge capacity following load transients. The FWST provides sufficient inventory and flow capacity for safety injection during a loss of coolant accident or for "feed and bleed" cooling following a loss of secondary side heat removal (SSHR). There is a minimum of 363,000 gallons available in the FWST. When the FWST is depleted, the NV suction is aligned to the discharge of the ND system heat exchangers for high pressure recirculation mode. The ND system provides long term recirculation capability by taking suction from the containment sump.

During normal operation, one charging pump is operating with the other charging pump in standby. Flow is automatically controlled through air-operated valve 1NV294. A constant normal letdown flow is maintained and passed through a purification system in order to control NC System chemistry. Normal make up to the primary system is directed through the normal charging line. The remaining flow is diverted to the four RCP seals which require 8 gpm each.

Suction is normally maintained from the VCT. If a low level is reached in the VCT, makeup to the VCT from the RMWST is automatically initiated. If a low-low level is reached, suction is transferred automatically from the VCT to the FWST.

The emergency function of the NV System is to provide safety injection to the primary system following a loss of coolant accident or following a loss of secondary side heat removal for feed and bleed cooling. Seal charging flow must also be maintained in accident situations in order to prevent the accident from developing into a small LOCA.

Following an SS signal, both CCPs will receive a start signal. Suction will be transferred to the FWST automatically. The normal make up line will be isolated and the safety injection line isolation valves (NI9A and NI10B) will open, allowing flow to the cold legs. Seal injection is maintained in the same manner as during normal operation. If normal power is interrupted, the operating charging pump will be required to restart. Otherwise, the operating pump will continue operating.

Following a loss of normal power, both CCPs will be loaded on emergency power and will receive a start signal. The SS flow line isolation valves will not open on a blackout signal and thus normal make up and seal charging will be maintained as during normal operation.

Upon FWST depletion, the suction of the CCPs must be transferred to the discharge of the ND heat exchangers. Valves 1ND28A and 1NI136B can be used to align the ND 1A or 1B heat exchanger outlets to the charging pump suction header. There is no automatic signal to open 1ND28A; therefore, switchover must be accomplished manually. High pressure recirculation is maintained with the ND pumps drawing suction from the containment sump, pumping through the heat exchangers and supplying cooled water to NV and NI pump suction lines.

System Success Criteria

Success of the NV system consists of three separate functional criteria. For success of the seal injection portion of the fault tree, flow must be maintained to all four NC pump seals. Failure of flow to any one of these, coupled with a failure of KC cooling to the NC pump thermal barrier, is assumed to result in a reactor coolant pump seal LOCA. One NV pump injecting into two cold legs is sufficient for NV success in its emergency injection or recirculation mode for small and medium LOCAs.

Major Assumptions

1. Blockage of the seal water return lines will not result in seal degradation. The seal injection flow will continue to cool the seal assembly and prevent potential seal degradation. Flow rates will increase either through seals 2 and 3 or into the NC System.
2. Flow through the CCP miniflow lines is not necessary for pump start success.
3. Failure of seal injection flow coupled with a failure of KC cooling to the NC pump thermal barrier is assumed to result in a seal LOCA.
4. Loss of power will fail the VCT because its instrumentation is non-essential and suction will switch to the FWST.
5. The A train CCP is considered as the operating NV train.
6. Following a loss of power, the A train pump must start and check valves must reopen.
7. A component that fails during injection remains failed during recirculation.
8. Because of the interlock with FWST valves, it is considered unlikely that the VCT valves will inadvertently close upon a tank level switch failure.
9. Because of the low probability of failing three or more injection paths, individual injection lines to the cold legs are not modeled for injection success during a small or medium LOCA.
10. An alternate supply of cooling to the NV pumps, on loss of KC, is available and can be placed in service by operator action. The hardware modifications to support this recovery action are not yet implemented, but a modification is planned.

System Reliability Results

The dominant contributors to system failure for each mode of NV System operation are listed in the tables below.

For the seal injection mode the dominant contributors involve the injection filter, pump run failures and individual check valves. During the injection phase, failure of FWST suction line valves and the common injection line valves (1NI12, 1NV254, 1NI9A, 1NI10B, 1NV232A, 1NV233B) to open accounts for over 94% of failure probability. The major contributors to recirculation mode failure involve common cause failures of the "piggyback" MOVs NI136B and ND28A, failure of the NI miniflow valves to close (NI115A, 144A, 147B) and centrifugal charging pump run failures.

Top Cut Sets For Gate 112: NV Pumps Fail Seal Injection

Cut Set Probability | Event Name | Event Description | Event Probability
2.88E-04 | HNV001AFLF | Seal Water Injection Filter 1A Plugged | 2.88E-04
6.48E-05 | HNV0294AVT | Air Operated Valve 1NV294 Transfers Closed | 6.48E-05
2.98E-05 | HNVCCPRCOM | Common Cause Failure of NV Pumps to Run | 2.98E-05
1.08E-05 | HNV0079CVT | Check Valve 1NV79 Transfers Position | 1.08E-05
1.08E-05 | HNV0068CVT | Check Valve 1NV68 Transfers Position | 1.08E-05
1.08E-05 | HNV0493CVT | Check Valve 1NV493 Transfers Position | 1.08E-05
1.08E-05 | HNV0060CVT | Check Valve 1NV60 Transfers Position | 1.08E-05
1.08E-05 | HNV0495CVT | Check Valve 1NV495 Transfers Position | 1.08E-05
1.08E-05 | HNV0071CVT | Check Valve 1NV071 Transfers Position | 1.08E-05
1.08E-05 | HNV0494CVT | Check Valve 1NV494 Transfers Position | 1.08E-05
1.08E-05 | HNV0229CVT | Check Valve 1NV229 Transfers Position | 1.08E-05
1.08E-05 | HNV0082CVT | Check Valve 1NV82 Transfers Position | 1.08E-05
1.08E-05 | HNV0049CVT | Check Valve 1NV49 Transfers Position | 1.08E-05
1.08E-05 | HNV0046CVT | Check Valve 1NV46 Transfers Position | 1.08E-05
1.08E-05 | HNV0057CVT | Check Valve 1NV57 Transfers Position | 1.08E-05
1.08E-05 | HNV0492CVT | Check Valve 1NV492 Transfers Position | 1.08E-05
8.88E-06 | HNV077AMVT | Motor Operated Valve 1NV77 Transfers Closed | 8.88E-06
8.88E-06 | HNV055AMVT | Motor Operated Valve 1NV55 Transfers Closed | 8.88E-06
8.88E-06 | HNV066AMVT | Motor Operated Valve 1NV66 Transfers Closed | 8.88E-06
8.88E-06 | HNV188AMVT | Motor Operated Valve 1NV188A Transfers Closed | 8.88E-06

Total Gate Probability = 6.12E-04

Top Cut Sets For Gate HITOP: NV Pumps Fail Safety Injection

Cut Set Probability | Event Name | Event Description | Event Probability
1.90E-04 | HNV0254CVO | Check Valve 1NV254 Fails to Open | 1.90E-04
1.90E-04 | HN10012CVO | Check Valve 1NI12 Fails to Open | 1.90E-04
1.75E-04 | HNVFWSMCOM | Common Cause Failure of FWST Isolation Valves | 1.75E-04
1.75E-04 | HNVSTPMCOM | Common Cause Failure of Stop Valves | 1.75E-04
1.80E-05 | IFWFWSTTKF | FWST Fails | 1.80E-05
1.23E-05 | HNV252AMVO | Motor Operated Valve 1NV252A Fails to Open | 3.50E-03
 | HNV253BMVO | Motor Operated Valve 1NV253B Fails to Open | 3.50E-03
1.23E-05 | HN1009AMVO | Motor Operated Valve 1NI9A Fails to Open | 3.50E-03
 | HN1010BMVO | Motor Operated Valve 1NI10B Fails to Open | 3.50E-03
1.08E-05 | HN10012CVT | Check Valve 1NI12 Transfers Position | 1.08E-05
1.08E-05 | HNV0254CVT | Check Valve 1NV254 Transfers Position | 1.08E-05
2.40E-07 | HNVCCPBTRM | CCP 1B in Maintenance | 1.00E-02
 | JDGLSA2RYT | Spurious Operation of Load Shed Relay LSA2 | 2.40E-05
1.08E-07 | HNV0270CVT | Check Valve 1NV270 Transfers Position | 1.08E-05
 | HNVCCPBTRM | CCP 1B in Maintenance | 1.00E-02
7.20E-08 | HNVCCPBLHE | Latent Human Error Fails CCP 1B | 3.00E-03
 | JDGLSA2RYT | Spurious Operation of Load Shed Relay LSA2 | 2.40E-05
3.34E-08 | HNVCCPBCPS | CCP 1B Fails to Start | 1.39E-03
 | JDGLSA2RYT | Spurious Operation of Load Shed Relay LSA2 | 2.40E-05
3.24E-08 | HNV0270CVT | Check Valve 1NV270 Transfers Position | 1.08E-05
 | HNVCCPBLHE | Latent Human Error Fails CCP 1B | 3.00E-03
3.11E-08 | HN1009AMVT | Motor Operated Valve 1NI9A Transfers Closed | 8.88E-06
 | HN1010BMVO | Motor Operated Valve 1NI10B Fails to Open | 3.50E-03
3.11E-08 | HN1009AMVO | Motor Operated Valve 1NI9A Fails to Open | 3.50E-03
 | HN1010BMVT | Motor Operated Valve 1NI10B Transfers Closed | 8.88E-06
3.11E-08 | HNV252AMVO | Motor Operated Valve 1NV252A Fails to Open | 3.50E-03
 | HNV253BMVT | Motor Operated Valve 1NV253B Transfers Position | 8.88E-06
3.11E-08 | HNV252AMVT | Motor Operated Valve 1NV252A Transfers Position | 8.88E-06
 | HNV253BMVO | Motor Operated Valve 1NV253B Fails to Open | 3.50E-03

Total Gate Probability = 7.93E-04

Top Cut Sets For Gate HRTOP: NV Pumps Fail Recirculation

Cut Set Probability | Event Name | Event Description | Event Probability
2.98E-05 | HNVCCPRCOM | Common Cause Failure of NV Pumps to Run | 2.98E-05
1.23E-05 | HNV252AMVO | Motor Operated Valve 1NV252A Fails to Open | 3.50E-03
 | HNV253BMVO | Motor Operated Valve 1NV253B Fails to Open | 3.50E-03
1.08E-05 | HNV0254CVT | Check Valve 1NV254 Transfers Position | 1.08E-05
1.08E-05 | HN10012CVT | Check Valve 1NI12 Transfers Position | 1.08E-05
4.80E-06 | HNVCCPACPR | CCP 1A Fails to Run | 4.80E-04
 | HNVCCPBTRM | CCP 1B in Maintenance | 1.00E-02
1.44E-06 | HNVCCPACPR | CCP 1A Fails to Run | 4.80E-04
 | HNVCCPBLHE | Latent Human Error Fails CCP 1B | 3.00E-03
6.67E-07 | HNVCCPACPR | CCP 1A Fails to Run | 4.80E-04
 | HNVCCPBCPS | CCP 1B Fails to Start | 1.39E-03
2.30E-07 | HNVCCPACPR | CCP 1A Fails to Run | 4.80E-04
 | HNVCCPBCPR | CCP 1B Fails to Run | 4.80E-04
1.08E-07 | HNV0270CVT | Check Valve 1NV270 Transfers Position | 1.08E-05
 | HNVCCPBTRM | CCP 1B in Maintenance | 1.00E-02
1.07E-07 | HNVOCCPCOM | Common Cause Failure of NV Pumps to Start | 2.23E-04
 | HNVCCPACPR | CCP 1A Fails to Run | 4.80E-04
9.12E-08 | HNV0290CVO | Check Valve 1NV290 Fails to Open | 1.90E-04
 | HNVCCPACPR | CCP 1A Fails to Run | 4.80E-04
3.28E-08 | DIDFFICCDT | Circuit Breaker 1EDF F01C Transfers Position | 6.84E-05
 | HNVCCPACPR | CCP 1A Fails to Run | 4.80E-04
3.24E-08 | HNV0270CVT | Check Valve 1NV270 Transfers Position | 1.08E-05
 | HNVCCPBLHE | Latent Human Error Fails CCP 1B | 3.00E-03
3.11E-08 | HNV252AMVO | Motor Operated Valve 1NV252A Fails to Open | 3.50E-03
 | HNV253BMVT | Motor Operated Valve 1NV253B Transfers Position | 8.88E-06
3.11E-08 | HNV252AMVT | Motor Operated Valve 1NV252A Transfers Position | 8.88E-06
 | HNV253BMVO | Motor Operated Valve 1NV253B Fails to Open | 3.50E-03
3.11E-08 | HN1009AMVT | Motor Operated Valve 1NI9A Transfers Closed | 8.88E-06
 | HN1010BMVO | Motor Operated Valve 1NI10B Fails to Open | 3.50E-03
3.11E-08 | HN1009AMVO | Motor Operated Valve 1NI9A Fails to Open | 3.50E-03
 | HN1010BMVT | Motor Operated Valve 1NI10B Transfers Closed | 8.88E-06

Total Gate Probability = 7.14E-04

Importance Table For Gate 112: NV Pumps Fail Seal Injection

Event Name | Event Description | F-V | RAW
HNV001AFLF | Seal Water Injection Filter 1A Plugged | 47.1% | 1640.0
HNV0294AVT | Air Operated Valve 1NV294 Transfers Closed | 10.6% | 1640.0
HNVCCPRCOM | Common Cause Failure of NV Pumps to Run | 4.9% | 1640.0
HNV0046CVT | Check Valve 1NV46 Transfers Position | 1.8% | 1640.0
HNV0049CVT | Check Valve 1NV49 Transfers Position | 1.8% | 1640.0
HNV0057CVT | Check Valve 1NV57 Transfers Position | 1.8% | 1640.0
HNV0060CVT | Check Valve 1NV60 Transfers Position | 1.8% | 1640.0
HNV0068CVT | Check Valve 1NV68 Transfers Position | 1.8% | 1640.0
HNV0071CVT | Check Valve 1NV071 Transfers Position | 1.8% | 1640.0
HNV0079CVT | Check Valve 1NV79 Transfers Position | 1.8% | 1640.0
HNV0082CVT | Check Valve 1NV82 Transfers Position | 1.8% | 1640.0
HNV0229CVT | Check Valve 1NV229 Transfers Position | 1.8% | 1640.0
HNV0492CVT | Check Valve 1NV492 Transfers Position | 1.8% | 1640.0
HNV0493CVT | Check Valve 1NV493 Transfers Position | 1.8% | 1640.0
HNV0494CVT | Check Valve 1NV494 Transfers Position | 1.8% | 1640.0
HNV0495CVT | Check Valve 1NV495 Transfers Position | 1.8% | 1640.0
HNV044AMVT | Motor Operated Valve 1NV0044A Transfers Closed | 1.5% | 1640.0
HNV055AMVT | Motor Operated Valve 1NV55 Transfers Closed | 1.5% | 1640.0
HNV066AMVT | Motor Operated Valve 1NV66 Transfers Closed | 1.5% | 1640.0
HNV077AMVT | Motor Operated Valve 1NV77 Transfers Closed | 1.5% | 1640.0
HNV188AMVT | Motor Operated Valve 1NV188A Transfers Closed | 1.5% | 1640.0
HNV189BMVT | Motor Operated Valve 1NV189B Transfers Closed | 1.5% | 1640.0
HNVCCPACPR | CCP 1A Fails to Run | 1.2% | 26.2
HNVCCPBTRM | CCP 1B in Maintenance | 0.9% | 1.9

Importance Table For Gate HITOP: NV Pumps Fail Safety Injection

Event Name | Event Description | F-V | RAW
HN10012CVO | Check Valve 1NI12 Fails to Open | 23.9% | 1260.0
HNV0254CVO | Check Valve 1NV254 Fails to Open | 23.9% | 1260.0
HNVFWSMCOM | Common Cause Failure of FWST Isolation Valves | 22.1% | 1260.0
HNVSTPMCOM | Common Cause Failure of Stop Valves | 22.0% | 1260.0
IFWFWSTTKF | FWST Fails | 2.3% | 1260.0
HN1009AMVO | Motor Operated Valve 1NI9A Fails to Open | 1.5% | 5.4
HN1010BMVO | Motor Operated Valve 1NI10B Fails to Open | 1.5% | 5.4
HNV252AMVO | Motor Operated Valve 1NV252A Fails to Open | 1.5% | 5.4
HNV253BMVO | Motor Operated Valve 1NV253B Fails to Open | 1.5% | 5.4
HN10012CVT | Check Valve 1NI12 Transfers Position | 1.4% | 1260.0
HNV0254CVT | Check Valve 1NV254 Transfers Position | 1.4% | 1260.0
HNVCCPBTRM | CCP 1B in Maintenance | 0.1% | 1.1

Importance Table For Gate HRTOP: NV Pumps Fail Recirculation

Event Name | Event Description | F-V | RAW
HNV0254CVT | Check Valve 1NV254 Transfers Position | 15.1% | 14000.0
HNVCCPACPR | CCP 1A Fails to Run | 10.4% | 216.5
HNVCCPBTRM | CCP 1B in Maintenance | 7.0% | 7.9
HNVCCPBLHE | Latent Human Error Fails CCP 1B | 2.1% | 7.9
HNVCCPBCPS | CCP 1B Fails to Start | 0.9% | 7.7

[Figure A.3-1 Rev. 2: Chemical and Volume Control System Simplified Diagram]


A.4 Reactor Coolant System

System Description

The Reactor Coolant (NC) System is designed to transfer heat from the reactor core to the steam generators and to regulate pressure of the reactor coolant throughout the primary system. Since the principal focus of this analysis is the NC pressure control function, only the NC Pressure Control System design and operation are discussed here.

Pressure regulation is normally achieved by maintaining a volume of saturated steam/water in the pressurizer which accommodates fluctuations of system pressure caused by load transients. Pressure within the control volume is regulated by pressurizer heaters and sprays. If pressure increases are severe enough to exceed the capacity of normal pressure control, pressure relief valves are available. The three pressure control subsystems (i.e., pressurizer sprays, heaters, and relief valves) are located in the pressurizer, which is attached to the reactor coolant loop B hot leg (surge line) and loops A and B cold leg (spray lines). A simplified diagram is provided in Figure A.4-1.

The pressurizer heaters are used automatically or manually during normal operations. Although they may function as expected during accident conditions, no credit is taken for the operability of the heaters.

There are three pressurizer PORVs which operate during a large power mismatch to prevent actuation of both the high pressure reactor trip and the safety relief valves. The PORVs can be actuated automatically or by remote manual control. There is a motor-operated block valve associated with each PORV to ensure that each relief path can be closed.

Three safety relief valves (SRVs) are provided as a means of pressure relief. Operation of the PORVs normally prevents the use of the SRVs. The SRVs cannot be isolated, as this would negate their primary function of vessel protection.

The PORVs and SRVs all discharge into a common header leading to the pressurizer relief tank (PRT). The PRT is equipped with a spray line and a rupture disc for large pressure releases.

There are two air-operated spray valves that are used to initiate normal pressurizer spray. The spray valves can be actuated automatically or by remote manual control. The pressurizer spray lines are connected to NC System loops A and B. The differential pressure between the surge line and spray line connections to the cold leg provides the driving force for adequate spray flow rates. Therefore, spray flow requires at least one NC pump in loop A or B to be operating. An auxiliary pressurizer spray path from the NV system also exists. However, this spray path is normally isolated and is used primarily during shutdown conditions.

During normal operation, the NC pumps circulate pressurized water through the reactor vessel and the four coolant loops. The water, which serves as a coolant, moderator, and solvent for boric acid, is heated as it passes through the core. It then flows to the steam generators, where the heat is transferred, and returns to the reactor coolant pumps to repeat the cycle.

The pressurizer provides a volume in which saturated water liquid and vapor are maintained in equilibrium to control system pressure. During a pressure increase, the pressurizer sprays deliver colder water from two NC cold legs to condense steam and lower pressure. During pressure decreases, the pressurizer electric heaters activate to increase NC pressure.

Abnormally large pressure changes are normally accommodated by lifting one PORV (NC34A). The signal to actuate this PORV is provided by a pressure controller in an anticipatory manner. PORVs NC32B and NC36B are actuated by a direct pressure signal of 2335 psig. Pressure increases beyond the capacity of the PORVs will signal a high pressure reactor trip and could result in the lifting of an SRV at 2485 psig.

During any type of transient, the NC Pressure Control System continuously attempts to maintain a balanced steam-water interface in the pressurizer in order to minimize pressure fluctuations. Certain postulated transients, however, will disrupt normal function of the NC Pressure Control System and they are discussed below.

On a loss of the Instrument Air (VI) System, the primary source of motive power for the PORVs and pressurizer spray valves is not available. Under these conditions, pressurizer spray is lost. However, a backup nitrogen supply from the cold leg accumulators is available for two of the PORVs. This backup source requires operator action from the control room for alignment and requires opening two motor-operated valves.

During a loss of offsite power, the VI System would receive power from the blackout busses as long as no LOCA was present. The NC pumps are unavailable following a loss of offsite power. Therefore, pressurizer spray will be unavailable to provide pressure reduction.

During a station blackout (loss of all ac power) only the safety relief valves are available to prevent primary system over-pressurization since operation of a motor-operated valve is required to align backup nitrogen to a PORV.

System Success Criteria

The NC Pressure Control System is required in the top logic for the transient, LOCA, and SGTR event trees. In all event trees, success is postulated in terms of proper pressure relief or control. The fault trees, therefore, model various failures of NC Pressure Control System relief valves to open and close as expected as well as failures of pressurizer spray.

Major Assumptions

1. Failure of any NC pump support system is assumed to fail the pump.
2. Because plant operating experience shows that PORV leakage occurs, it is assumed that one block valve is closed 20% of the time.
3. If a block valve is closed, the operator is assumed to always attempt to open it for feed and bleed operation. However, no credit is given for an operator opening a block valve to mitigate pressure transients.
4. Successful feed and bleed is assumed to require that 2 PORVs be open.
5. PORV solenoid valve failures are included in the PORV failure basic event.
6. The failure of all three SRVs to open is statistically insignificant and is not modeled.
7. Test-induced failures (LHEs) for normally operational equipment are not included in the NC models because it is assumed that any errors induced by testing would be discovered immediately during startup.
8. The potential for multiple PORV failures as a result of sharing of pressure signals is assumed to be bounded by the PORV common cause failure event.
9. It is recognized that YV normally provides cooling water to the NC pump stator air cooler. However, since the YV system is not modeled in the PRA, and the RN system provides automatic backup cooling, the RN alignment is modeled.

System Reliability Results

The dominant contributor to the top gates involving failure of the PORVs to open (R100, R200, R400) is the common cause failure of all three PORVs. All NC pressure control subsystems modeled (PORVs, pressurizer spray, auxiliary pressurizer spray) require VI for successful operation. Failures in the VI System will directly impact all methods of NC System pressure control. Individual hardware failures do not dominate these failure probabilities, which implies a reliable design for this system. The NC Pressure Control system is highly integrated with other models for the plant and its reliability may change under different operating or testing conditions.

Top Cut Sets For Gate R100: Three PORVs Fail To Open Under High Pressure

Cut Set Probability | Event Name | Event Description | Event Probability
5.54E-04 | RNCPORVCOM | Common Cause Failure of PORVs to Open on Demand | 5.54E-04
5.28E-04 | RV10462VVT | Manual Valve 1VI462 Transfers Closed | 5.28E-04
5.28E-04 | RV10386VVT | Manual Valve 1VI386 Transfers Closed | 5.28E-04
5.28E-04 | RV10300VVT | Manual Valve 1VI300 Transfers Closed | 5.28E-04
1.33E-05 | RV1077BMVT | Motor Operated Valve 1VI77B Transfers Closed | 1.33E-05
1.08E-05 | RV10079CVT | Check Valve 1VI79 Transfers Closed | 1.08E-05
7.94E-06 | RNC032BPRO | PORV 1NC32B Fails to Open | 6.30E-03
 | RNC033ADEX | Block Valve 1NC33A is Closed During Operation | 2.00E-01
 | RNC036BPRO | PORV 1NC36B Fails to Open | 6.30E-03
7.94E-06 | RNC031BDEX | Block Valve 1NC31B is Closed During Operation | 2.00E-01
 | RNC034APRO | PORV 1NC34A Fails to Open | 6.30E-03
 | RNC036BPRO | PORV 1NC36B Fails to Open | 6.30E-03
7.94E-06 | RNC032BPRO | PORV 1NC32B Fails to Open | 6.30E-03
 | RNC034APRO | PORV 1NC34A Fails to Open | 6.30E-03
 | RNC035BDEX | Block Valve 1NC35B is Closed During Operation | 2.00E-01
7.60E-06 | RNC031BDEX | Block Valve 1NC31B is Closed During Operation | 2.00E-01
 | RNC035BDEX | Block Valve 1NC35B is Closed During Operation | 2.00E-01
 | RV10367CVO | Check Valve 1VI367 Fails to Open | 1.90E-04
7.60E-06 | RNC033ADEX | Block Valve 1NC33A is Closed During Operation | 2.00E-01
 | RNC035BDEX | Block Valve 1NC35B is Closed During Operation | 2.00E-01
 | RV10368CVO | Check Valve 1VI368 Fails to Open | 1.90E-04

Total Gate Probability = 2.21E-03

Top Cut Sets For Gate R200: Two PORVs Fail To Open To Establish Feed And Bleed

Cut Set Probability | Event Name | Event Description | Event Probability
5.54E-04 | RNCPORVCOM | Common Cause Failure of PORVs to Open on Demand | 5.54E-04
3.97E-05 | RNC034APRO | PORV 1NC34A Fails to Open | 6.30E-03
 | RNC036BPRO | PORV 1NC36B Fails to Open | 6.30E-03
3.97E-05 | RNC032BPRO | PORV 1NC32B Fails to Open | 6.30E-03
 | RNC034APRO | PORV 1NC34A Fails to Open | 6.30E-03
3.97E-05 | RNC032BPRO | PORV 1NC32B Fails to Open | 6.30E-03
 | RNC036BPRO | PORV 1NC36B Fails to Open | 6.30E-03
9.40E-06 | RV10372RGT | Regulator Valve 1VI372 Fails to Operate | 1.78E-02
 | RV10386VVT | Manual Valve 1VI386 Transfers Closed | 5.28E-04
9.40E-06 | RV10371RGT | Regulator Valve 1VI371 Fails to Operate | 1.78E-02
 | RV10462VVT | Manual Valve 1VI462 Transfers Closed | 5.28E-04
9.40E-06 | RV10372RGT | Regulator Valve 1VI372 Fails to Operate | 1.78E-02
 | RV10462VVT | Manual Valve 1VI462 Transfers Closed | 5.28E-04
9.40E-06 | RV10300VVT | Manual Valve 1VI300 Transfers Closed | 5.28E-04
 | RV10372RGT | Regulator Valve 1VI372 Fails to Operate | 1.78E-02
9.40E-06 | RV10371RGT | Regulator Valve 1VI371 Fails to Operate | 1.78E-02
 | RV10386VVT | Manual Valve 1VI386 Transfers Closed | 5.28E-04
9.40E-06 | RV10300VVT | Manual Valve 1VI300 Transfers Closed | 5.28E-04
 | RV10371RGT | Regulator Valve 1VI371 Fails to Operate | 1.78E-02
4.41E-06 | RNC034APRO | PORV 1NC34A Fails to Open | 6.30E-03
 | RNC035BDEX | Block Valve 1NC35B is Closed During Operation | 2.00E-01
 | RNC035BMVO | Motor Operated Valve 1NC35B Fails to Open | 3.50E-03
4.41E-06 | RNC031BDEX | Block Valve 1NC31B is Closed During Operation | 2.00E-01
 | RNC031BMVO | Motor Operated Valve 1NC31B Fails to Open | 3.50E-03
 | RNC034APRO | PORV 1NC34A Fails to Open | 6.30E-03
4.41E-06 | RNC032BPRO | PORV 1NC32B Fails to Open | 6.30E-03
 | RNC035BDEX | Block Valve 1NC35B is Closed During Operation | 2.00E-01
 | RNC035BMVO | Motor Operated Valve 1NC35B Fails to Open | 3.50E-03
4.41E-06 | RNC033ADEX | Block Valve 1NC33A is Closed During Operation | 2.00E-01
 | RNC033AMVO | Motor Operated Valve 1NC33A Fails to Open | 3.50E-03
 | RNC036BPRO | PORV 1NC36B Fails to Open | 6.30E-03

Total Gate Probability = 8.36E-04

Top Cut Sets For Gate R300: One PORV Fails To Reseat After Opening

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 6.30E-05 | RNC035BMVC | Motor Operated Valve 1NC35B Fails to Close | 3.50E-03 |
| | RNC036BPRC | PORV 1NC36B Fails to Reseat | 1.80E-02 |
| 6.30E-05 | RNC033AMVC | Motor Operated Valve 1NC33A Fails to Close | 3.50E-03 |
| | RNC034APRC | PORV 1NC34A Fails to Reseat | 1.80E-02 |
| 6.30E-05 | RNC031BMVC | Motor Operated Valve 1NC31B Fails to Close | 3.50E-03 |
| | RNC032BPRC | PORV 1NC32B Fails to Reseat | 1.80E-02 |
| 1.80E-05 | RNC036BPRC | PORV 1NC36B Fails to Reseat | 1.80E-02 |
| | RNCBLKVDHE | Operators Fail to Recognize and Close Block Valve | 1.00E-03 |
| 1.80E-05 | RNC032BPRC | PORV 1NC32B Fails to Reseat | 1.80E-02 |
| | RNCBLKVDHE | Operators Fail to Recognize and Close Block Valve | 1.00E-03 |
| 1.80E-05 | RNC034APRC | PORV 1NC34A Fails to Reseat | 1.80E-02 |
| | RNCBLKVDHE | Operators Fail to Recognize and Close Block Valve | 1.00E-03 |

Total Gate Probability = 2.43E-04

Top Cut Sets For Gate R400: Three PORVs Fail To Open On Operator Demand

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 5.54E-04 | RNCPORVCOM | Common Cause Failure of PORVs to Open on Demand | 5.54E-04 |
| 4.22E-06 | RVI0300VVT | Manual Valve 1VI300 Transfers Closed | 5.28E-04 |
| | RVIPORVDHE | Operators Fail to Restore VI to PORVs or Align Backup Nitrogen | 8.00E-03 |
| 4.22E-06 | RVI0462VVT | Manual Valve 1VI462 Transfers Closed | 5.28E-04 |
| | RVIPORVDHE | Operators Fail to Restore VI to PORVs or Align Backup Nitrogen | 8.00E-03 |
| 4.22E-06 | RVI0386VVT | Manual Valve 1VI386 Transfers Closed | 5.28E-04 |
| | RVIPORVDHE | Operators Fail to Restore VI to PORVs or Align Backup Nitrogen | 8.00E-03 |
| 2.50E-07 | RNC032BPRO | PORV 1NC32B Fails to Open | 6.30E-03 |
| | RNC034APRO | PORV 1NC34A Fails to Open | 6.30E-03 |
| | RNC036BPRO | PORV 1NC36B Fails to Open | 6.30E-03 |
| 1.67E-07 | RVI0371RGT | Regulator Valve 1VI371 Fails to Operate | 1.78E-02 |
| | RVI0372RGT | Regulator Valve 1VI372 Fails to Operate | 1.78E-02 |
| | RVI0386VVT | Manual Valve 1VI386 Transfers Closed | 5.28E-04 |
| 1.67E-07 | RVI0371RGT | Regulator Valve 1VI371 Fails to Operate | 1.78E-02 |
| | RVI0372RGT | Regulator Valve 1VI372 Fails to Operate | 1.78E-02 |
| | RVI0462VVT | Manual Valve 1VI462 Transfers Closed | 5.28E-04 |
| 1.67E-07 | RVI0300VVT | Manual Valve 1VI300 Transfers Closed | 5.28E-04 |
| | RVI0371RGT | Regulator Valve 1VI371 Fails to Operate | 1.78E-02 |
| | RVI0372RGT | Regulator Valve 1VI372 Fails to Operate | 1.78E-02 |
| 1.06E-07 | RVI077BMVT | Motor Operated Valve 1VI77B Transfers Closed | 1.33E-05 |
| | RVIPORVDHE | Operators Fail to Restore VI to PORVs or Align Backup Nitrogen | 8.00E-03 |
| 9.24E-08 | RNIRNCMCOM | Common Cause Failure of Motor Operated Valve to Open | 1.75E-04 |
| | RVI0462VVT | Manual Valve 1VI462 Transfers Closed | 5.28E-04 |
| 9.24E-08 | RNIRNCMCOM | Common Cause Failure of Motor Operated Valve to Open | 1.75E-04 |
| | RVI0300VVT | Manual Valve 1VI300 Transfers Closed | 5.28E-04 |
| 9.24E-08 | RNIRNCMCOM | Common Cause Failure of Motor Operated Valve to Open | 1.75E-04 |
| | RVI0386VVT | Manual Valve 1VI386 Transfers Closed | 5.28E-04 |

Total Gate Probability = 5.70E-04

Top Cut Sets For Gate R500: Failure Of Normal Pressurizer Spray

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 2.88E-04 | RRNSTRAFLF | RN Strainer to NC Pump Motors Fails | 2.88E-04 |
| 2.12E-04 | RDCPCC5POF | 120 V ac Regulated Power to PCC5 Fails | 2.12E-04 |
| 1.94E-04 | RNCSPRACOM | Common Cause Air Operated Valve Failure to Open | 1.94E-04 |
| 6.48E-05 | RRN0C04AVT | Air Operated Valve 1RNC04 Transfers Closed | 6.48E-05 |
| 6.48E-05 | RRN0A83AVT | Air Operated Valve 1RNA83 Transfers Closed | 6.48E-05 |
| 2.88E-05 | RNCPUMPCOM | Common Cause Failure of NC Pumps to Run | 2.88E-05 |
| 1.33E-05 | RVI077BMVT | Motor Operated Valve 1VI77B Transfers Closed | 1.33E-05 |
| 1.08E-05 | RRN0C28CVT | Check Valve 1RNC28 Transfers Closed | 1.08E-05 |
| 1.08E-05 | RVI0079CVT | Check Valve 1VI79 Transfers Closed | 1.08E-05 |
| 1.08E-05 | RRN0438CVT | Check Valve 1RN438 Transfers Closed | 1.08E-05 |
| 8.88E-06 | RRN437BMVT | Motor Operated Valve 1RN437B Transfers Closed | 8.88E-06 |
| 8.88E-06 | RRN484AMVT | Motor Operated Valve 1RN484A Transfers Closed | 8.88E-06 |
| 8.88E-06 | RRN487BMVT | Motor Operated Valve 1RN487B Transfers Closed | 8.88E-06 |
| 4.84E-06 | RNC0027AVO | Air Operated Valve 1NC27 Fails to Open | 2.20E-03 |
| | RNC0029AVO | Air Operated Valve 1NC29 Fails to Open | 2.20E-03 |
| 2.88E-06 | RVI0080VVT | Manual Valve 1VI89 Transfers Closed | 2.88E-06 |
| 2.88E-06 | RVI0075VVT | Manual Valve 1VI75 Transfers Closed | 2.88E-06 |
| 1.92E-06 | RRN0483VVT | Manual Valve 1RN483 Transfers Closed | 1.92E-06 |
| 1.92E-06 | RRN0489VVT | Manual Valve 1RN489 Transfers Closed | 1.92E-06 |
| 1.92E-06 | RRN0440VVT | Manual Valve 1RN440 Transfers Closed | 1.92E-06 |
| 1.92E-06 | RRN0435VVT | Manual Valve 1RN435 Transfers Closed | 1.92E-06 |
| 1.27E-06 | RNC001BGPR | Reactor Coolant Pump 1B Fails to Run | 5.76E-04 |
| | RNC0027AVO | Air Operated Valve 1NC27 Fails to Open | 2.20E-03 |

Total Gate Probability = 9.47E-04

Top Cut Sets For Gate R600: Failure Of Auxiliary Pressurizer Spray

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 3.50E-03 | RNV314BMVO | Motor Operated Valve 1NV314B Fails to Reopen | 3.50E-03 |
| 3.50E-03 | RNV037AMVO | Motor Operated Valve 1NV37A Fails to Open | 3.50E-03 |
| 3.50E-03 | RNV312AMVO | Motor Operated Valve 1NV312A Fails to Open | 3.50E-03 |
| 1.90E-04 | RNV0038CVO | Check Valve 1NV38 Fails to Open | 1.90E-04 |
| 1.90E-04 | RNV0022CVO | Check Valve 1NV22 Fails to Open | 1.90E-04 |
| 6.48E-05 | RNV0309AVT | Air Operated Valve 1NV309 Transfers Closed | 6.48E-05 |
| 8.88E-06 | RNV312AMVT | Motor Operated Valve 1NV312A Transfers Closed | 8.88E-06 |
| 8.88E-06 | RNV314BMVT | Motor Operated Valve 1NV314B Transfers Closed | 8.88E-06 |
| 8.88E-06 | RNV037AMVT | Motor Operated Valve 1NV37A Transfers Closed | 8.88E-06 |
| 1.92E-06 | RNV0831VVT | Manual Valve 1NV831 Transfers Closed | 1.92E-06 |
| 1.92E-06 | RNV0308VVT | Manual Valve 1NV308 Transfers Closed | 1.92E-06 |
| 1.92E-06 | RNV0310VVT | Manual Valve 1NV310 Transfers Closed | 1.92E-06 |

Total Gate Probability = 1.09E-02

Importance Table For Gate R100: Three PORVs Fail To Open Under High Pressure

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| RNCPORVCOM | Common Cause Failure of PORVs to Open on Demand | 25.0% | 451.8 |
| RVI0300VVT | Manual Valve 1VI300 Transfers Closed | 23.8% | 451.8 |
| RVI0386VVT | Manual Valve 1VI386 Transfers Closed | 23.8% | 451.8 |
| RVI0462VVT | Manual Valve 1VI462 Transfers Closed | 23.8% | 451.8 |
| RNC035BDEX | Block Valve 1NC35B is Closed During Operation | 1.2% | 1.1 |
| RNC036BPRO | PORV 1NC36B Fails to Open | 0.8% | 2.3 |

Importance Table For Gate R200: Two PORVs Fail To Open To Establish Feed And Bleed

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| RNCPORVCOM | Common Cause Failure of PORVs to Open on Demand | 66.2% | 1200.0 |
| RNC032BPRO | PORV 1NC32B Fails to Open | 12.4% | 20.4 |
| RNC034APRO | PORV 1NC34A Fails to Open | 12.4% | 20.4 |
| RNC036BPRO | PORV 1NC36B Fails to Open | 11.2% | 18.5 |
| RVI0300VVT | Manual Valve 1VI300 Transfers Closed | 4.2% | 77.9 |
| RVI0386VVT | Manual Valve 1VI386 Transfers Closed | 4.2% | 77.9 |
| RVI0462VVT | Manual Valve 1VI462 Transfers Closed | 4.2% | 77.9 |
| RVI0371RGT | Regulator Valve 1VI371 Fails to Operate | 3.6% | 3.0 |
| RVI0372RGT | Regulator Valve 1VI372 Fails to Operate | 3.5% | 3.0 |
| RNC031BDEX | Block Valve 1NC31B is Closed During Operation | 2.3% | 1.1 |
| RVIPORVDHE | Operators Fail to Restore VI to PORVs or Align Backup Nitrogen | 1.7% | 3.1 |
| RNC035BDEX | Block Valve 1NC35B is Closed During Operation | 1.5% | 1.1 |
| RNC031BMVO | Motor Operated Valve 1NC31B Fails to Open | 1.4% | 4.9 |
| RNC033ADEX | Block Valve 1NC33A is Closed During Operation | 1.4% | 1.1 |
| RNC033AMVO | Motor Operated Valve 1NC33A Fails to Open | 1.4% | 4.9 |
| RNC035BMVO | Motor Operated Valve 1NC35B Fails to Open | 1.2% | 4.5 |
| PIEMXD | Loss of Power on 600 V ac Motor Control Center 1EMXD | 1.2% | 1.0 |
| RNC031BMVT | Motor Operated Valve 1NC31B Transfers Closed | 0.8% | 20.5 |

Importance Table For Gate R300: One PORV Fails To Reseat After Opening

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| RNC034APRC | PORV 1NC34A Fails to Reseat | 33.3% | 19.2 |
| RNC036BPRC | PORV 1NC36B Fails to Reseat | 33.3% | 19.2 |
| RNC031BMVC | Motor Operated Valve 1NC31B Fails to Close | 25.9% | 74.8 |
| RNC033AMVC | Motor Operated Valve 1NC33A Fails to Close | 25.9% | 74.8 |
| RNC035BMVC | Motor Operated Valve 1NC35B Fails to Close | 25.9% | 74.8 |
| RNCBLKVDHE | Operators Fail to Recognize and Close Block Valve | 22.2% | 219.0 |
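Added example (not part of the Duke report): how a gate probability and the F-V and RAW columns follow from a list of minimal cut sets, using the Gate R300 cut sets and event probabilities printed above. The min-cut upper bound and the F-V and RAW formulas are standard PRA definitions assumed here, since this appendix does not state its quantification method; all function names are this example's own.

```python
"""Gate quantification from minimal cut sets, using the Gate R300 data.

Added example: the min-cut upper bound and the F-V / RAW definitions are
standard PRA formulas assumed here, not taken from the report's text.
"""
from math import prod

# Basic-event probabilities as printed in the Gate R300 cut-set table.
EVENT_P = {
    "RNC031BMVC": 3.50e-3,  # Motor Operated Valve 1NC31B Fails to Close
    "RNC033AMVC": 3.50e-3,  # Motor Operated Valve 1NC33A Fails to Close
    "RNC035BMVC": 3.50e-3,  # Motor Operated Valve 1NC35B Fails to Close
    "RNC032BPRC": 1.80e-2,  # PORV 1NC32B Fails to Reseat
    "RNC034APRC": 1.80e-2,  # PORV 1NC34A Fails to Reseat
    "RNC036BPRC": 1.80e-2,  # PORV 1NC36B Fails to Reseat
    "RNCBLKVDHE": 1.00e-3,  # Operators Fail to Recognize and Close Block Valve
}

# Minimal cut sets as printed for Gate R300.
CUT_SETS = [
    ("RNC035BMVC", "RNC036BPRC"),
    ("RNC033AMVC", "RNC034APRC"),
    ("RNC031BMVC", "RNC032BPRC"),
    ("RNC036BPRC", "RNCBLKVDHE"),
    ("RNC032BPRC", "RNCBLKVDHE"),
    ("RNC034APRC", "RNCBLKVDHE"),
]


def validate(cut_sets, p):
    """Reject probabilities outside [0, 1] and cut sets naming unknown events."""
    for name, value in p.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name}: probability {value} outside [0, 1]")
    for cs in cut_sets:
        missing = [e for e in cs if e not in p]
        if missing:
            raise KeyError(f"cut set {cs} uses undefined events {missing}")


def cut_set_probability(cut_set, p):
    """Product of the (assumed independent) basic-event probabilities."""
    return prod(p[e] for e in cut_set)


def rare_event_sum(cut_sets, p):
    """Rare-event approximation: plain sum of cut-set probabilities."""
    return sum(cut_set_probability(cs, p) for cs in cut_sets)


def gate_probability(cut_sets, p):
    """Min-cut upper bound: 1 - prod(1 - P(cut set)); never exceeds 1."""
    return 1.0 - prod(1.0 - cut_set_probability(cs, p) for cs in cut_sets)


def fussell_vesely(event, cut_sets, p):
    """Fraction of the gate probability that disappears if the event cannot occur."""
    base = gate_probability(cut_sets, p)
    if base == 0.0:
        raise ZeroDivisionError("gate probability is zero; F-V undefined")
    without = gate_probability(cut_sets, {**p, event: 0.0})
    return (base - without) / base


def risk_achievement_worth(event, cut_sets, p):
    """Factor by which the gate probability grows if the event is certain."""
    base = gate_probability(cut_sets, p)
    if base == 0.0:
        raise ZeroDivisionError("gate probability is zero; RAW undefined")
    failed = gate_probability(cut_sets, {**p, event: 1.0})
    return failed / base


def importance_table(cut_sets, p):
    """Rows of (event, F-V, RAW), highest F-V first."""
    validate(cut_sets, p)
    rows = [
        (e, fussell_vesely(e, cut_sets, p), risk_achievement_worth(e, cut_sets, p))
        for e in p
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(f"Gate R300 probability = {gate_probability(CUT_SETS, EVENT_P):.2E}")
    for name, fv, raw in importance_table(CUT_SETS, EVENT_P):
        print(f"{name}  F-V {fv:6.1%}  RAW {raw:7.1f}")
```

The operator action RNCBLKVDHE has the lowest F-V but the highest RAW because it appears in three cut sets, each paired with a PORV reseat failure of 1.80E-02; the plain sum of cut sets would give a RAW near 223, while the min-cut upper bound gives the tabulated 219.0.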

Importance Table For Gate R400: Three PORVs Fail To Open On Operator Demand

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| RNCPORVCOM | Common Cause Failure of PORVs to Open on Demand | 97.3% | 1760.0 |
| RVIPORVDHE | Operators Fail to Restore VI to PORVs or Align Backup Nitrogen | 2.3% | 3.8 |
| RVI0300VVT | Manual Valve 1VI300 Transfers Closed | 0.9% | 17.1 |

Importance Table For Gate R500: Failure Of Normal Pressurizer Spray

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| RDCPCC5POF | 120 V ac Regulated Power to PCC5 Fails | 22.4% | 1060.0 |
| RNCSPRACOM | Common Cause Air Operated Valve Failure to Open | 20.5% | 1060.0 |
| RRN0A83AVT | Air Operated Valve 1RNA83 Transfers Closed | 6.8% | 1060.0 |
| RRN0C04AVT | Air Operated Valve 1RNC04 Transfers Closed | 6.8% | 1060.0 |
| RNCPUMPCOM | Common Cause Failure of NC Pumps to Run | 3.0% | 1060.0 |
| RVI077BMVT | Motor Operated Valve 1VI77B Transfers Closed | 1.4% | 1060.0 |
| RRN0438CVT | Check Valve 1RN438 Transfers Closed | 1.1% | 1060.0 |
| RRN0C28CVT | Check Valve 1RNC28 Transfers Closed | 1.1% | 1060.0 |
| RVI0079CVT | Check Valve 1VI79 Transfers Closed | 1.1% | 1060.0 |
| RRN437BMVT | Motor Operated Valve 1RN437B Transfers Closed | 0.9% | 1060.0 |

Importance Table For Gate R600: Failure Of Auxiliary Pressurizer Spray

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| RNV037AMVO | Motor Operated Valve 1NV37A Fails to Open | 31.8% | 91.5 |
| RNV312AMVO | Motor Operated Valve 1NV312A Fails to Open | 31.8% | 91.5 |
| RNV314BMVO | Motor Operated Valve 1NV314B Fails to Reopen | 31.8% | 91.5 |
| RNV0022CVO | Check Valve 1NV22 Fails to Open | 1.7% | 91.5 |
| RNV0038CVO | Check Valve 1NV38 Fails to Open | 1.7% | 91.5 |
| RNV0309AVT | Air Operated Valve 1NV309 Transfers Closed | 0.6% | 91.5 |

Figure A.4-1 (Rev. 2) Reactor Coolant System Simplified Diagram

A.5 Auxiliary Feedwater System

System Description

The primary purpose of the Auxiliary Feedwater (CA) System is to provide a backup feedwater supply to the steam generators in any of the following events:

  • a loss of offsite power,
  • a trip of both main feedwater pumps,
  • a safety injection signal, or
  • a two of four low-low level in any one S/G (MD pumps start) or any two (turbine-driven pump starts) of four steam generators.

The CA System consists of two motor-driven pumps, one turbine-driven pump and their associated piping, valves, and controls. Each motor-driven pump supplies feedwater to two SGs; pump 1A supplies SGs 1A and 1B and pump 1B supplies SGs 1C and 1D. However, one motor-driven pump can supply four SGs by use of crossover valves. The turbine-driven pump supplies feedwater to four SGs.

Simplified diagrams of the CA System are shown in Figures A.5-1, A.5-2, A.5-3, and A.5-4.

Success of the CA System requires that at least one of the three CA pumps delivers feedwater at sufficient pressure and flow to two SGs until conditions will allow the Residual Heat Removal (ND) System to be put into operation.

The two motor-driven CA pumps (MDPs) are centrifugal pumps each having a 500 gpm flow capacity. The pumps are designed to deliver the minimum required flow to the steam generators within one minute of starting. The turbine-driven CA pump (TDP) is also a centrifugal pump with a 1000 gpm discharge capacity. The turbine oil is cooled by a small portion of the discharge flow. The TDP turbine oil cooler flow and a portion of the turbine seal water are routed to the TDP pit sump, and the sump is drained automatically by two Liquid Radwaste (WL) System sump pumps.

The steam supply for the pump turbine is drawn from the main steam lines of steam generators 1B and 1C. The steam supply lines join together to form a single steam header that brings steam to the pump turbine. The steam supply lines 1B and 1C each contain a piston-operated valve that opens automatically on a TDP start signal. The valve fails open on loss of power or instrument air. The turbine inlet steam header contains a steam stop valve and a control valve. The pump turbine exhaust is discharged to the atmosphere.

The feedwater piping downstream of the CA pumps is interconnected to allow any of the three pumps to feed any of the four steam generators. The MDP discharge lines are cross-connected by two normally locked closed valves (1CA111 and 1CA112).

Downstream of the junction with the crossover header, each pump discharge line branches into two separate paths that lead to different steam generators (MDP 1A is normally aligned to SGs 1A and 1B; MDP 1B to SGs 1C and 1D). By opening the two locked closed manual valves on the crossover, either of the two MDPs can be aligned to any of the steam generators. Air-operated control valves and motor-operated isolation valves in each of the discharge paths provide flow control to the steam generators. Downstream of the TDP, the discharge line breaks into four paths, one to each steam generator. Each path contains an air-operated flow control valve and a motor-operated isolation valve.

Five feedwater sources are available to the CA pumps. The preferred sources are the condensate-grade supplies in the upper surge tank (UST), the auxiliary feedwater condensate storage tank (CA CST), and the condenser hotwell. The combined feedwater supplies in these sources contain the quantity of feedwater required for the design basis shutdown. The CA pump suction lines are normally aligned to these sources, but because these supplies are not safety-grade, the assured feedwater supply to the CA pumps is provided by the safety-related portion of the Nuclear Service Water (RN) System. The CA pump suction lines are automatically aligned to the assured source on a low CA pump suction pressure (if the CA System has been automatically actuated). An additional feedwater source is the buried piping of the Circulated Cooling Water (RC) System. This source can be aligned in the SSF.

Each CA pump is located in a separate pit for NPSH requirements. To prevent flooding of these pits, each MDP pit is supplied with a 50 gpm sump pump which discharges to the Liquid Radwaste (WL) System. Cooling water from the turbine oil cooler empties directly into the TDP pit. If the sump water is not removed, failure of the TDP could occur as early as three hours. To prevent TDP failure due to flooding, the TDP pit is outfitted with two 50 gpm sump pumps that automatically start on high sump level.

The WL sump pumps in the TDP pit are powered from 600 V ac essential motor control centers. Sump pump 1A1 is powered from train A essential power and sump pump 1A2 is powered from train B essential power. Sump pump 1A1 can also be powered from the Standby Shutdown Facility (SSF) diesel generator.

System Success Criteria

Success of the CA System is defined as one of the three CA pumps providing feedwater to at least two intact steam generators over the entire 24 hour mission time.

Since each steam generator can receive flow from any of the three pumps, any successful pump flow path is a system success.

Major Assumptions

1. Steam void formation in the CA pump supply lines due to operator failure to break condenser vacuum when aligning the CA pumps directly to the hotwell will not bind the CA pumps. Air entrainment in the CA pump supply lines, in the event of an operator failure to isolate the UST or the CST after supply depletion, will not bind the CA pumps. The resulting drop in the suction pressure will initiate automatic alignment to the assured sources. The pumps are expected to pass steam voids or entrained air bubbles without binding.

2. Failure of the two TDP pit sump pumps to drain the TDP pit will lead to TDP failure in approximately three hours.
3. Failure of the MDP pit sump pumps to operate will not fail the MDPs. Water is expected to collect in the pits only when the pumps experience a mechanical failure that leads to a leak. The mechanical failure of the pump is accounted for in the model.
4. A faulted SG will not fail its MDP due to pump run-out because travel stops on the flow control valves will limit flow.

5. The UST, the CA CST, and the hotwell have condensate supplies at normal operating levels at the beginning of the transient or LOCA.

6. Overfilling SG 1B or 1C will result in a failure of the TDP turbine steam supply.

System Reliability Results

The analysis indicates that the dominant cause of system unreliability is common cause failure of the suction sources. This failure is predominantly attributable to the possibility of fouling of the suction source due to water quality in the RN System. A swap to the assured source can be an automatic action or could be caused by operator error. If the assured source is fouled, it could cause failure of the system by clogging the CA pump discharge valves or the control valves.

Operator errors on the suction alignments are also important contributors to failure of the normal CA suction sources, followed by failures of the suction valves to the normal sources. Failure of the TDP to run and maintenance on the TDP are also important contributors, along with common cause failure of the MDPs to start. However, these events are less important than the failures mentioned above.

In the plant model, the reliance on sump pumps to draw water from the TDP sump to prevent flooding of the TDP poses an additional source of system unreliability. The sump pump is required during blackout conditions and during these times the sump pumps are inoperable unless power can be aligned from the Standby Shutdown System (SSF). If power cannot be aligned to the sump pumps then TDP pit flooding will occur in approximately 3 hours.

A listing of dominant cut sets for the CA System is shown in the table below, followed by a listing of the most important system, component, or operator failure events ranked in order of contribution to the total system failure probability.

Top Cut Sets For Gate F1: Loss of Auxiliary Feedwater Flow To 3 of 4 Steam Generators

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 3.00E-05 | FCAORNOLHE | Latent Human Error Causes Swap to Assured Suction Source | 3.00E-03 |
| | FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02 |
| 1.00E-05 | FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02 |
| | FCAHOTWDHE | Failure to Defeat the Low Suction Pressure Trip on Auxiliary Feedwater Pumps Pri | 1.00E-03 |
| 8.19E-06 | FCA0TDPTPR | Turbine Driven Pump Fails to Run | 8.64E-02 |
| | FCAMDPSCOM | Common Cause Failure of Both Motor Driven Pumps to Start | 9.48E-05 |
| 2.33E-06 | FCA0TDPTPR | Turbine Driven Pump Fails to Run | 8.64E-02 |
| | FCAMDPRCOM | Common Cause Failure of Both Motor Driven Pumps to Run | 2.70E-05 |
| 1.90E-06 | FCA0001CVO | Check Valve 1CA1 Fails to Open | 1.90E-04 |
| | FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02 |
| 1.90E-06 | FCA0003CVO | Check Valve 1CA3 Fails to Open | 1.90E-04 |
| | FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02 |
| 1.90E-06 | FCA0005CVO | Check Valve 1CA5 Fails to Open | 1.90E-04 |
| | FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02 |
| 1.47E-06 | FCA0004MVT | Motor Operated Valve 1CA4 Transfers Position | 1.47E-04 |
| | FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02 |
| 1.47E-06 | FCA0006MVT | Motor Operated Valve 1CA6 Transfers Position | 1.47E-04 |
| | FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 1.00E-02 |
| 1.30E-06 | FCA0TDPTPR | Turbine Driven Pump Fails to Run | 8.64E-02 |
| | FCAMDPATRM | CA Motor Driven Pump Train 1A in Maintenance or Testing | 5.00E-03 |
| | FCAMDPBLHE | Latent Human Error Fails MDP 1B | 3.00E-03 |
| 1.30E-06 | FCA0TDPTPR | Turbine Driven Pump Fails to Run | 8.64E-02 |
| | FCAMDPALHE | Latent Human Error Fails Motor Driven Pump 1A | 3.00E-03 |
| | FCAMDPBTRM | CA Motor-Driven Pump Train 1B in Maintenance or Testing | 5.00E-03 |

Total Gate Probability = 7.94E-05

Importance Table For Gate FTOP: Loss of Auxiliary Feedwater Flow To 3 of 4 Steam Generators

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| FCACLMSCOM | Common Cause Failure of RN Sources Due to Clams | 65.2% | 65.46 |
| FCAORNOLHE | Latent Human Error Causes Swap to Assured Suction Source | 40f | 135.85 |
| FCA0TDPTPR | Turbine Driven Pump Fails to Run | 31.6% | 4.34 |
| FCAHOTWDHE | Failure to Defeat the Low Suction Pressure Trip on Auxiliary Feedwater Pumps Pri | 13.5% | 136.12 |
| FCAMDPSCOM | Common Cause Failure of Both Motor Driven Pumps to Start | 13.0% | 1.34E+03 |
| FCAMDPATRM | CA Motor Driven Pump Train 1A in Maintenance or Testing | 4.6% | 10.13 |
| FCAMDPBTRM | CA Motor-Driven Pump Train 1B in Maintenance or Testing | 4.6% | 10.13 |
| FCAMDPALHE | Latent Human Error Fails Motor Driven Pump 1A | 4.4% | 15.54 |
| FCAMDPBLHE | Latent Human Error Fails MDP 1B | 4.4% | 15.54 |
| FCAMDPRCOM | Common Cause Failure of Both Motor Driven Pumps to Run | 3.1% | 1.14E+03 |
| FCA0001CVO | Check Valve 1CA1 Fails to Open | 2.4% | 126.43 |
| FCA0003CVO | Check Valve 1CA3 Fails to Open | 2.4% | 126.43 |
| FCA0005CVO | Check Valve 1CA5 Fails to Open | 2.4% | 126.43 |
| FCA0004MVT | Motor Operated Valve 1CA4 Transfers Position | 1.8% | 126.43 |
| FCA0006MVT | Motor Operated Valve 1CA6 Transfers Position | 1.8% | 126.43 |
| FCA0174MVO | Motor Operated Valve 1CA174 Fails To Open | 1.5% | 5.32 |
| FCA0175MVO | Motor Operated Valve 1CA175 Fails To Open | 1.5% | 5.32 |
| FCAMDPAMPS | Motor Driven Pump 1A Fails to Start | 1.5% | 13.27 |
| FCAMDPBMPS | Motor Driven Pump 1B Fails to Start | 1.5% | 13.27 |
| FCM0374VVT | Locked Open Manual Valve 1CM374 Transfers Position | 1.1% | 126.44 |
| FCS0019VVT | Locked Open Manual Valve 1CS19 Transfers Position | 1.1% | 126.44 |
| FCS0069VVT | Locked Open Manual Valve 1CS69 Transfers Position | 1.1% | 126.44 |
| FCA0040AVT | Air Operated Valve 1CA40 Transfers Position | 1.1% | 10.96 |
| FCA0414AVT | Air Operated Valve 1CA44 Transfers Position | 1.1% | 10.96 |
| FCA0056AVT | Air Operated Valve 1CA56 Transfers Position | 1.1% | 10.96 |
| FCA0060AVT | Air Operated Valve 1CA60 Transfers Position | 1.1% | 10.96 |
| NDCSPl4CLT | Circuit Breaker SDSPI-4 Transfers Position | 0.9% | 5.33 |

Figure A.5-1 Auxiliary Feedwater (CA) System, Sheet 1 of 2
Note 2: Check valve internals removed.
Note 3: Power removed with valve fully open.

Figure A.5-1 Auxiliary Feedwater (CA) System, Sheet 2 of 2

Figure A.5-2 (caption not legible in the source scan)

Figure A.5-3 CA System Recirculation Path To UST And Lube Oil Cooling
Note 1: The TDP Condensate Eductor is non-functional and has been abandoned in place.
See Figure A.5-4 for details of the TDP sump system.

Figure A.5-3 CA Turbine-Driven Pump Sump

A.6 Nuclear Service Water System

System Description

The Nuclear Service Water (RN) System consists of five sections which work together to supply service water to various systems and heat loads, and return effluent back to its source. In order of flow, these are:

  • Source and Intake Section
  • RN Pumphouse Section
  • Main Supply Section
  • Heat Exchanger Section
  • Main Return Section

The civil structures which comprise the source and intake section are the standby nuclear service water dam, standby nuclear service water intake structure, nuclear service water intake structure and the standby nuclear service water pond. The RN System is served by two bodies of water, Lake Wylie and the SNSWP. Lake Wylie serves as the non-safety class, non-seismic, normal source of nuclear service water.

The SNSWP is a Category I seismically designed structure with sufficient water to bring the station to cold shutdown following a LOCA on one unit and normal cooldown on the other unit. During normal plant operation nuclear service water is drawn from Lake Wylie via the nuclear service water intake structure. A single line carries the nuclear service water from the structure to the RN pumphouse. The intake line is sized to carry the flow required for a unit cooldown with the other unit operating at 100 percent power.

Outside the RN pumphouse wall the intake line splits. A single line enters each pumphouse pit. Inside each pit, the lines are secured by two motor-operated valves in series, each powered from separate normal and assured power supplies. This configuration assures at least one valve will function following a loss of Lake Wylie to prevent diversion of the SNSWP inventory to a "dry" Lake Wylie. If Lake Wylie is lost for any reason, nuclear service water will be drawn from the standby nuclear service water pond via the standby nuclear service water intake structure. Two transport lines are routed from the nuclear service water intake structure to the RN pumphouse, one for each pumphouse pit.

The nuclear service water pumps and associated components are housed in a pump structure located adjacent to Lake Wylie and the SNSWP. The RN Pumphouse is designed to protect the RN pumps. The Pumphouse is a Category I seismically designed concrete structure capable of withstanding a safe shutdown earthquake, tornado missile, or maximum probable flood. It contains two separate pits from which independent channels of RN pumps draw suction. The train 'A' section is physically separated from the train 'B' section by a concrete wall. Flow enters each pit from either Lake Wylie or the SNSWP and is diffused by a wall perforated with 3" holes.

Flowing back to the pumps, the water is strained by 1" x 1" removable lattice screens that can be pulled out in sections by a monorail hoist. The operating floor of the RN Pumphouse is located above maximum flood level. The RN pump motors, RN strainers, and electric motor operators for the pit isolation valves are located on this level. Four RN pumps supply nuclear service water to the entire station. The pumps are numbered 1A, 2A, 1B, and 2B to identify their normal and emergency power sources. Pumps 1A and 2A draw water from the 'A' pit and discharge into a common train 'A' supply header that serves both units. Likewise, pumps 1B and 2B draw water from the 'B' pit and discharge into a common train 'B' supply header that serves both units. Each RN pump was originally sized to supply the flow requirements of one essential train in the ESF sump recirculation mode. Under the original design, both pumps would be necessary for an RN loop to be operable. Subsequent analysis has shown that one RN pump can meet the flow requirements of one essential loop with one unit in the ESF sump recirculation mode and the other unit in an extended shutdown.

With the RN system flow balanced to support one pump operation, the following assumptions can be made about RN pump capabilities:

1. One operating RN pump can supply one essential loop.
2. Two operating RN pumps can supply one essential loop (two essential headers) and both nonessential headers, or two RN pumps can supply the total flow demands of one unit with limited flow to the other unit.
3. Three operating RN pumps can supply flow to all six RN headers.

Lubrication flow to the RN pumps is continuously provided regardless of whether a pump is operating or not. The RN pump motor coolers and upper bearing oil coolers receive flow only when the respective pump is operating. A motor-operated valve in the supply line to the RN pump motor auxiliaries is interlocked to open when the pump starts, and close when the pump stops.

Four nuclear service water strainers (RN strainers) remove debris and large particles from nuclear service water. Each strainer receives flow from the RN pump of the corresponding train.

Redundant underground pipes convey nuclear service water from the RN Pumphouse to the Auxiliary and Diesel Buildings. The discharge lines from RN pumps 1A and 2A are combined into a single train 'A' supply line, and the discharge lines from RN pumps 1B and 2B are combined into a single train 'B' supply line. The RN supply lines split into essential and nonessential headers at the Auxiliary Building. Each unit has two essential headers and one nonessential header. Essential supply headers are also provided to the Diesel Buildings.

The Unit 1 crossover provides a flowpath between the '1A' and '1B' essential supply headers. The Unit 2 crossover provides a flowpath between the '2A' and '2B' essential supply headers. The RN nonessential headers receive flow from the Unit 1 and Unit 2 crossovers. With this arrangement, the flow from any RN pump can be directed to any RN header on either unit.

Essential headers '1A', '2A', and nonessential headers 1 and 2 discharge into RN return header 'A'. Essential headers '1B' and '2B' discharge into RN return header 'B'.

RN return header 'A' can discharge to SNSWP return line 'A' or to the RL return line. RN return header 'B' discharges to SNSWP return line 'B'. A crossover connects RN return header 'A' and RN return header 'B'. The crossover is open whenever the RN System is aligned to Lake Wylie.

RN return lines from the Diesel Buildings are routed directly to the SNSWP return lines and the RL return line. Diesel generator engine cooling water return lines '1A' and '2A' discharge to SNSWP return line 'A', and diesel generator engine cooling water return lines '1B' and '2B' discharge to SNSWP return line 'B'. Non-safety diesel generator engine cooling water return lines are routed to the RL return line.

System Success Criteria

The top event success criteria is defined as the ability of the RN System to supply flow to essential equipment. Individual heat exchangers and valves, while a part of the RN flow path, are included in the fault trees for the systems of the component being served. There are five top gates in this analysis. Top gates W1 and W2 represent the failure to provide sufficient flow to the Unit 1 diesel generator water coolers. W3 and W4 represent the failure to provide sufficient flow to the Unit 1 essential headers, while W5 represents the failure of sufficient flow to the non-essential header.

Major Assumptions

1. The RN pumps and their respective discharge valves are interlocked such that when a pump is operating, its discharge valve is open and when the pump is not operating, its discharge valve is closed. It is assumed, however, that an open discharge valve (i.e., pump operating) does not go fully closed during a LOOP event. Per discussions with the system engineer, even though the valves would begin to close when power is removed during a LOOP, the controls are such that if the valve were closing and commanded to reopen when power is restored, the valve begins to open from that point rather than going fully closed first. Since the time span between the LOOP and the sequencer reload is very short, it is not expected that the valves would have time to go fully closed following a LOOP event.
2. The RN pump filter-strainers are required to operate during the 24 hour mission time.
3. The modification to remove the tube injection strainer dependency between common train pumps has been included in the analysis. With this modification, the pump shafts are no longer lubricated through the injection strainer during operation.
4. RN pump 1A is the operating pump and is supplying cooling to Unit 1 and Unit 2 loads.
5. Both RN pumphouse pits are aligned to Lake Wylie.
6. RN pumps 1B, 2A and 2B are in standby.
7. Loss of flow through any pump cooling line is assumed to fail the pump.

8. Motor operated valves 1(2)RN67A and 1(2)RN69B are open and physically blocked from inadvertent operation.
9. Motor-operated valves 1(2)RN847A and 1(2)RN849B failing to close on swap to SNSWP will not fail flow to the diesel generator coolers. Flow through these valves is small enough that it would take a large amount of time to drain the SNSWP to a level below the Technical Specification limit.
10. In order to determine reasonable exposure times for the system components, assuming the 1A RN pump to be in operation and a weekly rotation (approximately), it is assumed that the pumps are rotated in the following order: 1A, 2A, 1B, 2B. Thus, 2A components are assumed to have been operating 3 weeks previously, 1B - two weeks, and 2B the previous week. Even though actual operation may vary, this renders a good representation of exposure time distribution.

System Reliability Results

The top cut sets and dominant contributors to failure for RN flow to the diesel generator cooling water jackets, the essential headers and the non-essential header are listed in the following tables. The cut set listings indicate that the dominant failure modes for flow to these headers are valve failures in the discharge path as well as plugging of the intake pit debris screens and pump lube injection strainers. Also significant to the failure of these three headers is the common cause failure of the RN pumps to run.

Review For Initiating Events

The total loss of RN initiator, T9, is calculated by combining the five top gates (W1, W2, W3, W4, W5) into a single top event. All events pertaining to train '1A' are converted from a 24 hr. mission time to an annualized basis (8760 hrs.) and multiplied by a 0.9 capacity factor, resulting in a mission time of 7884 hrs. After re-solving, the resulting initiator frequency became 2.98E-0. ..

Top Cut Sets For Gate W1: Loss of RN Flow Through Diesel Generator 1A Water Cooler

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 8.88E-06 | WRN847AMVT | Motor Operated Valve 1RN847A Transfers Position | 8.88E-06 |
| 4.54E-06 | WRN846AMVO | Motor Operated Valve 1RN846A Fails to Open | 3.50E-03 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.86E-06 | WRNABPRCOM | Common Cause Failure of RN Pump to Run | 1.86E-06 |
| 1.01E-06 | WRN846AMVO | Motor Operated Valve 1RN846A Fails to Open | 3.50E-03 |
| | WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 2.88E-04 |
| 3.73E-07 | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 2.88E-04 |
| | WRNLSOBFLF | RN Lube Injection Strainer B Fails | 1.30E-03 |
| 2.46E-07 | WRN1846RYD | Contact D1 (Closes on Emerg. Low Pit Level) Fails to Close | 1.90E-04 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.40E-07 | WRN006BMVT | Motor Operated Valve 1RN6B Transfers Position | 4.00E-05 |
| | WRN846AMVO | Motor Operated Valve 1RN846A Fails to Open | 3.50E-03 |
| 1.40E-07 | WRN005AMVT | Motor Operated Valve 1RN5A Transfers Position | 4.00E-05 |
| | WRN846AMVO | Motor Operated Valve 1RN846A Fails to Open | 3.50E-03 |
| 1.01E-07 | WRN846AMVO | Motor Operated Valve 1RN846A Fails to Open | 3.50E-03 |
| | WRNPSCRCOM | Common Cause Failure of Pumphouse Screens Due to Plugging | 2.88E-05 |
| 5.83E-08 | WRN001AWPR | RN Pump 1A Fails to Run | 3.58E-04 |
| | WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 1.63E-04 |
| 5.47E-08 | WRN1846RYD | Contact D1 (Closes on Emerg. Low Pit Level) Fails to Close | 1.90E-04 |
| | WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 2.88E-04 |
| 4.69E-08 | WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 1.63E-04 |
| | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 2.88E-04 |
| 3.38E-08 | WRN001AWPR | RN Pump 1A Fails to Run | 3.58E-04 |
| | WRN3MOVCOM | Common Cause Failure of 3 Pump Discharge Valves To Open | 9.45E-05 |

Total Gate Probability = 1.73E-05

Top Cut Sets For Gate W3: Loss of RN Flow Through Essential Header 1A

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 8.88E-06 | WRN843BMVT | Motor Operated Valve 1RN843B Transfers Position | 8.88E-06 |
| 8.88E-06 | WRN057AMVT | Motor Operated Valve 1RN57A Transfers Position | 8.88E-06 |
| 4.54E-06 | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.86E-06 | WRNABPRCOM | Common Cause Failure of RN Pump to Run | 1.86E-06 |
| 1.01E-06 | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| | WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 2.88E-04 |
| 3.73E-07 | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 2.88E-04 |
| | WRNLSOBFLF | RN Lube Injection Strainer B Fails | 1.30E-03 |
| 2.46E-07 | WRN163ARYD | Contact D1 (Closes on Emerg. Low Pit Level) Fails to Close | 1.90E-04 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.54E-07 | WRNDISCCOM | Common Cause Failure of RN53B, 54A, 57A, and 843B to Close | 1.19E-04 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.40E-07 | WRN005AMVT | Motor Operated Valve 1RN5A Transfers Position | 4.00E-05 |
| | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| 1.40E-07 | WRN006BMVT | Motor Operated Valve 1RN6B Transfers Position | 4.00E-05 |
| | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| 1.01E-07 | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| | WRNPSCRCOM | Common Cause Failure of Pumphouse Screens Due to Plugging | 2.88E-05 |
| 5.83E-08 | WRN001AWPR | RN Pump 1A Fails to Run | 3.58E-04 |
| | WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 1.63E-04 |
| 5.47E-08 | WRN163ARYD | Contact D1 (Closes on Emerg. Low Pit Level) Fails to Close | 1.90E-04 |
| | WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 2.88E-04 |
| 4.69E-08 | WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 1.63E-04 |
| | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 2.88E-04 |

Total Gate Probability = 2.64E-05

Top Cut Sets For Gate W5: Loss of RN Flow Through Non-Essential Header

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 8.88E-06 | WRN049AMVT | Motor Operated Valve 1RN49A Transfers Position | 8.88E-06 |
| 8.88E-06 | WRN050BMVT | Motor Operated Valve 1RN50B Transfers Position | 8.88E-06 |
| 8.88E-06 | WRN057AMVT | Motor Operated Valve 1RN57A Transfers Position | 8.88E-06 |
| 8.88E-06 | WRN051AMVT | Motor Operated Valve 1RN51A Transfers Position | 8.88E-06 |
| 8.88E-06 | WRN052BMVT | Motor Operated Valve 1RN52B Transfers Position | 8.88E-06 |
| 8.88E-06 | WRN843BMVT | Motor Operated Valve 1RN843B Transfers Position | 8.88E-06 |
| 4.55E-06 | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.86E-06 | WRNABPRCOM | Common Cause Failure of RN Pump to Run | 1.86E-06 |
| 1.01E-06 | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| | WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 2.88E-04 |
| 3.74E-07 | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 2.88E-04 |
| | WRNLSOBFLF | RN Lube Injection Strainer B Fails | 1.30E-03 |
| 2.47E-07 | WRN163ARYD | Contact D1 (Closes on Emerg. Low Pit Level) Fails to Close | 1.90E-04 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.55E-07 | WRNDISCCOM | Common Cause Failure of RN53B, 54A, 57A, and 843B to Close | 1.19E-04 |
| | WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 1.30E-03 |
| 1.40E-07 | WRN005AMVT | Motor Operated Valve 1RN5A Transfers Position | 4.00E-05 |
| | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| 1.40E-07 | WRN006BMVT | Motor Operated Valve 1RN6B Transfers Position | 4.00E-05 |
| | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| 1.01E-07 | WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 3.50E-03 |
| | WRNPSCRCOM | Common Cause Failure of Pumphouse Screens Due to Plugging | 2.88E-05 |

Total Gate Probability = 6.20E-05

Importance Table For Gate W1: Loss of RN Flow Through Diesel Generator 1A Water Cooler

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| WRN847AMVT | Motor Operated Valve 1RN847A Transfers Position | 50.3% | 56600 |
| WRN846AMVO | Motor Operated Valve 1RN846A Fails to Open | 33.9% | 97.4 |
| WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 27.1% | 210 |
| WRNABPRCOM | Common Cause Failure of RN Pump to Run | 10.5% | 56600 |
| WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 6.0% | 210 |
| WRNLSOAFLF | RN Lube Injection Strainer A Fails | 3.0% | 104 |
| WRNLSOBFLF | RN Lube Injection Strainer B Fails | 2.1% | 17.3 |
| WRN1846RYD | Contact D1 (Closes on Emerg. Low Pit Level) Fails to Close | 1.7% | 90.6 |

Importance Table For Gate W3: Loss of RN Flow Through Essential Header 1A

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| WRN057AMVT | Motor Operated Valve 1RN57A Transfers Position | 33.2% | 37400 |
| WRN843BMVT | Motor Operated Valve 1RN843B Transfers Position | 33.2% | 37400 |
| WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 22.4% | 64.8 |
| WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 18.5% | 143 |
| WRNABPRCOM | Common Cause Failure of RN Pump to Run | 7.0% | 37400 |
| WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 4.1% | 143 |
| WRNLSOAFLF | RN Lube Injection Strainer A Fails | 2.0% | 69.0 |
| WRNLSOBFLF | RN Lube Injection Strainer B Fails | 1.4% | 11.8 |

Importance Table For Gate W5: Loss of RN Flow Through Non-Essential Header

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| WRN049AMVT | Motor Operated Valve 1RN49A Transfers Position | 14.3% | 16100 |
| WRN050BMVT | Motor Operated Valve 1RN50B Transfers Position | 14.3% | 16100 |
| WRN051AMVT | Motor Operated Valve 1RN51A Transfers Position | 14.3% | 16100 |
| WRN052BMVT | Motor Operated Valve 1RN52B Transfers Position | 14.3% | 16100 |
| WRN057AMVT | Motor Operated Valve 1RN57A Transfers Position | 14.3% | 16100 |
| WRN843BMVT | Motor Operated Valve 1RN843B Transfers Position | 14.3% | 16100 |
| WRN163AMVO | Motor Operated Valve 1RN63A Fails to Open | 9.6% | 28.4 |
| WRNPSCBFLF | RN Pump Intake Pit B Debris Screen Plugs | 7.9% | 62.1 |
| WRNABPRCOM | Common Cause Failure of RN Pump to Run | 3.0% | 16100 |
| WRNPSCAFLF | RN Pump Intake Pit A Debris Screen Plugs | 1.8% | 62.1 |

Top Cut Sets For T9 Initiator: Loss of RN

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 3.00E-05 | WRNABPRCOM | Common Cause Failure of RN Pump to Run | 3.00E-05 |
| 1.23E-04 | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 9.46E-02 |
| | WRNLSOBFLF | RN Lube Injection Strainer B Fails | 1.30E-03 |
| 1.91E-05 | WRN001AWPR | RN Pump 1A Fails to Run | 1.17E-01 |
| | WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 1.63E-04 |
| 1.54E-05 | WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 1.63E-04 |
| | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 9.46E-02 |
| 1.11E-05 | WRN001AWPR | RN Pump 1A Fails to Run | 1.17E-01 |
| | WRN3MOVCOM | Common Cause Failure of Discharge Valves to Open When RN Pump is Started | 9.45E-05 |
| 8.94E-06 | WRN3MOVCOM | Common Cause Failure of Discharge Valves to Open When RN Pump is Started | 9.45E-05 |
| | WRNLSOAFLF | RN Lube Injection Strainer A Fails | 9.46E-02 |
| 8.51E-06 | WRLOO54MVT | Motor Operated Valve 1RL54 Transfers Position | 2.92E-03 |
| | WRLOO62MVT | Motor Operated Valve 1RL62 Transfers Position | 2.92E-03 |

Total Gate Probability = 1.98E-04

Importance Table For T9 Initiator: Loss of RN

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| WRNLSOAFLF | RN Lube Injection Strainer A Fails | 68.8% | 7.6 |
| WRNLSOBFLF | RN Lube Injection Strainer B Fails | 44.1% | 339.0 |
| WRNABPSCOM | Common Cause Failure of RN Pumps to Start | 14.3% | 806.0 |
| WRN001AWPR | RN Pump 1A Fails to Run | 11.5% | 1.9 |
| WRNABPRCOM | Common Cause Failure of RN Pump to Run | 10.1% | 3360.0 |
| WRN3MOVCOM | Common Cause Failure of 3 Pump Discharge Valves To Open | 8.1% | 793.0 |
| WRNPM2BTRM | RN Pump Train 2B in Testing or Maintenance | 5.8% | 5.3 |
| WRNPM1BTRM | RN Pump Train 1B in Testing or Maintenance | 5.7% | 5.2 |
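The T9 review rescales train 1A events from the 24 hr mission time to 7884 hrs and re-solves the cut sets. The Python sketch below is an added example, not code from the report or its PRA software: it reproduces that linear rescaling, quantifies the listed T9 cut sets with a min-cut upper bound, and derives Fussell-Vesely (F-V) and RAW from their standard definitions, which is an assumption because the report does not state its formulas. The report prints only the top cut sets, so the computed total and importances differ from the printed ones.

```python
from math import prod

HOURS_PER_YEAR = 8760
CAPACITY_FACTOR = 0.9      # capacity factor stated in the report
SYSTEM_MISSION_H = 24      # mission time used in the system solve


def initiator_exposure_hours():
    """Annualized exposure of the running train: 8760 h x 0.9 = 7884 h."""
    return HOURS_PER_YEAR * CAPACITY_FACTOR


def rescale(p_24h, exposure_h=None):
    """Scale a 24 h failure probability linearly (p = rate x time)."""
    if exposure_h is None:
        exposure_h = initiator_exposure_hours()
    return p_24h * exposure_h / SYSTEM_MISSION_H


# Basic event probabilities as printed in the T9 cut set table.
# WRN001AWPR and WRNLSOAFLF are the 24 h values 3.58E-04 and 2.88E-04
# after rescaling to 7884 h.
T9_EVENTS = {
    "WRNABPRCOM": 3.00e-5,
    "WRNLSOAFLF": 9.46e-2,
    "WRNLSOBFLF": 1.30e-3,
    "WRN001AWPR": 1.17e-1,
    "WRNABPSCOM": 1.63e-4,
    "WRN3MOVCOM": 9.45e-5,
    "WRLOO54MVT": 2.92e-3,
    "WRLOO62MVT": 2.92e-3,
}

# Minimal cut sets listed in the T9 table (each tuple is an AND of events).
T9_CUT_SETS = [
    ("WRNABPRCOM",),
    ("WRNLSOAFLF", "WRNLSOBFLF"),
    ("WRN001AWPR", "WRNABPSCOM"),
    ("WRNABPSCOM", "WRNLSOAFLF"),
    ("WRN001AWPR", "WRN3MOVCOM"),
    ("WRN3MOVCOM", "WRNLSOAFLF"),
    ("WRLOO54MVT", "WRLOO62MVT"),
]


def cut_set_probability(cut_set, events):
    """Probability that every event in one cut set occurs (independence)."""
    return prod(events[name] for name in cut_set)


def top_probability(cut_sets, events):
    """Min-cut upper bound: 1 - product(1 - P(cut set))."""
    survive = 1.0
    for cut_set in cut_sets:
        survive *= 1.0 - cut_set_probability(cut_set, events)
    return 1.0 - survive


def fussell_vesely(name, cut_sets, events):
    """Fraction of the top probability that vanishes if the event never occurs."""
    base = top_probability(cut_sets, events)
    never = top_probability(cut_sets, {**events, name: 0.0})
    return (base - never) / base


def risk_achievement_worth(name, cut_sets, events):
    """Factor by which the top probability grows if the event is certain."""
    base = top_probability(cut_sets, events)
    failed = top_probability(cut_sets, {**events, name: 1.0})
    return failed / base


def importance_table(cut_sets, events):
    """Rows of (event, F-V, RAW), sorted by F-V like the report's tables."""
    rows = [
        (name,
         fussell_vesely(name, cut_sets, events),
         risk_achievement_worth(name, cut_sets, events))
        for name in events
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(f"exposure hours: {initiator_exposure_hours():.0f}")
    print(f"top (listed cut sets only): {top_probability(T9_CUT_SETS, T9_EVENTS):.3e}")
    for name, fv, raw in importance_table(T9_CUT_SETS, T9_EVENTS):
        print(f"{name}  F-V={fv:6.1%}  RAW={raw:8.1f}")
```

The rescaled values for WRN001AWPR and WRNLSOAFLF come out at 1.18E-01 and 9.46E-02, which agrees with the 1.17E-01 and 9.46E-02 printed in the T9 table and indicates the conversion there is linear in exposure time.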

FIGURE A.6-1 Nuclear Service Water System (RN) Supply to RN Headers
Note 1: Valve closes on Emerg. Low Level in Either RN Pit
Note 2: Valve opens on Emerg. Low Level in Either RN Pit

FIGURE A.6-2 Nuclear Service Water System (RN) Cooling to RN Pumps


FIGURE A.6-5 Nuclear Service Water System (RN) Non-Essential Header


FIGURE A.6-7 Nuclear Service Water System (RN) Discharge From RN
Note 1: Valve closes on Emerg. Low Level in Either RN Pit
Note 2: Valve opens on Emerg. Low Level in Either RN Pit

A.7 Component Cooling System

System Description

The Component Cooling (KC) System is a closed loop system that serves as an intermediate system and as a second boundary between the Reactor Coolant (NC) System and the Nuclear Service Water (RN) System. The KC System provides cooling to the essential primary unit components during normal operation and under accident conditions, and supplies cooling to the nonessential loads in the Reactor and Auxiliary Buildings during normal operation.

The KC System consists of two redundant cooling headers. Each header contains two component cooling pumps, one heat exchanger and associated loads. During normal operation, either train can provide cooling to both train 1A and train 1B essential headers. Cooling water may also be supplied to the nonessential headers from either train and, likewise, returned to either train. A simplified diagram of the KC System is provided in Figure A.7-1 and a simplified diagram of the KC essential and non-essential headers is provided in Figures A.7-2 to A.7-5. RN cooling to the KC heat exchangers is shown in Figure A.7-6.

During normal operation, one KC pump and heat exchanger are aligned to supply cooling water to various nonessential equipment. The remaining pump and the other train of KC serve as backups. The RN heat exchanger cools KC, which, in turn, cools its required loads.

In the event of a safety injection (SS) signal, all four KC pumps receive a start signal. (However, only two KC pumps and one KC heat exchanger are required to cool the essential loads.) All valves in the standby train are normally open. The four RN System pumps also start on an SS signal, assuring flow to the KC heat exchangers. All the crossover lines remain open until an additional low level signal from the FWST occurs.

On low low Refueling Water Storage Tank (FWST) level following either an SS signal or a high high containment pressure (SP) signal, the normally closed inlet valves to each train of the Residual Heat Removal (ND) System heat exchangers are actuated to open, adding significant heat load to the KC System pumps. In addition, valves 1KC3A, 1KC18B, 1KC228B and 1KC230A close to isolate the reactor building nonessential header and valves 1KC1A, 1KC2B, 1KC50A and 1KC53B close to isolate the auxiliary building nonessential header. Reactor building isolation removes flow to the NC pump thermal barriers, the NC pump upper and lower coolers, and provides train separation. The reactor building header is also capable of isolation by three motor-operated containment isolation valves.

The KC System response to a loss of offsite power condition is similar to the response to an SS signal, except that the KC pumps restart on the operating train following the loading of the diesel generator.

System Success Criteria

Success of the KC System is considered to be the operation of one train of KC. During normal operation, one train consists of one KC pump and its corresponding heat exchanger (pump train A and B discharges are not cross-connected). For ES operation, once KC train separation occurs and the ND heat exchanger is aligned, one train consists of two operating KC pumps with one operable heat exchanger.

Major Assumptions

1. KC header 1A is assumed to be in operation when an accident occurs, and KC header 1B is assumed to be in the standby mode.
2. The failure of either intake valve (1KC50A or 1KC53B) and either discharge valve (1KC1A or 1KC2B) to close on a given signal results in the diversion of a large amount of flow to the auxiliary building nonessential header. This, in turn, is assumed to result in inadequate cooling flow to the essential header (if ND heat exchanger cooling is required).
3. It is assumed that one KC pump provides adequate flow to the system loads as long as cooling to the ND heat exchanger is not required.
4. The reactor building nonessential header valves close on an SS signal followed by a low FWST level signal or on an SP signal, thus isolating KC cooling to the NC pump thermal barriers. Reestablishment of cooling water to the thermal barriers after isolation is considered to be a potential recovery action.
5. The KC surge tank is not modeled because its failure is assumed to be probabilistically insignificant.

System Reliability Results

Dominant cut sets for loss of KC to essential header 1A and non-essential reactor building header are listed in the tables below. The cut sets have been generated assuming an SP signal has occurred.

The dominant contributors to the failure of flow to essential headers 1A and 1B are latent human error associated with KC train 1A2, KC and RN train unavailability due to maintenance, and KC pump start failures.

The dominant contributors to the failure of flow to the non-essential reactor building header are KC train maintenance, common cause failure of the standby KC pumps to start, and latent human error on KC train 1A2.

Review For Initiating Events

This discussion documents the calculation of the T10 initiator: loss of the Component Cooling Water (KC) system during normal operation.

During normal operation, the Component Cooling Water (KC) system cools the reactor coolant pump thermal barriers and bearing oil coolers, among other loads. A loss of KC will result in a trip to all NC pumps, followed by a reactor trip. Thus, the loss of KC flow in the reactor building header is not significantly different from the reactor trip initiator, T1. However, if a valve in the RB header were to transfer closed, a total loss of KC has not occurred, since flow would still be available to ND heat exchangers and AB nonessential header. Therefore, the scope of the initiator analysis is different from that of the system solve, since the essential headers perform no normal function (except to provide the flowpath to the KC pump coolers; these valves are modeled under the pump logic).

The following assumptions are made in determining the loss of KC initiator.

  • Train '1A1' is the operating pump train; pump trains '1A2,' '1B1,' and '1B2' are in standby.
  • The mission time for the operating pump train (1A1) is one year times a nominal capacity factor of 0.9 (i.e., 7884 hrs).
  • The mission times for components in the standby pump trains are the same as in the system solve.
  • The success criteria requires the operation of one pump and its corresponding heat exchanger (pump train A and B discharges are not cross-connected).

To determine the T10 frequency, the following changes are made to the KC system model:

  • delete tree tops K1 and K2 since the essential headers perform no normal function (the exception is the flowpath to the KC pump coolers)
  • delete gates K2000/3000 (Loss of KC Hx 1B/1A and a Train A/B Pump) and K2310 (ESFAS signal present) and basic event T10 since they're not valid for the initiator
  • change gate K5000 from a COM3 gate to an AND gate, since, for the initiator, all 4 pumps must fail to fail KC
  • add KKCSTNBDHE (Operators Fail to Start a Standby KC Pump) to gates K8025/9025/10025 (KC Pump 1A2/1B1/1B2 Fails to Start)
  • set factors associated with train 1A1 to 7884
  • add gates K2200/3200 (KC surge line failures) to pump train A1, A2/B1, B2 logic since these valid failures were removed by the previous changes
  • delete blackout logic since it is not applicable for the initiator

Using the Loss of KC System initiator fault tree, the frequency of the T10 initiator is calculated to be 6.4E-4. The dominant cutsets and most important basic events from the T10 solution are identified in the tables below.

Top Cut Sets For Gate K1: Loss of KC to Essential Header 1A

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 6.70E-05 | KKC3/3SCOM | Common Cause Failure of 3 of 3 KC Pumps to Start | 6.70E-05 |
| 6.00E-05 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KKC01A2LHE | Latent Human Error Fails KC 1A2 Pump Train | 3.00E-03 |
| 1.94E-05 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KKC01A2PPS | KC Pump 1A2 Fails to Start | 9.68E-04 |
| 9.00E-06 | KKC001BLHE | Latent Human Error Fails KC Train 1B | 3.00E-03 |
| | KKC01A2LHE | Latent Human Error Fails KC 1A2 Pump Train | 3.00E-03 |
| 7.68E-06 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KKC01A1PPR | KC Pump 1A1 Fails to Run | 3.84E-04 |
| 7.68E-06 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KKC01A2PPR | KC Pump 1A2 Fails to Run | 3.84E-04 |
| 4.29E-06 | KKC01A2LHE | Latent Human Error Fails KC 1A2 Pump Train | 3.00E-03 |
| | KRN0351AVT | Air Operated Valve 1RN351 Transfers Position | 1.43E-03 |
| 3.99E-06 | KKC001BLHE | Latent Human Error Fails KC Train 1B | 3.00E-03 |
| | KKC01A2TRM | KC Pump 1A2 in Testing or Maintenance | 1.33E-03 |
| 3.99E-06 | KKC01A2LHE | Latent Human Error Fails KC 1A2 Pump Train | 3.00E-03 |
| | KKC01B2TRM | KC Pump 1B2 in Testing or Maintenance | 1.33E-03 |
| 3.99E-06 | KKC01A2LHE | Latent Human Error Fails KC 1A2 Pump Train | 3.00E-03 |
| | KKC01B1TRM | KC Pump 1B1 in Testing or Maintenance | 1.33E-03 |
| 3.80E-06 | KKC0008CVO | Check Valve 1KC8 Fails to Open | 1.90E-04 |
| | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| 2.90E-06 | KKC001BLHE | Latent Human Error Fails KC Train 1B | 3.00E-03 |
| | KKC01A2PPS | KC Pump 1A2 Fails to Start | 9.68E-04 |

Total Gate Probability = 2.52E-4

Top Cut Sets For Gate K3: Loss of KC to Non-Essential RB Header

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.08E-05 | KKC0340CVT | Check Valve 1KC340 Transfers Position | 1.08E-05 |
| 8.88E-06 | KKC425AMVT | Motor Operated Valve 1KC425A Transfers Position | 8.88E-06 |
| 8.88E-06 | KKC338BMVT | Motor Operated Valve 1KC338B Transfers Position | 8.88E-06 |
| 8.88E-06 | KKC424BMVT | Motor Operated Valve 1KC424B Transfers Position | 8.88E-06 |
| 2.11E-06 | KKC0821VVT | Manual Valve 1KC821 Transfers Position | 2.11E-06 |
| 2.11E-06 | KKC0336VVT | Manual Valve 1KC336 Transfers Position | 2.11E-06 |
| 2.11E-06 | KKC0235VVT | Manual Valve 1KC235 Transfers Position | 2.11E-06 |
| 2.11E-06 | KKC0342VVT | Manual Valve 1KC342 Transfers Position | 2.11E-06 |
| 2.00E-06 | KKCORUNCOM | Common Cause Failure of KC Pumps to Run | 2.00E-06 |
| 1.63E-06 | KKC001AHXF | KC Hx 1A Fails to Function | 8.16E-05 |
| | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| 1.30E-06 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KRN0291AVT | Air Operated Valve 1RN291 Transfers Position | 6.48E-05 |
| 3.84E-07 | KKC01A1PPR | KC Pump 1A1 Fails to Run | 3.84E-04 |
| | KKCSTNBDHE | Operators Fail to Align Standby KC Pump Train | 1.00E-03 |
| 1.78E-07 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KRN287AMVT | Motor Operated Valve 1RN287A Transfers Position | 8.88E-06 |
| 1.17E-07 | KKC001AHXF | KC Hx 1A Fails to Function | 8.16E-05 |
| | KRN0351AVT | Air Operated Valve 1RN351 Transfers Position | 1.43E-03 |
| 9.27E-08 | KRN0291AVT | Air Operated Valve 1RN291 Transfers Position | 6.48E-05 |
| | KRN0351AVT | Air Operated Valve 1RN351 Transfers Position | 1.43E-03 |
| 8.16E-08 | KKC001AHXF | KC Hx 1A Fails to Function | 8.16E-05 |
| | KKCSTNBDHE | Operators Fail to Align Standby KC Pump Train | 1.00E-03 |
| 6.48E-08 | KKCSTNBDHE | Operators Fail to Align Standby KC Pump Train | 1.00E-03 |
| | KRN0291AVT | Air Operated Valve 1RN291 Transfers Position | 6.48E-05 |
| 4.22E-08 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KKCA014VVT | Essential Header 1A Return Valve 1KCA14 Transfers Position | 2.11E-06 |
| 4.22E-08 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KKCA012VVT | Essential Header 1A Supply Valve 1KCA12 Transfers Position | 2.11E-06 |

Total Gate Probability = 5.21E-5

Importance Table For Gate K1: Loss of KC to Essential Header 1A

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| KKC001BTRM | KC Train 1B in Maintenance | 43.2% | 22 |
| KKC01A2LHE | Latent Human Error Fails KC 1A2 Pump Train | 37.3% | 124 |
| KKC3/3SCOM | Common Cause Failure of 3 of 3 KC Pumps to Start | 26.6% | 3970 |
| KKC01A2PPS | KC Pump 1A2 Fails to Start | 12.0% | 124 |
| KKC001BLHE | Latent Human Error Fails KC Train 1B | 8.2% | 28 |
| KKC01A1PPR | KC Pump 1A1 Fails to Run | 4.8% | 124 |
| KKC01A2PPR | KC Pump 1A2 Fails to Run | 4.8% | 124 |
| KKC01A2TRM | KC Pump 1A2 in Testing or Maintenance | 4.6% | 35 |
| KRN0351AVT | Air Operated Valve 1RN351 Transfers Position | 3.8% | 28 |
| KKC01B1TRM | KC Pump 1B1 in Testing or Maintenance | 2.9% | 22 |
| KKC01B2TRM | KC Pump 1B2 in Testing or Maintenance | 2.9% | 21 |
| KKC01B1PPS | KC Pump 1B1 Fails to Start | 2.6% | 28 |
| KKC01B2PPS | KC Pump 1B2 Fails to Start | 2.6% | 28 |
| KKC0008CVO | Check Valve 1KC8 Fails to Open | 2.3% | 122 |

Importance Table For Gate K3: Loss of KC to Non-Essential RB Header

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| KKC0340CVT | Check Valve 1KC340 Transfers Position | 20.7% | 19200 |
| KKC338BMVT | Motor Operated Valve 1KC338B Transfers Position | 17.1% | 19200 |
| KKC424BMVT | Motor Operated Valve 1KC424B Transfers Position | 17.1% | 19200 |
| KKC425AMVT | Motor Operated Valve 1KC425A Transfers Position | 17.1% | 19200 |
| KKC001BTRM | KC Train 1B in Maintenance | 6.4% | 4 |
| KKC0235VVT | Manual Valve 1KC235 Transfers Position | 4.1% | 19200 |
| KKC0336VVT | Manual Valve 1KC336 Transfers Position | 4.1% | 19200 |
| KKC0342VVT | Manual Valve 1KC342 Transfers Position | 4.1% | 19200 |
| KKC0821VVT | Manual Valve 1KC821 Transfers Position | 4.1% | 19200 |
| KKCORUNCOM | Common Cause Failure of KC Pumps to Run | 3.8% | 19200 |
| KKC001AHXF | KC Hx 1A Fails to Function | 3.6% | 434 |
| KRN0291AVT | Air Operated Valve 1RN291 Transfers Position | 2.8% | 434 |

Top Cut Sets For Loss of KC System Initiator

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.61E-04 | KKC001AKHX | KC Hx 1A Fails to Function | 8.04E-03 |
| | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| 1.26E-04 | KKC01A1PPR | KC Pump 1A1 Fails to Run | 1.26E-01 |
| | KKCSTNBDHE | Operators Fail to Start a Standby KC Pump | 1.00E-03 |
| 5.83E-05 | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KRN287AMVT | Motor Operated Valve 1RN287A Transfers Position | 2.92E-03 |
| 3.00E-05 | KKC4/4RCOM | Common Cause Failure of 4 of 4 KC Pumps to Run | 3.00E-05 |
| 2.41E-05 | KKC001AKHX | KC Hx 1A Fails to Function | 8.04E-03 |
| | KKC001BLHE | Latent Human Error Fails KC Train 1B | 3.00E-03 |
| 1.99E-05 | JDGLSA2RYT | Spurious Operation of Load Shed Relay LSA2 | 7.88E-03 |
| | KKC001BTRM | KC Train 1B in Maintenance | 2.00E-02 |
| | KKC01A1PPR | KC Pump 1A1 Fails to Run | 1.26E-01 |

Total Gate Probability = 6.4E-4

Importance Table For Loss of KC System Initiator

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| KKC001BTRM | KC Train 1B in Maintenance | 52.9% | 27 |
| KKC001AKHX | KC Hx 1A Fails to Function | 30.9% | 39 |
| KKC01A1PPR | KC Pump 1A1 Fails to Run | 26.9% | 3 |
| KKCSTNBDHE | Operators Fail to Start a Standby KC Pump | 24.1% | 236 |
| KRN287AMVT | Motor Operated Valve 1RN287A Transfers Position | 11.2% | 39 |
| KKC001BLHE | Latent Human Error Fails KC Train 1B | 8.0% | 27 |
| KKC4/4RCOM | Common Cause Failure of 4 of 4 KC Pumps to Run | 4.7% | 1560 |
| JDGLSA2RYT | Spurious Operation of Load Shed Relay LSA2 | 4.0% | 6 |
| KKC0031VVT | Locked Open Manual Valve 1KC31 Transfers Position | 2.7% | 39 |
| KKC0032VVT | Locked Open Manual Valve 1KC32 Transfers Position | 2.7% | 39 |
| KKCA012VVT | Essential Header 1A Supply Valve 1KCA12 Transfers Position | 2.7% | 39 |
| KKCA014VVT | Essential Header 1A Return Valve 1KCA14 Transfers Position | 2.7% | 39 |
| KRN0291VVT | Air Operated Valve 1RN291 Transfers Position | 2.7% | 39 |
| KRN0837VVT | Manual Valve 1RN837 Transfers Position | 2.7% | 39 |


[Figure A.7-5, Rev. 2: Component Cooling (KC) System: Reactor Building Non-Essential Header]


A.8 Standby Shutdown System

System Description

The Standby Shutdown (SS) System is housed in the Standby Shutdown Facility (SSF). The relevant portions of this system are shown in Figures A.8-1 through A.8-3. The SS System is designed to provide an alternate and independent means to achieve and maintain hot standby conditions.

The SS System consists mainly of one diesel generator set and supporting equipment, two standby makeup pumps (one per unit), strainers, valves and associated piping.

The standby makeup pump is located in the reactor building annulus to supply makeup to the Reactor Coolant (NC) System should the normal charging system be unavailable. The pump provides a means of makeup to the NC System to recover normal system leakage, NC pump seal leakage, and additional flow for system makeup. This portion of the SS System is shown in Figure A.8-1.

The standby makeup pump delivers water from the spent fuel pool to the NC System at the rate of 26 gpm. Approximately 18 gpm is required for seal leakage and 8 gpm for NC System makeup and boration. This makeup will be through the NC pump seals. The standby makeup pump is a positive displacement pump driven by an induction motor, powered by the SSF power supply. The pump is located sufficiently below the spent fuel pool to assure that adequate net positive suction head is available.

A strainer is provided downstream of the pump to prevent damage to the NC pump seals. A common SS System injection header with associated valves splits to feed the four seal injection lines.

The existing turbine-driven auxiliary feedwater pump is utilized to maintain adequate secondary side heat removal. The water in the embedded condenser circulating water pipe can be utilized to maintain hot standby for at least 3.5 days.

The 600/120 V ac Standby Shutdown Facility Auxiliary Power System (Figure A.8-2) provides an alternate and independent supply of ac power to loads required to achieve and maintain a hot standby condition for one or both units. This system includes 6900/600 V ac load center transformer 1STXG; 600 V ac load center 1SLXG; 600 V ac, 875 kVA diesel generator D/G (train C); 600 V ac motor control center SMXG and an inverter supplied 120 V ac system. This portion of the SSF is shown in Figure A.8-2.

The SSF 600 V ac load center 1SLXG normally receives power from 6900 V ac switchgear 1TA through transformer 1STXG. An alternate power supply to the SSF load center is available by means of the SSF diesel generator should the normal source be out of service as the result of either equipment preventative maintenance, equipment failures, or a station blackout condition.

The SSF alternate power supply consists of an independent diesel-electric generating unit. The auxiliaries required to assure proper operation of the diesel generator unit are supplied with power from the appropriate buses (600 V ac, 120 V ac or 125 V dc) of the SSF Power System. The diesel-electric generating unit is rated for continuous operation at approximately 700 kW, and the design load level for the system does not exceed this continuous rating.

An independent Fuel Oil System, complete with a separate underground storage tank and a one hour day tank, is supplied for the diesel-electric generating unit. The underground storage tank is sized to operate the diesel generator for a period of at least 3.5 days. The day tank size is based upon the fuel oil storage required to start the unit successfully, and to allow for orderly shutdown of the diesel unit upon loss of oil from the main storage tank. This portion of the SS System is shown in Figure A.8-3.

The 250/125 V dc Standby Shutdown Facility Auxiliary Power System (ETM) (Figure A.8-2) consists of 250/125 V dc distribution center SDSP; 125 V dc batteries SDSB1, SDSB2, and SDBS; battery chargers SDSC1, SDSC2 and SDCS; and 125 V dc power panelboards SDSP1 and SDSP2. The battery/battery chargers are used as combination sets, two sets for normal service and one set for standby use.

The SSF HVAC System consists of three wall mounted fans with motor-operated dampers, two exhaust fans, six room heaters and an air handling unit. Dampers are provided in the diesel room for combustion air to the diesel and diesel exhaust. The air handling unit supplies cooling to the SSF control room and ventilation to the SSF battery. This system is designed to maintain a minimum temperature in the facility of 60°F and a maximum of 125°F during diesel generator operation.

The SSF is not used during normal plant operation. Its function is to provide an alternate and independent means to achieve and maintain a hot standby condition for one or both units following postulated fire and sabotage events.

During an emergency, the SSF is used to achieve and maintain hot standby on one or both units. Operators can establish natural circulation in the NC System, initiate auxiliary feedwater and line up SS System valves either in the control room or locally. Plant control is then to be shifted to the SSF. Primary and secondary inventory is controlled and primary natural circulation is verified once SSF control is established.

System Success Criteria

The top event success criteria of the SS System fault tree is successful injection to all four NC pump seals. Failure of flow to any one seal will result in system failure. The SSF is also used to supply power to the auxiliary feedwater turbine-driven pump sump pump.

Major Assumptions

1. Seal return flow valve 1NV89A is to be closed during operation of the SS System. However, failure of this valve to close has no negative impact on the ability to inject to the seals. Therefore, failure of valve 1NV89A to close is not modeled. No other seal return failures are modeled.
2. Upon loss of control power, by failure of the 125 V dc panelboard, SDSP2, the SS diesel generator fails.
3. The failure of the SSF fuel oil transfer system will cause the SSF diesel to fail.
4. Because normal NC pump seal injection has ceased when the standby makeup pump is started, all check valves to the NC pump seals close. Therefore, the check valves must reopen for NC pump seal injection from the standby makeup pump.
5. Losing the exhaust fan to the battery is assumed not to result in equipment failure if the air handling unit is working.
6. Loss of either outside air supply damper to the SSF diesel or a loss of the exhaust damper from the diesel is assumed to fail the diesel.
7. A failure of the SSF air handling unit is assumed to be noticed and corrected in 12 hours if it occurs before the initiating event.
8. A failure of SSF heaters in the "ON" position is not modeled because this would require independent component failures of the thermostat and a control switch.
9. The standby makeup pump pulsation dampers are not modeled because of their assumed low probability of failure.

System Reliability Results

A dominant failure mode associated with SSF operation for seal injection is the failure to start the SSF in the time required to avert a seal LOCA. For the case where the SSF diesel is not required, failure of the standby makeup pump to start, train maintenance, and transfer of the manual valves which isolate the standby makeup pump from the individual NC pump seals are the dominant hardware failures. For the case where the SSF diesel is required, the dominant hardware failures are associated with the SSF diesel. For power to the CA TDP sump pump, hardware failures are similar to those for the case where the SSF diesel is required.

Top Cut Sets For Gate N1: Failure Of SSF (non-LOOP Initiator)

Cut Set Probability | Event Name | Event Description | Event Probability
3.00E-02 | NNVSSFADHE | Failure to Initiate SSF Seal Injection - Non LOOP Event | 3.00E-02
1.50E-02 | NNVOSSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 1.50E-02
1.35E-02 | NNVSMUPFLF | Filter (Standby Makeup Pump) Restricts Flow | 1.35E-02
3.50E-03 | NNV0865MVO | Motor-Operated Valve 1NV865 Fails to Open | 3.50E-03
3.50E-03 | NNV0872MVO | Motor-Operated Valve 1NV872A Fails to Open | 3.50E-03
3.00E-03 | NSSOSSFLHE | Latent Human Error Fails The SSF | 3.00E-03
2.80E-03 | NNV0SMPDPS | SSF Reactor Coolant Makeup Pump Fails To Start On Demand | 2.80E-03
2.44E-03 | NNV0876MVT | Motor-Operated Valve 1NV876 Transfers Position | 2.44E-03
2.44E-03 | NNV0877MVT | Motor Operated Valve 1NV877 Transfers Position | 2.44E-03
1.76E-03 | NVKAHUICRR | SSF Air Handling Unit Fails to Run | 1.76E-03
1.00E-03 | NACSLXGBLM | 600 V ac Motor Control Center SLXG in Maintenance | 1.00E-03
1.00E-03 | PACEMXSBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXS | 1.00E-03
1.00E-03 | NACSMXGBLM | 600 V Or Less AC Power Bus SMXG in Maintenance | 1.00E-03
1.00E-03 | NADSKPGBLM | 120 V ac Panel Board SKPG in Maintenance | 1.00E-03
5.76E-04 | NNVOSMPDPR | SSF Reactor Coolant Makeup Pump Fails To Run | 5.76E-04
5.31E-04 | NACSKPGBLF | 120 V AC Power Bus SKPG Fails | 5.31E-04
1.90E-04 | HNV0495CVO | Check Valve 1NV495 Fails to Open | 1.90E-04
1.90E-04 | NNV0881CVO | Check Valve 1NV881 Fails to Open | 1.90E-04
1.90E-04 | NNV0880CVO | Check Valve 1NV880 Fails to Open | 1.90E-04
1.90E-04 | NNV0874CVO | Check Valve 1NV874 Fails to Open | 1.90E-04
1.90E-04 | HNV0082CVO | Check Valve 1NV0082 Fails to Open | 1.90E-04
1.90E-04 | NNV0879CVO | Check Valve 1NV879 Fails to Open | 1.90E-04
1.90E-04 | HNV0060CVO | Check Valve 1NV0060 Fails to Open | 1.90E-04
1.90E-04 | HNV0071CVO | Check Valve 1NV0071 Fails to Open | 1.90E-04
1.90E-04 | HNV0494CVO | Check Valve 1NV494 Fails to Open | 1.90E-04

Total Gate Probability = 8.45E-02

Importance Table For Gate N1: Failure Of SSF (non-LOOP Initiator)

Event Name | Event Description | F-V | RAW
NNVOSSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 16.5% | 11.8
NNVSMUPFLF | Filter (Standby Makeup Pump) Restricts Flow | 14.8% | 11.8
NNV0865MVO | Motor-Operated Valve 1NV865 Fails to Open | 3.8% | 11.8
NNV0872MVO | Motor-Operated Valve 1NV872A Fails to Open | 3.8% | 11.8
NSSOSSFLHE | Latent Human Error Fails The SSF | 3.3% | 11.8
NNVOSMPDPS | SSF Reactor Coolant Makeup Pump Fails To Start On Demand | 3.0% | 11.8
NNV0876MVT | Motor-Operated Valve 1NV876 Transfers Position | 2.7% | 11.8
NNV0877MVT | Motor Operated Valve 1NV877 Transfers Position | 2.7% | 11.8
NVKAHUICRR | SSF Air Handling Unit Fails to Run | 1.9% | 11.8
NACSLXGBLM | 600 V ac Motor Control Center SLXG in Maintenance | 1.1% | 11.8
NACSMXGBLM | 600 V Or Less AC Power Bus SMXG in Maintenance | 1.1% | 11.8
NADSKPGBLM | 120 V ac Panel Board SKPG in Maintenance | 1.1% | 11.8
PACEMXSBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXS | 1.1% | 11.8
NNVOSMPDPR | SSF Reactor Coolant Makeup Pump Fails To Run | 0.6% | 11.8

Top Cut Sets For Gate N1: Failure Of SSF (LOOP Initiator)

Cut Set Probability | Event Name | Event Description | Event Probability
1.00E-01 | NNVSSFBDHE | Failure to Initiate SSF Seal Injection - LOOP Event | 1.00E-01
1.50E-02 | NNVOSSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 1.50E-02
1.35E-02 | NNVSMUPFLF | Filter (Standby Makeup Pump) Restricts Flow | 1.35E-02
3.50E-03 | NNV0872MVO | Motor-Operated Valve 1NV872A Fails to Open | 3.50E-03
3.50E-03 | NNV0865MVO | Motor-Operated Valve 1NV865 Fails to Open | 3.50E-03
3.00E-03 | NSSOSSFLHE | Latent Human Error Fails The SSF | 3.00E-03
2.80E-03 | NNVOSMPDPS | SSF Reactor Coolant Makeup Pump Fails To Start On Demand | 2.80E-03
2.44E-03 | NNV0876MVT | Motor-Operated Valve 1NV876 Transfers Position | 2.44E-03
2.44E-03 | NNV0877MVT | Motor Operated Valve 1NV877 Transfers Position | 2.44E-03
1.76E-03 | NVKAHUICRR | SSF Air Handling Unit Fails to Run | 1.76E-03
1.00E-03 | NACSLXGBLM | 600 V ac Motor Control Center SLXG in Maintenance | 1.00E-03
1.00E-03 | NACSMXGBLM | 600 V Or Less AC Power Bus SMXG in Maintenance | 1.00E-03
1.00E-03 | NADSKPGBLM | 120 V ac Panel Board SKPG in Maintenance | 1.00E-03
1.00E-03 | PACEMXSBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXS | 1.00E-03
5.76E-04 | NNVOSMPDPR | SSF Reactor Coolant Makeup Pump Fails To Run | 5.76E-04
5.31E-04 | NACSKPGBLF | 120 V AC Power Bus SKPG Fails | 5.31E-04
1.90E-04 | HNV0493CVO | Check Valve 1NV493 Fails to Open | 1.90E-04
1.90E-04 | NNV0880CVO | Check Valve 1NV880 Fails to Open | 1.90E-04
1.90E-04 | HNV0060CVO | Check Valve 1NV0060 Fails to Open | 1.90E-04
1.90E-04 | HNV0495CVO | Check Valve 1NV495 Fails to Open | 1.90E-04
1.90E-04 | NNV0881CVO | Check Valve 1NV881 Fails to Open | 1.90E-04
1.90E-04 | NSS00F2RYD | Isolation Device F2 Fails to Operate on Demand | 1.90E-04
1.90E-04 | NNV0879CVO | Check Valve 1NV879 Fails to Open | 1.90E-04
1.90E-04 | NNV0874CVO | Check Valve 1NV874 Fails to Open | 1.90E-04
1.90E-04 | NSS00KCRYD | Relay KC Fails to Operate on Demand | 1.90E-04
1.90E-04 | HNV0494CVO | Check Valve 1NV494 Fails to Open | 1.90E-04
1.90E-04 | HNV0071CVO | Check Valve 1NV0071 Fails to Open | 1.90E-04
1.90E-04 | NSSONE1RYD | Isolation Device NE1 Fails to Operate on Demand | 1.90E-04
1.90E-04 | NNV0867CVO | Check Valve 1NV867 Fails to Open | 1.90E-04
1.90E-04 | HNV0492CVO | Check Valve 1NV492 Fails to Open | 1.90E-04

Total Gate Probability = 1.51E-01

Importance Table For Gate N1: Failure Of SSF (LOOP Initiator)

Event Name | Event Description | F-V | RAW
NNVSSFBDHE | Failure to Initiate SSF Seal Injection - LOOP Event | 62.7% | 6.6
NNV0SSFTRM | Standby Shutdown Facility Flow Components in Maintenance | 8.6% | 6.6
NNVSMUPFLF | Filter (Standby Makeup Pump) Restricts Flow | 7.7% | 6.6
NNV0865MVO | Motor-Operated Valve 1NV865 Fails to Open | 2.0% | 6.6
NNV0872MVO | Motor-Operated Valve 1NV872A Fails to Open | 2.0% | 6.6
NSSOSSFLHE | Latent Human Error Fails The SSF | 1.7% | 6.6
NNVOSMPDPS | SSF Reactor Coolant Makeup Pump Fails To Start On Demand | 1.6% | 6.6
NNV0876MVT | Motor-Operated Valve 1NV876 Transfers Position | 1.4% | 6.6
NNV0877MVT | Motor Operated Valve 1NV877 Transfers Position | 1.4% | 6.6
NVKAHUICRR | SSF Air Handling Unit Fails to Run | 1.0% | 6.6


A.9 Essential de Power System

System Description

Figures A.9-1 to A.9-4 show the one line diagrams for the onsite ac power system, including the Essential Auxiliary Power System. The essential power system is divided into two redundant trains.

Each train of the Unit Main Power (EPA) Systems is connected to the 230 kV ac switchyard through a step-up transformer and two power circuit breakers (PCBs) located in the switchyard. A generator breaker is provided on each train. The generator breaker and step-up transformer on each train is capable of carrying approximately 50% of the generator rated output. Currently, the unit is operated at less than the generator rating. Each train of the main power system can accommodate approximately 65% of current operating power level and this is used as the unit runback setting.

The EPB System receives power from the EPA System through auxiliary transformers 1T1A and 1T2A for train A and 1T1B and 1T2B for train B. The 6.9 kV ac normal auxiliary power is supplied through switchgear assemblies 1TA, 1TB, 1TC, and 1TD. Each switchgear has a designated normal and standby power supply. The two power trains are physically separated by means of switchgear location, cabling, and buswork.

The 4160 V ac Essential Auxiliary Power (EPC) System consists of two independent 4160 V ac switchgear assemblies, 1ETA and 1ETB, and their associated diesel generators. Each switchgear is supplied by its respective 6.9 kV ac auxiliary power switchgear through a 6.9/4.16 kV ac station auxiliary transformer (1ATC, 1ATD, or shared transformers SATA and SATB). A kirk-key interlock scheme is provided to prevent the simultaneous feeding of two switchgear by a shared transformer and also to prevent the paralleling of the normal and shared power sources.

The 600 V ac EPE System associated with each unit consists of two redundant safety trains, A and B. The system consists of four essential load centers, associated load center transformers, one shared standby load center transformer per train and fifteen motor control centers. The load centers, their transformers, and motor control centers are:

Load Centers:

1ELXA, 1ELXB, 1ELXC, 1ELXD

Load Center Transformers:

1ETXA, 1ETXB, 1ETXC, 1ETXD, 1ETXE, 1ETXF

Motor Control Centers:

1EMXA, 1EMXB, 1EMXC, 1EMXD, 1EMXE, 1EMXF, 1EMXG, 1EMXI, 1EMXJ, 1EMXK, 1EMXL, 1EMXO, 1EMXQ, 1EMXR, 1EMXS

Each of the two one-and-a-half ended load centers per train is normally fed from a different load center transformer connected to a common 4160 V ac essential switchgear. A spare essential load center transformer is provided for the load centers on each train and can be manually connected by a breaker to either load center should the normal load center transformer be unavailable.

In addition, the load centers supply five 120 V ac panelboards through the associated motor control centers. These panelboards are 1EKPB, 1EKPE, 1EKPF, 1EKPG, and IElGI. These panelboards include a 600/120 V ac transformer. The system also includes two single phase panelboards each having its own 600/208 V ac transformer. These panelboards are 1EKPJ and 1EKPY.

Following a turbine trip, the generator is allowed to motor for three seconds before the generator breakers are tripped. Once the generator has been disconnected, power is supplied to the station auxiliaries through the switchyard and main step-up transformers.

When normal power is lost to a 4.16 kV ac essential switchgear (blackout), all loads and incoming breakers will be automatically disconnected from the switchgear (with the exception of the load center feeder breakers) and the diesel generator unit will be started. Load centers are disconnected from the switchgear at the load center feeder breaker located between the load center transformer and the load center itself. Within ten seconds following the loss of normal power, the diesel generator will be automatically connected to its respective 4.16 kV ac essential switchgear. The switchgear load breakers will automatically reclose in sequence as described in appendix A.10 for those loads required within 11 minutes. Loads not required until later than 11 minutes are loaded manually.

When normal power is lost to the 4.16 kV ac essential switchgear, coupled with a loss of coolant accident (LOCA), the same procedure described for a blackout will be followed except that a different loading sequence will be initiated, as specified in appendix A.10.

In the event of a LOCA when normal power is available to the 4.16 kV ac essential switchgear, the diesel generators will be started automatically and kept running in a standby condition for a minimum of one hour. All operating loads required for a LOCA will remain energized and other loads required for a LOCA will be sequenced on to their respective buses.

System Success Criteria

Success for each bus or motor control center is considered to be the availability of power over the mission time of 24 hours following an initiating event.

Major Assumptions

1. The Essential Auxiliary Power Systems are normally on line. Breakers are assumed to be positioned as shown in Figure A.9-1 prior to any incident.
2. The controls for the 6900 V ac switchgear are placed in the "automatic mode."
3. No Unit 1 loads are assumed powered by Unit 2 power through the shared transformers. Recovery from Unit 2 is considered in the LOOP recovery modeling.
4. Failures related to transferring of incoming and feeder breakers are not explicitly modeled. Plant specific data is used in the calculation of the BLM type code and these failures are included in that type code calculation.
5. Since the A train is assumed in the other systems to be the normally operating train, no maintenance is assigned to 1ETA. The maintenance value for 1ETB is assumed to be twice the screening value, 2E-03.
6. The ETB fire initiating event is modeled as occurring on 1ETA. This is the more conservative approach since ETA is assumed to be powering the operating trains and therefore a plant transient results.

Review for Initiating Events

The loss of the operating bus initiator (T11) is computed from the ac power system fault tree. The solution is converted from a failure probability for the 24 hour mission to a frequency per year. A capacity factor of 0.9 is assumed in the calculations. The resulting frequency for the T11 initiator is 3.8E-03/year.

System Reliability Results

The fault tree solution results are presented for selected top events in the tree that are representative of the overall results. The failure of the panelboards and motor control centers is dominated by the assumed maintenance unavailability of 1.0E-03/year, approximately 8 hours. As this is an unavailability at power, this screening value is probably an overestimate of the true unavailability.

In addition to the panelboard and motor control center reliability tables, the loss of all ac power frequency is also calculated and included for information. A loss of all ac power may result from the loss of offsite power (LOOP) initiator, a tornado, or one of several other internal initiating events. It is important to remember that the loss of ac power cut sets are recovered in the core damage frequency calculation with the SSF and the offsite power recoveries. The core damage frequency due to loss of all ac power is significantly less than the loss of all ac power frequency presented in this appendix.

Top Cut Sets For Gate PIEKPB: Loss of Power on 120 V ac Power Panelboard 1EKPB

Cut Set Probability | Event Name | Event Description | Event Probability
2.00E-03 | PACIETBBHM | Unscheduled Maintenance on 1ETB | 2.00E-03
1.00E-03 | PACELXBBLM | Unscheduled Maintenance on Load Center 1ELXB | 1.00E-03
1.00E-03 | PACEKPBBLM | Unscheduled Maintenance on 120 V ac Panelboard 1EKPB | 1.00E-03
1.00E-03 | PACMLXBBLM | Unscheduled Maintenance on 600 V ac MCC 1EMXB | 1.00E-03
1.00E-03 | PACEMXHBLM | Unscheduled Maintenance on MCC 1EMXH | 1.00E-03
5.04E-05 | PACETXBTHF | Transformer 1EXTB Fails | 5.04E-05
3.22E-05 | PACEKPBBLF | 120 V ac Power Panelboard 1EKPB Fails | 3.22E-05
3.22E-05 | PACEMXBBLF | Bus Fault on 600 V ac MCC 1EMXB | 3.22E-05

Total Gate Probability = 5.15E-03

Top Cut Sets For Gate PIEMXL: Loss of Power on Unit 1 600 V ac MCC 1EMXL

Cut Set Probability | Event Name | Event Description | Event Probability
2.00E-03 | PACIETBBHM | Unscheduled Maintenance on 1ETB | 2.00E-03
1.00E-03 | PACELXDBLM | Unscheduled Maintenance on Load Center 1EMXD | 1.00E-03
1.00E-03 | PACEMXLBLM | Unscheduled Maintenance on MCC 1EMXD | 1.00E-03
5.04E-05 | PACETXDTHF | Transformer 1EXTD Fails | 5.04E-05
3.22E-05 | PACEMXLBLF | Bus Fault on 600 V ac Motor Control Center 1EMXL | 3.22E-05
1.12E-05 | PACELXDBHF | Bus Fault on 600 V ac Load Center 1ELXD | 1.12E-05
1.12E-05 | PACIETBBHF | 4160 V ac Switchgear 1ETB Fails | 1.12E-05

Total Gate Probability = 4.10E-03

Importance Table For PIEKPB: Loss of Power on 120 V ac Power Panelboard 1EKPB

Event Name | Event Description | F-V | RAW
PACIETBBHM | Unscheduled Maintenance on 1ETB | 38.7% | 194.3
PACEKPBBLM | Unscheduled Maintenance on 120 V ac Panelboard 1EKPB | 19.3% | 194.3
PACELXBBLM | Unscheduled Maintenance on Load Center 1ELXB | 19.3% | 194.3
PACEMXBCLM | Unscheduled Maintenance on MCC 1EMXB | 19.3% | 194.3
PACETXBTHF | Transformer 1EXTB Fails | 1.0% | 194.3
PACEKPBBLF | 120 V ac Power Panelboard 1EKPB Fails | 0.6% | 194.3
PACEMXBBLF | Bus Fault on 600 V ac MCC 1EMXB | 0.6% | 194.3
PACEKTBTFF | 600/120 V ac Transformer 1EKTB Fails | 0.4% | 194.3
PACIETBBHF | 4160 V ac Switchgear 1ETB Fails | 0.2% | 194.3
PACELXBBHF | Bus Fault on 600 V ac Load Center 1ELXB | 0.2% | 194.3

Importance Table For Gate PIEMXL: Loss of Power on Unit 1 600 V ac MCC 1EMXL

Event Name | Event Description | F-V | RAW
PACIETBBHM | Unscheduled Maintenance on 1ETB | 4.87E-01 | 243.78
PACEMXLBLM | Unscheduled Maintenance on MCC 1EMXL | 2.43E-01 | 243.78
PACELXDBLM | Unscheduled Maintenance on Load Center 1ELXD | 2.43E-01 | 243.78
PACETXDTHF | Transformer 1ETXD Fails | 1.22E-02 | 243.78
PACEMXLBLF | 600 V ac Motor Control Center 1EMXL Fails | 7.81E-03 | 243.78
PACIETBBHF | 4160 V ac Switchgear 1ETB Fails | 2.71E-03 | 243.78
PACELXDBHF | 600 V ac Load Center 1ELXD Fails | 2.71E-03 | 243.78
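The gate total and the F-V and RAW columns for gate PIEMXL can be recomputed from its cut-set list. The Python sketch below is an added example, not code from the report: it assumes the min-cut upper bound quantification (the report does not state its method) and independent events, takes the event values from the PIEMXL and loss-of-all-ac-power cut-set tables, and handles multi-event cut sets as well as the single-event ones.

```python
from math import prod

# Basic-event probabilities copied from the "Top Cut Sets For Gate PIEMXL" table.
PIEMXL_EVENTS = {
    "PACIETBBHM": 2.00e-03,  # unscheduled maintenance on the 4160 V switchgear
    "PACELXDBLM": 1.00e-03,  # unscheduled maintenance, load center
    "PACEMXLBLM": 1.00e-03,  # unscheduled maintenance, motor control center
    "PACETXDTHF": 5.04e-05,  # transformer fails
    "PACEMXLBLF": 3.22e-05,  # bus fault, motor control center
    "PACELXDBHF": 1.12e-05,  # bus fault, load center
    "PACIETBBHF": 1.12e-05,  # switchgear fails
}
# Every PIEMXL cut set in that table consists of a single event.
PIEMXL_CUT_SETS = [(name,) for name in PIEMXL_EVENTS]

# Cut set 2 of the loss-of-all-ac-power table: an initiator frequency (per year)
# multiplied by two basic-event probabilities.
BLACKOUT_EVENTS = {"T3": 3.59e-02, "JDG001ADGR": 4.46e-02, "JDG001BDGR": 4.46e-02}
BLACKOUT_CUT_SET_2 = ("T3", "JDG001ADGR", "JDG001BDGR")


def cut_set_value(cut_set, values):
    """Product of the event values in one minimal cut set (independent events)."""
    return prod(values[event] for event in cut_set)


def top_probability(cut_sets, probs):
    """Min-cut upper bound on the gate probability: 1 - prod(1 - P(cut set))."""
    return 1.0 - prod(1.0 - cut_set_value(cs, probs) for cs in cut_sets)


def fussell_vesely(event, cut_sets, probs):
    """Fraction of the gate probability that disappears if the event never occurs."""
    base = top_probability(cut_sets, probs)
    never_fails = top_probability(cut_sets, {**probs, event: 0.0})
    return (base - never_fails) / base


def risk_achievement_worth(event, cut_sets, probs):
    """Factor by which the gate probability grows if the event is certain."""
    base = top_probability(cut_sets, probs)
    always_failed = top_probability(cut_sets, {**probs, event: 1.0})
    return always_failed / base


def importance_table(cut_sets, probs):
    """Rows of (event, F-V, RAW), sorted by F-V with the largest first."""
    events = sorted({event for cs in cut_sets for event in cs})
    rows = [
        (e, fussell_vesely(e, cut_sets, probs),
         risk_achievement_worth(e, cut_sets, probs))
        for e in events
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    total = top_probability(PIEMXL_CUT_SETS, PIEMXL_EVENTS)
    print(f"PIEMXL gate probability: {total:.3e}")
    for name, fv, raw in importance_table(PIEMXL_CUT_SETS, PIEMXL_EVENTS):
        print(f"{name}  F-V={fv:.3e}  RAW={raw:.2f}")
    freq = cut_set_value(BLACKOUT_CUT_SET_2, BLACKOUT_EVENTS)
    print(f"Loss of all ac power, cut set 2: {freq:.3e} per year")
```

Because every PIEMXL cut set is a single event, setting any one event to certain failure drives the gate to 1, so every row shares the same RAW of roughly 1 divided by the gate probability.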

Top Ten Cut Sets For A Loss of All ac Power

No. | Inputs | Description | Event Probability | Probability
1 | T3 | LOOP | 3.59E-02 | 1.17E-04
 | JDG1RUNCOM | Common Cause Failure of Diesel Generator to Run | 3.26E-03 |
2 | T3 | LOOP | 3.59E-02 | 7.15E-05
 | JDG001ADGR | Diesel Generator 1A Fails to Run | 4.46E-02 |
 | JDG001BDGR | Diesel Generator 1B Fails To Run | 4.46E-02 |
3 | T3 | LOOP | 3.59E-02 | 1.60E-05
 | JDG001ADGR | Diesel Generator 1A Fails to Run | 4.46E-02 |
 | JDG001BTRM | Diesel Generator 1B in Maintenance Or Testing | 1.00E-02 |
4 | T3 | LOOP | 3.59E-02 | 1.60E-05
 | JDG001ATRM | Diesel Generator 1A in Maintenance Or Testing | 1.00E-02 |
 | JDG001BDGR | Diesel Generator 1B Fails To Run | 4.46E-02 |
5 | T3 | LOOP | 3.59E-02 | 1.19E-05
 | JDG001ADGR | Diesel Generator 1A Fails to Run | 4.46E-02 |
 | JDG001BDGS | Diesel Generator 1B Fails To Start | 7.43E-03 |
6 | T3 | LOOP | 3.59E-02 | 1.19E-05
 | JDG001ADGS | Diesel Generator 1A Fails To Start | 7.43E-03 |
 | JDG001BDGR | Diesel Generator 1B Fails To Run | 4.46E-02 |
7 | FTB | Turbine Building Flood Initiating Event | 2.80E-03 | 9.13E-06
 | JDG1RUNCOM | Common Cause Failure of Diesel Generator to Run | 3.26E-03 |
8 | T3 | LOOP | 3.59E-02 | 7.62E-06
 | JDG001ADGR | Diesel Generator 1A Fails to Run | 4.46E-02 |
 | JLD01B1FLF | Diesel Engine Lube Oil Strainer 1B1 Fails | 4.75E-03 |
9 | T3 | LOOP | 3.59E-02 | 7.62E-06
 | JDG001BDGR | Diesel Generator 1B Fails To Run | 4.46E-02 |
 | JLD01A1FLF | Diesel Engine Lube Oil Strainer 1A1 Fails | 4.75E-03 |
10 | T11 | Loss Of 4160 V Essential Bus | 3.78E-03 | 7.56E-06
 | PACIETBBHM | 4160 V ac Switchgear 1ETB is Unavailable | 2.00E-03 |

Total Frequency = 5.98E-04/year

Importance Table For Events Leading to A Loss of All ac Power, Top 13 Events

Event Name | Event Description | F-V | RAW
T3 | LOOP | 88.4% | 24.57
JDG001ADGR | Diesel Generator 1A Fails To Run | 33.6% | 8.19
JDG001BDGR | Diesel Generator 1B Fails to Run | 32.8% | 8
JDG1RUNCOM | Common Cause Failure of Diesel Generator to Run | 22.4% | 69.18
JDG001ATRM | Diesel Generator 1A in Maintenance Or Testing | 7.0% | 7.95
FTB | Turbine Building Flood Initiating Event | 7.0% | 25.66
JDG001BTRM | Diesel Generator 1B in Maintenance Or Testing | 6.3% | 7.74
JDG001ADGS | Diesel Generator 1A Fails To Start | 5.2% | 7.88
JDG001BDGS | Diesel Generator 1B Fails To Start | 5.0% | 7.68
JLD01A1FLF | Diesel Engine Lube Oil Strainer 1A1 Fails | 3.3% | 7.96
JLD01B1FLF | Diesel Engine Lube Oil Strainer 1B1 Fails | 3.2% | 7.75
PACIETBBHM | 4160 V ac Switchgear 1ETB Is Unavailable | 2.5% | 13.58
PACBOFTDEX | Blackout Following Trip | 2.4% | 24.83


w -. _

G G G O

~) .I .) _)

1TB I m I) 1TC n I 1 1 1 1 1 1 1 1 1 1 STXB SATB <a 1TXN $ 1TXB 1TXC,, ATA TXC 1TXGj 1TXE

) ) ) ) ) ) ) ) ) )

1S B 1LXC TA 1TD 1h 1 E 2ETB Switchya Auxiliary )

Control Power 1LXC Figure A.9-1 Rev. 2 Main & 6.9 kV Normal Auxiliary Power System Page 2 of 2 A.9-11


Figure A.9-4 Rev. 2: 4160 V ac Blackout Power System

A.10 Diesel Generators and Load Sequencers

System Description

The Diesel Generators and Load Sequencers (DGLS) System consists of two independent diesel electric generator units, each capable of providing adequate power to supply essential loads via its train-dedicated 4160 V ac essential auxiliary power bus when normal power to the bus is interrupted. The system has two primary modes of operation. The priority mode is initiated by an SS signal from the Engineered Safety Features Actuation System (ESFAS). When this occurs with normal auxiliary power through the auxiliary transformers available, the diesel generators are started automatically. At the same time the required loads are connected to the normal power source through load sequencer "LOCA" logic shown in Figure A.10-1. The diesel generators continue to run unloaded in order to be immediately available in case a loss of power on the essential busses occurs.

The other mode is actuated by a two-out-of-three phase undervoltage signal sensed on the 4160 V ac essential auxiliary power bus. The load sequencer starts the diesel generator, sheds all loads from the associated essential and blackout busses, connects the diesel generator to the essential bus, and then loads the diesel generator according to "blackout" logic shown in Figure A.10-2.

When both sequencer actuation conditions are present concurrently, the load shed is accomplished, the diesel generator breaker is closed, and then the diesel generator is loaded according to "LOCA" logic to actuate the required components.

Each diesel generator is supported by several independent subsystems including the following:

1. Diesel Generator Engine Lube Oil System (LD), which circulates cooled, filtered oil through the engine during operation for lubrication and heat removal.
2. Diesel Generator Engine Cooling Water (KD) System, which supplies cooling for LD, the diesel jacket, intake, and exhaust. It is a closed system cooled by the Nuclear Service Water (RN) System.
3. Diesel Generator Engine Fuel Oil (FD) System, which supplies fuel to the diesel engine.
4. Diesel Generator Starting Air (VG) System, which provides the starting power for the diesel engine. It provides pressurized air to the cylinders for rotation of the engine until combustion occurs. VG also provides the control air for diesel operation.
5. Diesel Generator Room Heating and Ventilating (VD) System, which provides "normal" and "emergency" ventilation for the diesel generator room. The "emergency" ventilation mode uses two 50 percent capacity fans during diesel operation.
6. 125 V dc Diesel Generator Control Power System, which provides power to the diesel's fuel oil booster pump, generator field flashing, and the control loads required for the diesel starting operation.
7. Diesel Generator Load Sequencing System (load sequencer), which functions to start the diesel generator and to energize blackout and/or LOCA loads in a specific sequence so that the diesel generator or the auxiliary transformer is not overloaded.

The diesels have redundant start circuits, each including an emergency start diesel relay. The air start is initiated by a blackout signal or an SS signal which picks up sequencer actuated relays. When safety interlocks and starting logic are satisfied, starting air is admitted to the diesel through solenoid valves.

For the safety injection sequence, the load sequencer is initiated by an SS signal from ESFAS (Section A.12) through an ESFAS slave relay. Immediately, engineered safeguards (ESG) auxiliary relays are picked up and cause "LOCA" logic to control the system. The following functions are performed by the ESG auxiliary relays.

1. The ESG auxiliary relays are locked in and cannot be reset until after the SS signal is removed.
2. The blackout relay is locked out so that blackout loads are not enabled.
3. An 8 second logic timer is energized in order to enable load shed and the close signal for the diesel generator breaker earlier in the event a blackout occurs.
4. All the sequence timers are energized except blackout only timers so that SS loads can start being connected to the energized essential bus after the SS signal occurs.
5. Sequencer actuated relays are picked up to initiate the diesel start operation.
6. Accelerated sequence relays are picked up.
7. The "Blackout" and/or "LOCA" logic relay is picked up. This provides loading logic for loads required for both SS and blackout conditions.

Since normal power to the essential bus is never lost in this case, load sequencing can begin immediately after the SS signal is received. All LOCA loads may be started or enabled in as little as 20 seconds. If one of the advance timers should fail, the next load to be sequenced on will be controlled by its committed sequence timer. The diesel generator starts and comes up to speed while load sequencing is in progress. The diesel generator continues to run unloaded in standby during this event.

A blackout sequence is initiated by two-out-of-three undervoltage devices sensing less than 3500 V ac on an essential bus. After 8.5 seconds the blackout is verified and the "Blackout" sequence continues as follows.

1. The "Blackout" and/or "LOCA" logic relay is actuated, providing loading logic for loads required for both SS and blackout conditions.
2. The blackout logic relays are actuated. These relays provide permissive start signals to blackout loads at the motor control centers, which enables the loads to start when the loading relays of the associated load centers are later picked up. One blackout logic relay trips the essential bus normal or alternate incoming breaker.
3. All 4160 V ac loads are load shed.
4. At 9.5 seconds - The diesel generator breaker 1ETA18 closes when the 430 RPM relay actuates. The accelerated sequence can be actuated through the 98% speed relay and the undervoltage relay with at least 92.5 percent rated voltage on the essential bus.
5. At 10 seconds - The maximum sequence timer times out and energizes the committed sequence timers.
6. Optimally, for the blackout condition all blackout loads can be loaded or enabled in 30 seconds through the accelerated loading sequence.

System Success Criteria

The DGLS provides two basic functions. The first is to provide emergency power to the Essential Auxiliary ac Power System following a loss of offsite power event. Success is defined as providing, applying, and maintaining the emergency power on the bus for the mission time. The second function of the DGLS is to actuate the loading relays of the load sequencer. A top event is defined for the operation of each of these relays. These top events are necessary in support of the various safety systems and their support systems for the automatic application of motive power after an SS signal from ESFAS or after a blackout event.

Sequencer Enabled Major Loads

Loading Relay | Breaker Affected | Load | Accelerated Sequence Actuating Device/(Time) | Committed Sequence Actuating Device/(Time)
RA1 | 1ELXA4B | 600V Essential Load Center 1ELXA | AA1/(t0) | ST1A/(1 sec)
 | 1ELXC4B | 600V Essential Load Center 1ELXC | |
RA2 | 1ETA12 | Centrifugal Charging Pump 1A | ATA1/(2 sec) | ST2A/(2 sec)
RA3 | 1ETA11 | Safety Injection Pump 1A | ATA2/(4 sec) | ST3A/(5 sec)
 | | Pump 1A | |
*RA5 | 1ETA8 | Containment Spray Pump 1A | ATA2/(8 sec) | ST5A/(15 sec)
RA6 | 1ETA6 | Component Cooling Pump 1A1 | ATA5/(SS-10 sec) (B/O-6 sec) | ST6A/(20 sec)
 | 1ETA7 | Component Cooling Pump 1A2 | |
RA7 | 1ETA14 | Nuclear Service Water Pump 1A | ATA6/(SS-12 sec) | ST7A/(25 sec)
RA8 | 1ETA13 | Auxiliary Feedwater Pump 1A | ATA7/(SS-14 sec) | ST8A/(30 sec)
**RA9 | 2FTA2 | Main Fire Protection Pump C | ATA8/(12 sec) | ST9A/(40 sec)
**RB9 | 1FTB2 | Main Fire Protection Pump B | ATB8/(12 sec) | ST9B/(40 sec)
**RA10 | | Various Blackout Loads | ATA9/(14 sec) | ST10A/(50 sec)
RA11 | 1EMXK-F07C | Hydrogen Recombiner Electric Power Supply | ATA10/(16 sec) | ST11A/(9 min 50 sec)
RA12 | 1ETA17 | Control Room Area Chiller Compressor | ATA11/(18 sec) | ST12A/(10 min 50 sec)
RA13 | 1LXI5A | Instrument Air Compressor | ATA12/(20 sec) | ST13A/(11 min 50 sec)

* Not Actuated for Blackout (B/O) Conditions
** Not Actuated for SS Conditions

Major Assumptions

1. The diesel-driven lube oil pump is considered an integral part of the diesel. Its failure is assumed to be implicit in the plant-specific diesel generator failure data. Several other parts of the DGLS are treated similarly. These components include the diesel driven fuel oil pump, the generator itself, the voltage regulator, the governor/actuator, the turbochargers, the speed switches, the Air Intake and Exhaust System, the Crankcase Vacuum System, and diesel engine internals.
2. The KD keep warm pump is normally used when the diesel is in standby; it is assumed to be unnecessary during emergency operation.
3. Diesel start is assumed successful if at least one starting air solenoid valve opens when the start signal is received.
4. Prior to an event initiator, it is assumed that 1ETA is receiving normal power through breaker 1ETA3.
5. It is assumed that when a successful start occurs, rated speed and voltage are attained, enabling the accelerated sequence relays.
6. Complete load shed is assumed to occur when the load shed relays function.
7. It is assumed that the sequencer is not in test at event initiation. Although an automatic test reset is designed into the sequencer, it is not modeled since the sequencer is in test for a very small portion of its time in standby. Spurious actuations of test relays are included in the model.
8. After sequencer initiation occurs, all sequencer functions will be completed within a maximum time of twelve minutes. Any spurious electrical component operation which could interrupt the completion of sequencer operation during this short time has very low probability. Thus, spurious failures during sequencer timing are assumed insignificant and have not been included in the model.

System Reliability Results

The cut sets and importance tables from the DGLS fault tree solution for train A components are provided in the tables that follow. Failures of train B components are similar to those of train A. Gates JRA1 through JRA13 solutions represent the failures that can prevent loading relay operation independent of diesel generator failure. The solution of top event J110A includes anything that can prevent emergency power from being applied to 1ETA after a blackout has occurred and anything that can disrupt power on 1ETA after the diesel generator is closed in on the bus.

The most significant failure modes involve failure of the diesels to run for the mission time and unavailability due to maintenance.

Top Cut Sets For Gate JRA1,2,3 (Given LOCA): Sequencer Load Relay RA1,2,3 Fails

Cut Set Probability | Event Name | Event Description | Event Probability
1.90E-04 | ESSSIGNAL | SS Condition Exists | 1.00E+00
 | JDGESA2RYD | Relay ESGAX2 Fails to Pick Up | 1.90E-04
1.90E-04 | JDGRA01(2,3)RYD | Sequencer Load Relay RA1(2,3) Fails to Pick Up | 1.90E-04
2.28E-05 | JDGEDA6CDT | Circuit Breaker 1EDE-F01F Transfers Open | 2.28E-05
1.20E-05 | JDG5GBISWT | Reset Switch 5GB Transfers Position | 1.20E-05
1.20E-05 | JDGDTSARYT | Defeat Test Relay TRA2 Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGEG41SWT | Reset Switch EG41 Transfers Position | 1.20E-05
1.20E-05 | JDGRRA2RYT | Reset Relay RRA Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGTSA1RYT | Test Relay TSA1 Spuriously Picks Up | 1.20E-05
7.20E-07 | JDGTRA1DYT | Relay TRA1 Spuriously Picks Up | 1.20E-05
7.20E-07 | JDGTRA2DYT | Sequencer Reset Relay TRA2 Spuriously Picks Up | 1.20E-05
6.08E-10 | JDG1AA1RYD | Relay AA1 Fails to Pick Up | 1.90E-04
 | JDGST1(2,3)ADYC | Sequencer Timer Delay ST1(2,3)A Fails to Pick Up | 3.20E-06

Total Gate Probability = 4.64E-04

Importance Table For Gate JRA1 (Given LOCA Exists)

Event Name | Event Description | F-V | RAW
ESSSIGNAL | SS Condition Exists | 40.9% | 1.00E+00
JDGESA2RYD | ESG Aux. Relay Ct:(ESGAX2) Fails to Pick Up | 40.9% | 2.15E+03
JDGEDA6CDT | Circuit Breaker 1EDE-F01F Transfers Open | 4.9% | 2.15E+03
JDG5GBISWT | Reset Switch 5GB(PB3) Transfers Position | 2.6% | 2.15E+03
JDGDTSARYT | Defeat Test Relay KK(DTSA) Spuriously Picks Up | 2.6% | 2.15E+03
JDGEG41SWT | Reset Switch EG41(PB1) Transfers Position | 2.6% | 2.15E+03
JDG1AA1RYD | Relay EA(AA1) Fails to Pick Up | 0.0% | 1.00E+00
JDG00BABYF | Battery 1DGBA Fails | 0.0% | 1.00E+00
JDG00BACDT | Output Breaker from Battery 1DGBA Transfers Open | 0.0% | 1.00E+00
JDG1AFARYD | Relay FA Fails to Pick Up at 98% Rated Speed | 0.0% | 1.00E+00
JDG1BOARYD | Relay GD(BOA) Fails to Pick Up | 0.0% | 1.00E+00
JDG1BOARYT | Blackout Relay GD(BOA) Spuriously Picks Up | 0.0% | 1.00E+00
JDG1MSARYT | Maintenance Mode Select Relay MSA Spuriously Picks Up | 0.0% | 1.00E+00
JDG1RGARYD | Diesel Generator 1A Restart Relay HG(RGA) Fails to Pick Up | 0.0% | 1.00E+00
JDG27AXRYD | Undervoltage Relay CB(127AX) Fails to Reset | 0.0% | 1.00E+00
JDG27AXRYT | Undervoltage Relay CB(127AX) Spuriously Picks Up | 0.0% | 1.00E+00
JDG27XARYD | Undervoltage Relay 127XA Fails to Operate | 0.0% | 1.00E+00
JDG27YARYD | Undervoltage Relay 127YA Fails to Operate | 0.0% | 1.00E+00
JDG27ZARYD | Undervoltage Relay 127ZA Fails to Operate | 0.0% | 1.00E+00
JDG7XAXRYD | Undervoltage Relay GH(127XAX) Fails to Pick Up | 0.0% | 1.00E+00
JDG7YAXRYD | Undervoltage Relay GF(127YAX) Fails to Pick Up | 0.0% | 1.00E+00
JDG7ZAXRYD | Undervoltage Relay GE(127ZAX) Fails to Pick Up | 0.0% | 1.00E+00
JDGBCA4CDT | Diesel Battery Charger Cabinet 1A Breaker CB4 Transfers Position | 0.0% | 1.00E+00
JDGCP1ABDF | Diesel Generator Control Panel 1A Bus Fault | 0.0% | 1.00E+00

Top Cut Sets For Gate JRA1 (Given Blackout): Sequencer Load Relay RA1 Fails

Cut Set Probability | Event Name | Event Description | Event Probability
1.90E-04 | JDG1BOARYD | Relay BOA Fails to Pick Up | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
1.90E-04 | JDGRA01RYD | Sequencer Load Relay RA1 Fails to Pick Up | 1.90E-04
2.28E-05 | JDGEDA6CDT | Circuit Breaker 1EDE-F01F Transfers Open | 2.28E-05
1.20E-05 | JDG5GBISWT | Reset Switch 5GB Transfers Position | 1.20E-05
1.20E-05 | JDGDTSARYT | Defeat Test Relay DTSA Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGEG41SWT | Reset Switch EG41 Transfers Position | 1.20E-05
1.20E-05 | JDGRRA2RYT | Reset Relay RRA Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGTSA1RYT | Test Relay TSA1 Spuriously Picks Up | 1.20E-05
3.20E-06 | JDGLT1ADYC | Logic Timer Relay LT1A Fails to Pick Up | 3.20E-06
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
3.20E-06 | JDGLT2ADYC | Logic Timer Relay LT2B Fails to Pick Up | 3.20E-06
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
7.20E-07 | JDGTRA1DYT | Relay TRA1 Spuriously Picks Up | 7.20E-07
7.20E-07 | JDGTRA2DYT | Sequencer Reset Relay TRA2 Spuriously Picks Up | 7.20E-07
6.08E-07 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
 | JDG1AA1RYD | Relay AA1 Fails to Pick Up | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
6.08E-07 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
 | JDG1AFARYD | Relay FA Fails to Pick Up at 98% Rated Speed | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
6.08E-07 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
 | JDG27AXRYD | Undervoltage Relay 127AX Fails to Reset | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00

Total Gate Probability = 4.74E-04

Importance Table For Gate JRA1 (Blackout)

Event Name | Event Description | F-V | RAW
PBOA | Loss of Normal Power Supply to 1ETA | 42.1% | 1.00E+00
JDG1BOARYD | Relay GD(BOA) Fails to Pick Up | 40.1% | 2.11E+03
JDGRA01RYD | Sequencer Load Relay FA(RA1) Fails to Pick Up | 40.1% | 2.11E+03
JDGEDA6CDT | Circuit Breaker 1EDE-F01F Transfers Open | 4.8% | 2.11E+03
JDG5GBISWT | Reset Switch 5GB(PB3) Transfers Position | 2.5% | 2.11E+03
JDGDTSARYT | Defeat Test Relay KK(DTSA) Spuriously Picks Up | 2.5% | 2.11E+03
JDGEG41SWT | Reset Switch EG41(PB1) Transfers Position | 2.5% | 2.11E+03
JDGRRA2RYT | Reset Relay EB(RRA) Spuriously Picks Up | 2.5% | 2.11E+03
JDGTSA1RYT | Test Relay KA(TSA1) Spuriously Picks Up | 2.5% | 2.11E+03
JDGLT1ADYC | Logic Timer Relay FD(LT1A) Fails to Pick Up | 0.7% | 2.11E+03
JDGLT2ADYC | Logic Timer Relay AE(LT2B) Fails to Pick Up | 0.7% | 2.11E+03
JDG00BABYF | Battery 1DGBA Fails | 0.5% | 2.62E+00
JDGTRA1DYT | Relay HF(TRA1) Spuriously Picks Up | 0.2% | 2.11E+03
JDGTRA2DYT | Sequencer Reset Relay HB(TRA2) Spuriously Picks Up | 0.2% | 2.11E+03
JDG1AA1RYD | Relay EA(AA1) Fails to Pick Up | 0.1% | 8.55E+00
JDG1AFARYD | Relay FA Fails to Pick Up at 98% Rated Speed | 0.1% | 8.55E+00
JDG27AXRYD | Undervoltage Relay CB(127AX) Fails to Reset | 0.1% | 8.55E+00
JDGLRA2RYD | Blackout or LOCA Logic Relay G9(LRA2) Fails to Pick Up | 0.1% | 8.55E+00
JDG1RGARYD | Diesel Generator 1A Restart Relay HG(RGA) Fails to Pick Up | 0.0% | 2.60E+00
JDG27XARYD | Undervoltage Relay 127XA Fails to Operate | 0.0% | 2.60E+00
JDG27YARYD | Undervoltage Relay 127YA Fails to Operate | 0.0% | 2.60E+00
JDG27ZARYD | Undervoltage Relay 127ZA Fails to Operate | 0.0% | 2.60E+00
JDG7XAXRYD | Undervoltage Relay GH(127XAX) Fails to Pick Up | 0.0% | 2.60E+00
JDG7YAXRYD | Undervoltage Relay GF(127YAX) Fails to Pick Up | 0.0% | 2.60E+00
JDG7ZAXRYD | Undervoltage Relay GE(127ZAX) Fails to Pick Up | 0.0% | 2.60E+00
JDGSAA1RYD | Sequencer Actuated Relay AA(SAA1) Fails to Pick Up | 0.0% | 2.60E+00
JDGTSA6RYT | Test Relay KF(TSA6) Spuriously Picks Up | 0.0% | 7.75E+00
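The F-V and RAW columns above can be recomputed from the printed cut sets for gate JRA1 (given blackout). The following is an added example, not part of the Duke Power report: it assumes the standard definitions F-V = (P - P with the event set to 0)/P and RAW = (P with the event set to 1)/P, quantifies P with a min-cut upper bound, and uses illustrative function names with event names normalized from the scanned text.

```python
"""Recompute F-V and RAW for gate JRA1 (given blackout) from its top cut sets."""
from math import prod

# Basic event probabilities as printed in "Top Cut Sets For Gate JRA1 (Given Blackout)".
# PBOA is the conditioning event (the blackout has occurred), hence 1.0.
EVENT_P = {
    "PBOA": 1.00e+00,
    "JDG1BOARYD": 1.90e-04,
    "JDGRA01RYD": 1.90e-04,
    "JDGEDA6CDT": 2.28e-05,
    "JDG5GBISWT": 1.20e-05,
    "JDGDTSARYT": 1.20e-05,
    "JDGEG41SWT": 1.20e-05,
    "JDGRRA2RYT": 1.20e-05,
    "JDGTSA1RYT": 1.20e-05,
    "JDGLT1ADYC": 3.20e-06,
    "JDGLT2ADYC": 3.20e-06,
    "JDGTRA1DYT": 7.20e-07,
    "JDGTRA2DYT": 7.20e-07,
    "JDG00BABYF": 3.20e-03,
    "JDG1AA1RYD": 1.90e-04,
    "JDG1AFARYD": 1.90e-04,
    "JDG27AXRYD": 1.90e-04,
}

# Minimal cut sets in the order the table lists them.
CUT_SETS = [
    ("JDG1BOARYD", "PBOA"),
    ("JDGRA01RYD",),
    ("JDGEDA6CDT",),
    ("JDG5GBISWT",),
    ("JDGDTSARYT",),
    ("JDGEG41SWT",),
    ("JDGRRA2RYT",),
    ("JDGTSA1RYT",),
    ("JDGLT1ADYC", "PBOA"),
    ("JDGLT2ADYC", "PBOA"),
    ("JDGTRA1DYT",),
    ("JDGTRA2DYT",),
    ("JDG00BABYF", "JDG1AA1RYD", "PBOA"),
    ("JDG00BABYF", "JDG1AFARYD", "PBOA"),
    ("JDG00BABYF", "JDG27AXRYD", "PBOA"),
]


def cut_set_probability(cut_set, p):
    """Probability that every basic event in one cut set occurs (independent events)."""
    return prod(p[event] for event in cut_set)


def top_probability(p=None):
    """Min-cut upper bound: 1 - prod(1 - P(cut set)). Never exceeds 1, unlike a plain sum."""
    p = EVENT_P if p is None else p
    return 1.0 - prod(1.0 - cut_set_probability(cs, p) for cs in CUT_SETS)


def importance(event):
    """F-V and RAW of one basic event, by re-quantifying the gate with it at 0 and at 1."""
    base = top_probability()
    never = top_probability({**EVENT_P, event: 0.0})
    always = top_probability({**EVENT_P, event: 1.0})
    return {"FV": (base - never) / base, "RAW": always / base}


def ranked():
    """All events as (name, FV, RAW), highest F-V first, like the report's table."""
    rows = [(e, importance(e)["FV"], importance(e)["RAW"]) for e in EVENT_P]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(f"Gate probability = {top_probability():.2E}")
    for name, fv, raw in ranked():
        print(f"{name:<11} F-V {fv:6.1%}  RAW {raw:.2E}")
```

Because only the top cut sets are listed, the recomputed gate probability (about 4.72E-04) and measures differ slightly from the printed 4.74E-04, 40.1% and 2.11E+03. The battery RAW comes out near 2.2 rather than the printed 2.62, since the importance table includes battery-related events such as JDGLRA2RYD whose cut sets are not shown in the list.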

Top Cut Sets For Gate JRA2 (Given Blackout): Sequencer Load Relay RA2 Fails

Cut Set Probability | Event Name | Event Description | Event Probability
1.90E-04 | JDG1BOARYD | Relay BOA Fails to Pick Up | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
1.90E-04 | JDGRA01RYD | Sequencer Load Relay RA1 Fails to Pick Up | 1.90E-04
2.28E-05 | JDGEDA6CDT | Circuit Breaker 1EDE-F01F Transfers Open | 2.28E-05
1.20E-05 | JDG5GBISWT | Reset Switch 5GB Transfers Position | 1.20E-05
1.20E-05 | JDGDTSARYT | Defeat Test Relay DTSA Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGEG41SWT | Reset Switch EG41 Transfers Position | 1.20E-05
1.20E-05 | JDGRRA2RYT | Reset Relay RRA Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGTSA1RYT | Test Relay TSA1 Spuriously Picks Up | 1.20E-05
3.20E-06 | JDGLT1ADYC | Logic Timer Relay LT1A Fails to Pick Up | 3.20E-06
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
3.20E-06 | JDGLT2ADYC | Logic Timer Relay LT2B Fails to Pick Up | 3.20E-06
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
7.20E-07 | JDGTRA1DYT | Relay TRA1 Spuriously Picks Up | 7.20E-07
7.20E-07 | JDGTRA2DYT | Sequencer Reset Relay TRA2 Spuriously Picks Up | 7.20E-07
6.08E-07 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
 | JDG1AA1RYD | Relay AA1 Fails to Pick Up | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
6.08E-07 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
 | JDG1AFARYD | Relay FA Fails to Pick Up at 98% Rated Speed | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00

Total Gate Probability = 4.74E-04

Top Cut Sets For Gate JRA3 (Given Blackout): Sequencer Load Relay RA3 Fails

Cut Set Probability | Event Name | Event Description | Event Probability
1.90E-04 | JDG1BOARYD | Relay BOA Fails to Pick Up | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
1.90E-04 | JDGRA01RYD | Sequencer Load Relay RA1 Fails to Pick Up | 1.90E-04
2.28E-05 | JDGEDA6CDT | Circuit Breaker 1EDE-F01F Transfers Open | 2.28E-05
1.20E-05 | JDG5GBISWT | Reset Switch 5GB Transfers Position | 1.20E-05
1.20E-05 | JDGDTSARYT | Defeat Test Relay DTSA Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGEG41SWT | Reset Switch EG41 Transfers Position | 1.20E-05
1.20E-05 | JDGRRA2RYT | Reset Relay RRA Spuriously Picks Up | 1.20E-05
1.20E-05 | JDGTSA1RYT | Test Relay TSA1 Spuriously Picks Up | 1.20E-05
3.20E-06 | JDGLT1ADYC | Logic Timer Relay LT1A Fails to Pick Up | 3.20E-06
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
3.20E-06 | JDGLT2ADYC | Logic Timer Relay LT2B Fails to Pick Up | 3.20E-06
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
7.20E-07 | JDGTRA1DYT | Relay TRA1 Spuriously Picks Up | 7.20E-07
7.20E-07 | JDGTRA2DYT | Sequencer Reset Relay TRA2 Spuriously Picks Up | 7.20E-07
6.08E-07 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
 | JDG1AA1RYD | Relay AA1 Fails to Pick Up | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00
6.08E-07 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
 | JDG1AFARYD | Relay FA Fails to Pick Up at 98% Rated Speed | 1.90E-04
 | PBOA | Loss of Power on Essential Bus 1TA | 1.00E+00

Total Gate Probability = 4.75E-04

Top Cut Sets For Gate J110A: Emergency Power to 1ETA Fails

Cut Set Probability | Event Name | Event Description | Event Probability
4.46E-02 | JDG001ADGR | Diesel Generator 1A Fails to Run | 4.46E-02
1.00E-02 | JDG001ATRM | Diesel Generator 1A in Maintenance Or Testing | 1.00E-02
7.43E-03 | JDG001ADGS | Diesel Generator 1A Fails To Start | 7.43E-03
4.75E-03 | JLD01A1FLF | Diesel Engine Lube Oil Strainer 1A1 Fails | 4.75E-03
3.50E-03 | JVD01A2FNS | Fan 1A2 Fails To Start | 3.50E-03
3.50E-03 | JVDDSF1DMO | Damper 1DSF-D1 Fails to Open | 3.50E-03
3.50E-03 | JVDDSF3DMO | Damper 1DSF-D3 Fails to Open | 3.50E-03
3.50E-03 | JRN232AMVO | Motor Operated Valve 1RN232A Fails to Open | 3.50E-03
3.50E-03 | JVD01A1FNS | Fan 1A1 Fails To Start | 3.50E-03
3.20E-03 | JDG00BABYF | Battery 1DGBA Fails | 3.20E-03
3.20E-03 | JDG001ALHE | Latent Human Error on Diesel Generator 1A | 3.20E-03
2.80E-03 | JFD0022SVO | Solenoid Valve 1FD22 Fails to Open | 2.80E-03
1.98E-03 | JFD5070LTK | Level Transmitter 1FDLS5070 Fails High | 1.98E-03
1.35E-03 | JKD001AHXF | Cooling Water Heat Exchanger 1A Fails | 1.35E-03
1.20E-03 | JDGEA18C4C | Breaker ETA18 Fails to Close | 1.20E-03
3.96E-04 | JDGHRAARYT | ESG Aux Relay HRA(AAJ) Transfers Position | 3.96E-04
3.68E-04 | JKD5160TFL | Temperature Transmitter KD5160 Output Fails Low | 3.68E-04
3.48E-04 | JDG1RUNCOM | Common Cause Failure of Diesel Generator to Run | 3.48E-04
3.00E-04 | JDGETA3C4O | 4160 V ac Breaker ETA3 Fails to Open | 3.00E-04
2.88E-04 | JFD001AFLF | Fuel Oil Filter 1A Fails | 2.88E-04
2.88E-04 | JVN0082FLF | Intake Air Filter 082 Fails | 2.88E-04
2.88E-04 | JLD001AFLF | Filter LD1A Restricts Flow | 2.88E-04
2.88E-04 | JVN0081FLF | Intake Air Filter 081 Fails | 2.88E-04
2.88E-04 | JFDPS1AFLF | Diesel Generator Fuel Oil Pump Strainer 1A Fails | 2.88E-04
2.18E-04 | JVD01A1FNR | Fan 1A1 Fails To Run | 2.18E-04
2.18E-04 | JVD01A2FNR | Fan 1A2 Fails To Run | 2.18E-04
2.00E-04 | JRNMOVSCOM | Common Cause Failure of RN Motor Operated Valves to Open | 2.00E-04
1.90E-04 | JKD0006CVO | Check Valve 1KD6 Fails to Open | 1.90E-04

Total Gate Probability = 1.01E-01

Figure A.10-3 Rev. 2: Diesel Generator Engine Lube Oil System


Figure A.10-5, Rev. 2: Diesel Generator Engine Fuel Oil System

Figure A.10-6 Rev. 2: Diesel Generator Engine Starting Air System

Figure A.10-7, Rev. 2: Diesel Generator Engine Building Ventilation System

Figure A.10-8, Rev. 2: Diesel Generator Control Power

A.11 AC and DC Vital Instrumentation and Control Power Systems

Systems Description

The 120 V ac Vital Instrumentation and Control (I&C) Power (EPG) System and the 125 V dc Vital Instrumentation and Control Power (EPL) System are designed to provide a reliable and continuous source of power to equipment required for start up, normal operation, and orderly shut down of the unit. In the event of a loss of offsite power (LOOP) or blackout (no voltage on the 4 kV ac Essential Buses) this equipment is required to safely shut down the plant.

The EPG System provides four normally independent channels of power for reactor control and instrumentation for each unit as shown on the simplified diagrams (Figures A.11-1 and A.11-2). The system is designed so that 3 of the 4 channel-designated sources are required for safe operation, and a loss of any two of these sources will result in a unit shutdown. The system is comprised of channels A, B, C and D as follows:

Channel | Static Inverter | Manual Bypass Switch | Panelboard
A | 1EIA | 1EMA | 1ERPA
B | 1EIB | 1EMB | 1ERPB
C | 1EIC | 1EMC | 1ERPC
D | 1EID | 1EMD | 1ERPD

Train A loads are fed from channels A and C, and train B loads are fed from channels B and D.

Each static inverter is fed from an independent EPL System distribution center. If an inverter has to be removed from service, a manual bypass switch (make before break) is used to transfer the affected panelboard to Regulated Power Distribution Center 1VRD without power interruption. This alternate source is capable of supplying power to only one channel at a time. A Kirk Key interlock scheme on all four feeder breakers allows only one breaker to be closed at a time. 1VRD is supplied power from 600 V ac motor control center (MCC) 1MXM through voltage regulator 1VRR and transformer 1VRT.

Other than when an inverter is removed from service, the operation of the EPG System is identical for all modes of plant operation.

The EPL System is divided into four independent and physically separated channels as follows:

Channel | 125 V dc Battery | Battery Charger | 125 V dc Distribution Center | Power Panelboard
A | 1EBA | 1ECA | 1EDA | 1EPA
B | 1EBB | 1ECB | 1EDB | 1EPB
C | 1EBC | 1ECC | 1EDC | 1EPC
D | 1EBD | 1ECD | 1EDD | 1EPD

A spare battery charger can be connected to any one of the four channels as needed, should the normal charger have to be removed from service. Each battery charger is sized to carry its own individual continuous load plus the 125 V dc continuous load and inverter loads of another charger in the same train in a backup capacity, if required. Each battery has adequate capacity to carry its own loads, plus the loads of the other same-train battery in a backup capacity for two hours.

To assure high availability of power and to protect against loss of dc due to a fire in the control complex, the loads on 1EDE and 1EDF distribution centers which are required for plant shutdown are supplied power from two sources through auctioneering diode assemblies. The two 125 V dc sources are the EPL System and the 125 V dc Essential Diesel Auxiliary Power (EPQ) System. If either 125 V dc power source is lost, the distribution centers (1EDE, 1EDF) will continue to receive power from the remaining source.

During normal operation, the static inverters are fed by the respective 125 V dc vital I&C distribution centers. The inverters supply ac power to their respective 120 V ac power panelboards through manual transfer switches which are in the "normal" inverter-to-load position. Also, the battery chargers provide power to their respective distribution centers and maintain their respective batteries at float conditions. The 125 V dc distribution centers supply power to the 125 V dc power panelboards, the static inverters and the auctioneering diode assemblies. If a normal battery charger fails or must be removed from service, spare battery charger 1ECS may be connected by closing the appropriate circuit breakers to keep the battery float charged and to provide power to normal charger loads. If a battery must be removed from service, the affected distribution center bus tie breakers are closed. This closure allows the remaining battery to provide backup power for both buses, should power be lost from the chargers.

System Success Criteria

Success is defined as a continuous supply of power to the 120 V ac and 125 V dc vital loads for 24 hours following an initiating event. Following a LOOP, the essential motor control centers feeding the 125 V dc vital I&C battery chargers will be load shed and re-energized after 11 seconds by the diesel generator load sequencer. The vital batteries maintain power on their associated distribution centers while the battery chargers are de-energized. Since power is maintained on the vital distribution centers, the static inverters and their 120 V ac vital panelboards also remain energized.

Major Assumptions

1. If a battery charger is lost, the battery has the capability to supply power to the respective distribution center for two hours.
2. The assumed mission time for the EPG and EPL Systems during transient and LOCA conditions is 24 hours. This time is consistent with the quantification procedures applied to mechanical systems, but is conservative for this system because individual loads may require control power only in the early stages of the transient or LOCA. Failures of 120 V ac and 125 V dc power will be closely examined during the cut set review to determine the applicability of the 24 hour mission time.

System Reliability Results

The tables that follow list the dominant cut sets and important contributors to panelboard and distribution center failure. Fault tree results are presented for 1ERPA, 1EDE and 1EPA. Results for the other buses are similar.

Top Cut Sets For Gate D1ERPA: Loss of Power on 120 V ac Panelboard 1ERPA

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 6.84E-04 | DAC1EIAIVF | 120 V ac Vital Power Inverter 1EIA Fails | 6.84E-04 |
| 4.44E-05 | DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 1.00E+00 |
| | DDCHGRACOM | Common Cause Failure of Chargers 1ECA and 1ECS | 4.44E-05 |
| 3.43E-05 | DDC1EDABDF | 125 V dc Vital I&C Pwr Dist. Ctr. 1EDA Fails | 3.43E-05 |
| 3.22E-05 | DACERPABLF | 120 V ac Panelboard 1ERPA Fails | 3.22E-05 |
| 2.40E-05 | DAC1EMASWT | Manual Bypass Switch 1EMA Transfers Position | 2.40E-05 |
| 6.40E-06 | DDC1EBABYF | 125 V dc Vital I&C Battery 1EBA Fails on Demand | 3.20E-03 |
| | T11 | Loss of Operating 4160 V ac Bus | 2.00E-03 |
| 4.39E-06 | DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 1.00E+00 |
| | DDC1ECABCF | 125 V dc Vital I&C Pwr Battery Charger 1ECA Fails | 1.83E-05 |
| | DDC1ECSRHE | Operators Fail to Activate Standby Charger | 1.00E-02 |
| 1.40E-06 | DDC1EBABYF | 125 V dc Vital I&C Battery 1EBA Fails on Demand | 3.20E-03 |
| | DDC1ECABCF | 125 V dc Vital I&C Pwr Battery Charger 1ECA Fails | 1.83E-05 |
| 5.84E-07 | DDCTIEACDT | Circuit Breaker 1EDA-F03B Transfers Position | 1.90E-06 |
| | DDD1EBABLM | Battery 1EBA is in a Testing or Maintenance Mode | 1.28E-02 |
| 5.84E-07 | DDCTIECCDT | Circuit Breaker 1EDC-F03B Transfers Position | 1.90E-02 |
| | DDD1EBABLM | Battery 1EBA is in a Testing or Maintenance Mode | 1.28E-02 |

Total Gate Probability = 8.34E-04

Top Cut Sets For Gate D1EDE: Loss of Power on 125 V dc Distribution Center 1EDE

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 3.43E-05 | DDC1EDEBDF | 125 V dc Vital I&C Pwr Dist. Ctr. 1EDE Fails | 3.43E-05 |
| 2.08E-09 | DDCEADACDT | Auctioneering Diode Assembly 1EADA Fails | 4.56E-05 |
| | DDCVADACDT | Auctioneering Diode Assembly 1VADA Fails | 4.56E-05 |
| 2.02E-09 | DDCHGRACOM | Common Cause Failure of Chargers 1ECA and 1ECS | 4.44E-05 |
| | DDCVADACDT | Auctioneering Diode Assembly 1VADA Fails | 4.56E-05 |
| | DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 1.00E+00 |
| 1.56E-09 | DDC1EDABDF | 125 V dc Vital I&C Pwr Dist. Ctr. 1EDA Fails | 3.43E-05 |
| | DDCVADACDT | Auctioneering Diode Assembly 1VADA Fails | 4.56E-05 |
| 2.92E-10 | DDC1EBABYF | 125 V dc Vital I&C Battery 1EBA Fails on Demand | 3.20E-03 |
| | DDCVADACDT | Auctioneering Diode Assembly 1VADA Fails | 4.56E-05 |
| | T11 | Loss of Operating 4160 V ac Bus | 2.00E-03 |
| 2.00E-10 | DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 1.00E+00 |
| | DDC1ECABCF | 125 V dc Vital I&C Battery Charger 1ECA Fails | 3.20E-03 |
| | DDC1ECSRHE | Operators Fail to Activate Standby Charger | 1.00E-02 |
| | DDCVADACDT | Auctioneering Diode Assembly 1VADA Fails | 4.56E-05 |

Total Gate Probability = 3.43E-05

Top Cut Sets For Gate D1EPA: Loss of Power on 125 V dc Distribution Center D1EPA

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 4.44E-05 | DDCHGRACOM | Common Cause Failure of Chargers 1ECA and 1ECS | 4.44E-05 |
| | DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 1.00E+00 |
| 3.43E-05 | DDC1EDABDF | 125 V dc Vital I&C Pwr Dist. Ctr. 1EDA Fails | 3.43E-05 |
| 3.43E-05 | DDC1EPABDF | 125 V dc Vital Panelboard 1EPA Fails | 3.43E-05 |
| 4.39E-06 | DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 1.00E+00 |
| | DDC1ECABCF | 125 V dc Vital I&C Battery Charger 1ECA Fails | 3.20E-03 |
| | DDC1ECSRHE | Operators Fail to Activate Standby Charger | 1.00E-02 |
| 1.41E-06 | DDC1ECABCF | 125 V dc Vital I&C Battery Charger 1ECA Fails | 3.20E-03 |
| | DDC1EBABYF | 125 V dc Vital I&C Battery 1EBA Fails on Demand | 3.20E-03 |
| 5.84E-07 | DDD1EBABLM | Battery 1EBA is in a Testing or Maintenance Mode | 1.28E-02 |
| | DDCTIECCDT | Circuit Breaker 1EDC-F03B Transfers Position | 1.90E-02 |
| 5.84E-07 | DDD1EBABLM | Battery 1EBA is in a Testing or Maintenance Mode | 1.28E-02 |
| | DDCTIEACDT | Circuit Breaker 1EDA-F03B Transfers Position | 1.90E-06 |
| 5.68E-07 | DDD1EBABLM | Battery 1EBA is in a Testing or Maintenance Mode | 1.28E-02 |
| | DDCHGRCCOM | Common Cause Failure of Chargers 1ECA and 1ECS | 4.44E-05 |
| | DDC1EBCDEX | Battery 1EBC Depletes after Two Hours | 1.00E+00 |

Total Gate Probability = 1.28E-04

Importance Table for Gate D1ERPA: Loss of Power on 120 V ac Panelboard 1ERPA

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| DAC1EIAIVF | 120 V ac Vital Power Inverter 1EIA Fails | 82.7% | 1.21E+03 |
| DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 5.9% | 1.00E+00 |
| DDCHGRACOM | Common Cause Failure of Chargers 1ECA and 1ECS | 5.4% | 1.21E+03 |
| DDC1EDABDF | 125 V dc Vital I&C Distribution Center 1EDA Fails | 4.1% | 1.21E+03 |
| DACERPABLF | 120 V ac Panelboard 1ERPA Fails | 3.9% | 1.21E+03 |
| DAC1EMASWT | Manual Bypass Switch 1EMA Transfers Position | 2.9% | 1.21E+03 |
| DDC1EBABYF | 125 V dc Vital I&C Battery 1EBA Fails on Demand | 0.2% | 1.58E+00 |
| DDC1ECABCF | 125 V dc Vital I&C Battery Charger 1ECA Fails | 0.7% | 1.69E+01 |
| DDC1ECSRHE | Operators Fail to Activate Standby Charger | 0.5% | 1.53E+00 |
| DDD1EBABLM | Battery 1EBA is in a Testing or Maintenance Mode | 0.3% | 1.20E+00 |

Importance Table for Gate D1EDE: Loss of Power on 125 V dc Distribution Center 1EDE

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| DDC1EDEBDF | 125 V dc Vital I&C Pwr Dist. Ctr. 1EDE Fails | 100.0% | 2.91E+04 |
| DDCVADACDT | Auctioneering Diode Assembly 1VADA Fails | 0.0% | 4.94E+00 |
| DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 0.0% | 1.00E+00 |
| DDCEADACDT | Auctioneering Diode Assembly 1EADA Fails | 0.0% | 2.33E+00 |
| DDCHGRACOM | Common Cause Failure of Chargers 1ECA and 1ECS | 0.0% | 2.33E+00 |
| DDC1EDABDF | 125 V dc Vital I&C Distribution Center 1EDA Fails | 0.0% | 2.33E+00 |
| DDC1EBABYF | 125 V dc Vital I&C Battery 1EBA Fails on Demand | 0.0% | 1.00E+00 |

Importance Table for Gate D1EPA: Loss of Power on 125 V dc Vital I&C Panelboard 1EPA

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| DDC1EBADEX | Battery 1EBA Depletes after Two Hours | 38.3% | 1.00E+00 |
| DDCHGRACOM | Common Cause Failure of Chargers 1ECA and 1ECS | 34.8% | 7.82E+03 |
| DDC1EDABDF | 125 V dc Vital I&C Distribution Center 1EDA Fails | 26.8% | 7.82E+03 |
| DDC1EPABDF | 125 V dc Vital I&C Panelboard 1EPA Fails | 26.8% | 7.82E+03 |
| DDC1EBABYF | 125 V dc Vital I&C Battery 1EBA Fails on Demand | 6.2% | 2.01E+01 |

[Figure A.11-1, Rev. 2: AC & DC Vital Instrumentation and Control Power Systems, Train A]

[Figure A.11-2, Rev. 2: AC & DC Vital Instrumentation and Control Power System, Train B]

A.12 Engineered Safety Features Actuation System

System Description

In the event of a limiting fault, the engineered safety features (ESF) and support systems are needed to protect the reactor core and ensure containment integrity.

The Engineered Safety Features Actuation System (ESFAS) is a dual train control system providing for timely actuation of these systems, either by operator action or automatically, when fault conditions are detected as plant parameters deteriorate. Figure A.12-1 is an illustration of the functional logic of one complete ESFAS train.

Figure A.12-2 is a simplified block diagram of the ESFAS and the Reactor Protection System (RPS), which share some of the process instrumentation. In the process sensor portion, certain plant parameters selected as evidential of fault conditions are measured. Each parameter is monitored in three or four redundant analog channels. An individual channel contains a sensor/transmitter, a loop power supply, and a bistable output device (controller). When the measured variable reaches its specified limit (bistable setpoint), the channel output changes state (turns off or turns on).

Once a fault is detected, "solid state logic" sections of the Solid State Protection System (SSPS) perform three important functions. First, the fault is verified through coincidence logic circuits. This prevents inadvertent ESFAS actuation by failure of a single analog channel, and it facilitates the testing and maintenance of a single channel. Second, blocking logic is applied to prevent actuation during startup and shutdown operations. Deliberate human action in conjunction with system interlocks is necessary to apply the blocking functions. Lastly, actuation signals are produced to activate the required safety systems.

The channelized outputs of the process sensors are input to two identical SSPS trains through parallel SSPS input relays. The digital SSPS signals are processed through the coincidence and the blocking logic circuits and output actuation signals are sent to relay circuits which in turn energize the output slave relays.

The slave relays energize the control circuits for the appropriate ESF and support system component sets.

Simplified diagrams of important function actuation signal circuits are provided in Figure A.12-3 through A.12-5.

The ESFAS is an instrumentation and control system. The Process Control System (PCS) provides the operator with complete information pertinent to system status. All NSSS measured variables which can cause a reactor trip or ESFAS actuation are either indicated or recorded for every channel.

The SSPS has annunciators, status lights and events recorder input signals which indicate the condition of bistable input signals, and the status of the various blocking, permissive and actuation functions. Each of the two trains of the SSPS is continuously monitored by the general warning alarm reactor trip subsystem.

The warning circuits are actuated if undesirable train conditions are set up by improper alignment of testing systems, circuit malfunction, or failure. A trouble condition in a logic train is indicated in the control room. If any one of the conditions exists in train A at the same time one of the conditions exists in train B, the general warning alarm circuits will automatically trip the reactor.

The manual block features associated with pressurizer and steam line safety injection signals provide the operator with the means to block initiation of safety injection during startup and shutdown. Automatic removal of the block occurs when plant conditions require the protection system to be functional.

Manual actuation from the control board for containment isolation phase A, safety injection, and spray initiation/containment isolation phase B is provided by operating either the train A or train B switches for these functions. Manual controls providing switchover from the injection to the recirculation phase after a loss of coolant accident are also provided. There are four individual main steam isolation valve control switches on the control board. Each switch will isolate one of the main steam lines. In addition, there are two system level switches. The train A switch or the train B switch will actuate all four sets of main steam line isolation and bypass valves. Also, it is possible for individual ESF equipment to be actuated manually from the control board.

System Success Criteria

The ESFAS is required for actuation and lineups of several systems during transients and LOCAs. System success is defined as complete operation of the specified slave relay. The fault trees, therefore, model failures of required slave relays to actuate on demand.

Major Assumptions

1. Boundary conditions include normal plant operation with Reactor Coolant System pressure above the P-11 permissive interlock setpoint (1955 psig).

2. SSPS logic trains are assumed to be unavailable during train testing and maintenance periods.

Review for Initiating Events

The inadvertent actuation of ESFAS has been identified as an initiating event.

System Reliability Results

The fault tree results for relay K601A are included in the following tables. These results are representative of results for the other slave relays in the ESFAS. Failure of the ESFAS slave relays is dominated by the maintenance unavailability for the respective train. The individual relay failures are also important.

Top Cut Sets For Gate E601A: ESFAS Slave Relay K601A Fails to Actuate on SS Conditions

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 3.80E-03 | EKSTOMATRM | Train A SS Function in Maintenance | 3.80E-03 |
| | SL | Small LOCA | 1.00E+00 |
| 1.90E-04 | EKS501ARYD | ESFAS Master Relay K501A Fails to Pick Up | 1.90E-04 |
| | SL | Small LOCA | 1.00E+00 |
| 1.90E-04 | EKS601ARYD | ESFAS Slave Relay K601A Fails to Pick Up | 1.90E-04 |
| | SL | Small LOCA | 1.00E+00 |
| 1.90E-05 | EKSA121COM | Common Cause Failure of Master Relays K501A and K521A | 1.90E-05 |
| | SL | Small LOCA | 1.00E+00 |
| 1.90E-05 | EKSK501COM | Common Cause Failure of Master Relays K501A and K501B | 1.90E-05 |
| | SL | Small LOCA | 1.00E+00 |
| 5.18E-06 | EKSA313LMF | Universal Logic Module A313 Fails to Generate SS Signal | 1.30E-03 |
| | EKSFASIDHE | Operators Fail To Respond to ESFAS Failure | 4.00E-03 |
| | SL | Small LOCA | 1.00E+00 |
| 4.80E-06 | EKSFASIDHE | Operators Fail To Respond to ESFAS Failure | 4.00E-03 |
| | EKSSRDADEX | Train A SS Relay Driver in Safeguards Output Module A516 Fails | 1.20E-03 |
| | SL | Small LOCA | 1.00E+00 |

Total Gate Probability = 4.23E-03

Importance Table For E601A: ESFAS Slave Relay K601A Fails to Actuate on SS Conditions

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| EKSTOMATRM | Train A SS Function in Maintenance | 89.9% | 2.37E+02 |
| EKS501ARYD | ESFAS Master Relay K501A Fails to Pick Up | 4.5% | 2.37E+02 |
| EKS601ARYD | ESFAS Slave Relay K601A Fails to Pick Up | 4.5% | 2.37E+02 |
| EKSA121COM | Common Cause Failure of Master Relays K501A and K521A | 0.4% | 2.37E+02 |
| EKSK501COM | Common Cause Failure of Master Relays K501A and K501B | 0.4% | 2.37E+02 |
| EKSFASIDHE | Operators Fail To Respond to ESFAS Failure | 0.2% | 1.59E+00 |
| EKSA313LMF | Universal Logic Module A313 Fails to Generate SS Signal | 0.1% | 1.94E+00 |
| EKSSRDADEX | Train A SS Relay Driver in Safeguards Output Module A516 Fails | 0.1% | 1.94E+00 |

[Figure A.12-1, Rev. 2: ESFAS Simplified Functional Logic]

[Figure A.12-2: simplified block diagram of the ESFAS and the Reactor Protection System]

[Figure A.12-3, Rev. 2: ESFAS Functional Logic Diagram: SS Signal Actuation]

[Figure A.12-4: ESFAS Functional Logic Diagram]

[Figure A.12-5, Rev. 2: ESFAS Functional Logic Diagram: Emergency Feedwater Actuation]

[Figure A.12-6, Rev. 2: ESFAS Electrical Power Sources]

A.13 Instrument Air System

System Description

The Instrument Air (VI) System provides clean, dry, compressed air to both Catawba units. The Instrument Air System serves as a support system to various plant equipment used in the mitigation of accident sequences. Three two-stage oil-free centrifugal compressors (D, E, and F) each supply instrument air at a flow rate of approximately 1500 icfm.

Each compressor package includes an inlet filter, a lubrication system, intercooler, aftercooler, and two moisture separators. Incoming air is compressed in a two-stage process. The hot compressed air enters the intercooler and moisture separator which remove the heat and moisture generated during the first compression stage. After leaving the second stage, the hot compressed air enters an aftercooler and water separator which, again, remove the heat and moisture generated in the second compression stage. The air leaving the compressors discharges into their respective instrument air receivers.

After passing through the air receivers, moisture is further removed from the instrument air by one of two coalescing prefilters. The air is then dried to a dewpoint of -40 F by two desiccant dryers piped in parallel. The air then passes through one of two afterfilters. Downstream of the afterfilters, the VI System forms a common header which supplies air to the plant.

The VI System also supplies air to the Station Air (VS) header. In the event of low pressure in the VI System, the VS System is automatically isolated from VI by a self contained, back pressure control valve, 1VI500. If the VI System pressure drops below 80 psig, valve 1VI500 will close to terminate air supply to the VS System while maintaining supply to the VI System. VS is capable of supplying compressed air to VI upon loss of instrument air header pressure. When the header pressure drops below 76 psig, valve 1VS78 opens to allow backup from the VS compressors. The air supplied from VS passes through two oil removal filters prior to entering the VI System.

A portable diesel compressor can be aligned to VI as an alternate supply of suitable instrument air. The connection for this compressor is located outside Turbine Building No. 2 and is synonymous with the connection for the Integrated Leak Rate Test (ILRT) compressor. A desiccant dryer and after filter are provided for this connection. The air leaving the portable diesel compressor dryer has a design dewpoint of -40 F.

Air to the primary and secondary power-operated relief valves (PORVs) and the main steam isolation valves (MSIVs) is supplied from the VI compressors. Figure A.13-2 shows a simplified drawing for the Unit 1 headers containing the air supply to the PORVs and MSIVs. Each MSIV has its own separate air tank.

System Success Criteria

Success of the Instrument Air System is defined as providing a sufficient amount of air pressure available for the various system components. The top event in this analysis represents a loss of VI.

Major Assumptions

1. The portable integrated leak rate test compressor is not used to support peak instrument air loads.
2. The station air to instrument air tie line is never tested.
3. Two of three centrifugal compressors (D, E, and F) are run in base mode with the remaining compressor ready in standby.
4. The 'A' prefilter and afterfilter trains are in service with the 'B' trains valved out.
5. There are no technical specification requirements for the instrument air system. Therefore, more than one compressor can be in maintenance at any given time.
6. Dryers are not modeled because of their low probability of failure. Their contribution to system failure is assumed to be insignificant.
7. Passive components such as air receivers and piping are not modeled because of their low failure probability. Their contribution to system failure is assumed to be insignificant.
8. No credit is taken for air receivers as a potential air source. They are modeled as part of the piping.
9. A mission time of 24 hours is assumed for the Instrument Air System.
10. Either the portable diesel compressor or both VS compressors are assumed to meet the capacity of one centrifugal compressor.
11. The portable diesel compressor alone can not supply the instrument air needs of both units; therefore, failures which affect all primary compressors (loss of KR or power) are assumed to fail the VI System.
12. The VS compressors are assumed to not have been called upon for a month. This results in exposure times comparable with the standby centrifugal compressor.

System Reliability Results

The dominant cut sets for failure of the VI System are shown in the following table.

Top Cut Sets For Gate A100: Unit 1 Instrument Air Header Fails

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.00E-03 | AKRFAILDEX | Loss of Recirculating Cooling Water System | 1.00E-03 |
| 5.30E-05 | AVICONTDEX | Contamination in the VI Headers Fail All Instrument Air | 5.30E-05 |
| 4.56E-05 | AVI1K25CLT | 120 V ac Breaker 1KPW 25 Transfers Open | 4.56E-05 |
| 4.32E-05 | AVIDAFAALF | Dryer Afterfilter A Fails | 4.32E-05 |
| 4.32E-05 | AVIDPFAALF | Dryer Prefilter A Fails | 4.32E-05 |
| 3.78E-05 | AVILEAKDEX | Uncontained Leaks in the VI Headers Fail All Instrument Air | 3.78E-05 |
| 3.22E-05 | AAC1KPWBLF | 120 V ac Power Panelboard 1KPW Fails | 3.22E-05 |
| 5.69E-06 | AV100DCDCR | Diesel Air Compressor Fails To Run For The Required Time | 3.36E-01 |
| | AVICMPRCOM | Common Cause Failure of Centrifugal Compressors to Run | 1.80E-04 |
| | AVSCPIATRM | Maintenance on Station Air Compressor A | 9.40E-02 |
| 5.69E-06 | AV100DCDCR | Diesel Air Compressor Fails To Run For The Required Time | 3.36E-01 |
| | AVICMPRCOM | Common Cause Failure of Centrifugal Compressors to Run | 1.80E-04 |
| | AVSCPIBTRM | Maintenance on Station Air Compressor B | 9.40E-02 |
| 3.41E-06 | AV100DCDCR | Diesel Air Compressor Fails To Run For The Required Time | 3.36E-01 |
| | AVICMPDCMM | Centrifugal Compressor D in Maintenance | 3.00E-02 |
| | AVICMPFCMR | Centrifugal Compressor F Fails To Run | 3.60E-03 |
| | AVSCPIATRM | Maintenance on Station Air Compressor A | 9.40E-02 |
| 3.41E-06 | AV100DCDCR | Diesel Air Compressor Fails To Run For The Required Time | 3.36E-01 |
| | AVICMPDCMM | Centrifugal Compressor D in Maintenance | 3.00E-02 |
| | AVICMPECMR | Centrifugal Compressor E Fails To Run | 3.60E-03 |
| | AVSCPIATRM | Maintenance on Station Air Compressor A | 9.40E-02 |
| 3.41E-06 | AV100DCDCR | Diesel Air Compressor Fails To Run For The Required Time | 3.36E-01 |
| | AVICMPDCMM | Centrifugal Compressor D in Maintenance | 3.00E-02 |
| | AVICMPFCMR | Centrifugal Compressor F Fails To Run | 3.60E-03 |
| | AVSCPIBTRM | Maintenance on Station Air Compressor B | 9.40E-02 |

Total Gate Probability = 1.34E-03

The dominant contributors to system failure are shown in the table below. The dominant contributor is a loss of the KR System since this event will fail all of the VI and VS compressors, leaving only the portable diesel compressor which would be unable to meet system demands on its own.

Importance Table For Gate A100: Unit 1 Instrument Air Header Fails

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| AKRFAILDEX | Loss of Recirculating Cooling Water System | 74.5% | 746 |
| AV100DCDCR | Diesel Air Compressor Fails To Run For The Required Time | 4.8% | 1.09 |
| AVICONTDEX | Contamination in the VI Headers Fail All Instrument Air | 4.0% | 746 |
| AVI1K25CLT | 120 V ac Breaker 1KPW 25 Transfers Open | 3.4% | 746 |
| AVIDAFAALF | Dryer Afterfilter A Fails | 3.2% | 746 |
| AVIDPFAALF | Dryer Prefilter A Fails | 3.2% | 746 |
| AVILEAKDEX | Uncontained Leaks in the VI Headers Fail All Instrument Air | 2.8% | 746 |
| AAC1KPWBLF | 120 V ac Power Panelboard 1KPW Fails | 2.4% | 746 |
| AVICMPECMR | Centrifugal Compressor E Fails To Run | 1.9% | 6.20 |
| AVICMPFCMR | Centrifugal Compressor F Fails To Run | 1.9% | 6.20 |
| AVSCPIATRM | Maintenance on Station Air Compressor A | 1.8% | 1.17 |
| AVSCPIBTRM | Maintenance on Station Air Compressor B | 1.8% | 1.17 |
| AVICMPDCMM | Centrifugal Compressor D in Maintenance | 1.7% | 1.54 |
| AVICMPDCMS | Compressor D Fails To Start On Demand | 1.6% | 1.54 |
| AVICMPRCOM | Common Cause Failure of Centrifugal Compressors to Run | 1.3% | 72.5 |
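The A100 tables can be cross-checked from their own numbers. The Python sketch below is an added example, not part of the Duke Power report: it multiplies out each listed cut set, compares the product with the printed cut set probability, and derives Fussell-Vesely (F-V) and risk achievement worth (RAW) with the rare-event approximation. It assumes the printed total gate probability as the denominator, because the table lists only the top cut sets; the function names are illustrative.

```python
"""Cross-check the gate A100 cut set table and derive importance measures."""
from math import prod

# Basic event probabilities as printed in the A100 cut set table.
EVENT_P = {
    "AKRFAILDEX": 1.00e-3,  # loss of Recirculating Cooling Water (KR)
    "AVICONTDEX": 5.30e-5,
    "AVI1K25CLT": 4.56e-5,
    "AVIDAFAALF": 4.32e-5,
    "AVIDPFAALF": 4.32e-5,
    "AVILEAKDEX": 3.78e-5,
    "AAC1KPWBLF": 3.22e-5,
    "AV100DCDCR": 3.36e-1,  # portable diesel compressor fails to run
    "AVICMPRCOM": 1.80e-4,
    "AVSCPIATRM": 9.40e-2,
    "AVSCPIBTRM": 9.40e-2,
    "AVICMPDCMM": 3.00e-2,
    "AVICMPECMR": 3.60e-3,
    "AVICMPFCMR": 3.60e-3,
}

# (printed cut set probability, basic events that together fail the gate)
CUT_SETS = [
    (1.00e-3, ("AKRFAILDEX",)),
    (5.30e-5, ("AVICONTDEX",)),
    (4.56e-5, ("AVI1K25CLT",)),
    (4.32e-5, ("AVIDAFAALF",)),
    (4.32e-5, ("AVIDPFAALF",)),
    (3.78e-5, ("AVILEAKDEX",)),
    (3.22e-5, ("AAC1KPWBLF",)),
    (5.69e-6, ("AV100DCDCR", "AVICMPRCOM", "AVSCPIATRM")),
    (5.69e-6, ("AV100DCDCR", "AVICMPRCOM", "AVSCPIBTRM")),
    (3.41e-6, ("AV100DCDCR", "AVICMPDCMM", "AVICMPFCMR", "AVSCPIATRM")),
    (3.41e-6, ("AV100DCDCR", "AVICMPDCMM", "AVICMPECMR", "AVSCPIATRM")),
    (3.41e-6, ("AV100DCDCR", "AVICMPDCMM", "AVICMPFCMR", "AVSCPIBTRM")),
]

PAGE_TOTAL = 1.34e-3  # "Total Gate Probability" printed under the table


def cut_set_probability(events, p=EVENT_P):
    """Product of independent basic event probabilities in one cut set."""
    return prod(p[e] for e in events)


def inconsistent_cut_sets(rel_tol=0.01):
    """Cut sets whose printed probability differs from the product of events."""
    bad = []
    for printed, events in CUT_SETS:
        if abs(cut_set_probability(events) - printed) > rel_tol * printed:
            bad.append(events)
    return bad


def listed_sum(p=EVENT_P):
    """Rare-event approximation: sum of the listed cut set products."""
    return sum(cut_set_probability(events, p) for _, events in CUT_SETS)


def listed_coverage():
    """Fraction of the printed gate total explained by the listed cut sets."""
    return listed_sum() / PAGE_TOTAL


def fussell_vesely(event):
    """Share of the gate total carried by listed cut sets containing event."""
    hit = sum(cut_set_probability(ev) for _, ev in CUT_SETS if event in ev)
    return hit / PAGE_TOTAL


def risk_achievement_worth(event):
    """P(top | event failed) / P(top); unlisted cut sets are left unchanged."""
    failed = dict(EVENT_P, **{event: 1.0})
    top_given_failed = min(1.0, PAGE_TOTAL - listed_sum() + listed_sum(failed))
    return top_given_failed / PAGE_TOTAL


if __name__ == "__main__":
    print(f"listed cut sets cover {listed_coverage():.1%} of the gate total")
    for name in EVENT_P:
        print(f"{name}  F-V {fussell_vesely(name):6.1%}  "
              f"RAW {risk_achievement_worth(name):8.2f}")
```

Single-event cut sets reproduce the tabulated F-V and RAW (746 for AKRFAILDEX, for example); events that appear only in multi-event cut sets come out lower than tabulated because the listed cut sets cover about 95% of the gate total.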

[Figure A.13-1: Instrument Air System (2 pages)]

[Figure A.13-2: Unit 1 instrument air headers supplying the PORVs and MSIVs]
A.14 Containment Air Return And Hydrogen Skimmer System

System Description

The Containment Air Return And Hydrogen Skimmer (VX) System performs two functions. First, the containment air return fans ensure the rapid return of air from upper to lower containment after an initial loss of coolant accident (LOCA) blowdown. Second, for the design basis accident, the hydrogen skimmer fans ensure that there is adequate mixing of the containment atmosphere from dead-ended compartments to prevent hydrogen pocketing.

The containment air return fan portion of the VX System consists of two redundant air headers, each consisting of a 40,000 cfm fan, a backdraft damper, an isolation damper, and three bypass dampers. The bypass dampers are only used during tests; the isolation damper is used for control of air flow between upper and lower containment. A simplified diagram of the air return fan headers is provided in Figure A.14-1.

The containment hydrogen skimmer portion of the VX System is not needed for severe accidents. The purpose of the hydrogen skimmer system is to maintain hydrogen concentration below the lower flammability limit of 4 volume percent within dead-ended compartments in the event of a design basis accident. This is accomplished by drawing air from these compartments and discharging it into the containment. During a severe accident the hydrogen concentration will exceed 4 volume percent in these dead-ended compartments even with the hydrogen skimmer system operating. Therefore, this part of the VX System is not modeled.

The containment air return subsystem is normally not in operation. The system does not operate to provide any normal ventilation requirement.

The containment air return subsystem automatically starts given an SP signal. Provided all interlocks are met, the isolation dampers open in ten seconds and the fans start in nine minutes. The air return fans provide several functions, such as circulating containment atmosphere through the ice condenser for pressure control and scrubbing of fission products, and ensuring a well-mixed containment atmosphere for hydrogen control.

System Success Criteria

The success criterion for the air return fans is one of two headers operating to mitigate post-accident conditions inside the containment.

Major Assumptions

1. The containment pressure instruments for the damper and fan interlocks could fail low between tests without being noticed.
2. It is assumed that whenever the VX System is required to operate, conditions exist which generate an SP signal.
3. Failures of dampers to open due to failures of limit and torque switches which are part of the operator are included in the damper failure data.
4. The containment pressure is assumed to remain above the CPCS setpoint throughout the mission time. Therefore, multiple demands during the mission time are not considered.
5. The VX fans are assumed to remain operable following containment phenomenological events (i.e., hydrogen burns, DCH, etc.).

System Reliability Results

The dominant contributors to VX System failure are the common cause failures of VX isolation dampers to open on demand and of the air return fans to start.

Top Cut Sets For Gate BVXTOP: VX System Fails

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 3.50E-04 | BVXDMPRCOM | Common Cause Failure of Dampers to Open | 3.50E-04 |
| 3.50E-04 | BVXFANSCOM | Common Cause Failure of Fans to Start | 3.50E-04 |
| 1.00E-04 | BVX000ALHE | Latent Human Error VX Train A | 1.00E-02 |
| | BVX000BLHE | Latent Human Error VX Train B | 1.00E-02 |
| 3.50E-05 | BVX000BLHE | Latent Human Error VX Train B | 1.00E-02 |
| | BVXOOTAFNS | Fan/Blower (Air Return 1A) Fails to Start | 3.50E-03 |
| 3.50E-05 | BVX000ALHE | Latent Human Error VX Train A | 1.00E-02 |
| | BVXARF4DMO | ARF-D-4 Fails To Open | 3.50E-03 |
| 3.50E-05 | BVX000ALHE | Latent Human Error VX Train A | 1.00E-02 |
| | BVXFANBFNS | CARF-1B Fails To Start | 3.50E-03 |
| 3.50E-05 | BVX000BLHE | Latent Human Error VX Train B | 1.00E-02 |
| | BVXARF2DMO | ARF-D-2 Fails To Open | 3.50E-03 |
| 1.81E-05 | BVX000ATRM | Air Return Fan Header A Unavailable Due to Maintenance | 1.81E-03 |
| | BVX000BLHE | Latent Human Error VX Train B | 1.00E-02 |
| 1.81E-05 | BVX000ALHE | Latent Human Error VX Train A | 1.00E-02 |
| | BVX000BTRM | Air Return Fan Header B Unavailable Due to Maintenance | 1.81E-03 |
| 1.69E-05 | BNS5160PTL | Pressure Transmitter INSPT5160 Fails Low | 1.69E-03 |
| | BVX000BLHE | Latent Human Error VX Train B | 1.00E-02 |
| 1.69E-05 | BNS5240PTL | Pressure Transmitter INSPT5240 Fails Low | 1.69E-03 |
| | BVX000ALHE | Latent Human Error VX Train A | 1.00E-02 |
| 1.69E-05 | BNS5250PTL | Pressure Transmitter INSPT5250 Fails Low | 1.69E-03 |
| | BVX000ALHE | Latent Human Error VX Train A | 1.00E-02 |
| 1.69E-05 | BNS5170PTL | Pressure Transmitter INSPT5170 Fails Low | 1.69E-03 |
| | BVX000BLHE | Latent Human Error VX Train B | 1.00E-02 |

Total Gate Probability = 1.36E-03

Importance Table For Gate BVXTOP: VX System Fails

| Event Name | Event Description | FV | RAW |
|---|---|---|---|
| BVXDMPRCOM | Common Cause Failure of Dampers to Open | 25.7% | 735.4 |
| BVXFANSCOM | Common Cause Failure of Fans to Start | 25.7% | 735.4 |
| BVX000ALHE | Latent Human Error VX Train A | 18.7% | 19.3 |
| BVX000BLHE | Latent Human Error VX Train B | 18.7% | 19.3 |
| BVXOOTAFNS | Fan/Blower (Air Return 1A) Fails to Start | 6.6% | 19.5 |
| BVXARF2DMO | ARF-D-2 Fails To Open | 6.6% | 19.5 |
| BVXARF4DMO | ARF-D-4 Fails To Open | 6.6% | 19.5 |
| BVXFANBFNS | CARF-1B Fails To Start | 6.6% | 19.5 |
| BVX000ATRM | Air Return Fan Header A Unavailable Due to Maintenance | 3.4% | 19.5 |
| BVX000BTRM | Air Return Fan Header B Unavailable Due to Maintenance | 3.4% | 19.5 |
| BNS5160PTL | Pressure Transmitter INSPT5160 Fails Low | 3.2% | 19.5 |
| BNS5170PTL | Pressure Transmitter INSPT5170 Fails Low | 3.2% | 19.5 |
| BNS5240PTL | Pressure Transmitter INSPT5240 Fails Low | 3.2% | 19.5 |
| BNS5250PTL | Pressure Transmitter INSPT5250 Fails Low | 3.2% | 19.5 |
| BVXFANRCOM | Common Cause Failure of Fans to Run | 0.8% | 735.4 |
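Added example (not part of the Duke Power report): the FV and RAW columns can be recomputed from the listed BVXTOP cut sets with the rare-event approximation. It assumes that cut sets below the listing cutoff do not contain the event of interest, so the results are lower bounds for events that also appear in unlisted cut sets; event names are normalized from the table, and all function names are illustrative.

```python
"""Fussell-Vesely (FV) and RAW importance from the listed BVXTOP cut sets."""
from math import prod

# Basic event probabilities as printed in the BVXTOP cut set table.
PROB = {
    "BVXDMPRCOM": 3.50e-4, "BVXFANSCOM": 3.50e-4,
    "BVX000ALHE": 1.00e-2, "BVX000BLHE": 1.00e-2,
    "BVXOOTAFNS": 3.50e-3, "BVXFANBFNS": 3.50e-3,
    "BVXARF2DMO": 3.50e-3, "BVXARF4DMO": 3.50e-3,
    "BVX000ATRM": 1.81e-3, "BVX000BTRM": 1.81e-3,
    "BNS5160PTL": 1.69e-3, "BNS5170PTL": 1.69e-3,
    "BNS5240PTL": 1.69e-3, "BNS5250PTL": 1.69e-3,
}

# Minimal cut sets in the order they are listed in the table.
CUT_SETS = [
    ("BVXDMPRCOM",),
    ("BVXFANSCOM",),
    ("BVX000ALHE", "BVX000BLHE"),
    ("BVX000BLHE", "BVXOOTAFNS"),
    ("BVX000ALHE", "BVXARF4DMO"),
    ("BVX000ALHE", "BVXFANBFNS"),
    ("BVX000BLHE", "BVXARF2DMO"),
    ("BVX000ATRM", "BVX000BLHE"),
    ("BVX000ALHE", "BVX000BTRM"),
    ("BNS5160PTL", "BVX000BLHE"),
    ("BNS5240PTL", "BVX000ALHE"),
    ("BNS5250PTL", "BVX000ALHE"),
    ("BNS5170PTL", "BVX000BLHE"),
]

REPORTED_TOTAL = 1.36e-3  # "Total Gate Probability" printed under the table


def cut_set_prob(cut_set, forced=None):
    """Product of event probabilities; `forced` overrides selected events."""
    forced = forced or {}
    return prod(forced.get(event, PROB[event]) for event in cut_set)


def listed_sum(forced=None):
    """Rare-event approximation over the listed cut sets only."""
    return sum(cut_set_prob(cs, forced) for cs in CUT_SETS)


# Contribution of cut sets below the listing cutoff. Assumption: none of
# them contains the event being ranked, so it stays constant when an event
# is forced to 1.
RESIDUAL = REPORTED_TOTAL - listed_sum()


def top_prob(forced=None):
    """Gate probability (capped at 1) with optional forced event values."""
    return min(1.0, listed_sum(forced) + RESIDUAL)


def fussell_vesely(event):
    """Fraction of the gate probability from cut sets containing `event`."""
    containing = sum(cut_set_prob(cs) for cs in CUT_SETS if event in cs)
    return containing / REPORTED_TOTAL


def raw(event):
    """Risk achievement worth: P(top | event failed) / P(top)."""
    return top_prob({event: 1.0}) / REPORTED_TOTAL


def importance_table():
    """Map each basic event to its (FV, RAW) pair."""
    return {event: (fussell_vesely(event), raw(event)) for event in PROB}


if __name__ == "__main__":
    ranked = sorted(importance_table().items(), key=lambda kv: -kv[1][0])
    for event, (fv, r) in ranked:
        print(f"{event}  FV={fv:6.1%}  RAW={r:7.1f}")
```

The two common cause events reproduce the tabulated values because each forms a single-event cut set; the latent human error and component events come out lower than tabulated because they also appear in cut sets that are not listed.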

Figure A.14-1 Rev. 2 Containment Air Return Subsystem Simplified Diagram

A.15 Hydrogen Mitigation System

System Description

The Hydrogen Mitigation (EHM) System protects the containment from sudden overpressurization, which can be caused by an uncontrolled ignition of hydrogen. The EHM igniters (12 V ac glow plugs) maintain a low concentration of hydrogen by continuously burning hydrogen at low concentration. This prevents the hydrogen from reaching concentrations that could cause a containment pressure integrity concern due to hydrogen ignition.

As shown on the simplified electrical diagrams (Figure A.15-1), the EHM System consists of two redundant parallel circuits. Each circuit contains 35 igniters, which are divided into eight groups. The hydrogen igniters are distributed throughout containment. Igniters from both circuits are mounted at each location to ensure at least one igniter is available.

Although the EHM System is necessary only for an inadequate core cooling event, it is energized at the first indication of a loss of coolant accident (LOCA) in order to assure that the igniters are operating prior to the accumulation of hydrogen to a significant concentration. Each circuit is manually energized by remotely closing the respective 600 V ac contactor from the control room. Once energized, the igniters will control hydrogen accumulation within the containment until the igniters are manually de-energized.

The EHM System is normally de-energized with all of the 16 igniter group circuit breakers closed. The 600 V ac contactors are normally open and are closed remotely from the control room to energize the system.

The EHM System is shed from the 1E power source in the event of a LOCA (SS signal) and is given a permissive to allow the contactors to be closed after all required loads have been sequenced onto the diesel.

System Success Criteria

The EHM System is designed with two completely independent circuits capable of controlling hydrogen concentration. Therefore, success of the EHM System is defined as one of two operable circuits. The top event for the EHM System is defined as failure of both circuits to function.

Major Assumptions

1. The EHM System operability is monitored in the control room through status lights.
2. There is no maintenance or testing unavailability which significantly impacts the availability of the EHM System.
3. Failures of individual igniter groups on a circuit do not impact the function of removing hydrogen from containment.
4. The probability of independent igniter failures, in sufficient number to fail a particular train, is considered negligible. Therefore, igniter failures are not modeled.
5. The probability of multiple breaker failures associated with igniter groups is considered negligible. Therefore, igniter group breakers are not modeled.
6. It is assumed that failure to de-energize the igniters following a test results in system failure (LHE).

System Reliability Results

The EHM System cut sets (see cut set table below) illustrate the high reliability of the system. Since the EHM System has two redundant trains, the only single point failure is the operator action required to energize each circuit. This dynamic human error is also the dominant cut set for the system. Other cut sets consist of independent failures of both trains.

Top Cut Sets For Gate EHMFAILS: Hydrogen Mitigation System Fails

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.00E-03 | XHM1A1BDHE | Operators Fail To Energize The Igniters | 1.00E-03 |
| 9.00E-06 | XHMTRNALHE | Latent Human Error Fails Train A | 3.00E-03 |
| | XHMTRNBLHE | Latent Human Error Fails Train B | 3.00E-03 |
| 6.42E-06 | XHMF08ATLF | 600/120 V ac Transformer in MCC IEMXB-F08A Fails | 2.14E-03 |
| | XHMTRNALHE | Latent Human Error Fails Train A | 3.00E-03 |
| 6.42E-06 | XHMF07ACLT | 600 V ac Breaker IEMXI-F07A Transfers Position | 2.14E-03 |
| | XHMTRNBLHE | Latent Human Error Fails Train B | 3.00E-03 |
| 6.42E-06 | XHM0014TLF | 600/120 V ac Transformer IXFMR0014 Fails | 2.14E-03 |
| | XHMTRNALHE | Latent Human Error Fails Train A | 3.00E-03 |
| 6.42E-06 | XHM0013TLF | 600/120 V ac Transformer IXFMR0013 Fails | 2.14E-03 |
| | XHMTRNBLHE | Latent Human Error Fails Train B | 3.00E-03 |
| 6.42E-06 | XHMF08ACLT | 600 V ac Breaker IEMXB-F08A Transfers Position | 2.14E-03 |
| | XHMTRNALHE | Latent Human Error Fails Train A | 3.00E-03 |
| 6.42E-06 | XHMF07ATLF | 600/120 V ac Transformer in MCC IEMXI-F07A Fails | 2.14E-03 |
| | XHMTRNBLHE | Latent Human Error Fails Train B | 3.00E-03 |
| 4.58E-06 | XHM0013TLF | 600/120 V ac Transformer IXFMR0013 Fails | 2.14E-03 |
| | XHMF08ACLT | 600 V ac Breaker IEMXB-F08A Transfers Position | 2.14E-03 |
| 4.58E-06 | XHMF07ATLF | 600/120 V ac Transformer in MCC IEMXI-F07A Fails | 2.14E-03 |
| | XHMF08ACLT | 600 V ac Breaker IEMXB-F08A Transfers Position | 2.14E-03 |
| 4.58E-06 | XHM0014TLF | 600/120 V ac Transformer IXFMR0014 Fails | 2.14E-03 |
| | XHMF07ATLF | 600/120 V ac Transformer in MCC IEMXI-F07A Fails | 2.14E-03 |
| 4.58E-06 | XHM0014TLF | 600/120 V ac Transformer IXFMR0014 Fails | 2.14E-03 |
| | XHMF07ACLT | 600 V ac Breaker IEMXI-F07A Transfers Position | 2.14E-03 |
| 4.58E-06 | XHMF07ACLT | 600 V ac Breaker IEMXI-F07A Transfers Position | 2.14E-03 |
| | XHMF08ACLT | 600 V ac Breaker IEMXB-F08A Transfers Position | 2.14E-03 |
| 4.58E-06 | XHMF07ACLT | 600 V ac Breaker IEMXI-F07A Transfers Position | 2.14E-03 |
| | XHMF08ATLF | 600/120 V ac Transformer in MCC IEMXB-F08A Fails | 2.14E-03 |

Total Gate Probability = 1.20E-03

Importance Table For Gate EHMFAILS: Hydrogen Mitigation System Fails

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| XHM1A1BDHE | Operators Fail To Energize The Igniters | 83.6% | 836.1 |
| XHMTRNALHE | Latent Human Error Fails Train A | 3.5% | 12.6 |
| XHMTRNBLHE | Latent Human Error Fails Train B | 3.5% | 12.6 |
| XHM0013TLF | 600/120 V ac Transformer IXFMR0013 Fails | 2.5% | 12.6 |
| XHM0014TLF | 600/120 V ac Transformer IXFMR0014 Fails | 2.5% | 12.6 |
| XHMF07ACLT | 600 V ac Breaker IEMXI-F07A Transfers Position | 2.5% | 12.6 |
| XHMF07ATLF | 600/120 V ac Transformer in MCC IEMXI-F07A Fails | 2.5% | 12.6 |
| XHMF08ACLT | 600 V ac Breaker IEMXB-F08A Transfers Position | 2.5% | 12.6 |
| XHMF08ATLF | 600/120 V ac Transformer in MCC IEMXB-F08A Fails | 2.5% | 12.6 |
| XHMNW36SWT | Control Switch NW36 Transfers Position | 1.3% | 12.6 |
| XHMNW37SWT | Control Switch NW37 Transfers Position | 1.3% | 12.6 |
| XHMTRAMRYT | Train A M Contacts Transfer Position | 1.3% | 12.6 |
| XHMTRBMRYT | Train B M Contacts Transfer Position | 1.3% | 12.6 |
| XHMB03AFUF | Fuse 3A in MCC IEMXB-F08A Fails | 0.8% | 12.6 |

Figure A.15-1 Rev. 2 Hydrogen Mitigation System Simplified Diagram (Page 2 of 2)

A.16 Containment Spray System

System Description

A simplified diagram of the Containment Spray (NS) System is shown in Figure A.16-1. The NS System is an engineered safety system which removes thermal energy from the containment in the event of a loss of coolant accident. The heat removal capability is designed to keep the containment pressure below 15 psig after all ice has melted and steam generated in the reactor core continues to be released to containment.

The NS System is comprised of two trains. Each train consists of a pump, heat exchanger, valves, spray headers and associated piping necessary to deliver flow to the NS spray headers. The NS System is designed to take flow from two separate sources: the Refueling Water Storage Tank (FWST) or the reactor containment sump.

When aligned to the FWST, the system is in the injection phase; while aligned to the containment sump, the system is operating in the recirculation phase.

The NS pumps are redundant, 100% capacity centrifugal pumps. The pumps require motor cooling (KC System), electrical power for operation and controls, as well as external control signals for actuation. Each pump is rated at 3400 gpm with a design head of 390 ft.

The NS heat exchangers are vertical shell and U-tube type exchangers with shell-side cooling provided by the Nuclear Service Water (RN) System.

Key NS System valves are motor-operated and are normally closed. They open upon receipt of an SP signal from the ESFAS.

The NS spray nozzles are located on six spray ring headers in the upper containment. Two spray ring headers serve each NS pump. One spray ring header serves each of the ND System pumps; however, that mode of containment spray is not modeled in this analysis.

The NS System operates only in emergency conditions and has no normal mode of operation.

The function of the Containment Spray System is performed in two modes of operation: injection and recirculation. During normal plant operation, the NS System is in a standby mode, with the NS pumps aligned to draw suction from the FWST.

The injection mode of the NS System is actuated by an SP signal. The SP signal starts the NS pumps and opens the discharge valves to the spray headers. If, after receiving an SP signal, the containment pressure falls below the containment pressure setpoint, the NS pumps are automatically turned off and the discharge valves closed. If the pressure increases above the containment pressure setpoint after the pumps have stopped, the Containment Pressure Control System (CPCS) automatically restarts the pumps and opens the discharge valves.

System Success Criteria

The three top events are defined as: failure to inject, failure to scrub during recirculation, and failure to cool during recirculation. For each of the top events, the success criterion is defined as operation of one of two NS trains, with one of two headers in the operating train.

Major Assumptions

1. The failure of the Nuclear Service Water System to supply cooling to the NS heat exchangers is assumed to result in a failure of the NS containment cooling function, but not the radionuclide scrubbing function.
2. The containment pressure instruments could fail low between tests without being noticed.
3. It is assumed that whenever the NS System is required to operate, conditions exist which generate an SP signal.
4. It is assumed that if a component fails during injection, it remains failed during recirculation.
5. The total mission time for the injection and recirculation function is 24 hours.
6. Diversion of flow through the test header is not modeled. The possibility that two locked-closed manual valves in series (INS 25 and INS 70, or INS 8 and INS 70) would transfer open is insignificant when compared to other failure modes. In addition, an LHE on these valves is not considered since these valves are locked-closed.

System Reliability Results

System failures in the injection phase are dominated by common cause failure of the NS pumps to start, common cause failure of the NS header supply valves to open and failure of the FWST.

System failures in the scrubbing phase are dominated by common cause failure of the recirculation suction valves (INI184B and INI185A) to open and common cause failure of the FWST suction valves and sump suction valves.

Major contributors for the recirculation phase are identical to those of the scrubbing phase with two additional events. The recirculation phase is dominated by the failure to manually open the NS heat exchanger RN isolation valves.

One important event in both the scrubbing and recirculation phases is that the drains from upper to lower containment are left closed due to latent human error. This would starve the sump of water located in the upper containment and eventually cause the suction source to the ND and NS pumps during these phases to be depleted.

Top Cut Sets For Gate S1: Containment Spray System In Injection Fails

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 3.18E-04 | SNSDABSCOM | Common Cause Failure of NS Pumps To Start | 3.18E-04 |
| 1.75E-04 | SNSOHDRCOM | Common Cause Failure of MOV Spray Header Valves To Open | 1.75E-04 |
| 2.38E-05 | SNS001BZPS | NS Pump 1B Fails To Start | 4.75E-03 |
| | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 2.38E-05 | SNS001AZPS | NS Pump 1A Fails To Start | 4.75E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 2.26E-05 | SNS001AZPS | NS Pump 1A Fails To Start | 4.75E-03 |
| | SNS001BZPS | NS Pump 1B Fails To Start | 4.75E-03 |
| 2.09E-05 | SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 4.17E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.98E-05 | SNS001BZPS | NS Pump 1B Fails To Start | 4.75E-03 |
| | SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 4.17E-03 |
| 1.80E-05 | IFWFWSTTKF | FWST Fails | 1.80E-05 |
| 1.50E-05 | SNSTRNALHE | Latent Human Error Fails NS Train 1A | 3.00E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.50E-05 | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |
| | SNSTRNBLHE | Latent Human Error Fails NS Train 1B | 3.00E-03 |
| 1.42E-05 | SNS001AZPS | NS Pump 1A Fails To Start | 4.75E-03 |
| | SNSTRNBLHE | Latent Human Error Fails NS Train 1B | 3.00E-03 |
| 1.42E-05 | SNS001BZPS | NS Pump 1B Fails To Start | 4.75E-03 |
| | SNSTRNALHE | Latent Human Error Fails NS Train 1A | 3.00E-03 |
| 1.25E-05 | SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 4.17E-03 |
| | SNSTRNBLHE | Latent Human Error Fails NS Train 1B | 3.00E-03 |
| 9.00E-06 | SNSTRNALHE | Latent Human Error Fails NS Train 1A | 3.00E-03 |
| | SNSTRNBLHE | Latent Human Error Fails NS Train 1B | 3.00E-03 |
| 8.45E-06 | SNS5180PTL | Pressure Transmitter INSPT5180 Fails Low | 1.69E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 8.45E-06 | SNS5270PTL | Pressure Transmitter INSPT5270 Fails Low | 1.69E-03 |
| | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |

Total Gate Probability = 8.91E-04

Top Cut Sets For Gate S2: Containment Spray System In Recirculation Fails For Scrubbing

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.75E-04 | LNDMOVSCOM | Common Cause Failure of Recirculation Suction Valves | 1.75E-04 |
| 1.75E-04 | SNSRWSCCOM | Common Cause Failure of NS Suction Valves From RWST | 1.75E-04 |
| 1.00E-04 | INIRECIDHE | Operator Fails Recirculation Switchover | 1.00E-04 |
| 2.09E-05 | SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 4.17E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.80E-05 | SNSDRNVLHE | Drains From Upper To Lower Containment Closed | 1.80E-05 |
| 1.75E-05 | SNS018AMVO | Motor Operated Valve INS 18A Fails To Open | 3.50E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.75E-05 | SNS003BMVC | Motor Operated Valve INS 3B Fails To Close | 3.50E-03 |
| | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.75E-05 | SNS001BMVO | Motor Operated Valve INS 1B Fails To Open | 3.50E-03 |
| | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.75E-05 | SNS020AMVC | Motor Operated Valve INS 20A Fails To Close | 3.50E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.50E-05 | SNSTRNALHE | Latent Human Error Fails NS Train 1A | 3.00E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.50E-05 | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |
| | SNSTRNBLHE | Latent Human Error Fails NS Train 1B | 3.00E-03 |
| 1.49E-05 | SNSDABRCOM | Common Cause Failure of NS Pumps To Run | 1.49E-05 |
| 1.46E-05 | SNS003BMVC | Motor Operated Valve INS 3B Fails To Close | 3.50E-03 |
| | SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 4.17E-03 |

Total Gate Probability = 6.82E-04

Top Cut Sets For Gate S3: Containment Spray System In Recirculation Fails For Cooling

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.00E-03 | SNS01ABDHE | Failure to Open the Nuclear Service Water Isolation Valves for Containment Spray | 1.00E-03 |
| 1.75E-04 | SNSRWSCCOM | Common Cause Failure of NS Suction Valves From RWST | 1.75E-04 |
| 1.75E-04 | SRNOMOVCOM | Common Cause Failure of Cooling Water Supply Valves | 1.75E-04 |
| 1.75E-04 | LNDMOVSCOM | Common Cause Failure of Recirculation Suction Valves | 1.75E-04 |
| 1.00E-04 | INIRECIDHE | Operator Fails Recirculation Switchover | 1.00E-04 |
| 2.09E-05 | SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 4.17E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.80E-05 | SNSDRNVLHE | Drains From Upper To Lower Containment Closed | 1.80E-05 |
| 1.75E-05 | SNS003BMVC | Motor Operated Valve INS 3B Fails To Close | 3.50E-03 |
| | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.75E-05 | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |
| | SRN229BMVO | Motor Operated Valve IRN229A Fails to Open | 3.50E-03 |
| 1.75E-05 | SNS018AMVO | Motor Operated Valve INS 18A Fails To Open | 3.50E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.75E-05 | SNS020AMVC | Motor Operated Valve INS 20A Fails To Close | 3.50E-03 |
| | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| 1.75E-05 | SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.00E-03 |
| | SRN144AMVO | Motor Operated Valve IRN144A Fails to Open | 3.50E-03 |
| 1.75E-05 | SNS001BMVO | Motor Operated Valve INS 1B Fails To Open | 3.50E-03 |
| | SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.00E-03 |

Total Gate Probability = 1.87E-03

Importance Table For Gate S1: Containment Spray System In Injection Fails

| Event Name | Event Description | FV | RAW |
|---|---|---|---|
| SNS0ABSCOM | Common Cause Failure of NS Pumps To Start | 35.7% | 1120.0 |
| SNSOHDRCOM | Common Cause Failure of MOV Spray Header Valves To Open | 19.6% | 1120.0 |
| SNS001BZPS | NS Pump 1B Fails To Start | 11.8% | 25.4 |
| SNS001AZPS | NS Pump 1A Fails To Start | 9.8% | 21.4 |
| SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 9.6% | 19.9 |
| SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 8.6% | 21.4 |
| SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 7.5% | 15.9 |
| SNSTRNBLHE | Latent Human Error Fails NS Train 1B | 7.4% | 25.4 |
| SNSTRNALHE | Latent Human Error Fails NS Train 1A | 6.2% | 21.4 |
| SNS5260PTL | Pressure Transmitter INSPT5260 Fails Low | 4.2% | 25.5 |
| SNS5270PTL | Pressure Transmitter INSPT5270 Fails Low | 4.2% | 23.5 |
| SNS5180PTL | Pressure Transmitter INSPT5180 Fails Low | 3.5% | 21.5 |
| SNS5190PTL | Pressure Transmitter INSPT5190 Fails Low | 3.5% | 21.5 |
| IFWFWSTTKF | FWST Fails | 2.0% | 1120.0 |
| SNS001BZPR | NS Pump 1B Fails To Run | 1.4% | 25.4 |
| SNS001AZPR | NS Pump 1A Fails To Run | 1.2% | 21.4 |
| SNS003BMVT | Motor Operated Valve INS 3B Transfers Closed | 1.0% | 25.5 |
| SNS0004CVO | Check Valve INS 4 Fails To Open | 0.5% | 25.3 |

Importance Table For Gate S2: Containment Spray System In Recirculation Fails For Scrubbing

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| SNSRWSCCOM | Common Cause Failure of NS Suction Valves From RWST | 15.4% | 878.8 |
| SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 9.5% | 19.7 |
| INIRECIDHE | Operator Fails Recirculation Switchover | 8.8% | 878.8 |
| SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 8.4% | 20.8 |
| SNS001BMVO | Motor Operated Valve INS 1B Fails To Open | 8.2% | 24.0 |
| SNS003BMVC | Motor Operated Valve INS 3B Fails To Close | 8.2% | 24.0 |
| SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 7.9% | 16.5 |

Importance Table For Gate S3: Containment Spray System In Recirculation Fails For Cooling

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| SNS01ABDHE | Failure to Open the Nuclear Service Water Isolation Valves for Containment Spray | 38.3% | 383.7 |
| LNDMOVSCOM | Common Cause Failure of Recirculation Suction Valves | 6.7% | 383.7 |
| SNSRWSCCOM | Common Cause Failure of NS Suction Valves From RWST | 6.7% | 383.7 |
| SRN0MOVCOM | Common Cause Failure of Cooling Water Supply Valves | 6.7% | 383.7 |
| SNSTRNBTRM | NS Train 1B Unavailable Due To Test Or Maintenance | 5.7% | 12.3 |
| SNSTRNATRM | NS Train 1A Unavailable Due To Test Or Maintenance | 5.0% | 10.9 |
| INIRECIDHE | Operator Fails Recirculation Switchover | 3.8% | 283.7 |
| SNSTRNALHE | Latent Human Error Fails NS Train 1A | 3.6% | 12.8 |
| SNSTRNBLHE | Latent Human Error Fails NS Train 1B | 3.5% | 12.6 |
| SNS003BMVC | Motor Operated Valve INS 3B Fails To Close | 3.3% | 10.2 |
| SRN144AMVO | Motor Operated Valve IRN144A Fails to Open | 3.3% | 10.2 |
| SRN225BMVO | Motor Operated Valve IRN225B Fails to Open | 3.2% | 10.0 |
| SNS020AMVT | Motor Operated Valve INS 20A Transfers Closed | 2.8% | 7.7 |
| SNS018AMVO | Motor Operated Valve INS 18A Fails To Open | 2.8% | 8.9 |
| SRN148AMVO | Motor Operated Valve IRN148A Fails to Open | 2.8% | 8.9 |
| SNS001BMVO | Motor Operated Valve INS 1B Fails To Open | 2% | 8.7 |
| SNS5260PTL | Pressure Transmitter INSPT5260 Fails Low | 2.6% | 15.9 |
| SNS5270PTL | Pressure Transmitter INSPT5270 Fails Low | 2.6% | 15.9 |
| SNS5180PTL | Pressure Transmitter INSPT5180 Fails Low | 2.3% | 14.6 |
| SNS5190PTL | Pressure Transmitter INSPT5190 Fails Low | 2.3% | 14.6 |
| SNS020AMVC | Motor Operated Valve INS 20A Fails To Close | 2.3% | 7.6 |
| SRN229BMVO | Motor Operated Valve IRN229A Fails to Open | 2.3% | 7.4 |
| SNSHX1BHXF | Containment Spray Heat Exchanger 1B Fails | 2.1% | 15.9 |
| SNSHX1AHXF | Containment Spray Heat Exchanger 1A Fails | 1.9% | 14.6 |

Figure A.16-1 Rev. 2 Containment Spray System Diagram


Figure A.16-3 Rev. 2 Nuclear Service Water Cooling To Containment Spray Heat Exchangers

A.17 Containment Isolation

System Description

The function of containment isolation is to prevem release of radionuclides from the containmcat. There are two containment isolation signals. A phase A isolation is actuated by the automatic safety injection signal; phase B isolation, by the containment spray actuation signal derived from the high-high containment pressure signal. The phase A (ST) and phase B (SP) isolation signals close fluid line pene'. rations not required for engineered safety features operation. Purge line penetrations opening directly to the containment atmosphere are closed by a phase A isolation signal or by a high coutainment radiation signal (SH). Only those paths that are determined to be risk-significant have been moda'ed.

Since the analysis begins with the plant state immediately following a core damage sequence, it may be assumed that conditions demanding actuation of containment isolation exist. Thus, the absence of an isolation signal would only be the result of a failure, either in the mechanisins detecting a need for isolation, or in the isolation signal itself. If an ST signal has not been generated, then the rise in containment radiation will generate an SH :ignal to close the purge lines.

The Containment Purge (VP) System is used to purge the containment and the incore instrument room when tests or maintenance ere to be performed on equipment inside these areas. The VP system is shown schematically in Figure A.17-1. The VP System is not used during mrmal plant operation. During refueling, the VP System is used to reduce the concentration of airborne fission products in Containment to within acceptable levels, in order to allow personnel access. The VP System containment isolation valves are kept c'osed during normal plant operation.

As shown on Figure A.17-1, the Containment Purge System is divided into two main portions. Supply and exhaust ducts pass through the Reactor Building at penetrations M2001 and M2002 respectively. These ducts branch in the annulus to penetrations M456, M432, M368, and M433 in upper containment, M357, M434 and M119 in lower containment and M213 and M140 in the incore instrument room. On each side of each penetration through the containment, there is an electro-pneumatic butterfly valve. The incore instrumentation inlet is a 12-inch penetration; all of the other VP System penetrations are 24 inches.

The Containment Air Release and Addition (VQ) System is utilized to maintain containment pressure between the limits specified in the Catawba Technical Specifications. The system is capable of maintaining the correct pressure during all operating modes including startup and shutdown. A schematic diagram of the VQ System is shown in Figure A.17-2. Containment isolation valves 1VQ2A, 1VQ3B, 1VQ15B, 1VQ16A, and 1VQ13 are controlled from the HVAC control panel in the main control room. They close automatically on containment high pressure to isolate containment. Valve 1VQ10 is controlled by a manual loader located on the main control room HVAC panel; it closes automatically at 0 psig containment pressure decreasing and upon high radiation.

The Containment Hydrogen Purge subsystem is utilized to reduce the post accident hydrogen concentration if the hydrogen recombiners fail and is not used during normal plant operation. The system consists of a hydrogen purge blower and a configuration of valves to control the discharge from containment to the annulus. The modeled part of the Hydrogen Purge subsystem is shown in Figure A.17-3. This consists of two normally closed motor-operated valves 1VY17A and 1VY18B, air operated valve 1VY19 and the 4 inch line which passes through penetration M346.

Another system that potentially provides an air-to-air pathway from containment is the Liquid Radwaste (WL) System. This system collects, segregates, and processes all radioactive and potentially radioactive liquids generated in the plant. The WL System is divided into eight subsystems, three of which exit containment. Only one of these subsystems, the Ventilation Unit Condensate Discharge Tank (VUCDT) Subsystem, has a pathway that can be a potentially significant contributor to risk.

The VUCDT Subsystem transfers the condensate from the containment ventilation units to a 5000 gallon tank in the Auxiliary Building. The VUCDT piping exits the Containment through penetration M221. Motor-operated isolation valves 1WL867A and 1WL869B are located inside and outside of the Reactor Building, respectively, and close on receipt of an SP containment isolation signal. Air-operated valve 1WL929 can also be used to isolate penetration M221. A schematic diagram of the VUCDT Subsystem is shown in Figure A.17-4.

Two personnel airlocks provide access into the Reactor Building. Each airlock consists of two doors with plexiglass viewports, a telephone and P.A. speaker, a Volumetrics leak detection package, three push button control stations, two inflatable door seals and an airlock chamber. Each door is held shut with two 208 V ac linear actuator door latches. Each door seal has an air supply and air tanks associated with it. Control room annunciators will sound if the seal for any airlock door deflates or if any airlock door is not fully closed. An annunciator alarm also sounds to indicate trouble with the airlock leak rate instrument.

System Success Criteria

Containment isolation has succeeded when all penetrations and airlocks are isolated for the mission time. A penetration is considered isolated if at least one of its isolation valves is fully closed. An airlock is considered isolated if it has not been left open due to human error.

Major Assumptions

1. Containment isolation penetration seals are assumed not to leak. This is based on the judgment that leakage past penetration seals would be very small.
2. Water in the loop seal of the VUCDT will be blown out by containment pressure during an accident.
3. The VQ System is in operation (valves open) 18% of the time. (This is based on observations by plant personnel.)
4. The VY System hydrogen purge line through M332 and M346 is assumed not to be in use.
5. The circumstance where a normally open valve leaks significantly when closed is covered in the fails to close probability value.
6. A leak rate test is required to be performed on the containment purge valves after opening and reclosing. Because of this, no latent human error is modeled for purge penetrations.
7. It is assumed that a small containment isolation failure could result from a latent human error. This was modeled without assigning the event to any particular flow path.

System Reliability Results

The following tables present the top cut sets for failure to isolate containment as well as the dominant basic events. These cut sets are generated with the containment isolation fault tree alone. That is, the support system fault trees have not been linked; therefore, the solution represents those cases where ac power is available.

Many core damage sequences are a result of failures of all ac power. For these sequences, penetrations requiring motor-operated valves to close become the dominant contributors to failure of the containment to isolate. The human error, ZWLM221DHE - failure to isolate the WL System containment ventilation condensate line, is the most important contributor to containment failure probability for cases where no ac power is available.

Top Cut Sets For Gate Z100: Containment Isolation Fails

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.75E-04 | ZCIWLMVCOM | Common Cause Failure of M221 Motor Operated Valves To Close | 1.75E-04 |
| 1.00E-04 | ZCISMLLLHE | Latent Human Error Results in a Small CI Failure | 1.00E-04 |
| 5.00E-05 | ZCILWERLHE | Human Error Fails Emergency Personnel Hatch Isolation | 5.00E-05 |
| 5.00E-05 | ZCIUPERLHE | Human Error Fails Upper Personnel Hatch Isolation | 5.00E-05 |
| 1.23E-05 | ZWL867AMVC | Motor Operated Valve 1WL867A Fails To Close | 3.50E-03 |
| | ZWL869BMVC | Motor Operated Valve 1WL869B Fails To Close | 3.50E-03 |
| 9.30E-06 | ZVP001BAVT | Air Operated Valve 1VP1B Transfers Open | 3.05E-03 |
| | ZVP002AAVT | Air Operated Valve 1VP2A Transfers Open | 3.05E-03 |
| 9.30E-06 | ZVP003BAVT | Air Operated Valve 1VP3B Transfers Open | 3.05E-03 |
| | ZVP004AAVT | Air Operated Valve 1VP4A Transfers Open | 3.05E-03 |
| 9.30E-06 | ZVP006BAVT | Air Operated Valve 1VP6B Transfers Open | 3.05E-03 |
| | ZVP007AAVT | Air Operated Valve 1VP7A Transfers Open | 3.05E-03 |
| 9.30E-06 | ZVP008BAVT | Air Operated Valve 1VP8B Transfers Open | 3.05E-03 |
| | ZVP009AAVT | Air Operated Valve 1VP9A Transfers Open | 3.05E-03 |
| 9.30E-06 | ZVP010AAVT | Air Operated Valve 1VP10A Transfers Open | 3.05E-03 |
| | ZVP011BAVT | Air Operated Valve 1VP11B Transfers Open | 3.05E-03 |
| 9.30E-06 | ZVP012AAVT | Air Operated Valve 1VP12A Transfers Open | 3.05E-03 |
| | ZVP013BAVT | Air Operated Valve 1VP13B Transfers Open | 3.05E-03 |
| 9.30E-06 | ZVP015AAVT | Air Operated Valve 1VP15A Transfers Open | 3.05E-03 |
| | ZVP016BAVT | Air Operated Valve 1VP16B Transfers Open | 3.05E-03 |
| 7.49E-06 | ZACF05CCLT | 600 V ac Breaker 1EMXC F05C Transfers Position | 2.14E-03 |
| | ZWL869BMVC | Motor Operated Valve 1WL869B Fails To Close | 3.50E-03 |

Total Gate Probability = 4.79E-04

Importance Table For PZ100: Containment Isolation Fails

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| ZCIWLMVCOM | Common Cause Failure Of M221 Motor Operated Valves To Close | 36.6% | 2.09E+03 |
| ZCISMLLLHE | Latent Human Error Results in a Small CI Failure | 20.9% | 2.09E+03 |
| ZCILWERLHE | Human Error Fails Emergency Personnel Hatch Isolation | 10.4% | 2.09E+03 |
| ZCIUPERLHE | Human Error Fails Upper Personnel Hatch Isolation | 10.4% | 2.09E+03 |
| ZWL867AMVC | Motor Operated Valve 1WL867A Fails To Close | 4.4% | 1.36E+01 |
| ZWL869BMVC | Motor Operated Valve 1WL869B Fails To Close | 4.4% | 1.36E+01 |
| ZACF05CCLT | 600 V ac Breaker 1EMXC F05C Transfers Position | 2.7% | 1.36E+01 |
| ZACF06CCLT | 600 V ac Breaker 1EMXD F06C Transfers Position | 2.7% | 1.36E+01 |
| ZVP001BAVT | Air Operated Valve 1VP1B Transfers Open | 1.9% | 7.35E+00 |
| ZVP002AAVT | Air Operated Valve 1VP2A Transfers Open | 1.9% | 7.35E+00 |
| ZVP003BAVT | Air Operated Valve 1VP3B Transfers Open | 1.9% | 7.35E+00 |
| ZVP004AAVT | Air Operated Valve 1VP4A Transfers Open | 1.9% | 7.35E+00 |
| ZVP006BAVT | Air Operated Valve 1VP6B Transfers Open | 1.9% | 7.35E+00 |
| ZVP007AAVT | Air Operated Valve 1VP7A Transfers Open | 1.9% | 7.35E+00 |
| ZVP008BAVT | Air Operated Valve 1VP8B Transfers Open | 1.9% | 7.35E+00 |
| ZVP009AAVT | Air Operated Valve 1VP9A Transfers Open | 1.9% | 7.35E+00 |
| ZVP010AAVT | Air Operated Valve 1VP10A Transfers Open | 1.9% | 7.35E+00 |
| ZVP011BAVT | Air Operated Valve 1VP11B Transfers Open | 1.9% | 7.35E+00 |
| ZVP012AAVT | Air Operated Valve 1VP12A Transfers Open | 1.9% | 7.35E+00 |
| ZVP013BAVT | Air Operated Valve 1VP13B Transfers Open | 1.9% | 7.35E+00 |
| ZVP015AAVT | Air Operated Valve 1VP15A Transfers Open | 1.9% | 7.35E+00 |
| ZVP016BAVT | Air Operated Valve 1VP16B Transfers Open | 1.9% | 7.35E+00 |

Figure A.17-1 Rev. 2 Containment Purge System Simplified Diagram

Figure A.17-2 Rev. 2 Containment Air Release and Addition System Simplified Diagram

Figure A.17-3 Rev. 2 Containment Hydrogen Purge System Simplified Diagram

Figure A.17-4 VUCDT Subsystem schematic diagram

A.18 Reactor Protection System

System Description

The Reactor Protection System (RPS) provides the capability of rapid reactor shutdown through the release of control rods from their drive mechanisms, allowing the rods to fall by gravity into the reactor core. The system monitors diverse process variables related to the plant safety limits for DNBR, power density, and primary pressure. The RPS allows continued operation of the reactor within the predetermined boundaries of normal operation and, whenever a reactor trip parameter boundary limit is approached, the RPS automatically trips the reactor. The system also includes a manual reactor trip capability.

The basic reactor protection system is shown in Figure A.18-1. It consists of an analog section made up of either three or four protective channels (depending on the function) for each reactor trip parameter, a digital section providing identical coincident logic in two trains, two undervoltage drivers, and two reactor trip breakers (RTBs).

The analog section is the input portion of the RPS. It includes measuring devices for neutron flux, temperature, pressure, fluid flow, and fluid level. It also includes operational status detectors such as undervoltage and underfrequency devices, pressure switches, breaker auxiliary contacts and valve position limit switches. These, along with signal conditioning devices, are used to develop signals proportional to the reactor trip parameters and signals indicative of unsafe plant conditions. Bistables are used to set the operational limits of the variable reactor trip parameters. The bistables supply 24 V dc outputs for parameters within the normal range and 0 V dc for a trip signal. Each bistable controls two separate relays, one associated with reactor trip logic train A and one associated with reactor trip logic train B.

The Solid State Protection System (SSPS) is a dual train system which provides the coincident logic function of the RPS. The input relays form the interface between the analog system and the SSPS. The actuating part of an input relay is in the analog section of the RPS and the relay contacts are in the digital SSPS section. The logic inputs are applied to universal logic cards containing coincident logic circuitry. Coincidence logic is performed in both trains for each reactor trip parameter.

Outputs of the universal logic cards are applied to the undervoltage driver, a solid state switching device. Any reactor trip signal from the coincidence logic will turn off that train's undervoltage driver. There is only one undervoltage driver card per train of SSPS. The undervoltage driver normally provides a 48 V dc signal to a reactor trip breaker undervoltage coil and a shunt driver relay.

Each of the two protection trains opens a separate and independent reactor trip breaker, RTA or RTB. These two breakers are in series and connect three phase ac power from the rod drive motor generator sets to the rod drive power supply. A dc undervoltage coil on each breaker holds a trip plunger out against its spring, keeping the breaker closed. When a reactor trip signal occurs, the normal 48 V dc signal from the undervoltage driver goes to 0 V dc. The undervoltage coil releases the trip plunger and the breaker opens. When the rod drive power is interrupted, the control rods are released. In addition, when the undervoltage driver output goes to 0 V dc, the normally energized shunt driver relay drops out and a normally open contact of the relay closes, applying 125 V dc to a shunt trip device. Energizing the shunt trip device also opens the reactor trip breaker.

Manually initiating a reactor trip bypasses the logic and undervoltage driver card functions, directly de-energizing the undervoltage coil, and energizing the shunt trip device. The train A manual scram switch operates the train A breaker and the train B switch operates the train B breaker. Either switch operates the bypass breakers, which are used during testing.

During normal operation, the RPS is monitoring the reactor trip parameters, standing by to open the reactor trip breakers if operational limits are reached. The performance requirements are expressed in terms of maximum system response times, parameter measurement accuracies, and minimal ranges of measurement to be accommodated.

System Success Criteria

The function of RPS is to shut down the reactor before limiting conditions are reached. It acts to limit core damage for infrequent faults and limits the energy generated in the core when limiting fault conditions are present.

The system is successful if at least one rod cluster control assembly (RCCA) drops into the core on the occurrence of an initiating event. This adds sufficient reactivity to preclude the peak pressure concerns of an ATWS. Success of the RPS is accomplished when either reactor protection train trips its respective reactor trip breaker.

Major Assumptions

1. Automatic and manual actuations are modeled. For the ATWS condition, manual actuation must be completed within one minute of the start of the transient.
2. A successful reactor trip signal to the undervoltage driver is assumed. For the ATWS limiting event, at least the following trip functions are assumed to be challenged before a reactor trip will fail to mitigate progression of the overpressurization transient:

   (a) Pressurizer high pressure
   (b) Overtemperature delta T
   (c) Pressurizer high water level
   (d) Low low steam generator water level (4)

   Failure of the least reliable of these trip functions, through separate analysis, is less than 1.0E-5; therefore, failure of two or more trip functions is considered probabilistically insignificant.
3. Inadvertent or spurious actuations are not failures and are not modeled.

System Reliability Results

The results confirm that the RPS is a highly reliable system, which makes the ATWS event a small contributor to the overall core melt risk. The common cause mechanical failure of the reactor trip breakers along with failure of the operators to manually drive control rods and an insufficient number of control rods dropping into the core on a scram represent the major contributors to system unreliability, as shown in the following tables.

ATWS Initiator Assessment

Failure of the RPS in conjunction with a transient which should cause a plant trip is called an Anticipated Transient Without Trip (ATWS) event. Under the worst conditions, certain ATWS initiating transients develop primary pressure excursions that exceed the reactor coolant system's limits, leading to a loss of coolant accident. These "worst conditions" include either the failure to trip the turbine within approximately 60 seconds after a loss of main feedwater initiator, or a reactor moderator temperature coefficient that is insufficient to turn reactor power downward before damaging pressures are reached. Two transient initiators, loss of load (turbine trip) and loss of main feedwater, can develop the steep primary pressure transients necessary to exceed primary pressure limits. The ATWS event tree is shown in Figure A.18-4. The overpressurization sequences from the ATWS event tree are as follows:

1. For a turbine trip initiator, the sequence A1KE (6.12E-08)
2. For a loss of main feedwater (LOFW) initiator, A2KE (6.52E-08)
3. For a loss of main feedwater (LOFW) initiator and A2T1K (1.30E-08)

where:

A1 is the turbine trip initiator
A2 is the LOFW initiator
K is the failure of RPS
E is the unfavorable moderator temperature coefficient
T1 is the failure of AMSAC to trip the turbine

Other core damaging sequences from the ATWS event tree which do not involve overpressurization are described below. These sequences are of very low probability and do not contribute to the calculated CDF.

Sequence AKH

The reactor is successfully shut down with failure to provide secondary side heat removal in time to prevent exceeding core thermal limits.

Sequence AKU

The reactor continues power operation at a level that emergency feedwater will support. The end state is stable, but the reactor is never fully shut down, so a core melt is conservatively assumed to occur.

Top Cutsets for Gate RPSCRAM: Reactor Fails to Scram Given Initiating Event

| Cut Set Probability | Event Name | Event Description | Event Probability |
|---|---|---|---|
| 1.60E-06 | QRODSINDHE | Failure to Drive Control Rods if the Reactor Doesn't Trip Following an ATWS | 1.00E-01 |
| | QRPBKRSCOM | Reactor Trip Breaker Common Cause Failure | 1.60E-05 |
| 1.00E-06 | QRPRODSDEX | Insufficient Number of Control Rods Drop into Core on Scram | 1.00E-06 |
| 6.10E-08 | QRPDRVRCOM | Undervoltage Driver Common Cause Failure | 6.12E-05 |
| | QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 1.00E-03 |
| | QRPNORMDEX | RPS in Normal Configuration | 9.97E-01 |
| 1.84E-09 | QRPDVRADEX | Train A Undervoltage Driver Fails | 6.12E-04 |
| | QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 1.00E-03 |
| | QRPTESTDEX | RPS in Testing Configuration | 3.00E-03 |
| 3.73E-10 | QRPDVRADEX | Train A Undervoltage Driver Fails | 6.12E-04 |
| | QRPDVRBDEX | Train B Undervoltage Driver Fails | 6.12E-04 |
| | QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 1.00E-03 |
| | QRPNORMDEX | RPS in Normal Configuration | 9.97E-01 |
| 3.29E-10 | QRPDVRADEX | Train A Undervoltage Driver Fails | 6.12E-04 |
| | QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 1.00E-03 |
| | QRPNORMDEX | RPS in Normal Configuration | 9.97E-01 |
| | QRPRTBBDEX | Reactor Trip Breaker B Mechanical Failure | 5.40E-04 |
| 3.29E-10 | QRPDVRBDEX | Train B Undervoltage Driver Fails | 6.12E-04 |
| | QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 1.00E-03 |
| | QRPNORMDEX | RPS in Normal Configuration | 9.97E-01 |
| | QRPRTBADEX | Reactor Trip Breaker A Mechanical Failure | 5.40E-04 |
| 2.91E-10 | QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 1.00E-03 |
| | QRPNORMDEX | RPS in Normal Configuration | 9.97E-01 |
| | QRPRTBADEX | Reactor Trip Breaker A Mechanical Failure | 5.40E-04 |
| | QRPRTBBDEX | Reactor Trip Breaker B Mechanical Failure | 5.40E-04 |

Total Gate Probability = 2.66E-06

Importance Table for Gate RPSCRAM: Reactor Fails to Scram Given Initiating Event

| Event Name | Event Description | F-V | RAW |
|---|---|---|---|
| QRODSINDHE | Failure to Drive Control Rods if the Reactor Doesn't Trip Following an ATWS | 60.1% | 6 |
| QRPBKRSCOM | Reactor Trip Breaker Common Cause Failure | 60.1% | 37500 |
| QRPRODSDEX | Insufficient Number of Control Rods Drop into Core on Scram | 37.5% | 375000 |
| QRPMTRPDHE | Operator Fails to Manually Scram the Reactor | 2.4% | 25 |
| QRPNORMDEX | RPS in Normal Configuration | 2.3% | 1 |
| QRPDRVRCOM | Undervoltage Driver Common Cause Failure | 2.3% | 376 |
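The F-V and RAW columns can be recomputed from the RPSCRAM cut set table; the same arithmetic underlies the Gate Z100 tables in A.17. The following is an added example, not part of the report or of the software used to produce it. It assumes the rare-event approximation (gate probability is the sum of the cut set products) and the standard Fussell-Vesely and Risk Achievement Worth definitions, neither of which the report states explicitly.

```python
from math import prod

# Basic event probabilities transcribed from the RPSCRAM cut set table.
EVENT_PROB = {
    "QRODSINDHE": 1.00e-01, "QRPBKRSCOM": 1.60e-05, "QRPRODSDEX": 1.00e-06,
    "QRPDRVRCOM": 6.12e-05, "QRPMTRPDHE": 1.00e-03, "QRPNORMDEX": 9.97e-01,
    "QRPTESTDEX": 3.00e-03, "QRPDVRADEX": 6.12e-04, "QRPDVRBDEX": 6.12e-04,
    "QRPRTBADEX": 5.40e-04, "QRPRTBBDEX": 5.40e-04,
}

# Minimal cut sets of gate RPSCRAM, in the order the table lists them.
CUT_SETS = [
    frozenset({"QRODSINDHE", "QRPBKRSCOM"}),
    frozenset({"QRPRODSDEX"}),
    frozenset({"QRPDRVRCOM", "QRPMTRPDHE", "QRPNORMDEX"}),
    frozenset({"QRPDVRADEX", "QRPMTRPDHE", "QRPTESTDEX"}),
    frozenset({"QRPDVRADEX", "QRPDVRBDEX", "QRPMTRPDHE", "QRPNORMDEX"}),
    frozenset({"QRPDVRADEX", "QRPMTRPDHE", "QRPNORMDEX", "QRPRTBBDEX"}),
    frozenset({"QRPDVRBDEX", "QRPMTRPDHE", "QRPNORMDEX", "QRPRTBADEX"}),
    frozenset({"QRPMTRPDHE", "QRPNORMDEX", "QRPRTBADEX", "QRPRTBBDEX"}),
]


def validate(cut_sets, probs):
    """Reject unknown events, bad probabilities, and duplicate or non-minimal cut sets."""
    for cs in cut_sets:
        for event in cs:
            if event not in probs:
                raise KeyError(f"no probability for basic event {event}")
            if not 0.0 <= probs[event] <= 1.0:
                raise ValueError(f"{event}: probability outside [0, 1]")
    for a in cut_sets:
        for b in cut_sets:
            # A cut set that contains another cut set adds nothing and
            # would be double counted by the rare-event sum.
            if a is not b and a <= b:
                raise ValueError(f"cut set {sorted(b)} is not minimal")


def cut_set_probability(cut_set, probs):
    """Product of the (assumed independent) basic event probabilities."""
    return prod(probs[e] for e in cut_set)


def gate_probability(cut_sets, probs):
    """Rare-event approximation: sum of the cut set probabilities."""
    return sum(cut_set_probability(cs, probs) for cs in cut_sets)


def fussell_vesely(event, cut_sets, probs):
    """Fraction of the gate probability carried by cut sets containing the event."""
    containing = sum(cut_set_probability(cs, probs)
                     for cs in cut_sets if event in cs)
    return containing / gate_probability(cut_sets, probs)


def risk_achievement_worth(event, cut_sets, probs):
    """Factor by which the gate probability grows if the event is certain."""
    forced = dict(probs, **{event: 1.0})
    return gate_probability(cut_sets, forced) / gate_probability(cut_sets, probs)


def importance_table(cut_sets, probs):
    """Rows of (event, F-V, RAW), highest F-V first."""
    validate(cut_sets, probs)
    events = sorted({e for cs in cut_sets for e in cs})
    rows = [(e, fussell_vesely(e, cut_sets, probs),
             risk_achievement_worth(e, cut_sets, probs)) for e in events]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(f"Total gate probability = {gate_probability(CUT_SETS, EVENT_PROB):.2E}")
    for name, fv, raw in importance_table(CUT_SETS, EVENT_PROB):
        print(f"{name}  F-V {fv:6.1%}  RAW {raw:10.4g}")
```

The high RAW of QRPBKRSCOM and QRPRODSDEX against their modest probabilities shows why common cause breaker failure and rod insertion failure are the events whose reliability must be preserved, while the operator action QRODSINDHE has a high F-V but a RAW of only about 6.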

Figure A.18-1 Rev. 2 Reactor Protection System Simplified Diagram

Figure A.18-2, Rev. 2 RPS Electrical Power Sources

Figure A.18-3 Rev. 2 Reactor Protection System, Train B Testing Configuration

Figure A.18-4 Rev. 2 - ATWS Event Tree

A.19 Interfacing Systems LOCA Analysis

Introduction

Numerous fluid interfaces exist between the Reactor Coolant (NC) System and its associated auxiliary systems. Each of these interfaces represents one or more pathways which can carry reactor coolant out of the containment. Since all of these auxiliary systems have at least portions which are designed for lower pressures than the NC design pressure of 2485 psig, failures of the components which isolate NC from the low pressure systems or personnel errors in assuring isolation can result in overpressurization events. If the overpressurization causes a fluid boundary failure, then a loss of coolant accident (LOCA) occurs. If the failure occurs outside containment, then the lost reactor coolant is not returned to the containment sump for recirculation, and no suction source will be available for the safety injection pumps upon depletion of the Refueling Water Storage Tank (FWST). In addition, a release path to the atmosphere is established, making this event a potentially important contributor to risk.

Screening

The number of pathways to be analyzed as potential interfacing systems LOCA (ISLOCA) pathways has been reduced significantly through a qualitative analysis. The detailed analysis of many of the interfaces is eliminated by showing that the consequences of any failures are not significant. Potential ISLOCA pathways are screened from detailed analysis if there are:

1. Flow restrictions which would restrict any leak that does occur to a rate below the capacity of normal charging.
2. No paths leading outside containment. A leak inside containment is considered to be an ordinary LOCA.
3. If the path is a simple case of more than three normally closed valves (including check valves) in series. These cases are ruled out as being improbable.

The four loop drains and the reactor vessel leak detection line lead to the NC drain tank located in lower containment. Any leak through these lines would lift relief valves that lead to the containment sump. Containment isolation valves in the path from the NC drain tank to the recycle holdup tank would close on an ST (phase "A" isolation) signal. For these reasons, this path is eliminated from detailed analysis.

The sample lines (NM) from loop A and C hot legs, as shown in Figure A.19-1, and from the pressurizer, as shown in Figure A.19-2, can be eliminated from detailed analysis. These are designed with flow restrictions sized such that flow from any break is less than the maximum flow from normal charging and makeup. These sample lines also have several isolation valves.

The reactor coolant pump seal return line has five possible pressure boundary failure points (Figure A.19-3). The first is a failure of valve 1NV101A which isolates the reactor coolant pump seal bypass lines. A failure of this valve would not result in significant consequences, since the small line size and flow restricting orifices would reduce the flow to an insignificant rate. The other four possible failures are failures of the number 1 controlled leakoff seals on the four reactor coolant pumps. Failure of one of these seals will increase the controlled leakoff flow, but would not result in significant consequences, since the flow would be restricted due to the small clearances in the seal cavity.

Finally, the reactor coolant pump seal injection lines (Figure A.19-3), the low pressure portions of the normal and alternate charging lines (Figure A.19-4), and the centrifugal charging pump (CCP) injection lines (Figure A.19-5) and the auxiliary pressurizer spray line (Figure A.19-4) are isolated from the NC System by numerous, normally closed valves, all of which would have to fail in order for a LOCA to occur. These pathways are screened out of further analysis based on assumption 3 above.

Pressure Boundary at 1NI183B

Valve 1NI183B is shown on Figure A.19-7. This valve isolates the path for ND recirculation to the reactor coolant hot legs. Two potential ISLOCA pathways are associated with the pressure boundary at 1NI183B, which is a normally closed, motor-operated valve (MOV). Each pathway has two check valves (1NI134 and 1NI129 or 1NI126 and 1NI125) in series between NC hot legs B and C and the MOV (1NI183B). The LOCA could be caused by ruptures of all three valves or by ruptures of the two check valves with the MOV left open after its stroke timing test. Power is removed from the MOV during normal operation, so spurious transfer of valve position is not considered to be applicable.

Pressure Boundary at 1ND2A and 1ND37A

Valves 1ND1B and 1ND2A are shown on Figure A.19-7. These valves isolate a 12 inch line which leads from NC System hot leg B to the inlet of residual heat removal (ND) pump 1A. In mode 1 (power operation), both valves are closed with power removed from their operators. The valve transfer failure mode is not considered for these valves. If one valve is left open, the other valve could rupture, or both valves could rupture.

Valves 1ND36B and 1ND37A are shown on Figure A.19-7. These valves isolate a 12 inch line which leads from NC System hot leg A to the inlet of residual heat removal (ND) pump 1B. In mode 1 (power operation), both valves are closed with power removed from the operator of valve ND37A only. The valve transfer failure mode is considered for valve ND36B. Since the auto closure interlocks for these four valves have been removed and there is an alarm indication in the control room for these valves being opened during Mode 1 (power operation), no human errors are applied to these valves. The exposure time for these valves is assumed to be 1 year for ruptures, and 24 hours (12 hours to detect and 12 hours to fix) for transfers.

Pressure Boundaries at 1NI173A and 1NI178B

The normal discharge from the ND pumps flows to each of the four NC cold legs through one normally open MOV (1NI173A or 1NI178B) and two check valves, as shown in Figure A.19-6. The failure modes for these lines include the failure of two check valves or the failure of one check valve if the other fails to close. The failure rate for a check valve failing to close on demand is 1.0E-03. The failure of the upstream check valve in one of these paths to close would be noticeable because the increased accumulator pressure would cause a relief valve to lift. Therefore, only the failure of the downstream check valve to close must be considered. The maximum hoop stress due to pressurization of the ND discharge piping to the full NC System design pressure would be 47,739 psi in the 8 inch schedule 20 pipe. This is considerably less than the ultimate tensile strength of the pipe material, which is 69,000 psi for SA312 Type 304 stainless steel at 650 degrees F. Therefore, it is appropriate to conclude that there will be no piping failure and the only pressure boundary failures due to this scenario would be relief valves opening, valve packing failures or gasket failures. The time to empty the FWST is greater than one hour for these leak paths.

A failure of this nature would be detected using LOCA Outside Containment procedure (EP/1/A/5000/08). The probability of the operator failing to close MOV within one hour (UNI173ADHE and UNI178BDHE) is 8.60E-03.

Pressure Boundary at 1NI162A

The normal flow path from the safety injection pumps to each of the four cold legs is through an open MOV and two check valves as shown in Figure A.19-8. Possible modes of failure include check valve rupture or failure to close. Three demands are used to account for any unanticipated use of this system.

The piping and components are not expected to fail due to overpressurization because the piping is hydrotested to 1.5 times its design pressure (2625 psig). Water hammer is not expected to occur since the piping and components are kept water solid.

Should either of these occur, relief valves 1NI119, 1NI161, and 1NI151 are expected to open and discharge to the recycle holdup tank. The relief valves would close when pressure decreased. If a relief valve should fail to close the operator can isolate flow by closing MOV 1NI162A. Because of the small design flow rate of these relief valves, this flow path has been screened from further analysis.

Pressure Boundaries at 1NI121A and 1NI152B

Safety Injection Pump train A discharges to hot legs B and C and Safety Injection Pump train B discharges to hot legs A and D. Each train is normally isolated from the NC System by two check valves and one closed MOV (1NI121A and 1NI152B) as is shown in Figure A.19-8. The piping and components upstream of the MOV are hydrotested at 1.5 times the design pressure (2625 psig). Since these components are tested at pressure which is higher than the NC System design pressure, the piping and components are not expected to fail due to overpressurization from exposure to NC System pressure.

Water hammer is not expected to occur since the piping and components are kept water solid. If this event was to occur, relief valves 1NI119, 1NI161, and 1NI151 would open and discharge to the recycle holdup tank. The relief valves would close when the pressure decreases to 1750 psig unless a relief valve fails to close. Because of the small design flow rate of these relief valves, this flowpath has been eliminated from further analysis.

Pressure Boundary at 1NV10A

During normal power operation, there is a continuous flow of fluid through the letdown line. Pressure reduction takes place across the letdown orifices. A schematic diagram is shown in Figure A.19-4. An overpressurization event outside of containment could occur due to an inadvertent isolation of letdown flow in the lower pressure piping, or a catastrophic failure of one of the letdown orifices. The lower pressure piping is protected from overpressurization by relief valve 1NV14, which discharges to the pressurizer relief tank inside containment. This relief valve is sized to relieve the maximum flow from all three letdown orifices. If the relief valve failed to open during this event, an ISLOCA might occur.

A catastrophic failure of a letdown orifice might also cause an ISLOCA through the letdown line. The relief valve 1NV14 does not have adequate capacity to handle an event such as this. A pressure boundary failure could occur outside containment as a result of this event, even if the relief valve opened.

Valve 1NV10A is designed to close automatically on low pressurizer level. This valve would have to fail to close in order for an ISLOCA to continue and have a possible consequence of core melt. Valves 1NV1A and 1NV2A also receive a signal to close on low pressurizer level, providing further protection against an event such as this.

Pressure Boundaries at 1KC450, 1KC362, 1KC343, and 1KC411

Controlled seal leakage through the number 1 NC pump seal is cooled by the thermal barrier heat exchanger. Figure A.19-9 shows a schematic diagram of the thermal barrier and the component cooling (KC) supply. In the event of thermal barrier rupture, the KC System could be exposed to NC System pressure. The KC supply to the thermal barrier contains a check valve and piping, designed to withstand NC design pressure, to prevent back flow into the KC System during such an event. The lower pressure KC System piping also contains a check valve inside containment at the Reactor Building penetration. This 8 inch schedule 40 pipe is made of SA106 grade B carbon steel. The hoop stress in this pipe would be 36,600 psi, if pressurized to full NC System pressure. This is considerably less than the ultimate tensile strength of the material (60,000 psi), so it is conservative to assume that this pipe and check valve inside containment do not fail. In order for an ISLOCA to occur at this pressure boundary, a failure of the thermal barrier heat exchanger and a failure of two check valves would have to occur.

Because an ISLOCA through this flow path would be restricted by the tube size in the reactor coolant pump thermal barrier, it would be relatively small. The capacity of the component cooling relief at the thermal barrier discharge is based on the maximum flow rate of reactor coolant which could possibly enter the KC System through a ruptured thermal barrier. This flow rate is 340 gpm. The minimum amount of water required to be in the FWST (363,513 gallons) would last in excess of 17 hours at this flow rate. Since this should be sufficient time to cool down the NC System and isolate the leak, this flow path is not considered further.

Pressure Boundaries at 1KC394A, 1KC364B, 1KC345A, and 1KC413B

Controlled seal leakage through the number 1 NC pump seal is cooled by the thermal barrier heat exchanger. Figure A.19-9 shows a schematic diagram of the thermal barrier and KC return. In the event that the thermal barrier should rupture, the KC System could be exposed to NC System pressure. The KC return contains an MOV which will automatically close on high flow such as in a thermal barrier rupture event. This valve and the piping between the valve and thermal barrier are designed to withstand NC System design pressure, in order that the flow of reactor coolant can be isolated. If the MOV should fail to close, the low pressure piping is further protected by relief valve 1KC281, which discharges inside containment. The relief valve is sized to handle the maximum flow of a thermal barrier rupture. For an ISLOCA to occur at any of these pressure boundaries, the thermal barrier would have to rupture, the MOV would have to fail to close, and the relief valve would have to fail to open.

Because an ISLOCA through this flow path would be restricted by the tube size in the reactor coolant pump thermal barrier, it would be relatively small. The capacity of the component cooling relief at the thermal barrier discharge is based on the maximum flow rate of reactor coolant which could possibly enter the KC System through a ruptured thermal barrier. This flow rate is 340 gpm. The minimum amount of water required to be in the FWST (363,513 gallons) would last in excess of 17 hours at this flow rate. Since this should be sufficient time to cool down the NC System and isolate the leak, this flow path is not considered further.

Results and Limitations

The frequency of the ISLOCA event at Catawba is the sum of the frequency of the ISLOCA through all of the individual flow paths. The ISLOCA frequency is estimated to be:

Flow Path             Frequency
NI183B                1.4E-09
ND letdown lines      1.4E-07
NI173A, NI178B        1.1E-07
NV1A, 10A, 13A        7.4E-11
Total =               2.5E-07

In the calculation of the ISLOCA frequency, events of small probability are considered. This raises a concern about the effect of potential common cause events.

Air-operated valves 1NV1A, 1NV2A, and 1NV10A are designed to close on a low pressurizer level signal. In an ISLOCA sequence involving a break in the letdown line downstream, these valves would automatically close to terminate the loss of coolant. Any one valve can close to isolate the letdown line. Thus, all three valves must fail to close to fail to isolate the line. As an upper bound case, all three valves could be considered as identical. Considering that a great deal of independence is provided by NV10A since it is of a different type, manufacturer, and location, a lower common cause multiplier is justified. A multiplier of 0.01 is considered appropriate for this application. The close signal does come from a single level transmitter (1 of 3). However, the probability of it failing is very low since this would be the same transmitter which is normally controlling the letdown flow. If the transmitter failed prior to the event, the letdown flow would not balance with charging flow and operators would discover this quickly. Thus, the exposure time on these transmitters is very short. Therefore, the common cause failure of all three air operated valves to close on demand is 2.20E-05.

It is assumed that all ISLOCAs result in core damage and containment bypass. Of the ISLOCA flow paths described above, the dominant paths are through 1NI173A and 1NI178B and through 1ND2A and 1ND36B. The potential consequences of an ISLOCA through 1NI173A and 1NI178B are the same as those of an ISLOCA through 1ND2A and 1ND36B. The leak rate and consequences through these two paths are significant and the entire ISLOCA frequency is conservatively assumed to result in the consequences associated with these paths. The breach of pressure boundary for these release paths is described below. The flow paths through ND2A and ND36B show up as important flow paths because only two valve failures are required for an ISLOCA to occur.

Figure A.19-10 shows the potential leak points that may result from an ISLOCA through 1NI173A, 1NI178B or 1ND2A. Calculations on the 12" letdown line and on the 18" pipe section to the containment sump valves indicate that the hoop stress, if these pipes are exposed to NC System operating pressure, is below the ultimate tensile strength of the pipe materials. Since the piping can withstand NC System pressure, it was assumed that the only pressure boundary failures would include relief valves lifting, valve packing failures, flange gasket leaks and pump seal leaks.

Top Cut Sets For Gate UTOP: ISLOCA Occurs

Cut Set Probability   Event Name   Event Description                                      Event Probability
7.09E-08              UND001BMVR   Motor Operated Valve ND1B Ruptures                     3.77E-04
                      UND002AMVR   Motor Operated Valve ND2A Ruptures                     1.88E-04
7.09E-08              UND036BMVR   Motor Operated Valve ND36B Ruptures                    3.77E-04
                      UND037AMVR   Motor Operated Valve ND37A Ruptures                    1.88E-04
1.67E-08              UNI0071CVR   Check Valve NI71 Ruptures                              6.66E-04
                      UNI0180CVC   Check Valve NI180 Fails To Close                       2.91E-03
                      UNI178BDHE   Operators Fail To Close Motor Operated Valve NI178B    8.60E-03
1.67E-08              UNI0082CVR   Check Valve NI82 Ruptures                              6.66E-04
                      UNI0175CVC   Check Valve NI175 Fails To Close                       2.91E-03
                      UNI173ADHE   Operators Fail To Close Motor Operated Valve NI173A    8.60E-03
1.67E-08              UNI0060CVR   Check Valve NI60 Ruptures                              6.66E-04
                      UNI0181CVC   Check Valve NI181 Fails To Close                       2.91E-03
                      UNI178BDHE   Operators Fail To Close Motor Operated Valve NI178B    8.60E-03
1.67E-08              UNI0094CVR   Check Valve NI94 Ruptures                              6.66E-04
                      UNI0176CVC   Check Valve NI176 Fails To Close                       2.91E-03
                      UNI173ADHE   Operators Fail To Close Motor Operated Valve NI173A    8.60E-03
6.78E-09              UNI0094CVR   Check Valve NI94 Ruptures                              6.66E-04
                      UNI0176CVC   Check Valve NI176 Fails To Close                       2.91E-03
                      UNI173AMVC   Motor Operated Valve NI173 Fails To Close On Demand    3.50E-03
6.78E-09              UNI0071CVR   Check Valve NI71 Ruptures                              6.66E-04
                      UNI0180CVC   Check Valve NI180 Fails To Close                       2.91E-03
                      UNI178BMVC   Motor Operated Valve NI178B Fails To Close On Demand   3.50E-03
6.78E-09              UNI0082CVR   Check Valve NI82 Ruptures                              6.66E-04
                      UNI0175CVC   Check Valve NI175 Fails To Close                       2.91E-03
                      UNI173AMVC   Motor Operated Valve NI173 Fails To Close On Demand    3.50E-03

Total Gate Probability = 2.50E-07

Importance Table For Gate UTOP: ISLOCA Occurs

Event Name   Event Description                                      FV       RAW
UND037AMVR   Motor Operated Valve ND37A Ruptures                    29.0 %   1550.0
UND001BMVR   Motor Operated Valve ND1B Ruptures                     28.4 %   753.3
UND002AMVR   Motor Operated Valve ND2A Ruptures                     28.4 %   1510.0
UND036BMVR   Motor Operated Valve ND36B Ruptures                    28.4 %   753.3
UNI173ADHE   Operators Fail To Close Motor Operated Valve NI173A    14.9 %   18.1
UNI178BDHE   Operators Fail To Close Motor Operated Valve NI178B    14.9 %   18.1
UNI0060CVR   Check Valve NI60 Ruptures                              10.5 %   158.0
UNI0071CVR   Check Valve NI71 Ruptures                              10.5 %   158.0
UNI0082CVR   Check Valve NI82 Ruptures                              10.5 %   158.0
UNI0094CVR   Check Valve NI94 Ruptures                              10.5 %   158.0
UNI0175CVC   Check Valve NI175 Fails To Close                       9.4 %    33.2
UNI0176CVC   Check Valve NI176 Fails To Close                       9.4 %    33.2
UNI0180CVC   Check Valve NI180 Fails To Close                       9.4 %    33.2
UNI0181CVC   Check Valve NI181 Fails To Close                       9.4 %    33.2
UNI173AMVC   Motor Operated Valve NI173 Fails To Close On Demand    6.1 %    18.2
UNI178BMVC   Motor Operated Valve NI178B Fails To Close On Demand   6.1 %    18.2
UNI0175CVR   Check Valve NI175 Ruptures                             1.1 %    33.3
UNI0176CVR   Check Valve NI176 Ruptures                             1.1 %    33.3
UNI0180CVR   Check Valve NI180 Ruptures                             1.1 %    33.3
UNI0181CVR   Check Valve NI181 Ruptures                             1.1 %    33.3
UND036BMVT   Motor Operated Valve ND36B Transfers Open              0.7 %    753.6
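The cut set and importance figures in the two tables above can be re-derived from the basic-event probabilities. The Python below is an added example, not part of the Duke Power report or its PRA software. It assumes the rare-event approximation, writes event names in normalized form (for example UNI0071CVR), and treats the cut sets the table does not list as a residual containing none of the listed events.

```python
"""Re-quantify the listed ISLOCA cut sets (added example, not the report's code)."""
from math import prod

# Basic-event probabilities copied from the "Top Cut Sets" table.
EVENT_PROB = {
    "UND001BMVR": 3.77e-4, "UND036BMVR": 3.77e-4,  # MOV ND1B / ND36B ruptures
    "UND002AMVR": 1.88e-4, "UND037AMVR": 1.88e-4,  # MOV ND2A / ND37A ruptures
    "UNI0060CVR": 6.66e-4, "UNI0071CVR": 6.66e-4,  # check valve ruptures
    "UNI0082CVR": 6.66e-4, "UNI0094CVR": 6.66e-4,
    "UNI0175CVC": 2.91e-3, "UNI0176CVC": 2.91e-3,  # check valve fails to close
    "UNI0180CVC": 2.91e-3, "UNI0181CVC": 2.91e-3,
    "UNI173ADHE": 8.60e-3, "UNI178BDHE": 8.60e-3,  # operators fail to close MOV
    "UNI173AMVC": 3.50e-3, "UNI178BMVC": 3.50e-3,  # MOV fails to close on demand
}

# The nine minimal cut sets shown in the table; all events in a set must occur.
CUT_SETS = [
    ("UND001BMVR", "UND002AMVR"),
    ("UND036BMVR", "UND037AMVR"),
    ("UNI0071CVR", "UNI0180CVC", "UNI178BDHE"),
    ("UNI0082CVR", "UNI0175CVC", "UNI173ADHE"),
    ("UNI0060CVR", "UNI0181CVC", "UNI178BDHE"),
    ("UNI0094CVR", "UNI0176CVC", "UNI173ADHE"),
    ("UNI0094CVR", "UNI0176CVC", "UNI173AMVC"),
    ("UNI0071CVR", "UNI0180CVC", "UNI178BMVC"),
    ("UNI0082CVR", "UNI0175CVC", "UNI173AMVC"),
]

REPORTED_TOTAL = 2.50e-7  # "Total Gate Probability" from the table


def cut_set_probability(cut_set, probs=EVENT_PROB):
    """Probability of one minimal cut set: product of independent events."""
    return prod(probs[event] for event in cut_set)


def listed_total(probs=EVENT_PROB):
    """Rare-event approximation: sum of the listed cut set probabilities."""
    return sum(cut_set_probability(cs, probs) for cs in CUT_SETS)


def fussell_vesely(event, total=REPORTED_TOTAL):
    """Fraction of the gate probability carried by cut sets containing event.

    Only exact for events whose cut sets are all in the table; events that
    also appear in unlisted cut sets come out lower than the reported FV.
    """
    contribution = sum(cut_set_probability(cs) for cs in CUT_SETS if event in cs)
    return contribution / total


def risk_achievement_worth(event, total=REPORTED_TOTAL):
    """Gate probability with the event certain, divided by the base value.

    Assumption: the unlisted cut sets (reported total minus listed sum) do
    not contain the event, so they are carried over unchanged as a residual.
    """
    residual = total - listed_total()
    forced = {**EVENT_PROB, event: 1.0}
    return (listed_total(forced) + residual) / total


def summary():
    """Per-cut-set probabilities plus the share of the total they explain."""
    rows = [(cs, cut_set_probability(cs)) for cs in CUT_SETS]
    return {"rows": rows, "coverage": listed_total() / REPORTED_TOTAL}


if __name__ == "__main__":
    report = summary()
    for cut_set, p in report["rows"]:
        print(f"{p:.2e}  {' * '.join(cut_set)}")
    print(f"listed cut sets cover {report['coverage']:.1%} of {REPORTED_TOTAL:.2e}")
    for name in ("UND001BMVR", "UND002AMVR", "UNI173ADHE"):
        print(f"{name}: FV={fussell_vesely(name):.1%} "
              f"RAW={risk_achievement_worth(name):.1f}")
```

The RAW of ND2A is about twice that of ND1B because forcing ND2A to fail leaves only the higher 3.77E-04 rupture probability of its partner valve standing between the plant and an ISLOCA.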

[Figure A.19-3 Rev. 2: Reactor Coolant Pump Seal Injection, Seal Bypass And Seal Return]

[Figure A.19-6 Rev. 2: Residual Heat Removal Pump Discharge And Cold Leg Recirculation Lines]

[Figure A.19-10 Rev. 2: Leak Points For ISLOCA Through 1ND178 And 1ND2AC]

Appendix B
External Events Analysis

Table of Contents

B.0 External Model Development
B.1 Seismic Analysis
    B.1.1 Overview
    B.1.2 Plant Information
    B.1.3 Information Sources
    B.1.4 Walkdowns
    B.1.5 Evaluation of Component Fragilities and Failure Mode
    B.1.6 Seismic Event / Fault Trees
    B.1.6 Seismic Fault Tree Solution
    B.1.7 Results and Conclusions
B.2 Internal Fire
    B.2.1 Overview
    B.2.2 Identification Of Critical Fire Zones
    B.2.3 Results and Conclusions
B.3 Tornado
    B.3.1 Overview
    B.3.2 Methodology
    B.3.3 Tornado Occurrence Frequencies
    B.3.4 Tornado Wind Effects
    B.3.5 Tornado Missile Simulation Analysis
    B.3.6 Limitations Of The Analysis
    B.3.7 Results and Conclusions
    B.3.8 Insights
B.4 References

List of Tables

Table B.3-1 Catawba Switchyard Strike Frequency
Table B.3-2 Catawba Plant Strike Frequency

List of Figures

Figure B.1-1 Catawba Seismic Event Tree

B.0 External Model Development

The original Catawba PRA/IPE report and its subsequent update performed an evaluation of external events, with three events identified for a detailed review:

• Seismic Events

• Fires

• Tornadoes

A variety of methodologies were employed to derive the overall frequencies for these events. The analyses are summarized below and are explained in detail in Catawba's Individual Plant Examination for External Events (IPEEE) report (Ref. B.1).

B.1 Seismic Analysis

B.1.1 Overview

This section describes the methods used to estimate the contribution to public health risk from seismic events at Catawba Unit 1. The analysis is consistent with the methodology described in NUREG/CR-2300 (Ref. B.2).

The analysis was performed in four steps:

1) The Catawba site was evaluated to obtain the seismic hazard in terms of the frequency of occurrence of ground motions of various magnitudes.

2) The capacities of important plant structures and equipment to withstand seismic events were evaluated to determine conditional probabilities of failure as a function of ground acceleration. These are commonly referred to as "fragilities".

3) The event tree and fault tree models developed for the internal initiating events were modified to reflect plant response to seismic events. These modified logic models were then solved to obtain Boolean expressions for the seismic event sequences of interest.

4) The Boolean expressions were quantified by convoluting the probabilistic site seismicity and the fragilities for the plant structures and equipment obtained in steps 1 and 2. The resulting sequence frequencies are then integrated into the overall Catawba PRA risk results.

B.1.2 Plant Information

The Catawba systems and components which are essential to the prevention or mitigation of accidents which could affect the public health and safety were designed to enable the facility to withstand the effects of natural forces including earthquakes.

The plant was designed to withstand both an Operating Basis Earthquake (OBE) and a Safe Shutdown Earthquake (SSE). The structural design criteria for the SSE were based on 0.15g and the OBE on 0.08g peak horizontal ground accelerations for all Seismic Category I structures. Vertical accelerations of two-thirds of the corresponding horizontal values were used for both the OBE and SSE.

All major Seismic Category I structures are founded on competent rock or concrete fill extending to rock. The Unit 2 Refueling Water Storage Tank and associated containment wall are founded on partially weathered rock. They were conservatively designed and analyzed as being on compacted fill with appropriate consideration of soil amplification in a seismic event. Localized portions of the Nuclear Service Water (RN) pipelines, and the RN conduit manholes are founded on partially weathered rock or compacted backfill. The buried Diesel Fuel Oil Tanks are founded on compacted fill extending to rock or partially weathered rock. Components on compacted backfill were designed to account for amplification of the seismic input through the soil from the bedrock. The effects of soil-structure interaction are considered negligible for structures founded on competent rock or fill extending to rock. The ground response spectra used in the design of the structures were developed by N. M. Newmark.

Artificial earthquake time-history records whose response spectra essentially envelop the smoothed ground response spectra were created for use in developing the in-structure floor response spectra used for equipment qualification.

The plant structures and equipment were originally divided into two categories according to their function and the degree of integrity required to protect the public. These categories are Category I and non-Category I. Catawba Nuclear Station structures, systems, and components important to safety, as well as their foundations and supports, were designed to withstand the effects of an OBE and an SSE and were designated as Seismic Category I. The major Seismic Category I structures include the following:

• Reactor Building

• Auxiliary Building

• Diesel Generator Building

• Standby Nuclear Service Water Pump Structure, Intake, and Discharge

Structures, equipment and components which are important to plant operation, but are not essential for preventing a design basis accident which would endanger the public health and safety, and are not essential for the mitigation of the consequences of these accidents, are classified as non-Category I. The Turbine Buildings are non-Category I structures. The Turbine Buildings are designed against collapse onto Category I structures due to SSE loads. Examples of non-Category I equipment include the off-site power, the station power transformers, the condenser hotwell and the hydrogen igniters. Non-safety-related equipment routed or located in Seismic Category I buildings that presents interaction concerns with safety equipment is designed to withstand the effects of the SSE so that the function of important equipment is not compromised.

B.1.3 Information Sources

A structural analysis consultant, Structural Mechanics Associates, was used to develop the structural and equipment fragilities for the original fragility analysis. For the most part, results of existing analyses and evaluations of structures and equipment for the Catawba plant were utilized in this study. As part of the evaluation, some limited analysis based on original design analysis loads was conducted to determine the expected seismic capacities of the important structures. The following bullets list the important sources used for the original fragility analysis:

• existing design basis dynamic analyses

• Final Safety Analysis Report

• design reports

• United States Corps of Engineers shock test reports

• specifications on the design of equipment

• seismic qualification test reports

• past earthquake experience

B.1.4 Walkdowns

Plant walkdowns are considered to be an important part of the seismic risk assessment. In support of this assessment, a number of walkdowns were conducted.

Walkdowns were performed to support the development of the initial Catawba PRA which included external events. The initial study was completed in 1987.

Walkdowns were also conducted to support the update of the Catawba PRA, submitted in 1992. Detailed walkdowns were conducted for Unit 2 and for items common to Units 1 and 2 in 1986 for the trial plant application of the EPRI Seismic Margin Methodology. Approximately 90 mechanical and electrical components and 140 valves were walked down for the seismic margin assessment as documented in EPRI NP-6359 (Ref. B.3).

As a part of the IPEEE effort, extensive walkdowns were conducted in 1993 and 1994 consistent with the guidelines described in EPRI NP-6041 (Ref. B.4). Approximately 200 mechanical and electrical components and 250 valves were walked down on Catawba Unit 1. Approximately 10 mechanical and electrical components and 60 valves were walked down inside containment on Unit 2. Less rigorous walkdowns or "walkbys" were completed on another 50 mechanical and electrical components and 80 valves on Unit 2. Moreover, general area reviews were conducted within the plant to evaluate bulk distribution systems. Walkdowns were conducted inside containment for each unit, focusing on equipment list items located therein as well as "containment performance" issues. Much more extensive walkdowns were performed outside of containment. Areas surveyed include the Auxiliary Building, Diesel Generator Building, the Main Steam & Feedwater Isolation Compartments (Doghouses) and Nuclear Service Water Pump Structure. The purposes of these walkdowns were to confirm the validity of the earlier equipment fragility assessments, to review equipment with respect to seismic experience caveats, to verify seismic adequacy of equipment anchorage, and to identify any other seismic concerns such as potential seismic spatial interactions in the "as-built" plant configuration.

Definition of Failure

For purposes of this study, Seismic Category I structures are considered to have failed when inelastic deformations of the structure under seismic load potentially interfere with the operability of equipment attached to the structure. These limits on inelastic energy absorption capacity (ductility limits) are estimated to correspond to the onset of significant structural damage, not necessarily structure collapse. Piping, as well as electrical, mechanical, and electromechanical equipment vital to mitigating the effect of earthquakes, is considered to fail when it can no longer perform its designated functions. Relay chatter is an example of a functional failure for an electrical component. Also, ruptures of pressure boundaries are considered failures. For active equipment, the functional failure definition usually governs since the equipment pressure boundaries are usually very conservatively designed for equipment such as pumps and valves.

I B.1.5 Evaluation of Component Fragilities and Failure Mode The seismic capacities of plant stmetures and components were developed by I

National Technical Systems (formerly Structural Mechanics Associates). The study (Ref. B.5) gives a detailed description of how the seismic capacities were derived.

l ~

The seismic capacity of the Standby Nuclear Service Water Pond Dam was develeped by Dr. Daniel Veneziano of MIT, a consultant to Law Engineering Testing Company.

The results of that study are reported in Reference B.6. The seismic capacities are presented in the final form of fragility curves, which express the conditional probability of failure as a function of ground acceleration. The previous Catawba seismic analysis contaired several components and structures necessary to bring the plant to a safe shutdown condition following a seismic event. As part of the IPEEE review process for seismic events, an evaluation was performed to review and confirm the previous analysis. A major part of this review entailed using the Seismic Margin Methodology for walking down and reviewing these items. The Seismic Margin Methodology guidelines provide generic conservative estimates of ground motion 1: 'ow which it is generally not necessary to perform a seismic margin review for particular elements. Therefore, for a given ground motion level, these guidelines list the elements which should, in general, be " screened out" from the margin review because of their generically good performance in earthquakes or seismic simulation tests at or above this level. This " screening out" was contingent on verifyini iuring plant walkdowns that the equipment met the caveats provided to insure that it is representative of equipment included in the earthquake experience data. In addition to the screening guidelines for the equipment, an anchorage assessment would also be conducted to verify that the anchorage is adequate for the specified ground motion.

Based upon this review, a majority of the components and structures appearing in the previous seismic analysis were "screened out". Per Reference B.7, a sensitivity study was performed which removed these components/structures and determined that the analysis could be greatly simplified while retaining essentially the same dominant failure modes. Furthermore, the evaluation concluded that some of the fault tree random failures could also be removed since they do not contribute to the model solution.

B.1.6 Seismic Event / Fault Trees

Event Tree

The first step in determining the seismically-induced core damage frequency is the creation of an event tree. The event tree for the Catawba seismic analysis is shown in Figure B.1-1. The tree is structured similarly to the internal initiator event trees and contains the same functional top events.

Supporting Fault Tree Logic

The fault tree logic for the systems discussed below serves as the building blocks for the seismic event tree. The logic is based on the system level fault trees found in the Catawba PRA/IPE report.

As mentioned in Section B.1.5, several of the components and structures used in this analysis were screened out due to their generically good performance in earthquakes or seismic simulation tests. However, per Reference B.8, a plant-level surrogate fragility should be included to represent the screened out elements. This surrogate element was placed in the 4160V ac gate logic (since its failure results in the failure of most of the components) and as a replacement for the SSPS cabinets and the battery racks (to keep their 'AND' logic intact with other component failures).

Emergency Auxiliary Power System

The fault tree includes failures of the 4160V ac switchgear due to failures from a loss of off-site power coupled with a diesel generator failure. Because of the relatively low capacity of off-site power to withstand an earthquake, the diesels are required in most seismic sequences. The previous analysis also included a switchgear failure due to relay chatter; however, this has been screened out of the model as outlined above and replaced with a plant-level surrogate.

Only non-seismic failures of the diesel generators are included in the fault tree since the individual components have been screened out as outlined above.

Engineered Safety Features Actuation System (ESFAS)

As shown above, most of the power system components were screened out; thus, a failure of the ESFAS is represented as either a power failure from the 4160V ac switchgear or a signal logic failure. The signal logic failure occurs due to a failure of off-site power with a failure of the SSPS (represented by the plant level surrogate fragility).

Nuclear Service Water System

Failures involving a loss of the RN System are represented by a failure of 4160V ac power. The RN System components and structures have relatively high seismic capacities and are thus screened out.

Component Cooling System

Failure of KC is represented by a loss of 4160 V ac power. The KC pumps and heat exchangers have relatively high seismic capacities and are thus screened out. Since a loss of RN will also fail KC, a loss of ac power serves as a failure mode for both of these systems.

Chemical and Volume Control System

The NV System serves both as a means of seal injection as well as emergency core cooling injection. The NV pumps are cooled by the RN System, and take suction from the FWST. Given the relatively high seismic capacity of the FWST and the NV charging pumps, a loss of 4160 V ac power, controls, or ESFAS capability fails NV.

Safety Injection System

The FWST failure is also a failure mode for this system. The NI pumps are cooled by the RN System and require both signal and power to be available. Given that the FWST and the NI pumps have relatively high seismic capacities, NI fails on either a loss of 4160 V ac power or controls.

Auxiliary Feedwater System

Auxiliary feedwater fails either due to a failure of the pump support systems or their suction sources. The normal suction sources are the upper surge tanks, condenser hotwell, and condensate storage tank. An auxiliary suction source is the RN System.

Failure of RN can be caused by seismically induced fouling of the RN sources. The motor-driven pumps fail with either a loss of 4160 V ac power or controls; however, AFW will be available with the success of the turbine-driven pump. The turbine-driven pump failures are denoted by a loss of the pump controls.

Residual Heat Removal System

The ND System is used during high pressure recirculation. Failure of the support systems (via a loss of 4160 V ac power) will make the ND System inoperable.

B.1.6 Seismic Fault Tree Solution

The seismic fault tree was solved using the CAFTA computer code. The resulting cut sets were reviewed and edited to remove invalid cut sets from the solution. They were then loaded into the SEISM computer code (Ref. B.9) to determine the overall probability for a seismically induced core melt.

The plant seismicity curve, component fragilities, and event sequences are inputs to SEISM in the calculation of the frequency of a seismically-induced core damage.

Component fragilities are combined, using the event sequences, to obtain cut set fragilities. A third-order approximation of the sum of the cut set fragilities determines the plant fragility. The plant fragility is convoluted with the plant seismicity curve to derive the frequency of a seismically induced core damage.

SEISM uses this process in two stages. In the first stage, best estimate values are used for the component fragilities and plant seismicity. This stage calculates a best estimate of the core damage frequency. In the second stage, the component fragilities are obtained by randomly sampling fragility values from the family of curves of each component. These fragility values are used as the component fragilities in calculating a sampled core damage frequency. This stage is repeated many times to obtain a sampled core damage frequency distribution.
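The two-stage calculation described above, as an added example; it is not SEISM and uses no code or data from the report. The fragility parameters, cut sets and hazard curve are constructed, the lognormal fragility family (median capacity with randomness and uncertainty terms) is an assumed form, and basic events are assumed independent.

```python
import math
import random
from itertools import combinations
from statistics import NormalDist

STD_NORMAL = NormalDist()

# Constructed fragility parameters per basic event: (median capacity Am [g], beta_R, beta_U).
COMPONENTS = {
    "SURROGATE":     (1.00, 0.30, 0.35),
    "OFFSITE_POWER": (0.30, 0.25, 0.50),
    "TANK":          (0.90, 0.30, 0.40),
    "VALVE":         (0.60, 0.35, 0.45),
}
# Constructed minimal cut sets; each one is an AND of seismic basic events.
CUT_SETS = [
    frozenset({"SURROGATE"}),
    frozenset({"OFFSITE_POWER", "TANK"}),
    frozenset({"OFFSITE_POWER", "VALVE"}),
]
# Constructed hazard curve: (peak ground acceleration [g], annual exceedance frequency).
HAZARD = [(0.05, 1e-3), (0.1, 3e-4), (0.2, 8e-5), (0.4, 1.5e-5), (0.8, 2e-6), (1.6, 1e-7)]


def hazard(a):
    """Annual frequency of exceeding acceleration a (log-log interpolation, clamped)."""
    a = min(max(a, HAZARD[0][0]), HAZARD[-1][0])
    for (a0, h0), (a1, h1) in zip(HAZARD, HAZARD[1:]):
        if a <= a1:
            t = math.log(a / a0) / math.log(a1 / a0)
            return h0 * (h1 / h0) ** t
    return HAZARD[-1][1]


def capacity_at_confidence(am, beta_u, q):
    """Median capacity of the family member at confidence q (q = 0.5 gives Am)."""
    return am * math.exp(-beta_u * STD_NORMAL.inv_cdf(q))


def component_fragility(a, median, beta_r):
    """Conditional failure probability at acceleration a for one lognormal curve."""
    return STD_NORMAL.cdf(math.log(a / median) / beta_r)


def plant_fragility(a, medians):
    """Union of the cut sets by inclusion-exclusion, truncated at third order."""
    def joint(names):  # independent basic events: AND is a product
        return math.prod(component_fragility(a, medians[n], COMPONENTS[n][1]) for n in names)

    total = 0.0
    for order in (1, 2, 3):
        sign = 1.0 if order % 2 else -1.0
        for combo in combinations(CUT_SETS, order):
            total += sign * joint(frozenset().union(*combo))
    # Exact for up to three cut sets; with more it is an upper bound, so clamp.
    return min(1.0, max(0.0, total))


def core_damage_frequency(medians, bins=100):
    """Convolve plant fragility with the hazard curve over log-spaced bins."""
    lo, hi = HAZARD[0][0], HAZARD[-1][0]
    edges = [lo * (hi / lo) ** (i / bins) for i in range(bins + 1)]
    freq = hazard(hi) * plant_fragility(hi, medians)  # events beyond the last point
    for a0, a1 in zip(edges, edges[1:]):
        freq += plant_fragility(math.sqrt(a0 * a1), medians) * (hazard(a0) - hazard(a1))
    return freq


def best_estimate_cdf():
    """Stage 1: every component on its median (q = 0.5) curve."""
    return core_damage_frequency({n: am for n, (am, _, _) in COMPONENTS.items()})


def sampled_cdf_distribution(n_samples=200, seed=1998):
    """Stage 2: draw one curve per component from its family, repeat, sort results."""
    rng = random.Random(seed)
    results = []
    for _ in range(n_samples):
        medians = {
            name: capacity_at_confidence(am, beta_u, rng.uniform(1e-6, 1 - 1e-6))
            for name, (am, _, beta_u) in COMPONENTS.items()
        }
        results.append(core_damage_frequency(medians))
    return sorted(results)


if __name__ == "__main__":
    dist = sampled_cdf_distribution()
    print(f"best estimate : {best_estimate_cdf():.2e} /yr")
    print(f"5% / 50% / 95%: {dist[9]:.2e} / {dist[99]:.2e} / {dist[189]:.2e} /yr")
```

The spread between the low and high percentiles of the sampled distribution is what the second stage adds to the single best-estimate value.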

B.1.7 Results and Conclusions

SEISM calculates the seismically-induced core damage frequency to be 8.42E-06/yr.

This value represents approximately 58% of the external contribution to the overall plant core melt probability. As expected, the governing accident sequences involve the failure of the plant level surrogates for the 4160V ac switchgear and the SSPS cabinets (86% contribution to CMF). The remaining cut sets involve responses to a loss of off site power.

Figure B.1-1 Rev. 2 - Seismic Event Tree

[Event tree graphic not reproduced. Top event labels: C, B, Q(S), P, U, X. Heading text: Seismic Event, Pump Seal Injection, SSHR, PORV Bleed Path, Recirculation. Sequence names with core melt bins: NCM (N/A); CQsX (10); CQsU (7); CBX (16, 17, 18); CBU (14, 15); CBP (14, 15); CBQsX (11, 12, 13); CBQsU (8, 9); CBQsP (8, 9).]

B.2 Internal Fire

B.2.1 Overview

Consideration of common cause failure due to fires is an important aspect of overall plant risk. A fire can initiate a transient by damaging a component necessary for normal plant operation, and, at the same time, damage components necessary to safe shutdown functions. The fire analysis generally shows how well a plant design separates the components of redundant safe shutdown functions for protection against postulated fires.

The fire analysis consists of four steps. These are: (1) identification of critical zones, (2) development of the initiating event frequency for each critical zone, (3) evaluation of detection and suppression capabilities in the critical zones and (4) development of the core damage cut sets by processing the fire initiating event frequencies through fire development logic.

This section presents the results of analysis performed to evaluate the CDF contribution due to fires at Catawba Nuclear Station.

B.2.2 Identification Of Critical Fire Zones

Level 560 Auxiliary Building

Lower Switchgear Room

The lower switchgear room contains the B train essential 4160 V switchgear (1ETB), a large transformer and load center and several motor control centers. It also contains part of the power cable for the SSF Standby Makeup pump. The ETB fire scenario is similar to initiating event T11 (Loss of 4160 V switchgear) except that the SSF standby makeup pump is lost.

For a fire to actually cause a loss of the 4160 V switchgear and the SSF standby makeup pump cable, it is assumed to progress to a large fire. The resulting core damage frequency is 1.78E-08/yr.

A fire in this area could spread through the 3 hour barrier (the ceiling) to the ETA switchgear room. However, the frequency of this is estimated to be less than 1.0E-08/yr.

Load Sequencer Corridors

A fire in a load sequencer corridor could load shed a 4160 V essential bus. This is not considered to be an initiating event because it can be recovered by de-energizing the sequencer and reloading the bus. This scenario was not considered further in the PRA.

Level 543 Auxiliary Building

Room 250, 252, 253, 254, 255 and 256, Auxiliary Feedwater Pump Room

Level 543 of the Auxiliary Building is divided into two compartments. One compartment is a general area containing safety injection pumps, centrifugal charging pumps and some other equipment. The other compartment contains the auxiliary feedwater pumps, the auxiliary shutdown panel (ASP) and some other equipment.

There are two parts to the ASP for each unit of Catawba. The train A part of the ASP is separated from the train B part by a three hour fire barrier. Circuits in the ASP at Catawba are connected via optical isolation devices which are designed to keep circuit faults from affecting operating components. There is a rate of rise and ionization smoke detector in each ASP room. These detectors have alarms in the control room. Fire extinguishment is manual, by CO2 extinguishers in each room. Additional extinguishers and a hose station are located in the space outside of the ASP rooms. For a fire to spread from one train of the auxiliary shutdown panel to the other, it must be a large fire and pass through or around the fire barrier. Sequences associated with the ASP fire scenario are less than 1.0E-08/yr. before recoveries are added.

Level 504 Auxiliary Building

Room 573, Control Room

The control room contains control circuits similar to those in the cable room. During a control room fire, various pieces of equipment could be stopped, started, repositioned or disabled by shorts or open circuits in these cables. Thus, there are numerous potential core damage scenarios that a large control room fire could cause. For simplicity in the fire analysis, the control room fire frequency is applied to the loss of component cooling scenario.

Because of staged equipment in the control room and operator training, the scenario of losing redundant trains of equipment in the control room is judged to be much more likely than the scenario of evacuation of the control room (due to smoke) before equipment is lost.

This control room is attended all of the time and is monitored by smoke detectors. The resulting core damage frequency is 1.25E-07/yr.

Room 571, Reactor Trip Switchgear

This room is an electrical penetration room that contains reactor trip switchgear, Motor Generator (MG) sets and rod drive power supplies. The fire scenario associated with this area is a fire in one of the switchgear enclosures that causes a reactor trip.

This area is thoroughly covered by early warning smoke detectors which alarm in the control room. Core damage sequences associated with this area are less than 1.0E-08/yr. before recoveries are added.

Level 577 Auxiliary Building

Room 481, Cable Room

The cable room at Catawba contains control cables for equipment controlled in the control room. During a cable room fire, various pieces of equipment could be stopped, started, repositioned or disabled by shorts or open circuits in these cables. Thus, there are numerous potential core damage scenarios that a large cable room fire could cause. For simplicity in the fire analysis, the cable room fire frequency is applied to the loss of component cooling scenario.

The cable room is thoroughly covered with early warning smoke detectors. There is a manual fog mist system associated with this space, and it contains CO2 extinguishers and fire hose stations. The resulting core damage frequency is 7.82E-07/yr.

Level 560 Auxiliary Building

Vital I & C Batteries

The batteries associated with the Vital Instrumentation and Control Power (Vital I & C) Systems are located in adjacent rooms on level 554 in the Auxiliary Building. Switchgear, inverters and battery chargers associated with this system are located outside of these rooms. The cable for the B train Centrifugal Charging pump passes through this area. The battery room walls are not committed fire barriers. Fire spread from here to the lower switchgear room through a three hour fire barrier could cause a loss of the SSF standby makeup pump.

The Vital I & C area is equipped with early warning ionization smoke detectors. There are CO2 extinguishers and hose stations in the vicinity.

The loss of Vital Instrumentation and Control initiating event (T14) is defined as a loss of bus EDD. Bus EDD is located outside of the battery rooms for batteries EDD and EBC.

The fire in the Vital I & C area is also modeled as a loss of bus EDD. The fire is assumed to initiate in the bus itself. Only a small fire is required to cause a loss of this bus. Sequences associated with the loss of bus EDD (due to fire) are less than 1.0E-08/yr. before recoveries are added. The loss of one Centrifugal Charging Pump does not add significantly to these sequences. The potential loss of the standby makeup pump due to fire spread through a three hour fire barrier is not a significant additional risk and is not modeled.

Component Cooling Water (KC) Pumps

The Unit 1 component cooling water (KC) pumps are on elevation 560' in the Auxiliary Building; the Unit 2 KC pumps are on elevation 577'. The train A pumps are separated from the train B pumps by a three hour fire barrier. Fixed automatic water sprinklers with alarms in the control room and ionization fire detectors with alarms in the control room are provided for these areas.

During a walkdown of KC pump cables, it was discovered that the cables for train A and train B pumps pass close together with no intervening fire barrier. This situation is worse for the Unit 1 pumps because these cables are closest together and are not protected by the automatic water sprinklers (the Unit 2 pump cables are in the area covered by the sprinklers where they are close together).

The Unit 1 redundant train KC pump power cables pass within three feet of each other in a "short room" on elevation 568'. This area does not contain any fire ignition sources and the cables themselves are the only combustible material present. These cables are of a type that have been demonstrated to be non-fire propagating. Station directives prohibit storing combustibles in this area and limit the possibility of transient combustibles being in this area.

This short room is considered to be thoroughly covered by early warning smoke detectors. Fire extinguishment would be by portable extinguishers and fire hoses.

Because of the limited amount of fire ignition sources or combustibles, this area is assigned the same fire event tree parameters as the cable room (although the cable room was assumed to be attended 1/3 of the time, no credit was taken for this in event tree parameters). The fire initiating event frequency for this area is also taken to be the same as for the cable room. Because the "short room" contains less combustible material and components than the cable room, using the cable room initiating event frequency should be conservative. The resulting core damage frequency from these sequences is 4.19E-06/yr.

The cables for the B train centrifugal charging (NV) pumps and the B residual heat removal (ND) pumps for Unit 1 are also near the component cooling pump cables. This does not result in significant risk (in addition to the loss of KC) because these pumps are assumed to be lost for loss of KC sequences.

Diesel Generator

The diesel generator area is equipped with fixed temperature fire detectors and an automatic CO2 system which sounds an alarm in the control room when it activates.

Event tree parameters include an assumption that the diesel generator space is attended most of the time (because it is attended when the diesel is operating and a fire is more likely when the diesel is operating). Core damage frequency for sequences associated with the diesel area are less than 1.0E-08/yr. before recoveries are added.

Turbine Building

The consequence of a catastrophic turbine building fire is the loss of the equipment in the turbine building. Besides the fire effects, some flooding and water spray from suppression systems and some smoke effects could be expected.

These secondary effects do not change the assumption that a large turbine building fire causes all equipment in the turbine building to be lost. For Catawba, this loss is equivalent to a long term loss of off site power. This also results in a loss of instrument air. Because the Unit 2 SSF standby makeup pump power cable passes through the turbine building, the SSF standby makeup pump is also assumed to be lost in turbine building fire sequences.

A review of fire event histories was done to gain insights which could be applied to the Catawba turbine building fire scenario. The latest available fire data base is an EPRI data base that includes fire data through 1989. This data base includes ninety-one turbine building fires at PWRs. Of these, fifteen occurred in the oil system of steam turbines. Of these, eleven occurred in the ten year period from 1979 to the end of 1988. Because less serious fire events may go unreported, these reported events may all be considered to represent serious fires.

During the ten year period from 1979 through 1988, there were 633 unit years for PWRs. Therefore, the frequency of a serious fire involving a PWR steam turbine oil system is estimated to be 1.74E-02 per unit year. None of these fires progressed to a large turbine building oil fire. This frequency of smaller turbine oil fires is presented to give some idea of the potential for larger, all consuming, turbine building oil fires.

More recent U.S. experience was also reviewed for applicability. This included reports of fires at Maine Yankee in August 1991, Salem 2 in November 1991, Fermi 2 in December of 1993, and Zion 1 in April 1994 and July 1994. This review did not result in a different estimation of turbine fire frequency.

A description of the fire at C. N. Vandellos Unit 1 (10/19/89) in Spain was also reviewed for insights; however, because foreign unit years are not counted, foreign experience is not considered applicable.

To determine the frequency for an all consuming turbine building oil fire, the chi-squared distribution is used. The formula for this distribution allows one to estimate a frequency for an event, even though it may not have occurred during the data period under consideration. Using the chi-squared distribution formula, the frequency for the all consuming turbine building fire event is 1.3E-04 per year.

Comparing this frequency (1.3E-04) to the frequency of serious turbine building fires (1.74E-02, as determined above), this frequency would imply that approximately one out of every 100 serious fires in the turbine oil system will progress to an all consuming turbine building fire. This comparison is presented as a "reality check" for the initiating event frequency number.

An automatic preaction sprinkler system on the turbine bearings and lube oil supply piping should function to cool the fire enough to prevent it from spreading throughout the building. It would be difficult for sprinklers to control the fire, since many obstructions will interfere with the ability of water to reach the pool fire. Still, the cooling effect of the spray should enable firefighters to prevent spread of the fire to all three units. The failure rate of the spray in limiting the progression of the fire throughout the building is assumed to be about 10% (based on a value used in Reference B.10). If the fire can be prevented from spreading between units, it is assumed that equipment (emergency feedwater pumps) from other units can be used to mitigate the accident sequence on the unit where the fire has taken place. The 10% failure rate of the spray system is applied as a recovery to the large turbine building fire event to get a frequency of 1.3E-05 for initiating event FACTB, "All Consuming TB Fire Initiating Event." The resulting total core damage frequency associated with these sequences is 1.04E-07/yr.

Level 594 Service Building

The instrument air compressors are located on the 594 level of the Service Building. The cable for the Unit 2 SSF Standby Makeup pump also passes through the Service Building.

There are no fire barriers between redundant instrument air compressors. There are some ionization smoke detectors (with alarms in the control room) in the area of the reciprocal compressors. The resulting core damage frequency for sequences associated with a loss of instrument air event is less than 1.0E-08/yr. before recoveries are added.

Reactor Building

Because of the limited consequences of a reactor building fire, no sequences associated with the reactor building have been presented. The discussion below represents equipment in the reactor building and considerations that keep this area from being a fire concern.

The Reactor Building contains the reactor coolant pumps, the pressurizer PORVs, the ND pump suction valves (ND1, ND2, ND36 and ND37), the letdown line, and the RCP seal injection return line. A fire in any of these components could lead to an initiating event. If a PORV inadvertently opens, it can be reclosed by de-energizing it from either inside or outside of the control room. There are no automatic valves in the portion of the seal injection lines inside containment. If the seal return line is blocked, valve NV93 would open, and no seal LOCA would occur. Valves ND2A and ND37A have cables routed in a fashion to prevent an internal short due to a single fire from spuriously opening both the ND isolation valve and its alternative valve.

Valves ND1B, ND2A and ND37A normally have their breakers racked out in Mode 1 to prevent these valves from opening as a result of a fire or security event.

A fire in a reactor coolant pump could result in a plant trip. This has not been analyzed because the frequency of this event is believed to be much less than the plant trip frequency used in the systems analysis.

Reactor coolant pump motors at Catawba are the only very high voltage equipment identified during walkdowns which were not seismically mounted. A seismic induced fire in a reactor coolant pump was dismissed as a concern during the walkdowns because sufficient equipment would still be available for decay heat removal during this scenario.

Nuclear Service Water Pump Structure

The train A Nuclear Service Water (RN) pumps for both units are separated from the train B pumps by a three hour fire barrier (with a fire door). The area is covered by ionization smoke detectors. Alarms are provided locally and in the control room. Fire extinguishment in this area is by manual hose stations and CO2 extinguishers.

A very large fire is required to challenge the 3 hour barrier between nuclear service water trains. The core damage frequency for sequences associated with this scenario is less than 1.0E-08/yr. before recoveries are added.

B.2.3 Results and Conclusions

Catawba fire sequences are dominated by the component cooling pump power cable fire scenario. The control room, cable room, and turbine building fire scenarios are also minor contributors. The resulting core damage frequency is 5.22E-06/yr.

B.3 Tornado

B.3.1 Overview

This section describes the process of assessing potential plant vulnerabilities induced by high winds and tornadoes. Initially, three types of winds were considered for this study: hurricanes, tornadoes, and non-tornadic (straight air flow) windstorms. However, Catawba's inland location makes the probability of severe wind damage due to hurricanes very unlikely and the probability of damage to important components or structures from non-tornadic winds is low compared to that of tornadoes. For this reason, hurricanes and "straight windstorms" are not considered further. The primary purpose of this assessment is focused only on tornado damage events and the resulting core damage frequency.

The primary consequence of a tornado strike at the Catawba site is a loss of off-site power (LOOP). Because of the rugged design of Catawba safety structures, no damage is postulated for most safety (QA 1) structures (See Reference B.1 Section 5.1 or Reference B.11). An exception is the Diesel Generator Building which was shown in previous missile analyses to have a very small probability of a damaging missile strike. Thus, a diesel generator tornado missile failure event is added to the diesel generator system logic to model this failure. Generally, most tornado core-melt cut sets are identical to the regular LOOP (T3) initiator cut sets except that the T3 cut sets are assumed recoverable and the tornado cut sets are not recoverable.

During the NRC review of the Catawba IPEEE, it was noted that Duke had taken credit for the use of SSF for tornado event recovery although the SSF building structure was not considered a "qualified" safety structure. Duke's response showed that the SSF structure was very rugged although not qualified to the extreme design basis windspeeds or missiles. The impact of this assumption had only a small effect on the tornado results; failure of the SSF due to tornado winds has been incorporated into the present model.

The analysis primarily considers F-1 through F-5 tornado events whose winds impact either the switchyard or the portions of the transmission circuit that brings power from the switchyard into the plant. However, a separate estimation is made of the frequency of tornados that strike the plant site with the potential to cause tornado missile damage to important plant structures. Based on previous Catawba analyses using the TORMIS computer code, the conditional probability of missile damage to diesel generator building has been estimated and put into the diesel generator fault tree model. Potential tornado missile damage is also considered for the SSF which had not been considered in the previous missiles studies.

B.3.2 Methodology

This assessment is primarily an update to the Catawba PRA/IPE Rev. 1 tornado study and IPEEE update. The assessment process began with plant familiarization, review of plant design information on tornado design, and a review of previous Catawba PRA/IPE tornado analyses.

To estimate the tornado core damage frequency, the plant transient model was modified to incorporate the switchyard tornado strike initiating event (TORNSW), the plant tornado strike initiating event (TORNF4), and the potential failure of the SSF due to tornado damage. The plant strike frequency includes the frequency of F4 and F5 intensity tornados because only these intensity tornados have the strength to generate the damaging missiles of interest for the D/G building. The tornado results were then obtained as a part of the overall plant model solution.

B.3.3 Tornado Occurrence Frequencies

Historical data provides the tornado occurrence frequency, per unit area, for a given region. The data used in this analysis is from a 45 year record (1950-1994) of all tornadoes within 125 nautical miles of the Catawba site. This data has been summarized in Table B.3-1 and Table B.3-2. A radius of 125 nautical miles corresponds to an area of approximately 65,000 square miles. This area can be divided into the number of reported tornadoes, over 45 years, to determine the frequency per square mile.

The frequency of tornado impact upon the plant and the switchyard is estimated using an "aerial probability model" that uses the dimensions and orientation of the target and the "mean damage width", "mean damage length", and directional distribution for tornados in each F scale (Reference B.12). The mean tornado lengths, widths, and directions are determined from the same historical data that was used for the tornado occurrence frequency.

The Catawba switchyard target is modeled as a rectangle 900 feet wide by 2500 long with the long dimension running East-West. From Table B.3-1, the resulting switchyard tornado strike frequency (TORNSW) is 5.07E-04/yr. The Catawba plant target is modeled as a rectangle 5000 feet wide by 6000 long with the short dimension running North-South. From Table B.3-2, the total plant tornado strike frequency is 8.8E-04/yr. However, the initiating event of interest only concerns F4 and F5 intensity tornadoes that can cause missile damage to the D/G building.

Thus, the F4 and F5 portion of tornado strike frequency is combined into a separate event frequency (TORNPLT) which has a value of 9.49E-05/yr.

Because the SSF is functionally a backup ac power source to the emergency diesel generators following a loss of off site power, it is desirable to estimate the likelihood that the SSF would be damaged simultaneously with a tornado strike that damages the switchyard or the diesel generator building. A "point probability model" was used to estimate the likelihood of tornados striking specific structures or components on the plant site (Reference B.13). This information was used as one input to determining the appropriate value for the conditional failure probability for the SSF if a tornado damages the switchyard. In the case of missile damage to the diesel generator building, the SSF is assumed to fail with a probability of 1.0. This assumption is based on the very close proximity of the Unit 1 diesel building and the SSF building, and the fact that F4 or greater tornado winds are required to cause the missile damage while the SSF structure is assumed to fail under F4 intensity winds.

I H.3.4 Tornado Wind Effects The potential effects of tomado wind loadings on various plant structures and I

equipment have been examined in detail during previous Catawba studies. All safety related (Categoiy I) structures at Catawba are designed to withstand the wind loadings of a design basis tomado (360 mph) and tomado induced negative pressure differential (3 psi). The probability of tomadoes of this magnitude at Catawba is considered to be extremely small. Therefore, the effects of high winds on Catawba 's main plant structures is not considered further.

However, as previously mentioned, potential tornado damage to the SSF building had not been considered in previous tornado risk models. Although the SSF structure is not classified as a safety structure and was not specifically designed for tornado wind loads, a review of the structural design features showed that it is very ruggedly constructed and could withstand substantial windspeeds without failure. The Catawba SSF building is a two-story structure whose exterior walls are built primarily from 12" concrete masonry units ("blocks"). The blocks are split ribbed with stacked coursing and reinforced vertically with #4 rebar spaced 16" o.c. and reinforced horizontally with extra heavy ladder type wall reinforcing spaced '6" o.c. vertically. The center void of each block (which also contains the #4 rebar) is filled with type 'M' mortar. A large steel frame inner structure supports the concrete slab roof and several large overhead hoists. For the plant model, the SSF is assumed to have a wind capacity up to the threshold of an F4 tornado.

A conditional probability of 0.01 was assumed for the likelihood that a tornado strike on the switchyard will also damage the SSF. This value was selected considering the relative frequency of F-4 (or greater) winds impacting a point target versus the total frequency of F-4 tornados striking the switchyard, and the likelihood of missile damage from tornados passing over the site (see Reference B.14).

B.3.5 Tornado Missile Simulation Analysis

Previous Catawba tornado analyses have used the TORMIS computer code to evaluate the effects of tornado missiles on the targets of interest. TORMIS is a Monte Carlo simulation code which can model the response of a plant site to a tornado event and calculate the probability of missile strikes on specific targets.

The code randomly selects a tornado (including physical parameters) and a random path orientation and tracks the tornado across the plant site. If the tornado approaches a potential missile, the code (1) checks to see if the missile can be lifted, (2) determines the exit velocity and orientation, (3) tracks the missile through the trajectory and (4) checks for a possible strike. If a strike occurs, the effects are analyzed and recorded. The code then outputs the probability of missile penetration of all examined structures.

The TORMIS code incorporates many plant design parameters including wall thickness, wall strength, building height, width and length, and material composition. The buildings are then defined in relation to a base point, which when combined with the above parameters results in a plant model.


A site missile data list was obtained by surveying the plant site for potential missiles. These potential missiles can include any object which in the analyst's judgment may cause plant damage. Examples of potential missiles are cars, trees, pipes, and fence posts.

Using the information described above, the TORMIS code was executed for tornadoes from F1 to F5. The results of these computer runs showed that missile damage events are not important contributors to plant risk for most plant structures due to their rugged design and construction. However, the analysis showed a small potential for missile damage to the diesel generator building from missiles generated by F4 or greater intensity tornados. Therefore, a tornado missile damage event was included in the plant fault tree model in the diesel generator logic.

B.3.6 Limitations Of The Analysis

1. One of the largest sources of uncertainty is in the tornado data itself. The classification of tornado intensity and damage assessment is highly subjective and has been notably inconsistent over the years (Reference B.13).

2. The TORMIS analysis was made with a missile survey performed in the mid-1980s. Recent plant walkdowns provide some assurance that the conclusions from and the assumptions based on this missile analysis are still valid.

3. It is assumed that the human error probabilities used in the plant model are not affected by any "collateral damage" caused by the tornado strike. In reality, there may be some increased operator stress related to responding to the SSF or other actions due to factors such as responding to other injured personnel, damaged hazardous material containers, or fires involving non-safety related equipment or buildings.

B.3.7 Results and Conclusions

The calculated annual core damage frequency resulting from tornadoes impacting Catawba is approximately 1.0E-06/yr. This initiating event accounts for 2.2% of the total CDF and 7% of the external CDF. The dominant sequence of events consists of a tornado induced loss of off-site power followed by D/G failures and failure of the SSF. The risk contribution from tornado missile to the diesel generator building was small compared to random failure modes for the emergency diesel generators. No credit is assumed for off-site power recovery following a tornado. This frequency is of the same magnitude as other potential severe accidents such as seismic events, fires, floods, and other events.

B.3.8 Insights

While the plant structures are well designed against the effects of tornado winds and missiles, tornado strike events are an important core melt risk contributor due to the inability to restore off-site power in a timely manner. Following such an event the plant is fully dependent on its own emergency power system to run until the off-site power circuit can be repaired or replaced.

Although the SSF was not originally designed to withstand the effects of a tornado strike, the manual activation of the SSF is an important recovery action following a tornado event in case of diesel generator failure. However, the probability of tornado wind or missile damage to the SSF is relatively small compared to the probability of SSF failure due to human error, maintenance unavailability, and random failures of the SSF equipment.


Table B.3-1 Catawba Switchyard Strike Frequency

Origin  Angle (α)  p(θ)    a      b      Z1        p(θ)*Z1   Z2        p(θ)*Z2
        (deg)              (ft)   (ft)   (ft)      (ft)      (ft)      (ft)
N       0          0.009   900    2500   900.00    8.10      2500.00   22.50
NE      45         0       900    2500   2404.16   0.00      2404.16   0.00
E       0          0.009   2500   900    2500.00   22.50     900.00    8.10
SE      45         0.021   2500   900    2404.16   50.49     2404.16   50.49
S       0          0.098   900    2500   900.00    88.20     2500.00   245.00
SW      45         0.357   900    2500   2404.16   858.29    2404.16   858.29
W       0          0.472   2500   900    2500.00   1180.00   900.00    424.80
NW      45         0.034   2500   900    2404.16   81.74     2404.16   81.74

Σp(θ)*Z1 = 2289.32    Σp(θ)*Z2 = 1690.92

F Scale  Wind Speed   Number      Est. No. of  Occurrence  Mean Path  Mean Path  A0        Swyd Strike
         Range (mph)  Reported    Unreported   Rate        Length     Width                Frequency
                      (1950-94)   Tornados     (#/yr)      (mi)       (mi)                 (/yr)
F1       73-112       313         30.8         7.64        2.97       0.05       1.19E+00  1.40E-04
F2       113-157      156         15.6         3.81        6.37       0.09       2.72E+00  1.60E-04
F3       158-206      26          4.6          0.68        20.57      0.20       1.09E+01  1.14E-04
F4       207-260      13          1.2          0.32        26.66      0.37       1.86E+01  9.05E-05
F5       261+         0.23†       0.1          0.01        33†        0.39†      2.37E+01  2.67E-06

P(I) = u(I)*A0(I)/S
A0(I) = W(I)*L(I) + W(I)*Z_T1 + L(I)*Z_T2 + A
Z_T1 = Σp(θ)*Z1(θ)
Z_T2 = Σp(θ)*Z2(θ)
S = 65000 sq mi (125 NM circle)

Note: Refer to Attachment 4 for estimation of unreported tornados.

† Note: No F5 tornados were recorded during the entire 45 year period of data for the Catawba Plant. A Chi-square method was used to derive an equivalent number of tornados for the report period. The mean path length and width for F5 tornados are assumed values based on data for the eastern U.S. provided in NUREG/CR-4461 (Table 6, p. 40).
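The strike-frequency arithmetic of Table B.3-1 can be carried through end to end. The Python below is an added example, not code from the report: it assumes Z1 = a·cos α + b·sin α and Z2 = a·sin α + b·cos α (which reproduces the table's Z columns), takes the A term as the target footprint a·b, converts feet to miles, and derives the occurrence rate from reported plus unreported tornados over the 45-year period.

```python
import math

FT_PER_MI = 5280.0
S_SQ_MI = 65000.0   # reference area S from the table footnote
YEARS = 45          # 1950-94 reporting period

# (origin, angle in deg, p(theta), a in ft, b in ft): upper half of Table B.3-1
DIRECTIONS = [
    ("N", 0, 0.009, 900, 2500), ("NE", 45, 0.000, 900, 2500),
    ("E", 0, 0.009, 2500, 900), ("SE", 45, 0.021, 2500, 900),
    ("S", 0, 0.098, 900, 2500), ("SW", 45, 0.357, 900, 2500),
    ("W", 0, 0.472, 2500, 900), ("NW", 45, 0.034, 2500, 900),
]

# F scale: (reported, est. unreported, mean path length mi, mean path width mi)
TORNADOES = {
    "F1": (313, 30.8, 2.97, 0.05), "F2": (156, 15.6, 6.37, 0.09),
    "F3": (26, 4.6, 20.57, 0.20), "F4": (13, 1.2, 26.66, 0.37),
    "F5": (0.23, 0.1, 33.0, 0.39),
}

def weighted_projections():
    """Return (Z_T1, Z_T2) in feet, weighted by origin-direction probability."""
    zt1 = zt2 = 0.0
    for _origin, deg, p, a, b in DIRECTIONS:
        t = math.radians(deg)
        # Assumed projection rule; it reproduces the table's Z1 and Z2 columns.
        zt1 += p * (a * math.cos(t) + b * math.sin(t))
        zt2 += p * (a * math.sin(t) + b * math.cos(t))
    return zt1, zt2

def strike_frequency(f_scale, a_ft=900.0, b_ft=2500.0):
    """Return (A0 in sq mi, strike frequency per year) for one F-scale class."""
    reported, unreported, length_mi, width_mi = TORNADOES[f_scale]
    zt1, zt2 = (z / FT_PER_MI for z in weighted_projections())
    target_area = a_ft * b_ft / FT_PER_MI ** 2   # assumed meaning of the A term
    a0 = width_mi * length_mi + width_mi * zt1 + length_mi * zt2 + target_area
    rate = (reported + unreported) / YEARS        # occurrences per year
    return a0, rate * a0 / S_SQ_MI

if __name__ == "__main__":
    for scale in TORNADOES:
        a0, freq = strike_frequency(scale)
        print(f"{scale}: A0 = {a0:.2f} sq mi, strike frequency = {freq:.2e}/yr")
```

The computed values agree with the tabulated A0 and switchyard strike frequencies to within about 1%, the residual coming from the rounded path lengths and widths printed in the table.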


Table B.3-2 Catawba Plant Strike Frequency

Origin  Angle (α)  p(θ)    a      b      Z1        p(θ)*Z1   Z2        p(θ)*Z2
        (deg)              (ft)   (ft)   (ft)      (ft)      (ft)      (ft)
N       0          0.009   5000   6000   5000.00   45.00     6000.00   54.00
NE      45         0       5000   6000   7778.17   0.00      7778.17   0.00
E       0          0.009   6000   5000   6000.00   54.00     5000.00   45.00
SE      45         0.021   6000   5000   7778.17   163.34    7778.17   163.34
S       0          0.098   5000   6000   5000.00   490.00    6000.00   588.00
SW      45         0.357   5000   6000   7778.17   2776.81   7778.17   2776.81
W       0          0.472   6000   5000   6000.00   2832.00   5000.00   2360.00
NW      45         0.034   6000   5000   7778.17   264.46    7778.17   264.46

Σp(θ)*Z1 = 6625.61    Σp(θ)*Z2 = 6251.61

F Scale  Wind Speed   Number      Est. No. of  Occurrence  Mean Path  Mean Path  A0        Plant Strike
         Range (mph)  Reported    Unreported   Rate        Length     Width                Frequency
                      (1950-94)   Tornados     (#/yr)      (mi)       (mi)                 (/yr)
F1       73-112       313         30.8         7.64        2.97       0.05       4.15E+00  4.88E-04
F2       113-157      156         15.6         3.81        6.37       0.09       3.07E+00  1.80E-04
F3       158-206      26          4.6          0.68        20.57      0.20       1.12E+01  1.17E-04
F4       207-260      13          1.2          0.32        26.66      0.37       1.90E+01  9.22E-05
F5       261+         0.23†       0.1          0.01        33†        0.39†      2.40E+01  2.71E-06

P(I) = u(I)*A0(I)/S
A0(I) = W(I)*L(I) + W(I)*Z_T1 + L(I)*Z_T2 + A
Z_T1 = Σp(θ)*Z1(θ)
Z_T2 = Σp(θ)*Z2(θ)
S = 65000 sq mi (125 NM circle)

Note: Refer to Attachment 4 for estimation of unreported tornados.

† Note: No F5 tornados were recorded during the entire 45 year period of data for the Catawba Plant. A Chi-square method was used to derive an equivalent number of tornados for the report period. The mean path length and width for F5 tornados are assumed values based on data for the eastern U.S. provided in NUREG/CR-4461 (Table 6, p. 40).


B.4 References

B.1 Duke Power Company, Catawba IPEEE Submittal Report, June 1, 1994.

B.2 PRA Procedures Guide, NUREG/CR-2300, Volume 1, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, D.C., January 1983.

B.3 EPRI, NP-6359, "Seismic Margin Assessment of the Catawba Nuclear Station," April 1989.

B.4 EPRI, NP-6041, Rev. 0 and Rev. 1, "A Methodology of Assessment of Nuclear Power Plant Seismic Margin," October 1988 and August 1991.

B.5 National Technical Systems, NTS 19202.01, "Seismic Fragilities of Structures and Components at the Catawba Nuclear Station," March 1986.

B.6 Veneziano, "Seismic Fragility of the SNSW Pond Dam at Catawba Nuclear Station," Massachusetts Institute of Technology, March 1983.

B.7 P. T. Farish, Memo to File, PRA Update - Revised Seismic Analysis, File: CNS-PRA, May 20, 1996.

B.8 Methodology for Developing Seismic Fragilities, EPRI Report TR-103959, prepared by Jack R. Benjamin & Associates, June 1994.

B.9 Documentation of the Seismic Event Impact Sequence Model (SEISM) Computer Code, PSA 84 17, Duke Power Company, September 1984.

B.10 Holmes, Wayne D., A Methodology for the Assessment of Risk of Major Fire Loss in Multi-Unit Turbine Generator Buildings, SFPE TR84 9.

B.11 Catawba IPE Report, Section 3.4.

B.12 Twisdale, L. A., et al., "Tornado Missile Simulation and Design Methodology," NP-2005, Electric Power Research Institute, Palo Alto, CA, August 1981.

B.13 McDonald, J.R., "A Methodology for Tornado Hazard Probability Assessment," NUREG/CR-3058, U.S. Nuclear Regulatory Commission, Washington, DC, October 1983.

B.14 Kanipe, L. M., "Calculation Of Tornado Strike Probabilities For Catawba Nuclear Station," SAAG File # 374, Duke Power Company, Charlotte, NC, March 1996.
