ML20206C829

Analysis of Core Damage Frequency from Internal Events:Surry Unit 1
ML20206C829
Person / Time
Site: Surry
Issue date: 11/30/1986
From: Bertucio R, Harper F, Quilici M, Young J
SANDIA NATIONAL LABORATORIES
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-A-1228 NUREG-CR-4550, NUREG-CR-4550-V03, NUREG-CR-4550-V3, SAND86-2084, NUDOCS 8704130170
Download: ML20206C829 (466)


Text

{{#Wiki_filter:NUREG/CR-4550/Vol. 3
SAND86-2084
AN
Printed November 1986

Analysis of Core Damage Frequency From Internal Events: Surry, Unit 1

Robert C. Bertucio, Marc D. Quilici, Jonathan Young, Frederick T. Harper

Prepared by Sandia National Laboratories, Albuquerque, New Mexico 87185 and Livermore, California 94550, for the United States Department of Energy under Contract DE-AC04-76DP00789


Prepared for U.S. NUCLEAR REGULATORY COMMISSION

8704130170 861130 PDR ADOCK 05000280 PDR

NOTICE

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.

Available from Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, D.C. 20013-7982 and National Technical Information Service, Springfield, VA 22161

NUREG/CR-4550/Vol. 3
SAND86-2084
AN

ANALYSIS OF CORE DAMAGE FREQUENCY FROM INTERNAL EVENTS: SURRY, UNIT 1

Robert C. Bertucio,1 Marc D. Quilici,1 Jonathan Young, Frederick T. Harper

Program Manager: Allen L. Camp 2
Principal Investigator: Frederick T. Harper
Team Leader: Robert C. Bertucio

Printed November 1986

Sandia National Laboratories, Albuquerque, NM 87185
Operated by Sandia Corporation for the U.S. Department of Energy

Prepared for Division of Reactor System Safety, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555
Under Memorandum of Understanding DOE 40-550-75
NRC FIN A1228

1 Energy Incorporated
2 Sandia National Laboratories


ABSTRACT

This document contains the accident sequence analyses for Surry, Unit 1, one of the reference plants being examined as part of the NUREG-1150 effort by the Nuclear Regulatory Commission (NRC). NUREG-1150 will document the risk of a selected group of nuclear power plants. As part of that work, this report contains the overall core damage frequency estimate for Surry, Unit 1, and the accompanying plant damage state frequencies. Sensitivity and uncertainty analyses provide additional insights regarding the dominant contributors to the Surry core damage frequency estimate.

The mean core damage frequency at Surry was calculated to be 2.6E-5 per year. Station blackout type accidents (loss of all AC power) were the largest contributors to core damage frequency, accounting for approximately 35% of the total. The next type of dominant contributors were transient induced LOCAs caused by loss of electrical bus initiators. These sequences account for 19% of core damage frequency. No other type of sequence accounts for more than 10% of core damage frequency.

The numerical results are driven to some degree by modeling assumptions and data selection for issues such as reactor coolant pump seal LOCAs, common cause failure probabilities, and plant response to station blackout and loss of electrical bus initiators. The sensitivity studies explore the impact of alternate theories and data on these issues. The results of the uncertainty and sensitivity analyses should be considered before any future actions are taken based on this analysis.


TABLE OF CONTENTS

List of Figures
List of Tables
I. EXECUTIVE SUMMARY
I.1 Motivations and Objectives
I.2 Approach
I.3 Results
I.3.1 Characterization of Core Damage Frequency at Surry
I.3.2 Characterization of Plant Damage State Frequencies
I.3.3 Characterization of Dominant Sequence Frequencies
I.4 Conclusions
I.4.1 Specific Plant Damage State Conclusions
I.4.2 Specific Sequence Conclusions
I.4.3 Uncertainty and Sensitivity Conclusions
II. PROGRAM SCOPE AND LIMITATIONS
III. PROGRAM REVIEW
III.1 Senior Consultant Group
III.2 Quality Control Group
III.3 Utility Interface
IV. TASK DESCRIPTIONS
IV.1 Task Flow Chart
IV.2 Plant Familiarization
IV.2.1 Initial Plant Visit
IV.2.2 Information Obtained

IV.3 Initiating Event Identification and Grouping
IV.3.1 Initiating Event Identification
IV.3.2 Initiating Event Grouping
IV.3.3 Assumptions Made in Initiation Event Selection
IV.4 Event Tree Analysis
IV.4.1 Event Tree Assumptions
IV.4.2 Plant Damage State Definition
IV.4.3 T1 (Loss of Offsite Power) Event Tree
IV.4.4 T2 (Loss of Main Feedwater) Event Tree
IV.4.5 T3 (Turbine Trip with MFW) Event Tree
IV.4.6 T4 (Loss 480V Bus) Event Tree
IV.4.7 T5 (Loss of DC Bus) Event Tree
IV.4.8 T6 (Loss of Charging Pump Cooling) Event Tree
IV.4.9 Seal LOCA Event Tree
IV.4.10 Station Blackout Event Tree
IV.4.11 A (Large LOCA) Event Tree
IV.4.12 S1 (Medium LOCA) Event Tree
IV.4.13 S2 (Small LOCA) Event Tree
IV.4.14 S3 (Very Small LOCA) Event Tree
IV.4.15 Event Tree Nomenclature
IV.5 System Analysis
IV.5.1 System Modeling and Scope
IV.5.2 Containment Spray System Model
IV.5.3 High Pressure Injection/Recirculation System Model
IV.5.4 Accumulator Model

IV.5.5 Low Pressure Injection/Recirculation System Model
IV.5.6 Inside Spray Recirculation System Model
IV.5.7 Outside Spray Recirculation System Model
IV.5.8 Auxiliary Feedwater System Model
IV.5.9 Primary Pressure Relief System Model
IV.5.10 Power Conversion System Model
IV.5.11 Charging Pump Cooling System Model
IV.5.12 Service Water System Model
IV.5.13 Component Cooling Water System Model
IV.5.14 Reactor Protection System Model
IV.5.15 Emergency Power System Model
IV.5.16 Safety Injection Actuation System Model
IV.5.17 Consequence Limiting Control System Model
IV.5.18 Recirculation Mode Transfer System Model
IV.5.19 System Analysis Nomenclature
IV.6 Analysis of Dependent Failures
IV.6.1 Subtle Interactions
IV.6.2 Common Cause Analysis
IV.7 Human Reliability Analysis
IV.7.1 Guidelines for Analysis of Human Actions
IV.7.2 Results of Human Reliability Analysis on Post Initiator Actions
IV.7.3 Assumptions Used During Surry HRA

IV.8 Data Base Development
IV.8.1 Sources of Information for Data Base
IV.8.2 Assumptions and Limitations in the Data Base
IV.8.3 Data Base Description
IV.9 Accident Sequence Quantification
IV.9.1 Rationale for Selection of Sequences to be Quantified
IV.9.2 List of Sequences Quantified in the Analysis
IV.9.3 Quantification Issues
IV.10 Anticipated Transients Without SCRAM
IV.10.1 ATWS Model Development and Success Criteria Definition
IV.10.2 ATWS Event Tree and Phenomenology
IV.10.3 ATWS Quantification
IV.11 Uncertainty/Sensitivity Analysis
IV.11.1 Treatment of Uncertainties
IV.11.2 Sources of Uncertainty
IV.11.3 Results of Uncertainty/Sensitivity Analysis
V. RESULTS
V.1 Characterization of Core Damage Frequency at Surry
V.2 Characterization of Plant Damage State Frequencies
V.2.1 Plant Damage State SYYB
V.2.2 Plant Damage State SNNN
V.2.3 Plant Damage State SYNI
V.2.4 Plant Damage State AYNN
V.2.5 Plant Damage State ANNN
V.2.6 Plant Damage State AYNB

V.2.7 Plant Damage State AYNI
V.2.8 Plant Damage State AYYB
V.2.9 Plant Damage State TNNN
V.2.10 Plant Damage State TYYB
V.2.11 Plant Damage State TYNI
V.2.12 Event V
V.3 Characterization of Dominant Sequence Frequencies
V.3.1 Sequence Ti (SL)-D g CF1
V.3.2 Sequence 5 3 Dg
V.3.3 Sequence T 43 Q -Hg
V.3.4 Sequence T 4gQ-H g
V.3.5 Sequence gT L(LT)D g CF 3
V.3.6 Sequence gT L(ST)D g CFg
V.3.7 Sequence g T L P
V.3.8 Sequence TKRD 4
V.3.9 Sequence V
V.3.10 Sequence S2H g
V.3.11 Sequence T 43 Q -H2
V.3.12 Sequence S g Hg
V.3.13 Sequence S g Dg
V.3.14 Sequence S 2 Di
V.3.15 Sequence T 4HQ -H 2
V.3.16 Sequence T K RZ
V.3.17 Sequence AD 3
V.3.18 Sequence AHg
V.3.19 Sequence S H2 2
V.3.20 Sequence gT Q-D g CF 3

V.4 Sensitivity Studies
V.4.1 Sensitivity Study 1 - Increase in RCP Seal LOCA Probability
V.4.2 Sensitivity Study 2 - Decrease in RCP Seal LOCA Probability
V.4.3 Sensitivity Study 2A - Decrease in RCP Seal LOCA Size
V.4.4 Sensitivity Study 3 - Increase in Offsite Power Recovery Probability
V.4.5 Sensitivity Study 4 - Credit for Non-Safety Grade Gas Turbine Generator
V.4.6 Sensitivity Study 5 - Recovery of Common Cause Failure of Service Water Valves
V.4.7 Sensitivity Study 6 - Increase in Beta Factor Values
V.4.8 Sensitivity Study 7 - Elimination of Beta Factors
V.4.9 Sensitivity Study 8 - Beta Factors for Check Valves
V.4.10 Sensitivity Study 9 - Decrease in Interfacing LOCA Failure Rates
V.4.11 Sensitivity Study 10 - Increase in Interfacing LOCA Failure Rates
V.4.12 Sensitivity Study 11 - ECCS Operability Following Containment Failure
V.4.13 Sensitivity Study 12 - Decreased PORV Demand Rate
V.4.14 Sensitivity Study 13 - Combination of Sensitivity Studies 3, 4, 6
V.5 Comparison of Results with WASH-1400
V.6 Importance Analysis
V.6.1 Risk Increase Importance Measures
V.6.2 Risk Reduction Importance Measures
VI. REFERENCES
APPENDIX A
APPENDIX B

LIST OF FIGURES

I.3.1-1 Box and Whisker Presentation of Surry Total Core Damage Frequency
I.3.2-1 Box and Whisker for Surry Plant Damage States With Frequencies Greater than 1.0E-7
IV.1-1 Study Task Flow Diagram
IV.4.3-1 Event Tree for T1 - Loss of Offsite Power
IV.4.4-1 Event Tree for T2 - Loss of MFW
IV.4.5-1 Event Tree for T3 - Turbine Trip with MFW Initially Available
IV.4.6-1 Event Tree for T4 - Loss of 480V Bus
IV.4.7-1 Event Tree for T5 - Loss of DC Bus
IV.4.8-1 Event Tree for T6 - Loss of Charging Pump Cooling
IV.4.9-1 Event Tree for SL - Seal LOCA
IV.4.10-1 Station Blackout Event Tree
IV.4.11-1 Event Tree for A - Large LOCA
IV.4.12-1 Event Tree for S1 - Medium LOCA
IV.4.13-1 Event Tree for S2 - Small LOCA
IV.4.14-1 Event Tree for S3 - Very Small LOCA
IV.5.2-1 CSS Simplified Schematic
IV.5.2-2 CSS Dependency Diagram
IV.5.3-1 Simplified HPI/R Schematic
IV.5.3-2 HPI/HPR System Dependency Diagram
IV.5.4-1 Accumulator Simplified Schematic
IV.5.5-1 LPI/LPR Simplified Schematic
IV.5.5-2 LPI/LPR System Dependency Diagram
IV.5.6-1 ISR System Simplified Schematic
IV.5.6-2 ISR System Dependency Diagram
IV.5.7-1 OSR System Simplified Schematic
IV.5.7-2 OSR System Dependency Diagram
IV.5.8-1 AFW System Simplified Schematic
IV.5.8-2 AFW System Dependency Diagram

IV.5.9-1 Simplified Schematic of the PPRS
IV.5.9-2 Primary Pressure Relief System Dependency Diagram
IV.5.11-1 CPC System Simplified Schematic
IV.5.11-2 CPC System Dependency Diagram
IV.5.12-1 SWS Simplified Schematic
IV.5.12-2 Service Water System Dependency Diagram
IV.5.13-1 Simplified Schematic of the CCWS Portions Required for RCP Thermal Barrier Cooling
IV.5.13-2 CCW System Dependency Diagram
IV.5.15-1 EPS Simplified Electrical Diagram
IV.5.16-1 Components Dependent on SIAS for Automatic Actuation
IV.5.17-1 Simplified CLCS Logic Diagram
IV.5.18-1 Simplified RMTS Logic Diagram
IV.10-1 ATWS Event Tree
V.1-1 Box and Whisker Presentation of Surry Total Core Damage Frequency
V.1-2 Box and Whisker for Individual Plant Damage States
V.5-1 Comparison with WASH-1400 Sequence Frequencies

LIST OF TABLES

I.3.3-1 Accident Sequences Representing 80% of Total Core Damage Frequency at Surry
IV.2-1 List of Requested Information/Drawings/Procedures
IV.2-2 Information Prepared by the Surry PRA Team Prior to Plant Visit
IV.2-3 Typical Questions on System Design and Operation
IV.2-4 Components for Plant-Specific Failure Data
IV.2-5 Events for Human Reliability Analysis
IV.2-6 Request for Most Up-To-Date Analysis in Following Areas
IV.3-1 Initiating Event Categories Used in the Surry PRA Update
IV.3.1-1 Sources of Initiating Event Candidates
IV.3.2-1 Transient Initiating Events
IV.3.2-2 LOCA Initiating Events
IV.3.2-3 T1, T2, T3, T4 Transient Success Criteria Summary Information
IV.3.2-4 T., Transient Success Criteria Summary Information
IV.3.2-5 Tg Transient Success Criteria Summary Information
IV.3.2-6 Very Small LOCA Success Criteria Summary Information
IV.3.2-7 Small LOCA Success Criteria Summary Information
IV.3.2-8 Medium LOCA Success Criteria Summary Information
IV.3.2-9 Large LOCA Success Criteria Summary Information
IV.3.3-1 Initiating Event Assumptions
IV.4.1-1 Event Tree and Success Criteria Assumptions
IV.4.2-1 Applicable Surry Plant Damage States
IV.4.2-2 Assumptions Used in Plant Damage State Assignment

IV.4.3-1 T1 Transient Success Criteria Summary Information
IV.4.4-1 T2 Transient Success Criteria Summary Information
IV.4.5-1 T3 Transient Success Criteria Summary Information
IV.4.6-1 T4 Transient Success Criteria Summary Information
IV.4.7-1 T5 Transient Success Criteria Summary Information
IV.4.8-1 T6 Transient Success Criteria Summary Information
IV.4.9-1 Success Criteria Summary Information
IV.4.10-1 Timing Considerations and Other Assumptions in the SBO Event Tree
IV.4.11-1 Large LOCA Success Criteria Summary Information
IV.4.12-1 Medium LOCA Success Criteria Summary Information
IV.4.13-1 Small LOCA Success Criteria Summary Information
IV.4.14-1 Very Small LOCA Success Criteria Summary Information
IV.4.15-1 Identifiers for Event Trees
IV.4.15-2 Definition of Events
IV.5-1 Systems Included in the Surry System Analysis
IV.5.2-1 CSS Component Status and Dependency Summary
IV.5.3-1 HPI/HPR Component Status and Dependency Summary
IV.5.5-1 LPI/LPR Component Status and Dependency Summary
IV.5.6-1 ISR Component Status and Dependency Summary
IV.5.7-1 OSR Component Status and Dependency Summary
IV.5.8-1 AFW Component Status and Dependency Summary
IV.5.9-1 PPRS Component Status and Dependency Summary
IV.5.11-1 CPC Component Status and Dependency Summary

IV.5.12-1  SWS Component Status and Dependency Summary
IV.5.13-1  CCW Component Status and Dependency Summary
IV.5.15-1  AC/DC Power Supplies and Dependencies
IV.5.16-1  SIAS Actuation Parameters
IV.5.17-1  Component Dependencies on CLCS
IV.5.18-1  Components Actuated by RMTS
IV.5.19-1  System Identifiers
IV.5.19-2  Event and Component Type Identifier
IV.5.19-3  Failure Mode Codes
IV.6-1  Generic List of Potential Subtle Interactions
IV.6-2  Applicability of Generic Subtle Interactions to Surry
IV.7.1-1  Human Actions Quantified in the Surry PRA
IV.7.1-2  Groundrules for Calculation of Valve Restoration Error Probabilities
IV.7.1-3  Groundrules for Calculation of Common Miscalibration Error Probabilities
IV.7.2-1  Summary of Operator Errors During ATWS
IV.7.2-2  Summary of Operator Errors During Loss of SG Cooling Sequences
IV.7.2-3  Summary of Operator Errors During Loss of Injection Sequences (SgD, S2D, S3D, TQD)
IV.7.2-4  Summary of Operator Action During Station Blackout
IV.7.2-5  Additional Operator Errors Used in Surry Analysis
IV.7.3-1  Groundrules for Surry HRA
IV.7.3-2  Allowable Recovery Times to Prevent Core Damage
IV.7.3-3  Other Timing Considerations
IV.8-1  Plant Specific Data Used in Accident Sequence Quantification
IV.8-2  Initiating Event Data
IV.8-3  CSS Fault Summary Table
IV.8-4  HPI/HPR Fault Summary Table

IV.8-5  Accumulator Fault Summary Table
IV.8-6  LPI/LPR Fault Summary Table
IV.8-7  ISR Fault Summary Table
IV.8-8  OSR Fault Summary Table
IV.8-9  AFW Fault Summary Table
IV.8-10  Primary Pressure Relief Fault Summary Table
IV.8-11  CPC Fault Summary Table
IV.8-12  SWS Fault Summary Table
IV.8-13  CCW Fault Summary Table
IV.8-14  Electric Power Fault Summary Table
IV.8-15  Actuation System Fault Summary Table
IV.8-16  Recovery Factor Fault Summary Table
IV.8-17  Beta Factor Fault Summary Table
IV.8-18  Miscellaneous Event Fault Summary Table
IV.8-19  Ratio of Means to Medians for Lognormal Distributions
IV.9-1  List of Core Damage Sequences Initially Quantified
IV.9-2  Surry Dominant Accident Sequences
IV.10-1  ATWS Success Criteria Summary Information
IV.10.3-1  Probabilities Used for Independent Events in ATWS
IV.11.2-1  Sources of Uncertainty in Surry PRA
IV.11.3-1  Summary of the Surry Base Case Uncertainty Analysis
V.1-1  Surry Dominant Accident Sequences
V.1-2  Accident Sequences Greater Than 10^-7/R-Yr at Surry
V.1-3  Summary of Sensitivity Studies in Surry PRA Study
V.3-1  Accident Sequences Representing 99% of Total Core Damage Frequency at Surry
V.4-1  Summary of Sensitivity Studies in Surry PRA Study

V.4-2  Betting Odds Assigned to Sensitivity Studies
V.4-3  Comparison of Surry Base Case Results with Sensitivity Study 1 Results
V.4-4  Comparison of Surry Base Case Results with Sensitivity Study 2 Results
V.4-5  Comparison of Surry Base Case Results with Sensitivity Study 2A Results
V.4-6  Comparison of Surry Base Case Results with Sensitivity Study 3 Results
V.4-7  Comparison of Surry Base Case Results with Sensitivity Study 4 Results
V.4-8  Comparison of Surry Base Case Results with Sensitivity Study 5 Results
V.4-9  Comparison of Surry Base Case Results with Sensitivity Study 6 Results
V.4-10  Comparison of Surry Base Case Results with Sensitivity Study 7 Results
V.4-11  Comparison of Surry Base Case Results with Sensitivity Study 8 Results
V.4-12  Comparison of Surry Base Case Results with Sensitivity Study 9 Results
V.4-13  Comparison of Surry Base Case Results with Sensitivity Study 10 Results
V.4-14  Comparison of Surry Base Case Results with Sensitivity Study 11 Results
V.4-15  Comparison of Surry Base Case Results with Sensitivity Study 12 Results
V.4-16  Comparison of Surry Base Case Results with Sensitivity Study 13 Results
V.5-1  Comparison of This Study With WASH-1400
V.6.1-1  Risk Increase Importance Measures for Total Core Damage Frequency
V.6.1-2  Risk Increase Importance Measures for Plant Damage State SNNN
V.6.1-3  Risk Increase Importance Measures for Plant Damage State TYYB
V.6.1-4  Risk Increase Importance Measures for Plant Damage State SYYB

V.6.1-5  Risk Increase Importance Measures for Plant Damage State TNNN
V.6.1-6  Risk Increase Importance Measures for Plant Damage State AYYB
V.6.1-7  Risk Increase Importance Measures for Plant Damage State V
V.6.1-8  Risk Increase Importance Measures for Plant Damage State AYNB
V.6.1-9  Risk Increase Importance Measures for Plant Damage State AYNI
V.6.1-10  Risk Increase Importance Measures for Plant Damage State ANNN
V.6.1-11  Risk Increase Importance Measures for Plant Damage State SYNI
V.6.1-12  Risk Increase Importance Measures for Plant Damage State TYNI
V.6.1-13  Risk Increase Importance Measures for Plant Damage State AYNN
V.6.1-14  Cross Reference of Events in Section V.6 Tables to Originating Supercomponents
V.6.1-15  Term Descriptions
V.6.2-1  Risk Reduction Importance Measures for Total Core Damage Frequency
V.6.2-2  Risk Reduction Importance Measures for Plant Damage State SNNN
V.6.2-3  Risk Reduction Importance Measures for Plant Damage State TYYB
V.6.2-4  Risk Reduction Importance Measures for Plant Damage State SYYB
V.6.2-5  Risk Reduction Importance Measures for Plant Damage State TNNN
V.6.2-6  Risk Reduction Importance Measures for Plant Damage State AYYB
V.6.2-7  Risk Reduction Importance Measures for Plant Damage State V
V.6.2-8  Risk Reduction Importance Measures for Plant Damage State AYNB

V.6.2-9  Risk Reduction Importance Measures for Plant Damage State AYNI
V.6.2-10  Risk Reduction Importance Measures for Plant Damage State ANNN
V.6.2-11  Risk Reduction Importance Measures for Plant Damage State SYNI
V.6.2-12  Risk Reduction Importance Measures for Plant Damage State TYNI
V.6.2-13  Risk Reduction Importance Measures for Plant Damage State AYNN

RELATED DOCUMENTATION

This is one of several documents that will present information to the NRC Office of Regulatory Research about Light Water Reactor (LWR) risk. The Office of Regulatory Research will use this information to prepare NUREG-1150. NUREG-1150 will examine risk from a selected group of nuclear power plants and will provide the basis for both comparison of NRC research to industry results and the resolution of numerous severe accident issues.

Figure i represents the process that was used to calculate risk. As can be seen by this figure, there are three interfacing programs performing this work: the Accident Sequence Evaluation Program (ASEP), the Severe Accident Risk Reduction Program (SARRP), and the PRA Uncertainties Estimation Program (PRUEP). As a result of these programs, several reports are being written that will document the ongoing work. In this section we will briefly describe the content of the different reports and will list the titles of those relevant to the Surry NUREG-1150 analyses.

ASEP Reports

The ASEP reports will present the methodology and results of the systems analyses for the LWRs studied. Estimates of core damage frequency and estimates of severe accident sequence frequencies are found in these reports:

NUREG/CR-4550, SAND86-2084, Vol. 1, "Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines," F.T. Harper, et al., Sandia National Laboratories (to be published).

NUREG/CR-4550, SAND86-2084, Vol. 2, "Analysis of Core Damage Frequency from Internal Events: Summary Report," F.T. Harper, et al., Sandia National Laboratories (to be published).

Containment Event Tree Reports

These reports document analyses performed under the SARRP to investigate the response of containments at the respective plants.

NUREG/CR-4700, SAND-1135, Vol. 1, "Containment Event Analysis for Postulated Severe Accidents at the Surry Nuclear Power Plant," A.S. Benjamin, et al., Sandia National Laboratories (to be published).

Containment Event Tree Review Report

This report documents the review of the development and construction of the SARRP containment event trees, the containment failure probabilities, the containment failure modes, the containment failure timing, and the computer model used to construct and evaluate the trees.

NUREG/CR-4569, "A Review of the Severe Accident Risk Reduction Program (SARRP) Containment Event Trees," University of Wisconsin, Madison, WI, May 1986.

Radionuclide Release Calculation Reports

These reports present results of analyses of the environmental release of fission products (source terms) for severe accident scenarios in the containment designs chosen for NUREG-1150.

NUREG/CR-4624, BMI-2139, Vol. 3, "Radionuclide Release Calculations for Selected Severe Accident Scenarios: PWR Subatmospheric Containment Design," R.S. Denning, et al., Battelle Columbus Laboratories, July 1986.

SARRP Summary Reports

These reports summarize the research represented in Figure i. These reports present (1) the risk insights that have been generated as a result of recent research into severe accident systems behavior and physical phenomena, (2) an evaluation of the current level of plant safety, and (3) a discussion of the potential benefits and costs of measures intended to enhance safety.

NUREG/CR-4551, SAND86-1309, Vol. 1, "Evaluation of Severe Accident Risks and the Potential for Risk Reduction: Surry Power Station, Unit 1," A.S. Benjamin, et al., Sandia National Laboratories (to be published).

[Figure i. Information Flow for NUREG-1150 Input. Flow chart with the columns Responsible Programs (ASEP, SARRP, PRUEP), Input, Process, Output, and Relevant Documentation. Process stages shown: system event tree and fault tree analysis; containment event tree; source term code package; consequence analysis; integration of risk results.]

I. EXECUTIVE SUMMARY

I.1 Motivations and Objectives

This document presents the results of one of several studies that will provide information to the NRC Office of Research about Light Water Reactor (LWR) risk. The Office of Research will use the results of this work, along with other input, to prepare NUREG-1150, which will examine risk from a selected group of nuclear power plants by incorporating the results of wide-ranging research efforts that have taken place over the past several years. These results will provide the bases for updating our perception of risk from selected plants, developing methods for extrapolation to other plants, comparing NRC research to industry results, and resolving numerous severe accident issues.

Surry Unit 1 has been chosen as one of the reference plants that will be analyzed to accomplish these goals. The Surry Nuclear Power Plant contains two units of 788 megawatts (electrical) capacity and is located near Surry in Virginia. The reactors are each housed in a large, dry subatmospheric containment. The Surry plant was previously analyzed in WASH-1400. Other plants that have been chosen as reference plants are Peach Bottom, Sequoyah, Grand Gulf, Zion, and LaSalle.

Our objective was to perform an analysis that approximated a detailed, state-of-the-art, level one Probabilistic Risk Assessment (PRA). For most of the project, we worked under severe time and resource constraints, and it was necessary to take shortcuts in some areas.

This document presents the initial part of the risk equation: the frequency of scenarios involving system failures which lead to severe core damage. External and special events were not analyzed in this study. Containment and consequence analysts have taken these results and have integrated them into the risk equation. The corresponding Surry containment and consequence analyses can be found under separate cover.

I.2 Approach

We decided that to meet the program objectives with the time available, we would have to use every available piece of information about Surry and take "intelligent" shortcuts. Because Surry has been the subject of many studies, there was plenty of information. In order to recognize appropriate shortcuts, a team that was very experienced in the field of PRA was selected.

The Surry PRA team analyzed only those aspects of the plant that they felt could be important. Time was not spent analyzing areas that had been shown to be unimportant in the past. Also, if the analyst felt that a system could be represented adequately using a simplified model rather than a detailed fault tree, the simplified approach was used. However, if the analyst felt that a system was important enough to warrant extreme modeling detail, he then used the appropriate modeling techniques. Using this approach, we have produced results that we feel meet the program objectives without excessive effort.

The standard PRA approach was used in the analysis. We formulated event trees, modeled the top events using large fault trees, and quantified the results using the Set Equation Transformation System (SETS) and Set Equation Evaluation Program (SEP) computer codes.

In order to maintain high quality, this work was reviewed by four different groups: 1) an independent Senior Consultant Group (SCG), 2) an independent Quality Control Group (QCG), 3) an internal Sandia review group, and 4) an internal NRC review group.

I.3 Results

A summary of the quantitative results of the analysis is presented in this section. The results are presented at three levels: the plant level, the plant damage state level, and the sequence level.

I.3.1 Characterization of Core Damage Frequency at Surry

The Surry PRA identified twenty core damage sequences with a frequency greater than 1.0E-7 per reactor year. These sequences and another eight sequences that were retained to provide full coverage of all plant damage states were analyzed in depth. (The important damage states are summarized in Section I.3.2, and the important sequences are summarized in Section I.3.3.) The mean value of the total core damage frequency is 2.6E-5 per reactor year. The WASH-1400 value for core damage frequency is 4.4E-5 and represents the sum of individual sequence median values, which cannot be readily compared to this study's results.

Uncertainty and sensitivity analyses were also performed. The results of these analyses are presented on the "box and whisker" graphic in Figure I.3.1-1. The "box" represents the range of the means of sensitivity studies that were performed to identify the impact of data selection and modeling assumptions on core damage frequencies. Some of the sensitivity issues considered were the behavior of the reactor coolant pump seals in a station blackout, the values of generic common-cause factors, human error probabilities, recovery probabilities, interfacing Loss of Coolant Accident (LOCA) check valve failure rates, and the use of non-safety grade equipment during an accident (a complete list is presented in Table V.4-1).

The "whiskers" associated with the box and whisker charts represent ranges of parameter value uncertainty for the base case and sensitivity studies. The inner bars on the whiskers indicate the 95th and 5th percentiles of the probability distribution calculated for the base case. The upper bar is the highest 95th percentile of any of the sensitivity studies. The lower bar is the lowest 5th percentile of any of the sensitivity studies.

I.3.2 Characterization of Plant Damage State Frequencies

The plant damage states with mean frequencies greater than 1.0E-7 are shown in Figure I.3.2-1. The results of the base case and sensitivity calculations are shown using the "box and whisker" format that was described previously. The dominant plant damage states shown in Figure I.3.2-1 are described briefly below. They are presented in order of frequency. The sequences included in each damage state are described later in Section I.3.3.

Plant damage states were developed based on the status of four parameters and are identified by a four-letter code as follows:

First Letter: Reactor Coolant System Integrity
    A: LOCA with Reactor Coolant System (RCS) at low pressure before vessel breach (e.g., A, Sg)
    S: LOCA with RCS at high pressure before vessel breach (e.g., S2, TQ)
    T: RCS nearly intact before vessel breach (S3, T)

[Figure I.3.1-1. Box and Whisker Presentation of Surry Total Core Damage Frequency. Labeled values, top to bottom: 1.1E-4, 95% upper bound, Sensitivity Study 1 (pessimistic seal LOCA model); 6.7E-5, 95% upper bound, base case; mean value, Sensitivity Study 1 (pessimistic seal LOCA model); 2.6E-5, mean value, base case; 1.9E-5, mean value, Sensitivity Study 3 (increased recovery of AC power); 7.1E-6, 5% lower bound, base case; 5% lower bound, Sensitivity Study 12 (lower PORV demand rate).]

[Figure I.3.2-1. Box and Whisker for Surry Plant Damage States With Frequencies Greater than 1.0E-7. Plant damage state identifiers shown: SNNN, SYYB, TYYB, TNNN, AYNB, AYYB, V.]

    V: LOCA outside containment
Second Letter: Refueling Water Storage Tank (RWST) inventory injected into containment (Yes or No)
Third Letter: Containment heat removal (Yes or No)
Fourth Letter: Containment Sprays Available
    B: Both Containment Spray Injection (CSI) and Containment Spray Recirculation (CSR)
    I: CSI only
    R: CSR only
    N: No containment spray

SYYB -- Characterized by small LOCA sequences with all containment systems available. The failures that contribute most to the sequences in this plant damage state are mechanical failures of the valves and pumps in the High Pressure Injection (HPI) and Low Pressure Injection (LPI) systems. Because all the containment systems are available, this plant damage state has low consequences relative to some other plant damage states. This plant damage state includes the following sequences: S2H3,522H 2'S gD ,TKRZ,T g3Q-H g,T 43Q-H2,T 4gQ-H2 ' 4H 9 -"I

SNNN -- Characterized by small LOCA sequences in which all containment systems fail. This plant damage state is dominated by station blackout sequences followed by a reactor coolant pump seal LOCA or a stuck-open Power Operated Relief Valve (PORV). Because the containment systems are not available and the sump is probably dry, this is a more severe plant damage state. This plant damage state includes the following sequences: T1(SL)-D1CF3, TgQ-DgCF1

TYYB -- This plant damage state is characterized by a transient or very small LOCA with success of all containment systems. Because all containment systems are available, this damage state has relatively low consequences compared to other damage states. This damage state includes the following sequences: TKRD4, T1LP, S3D1

TNNN -- This plant damage state is characterized by transients in which no containment systems are available. Long-term and short-term station blackout sequences dominate this damage state. This damage state includes the following sequences: T1L(LT)D1CF1, T1L(ST)D1CF3

AYYB -- This plant damage state is characterized by large and intermediate LOCAs in which all of the containment systems function. The sequences that contribute to this damage state are driven by hardware failures of the HPI and LPI systems. The damage state has relatively low consequences compared to some other states. This damage state includes the following sequences: AHg, Sg Hg, Sg Dg, ADj

V -- This plant damage state is comprised entirely of interfacing LOCAs. The damage state is subject to large uncertainties. Because the containment is bypassed, this damage state could result in large consequences.

I.3.3 Characterization of Dominant Sequence Frequencies

The accident sequences representing 80% of the total core damage frequency are presented in Table I.3.3-1.

1) Sequence Ti (SL)-Dg CF 3

This sequence is initiated by a loss of offsite power (Ti) for greater than 1/2 hour and failure of two diesel generators, resulting in station blackout at Unit 1. The availability of AC power at Unit 2 was not considered. Station blackout results in the unavailability of the high pressure injection system (D g), containment spray system (C), and the inside spray recirculation system (F3). This sequence is grouped in the SNNN plant damage state.

Station blackout results in a loss of seal injection flow to the Reactor Coolant Pumps (RCPs) and a loss of component cooling water to the RCP thermal barriers. This condition results in vulnerability of the RCP seals to failure (SL). Core damage was estimated to begin 1 hour following onset of a seal LOCA if high pressure injection (HPI) flow was not restored by this time. The dominant contributors to failure to restore HPI were determined to be failure to restore AC power and failure of the operator to properly restore component cooling to HPI following AC power recovery. Restoration of AC (offsite) power was required within 1/2 hour of seal LOCA in order to provide HPI flow by 1 hour. The 1/2 hour time lag was assessed necessary to allow restoration of plant power, intake canal water inventory, component cooling water, and other required support systems prior to establishing HPI flow.
2) Sequence S33 0 i

This sequence is initiated by a very small LOCA (equivalent diameter less than 1/2"), followed by failure of high pressure injection (D g). All containment systems are available throughout the sequence. This sequence is grouped in the TYYB plant damage state.

The dominant contributor to failure of high pressure injection is the common cause failure of the motor operated valves in the HPI discharge piping. This failure mode prevents utilization of the Unit 2 HPI cross connect, as the connection point is upstream of the valves. The MOV in the alternate injection path is included in the common cause failure.


Table I.3.3-1 Accident Sequences Representing 80% of Total Core Damage Frequency at Surry

Sequence           Frequency   % of Total Core      Plant
                               Damage Frequency     Damage State
T i(SL)-D iCF3     6.6E-6      26.4                 SNNN
SD3i               2.6E-6      10.4                 TYYB
T 43Q-Hi           1.9E-6       7.6                 SYYB
T 4HQ -Hi          1.6E-6       6.4                 SYYB
T iL(LT)Di CFi     1.3E-6       5.2                 TNNN
T iL(ST)D iCF3     1.3E-6       5.2                 TNNN
T iLP              1.1E-6       4.4                 TYYB
TKRD 4             1.1E-6       4.4                 TYYB
V                  9.0E-7       3.6                 V
S2Hg               8.9E-7       3.6                 SYYB
T 43Q-H2           8.1E-7       3.2                 SYYB

Note: point estimate frequency based on propagation of mean values for basic events.

3) Sequence T 43Q-Hg

This sequence is initiated by failure of a 480V bus in the J power division (Tg3), followed by failure of pressurizer PORVs to close following a transient (Q), and failure of the low pressure suction for the high pressure recirculation system (Hg). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by loss of the 1J or 1J-1 480V bus. Opening of a common circuit breaker causes loss of both busses. This causes loss of one vital instrumentation bus, which will result in reactor trip. Due to the potential for impaired ability at Surry to control reactor pressure under these circumstances, the PORVs were assumed to be demanded open. Loss of the 1J 480V bus also results in failure of the B train of the low pressure recirculation system and the inability to close the PORV block valve powered from the 1J bus. In addition, the B train of the containment spray system (CSS) and the inside and outside spray recirculation systems (ISRS and OSRS) are unavailable due to the initiating event. The A trains of CSS, ISRS, and OSRS operate as designed to remove containment heat, but failure of recirculation core cooling results in core damage.

The dominant contributors to failure of the low pressure suction for the high pressure recirculation system (Hg) are hardware failures in the suction line from the sump or the RWST to the available LPI pump.

4) Sequence T 4H Q-H g

This sequence is initiated by failure of a 480V bus in the H power division (T4H), followed by failure of pressurizer PORVs to close following a transient (Q), and failure of the low pressure suction for the high pressure recirculation system (Hg). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by loss of the 1H or 1H-1 480V bus. Opening of a common circuit breaker causes loss of both busses. This causes loss of one vital instrumentation bus, which will cause reactor trip. Due to the potential for impaired ability at Surry to control reactor pressure under these circumstances, the PORVs were assumed to be demanded open. Loss of the 480V-1H bus also results in failure of the A train of the low pressure recirculation system and the inability to close the PORV block valve powered from the 1H bus. In addition, the A train of the containment spray system (CSS) and the inside and outside spray recirculation systems (ISRS and OSRS) are unavailable due to the initiating event. The B trains of CSS, ISRS, and OSRS operate as designed to remove containment heat, but failure of recirculation core cooling results in core damage.

The dominant contributors to failure of the low pressure suction for the high pressure recirculation system (HL) are hardware failures in the suction line from the sump or the RWST to the available LPI pump.
5) Sequence T g l.M)D 3CFg l

This sequence is initiated by a loss of offsite power (Ti) for greater than 1/2 hour and failure of two diesel generators, resulting in station blackout at Unit 1, followed by long-term failure of the auxiliary feedwater system L(LT). Station blackout results in the unavailability of the high pressure injection system (D), containment spray system (C), and the inside spray recirculation system (Fg). This sequence is grouped in the TNNN plant damage state.

It is assumed that following station blackout, the turbine-driven AFW pump successfully starts and continues to run. After approximately 4 hours without recovery of AC power, battery depletion was assumed to occur, resulting in loss of all instrumentation and control power. It is assumed that the plant could not be maintained in a stable condition indefinitely without instrumentation or control power. Consistent with NUREG/CR-3226, a time frame of approximately 3 hours after battery depletion was allowed for restoration of AC power before core damage would occur.

The dominant contributor to the sequence frequency is battery depletion, which leads to the long term unavailability of the AFW system.
6) Sequence Ty L(ST)Dg CF g
This sequence is initiated by a loss of offsite power (T,) for greater than 1/2 hour and failure of two diesel generators, resulting in station blackout at Unit 1, followed by a short-term failure of the AFW system L(ST). Station blackout results in the unavailability of the high pressure injection system (D g), containment spray system (C), and the inside spray recirculation system (F1). This sequence is grouped in the TNNN plant damage state.

This sequence includes station blackout followed by failure of the turbine-driven AFW pump train. Steam generators will dry out in approximately 30 minutes. All core heat removal is unavailable at this point. Consequently, core damage would begin at approximately 1 hour (after the initiating event) if AFW and HPI flow have not been restored by that time. Restoration of AC (offsite) power was required within 1/2 hour (of the initiating event) in order to provide HPI flow by 1 hour. The 1/2 hour time lag was included to account for restoration of plant power, intake canal water inventory, component cooling water, and other required support systems, prior to restoration of HPI flow.

The dominant failure modes of the turbine-driven AFW pump are the failure of the pump to initially start or unavailability of the pump due to maintenance activities.

7) Sequence Tg LP

This sequence is initiated by a loss of offsite power (Tg) for greater than 1/2 hour, followed by failure of the Auxiliary Feedwater (AFW) system (L), and failure of feed and bleed cooling due to an insufficient number of open PORVs (P). This sequence is grouped in the TYYB plant damage state.

This sequence, initiated by loss of offsite power transient, includes successful operation of one or more diesel generators. Failure of the AFW system causes a demand for feed and bleed cooling. Charging flow is available, but various failures prevent one PORV from opening. Success criteria require two open PORVs for successful feed and bleed operation. All containment systems would be available; however, the steam generators are unavailable as a heat sink due to loss of AFW. Sufficient primary pressure reduction is unavailable to allow feed and bleed. The resultant heatup and eventual boil off of the primary coolant lead to core damage.

The dominant contributors to the sequence frequency are undetected flow diversion of the Unit 1 AFW flow to Unit 2 through the AFW cross connect or the common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage, coupled with mechanical failure of either of the two PORVs. These contributors account for approximately 65% of the sequence frequency.

8) Sequence TKRD4

This sequence is initiated by any transient requiring reactor scram (T), followed by a failure of the RPS to automatically scram the reactor (K), failure of the operator to manually scram the reactor (R), and failure of emergency boration using the PORVs and the charging pumps (D4). This sequence is grouped in the TYYB plant damage state.

The dominant contributor to failure of emergency boration is operator failure to open a PORV and align and start (switch to fast speed) a boric acid transfer pump within 10 minutes of the failure to scram.

9) Sequence V

The V sequence results from a failure of any one of the three pairs of check valves in series which are used to isolate the high pressure reactor coolant system from the low pressure injection system. The resultant flow into the low pressure system is assumed to result in failure (rupture) of the low pressure piping or components outside the containment boundary. Although core inventory makeup by high pressure systems is initially available, inability to switch to recirculation would eventually lead to core damage. Due to the location of the postulated system failure, all containment safeguards are bypassed. This sequence is placed in a plant damage state by itself. The dominant contributors are the undetected transfer open of the second check valve (closest to the RHR system) and rupture of the first check valve (closest to the RCS) in any of the three pairs.

10) Sequence S H2g

This sequence is initiated by a small LOCA (equivalent diameter between 2" and 1/2") followed by failure of the low pressure recirculation system (H g) to support high pressure recirculation. All containment systems are available. This sequence is grouped in the SYYB plant damage state. The dominant contributors to this sequence are common cause miscalibration of the RWST water level sensors and random mechanical failures of pumps and valves in both trains of the LPR/LPI system.

11) Sequence 43T 4H2

This sequence is initiated by failure of a 480V bus in the J power division (T43), followed by failure of pressurizer PORVs to close following a transient (Q), and failure of the high pressure recirculation system (H2). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by loss of the 1J or 1J-1 480V bus. Opening of a common circuit breaker causes loss of both buses. This results in loss of one vital instrumentation bus, which results in reactor trip. Due to the potential for impaired ability at Surry to control reactor pressure under these circumstances, the PORVs were assumed to be demanded open. Loss of the 480V 1J bus causes failure of train B of the high pressure recirculation system and the inability to close the PORV block valve powered from the 1J bus. In addition, the B train of the charging pump cooling system, containment spray system (CSS), and the inside and outside spray recirculation systems (ISRS and OSRS) are unavailable due to the initiating event. The A trains of CSS, ISRS, and OSRS would operate as designed to remove containment heat, but failure of core cooling recirculation would result in core damage.

The dominant contributors to failure of the high pressure recirculation system are mechanical failure of the LPR discharge - HPR suction valves and failure of the service water and component cooling water pumps for the charging pump cooling system to continue to run for the mission time.

I.4 Conclusions

In the ten years between the WASH-1400 analysis of Surry and the present study, both the Surry plant configuration and our understanding of reactor operation and safety have changed. WASH-1400 calculated a total core damage frequency of 4.4E-5. This study calculated a total core damage frequency of 2.6E-5. It should be noted when comparing the two that the WASH-1400 value for core damage frequency is a point estimate, based on the sum of individual sequence median values, while this study's value is the mean of a calculated distribution. The modifications in plant configuration at Surry reduce the frequency of comparable WASH-1400 sequences to 1.0E-5, but consideration of seal LOCAs, transient-induced LOCAs, and more detailed evaluation of station blackout combine to increase the total core damage frequency to 2.6E-5. Some of the significant differences and similarities between this study and WASH-1400 are presented below:

• Reactor coolant pump seal LOCAs are dominant in the present study, but not in WASH-1400.
• Station blackout followed by loss of AFW remained approximately the same.
• Loss of a 480V electrical bus leading to a transient-induced LOCA appeared significant in the present study, but was not considered in WASH-1400.
• ATWS sequences are not directly comparable due to increased knowledge of ATWS phenomenology, different probabilities for failure to scram, and different perceptions about operator error rates in ATWS situations.
• Interfacing LOCAs were reduced primarily due to increase in valve test frequency.
• The LOCA sequences followed by failure of ECCS systems are generally lower in the present study than WASH-1400.
• The enhanced understanding of containment cooling phenomena and containment failure scenarios used in this study led to a significantly reduced dependence on containment cooling systems for the prevention of core damage.
• The WASH-1400 loss of all feedwater sequences were reduced in frequency in the present study due to both the installation of a cross-tie of AFW at the plant and the assumed viability of feed and bleed in preventing core damage after loss of all steam generator heat removal.

I.4.1 Specific Plant Damage State Conclusions

Of the seventeen plant damage states that were quantified to calculate risk measures, six appear to be probabilistically significant (the means are greater than 5.0E-7). Of these six, three involve either failure of all containment systems or containment bypass (SNNN, TNNN, V). The calculated mean frequencies of these three damage states are as follows: SNNN - 7.5E-6, TNNN - 2.6E-6, V - 1.0E-6. Because these damage states can result in containment failure or containment bypass and release of unscrubbed fission products, they may result in high consequences.

I.4.2 Specific Sequence Conclusions

The core damage profile at Surry is made up of many sequences that contribute significantly (greater than 1%) to the total core damage frequency. The total core damage frequency is not dominated by a single sequence. However, station blackout sequences as a group contribute approximately 40% of total core damage frequency. There is not one single important contributor to the station blackout sequences. Core damage is due to seal LOCAs, battery depletion and failure of AFW.

I.4.3 Uncertainty and Sensitivity Conclusions

The above conclusions are incomplete without considering the results of the uncertainty and sensitivity calculations. The total base case core damage frequency (2.6E-5) has a 95% upper bound value of 6.7E-5 and a 5% lower bound of 7.1E-6 due to statistical uncertainty in the failure data.

No single sensitivity study causes the mean core damage frequency to increase more than 65% or decrease more than 36%. This is because the profile of total core damage frequency is made up of several different sequences, none of which is dominant.

Although some plant damage states are dominated by one sequence, and wide variations can be seen when considering the effect of the sensitivity analyses on individual plant damage states (see Figure I.3.2-1), most sensitivity studies impact only a few sequences at a time.

II. PROGRAM SCOPE AND LIMITATIONS

As stated previously, the objective of this study was to perform a PRA that is as near to the state-of-the-art as possible within the time and resource constraints. Whereas a typical level 1 PRA takes 16 months, we were asked to produce one in 6 months. We did have the advantage of starting with a plant that had been studied previously. To give the reader an idea of the scope of our work, we will go through a typical list of PRA tasks and explain what was done in our analysis. To simplify things, we will compare our level of detail to a "state-of-the-art" PRA. We will grade our level of detail for each task as 1) state-of-the-art, 2) slightly abbreviated, 3) abbreviated, and 4) non-existent.

1) Initial Information Collection--We collected information from past Surry studies and the FSAR and put together an initial set of event trees, fault trees, and questions for plant personnel. The pre-visit information gathering took a month.

We spent a week at the plant gathering information first hand and maintained regular contact with the plant throughout the course of the study. (Slightly abbreviated)

2) Initiating Event Identification--We used initiating event information (internal events only) from past studies and conducted a thorough search for support system initiators. (State-of-the-art)
3) Event Tree Development--Because the plant has been studied thoroughly, we did not develop functional event trees. Past studies and current containment analyses were used to identify the event tree headings necessary to model all reactor and containment functions. No significant shortcuts were used to develop the system event trees.

(State-of-the-art)

4) System Modeling--The level of modeling detail was up to the discretion of the analyst. If the system was considered relatively unimportant, or if a detailed model would have taken an unreasonable amount of time, simplifications were made. If the system was considered important, a detailed modeling effort was undertaken. The models are therefore a combination of detailed fault trees, simplified Boolean expressions, and black box models. (Ranges from abbreviated to state-of-the-art, depending on what system is modeled)

5) Analysis of Dependent Failures--A significant effort was made to identify, model, and quantify dependent failures: Intersystem dependencies were identified and modeled in the system analysis; Subtle interactions found in past PRAs were reviewed for their applicability to Surry; A Licensee Event Report (LER) review of Surry was made to identify any unexpected interactions or common-cause failures; Beta factors for common cause failures were systematically applied to sequence cutsets involving failures of redundant pumps and valves. (Slightly abbreviated)
6) Human Reliability Analysis (HRA)--A screening procedure was developed to estimate human error probabilities. Although an HRA specialist was present during the plant visit, he did not get to spend as much time interviewing operators as he would have liked. The screening procedure was somewhat conservative and values that yielded high results were flagged and reconsidered. Only errors of omission were considered in this analysis. (Abbreviated)
7) Data Base Development--A data specialist was present during the plant visit. As with the HRA specialist, a week is not considered adequate to do a thorough job. However, we did come up with some reasonable plant-specific data. Where plant-specific data was lacking, generic data was used. (Abbreviated)

8) Accident Sequence Quantification--No significant shortcuts were taken in this area. Our task was made easier by the fact that some of our system models were relatively simple. (State-of-the-art)
9) Physical Process of Reactor Meltdown Accidents--For the most part, we relied on past thermal hydraulic calculations and calculations performed for us by the containment analysts. (Slightly Abbreviated)
10) Radionuclide Release and Transport--This was handled by the NUREG-1150 source term analysts.
11) Environmental Transport and Consequence Analysis--This was handled by the NUREG-1150 consequence analysts.
12) Seismic Risk Analysis--This is outside the present scope. (Non-existent)
13) Fire Risk Analysis--This is outside the present scope. (Non-existent)
14) Flood Risk Analysis--This is outside the present scope. (Non-existent)
15) Other External Hazards (e.g., Tornadoes)--This is outside the present scope. (Non-existent)
16) Treatment of Uncertainties--We treated statistical uncertainty in the failure data, uncertainty associated with the application of the failure data, and uncertainty caused by modeling assumptions and success criteria. (State-of-the-art)

In addition to the comparison of our analysis to a state-of-the-art PRA, we felt that it would be helpful to identify some things that PRAs don't normally treat. The following list of items not normally treated in PRAs is reprinted from NUREG-1115.

• Partial Failures
• Design Adequacy
• Adequacy of Test and Maintenance Practices
• Effect of Aging on Component Reliability (also burn-in phenomena)
• Adequacy of Equipment Qualification
• Equipment Operability in Sequence Environment
• Diagnostic Human Errors
• Environmentally-Related Common Cause
• Similar Parts-Related Common Cause
• Sabotage
• Long-Term Accident Response (beyond approximately 24 hours)
• Innovative Operator Accident Response Actions
• Effects of Training and Operator Experience/Conditioning on Operator Response

The makeup of the Surry PRA team is provided here for the reader's information.

Team Leader - Robert C. Bertucio (EI)
System Analyst - Marc D. Quilici (EI)
Technical Direction and Review (EI)
Human Factors Support - Michael Weinstein (HPT)
Data Support - Raymond J. Borkowski (ORNL)

III. PROGRAM REVIEW

To ensure the quality of our work, we chartered several groups with the responsibility of reviewing our work and providing timely feedback. Because the time available to complete our analysis was short, these reviews had to be intense, and PRA team response time had to be almost instantaneous. The different review groups are described in this section.

III.1 Senior Consultant Group

The purpose of the Senior Consultant Group (SCG) was to provide a broad scope review of the methods and results of the reference plant PRAs. This high-level review was to further assure the validity and applicability of the products. The SCG was not expected to provide detailed quality control or assurance of the products. The members of the SCG are listed below:

1. Dennis C. Bley, PL&G
2. Michael P. Bohn, SNLA
3. Gregory J. Kolb, SNLA
4. Joseph A. Murphy, NRC
5. William E. Vessely, SAIC

III.2 Quality Control Group

The goals of the Quality Control Group (QCG) are listed below:

1. To provide guidance regarding the methodologies to be utilized in the PRAs,
2. to assure the consistent application of the methodologies by all PRA teams, and
3. to assure the technical adequacy of the work.

These goals were met via periodic review meetings with the PRA teams. At these meetings, the QCG discussed the methodologies and reviewed, in detail, all technical work performed. The QCG is composed of the individuals listed below. Also shown are each individual's technical specialty.

1. Gregory J. Kolb, SNLA (QCG team leader, systems analysis)
2. Gareth W. Parry, NUS (uncertainty analysis, system analysis/containment and consequence analysis interface)
3. Barbara J. Bell, BCL (human reliability analysis)
4. Arthur C. Payne, Jr., SNLA (system analysis, reliability data)

III.3 Utility Interface

A constant interface was maintained with the utility throughout the duration of the analysis. The Surry PRA team leader was in frequent contact with Surry plant personnel to ask questions and verify information. Surry personnel also reviewed the results of the study when they were made available. The Surry comments are provided in Appendix B.

IV. TASK DESCRIPTIONS

This section contains information on the major tasks performed for this study. Section IV.1 provides a task flow chart which shows the interrelationship of the individual tasks. The remaining subsections within Section IV address each individual task as it applied to the Surry analysis. Section V provides the information covered by the last task entitled "Interpretation of Results."

IV.1 Task Flow Chart

The major tasks performed for this study are indicative of the general tasks performed in any Level 1 PRA. Figure IV.1-1 displays the major tasks carried out in this analysis and shows the primary information flow paths between each task. Reference 3 provides more detailed descriptions of the methodology used in carrying out each task. The reader is referred to that volume and the subsections which follow in order to obtain a comprehensive description of how the Surry analysis was conducted.

[Figure IV.1-1. Study Task Flow Diagram. Legible boxes: Initiating Event Identification (past studies, support system initiators); System Modeling (detailed fault trees, simplified Boolean models, black box models); Analysis of Dependent Failures (intersystem dependencies, plant specific common cause, generic common cause, subtle interactions); Human Reliability Analysis (ASEP screening procedure, plant specific pre-accident and post-accident analysis); Data Base Development (plant specific data, generic data); Accident Sequence (SETS code, recovery actions); Uncertainty/Sensitivity Analyses (parameter value uncertainty, modeling uncertainty); Interpretation of Results.]

IV.2 Plant Familiarization

Prior to the initial plant visit, the Surry PRA team reviewed previous fault tree and event tree analyses applicable to Surry, the fault tree and event tree sections of WASH-1400, and the sections of the Surry FSAR applicable to the systems of interest. Preliminary event trees, system fault trees, and simplified system schematics were constructed and preliminary success criteria and dependency matrices were developed to identify specific areas where information was needed to develop accurate models. Based on these initial activities, a package was prepared and sent to the plant identifying the plant specific information and data that was required, and a sampling of generic and specific questions concerning system design and operation that had arisen due to our initial review. The following sections provide brief descriptions of the plant visit and the information obtained during the visit.

IV.2.1 Initial Plant Visit

A one week plant visit was arranged to meet with plant personnel. Among the many areas of discussion were plant and system modeling questions, collection of system design and operational information, discussion of transient sequence progressions, and the operators' responses to these events. The PRA plant visit team included a human factors specialist, a containment analyst, and a failure data specialist. During the visit the team had discussions with the Surry supervisor of System Safety, the Operator Training Coordinator, and the head of Human Performance Engineering. In addition, individual members of the PRA team talked with reactor operators, the Shift Technical Advisor, and members of the maintenance engineering staff. Discussions centered on gaining a clear understanding of the following items:

• The normal and emergency configurations and operation of the various systems of interest.
• System interdependencies.
• Design and operational procedure changes implemented at the plant within the last 5 years.
• Operational problem areas identified by plant personnel which might impact the analysis.
• The automatic and manual actions taken in response to various emergency conditions.
• The availability of plant specific operational data.

The emergency procedures which addressed actions identified by the PRA analysts as important actions were "walked through" with operations personnel. The following tables provide a summary of the information requested from the Surry personnel prior to the plant visit:

Table IV.2-1 identifies the plant specific information, drawings, and procedures requested based on the initial familiarization.

Table IV.2-2 identifies the information prepared by the PRA team prior to the plant visit which was to be reviewed for accuracy during the plant visit.

Table IV.2-3 presents a preliminary set of questions provided to the plant personnel prior to the plant visit.

Table IV.2-4 identifies the list of plant specific failure data requested.

Table IV.2-5 provides the preliminary list of events considered to require human reliability analysis for which information was required.

Table IV.2-6 identifies those areas in which the most up to date analytical results were desired.

IV.2.2 Information Obtained

A complete set of the current Surry P&IDs, wiring diagrams, and logic diagrams were provided by the Surry staff. Also, the Surry staff provided copies of the Surry Emergency Procedures, Abnormal Procedures, Emergency Contingency Action Procedures, Functional Restoration Procedures, current technical specifications, and several sections from the current revision of the Surry FSAR including the current list of equipment actuated by emergency safeguards signals, a list of emergency safeguards actuation functions, the list of major piping penetrations through containment, including line status, isolation requirements, post accident positions, etc., and safety injection control board indications. The Surry personnel also provided the analysis team with the requested plant specific failure data and insight into the operational philosophy at the Surry plant.

Table IV.2-1 List of Requested Information/Drawings/Procedures

PROCEDURES FOR THE FOLLOWING EVENTS

1. Loss of Station Power
2. Station Blackout
3. Reactor Coolant System Depressurization through Secondary Steaming
4. Loss of One AC Safety Bus (4160 V)
5. Loss of One DC Bus
6. Loss of Main Feedwater (MFW)
7. Loss of MFW and Auxiliary Feedwater (AFW) at One Unit (including procedures for feed and bleed or cross-connect of AFW between Units 1 and 2)
8. Turbine Trip
9. Loss of Component Cooling Water
10. Loss of Charging Pump Cooling Water System
11. Low Pressurizer Water Level
12. Loss of One 120 VAC Vital Bus
13. SIAS Actuation
14. Low or High Reactor Coolant System Pressure

ELEMENTARY WIRING DIAGRAMS

1. AC/DC Distribution System
2. Emergency AC (including DC power supply for diesel generator start)
3. SIAS
4. Consequence Limiting System

SIMPLIFIED LOGIC DIAGRAMS

1. Consequence Limiting System
2. SIAS
3. Diesel Generator Load Sequencers
4. AFW Initiation

Table IV.2-1 (Cont'd) List of Requested Information/Drawings/Procedures

LOAD LISTS FOR EMERGENCY BUS AND MOTOR CONTROL CENTER (AC & DC)

PIPING & INSTRUMENTATION DIAGRAMS

1. NSSS
2. Residual Heat Removal
3. Emergency Core Cooling Systems (LPI + HPI + ACC)
4. Containment Spray
5. Containment Recirculation Spray
6. SWS
7. Charging Pump Cooling System
8. MFW
9. AFW
10. Main Steam
11. Component Cooling Water System
12. Auxiliary Building Heating, Ventilation, and Air Conditioning (HVAC)
13. Turbine Building HVAC
14. Circulating Water System
15. Chemical Volume and Control System

LAYOUT DRAWINGS

1. Reactor Building
2. Auxiliary Building
3. Turbine Building

LIST OF POST-TMI MODIFICATIONS AT SURRY

Table IV.2-2 Information Prepared by the Surry PRA Team Prior to Plant Visit

A. System Success Criteria Matrix
   - Defines system success criteria for each initiating event

B. System Dependency Matrix
   - Identifies dependencies at the train level between front-line systems (HPI, CSI, AFW, etc.) and support systems (AC power, DC power, SIAS, etc.)

C. Simplified Schematics for the Following Systems:
   - High pressure injection/charging
   - Low pressure injection
   - Containment spray injection
   - Containment recirculation
   - Auxiliary feedwater
   - Charging pump cooling water system
   - Service water system

   These schematics will be indicative of the level of detail of the system models.

D. Preliminary Event Trees
   - Desire review of assumptions, sequence timing, and phenomenology

Table IV.2-3 Typical Questions on System Design and Operation

GENERAL QUESTIONS/INFORMATION

1. Normal and actuation position of all ECCS valves.
2. List of components actuated by each train of SIAS, CLCS, and CIS.

3. Pump cooling requirements for AFW, HPI, LPI, CSI, CR (room cooling, seal cooling, motor cooling, etc.).

SPECIFIC QUESTIONS

1. What function do the cooling coils on the LPI pump inlets provide (SIS Unit 1 Sheet 1), and are they required for pump operation?
2. What is the function of the line from the RWST supply line to the LPI pumps (3/4"-S1-55-153)?
3. How many emergency service water pumps are there; three for each unit or three total?
4. Are the batteries, fuel oil system, etc., for the emergency service water pumps dedicated?
5. For valves, which power is removed (e.g., MOV 1869B), how is it removed, and how easy is it to restore?
6. Is power removed from HPI valve MOV 1842?
7. What is the normal operating position of LPI valve MOV 1890C?
8. Is there an HPI cross-connect between Units 1 and 2?
9. What isolation signals does MOV 1370 seal injection valve receive?

Table IV.2-4 Components for Plant-Specific Failure Data

Component: Desirable Reliability Characteristics

Boron Injection Tank Isolation Valves: Cycles/Yr; Failures/Cycle; Potential Common Cause
Main Condenser Isolation Valves: Cycles/Yr; Failures/Cycle; Potential Common Cause
Diesel Generators: Outage Time for Test & Maintenance; Probability (Fail to Start); Probability (Fail to Run)
Emergency Service Water Pumps: Probability (Fail to Start); Probability (Fail to Run)
High Pressure Injection/Charging Pump: Probability (Fail to Run); Probability (Fail to Start)
Charging Pump Cooling Water Pumps: Probability (Fail to Run); Probability (Fail to Start)
AC/DC Buses: Probability (Short to Ground); Other Failure Types
Batteries: Probability (Unavailable on Demand)
Turbine-Drive Auxiliary Feedwater Pump: Outage Time for Test & Maintenance; Probability (Fail to Start)
Inside Containment Recirculation Pumps: Failure History (From Test)

Table IV.2-5 Events for Human Reliability Analysis

- Feed and Bleed
- Reactor Coolant System Depressurization by Secondary Steaming
- Cross-Connect of Auxiliary Feedwater from Unit 2
- Anticipated Transient Without Scram (Failure of Boration or Manual Scram)
- Switchover to High Pressure Recirculation for Small Loss-of-Coolant Accident
- Diesel Generator Sharing During Loss of Offsite Power
- DC Battery Test

Table IV.2-6 Request for Most Up-to-Date Analysis in Following Areas

- Anticipated Transient Without Scram
- Feed and Bleed
- Reactor Coolant System Depressurization Through Secondary Steaming
- Station Blackout (Battery Depletion Time and Auxiliary Feedwater Pump Cooling Requirement)
- Charging Pump Cooling Water Requirements
- Reactor Coolant Pump Seal Cooling Water Requirements (and Seal LOCA Sizes)

IV.3 Initiating Event Identification and Grouping

Initiating event identification and grouping were performed for Surry in accordance with the methodology in Reference. This task involved the identification of potential significant initiators at nuclear plants, identifying the applicability of them to the Surry plant, and grouping the initiators into categories based on similar plant response and similar success criteria for successful initiator mitigation.

The final list of initiating events used in the study, and their frequencies, are shown in Table IV.3-1. All of the initiators in the table, except interfacing LOCA (V), were evaluated using event tree analysis.

The evaluation process which resulted in the selection of these events is described in the following sections. Section IV.3.1 identifies the sources used to search for initiators, special initiators identified for Surry, and those initiators omitted from detailed evaluation in the study. Section IV.3.2 identifies success criteria, groups initiators, and develops frequencies for initiating event categories. Section IV.3.3 lists any pertinent assumptions inherent in the initiating event analysis. Finally, Section IV.3.4 presents the nomenclature used for initiating events.

IV.3.1 Initiating Event Identification

Table IV.3.1-1 lists the sources used to identify initiating event candidates. Each candidate in the source list was reviewed for its impact on plant operation. Initiators which caused a demand for automatic reactor trip were retained for further evaluation and grouping (e.g., loss of main feedwater, or loss of flow in one RCS loop). Initiators which would not be expected to lead to an immediate (less than 1 minute) reactor trip were retained for grouping or eliminated on the basis of equipment which was failed by the initiator. Initiators which failed front line or support systems, and could eventually lead to reactor shutdown, were generally retained for grouping. However, these were handled on an individual basis. Initiators which would not directly lead to a reactor shutdown were eliminated. Manual shutdowns for refueling or administrative reasons were not considered.

Initiators retained for event tree analysis were grouped into categories based on plant response and success criteria required for successful mitigation. The results of this activity are discussed in Section IV.3.2.

Some of the potential accident initiators were not analyzed by event tree analysis. The remainder of this section will discuss the disposition of those events. These are addressed in the following three categories:

1) special initiators which were not evaluated using event trees
   - high energy pipe rupture in AFW room
   - steam generator tube rupture
   - interfacing LOCA

2) events which are included in other initiators and therefore not explicitly modeled
   - low intake canal level
   - loss of a 120 VAC instrumentation bus

3) initiators which were important in other PRAs, but not included in this study
   - loss of the service water system
   - loss of component cooling water system
   - loss of instrument air

IV.3.1.1 Special Initiators

Three events at Surry were determined to be potentially important enough for further investigation, but ultimately were not evaluated using event trees.

1) High Energy Pipe Rupture in AFW Room:

The room at Surry which houses the AFW pumps also serves as a pass-through area for the main steam lines and the feedwater lines. In addition to the piping, the AFW room contains three MSIVs, three main steam non-return valves, fifteen steam generator atmospheric dump valves, three steam generator relief valves, one small decay heat relief valve and three main feedwater check valves. The concern is that rupture of a valve body or steam-water line could flood the room with steam and/or water, thereby failing all three AFW pumps.

This event would be functionally equivalent to a T3L sequence. Main feedwater would still be available and the AFW cross connect from unit 2 would still be available. None of the valves or pumps necessary for MFW at unit 1 or AFW at unit 2 are in the unit 1 AFW room.

The decision not to include this initiator in the study was based on comparison of the estimated frequency of valve rupture and the frequency of T3L. The frequency of T3 is about 7 for this study and event L is about 2E-4. T3L is therefore on the order of 1E-3/yr.

The frequency of valve or pipe rupture is estimated to be on the order of 3E-5/yr, even though there are 25 valves in the room. A large enough break must be postulated so that all three AFW pumps fail due to flooding or overheated environment. The AFW pumps are at the bottom of the room and the steam lines are at the top. An incident during the early years of plant operation resulted in a steam release to the room; however, it was not enough to heat up the lower portions of the room. The frequency of severe valve/pipe rupture was estimated as follows:

   R = (25 valves x 1E-10/hr + 6 pipe segments x 1E-10/hr) x 8760 hr/yr ≈ 3E-5/yr

The frequency of this event is judged to be small compared to other sequences of events which result in the same systemic failure state and which were evaluated in the study (e.g. T3L sequences). Steam line or FW line rupture in the AFW room was therefore not explicitly included in the quantification.

2) Steam Generator Tube Rupture (SGTR):

Steam generator tube rupture was examined for possible inclusion in the study. Based on the results of the screening, SGTR was not included as an initiating event. SGTR is thought to be a significant risk source only in sequences where core damage occurs and a steam generator relief valve fails open, thereby establishing an open path from the core to the environment. This produces a sequence with a source term equivalent to an interfacing LOCA. Since the SG atmospheric dump valves at Surry are equipped with block valves, the only valves of concern (with respect to creating a non-isolable path to the environment) are the safety valves.

SGTR at Surry was screened to estimate the frequency of core damage sequences with stuck open safety valves, compared to the frequency of interfacing LOCA. The expected scenario for SGTR is to depressurize the primary side until inventory loss is minimized, and then cool down and go on RHR cooling. In order for SGTR to lead to core damage, HPI or AFW must be unavailable. The events which must happen to produce the risk significant sequence mentioned previously are:

   SGTR x (Fail HPI or Fail AFW) x SG-SV demand x SG-SV fail open

The probability of this sequence is evaluated as follows:

   SGTR = .02/yr, based on review of the following PRAs: Oconee NSAC, Millstone-3, Seabrook, Indian Point.
   HPI fail = 7E-4, based on sequence S2D.
   AFW fail = 2E-4, based on fault tree analysis, Section IV.4.
   SG-SV demand = .1, based on procedures in place at Surry which call for depressurizing the faulted SG, which will minimize demand for safety valves.
   SG-SV fail open = 5E-3, based on PWR generic data.

The probability of this sequence is therefore 9E-9 per year, which is 100 times less than the frequency for event V, which has a similar source term.
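The two screening estimates above (AFW-room rupture against T3L, and SGTR with a stuck-open safety valve against event V), carried through in Python as an added example that is not part of the original report. The rates and probabilities are the report's; the function names, the independence assumed in the OR gate, the per-hour unit of the rupture rates (inferred from the 8760 hr/yr factor), and the factor-of-10 screening margin are assumptions of this example.

```python
"""Screening arithmetic of Section IV.3.1.1 (added example, not report code)."""
from math import prod

HOURS_PER_YEAR = 8760  # conversion factor used in the report's rupture estimate


def annualize(counts_and_hourly_rates):
    """Sum (component count x hourly rate) terms and convert to events/yr."""
    return sum(n * rate for n, rate in counts_and_hourly_rates) * HOURS_PER_YEAR


def p_any(probs):
    """Exact OR of independent failures: 1 - product of survival probabilities."""
    return 1.0 - prod(1.0 - p for p in probs)


def sequence_frequency(initiator_per_yr, conditional_probs):
    """Initiator frequency times each conditional failure probability."""
    return initiator_per_yr * prod(conditional_probs)


def screen(candidate_per_yr, reference_per_yr, margin=10.0):
    """Compare a candidate with a modeled sequence of similar consequence.

    Returns (ratio, screened_out). The margin is an assumed threshold; the
    report only states that the candidate is small compared to the reference.
    """
    ratio = reference_per_yr / candidate_per_yr
    return ratio, ratio >= margin


def afw_room_rupture():
    """High energy pipe/valve rupture in the AFW room versus T3L."""
    # 25 valves and 6 pipe segments, each at 1E-10 per hour (report values).
    rupture = annualize([(25, 1e-10), (6, 1e-10)])
    # Reference: T3 at 7.3/yr (Table IV.3-1) with AFW failure L of about 2E-4.
    t3l = sequence_frequency(7.3, [2e-4])
    ratio, out = screen(rupture, t3l)
    return {"candidate": rupture, "reference": t3l,
            "ratio": ratio, "screened_out": out}


def sgtr_with_stuck_open_safety_valve():
    """SGTR x (HPI fails OR AFW fails) x SG-SV demand x SG-SV fails open."""
    hpi_or_afw = p_any([7e-4, 2e-4])  # independence is an assumption here
    sequence = sequence_frequency(0.02, [hpi_or_afw, 0.1, 5e-3])
    event_v = 1.0e-6  # interfacing LOCA mean frequency per year (report value)
    ratio, out = screen(sequence, event_v)
    return {"candidate": sequence, "reference": event_v,
            "ratio": ratio, "screened_out": out}


if __name__ == "__main__":
    for name, result in (("AFW room rupture vs T3L", afw_room_rupture()),
                         ("SGTR with stuck-open SV vs V",
                          sgtr_with_stuck_open_safety_valve())):
        print(f"{name}: candidate {result['candidate']:.1e}/yr, "
              f"reference {result['reference']:.1e}/yr, "
              f"ratio {result['ratio']:.0f}, "
              f"screened out: {result['screened_out']}")
```

The exact OR gate and the rare-event sum (7E-4 + 2E-4) differ only in the fourth significant figure here, which is why the report's rounded 9E-9 per year is reproduced either way.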

3) Interfacing LOCA

Interfacing LOCAs were included in the study and were quantified as an initiating event. However, because they are assumed to lead directly to core damage without the presence of any additional failures, it was not necessary to evaluate these events through the use of event trees. Interfacing LOCAs were evaluated in a similar manner to that done in WASH-1400. The calculated mean frequency was found to be 1.0E-6/yr.

IV.3.1.2 Events Included in Other Events

1) Low Intake Canal Level

The service water system at Surry is a free flow, gravity fed system which depends on a differential water level between the intake canal and discharge canal to provide the driving head for service water flow. The intake canal is approximately 1-1/2 miles long and normally contains 45 million gallons of water. The normal height differential between the intake and discharge canals is about 27 feet. Eight circulating water pumps of 210,000 gpm each constantly supply water to the canal. The major load on the canal during plant operation is the condenser cooling requirements, which account for approximately 1.6E+6 gal/min if both units are generating at full power. Should the canal have insufficient water inventory, the plant ultimate heat sink would be unavailable.

Insufficient canal level (as an occurrence) was investigated to determine if it should be an initiating event. It was concluded (as described below) that the only identifiable event with any significant frequency which could lead to insufficient canal level is a station blackout (loss of all AC power). Therefore, insufficient canal level was included as a possible occurrence during station blackout, but was not considered as an initiating event.

During normal operation, a balance is maintained in the canal between the circulating water pump supply and the condenser discharge. Other loads in the canal are minimal compared to these cooling requirements. Emergency service water pumps of 45,000 gpm capacity are provided. This capacity matches the safety related loads.

During normal operation, if the canal level drops below 18 feet (from a usual 27 feet), the turbines and reactors at both units will receive trip signals, and the condenser waterboxes will be isolated (supplied by 1E power). Therefore, any postulated failure during normal operation which alters the canal balance would be terminated when the canal level reached 18 feet. Failure to isolate one or more of the condensers would cause continued canal out-flow, but consideration of overall effect on canal level must include the amount of inflow available from the circulating water pumps. The residual level in the canal would be sufficient to supply safety related loads for about 16 hours even if the ESW pumps were not available. This set of circumstances is a minor contributor to a turbine trip initiating event category, but does not represent a unique systemic failure state of the plant.

Failure to isolate the waterboxes upon low canal level was a low-probability event, for the case when canal in-flow was available (i.e. offsite power available). Insufficient canal level was therefore not considered an initiating event, but was addressed in the context of station blackout.

2) Loss of a 120 VAC Instrumentation Bus

Surry has four vital instrumentation buses. Two vital buses are supplied through inverters from DC buses, and two are supplied by 480VAC buses through sola transformers. It was determined (based on the relative reliability of inverters and solas) that the buses supplied by the solas were more likely to lose power than the buses supplied through the inverters, and thus they became candidates for initiating events. Loss of any one bus would cause inadvertent turbine runback and would potentially cause reactor trip due to the inability to control all reactor parameters within trip limits without one vital bus. However, loss of a single vital bus would not cause the unavailability of any ECCS equipment. Loss of only one vital bus is therefore a minimal contributor to the turbine trip event category.

Loss of a 4160VAC or 480VAC bus (which are covered in another IE category) will cause loss of a vital bus.

IV.3.1.3 Potential Initiators Not Important at Surry

1) Loss of Service Water System

The SWS at Surry is represented by the intake canal and the piping necessary to service each cooling load. The SWS is primarily a free-flow gravity fed system, but some cooling loads (such as HPI cooling) require pumps. Service water pumps and valves were modeled with their associated heat exchangers in other system models. SWS, in effect, was reduced to canal inventory. Therefore, loss of SWS can only be caused by low canal level, which is discussed in Section IV.3.1.2.

2) Loss of Component Cooling Water

Loss of CCW at Surry will cause loss of cooling to the reactor coolant pump (RCP) motors and RCP thermal barriers and eventually lead to loss of instrument air. It will not cause an automatic reactor trip, but will necessitate reactor shutdown due to the required tripping of the RCPs upon loss of cooling.

Loss of CCW does not directly fail MFW or any other system required to respond to a transient. Loss of CCW does not fail any critical safety functions. Therefore, loss of CCW was not included as an initiator.

3) Loss of Instrument Air

There are two instrument air systems at Surry, one for outside containment and one for inside containment.

Loss of outside instrument air will cause:

- MSIV closure
- CCW to containment is isolated
- Lo-Lo SG level signal
- Main feed regulator valve closure
- Lo-Lo canal level signal
- TDAFWP steam admission valve will open

These events will result in the following:

- RCPs will be tripped (manually)
- Reactor trip due to MSIV closure or SG lo-level
- Loss of MFW
- CCW to RCP thermal barrier lost
- TDAFWP will start

Loss of outside IA is therefore equivalent to a systemic failure state represented by T2, with the additional failure of component cooling water (i.e., T2W). Event W is considered on the T2 event tree and, in fact, loss of instrument air is a cause included in W. Loss of IA sequences are therefore included in T2W sequences.

Loss of containment instrument air will interrupt air supply to air operated valves inside containment. The only air operated valves inside containment of interest to this study are the PORVs. These valves are supplied with nitrogen bottles to provide motive force in the event IA is lost. It was decided that loss of containment air would not cause a direct reactor trip, nor fail any systems of interest in this study.

Table IV.3-1 Initiating Event Categories Used in the Surry PRA Update

Abbreviation   Description                                 Frequency* (/yr)
T1             Loss of Offsite Power                       7.0E-2
T2             Transients with Loss of MFW                 9.4E-1
T3             Transients with MFW Initially Available     7.3
T4H            Non-Recoverable Loss of 480 VAC Buses H     9.0E-3
T4J            Non-Recoverable Loss of 480 VAC Buses J     9.0E-3
T5A            Non-Recoverable Loss of DC Bus A            9.0E-4
T5B            Non-Recoverable Loss of DC Bus B            9.0E-4
T6             Loss of Charging Pump Cooling               3.0E-2
A              Large LOCA, 6" - 29"                        5.0E-4
S1             Medium LOCA, 2" - 6"                        1.0E-3
S2             Small LOCA, 1/2" - 2"                       1.0E-3
S3             Very Small LOCA, less than 1/2"             2.0E-2
V              Interfacing LOCA                            1.0E-6

* Mean Values

Table IV.3.1-1 Sources of Initiating Event Candidates

1. Search of LERs at Surry Unit 1 and Unit 2 from 1979 to 1985.
2. NUREG/CR-3862,(12) Development of Transient Initiating Event Frequencies for Use in PRA, May 1985.
3. List of Subtle Interactions Supplied by SANDIA.
4. Questions during plant familiarization trip.
5. Review of past PRAs on PWRs.
6. List of Potential Initiators from ASEP Methodology Group.

IV.3.2 Initiating Event Grouping

The initiating event grouping process started with the grouping of initiators based on plant response and systems initially unavailable. Then, success criteria were identified for each initiating event group. Finally, success criteria for each group were verified to be applicable to each initiator assigned to that group.

The final set of transient initiating event groups and their characteristics are shown in Table IV.3.2-1. A similar grouping for LOCA initiators is shown in Table IV.3.2-2. A comparison of the success criteria for each initiating event group revealed that some groups had identical success criteria. Although the initiators had various impacts on the ability of systems to meet these success criteria, the criteria themselves were the same. Success criteria for initiating event groups are shown in the following tables.

T1, T2, T4H, T4J, T5A, T5B    Table IV.3.2-3
T3                            Table IV.3.2-4
T6                            Table IV.3.2-5
S3                            Table IV.3.2-6
S2                            Table IV.3.2-7
S1                            Table IV.3.2-8
A                             Table IV.3.2-9

Success criteria and event trees were developed for two additional "events", those being ATWS and seal LOCA caused by loss of seal cooling. Although these events are unique occurrences with special requirements for mitigating functions, they are not true "initiators" in that they are not the result of a single event. ATWS is discussed in Section IV.10 and seal LOCAs due to loss of seal cooling are discussed in Section IV.4.9.

IV.3.3 Assumptions Made in Initiation Event Selection

Assumptions which apply only to selection of initiating events are shown in Table IV.3.3-1. Some assumptions used in the event tree analysis may indirectly impact initiating event identification. The complete list of event tree assumptions appears in Section IV.4.1.

Table IV.3.2-1 Transient Initiating Events

T1 (Loss of Offsite Power)
   Representative initiators included in category: Failure of Offsite Power Grid; Loss of Station Reserve Power; Loss of Power to the Switchyard
   Annual frequency (mean value): 7.0E-2
   Comments: This group constitutes initiators which interrupt the offsite power source to the 4160V plant buses. Frequency derived from NUREG 1032.

T2 (Loss of Main Feedwater)
   Representative initiators included in category: Failure of Main FW; Hi SG Water Level; Inadvertent SI (trip)
   Annual frequency (mean value): 9.4E-1
   Comments: This group constitutes initiators which either isolate the MFW pumps or cause a failure in the hotwell - MFW flow path. See Note 1. Frequency derived from Surry specific data listed in NUREG/CR-3862.(12)

T3 (Turbine Trip With MFW Available)
   Representative initiators included in category: Turbine Trip; Reactor Trip; Loss of Load; MSIV Closure; Loss of Turbine Control
   Annual frequency (mean value): 7.3
   Comments: This group constitutes all initiators which cause reactor trip but do not fail MFW or any other front line or support system. See Note 2. Frequency derived from Surry specific data listed in NUREG/CR-3862.(12)

T4H, T4J (Loss of 480V Bus)
   Representative initiators included in category: Short on 4160V Bus; Short on 480V Bus; Failure of 4160/480V Transformer
   Annual frequency (mean value): 9E-3
   Comments: Initiator is assumed to be a nonrecoverable loss of 480V bus. See Note 3. Annual frequency derived by assuming hourly failure rate of 1E-6/hr for transformer failure.

T5A, T5B (Loss of a DC Bus)
   Representative initiators included in category: Short on DC Bus
   Annual frequency (mean value): 9E-4
   Comments: Initiator is non-recoverable. See Note 4. Annual frequency derived by assuming hourly failure rate of 1E-7/hr for bus short.

T6 (Loss of Charging Pump Cooling)
   Representative initiators included in category: Loss of Charging Pump CC; Loss of Charging Pump SW
   Annual frequency (mean value): 3E-2
   Comments: Failure to provide SW to the charging pump oil coolers or flow through the seals is assumed to cause unavailability of the charging system within about 10 minutes. Automatic reactor trip is expected to occur. Manual shutdown will occur soon after shutdown of the charging pump system. Frequency derived from comparison of generic data in NUREG-3862 with plant specific data in LER search.

NOTES TO TABLE IV.3.2-1

1. Surry has electric driven MFW pumps. It was assumed that MFW would be available at Surry for many initiators such as MSIV closure, loss of turbine bypass, etc., which would fail MFW at plants with turbine driven MFW pumps.
2. At Surry, any reactor trip above 50% power will cause the MFW regulating valves to close. FW mini-flow lines to the condenser will open, while the FW pumps stay on. AFW will start on lo-SG level. If AFW starts successfully, operator will secure MFW. If AFW does not come on, operator can feed SGs with MFW pumps by opening FRV bypass (4" line). MFW pumps are electric driven.
3. There are two 480V second level buses (1H and 1H1) per power train. Failure of a 4160V bus will fail power to both 480V buses. A survey of the following data bases was made to identify failure probabilities for transformers and buswork: IEEE, Oconee, Zion PRA, Indian Point PRA, and Millstone-3 PRA. Failure probabilities for buswork ranged from 6E-7/hr in the Oconee NSAC study to 4E-9/hr in IEEE-500. The median of the surveyed values is approximately 1E-7/hr. The values for transformer failures ranged from 3E-6/hr in the Millstone-3 PRA to 5E-7/hr in IEEE-500. The median of the surveyed values is approximately 1E-6/hr. Failure rate associated with 4160V bus is 1.0E-7/hr (9E-4/yr). Failure of a 4160/480V transformer will fail one 480V bus and has a frequency of 1.0E-6/hr associated with it. It was conservatively assumed that short of one 4160/480V transformer would fail both 480V buses due to opening of the common circuit breaker. Until the short is repaired, both 480V buses are assumed unavailable. Surry has no cross ties of lower level buses; therefore, all buses being fed from the affected 4160V or 480V bus are lost. Initiator will be evaluated for loss of H or J bus. Reactor will likely trip due to loss of vital instrumentation bus. Buses lost as a result of the 4160V bus loss are as follows:

   H bus                              J bus
   480 VAC 1H                         480 VAC 1J
   480 VAC 1H-1                       480 VAC 1J-1
   480 V MCC 1H1-1, 1H1-1A, 1H1-2     480 V MCC 1J1-1, 1J1-1A, 1J1-2
   120 VAC VB 1-IV                    120 VAC VB 1-1

   Loss of one vital bus will cause an automatic turbine runback. Plant personnel indicated that if this occurred at 100% power, the probability of keeping the reactor on line was small.

4. Loss of DC bus will cause loss of all switchgear at associated 4160V and 480V buses. Switchgear breakers are failed as is, so pumps that are running are assumed to continue to run (i.e., charging pump and CCW). A vital instrumentation bus will be lost, causing turbine runback. Loss of a DC bus will cause reactor trip and a half SI signal (but pumps on affected buses will not activate).

   Failure probability derived by assuming IE is caused by a short in the bus work. Shorts in the loads or interruptions in power were not included. These events are generally recoverable in a very short period of time.

Table IV.3.2-2 LOCA Initiating Events

A
   Representative initiators included in category: Large LOCAs
   Annual frequency (mean value): 5E-4
   Comments: Large LOCAs, equivalent diameter greater than 6 inches.

S1
   Representative initiators included in category: Medium LOCAs
   Annual frequency (mean value): 1E-3
   Comments: Medium LOCAs, equivalent diameter between 2 and 6 inches.

S2
   Representative initiators included in category: Small LOCAs, Open PORVs
   Annual frequency (mean value): 1E-3
   Comments: Small LOCAs, equivalent diameter between 2 inches and 1/2 inch. Includes inadvertent open PORVs.

S3
   Representative initiators included in category: Very Small LOCAs, Spontaneous Seal LOCAs
   Annual frequency (mean value): 2E-2
   Comments: Very small LOCAs, less than 1/2 inch equivalent diameter, including LOCAs initiated by random failure of one RCP seal.

All frequencies were developed based on a survey of frequencies used for similar events in past PWR PRAs.

Table IV.3.2-3 T1, T2, T4, T5 Transient Success Criteria Summary Information

INITIATOR: T1 - LOSP; T2 - LOSS MFW; T4 - LOSS 480V AC BUS; T5 - LOSS DC BUS

REACTOR SUBCRITICALITY: RPS

CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (in Feed and Bleed)

RCS INTEGRITY: 1/3 Charging Pump in Seal Injection and PORV Reclose (if opened) OR CCW to RCP Thermal Barrier in all RCP and PORV Reclose (if opened)

CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX

CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR

CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX

COMMENTS:
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS pressure relief required if scram. However, PORV may open.
6. Failure of RCS integrity goes to S2 or seal LOCA tree, as appropriate.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.

Table IV.3.2-4 T3 Transient Success Criteria Summary Information

INITIATOR: Turbine Trip with MFW available, T3

REACTOR SUBCRITICALITY: RPS

CORE HEAT REMOVAL, EARLY: 1/3 AFWP OR 1/2 MFW OR 1/3 Charging Pump and 2 PORVs Open (in Feed and Bleed)

RCS INTEGRITY: Any Open PORVs Reclose ELSE Transfer to S2 Event Tree. RCP Seal Integrity: 1/3 Charging Pump in Seal Injection Flow OR CCW to Thermal Barrier of All RCPs

CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX

CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR

CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX

COMMENTS:
1. PORVs challenged at rate of 1/70 transients for T3.
2. Comments 1-7 for T1 apply to this initiator.
3. Core heat removal, late and containment atmospheric heat removal are required only when feed and bleed is demanded or RCS integrity is lost.

Table IV.3.2-5
T6 Transient Success Criteria Summary Information

INITIATOR: LOSS Charging Pump Cooling, T6

REACTOR SUBCRITICALITY: Control Rod Insertion via Manual Initiation
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pump OR 1/2 MFW Pump
RCS INTEGRITY: CCW to Thermal Barrier of all RCPs
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX
CORE HEAT REMOVAL, LATE: See Comments
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX

COMMENTS
1. #3, 4, 7 in T1 apply.
2. Manual shutdown assumed.
3. No PORV demand for this transient.
4. Core heat removal, late is not available due to failure of [illegible]

Table IV.3.2-6
Very Small LOCA Success Criteria Summary Information

INITIATOR: Very Small LOCA, S3

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 Charging Pump and 1/3 AFW Pump OR 1/3 Charging Pump and 2 PORVs Opened
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION: See Comment 5
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR OR 1/3 AFW and 1/3 Charging Pump and 1/2 LPR
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX

COMMENTS
1. Failure of RPS transfers to ATWS tree.
2. For S3, it was assumed that if AFW and charging flow were available, the operators could depressurize RCS and go on closed cycle cooling before the RWST was emptied, thereby eliminating the requirement for recirculation.
3. If containment fan coolers are available it was assumed that spray actuation set point would not be reached.
4. RCS integrity is lost as a result of the initiator.
5. Containment pressure suppression not required in the early time frame.

Table IV.3.2-7
Small LOCA Success Criteria Summary Information

INITIATOR: Small LOCA, S2

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 Charging Pump and 1/3 AFW Pump OR 1/3 Charging Pump and 1 PORV Opened
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION: See Comment 3
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR OR 1/3 AFW and 1/3 HPR and 1/2 LPR
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX

COMMENTS
1. Failure of RPS transfers to ATWS tree.
2. RCS integrity is lost as a result of the initiator.
3. Containment pressure suppression is not required in the early time frame.

Table IV.3.2-8
Medium LOCA Success Criteria Summary Information

INITIATOR: Medium LOCA, S1

REACTOR SUBCRITICALITY: Not Required
CORE HEAT REMOVAL, EARLY: 1/3 Charging Pump and 1/2 LPI and 2/3 ACC
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX
CORE HEAT REMOVAL, LATE: 1/2 LPR and Switch injection point to hot leg at 16 hr.
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX

COMMENTS
1. 1/2 injection lines adequate for LPI.
2. 2/3 injection lines adequate for HPI.
3. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
4. RCS integrity is lost as a result of the initiator.

Table IV.3.2-9
Large LOCA Success Criteria Summary Information

INITIATOR: Large LOCA, A

REACTOR SUBCRITICALITY: Not Required
CORE HEAT REMOVAL, EARLY: 1/2 LPI and 2/2 ACC
RCS INTEGRITY: See Comments
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX
CORE HEAT REMOVAL, LATE: 1/2 LPR and Switch Injection Point to Hot Leg at 16 hr.
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX

COMMENTS
1. Injection of LPI into one RCS loop was considered sufficient.
2. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
3. RCS integrity is lost as a result of the initiator.

Table IV.3.3-1 Initiating Event Assumptions

1. All initiators are assumed to originate at high power operation. However, during the ATWS quantification, it was desirable to introduce a split fraction for high power, low power events.
2. Initiators from shutdown were not included.
3. Manual shutdowns for administrative reasons or refueling were not included.
4. Offsite power was assumed to be available for all events except T1.
5. Overcooling transients were not evaluated as a special class of events, with unique mitigation requirements.


IV.4 Event Tree Analysis

The initiating event identification and grouping process was previously described in Section IV.3. Table IV.3-1 presents the list of initiators used in the study.

This section presents and discusses the event tree analysis which was performed for the Surry study. Seven distinct event trees were constructed for Surry. Some of the event trees were evaluated several times for different events. In addition to the seven event trees constructed to evaluate initiating events, three event trees were constructed to evaluate special situations. These are the ATWS tree, the seal LOCA tree and the station blackout tree. The ATWS tree is presented and discussed in Section IV.10. The seal LOCA tree was developed to model recovery actions after occurrence of a seal LOCA due to loss of all seal cooling. The seal LOCA tree was used to evaluate only sequences with AC power available. The station blackout event tree was developed to facilitate modeling of recovery of AC power. Seal LOCAs occurring during station blackout are treated within the station blackout tree.

Section IV.4.1 discusses the general limitations and assumptions inherent in all of the event trees. Section IV.4.2 discusses the development of plant damage states. Sections IV.4.3 through IV.4.14 present and discuss the event tree for each initiating event, the seal LOCA tree and the station blackout tree. Finally, the last section presents the nomenclature used in the event tree analysis.

IV.4.1 Event Tree Assumptions

This section discusses the event tree development process which was used for this study. Also included in this section is a listing of assumptions used in the event tree development and a discussion of the event tree plant damage state interface.

This study used the small event tree-large fault tree approach for accident sequence definition. A functional event tree was not utilized for this study. Instead, a review of Surry transient response and a review of past PRAs of similar reactor types were used to identify the event tree headings necessary to model all reactor functions. Success criteria were developed based on a review of past PRAs, as well as plant specific analyses, and current Battelle and SANDIA analyses. The core damage sequences were grouped into plant damage states, which became the starting point for containment analysis found in Reference 16.

Development of the plant damage states is discussed in Section IV.4.2. Because full coverage of all plant damage states was desired for risk prediction, containment system status was evaluated for each core damage sequence.

The general assumptions used in the event tree analysis are shown in Table IV.4.1-1. Additional assumptions which were unique to the development of a specific event tree are included in that particular event tree section.

IV.4.1.1 Modeling of Interactions Between Containment Systems and ECC Systems

Operability of ECC systems may depend on containment integrity and the operability of the containment systems. The dominant dependency is through the ECCS need for water inventory in the sump. In order to preserve inventory, the containment must perform a steam confinement and steam condensing function. Past PRAs used deterministic systemic criteria to model interactions between containment systems and ECCS, i.e., loss of all safety grade systems which provide containment heat removal will lead to containment failure due to overpressure, which would lead to core damage through failure of ECC systems.

This study modified the traditional approach in two ways: First, indirect, passive, and non-safety grade means of heat removal were considered in setting success criteria to prevent containment failure. Second, dependencies between containment failure and ECC failure were treated probabilistically. Best estimate success criteria for containment heat removal were developed. These were incorporated into the success criteria for the event trees. Accidents resulting in loss of containment heat removal were identified as "core vulnerable states". A "core damage factor" was included in these sequences to account for the percentage of these sequences which were considered to result in core damage. The factor for Surry was calculated in Reference 16. The frequencies of the plant damage states include this factor.

Table IV.4.1-1
Event Tree And Success Criteria Assumptions

1. ATWS events are treated by a separate event tree. ATWS success criteria are treated in a separate table.

2. All successful sequences are carried to the point where stable hot shutdown conditions exist or stable long-term cooling conditions exist. In general, sequences were terminated at 24 hours.

3. No RCS inventory makeup is required if RCS integrity is maintained. This implies that normal pressurizer water level is sufficient to accommodate RCS inventory shrinkage from full power to hot shutdown, or if any inventory makeup is required, the probability of failing to provide it is negligible.

3a. No boration of the reactor is required if hot shutdown temperatures and RCS integrity are maintained.

4. RCS pressure/volume control via heaters, sprays, normal makeup and let-down is not addressed.

5. CCW to the thermal barrier in the RCP lower bearing or RCP seal injection flow is sufficient to prevent an RCP seal LOCA.

6. Operator must initiate feed and bleed by opening HPI injection valves to cold legs and connecting pump suction to RWST. An automatic actuation signal will not necessarily occur in TML-type sequences.

7. During transients with scram, primary pressure relief is assumed to never be required. This means the SRVs (code safeties) are never required to open. However, pressure may rise to PORV setpoints, thus prompting a PORV opening. Should this happen, there is a requirement for the PORV to reclose or be isolated in order to maintain RCS integrity.

8. PORV demand probabilities were used as follows:

   Transients from high power with loss of an AC or DC power bus - demand probability = 1.0
   Transients from high power with all instrumentation and power buses operable - demand probability = 0.014
   Transients from low power - demand probability = 0.0
   Manual shutdowns - demand probability = 0.0

   The derivation of PORV demand rate for various transients was based on operating experience with Westinghouse reactors, as reported in WCAP-9804. T2 and T3 type transients are common enough that it was possible to get sufficient PORV opening data to estimate a demand rate. For these transients, a demand rate of 0.014/transient was used. T1, T4, and T5 transients were of particular interest because they represent failure of electrical buses. These transients cause loss of an instrumentation bus as well as disable various pumps and valves. For T1, T4, and T5 type transients, very little data exists, and it was difficult to postulate a demand rate based on actual data. Therefore, a value of 1.0/transient was used for T1, T4, and T5 initiators. This is a conservative estimate which reflects the fact that these initiators are likely to partially disable pressure control systems such as pressurizer sprays, heaters, and control, which would increase the likelihood of PORV opening. In addition, plant personnel indicated the SG ADVs are isolated approximately 90% of the time. Isolation is by means of a manual, locally operated valve. This constraint would increase the difficulty of RCS pressure control.

9. Non-isolable stuck open PORV sequences are transferred to the S2 LOCA tree.

10. Switchover to HPR with containment heat removal provided by sprays is required for long term heat removal after feed and bleed. This derives from a) requirement for long-term heat removal and b) non-safety grade RHR system at Surry. Emergency procedure FRP-H.1 calls for HPR after feed and bleed.

11. Success of the containment spray system is not required to provide containment pressure suppression, containment heat removal, or containment sump water inventory. Analysis showed that blowdown and continued steaming from the RCS, natural condensation processes and the non-safety grade fan coolers would provide sufficient sump inventory for operation of the recirculation spray system, for all size LOCAs.

12. During the injection phase, ISR and OSR pumps need subcooling of their pump suctions in order to provide adequate NPSH. If suction water cooling is not available, the pumps are assumed to fail. ISR suction subcooling is provided by diversion of ISR flow downstream of the heat exchanger. OSR suction subcooling is provided by diversion of flow from the CSS.

13. Plant personnel indicated that VEPCO performed "safety-grade" analysis (21) which showed that only one train of the recirculation sprays (i.e., one outside train or one inside train) is necessary to provide containment heat removal. One spray train is not sufficient to meet 10CFR100 criteria, but it will prevent containment overpressure. The one spray train criteria was used in the event tree models. If ISR succeeds, OSR is not required. In addition, OSR requires CSS during the early phase in order to meet suction subcooling NPSH requirements. If CSS fails, OSR is not available.

14. Surry personnel indicated that MFW regulating valves close after virtually all transients above 50% power due to plant control logic. The MFW pumps (electric-driven) remain running, and MFW is available to the operator if AFW fails.

15. Understanding of events subsequent to loss of a DC bus is:

   a) Loss of DC bus causes loss of switchgear at the associated 4160 V AC and 480 V AC buses,
   b) Loss of one DC bus disables one train of CLS Hi-Hi,
   c) Loss of one DC bus causes false CLS Hi, which causes one train of SIAS to actuate, and
   d) Loss of one DC bus causes reactor trip without PCS.

   b) Loss of one vital bus will cause turbine runback and was assumed conservatively to lead to turbine trip, and
   c) MFW is assumed unavailable due to loss of one vital instrument bus.

16. Loss of charging pump cooling water system will lead to manual shutdown which was assumed to not result in PORV opening.

17. ISR and OSR trains were modeled to include the heat exchanger and service water to the heat exchanger. ISR and OSR start removing heat 2 and 5 minutes after a CLS Hi-Hi. In order for ISR pumps to have adequate NPSH in the early time-frame, service water must be available to the associated ISR heat exchanger. In order for OSR pumps to have adequate NPSH in the early time-frame, CSS must operate.

18. Accumulators were assumed required for S1 because analysis could not be found to prove otherwise. However, the large LOCA assumption that one accumulator discharge is lost out the break is not assumed for S1.

19. In instances where seal injection flow is unavailable, it is assumed that feed and bleed is also unavailable, because both functions depend on HPI system.

20. If loss of all feedwater occurs, feed and bleed operation must be utilized. Because this violates RCS integrity, seal cooling and seal LOCA questions are not asked.

21. Cross-connect of any system from Unit 2 (except HPI in seal LOCA tree) is treated in the recovery analysis.

22. After reactor trip, MFW regulating valves are expected to close. AFW will receive signal to start on low SG water level. Procedures and plant personnel indicate that AFW is the preferred source of SG inventory. AFW therefore appears on the event tree before MFW (i.e., PCS).

23. Mitigation requirements associated with RCS overcooling are not addressed.

24. Seal LOCAs as initiating events, caused by local faults in one seal are included in the S3 initiator. The charging pump system is assumed available at the time of the initiator. In these sequences, the seal LOCA is the initiating event. It was assumed that an S3 initiator would never reach the recirculation phase if AFW and charging flow were available. The break flow for this size LOCA is small enough that containment sprays will not come on. Charging flow is the only drain on the RWST. The S3 scenario assumes the reactor would be depressurized, cooled down and put in the closed cycle cooling mode before the RWST is empty, if AFW and HPI are available.

25. The seal LOCA event tree is used to evaluate sequences from other event trees which are characterized by loss of seal injection flow and seal cooling to all RCPs. These sequences are labeled "seal LOCA vulnerable" by the other event trees and became initiators for the seal LOCA tree. If seal injection flow is not supplied from Unit 2, it is assumed that all three RCP seals will fail.

26. Entry into seal LOCA tree is contingent on some source of SG inventory being available; either AFW or MFW.

27. For S1 scenario, the RCS pressure at the time of recirculation is low enough that the LPR system is capable of recirculation. This is related to the requirement for accumulators in S1 (see #18). It was assumed that if the break was large enough to depressurize below the accumulator injection point (600 psig) during the initial phase of the LOCA, the RCS would be sufficiently depressurized for LPR operation by the time recirculation was required.

28. For large LOCAs the CSS provides a containment pressure reduction function and is a source of sump water which is required for recirculation spray operation. However, Battelle analysis has shown that in large LOCAs, the naturally occurring condensation processes in the containment are sufficient to maintain containment pressure below the yield point (yield point was used as success criteria rather than design pressure) until recirculation sprays come on.

29. The event tree analysis considered sequences with containment failure during the recirculation phase of a LOCA to be a core vulnerable state. A "core damage" factor was included in these sequences which represents the probability that containment failure would lead to core damage. The mechanisms through which this can occur are:

   • Loss of sump inventory due to flashing at containment failure or long term evaporation.
   • Insufficient NPSH due to loss of subcooling.
   • Rupture of system piping due to hydrodynamic or mechanical forces during containment failure.

   Analysis performed in support of the containment event tree (16) calculated the factor to be 0.022, with an error factor of 2.

IV.4.2 Plant Damage State Definition

Each sequence was assigned to a plant damage state, based on four factors:

   • RCS Integrity
   • RWST Injected into Containment
   • Containment Heat Removal Available
   • Containment Sprays Available (for radioactivity removal)

Each of these is discussed below:

A. RCS Integrity

For purposes of containment analysis, it is important to know the reactor coolant system pressure at the time of vessel failure. The vessel failure referred to is that caused by core melting. The RCS pressure was treated as an RCS integrity issue in this analysis. Four categories of RCS integrity status were identified and related to initiating events. The categories are: a) Large LOCA, which has the characteristic of low RCS pressure, b) Small LOCA, which has the characteristic of moderate or high pressure LOCA, c) An intact system, which has the characteristic of very high pressure, and d) Interfacing LOCA, which bypasses containment.

B. RWST Injected into Containment

Another key parameter for accident analysis is to know whether or not the reactor cavity is full of water. After comparing the RCS volume with the cavity volume, it was determined that in order to assure the cavity is full of water, the RWST must be fully injected into the containment. Two states were identified for this parameter, RWST injected and RWST not injected. No partial RWST injection was considered.

C. Containment Heat Removal Available

The third key parameter for containment analysis was whether or not containment heat removal was available. For plant damage state definition, this was defined to be the availability of at least one recirculation spray train, with service water being supplied to the heat exchanger. Alternate means of CHR with AFW which were included in the event tree success criteria, would not be available after core damage.

D. Containment Sprays Available

The fourth key parameter for containment analysis is whether or not containment atmospheric radioactivity removal is available at the time of core melting. At Surry, this was defined to mean availability of at least one containment spray train.

IV.4.2.1 Plant Damage State Development

Plant damage states were developed, based on the status of the four parameters discussed above. The damage states were identified by a four letter code as follows:

First Letter: Reactor Coolant System Integrity
   A: LOCA with RCS at low pressure before vessel breach (e.g., A, S1)
   S: LOCA with RCS at high pressure before vessel breach (e.g., S2, TQ)
   T: RCS intact before vessel breach (T, S3)
   V: LOCA outside containment
Second Letter: RWST water into containment (Yes or No)
Third Letter: Containment heat removal (Yes or No)
Fourth Letter: Containment Sprays Available
   B: Both CSI and CSR
   I: CSI only
   R: CSR only
   N: No containment spray

Note: Choice of "V" in the first column obviates the need for any other choices.

Out of 49 potential combinations, 30 are logically impossible, and two will be a null set, in accordance with success criteria assumptions. Table IV.4.2-1 lists the plant damage states utilized in the study. As mentioned above, 30 potential combinations are logically impossible and were eliminated. These impossible states are as follows (* indicates any option may be selected).

   *N*B    Cannot have CSI without RWST
   *N*I    Cannot have CSI without RWST
   *N*R    Cannot have CSR without RWST
   **YI    Cannot have CHR without CSR
   **YN    Cannot have CHR without CSR

IV.4.2.2 Plant Damage State Assumptions

Assumptions used to assign individual sequences to plant damage states are shown in Table IV.4.2-2.

Table IV.4.2-1
Applicable Surry Plant Damage States

PLANT DAMAGE STATE: DESCRIPTION

AYYB: Large LOCA, with injection of the RWST into containment, containment heat removal available, and sprays available in injection and recirculation.
AYNI: Large LOCA, with injection of the RWST into containment, no containment heat removal available, and sprays available in injection only.
AYYR: Large LOCA, with injection of the RWST into containment, containment heat removal available, and sprays available in injection and recirculation.
AYNB: Large LOCA, with injection of the RWST into containment, no containment heat removal available, but sprays available.
AYNN: Large LOCA, with injection of the RWST into containment, no containment heat removal available, and no sprays available.
ANNN: Large LOCA, without injection of the RWST into containment, and subsequent failure of containment heat removal and sprays.
SYYB: Small LOCA, with injection of the RWST into containment, containment heat removal available, and sprays available in injection and recirculation.
SYNI: Small LOCA, with injection of the RWST into containment, no containment heat removal available, and sprays available in injection only.
SYYR: Small LOCA, with injection of the RWST into containment, containment heat removal available, and sprays available in recirculation only.
SYNN: Small LOCA, with injection of the RWST into containment, no containment heat removal available, and no sprays available.
SNNN: Small LOCA, without injection of the RWST into containment, and subsequent failure of containment heat removal and sprays.
TYYB: RCS intact, with injection of the RWST into containment, containment heat removal available, and sprays available in injection and recirculation.
TYNI: RCS intact, with injection of the RWST into containment, no containment heat removal available, and sprays available in injection only.
TYYR: RCS intact, with injection of the RWST into containment, containment heat removal available, and sprays available in recirculation only.
TYNN: RCS intact, with injection of the RWST into containment, no containment heat removal available, and no sprays available.
TNNN: RCS intact, without injection of the RWST into containment, and subsequent failure of containment heat removal and sprays.
V: Interfacing LOCA, containment bypass.
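The four-letter coding and the exclusion patterns of Section IV.4.2.1 can be checked mechanically against Table IV.4.2-1. The following is an added example, not code from the report: the function names are assumptions, while the letter meanings, the five patterns and the 17 table states are taken from the text above.

```python
from itertools import product

# Letter meanings as given in Section IV.4.2.1.
RCS = {
    "A": "LOCA with RCS at low pressure before vessel breach",
    "S": "LOCA with RCS at high pressure before vessel breach",
    "T": "RCS intact before vessel breach",
}
SPRAYS = {"B": "both CSI and CSR", "I": "CSI only",
          "R": "CSR only", "N": "no containment spray"}

# Exclusion patterns as printed in the section; '*' means any option.
EXCLUSIONS = {
    "*N*B": "Cannot have CSI without RWST",
    "*N*I": "Cannot have CSI without RWST",
    "*N*R": "Cannot have CSR without RWST",
    "**YI": "Cannot have CHR without CSR",
    "**YN": "Cannot have CHR without CSR",
}

# The 17 plant damage states listed in Table IV.4.2-1.
TABLE_STATES = ["AYYB", "AYNI", "AYYR", "AYNB", "AYNN", "ANNN",
                "SYYB", "SYNI", "SYYR", "SYNN", "SNNN",
                "TYYB", "TYNI", "TYYR", "TYNN", "TNNN", "V"]


def candidates():
    """All 49 potential codes: 3 x 2 x 2 x 4 four-letter codes plus 'V'."""
    return ["".join(p) for p in product("AST", "YN", "YN", "BIRN")] + ["V"]


def violated(code):
    """Return the printed exclusion patterns that the code matches."""
    return [pat for pat in EXCLUSIONS
            if len(pat) == len(code)
            and all(p in ("*", c) for p, c in zip(pat, code))]


def decode(code):
    """Translate a plant damage state code into its four parameters."""
    if code == "V":  # 'V' obviates the need for any other choices
        return {"rcs": "LOCA outside containment"}
    if (len(code) != 4 or code[0] not in RCS or code[1] not in "YN"
            or code[2] not in "YN" or code[3] not in SPRAYS):
        raise ValueError(f"not a plant damage state code: {code!r}")
    return {
        "rcs": RCS[code[0]],
        "rwst_injected": code[1] == "Y",
        "chr_available": code[2] == "Y",
        "sprays": SPRAYS[code[3]],
    }


def summary():
    """Compare the enumeration with the printed patterns and the table."""
    codes = candidates()
    excluded = [c for c in codes if violated(c)]
    passing = [c for c in codes if not violated(c)]
    return {
        "potential": len(codes),
        "excluded_by_printed_patterns": len(excluded),
        "table_states_rejected": [c for c in TABLE_STATES if violated(c)],
        # Codes that pass the five printed patterns but are not in the table.
        # The text counts 30 impossible combinations and two null sets; the
        # printed patterns cover 27, so 3 + 2 = 5 codes remain here.
        "passing_not_in_table": sorted(set(passing) - set(TABLE_STATES)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(key, value)
    print(decode("SYNI"))
```

The summary shows that every state in Table IV.4.2-1 passes the five printed patterns, and that the patterns alone do not reproduce the stated count of 30 impossible combinations.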

Table IV.4.2-2
Assumptions Used In Plant Damage State Assignment

1. Plant damage state assignment was done at the sequence level.
2. All S1 events were assigned to "A" plant damage states.
3. TLP sequences (failure to feed and bleed because of insufficient PORV opening) were assigned to "T" plant damage states, even though one PORV may be open. The RCS is pressurized during TLP sequences due to the action of the HPI pumps. It is therefore put in a "T" state.
4. TKRZ sequence was assigned to "S" damage state. The pressure rise in the RCS was assumed to cause a small LOCA.
5. Selection of N or Y for RWST injection considered ECCS sources of injection, in addition to the containment sprays. Accumulator injection was considered irrelevant in determining N or Y for RWST injection.

IV.4.3 T (Loss g of Offsite Power) Event Tree - This section presents and discusses the event tree for the loss of offsite power (Tg) initiating event group. IV.4.3.1 Success Criteria Success criteria for the T3event tree are shown in Table IV.4.3-1. The character of the initiator does not create any unique success criteria. However, it does create many

unique conditions for the evaluation and quantification of sequences.

Loss of offsite power will result in de-energization of the normal and emergency 4160V buses. - This will de-energize all lower level buses. The DC buses and the vital buses

.          powered by the DC buses would be expected to be available, unless random failures of

! these buses were postulated. l The reactor protection system will de-energize, thus signaling the control rods to l Insert. Vital bus I and lY will be unavailable until their respective AC power trains are-t re-energized. PORVs were assumed to be demnded for T3 initiators from high power. } However PORY 1455-C which is powered from VB1-1 was assumed not to open because the vital bus is de-energized. The main feedwater system and balance of plant systems i will be unavailable for the duration of the event. 1 4 The Tg event was assumed to affect both unit I and unit 2, although the event tree was evaluated for unit 1. Should DG #2 (dedicated to Unit 2) fall to start or run, DG #3 would align to unit 2, thereby making it unavailable for unit 1. Sequences in which diesel generators 1 and 3 are unavailable were evaluated using a special station blackout (SBO) event tree. The primary purpose of the SBO event tree is to facilitate the modeling of AC power recovery. i The four primary functions required in response to T are reactor scram, primary system integrity, auxiliary feedwater and RCP seal cooling.g If all these functions are provided, the transient is assumed to be mitigated at a very early stage. Failure to provide reactor ! scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 l LOCA tree. Failure to provide RCP seal cooling indicates a seal vulnerable condition and transfers to seal LOCA tree. l i Failure to provide AFW leads to a demand for " feed and bleed" cooling. These sequences ! are developed on the Tg tree, and in fact, represent most of the sequences on that tree. l For feed and bleed, the actions of providing charging flow and opening the PORVs are.

modeled separately. Failure to provide charging flow and open two PORVs leads to core damage. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems. These sequences are developed on the tree.

IV.4.3.2 Event Tree

The event tree for T1 is shown in Figure IV.4.3-1. The important functional, phenomenological and hardware dependencies as well as assumptions and limitations are stated in the general assumptions found in Table IV.4.1-1. The annotations on the event tree refer to the notes in Table IV.4.1-1.

Table IV.4.3-1
T1 Transient Success Criteria Summary Information
INITIATOR: T1 - LOSP

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: 1/3 Charging Pump in Seal Injection and PORV Reclose (if opened) OR CCW to RCP Thermal Barrier in all RCP and PORV Reclose (if opened)
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX

COMMENTS
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS pressure relief required if scram. However PORV may open.
6. Failure of RCS integrity goes to S2 tree or seal LOCA tree, as appropriate.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.

[Figure IV.4.3-1. Event Tree for T1 - Loss of Offsite Power. Event tree headings: INIT, RPS, RVC, AFW, SIF, CCW, HPI, PRV, CSS, ISR, OSR, LPR, HPR. Transfers shown: seal LOCA vulnerable, go to seal LOCA tree; stuck-open PORV, go to S2; ATWS, go to ATWS tree.]

IV.4.4 T2 (Loss of Main Feedwater) Event Tree

This section presents and discusses the event tree for the loss of main feedwater (T2) initiating event group. Main feedwater was assumed to be lost for the duration of this event.

IV.4.4.1 Success Criteria

Success criteria for the T2 event tree are shown in Table IV.4.4-1.

Loss of main feedwater results in low steam generator water level, which causes a demand for a reactor scram and signals AFW to start. PORV demand for this class of initiators is considered to be a random occurrence, due to degraded control system performance or degraded BOP component performance. The probability of PORV demand was assigned a value of .014 (for high power initiators only), based on historical Westinghouse experience.

The four primary functions required in response to T2 are reactor scram, primary system integrity, auxiliary feedwater and RCP seal cooling. If all these functions are provided, the transient is mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling leads to a seal vulnerable condition and transfers to the seal LOCA tree.

Failure to provide AFW leads to a demand for "feed and bleed" cooling. These sequences are developed on the T2 tree, and in fact, represent most of the sequences on that tree. For feed and bleed, the actions of providing charging flow and opening the PORVs are modeled separately. Failure to provide charging flow and open two PORVs leads to core damage. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems. These sequences are developed on the tree.

IV.4.4.2 Event Tree

The event tree for T2 is shown in Figure IV.4.4-1. The important functional, phenomenological and hardware dependencies as well as assumptions and limitations are stated in the general assumptions found in Table IV.4.1-1. The annotations on the event tree refer to the notes in Table IV.4.1-1.

Table IV.4.4-1
T2 Transient Success Criteria Summary Information
INITIATOR: T2 - LOSS MFW

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: 1/3 Charging Pump in Seal Injection and PORV Reclose (if opened) OR CCW to RCP Thermal Barrier in all RCP and PORV Reclose (if opened)
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX

COMMENTS
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS pressure relief required if scram. However PORV may open.
6. Failure of RCS integrity goes to S2 tree or seal LOCA tree, as appropriate.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.

[Figure IV.4.4-1. Event Tree for T2 - Loss of MFW. Event tree headings: INIT, RPS, RVC, AFW, SIF, CCW, HPI, PRV, CSS, ISR, OSR, LPR, HPR. Transfers shown: seal LOCA vulnerable, go to seal LOCA tree; stuck-open PORV, go to S2; ATWS, go to ATWS tree.]

IV.4.5 T3 (Turbine Trip With MFW) Event Tree

This section presents and discusses the event tree for the turbine trip with MFW available (T3) initiating event group. This initiating event group includes transients with one or both main feedwater pumps available after reactor trip.

IV.4.5.1 Success Criteria

Success criteria for the T3 event tree are shown in Table IV.4.5-1.

This initiating event group is initiated by a turbine trip, followed by a demand for reactor trip. PORV demand for this class of initiators is considered to be a random occurrence, due to degraded control system performance or degraded BOP component performance. The probability of PORV demand was assigned a value of .014 (for high power initiators only), based on historical Westinghouse experience.

The MFW control system at Surry is such that if the reactor trip breakers are closed and Tav is less than 543°F, the main feedwater regulating valves will close, the miniflow lines will open and the MFW pumps will stay on. This was assumed to be the course of all T3 initiating events. Although the MFW pumps are isolated from the steam generators, they remain a viable source of SG inventory make-up, should AFW be unavailable. AFW is the preferred source of SG make-up, but MFW pumps can easily be used by opening the feedwater regulating valve bypass valve. Because AFW is the preferred source of SG make-up, it appears on the tree before main feedwater.

Four primary functions were required to successfully mitigate the T3 events. These functions are reactor scram, RCS integrity, SG inventory makeup, and RCP seal cooling. If all these functions are provided, the transient will be mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling leads to a seal LOCA vulnerable condition. This is evaluated in the seal LOCA tree. The question of SG cooling was not asked for sequences with loss of seal cooling. Since both MFW and AFW are initially available, failure of both feedwater and seal cooling was considered to be insignificant.

Failure to provide feedwater leads to a demand for "feed and bleed" cooling. These sequences are developed on the T3 tree and in fact, represent most of the sequences on that tree. For feed and bleed, the actions of providing charging flow and opening the PORVs are modeled separately. Failure to provide charging flow and open two PORVs leads to core damage. Containment status is delineated for the sequences. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems.

IV.4.5.2 Event Tree

The event tree for T3 is shown in Figure IV.4.5-1. The important functional, phenomenological and hardware dependencies as well as general assumptions and limitations are stated in Table IV.4.1-1. The annotations on the event tree refer to the notes in Table IV.4.1-1.

Table IV.4.5-1
T3 Transient Success Criteria Summary Information
INITIATOR: Turbine Trip with MFW available, T3

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW OR 1/2 MFW OR 1/3 Charging Pump and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: Any Open PORVs Reclose, ELSE Transfer to S2 Event Tree; and for Seal Integrity, 1/3 Charging Pump in Seal Injection Flow OR CCW to Thermal Barrier of All RCPs
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to Associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to Associated HX OR 1/2 OSR and SWS to Associated HX

COMMENTS
1. PORVs challenged at rate of 1/70 transients for T3.
2. Comments 1-7 for T apply to this initiator.
3. Core heat removal, late and containment atmospheric heat removal are required only when feed and bleed is demanded or RCS integrity is lost.

[Figure IV.4.5-1. Event Tree for T3 - Turbine Trip with MFW Initially Available. Event tree headings: INIT, RPS, RVC, SIF, CCW, AFW, PCS, HPI, PRV, CSS, ISR, OSR, LPR, HPR. Transfers shown: seal LOCA vulnerable, go to seal LOCA tree; stuck-open PORV, go to S2 tree; ATWS, go to ATWS tree.]

IV.4.6 T4 (Loss of 480 V Bus) Event Tree

This section presents the event tree for the loss of a 480 V bus (T4) initiating event group. The event tree was evaluated for the loss of 480 VAC bus 1-H (T4H) and 480 VAC bus 1-J (T4J). The specific initiator was postulated to be a failure of the 4160V/480V transformer which supplies the 1-H or 1-J bus. It was assumed that the corresponding 480 VAC 1H-1 or 480 VAC 1J-1 buses would be unavailable for the duration of the event due to the necessity to open the 15H7 or 15J7 breaker, respectively.

IV.4.6.1 Success Criteria

Success criteria for the T4 event tree are shown in Table IV.4.6-1. The success criteria for this initiating event group are identical to initiating event groups T1 and T2. The character of the initiator does not create any unique success criteria; however, it does create unique conditions for the evaluation and quantification of sequences.

Loss of the 480V buses 1H and 1H-1 or 1J and 1J-1 will result in the immediate loss of the vital bus which is normally powered by the sola transformer. This will result in rapid turbine runback, which was assumed to lead to reactor trip. Due to the loss of turbine bypass control and the constraint that Surry frequently operates with the SG ADVs isolated, it was conservatively assumed that the RCS pressure would reach the PORV set point if the transient was initiated from high power. PORVs which were powered by operable vital buses would open, unless they had been isolated prior to the initiating event. Main feedwater was assumed to be unavailable due to loss of the vital bus. No other systems were unavailable as a result of the initiating event.

Four primary functions were required to successfully mitigate these events. These functions are reactor scram, RCS integrity, SG inventory makeup, and RCP seal cooling. If all these functions were provided, the transient will be mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling leads to a seal LOCA vulnerable condition. This is evaluated in the seal LOCA tree.

Failure to provide feedwater leads to a demand for "feed and bleed" cooling. These sequences are developed on the T4 tree, and in fact, represent most of the sequences on that tree. For feed and bleed, the actions of providing charging flow and opening the PORVs are modeled separately. Failure to provide charging flow and open two PORVs leads to core damage. Containment status is delineated for the sequences. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems. These sequences are developed on the tree.

IV.4.6.2 Event Tree

The event tree for T4 is shown in Figure IV.4.6-1. The important functional, phenomenological and hardware dependencies as well as assumptions and limitations are stated in Table IV.4.1-1. The annotations on the event tree refer to the notes in Table IV.4.1-1.

Table IV.4.6-1
T4 Transient Success Criteria Summary Information
INITIATOR: T4 - LOSS 480V AC bus

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: 1/3 Charging Pump in Seal Injection and PORV Reclose (if opened) OR CCW to RCP Thermal Barrier in all RCP and PORV Reclose (if opened)
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX

COMMENTS
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS pressure relief required if scram. However PORV may open.
6. Failure of RCS integrity goes to S2 tree or seal LOCA tree, as appropriate.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.

[Figure IV.4.6-1. Event Tree for T4 - Loss of 480V Bus. Event tree headings: INIT, RPS, RVC, AFW, SIF, CCW, HPI, PRV, CSS, ISR, OSR, LPR, HPR. Transfers shown: seal LOCA vulnerable, go to seal LOCA tree; stuck-open PORV, go to S2; ATWS, go to ATWS tree.]

IV.4.7 T5 (Loss of DC Bus) Event Tree

This section presents the event tree for the "loss of a DC bus" (T5) initiating event group. The event tree was evaluated for a loss of DC bus 1-A (T5A) and loss of DC bus 1-B (T5B). The specific initiator was postulated to be a non-recoverable short of the bus. Interruptions in power supply to the bus and load shorts on the bus were considered to be recoverable in a relatively short period of time and therefore were not included in this category.

IV.4.7.1 Success Criteria

Success criteria for the T5 event tree are shown in Table IV.4.7-1. The success criteria are identical to T1 and T2. The character of the initiator does not create any unique success criteria; however, it does create unique conditions for the evaluation of sequences.

Loss of a DC bus will result in many false signals, as well as the immediate loss of one vital bus. Loss of a DC bus will cause a low intake canal level signal which will trip the turbine, and a low steam generator level signal which will trip the reactor and the turbine. Loss of a DC bus will also start the turbine driven AFW pump due to the fail open condition of one steam admission valve. In addition, loss of a DC bus will cause a CLS Hi and a resultant SIAS actuation of one train.

The major impact on the plant systems is through the loss of control power to the affected buses. It was assumed that all breakers fail as is, so operating pumps remain on, while non-operating pumps become unavailable. Manual loading of pumps onto buses was not considered. Since one HPI pump is normally operating, and one train of valves is expected to open due to the SIAS actuation, emergency coolant injection will occur and may open a PORV. This situation is covered by the probability value used for a stuck open PORV, which includes operator failure to terminate HPI and close the PORV block valve.

Four primary functions were required to successfully mitigate these events. These functions are reactor scram, RCS integrity, SG inventory makeup, and RCP seal cooling. If all these functions were provided, the transient will be mitigated at a very early stage. Failure to provide reactor scram transfers to the ATWS tree. Failure of PORVs to reclose transfers to the S2 LOCA tree. Failure to provide RCP seal cooling leads to a seal LOCA vulnerable condition. This is evaluated in the seal LOCA tree.

Failure to provide feedwater leads to a demand for "feed and bleed" cooling. These sequences are developed on the T5 tree, and in fact, represent most of the sequences on that tree. For feed and bleed, the actions of providing charging flow and opening the PORVs are modeled separately. Failure to provide charging flow and open two PORVs leads to core damage. Containment status is delineated for the sequences. Successful feed and bleed cooling leads to demand for containment systems and coolant recirculation systems.

IV.4.7.2 Event Tree

The event tree for T5 is shown in Figure IV.4.7-1. The important functional, phenomenological and hardware dependencies as well as general assumptions and limitations are stated in Table IV.4.1-1. The annotations on the event tree refer to the notes in Table IV.4.1-1.

Table IV.4.7-1
T5 Transient Success Criteria Summary Information
INITIATOR: T5 - LOSS DC bus

REACTOR SUBCRITICALITY: RPS
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pumps OR 1/3 Charging Pumps and 2 PORVs Open (in Feed and Bleed)
RCS INTEGRITY: 1/3 Charging Pump in Seal Injection and PORV Reclose (if opened) OR CCW to RCP Thermal Barrier in all RCP and PORV Reclose (if opened)
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS OR 1/2 ISR and SWS to associated CSR HX
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX OR 1/2 OSR and SWS to associated HX

COMMENTS
1. OSR needs CSS in injection to provide NPSH.
2. ISR needs SWS in injection to provide NPSH.
3. Secondary steam relief assumed available.
4. AFW to 1 SG sufficient.
5. No RCS pressure relief required if scram. However PORV may open.
6. Failure of RCS integrity goes to S2 tree or seal LOCA tree, as appropriate.
7. If AFW and RCS integrity are provided, containment heat removal and core heat removal late are not required.

[Figure IV.4.7-1. Event Tree for T5 - Loss of DC Bus. Event tree headings: INIT, RPS, RVC, AFW, SIF, CCW, HPI, PRV, CSS, ISR, OSR, LPR, HPR. Transfers shown: seal LOCA vulnerable, go to seal LOCA tree; stuck-open PORV, go to S2; ATWS, go to ATWS tree.]

IV.4.8 T6 (Loss of Charging Pump Cooling) Event Tree

This section presents the event tree for the loss of charging pump cooling (T6) initiating event group. This initiator fails the system which provides seal injection flow to the reactor coolant pumps during normal and emergency operation and provides high pressure coolant injection for LOCA mitigation. This initiator is less severe at Surry than at other plants because RCP thermal barrier cooling at Surry is provided by the Component Cooling Water System, which is independent from the charging pump cooling system, whereas at some plants the same system which provides HPI pump cooling also provides cooling to the RCP thermal barrier.

IV.4.8.1 Success Criteria

Success criteria for the T6 initiating event class are shown in Table IV.4.8-1. The unique character of this initiator makes these success criteria slightly different from other initiators.

For purposes of event tree analysis, this initiator can be loss of the two HPI service water pumps or loss of the two HPI component cooling pumps. This loss would be alarmed in the control room by low discharge pressures. It was assumed that immediate action would be taken to secure the charging system, and manual reactor shutdown would begin within ten minutes of loss of charging system. Because a manual reactor shutdown will occur, PORV demand was assumed negligible.

Three primary functions were required for early mitigation of this initiator. These were reactor shutdown, SG inventory makeup, and cooling to the RCP thermal barrier. Failure to provide any of these functions was handled on an individual basis. Failure to provide reactor shutdown with the control rod system could be recoverable using HPI from unit 2 for boration. Failure to provide SG inventory makeup would normally lead to demand for feed and bleed cooling. However, the unavailability of HPI at unit 1 prevents this. These sequences were recoverable by cross connect of AFW from unit 2 or cross connect of HPI from unit 2. Failure to provide CCW to the RCP thermal barriers was transferred to the seal LOCA tree.

IV.4.8.2 T6 Event Tree

The T6 event tree is shown in Figure IV.4.8-1. The important functional, phenomenological, and hardware dependencies have been discussed in the previous section or are listed in the Event Tree Assumptions in Table IV.4.1-1. The annotations on the event tree refer to the notes in Table IV.4.1-1.

Table IV.4.8-1
T6 Transient Success Criteria Summary Information
INITIATOR: Loss Charging Pump Cooling, T6

REACTOR SUBCRITICALITY: Control Rod Insertion via Manual Initiation
CORE HEAT REMOVAL, EARLY: 1/3 AFW Pump OR 1/2 MFW Pump
RCS INTEGRITY: CCW to Thermal Barrier of all RCPs
CONTAINMENT PRESSURE SUPPRESSION: NA
CORE HEAT REMOVAL, LATE: NA
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: NA

COMMENTS
1. #3, 4, 7 in T apply.
2. Manual shutdown assumed.
3. No PORV demand for this transient.
4. Core heat removal, late is not available due to failure of HPI.

[Figure IV.4.8-1. Event Tree for T6 - Loss of Charging Pump Cooling. Event tree headings: INIT, MRT, AFW, PCS, CCW, CSS, ISR, OSR, STATUS, SEQ. Status annotations: seal LOCA vulnerable with AFW available, go to seal LOCA tree; seal LOCA vulnerable with MFW/PCS available, go to seal LOCA tree; loss of all SG cooling, no HPI from U-1 (no F & B from U-1), no seal LOCA, further sequence delineation handled as recovery action; loss of all SG cooling and seal cooling, further accident sequence delineation handled as recovery action; need HPI from unit 2.]

IV.4.9 Seal LOCA Event Tree

The seal LOCA event tree is presented in this section. The seal LOCA event tree is used to evaluate RCP seal LOCA vulnerable conditions caused by loss of all seal cooling, with AC power available. Entry into the tree presumes loss of all seal cooling coincident with success of AFW or MFW. Entry into the tree also presumes AC power is available to at least one 4160V bus. Sequences with no AC power available are discussed in Section IV.4.10, station blackout event tree.

IV.4.9.1 Success Criteria

Success criteria for the seal LOCA tree are shown in Table IV.4.9-1. The unique feature about these sequences is that HPI at unit 1 is unavailable. Seal injection flow or HPI flow must be supplied by HPI at Unit 2. However, when the RWST at unit 2 is empty, it is not possible to go onto recirculation using the HPI pumps at unit 2.

Entry into this tree assumes the reactor is subcritical and SG inventory makeup is available, but all seal cooling and HPI is unavailable. For the development of the event tree, it was assumed that the initiator was non-recoverable. Recovery actions associated with restoration of CCW or HPI-service water at Unit 1, or cross-connect of HPI-SW from unit 2, were considered after initial quantification of the event tree sequences.

The first action to prevent a seal LOCA is to restore seal injection flow to unit 1, using HPI pumps at unit 2. A 1-hour time limit was allowed for provision of seal injection flow in order to prevent seal LOCA for the initial quantification. One hour is the shortest time in the Surry seal LOCA model. None of these sequences were significant using this conservative time limit, so it was not necessary to do more detailed evaluation using the probabilistic seal LOCA model described in Appendix A.I.

If seal injection flow is not established within one hour, a seal LOCA was assumed to result. It was assumed to occur in all pumps and be 450 gpm per pump (1350 gpm total). This is a maximum flow rate, as calculated in NUREG/CR-4294. In order to mitigate the seal LOCA, HPI flow from one pump on unit 2 must be provided.

Unit 2 can only provide injection flow to unit 1 until the RWST at unit 2 is empty (cross connect of RWST from unit 1 was examined as recovery). LPI at unit 1 is required to provide core make-up during the recirculation phase. This necessitates RCS depressurization by secondary steaming. Because RCPs are unavailable to provide RCS mixing at this point, depressurization of all three steam generators is required for successful primary system depressurization. After that, 1/2 LPI pumps in injection and then recirculation are required.

Containment system operability requirements are the same for this event tree as the other transient event trees.

IV.4.9.2 Event Tree

The event tree for the seal LOCA vulnerable condition is shown in Figure IV.4.9-1. Entry into the tree is a seal LOCA vulnerable condition, with successful reactor subcriticality, and AFW or MFW available. If seal injection flow is provided from unit 2 within one hour, seal LOCA is avoided. Because seal injection flow is minimal, the plant could stay in this mode until the RCS was cooled down and depressurized.

If HPI flow was not provided from unit 2 within one hour, a 1350 gpm LOCA was assumed to develop. If HPI flow was not provided from unit 2 within one hour of seal LOCA, core damage occurs. After successful HPI flow from unit 2, it is necessary to depressurize the RCS using AFW in order to allow the LPI pumps to perform recirculation. The event tree shows the development of all the sequences and the containment status for the core damage sequences. The status of sequence groups is annotated on the event tree.

Table IV.4.9-1 Success Criteria Summary Information

INITIATOR: Seal LOCA Vulnerable (Due to Loss of Seal Injection Flow, Loss of CCWS)

RCS INTEGRITY: One charging pump from Unit 2 to provide seal injection flow.
CORE HEAT REMOVAL, EARLY: One charging pump from Unit 2 providing flow to 1 of 3 cold legs, AND RCS depressurization by secondary steaming, AND 1/2 LPI, Unit 1.
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS, OR 1/2 ISR and SWS to associated HX.
CORE HEAT REMOVAL, LATE: 1/2 LPR from Unit 1.
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX, OR 1/2 OSR and SWS to associated HX.

COMMENTS:
1. Entry into seal LOCA assumes scram, and core heat removal is being provided by AFW or PCS.
2. Entry into seal LOCA tree represents a seal LOCA vulnerability.

[Figure IV.4.9-1: Event Tree for Seal LOCA. Event tree headings: INIT., HP2, HP2, SBD, LPI, CSS, ISR, OSR, LPR, STATUS, SEQ.]

IV.4.10 Station Blackout Event Tree

A station blackout (SBO) event tree was constructed to facilitate the modeling of AC power recovery during SBO. No new success criteria or mitigating requirements were identified. Several timing considerations were identified and used to structure the tree.

IV.4.10.1 Assumptions and Timing Considerations

The important assumptions and timing considerations are shown in Table IV.4.10-1.

IV.4.10.2 Event Tree

The event tree is shown in Figure IV.4.10-1. Entry into the tree assumes a subcritical reactor and no AC power available at Unit 1 or Unit 2.

The first heading on the tree addresses restoration of AC power to the plant buses within 1/2 hour. Thirty minutes was chosen because it conveniently corresponds to two timing considerations. First, it is the time required to deplete SG inventory if AFW is not available. Since safety functions are not essential to prevent core damage within the first 30 minutes, restoration of power to the plant systems within this time was considered to be sufficient to restore the reactor to a safe condition.

Thirty minutes is also the time at which the intake canal would be drained if none of the main condenser waterboxes were manually isolated after a station blackout. Restoration of AC power to the emergency buses will automatically isolate the condensers. Restoration of power to the normal buses will re-energize the circ-water pumps, thereby refilling the canal. If either of these events occurs within thirty minutes, canal drainage would be prevented. If the canal is completely drained, restoration of HPI flow is complicated by the need to refill the intake canal in order to provide a water source for the HPI-SW pumps. This is factored into the recovery model by requiring 30 minutes from the time of recovery of AC power to the switchyard to the time of restoration of HPI flow.

The next heading on the tree is for RCS integrity. One PORV (PORV-l!%) is assumed to cycle open (provided it was not blocked prior to the initiator). Failure of the PORV to reclose results in a small LOCA. Since the Motor Control Centers are de-energized, the block valves are inoperable and the PORV is not isolable. Two possible mitigation scenarios are generally considered for these sequences (closing block valve or providing HPI flow). Only scenarios involving closing the block valve are applicable in this case because the Surry specific timing considerations associated with system restoration (specifically the canal level restoration) prevent restoration of HPI flow within the allowable time. Recovery of AC power to the block valves and isolation of the PORV within one hour of opening, followed by eventual restoration of HPI flow, will mitigate this event.

The next heading on the tree addresses AFW availability in the early time frame. If AFW is not available, SG inventory would be depleted in 1/2 hour. From that time, there is an additional 1/2 hour to restore both HPI flow and AFW to prevent core damage. However, due to the timing considerations of canal refill and system restoration, recovery from this scenario (i.e., AFW failure) is not possible unless AC power is restored within 1/2 hour from time of loss of AFW.

The next event tree heading addresses the occurrence of a seal LOCA. At this time (one hour) into the event, the successful sequences on the tree have RCS integrity, AFW to the steam generators, and no AC power. The occurrence of a seal LOCA was modeled (see Appendix A.1) probabilistically as a function of time in order to facilitate more precise modeling of AC power recovery. If a seal LOCA occurred, core damage was assumed to be prevented if HPI flow was restored within one hour of seal LOCA. Due to restoration timing considerations discussed above (canal level), this requirement translates into recovery of AC power within 1/2 hour of seal LOCA in order to prevent core damage. The probability of non-recoverable seal LOCA was calculated, from one hour to six hours, by multiplying the probability density function for seal LOCA at time "t" by the cumulative distribution function for non-recovery of AC power at time t + 1/2 hour, and integrating over the time period of interest.

If seal LOCA occurs and HPI flow is restored within one hour, the SBO event is successfully mitigated. Should a seal LOCA occur and HPI flow not be restored within one hour, core damage will occur.

If seal LOCA does not occur, the question of AC power recovery is not critical until after the four-hour time frame. At that time, the batteries supplying DC power to instrumentation are assumed to be depleted. After this point, no credit is given for successful control of steam generator water level. An additional three hours after battery depletion was allowed for recovery of AC power before core damage would occur. The selection of a three-hour time period is consistent with assumptions in NUREG/CR-3226.

Table IV.4.10-1 Timing Considerations and Other Assumptions in the SBO Event Tree

1. Intake canal estimated to be drained in 1/2 hour if AC power not restored to emergency buses or normal buses. See Appendix A.2 for calculation.
2. If the turbine driven AFW pump does not start, SG will go dry in approximately 1/2 hour. Thirty additional minutes allowed to provide HPI flow and restore AFW in order to prevent core damage.
3. If PORV fails to reclose, one hour is allowed to isolate PORV in order to prevent core damage. See Appendix A.6 for basis.
4. If canal is drained, 30-minute time lag is included in the timing model from the time of return of AC power to time at which HPI flow is restored. This is to allow for bus energization and canal refill. Normal canal inventory assumed necessary to provide HPI-SW flow.
5. If AFW fails and PORV fails to reclose, no recovery allowed.
6. PORV demand probability conservatively assigned a value of 1.0 for high power initiators.
7. Credit for manual isolation of condenser waterboxes within first 30 minutes is not allowed. Due to the size of the valves (96") and the number which must be closed (8), significant manual isolation cannot be accomplished in 30 minutes.
8. Battery depletion assumed to occur at four hours. Core damage assumed to start in three more hours if AC power not restored.
9. Operator initiated reduction of RCS pressure to 500 psi to prolong the life of the RCP seal was not modeled.
10. Risk of seal LOCA considered to start at about one hour. Probability of seal LOCA modeled as Weibull distribution with 5% and 95% probabilities corresponding to about one hour and ten hours. See Appendix A.1 for details of seal LOCA model.
11. HPI flow must be provided one hour after seal LOCA in order to prevent core damage. See Appendix A.6 for basis.
12. Seal LOCA flow rate considered to be 1350 gpm (450 gpm per pump). See Appendix A.1 for discussion.
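The integral described in Section IV.4.10.2 (seal LOCA density at time t multiplied by AC non-recovery at t + 1/2 hour, integrated from one to six hours) can be carried through numerically with the Weibull model of item 10. The following is an added example, not code from the report: it fits the Weibull to exactly 1 h and 10 h for the 5% and 95% points, and the exponential AC non-recovery curve and its 2-hour mean are hypothetical stand-ins, since the report's recovery curve is not given on this page.

```python
import math


def weibull_from_quantiles(t_lo, p_lo, t_hi, p_hi):
    """Solve F(t) = 1 - exp(-(t/eta)**beta) for (beta, eta) given two quantiles.

    Taking ln(-ln(1 - F)) = beta*ln(t) - beta*ln(eta) makes the fit linear in ln(t).
    """
    y_lo = math.log(-math.log(1.0 - p_lo))
    y_hi = math.log(-math.log(1.0 - p_hi))
    beta = (y_hi - y_lo) / (math.log(t_hi) - math.log(t_lo))
    eta = t_lo / math.exp(y_lo / beta)
    return beta, eta


def weibull_cdf(t, beta, eta):
    """Probability that a seal LOCA has occurred by time t (hours)."""
    return 1.0 - math.exp(-((t / eta) ** beta))


def weibull_pdf(t, beta, eta):
    """Seal LOCA probability density at time t > 0 (per hour)."""
    z = (t / eta) ** beta
    return (beta / t) * z * math.exp(-z)


def exp_nonrecovery(mean_recovery_h):
    """Hypothetical AC non-recovery curve: P(no AC power by time t) = exp(-t/mean).

    Assumption for illustration only; the report's recovery data is not on this page.
    """
    def nrac(t):
        return math.exp(-t / mean_recovery_h)
    return nrac


def simpson(f, a, b, n=2000):
    """Composite Simpson integration of f over [a, b] with n (even) intervals."""
    if n % 2:
        n += 1
    h = (b - a) / n
    total = f(a) + f(b)
    for i in range(1, n):
        total += (4 if i % 2 else 2) * f(a + i * h)
    return total * h / 3.0


def nonrecoverable_seal_loca_probability(beta, eta, nrac,
                                         t_start=1.0, t_end=6.0, lag_h=0.5):
    """Integrate f_SL(t) * P_NRAC(t + lag) over [t_start, t_end].

    lag_h = 0.5 reflects the page's statement that HPI must be restored within
    one hour of the seal LOCA and that canal refill costs 30 minutes, so AC
    power must be back within 1/2 hour of the seal LOCA.
    """
    def integrand(t):
        return weibull_pdf(t, beta, eta) * nrac(t + lag_h)
    return simpson(integrand, t_start, t_end)


if __name__ == "__main__":
    # 5% at 1 h and 95% at 10 h, taken as exact values for the fit.
    beta, eta = weibull_from_quantiles(1.0, 0.05, 10.0, 0.95)
    print(f"Weibull shape beta = {beta:.4f}, scale eta = {eta:.3f} h")

    # Upper bound: AC power never recovered, so every seal LOCA in the window counts.
    window = weibull_cdf(6.0, beta, eta) - weibull_cdf(1.0, beta, eta)
    print(f"P(seal LOCA between 1 h and 6 h) = {window:.4f}")

    # Constructed recovery assumption: exponential with a 2-hour mean.
    p = nonrecoverable_seal_loca_probability(beta, eta, exp_nonrecovery(2.0))
    print(f"P(non-recoverable seal LOCA), 2 h mean recovery = {p:.4f}")
```

Passing a non-recovery curve that is identically 1 reduces the integral to the Weibull probability mass between one and six hours, which is a quick check on the integration.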

[Figure IV.4.10-1: Station Blackout Event Tree. Event tree headings: RECOVER AC WITHIN 1/2 HOUR, PORV RECLOSE, AFW, RECOVER AC WITHIN 1 HOUR, AVOID SEAL LOCA, RECOVER AC WITHIN 1/2 HR OF SL, RECOVER AC WITHIN 7 HR, STATUS. Annotations: canal drain occurs at 30 min.; battery depletion occurs at 4 hr.]

IV.4.11 A (Large LOCA) Event Tree

This section presents the event tree for the large LOCA (A) initiating event group. The A initiating event group includes LOCAs of equivalent diameter between six and twenty-nine inches.

IV.4.11.1 Success Criteria

The success criteria for large LOCA are shown in Table IV.4.11-1. Assumptions #12, 13, 17, 28, and 29 from Table IV.4.1-1 specifically apply to the development of the large LOCA success criteria.

IV.4.11.2 Event Tree

The event tree for large LOCA is shown in Figure IV.4.11-1. The important functional, phenomenological and hardware dependencies as well as general assumptions and limitations are stated in Table IV.4.1-1. The annotated numbers on the event tree refer to assumptions in Table IV.4.1-1.


Table IV.4.11-1 Large LOCA Success Criteria Summary Information

INITIATOR: Large LOCA, A

REACTOR SUBCRITICALITY: Not required.
CORE HEAT REMOVAL, EARLY: 1/2 LPI and 2/2 ACC.
RCS INTEGRITY: See Comments.
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS, OR 1/2 ISR and SWS to associated HX.
CORE HEAT REMOVAL, LATE: 1/2 LPR and switch injection point to hot leg at 16 hr.
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX, OR 1/2 OSR and SWS to associated HX.

COMMENTS:
1. Injection of LPI into one RCS loop was considered sufficient.
2. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
3. RCS integrity is lost as a result of the initiator.

[Figure IV.4.11-1: Event Tree for A - Large LOCA. Event tree headings: INIT. (A), ACC (D5), LPI (D6), CSS (C), ISR (F1), OSR (F2), LPR (H1), STATUS, SEQ.]

IV.4.12 S1 (Medium LOCA) Event Tree

This section presents the event tree for the medium LOCA (S1) initiating event group. The S1 initiating event group includes LOCAs of equivalent diameter between two inches and six inches.

IV.4.12.1 Success Criteria

Success criteria for medium LOCAs are shown in Table IV.4.12-1. Assumptions #11, 12, 13, 17, 18, 27, 28, and 29 from Table IV.4.1-1 specifically apply to the development of success criteria for S1. Success criteria for S1 were selected with the intent to make S1 distinctively different from A and S2. These differences were derived from requirements for AFW, accumulators, HPI/R and LPI/R.

The S1 events were assumed to remain moderately pressurized during the very early time frame, thus requiring early inventory makeup from HPI. As the pressure declined, the accumulators and LPI were required. A requirement for high pressure recirculation was not postulated. Because S1 was assumed to depressurize within 30 minutes, AFW was assumed to be ineffective.

IV.4.12.2 Event Tree

The event tree for S1 LOCAs is shown in Figure IV.4.12-1. The important functional, phenomenological, and hardware dependencies as well as general assumptions and limitations are stated in Table IV.4.1-1. The annotated numbers on the event tree refer to assumptions in Table IV.4.1-1.

Table IV.4.12-1 Medium LOCA Success Criteria Summary Information

INITIATOR: Medium LOCA, S1

REACTOR SUBCRITICALITY: Not required.
CORE HEAT REMOVAL, EARLY: 1/3 charging pump and 1/2 LPI and 2/3 ACC.
RCS INTEGRITY: See Comments.
CONTAINMENT PRESSURE SUPPRESSION: 1/2 CSS, OR 1/2 ISR and SWS to associated HX.
CORE HEAT REMOVAL, LATE: 1/2 LPR and switch injection point to hot leg at 16 hr.
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX, OR 1/2 OSR and SWS to associated HX.

COMMENTS:
1. 1/2 injection lines adequate for LPI.
2. 2/3 injection lines adequate for HPI.
3. Reactor subcriticality is not explicitly required. If RPS fails, the reactor will be maintained subcritical by injection of RWST inventory.
4. RCS integrity is lost as a result of the initiator.

[Figure IV.4.12-1: Event Tree for S1 - Medium LOCA. Event tree headings: INIT. (S1), HPI (D1), ACC (D5), CSS (C), ISR (F1), OSR (F2), LPI (D6), LPR (H1), STATUS, SEQ.]

IV.4.13 S2 (Small LOCA) Event Tree

This section presents the event tree for the small LOCA (S2) initiating event group. S2 events were assumed to have equivalent diameters from one-half to two inches.

IV.4.13.1 Success Criteria

Success criteria for S2 LOCAs are shown in Table IV.4.13-1. Assumptions 11, 12, 13, 17, 28, and 29 apply specifically to the development of success criteria for S2. Evaluation of the accident phenomenology involved with S2 sequences followed by loss of containment heat removal systems indicated that AFW would be a viable heat sink long into the recirculation phase of an S2 LOCA. MARCH analysis of S2 at Surry, giving credit for AFW, indicated containment would not reach failure pressure (135 psia) until one week after the accident. Based on this analysis, S2F1F2 and S2CF1 sequences were not considered containment failures or core damage sequences.

AFW was required for successful S2 mitigation, because it was assumed the break size itself was not sufficient to carry away decay heat and pump heat. If AFW was unavailable, "feed and bleed" cooling was assumed viable if the operator would open one PORV.

IV.4.13.2 Event Tree

The event tree for S2 is shown in Figure IV.4.13-1. The important functional, phenomenological and hardware dependencies as well as general assumptions and limitations are stated in Table IV.4.1-1. The annotated numbers on the tree refer to the assumptions in Table IV.4.1-1.

Table IV.4.13-1 Small LOCA Success Criteria Summary Information

INITIATOR: Small LOCA, S2

REACTOR SUBCRITICALITY: RPS.
CORE HEAT REMOVAL, EARLY: 1/3 charging pump and 1/3 AFW pump, OR 1/3 charging pump and PORV opened.
RCS INTEGRITY: See Comments.
CONTAINMENT PRESSURE SUPPRESSION: See Comment 3.
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR.
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX, OR 1/2 OSR and SWS to associated HX, OR 1/3 AFW and 1/3 HPR and 1/2 LPR.

COMMENTS:
1. Failure of RPS transfers to ATWS tree.
2. RCS integrity is lost as a result of the initiator.
3. Containment pressure suppression is not required in the early time frame.

[Figure IV.4.13-1: Event Tree for S2 - Small LOCA. Event tree headings: INIT. (S2), RPS (K), HPI (D1), AFW (L), PRV (P1), CSS (C), ISR (F1), OSR (F2), LPR (H1), HPR (H2), STATUS, SEQ. Annotation: ATWS, go to ATWS tree.]

IV.4.14 S3 (Very Small LOCA) Event Tree

This section presents the event tree for the very small LOCA initiating event group. This group of LOCAs includes spontaneous seal LOCAs and very small breaks. The leak size is equivalent to less than a 1/2" break.

IV.4.14.1 Success Criteria

The success criteria for S3 are shown in Table IV.4.14-1. They are very similar to the S2 criteria. However, timing considerations due to the impact of the very small leak rate have a significant impact on the recirculation requirements.

Heat removal from the RCS by the AFWS, combined with the containment fan coolers and natural cooling/condensation processes, is expected to maintain containment pressure well below the spray actuation point. With only the HPI flow draining the RWST, S3 breaks could remain in the injection phase for a long time. An average break flow of 100 gpm would require 58 hours to drain the RWST, which is much longer than the traditional 24 hour mission time applied to other sequences. It is generally considered that by this time, other systems could be made available to put the reactor in a cold shutdown condition and maintain it that way for as long as necessary. Therefore, for S3, if AFW and HPI are available, it is presumed the reactor could be cooled down and depressurized before the RWST is empty, thereby eliminating the need to go to sump recirculation of the ECCS.

IV.4.14.3 Event Tree

The event tree for S3 is shown in Figure IV.4.14-1. The important functional, phenomenological and hardware dependencies as well as general assumptions and limitations are stated in Table IV.4.1-1. The annotated numbers refer to assumptions in Table IV.4.1-1. The tree is similar to the S2 tree, except that if HPI and AFW are available, the sequence is considered successfully mitigated without the need for ECR and containment systems.

Table IV.4.14-1 Very Small LOCA Success Criteria Summary Information

INITIATOR: S3 - Very Small LOCA

REACTOR SUBCRITICALITY: RPS.
CORE HEAT REMOVAL, EARLY: 1/3 charging pump and 1/3 AFW pump, OR 1/3 charging pump and 2 PORVs opened.
RCS INTEGRITY: See Comment 3.
CONTAINMENT PRESSURE SUPPRESSION: See Comment 4.
CORE HEAT REMOVAL, LATE: 1/3 HPR and 1/2 LPR.
CONTAINMENT ATMOSPHERIC HEAT REMOVAL: 1/2 ISR and SWS to associated HX, OR 1/2 OSR and SWS to associated HX, OR 1/3 AFW and 1/3 charging pump.

COMMENTS:
1. Failure of RPS transfers to ATWS tree.
2. For S3, it was assumed that if AFW and charging flow were available, the operators could depressurize the RCS and go on closed cycle cooling before the RWST was emptied, thereby eliminating the requirement for recirculation.
3. RCS integrity is lost as a result of the initiator.
4. Containment pressure suppression is not required. Successful containment heat removal will provide pressure suppression.

[Figure IV.4.14-1: Event Tree for S3 - Very Small LOCA. Event tree headings: INIT. (S3), RPS (K), HPI (D1), AFW (L), PRV (P), CSS (C), ISR (F1), OSR (F2), LPR (H1), HPR (H2), STATUS, SEQ. Annotation: ATWS, go to ATWS tree.]

IV.4.15 Event Tree Nomenclature

Nomenclature for events and event tree headings is presented in Tables IV.4.15-1 and IV.4.15-2.

Table IV.4.15-1 Identifiers for Event Trees

Each entry gives the event identifier, the system/mode, and the system identifier in brackets.

C - Failure of Containment Spray System [CSS]
D1 - Failure of Charging Pump System in High Pressure Safety Injection Mode [HPI]
D2 - Failure of Charging Pump System in Feed and Bleed Mode [HPI]
D3 - Failure of Charging Pump System in Seal Injection Flow Mode [CHP]
D4 - Failure of Charging Pump System in Emergency Boration Mode [HPI]
D5 - Failure of Accumulators in the Injection Mode [ACC]
D6 - Failure of Low Head Safety Injection System in the Injection Mode [LPI]
F1 - Failure of Inside Spray Recirculation System [ISR]
F2 - Failure of Outside Spray Recirculation System [OSR]
H1 - Failure of Low Head Safety Injection System in the Recirculation Mode [LPR]
H2 - Failure of Charging Pump System in the High Pressure Recirculation Mode [HPR]
K - Failure of Reactor Protection System [RPS]
L - Failure of Auxiliary Feedwater Required for Transients with Reactor Trip [AFW]
L2 - Failure of Auxiliary Feedwater Required for ATWS [AFW]
M - Failure of Power Conversion System [PCS]
N - Failure of Charging Pump System from Unit-2, Aligned for Seal Injection Flow to Unit-1, in time to prevent a Seal LOCA [HP2]
N2 - Failure of Charging Pump System from Unit-2, Aligned for High Pressure Injection Flow to Unit-1, in time to prevent core damage [HP2]
P - Failure of Both Pressurizer PORVs to Open for Feed and Bleed [PRV]
P1 - Failure of One PORV to Open for S2L [PRV]
P2 - Failure of RCS Pressure Relief in Response to ATWS [PRR]
Q - Failure of Pressurizer SRV/PORVs to Close after a Transient [RVC]
R - Failure of Manual Reactor Trip [MRT]
S - Failure of Steam Generator Steam Relief, Sufficient to Cause Primary System Depressurization [SBD]
T - Failure of Turbine Trip or MSIV Closure in Response to ATWS [TBT]
W - Failure of Component Cooling Water to the Thermal Barrier of All Reactor Coolant Pumps [CCW]
Z - Presence of "Unfavorable" Moderator Temperature Coefficient
Z1 - Presence of Very Low Moderator Temperature Coefficient

Table IV.4.15-2 Definition of Events

C - Less than 1/2 CSS trains taking suction from RWST and injecting into associated containment spray sparger.
D1 - Less than 1/3 charging pumps taking suction from RWST and injecting through MOV 1867 C/D into 1 of 3 RCS cold legs. Initiated by SI signal.
D2 - Same as D1, except must be initiated by operator.
D3 - Less than 1/3 charging pumps injecting through MOV 1370.
D4 - Less than 1/3 charging pumps injecting through the normal charging lines, with the BAT pumps on fast speed and MOV 1350 open, and one PORV open, within 10 minutes from initiator. SI alignment not required.
D5 - For A, less than 2/2 accumulators injecting into their associated cold legs. For S1, less than 2/3 accumulators injecting into their associated cold legs.
D6 - Less than 1/2 LHSI trains taking suction from the RWST and injecting through MOV 1890C to 1/3 RCS cold legs.
F1 - Less than 1/2 ISR trains, taking suction from the sump and injecting through associated spray sparger, with service water being provided to the secondary side of the heat exchanger.
F2 - Less than 1/2 OSR trains, taking suction from the sump and injecting through associated spray sparger, with service water being provided to the secondary side of the heat exchanger.
H1 - Less than 1/2 LHSI pumps taking suction from the sump and injecting to MOV 1890C, or injecting to the charging pump suction. Plus switch to hot leg recirculation at 16 hours for A and S1 LOCAs.
H2 - Less than 1/3 charging pumps taking suction from the LHSI discharge and injecting through MOV 1867 C/D.
K - Failure of automatic insertion of sufficient control rods to produce subcriticality at hot shutdown.
L - Less than 1/3 AFW pumps delivering water to 1/3 steam generators.
L2 - Less than 2 MDFWP or 1 TDAFWP delivering flow to 2 of 3 steam generators.
M - Failure of at least 1 main feedwater pump delivering flow to at least one steam generator, and a source of water from the hotwell or CST which is sufficient for 24 hours.
N - Failure of at least one charging pump from Unit-2 aligned to inject through MOV 1370.
N2 - Failure of at least one charging pump from Unit-2 providing flow through MOV 1867 A/B to 1/3 RCS cold legs.
P - Failure of at least 2 PORVs and associated block valves to open, initiated by manual action.
P1 - Less than 1/2 PORVs and associated block valve open, initiated by operator.
P2 - Failure of at least 3 SRVs to open, or 2 SRVs and 2 PORVs and associated block valves to open, in response to RCS pressure rise from ATWS, within 2 minutes of assumed scram signal.
Q - Failure of pressurizer PORVs to reclose or be manually isolated after a transient.
R - Failure of manual reactor trip caused by pushing the manual scram button, or disconnecting power to the CRDM MG sets, within 2 minutes of initiator.
S - Failure of steam generator steam relief via:
  - Decay heat release valve
  - SG PORV
  - Main condenser (manually bypassing MSIVs, if necessary)
  - Atmospheric dump through condenser hoggers
  - Insufficient quantity to cool down the RCS at a rate of 100°F/hr.
T - Failure of automatic turbine stop valve closure or automatic MSIV closure or manual TSV closure or manual MSIV closure within 30 seconds of assumed failed scram signal.
W - Failure of component cooling water supplied to the lower bearing heat exchanger of all reactor coolant pumps.
Z - Existence of a moderator temperature coefficient considered to be less negative than -7 pcm/°F.
Z1 - Existence of a moderator temperature coefficient considered to be more negative than -20 pcm/°F.

IV.5. System Analysis

The approach used to perform the system analysis was previously described in Section IV.2. Section IV.5.1 provides an introduction to the modeling of the systems performed in the Surry analysis and the general assumptions used in the construction of the fault trees. Sections IV.5.2 through IV.5.17 describe the modeling effort for each system.

These subsections contain a system description, identification of interfaces and dependencies, discussion of operational constraints, a description of the models developed, specific assumptions used in modeling, and a discussion of operational experience for each of the systems. The systems which were modeled in the Surry study are shown in Table IV.5-1. This table also lists prominent plant systems which were not explicitly modeled in the study and identifies the reasons they were not modeled.

IV.5.1 System Modeling and Scope

System models were developed for each of the front line systems identified in the event tree headings and for all support systems required to operate the front line systems. Fault tree models were constructed for all of the fluid delivery systems. Actuation systems and electric power systems (AC and DC) were modeled by means of Boolean expressions which were incorporated into the sequence analysis at the appropriate levels. Fault tree models were developed with top events corresponding to the success criteria used in the event tree analysis. Some systems have different success criteria in different circumstances, and hence different top events.

Modeling of the systems was performed at the pipe segment level. Operator actions in response to plant conditions were included in the models where specific procedures for these actions were available. Operator errors of commission were not included.

Throughout the system analysis process, groundrules and assumptions were made. Assumptions about a specific system are provided in the specific system write-ups. The following general groundrules apply throughout the system analysis:
1. Control power (for closing breakers) for pumps is from the DC bus associated with the AC motive power bus, i.e., DC control power for pumps powered from the 1H buses is from DC Bus 1A and for pumps powered from the 1J buses is from DC Bus 1B.
2. All control power for AC motor operated valves is supplied via a step-down transformer directly from the valve's motive power source.
3. For the purpose of calculating failure probabilities, pump and valve breakers and control circuits are assumed to be part of the component. Failure probabilities for "command faults" are included in the basic component failure rates.
4. Flow diversion through pathways less than one-third of the original pipe size is not considered to result in system functional failure, for open systems.
5. In general, only one term for unavailability due to test and maintenance was included per system train. This was done to prevent "double counting" of T&M actions which may in fact be done simultaneously. The T&M values of pumps were used because their frequency is normally much larger than that of valves.
6. Mispositioning of valves prior to the initiating event was not considered in the cases where the valve position is annunciated in the control room or the valve received an automatic open signal from an actuation system.

Table IV.5-1 Systems Included In The Surry System Analysis

| SYSTEM | TYPE OF MODEL | COMMENTS |
|---|---|---|
| Containment Spray | Fault Tree | One top event modeled. |
| High Pressure Injection/Recirculation | Fault Tree | Four top events modeled for injection. |
| Accumulators | Fault Tree | Two top events modeled. |
| Low Pressure Injection/Recirculation | Fault Tree | One top event modeled for injection. Two top events modeled for recirculation. |
| Inside Spray Recirculation | Fault Tree | One top event modeled. |
| Outside Spray Recirculation | Fault Tree | One top event modeled. |
| Auxiliary Feedwater | Fault Tree | Two top events modeled. |
| Primary Pressure Relief | Fault Tree | Three top events modeled. |
| Power Conversion: Main Feedwater | Plant Specific Data | Surry has electric driven MFW pumps. They were assumed to be unaffected by most BOP failures. MFW was assumed to be operable only for T,T*3 6 |
| Turbine Bypass and Main Condenser | Not Modeled | |
| Charging Pump Cooling | Fault Tree | Three top events modeled for the three interfaces with the HPI/HPR fault trees. |
| Service Water | Fault Tree | Four top events modeled for the four interfaces with the ISR and OSR fault trees. |
| Component Cooling Water | Abbreviated Fault Tree | One top event modeled. Fault tree only includes those portions of the CCW system necessary to provide cooling flow to the RCP thermal barriers. |
| Reactor Protection | "Black Box" Model | Generic data from NUREG-1000 was used for the RPS. |
| Emergency Power | Boolean Expression | The power interfaces of components were modeled to the 4160 VAC bus and 125 VDC bus level in the front line and support system fault trees and were quantified using generic bus failure data. Boolean expressions were developed for unavailability of the diesel generators, DC buses and battery dependencies, and vital AC buses. |
| Safety Injection Actuation | Boolean Expression | Boolean expressions were developed to model SIAS power dependencies. Generic failure data used on train level. |
| Consequence Limiting Control | Boolean Expression | Boolean expressions were developed to model CLCS dependencies on power. Generic failure data used on train level. |
| Recirculation Mode Transfer | Boolean Expression | Boolean expressions were developed to model RMT system dependencies on power. Generic failure data used on train level. |

IV.5.2 Containment Spray System Model

The containment spray system (CSS) provides the initial containment pressure reduction following an accident by spraying cool water from the RWST to condense steam in the containment. In addition, the CSS performs a support function for the outside spray recirculation system as discussed in Section IV.5.7. The following sections provide a physical description of the CSS, identify the interfaces and dependencies of the CSS with other front line and support systems, identify any operational constraints on the CSS, provide a description of the fault tree model constructed for the CSS, identify the CSS specific assumptions, and identify the operational experience available for the CSS.

IV.5.2.1 CSS Description

The Surry CSS is composed of two 100% capacity spray injection trains. The CSS has no recirculation or sump cooling capability. Each spray train draws water from the RWST through independent suction lines. Each CSS pump takes suction through a normally open MOV and an in-line filter assembly. Each CSS pump discharges through a pair of normally closed MOVs arranged in parallel and through a check valve to its associated containment spray header. Both CSS pumps also feed a common third spray header (located on the outside of the crane wall) through separate check valves. A simplified schematic of the CSS is shown in Figure IV.5.2-1.

The CSS automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals open the pump inlet and outlet valves and start the CSS pumps. An agastat timer in the pump start circuit delays pump start for 30 seconds after receipt of the signal.

IV.5.2.2 CSS Interfaces and Dependencies

The CSS interfaces with the high and low pressure injection systems at the common refueling water storage tank (RWST). The CSS is dependent on the RWST for fluid inventory, the AC power buses for motive power to the CSS pumps and motive and control power to the MOVs in the CSS, the DC power buses for control power to the CSS pumps, and the CLCS for actuation of the CSS components. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.2-2 and the component status and dependency summary listing in Table IV.5.2-1.

IV.5.2.3 CSS Operational Constraints

The only operational constraint utilized in the development of the CSS model is that Technical Specifications require one train of the CSS be operable at all times, i.e., only one train can be removed from service for maintenance at any one time. This is incorporated into the model of the CSS by allowing only one CSS pump to be initially unavailable due to test or maintenance activities.

IV.5.2.4 CSS Logic Model

The success criterion for the Surry CSS is the same for each application in the event tree analysis. The success criterion is that one of the two CSS trains provides flow to any one containment spray header. This translates into the following top event in the CSS fault tree:

C - Insufficient flow from both CSS pumps to the spray headers

The fault tree developed for this top event is shown in the attached microfiche. The specific assumptions used to develop the CSS fault tree are included in the following section.

IV.5.2.5 Assumptions in CSS System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the CSS analysis are as follows:

1. Flow to any one of the two major spray headers is considered to be system success. Flow to only the crane wall header was not considered sufficient; however, it is not possible to get flow to the crane wall header without getting flow to one of the other headers.
2. The probability of plugging a sufficient number of nozzles in a spray header to significantly degrade performance was considered to be negligible.
3. Manual valves XV8 and XV15 in the recirculation pathway to the RWST are normally closed valves which are not indicated in the control room. During testing of the CSS pumps they are opened. The recirculation lines are large enough that they are assumed to constitute a flow diversion, thus failing the CSS train if open. If the CSS were demanded during pump testing or if the valves were not reclosed following testing, the associated CSS train was assumed failed.

IV.5.2.6 CSS Operating Experience

No plant specific operational experience was included in the analysis of the Surry CSS.

Table IV.5.2-1 CSS Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| Pumps: | | | |
| 1-CS-P-1A | Standby | CLS Hi-Hi-2A | 480V Bus 1H, DC Bus 1A, CLS Hi-Hi-2A |
| 1-CS-P-1B | Standby | CLS Hi-Hi-2B | 480V Bus 1J, DC Bus 1B, CLS Hi-Hi-2B |
| MOVs: | | | |
| CS100A | NO/FAI | CLS Hi-Hi-2A | MCC-1H1-2, CLS Hi-Hi-2A |
| CS100B | NO/FAI | CLS Hi-Hi-2B | MCC-1J1-2, CLS Hi-Hi-2B |
| CS101A | NC/FAI | CLS Hi-Hi-2A | MCC-1H1-2, CLS Hi-Hi-2A |
| CS101B | NC/FAI | CLS Hi-Hi-2B | MCC-1J1-2, CLS Hi-Hi-2B |
| CS101C | NC/FAI | CLS Hi-Hi-2A | MCC-1H1-2, CLS Hi-Hi-2A |
| CS101D | NC/FAI | CLS Hi-Hi-2B | MCC-1J1-2, CLS Hi-Hi-2B |
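The report's CSS fault tree is on microfiche and is not reproduced here; the following is an added illustration, not the report's model, that builds top event C as a Boolean tree from Sections IV.5.2.1 to IV.5.2.4 and Table IV.5.2-1, expands it to minimal cut sets, and applies the Technical Specification constraint by deleting cut sets that take both pumps out for test or maintenance. Assumptions of the example: the basic-event names (FTS, FTR, FTO, TM-A, TM-B), the pairing of parallel discharge MOVs CS101A/CS101B on pump A and CS101C/CS101D on pump B, and the omission of check valves, filters, suction MOVs and valves XV8/XV15.

```python
from itertools import product

# A node is either a basic-event name (str) or a (gate, children) tuple.
def OR(*kids):
    return ("OR", kids)

def AND(*kids):
    return ("AND", kids)

def minimize(sets):
    """Drop every cut set that is a proper superset of another one."""
    sets = set(sets)
    return {s for s in sets if not any(o < s for o in sets)}

def cut_sets(node):
    """Expand a fault tree bottom-up into its minimal cut sets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, kids = node
    parts = [cut_sets(k) for k in kids]
    if gate == "OR":
        combined = set().union(*parts)
    else:  # AND: one cut set from every child must occur together
        combined = {frozenset().union(*combo) for combo in product(*parts)}
    return minimize(combined)

def mov_fails_to_open(name, mcc, cls):
    # NC/FAI valve: stays closed on valve fault, loss of its MCC, or no CLS signal.
    return OR(f"{name}-FTO", mcc, cls)

def css_train(pump, tm, bus, dc, cls, discharge_movs):
    # Pump dependencies per Table IV.5.2-1: 480V bus, DC control power, CLS train.
    pump_fails = OR(f"{pump}-FTS", f"{pump}-FTR", tm, bus, dc, cls)
    # Discharge MOVs are in parallel, so both must stay closed to block flow.
    discharge_blocked = AND(*(mov_fails_to_open(*m) for m in discharge_movs))
    return OR(pump_fails, discharge_blocked)

def css_top_event():
    """Top event C: insufficient flow from both CSS pumps to the spray headers."""
    train_a = css_train(
        "1-CS-P-1A", "TM-A", "480V-1H", "DC-1A", "CLS-2A",
        [("CS101A", "MCC-1H1-2", "CLS-2A"),   # assumed pairing, see lead-in
         ("CS101B", "MCC-1J1-2", "CLS-2B")])
    train_b = css_train(
        "1-CS-P-1B", "TM-B", "480V-1J", "DC-1B", "CLS-2B",
        [("CS101C", "MCC-1H1-2", "CLS-2A"),
         ("CS101D", "MCC-1J1-2", "CLS-2B")])
    # Both trains draw from the one RWST, so it is a single-event cut set.
    return OR("RWST", AND(train_a, train_b))

def apply_tech_spec(mcs, exclusive=("TM-A", "TM-B")):
    """Only one CSS pump may be out for test/maintenance at any one time."""
    return {s for s in mcs if not set(exclusive) <= s}

def css_minimal_cut_sets():
    return apply_tech_spec(cut_sets(css_top_event()))

def top_occurs(failed, mcs):
    """True if the given set of failed basic events contains a cut set."""
    failed = set(failed)
    return any(s <= failed for s in mcs)

if __name__ == "__main__":
    ordered = sorted(css_minimal_cut_sets(), key=lambda s: (len(s), sorted(s)))
    for s in ordered:
        print(" * ".join(sorted(s)))
```

Under the assumed valve pairing, each pump's discharge path draws on both power and actuation divisions, which is why mixed cut sets such as a CS101A hardware fault combined with loss of CLS train B appear in the output.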

[Figure IV.5.2-1 CSS Simplified Schematic]

[Figure IV.5.2-2 CSS Dependency Diagram]

IV.5.3 High Pressure Injection/Recirculation System Model

The Surry charging system provides normal coolant makeup to the RCS and cooling flow to the RCP seals under normal operating conditions. The high pressure injection/recirculation (HPI/HPR) system uses the same charging pumps to provide primary coolant injection and recirculation following an accident, as well as maintaining flow to the RCP seals. The HPI system also functions to deliver boric acid to the RCS from the boric acid transfer system if emergency boration is required. The following sections provide a physical description of the HPI/HPR system, identify interfaces and dependencies of the HPI/HPR system with other front line and support systems, identify any operational constraints on the HPI/HPR system, provide a description of the fault tree model constructed for the HPI/HPR system, identify any HPI/HPR system specific assumptions, and identify the operational experience available for the HPI/HPR system.

IV.5.3.1 HPI/HPR System Description

Under normal operating conditions, one of the three charging pumps provides normal RCS makeup and cooling to the RCP seals by taking suction from the volume control tank (VCT) through two MOVs in series. Upon indication of a loss of RCS coolant or steam line break (i.e., low pressurizer level, high containment pressure, high pressure differential between main steam header and any steam line, or high steam flow with low TAVG or low steam line pressure), the safety injection actuation system (SIAS) initiates emergency coolant injection. The SIAS signals the normal charging line isolation valves to close, the standby charging pumps to start, the valves from the VCT to close, the normally open pump inlet and outlet MOVs to open, and a parallel set of normally closed MOVs to open to provide suction from the RWST.

Also on receipt of an SIAS signal, a parallel set of normally closed MOVs open to provide flow from the pump discharge header to the three RCS cold legs. An additional path to the RCS cold legs through a manually operated normally closed MOV is also available. Flow through this line to the RCS is treated as a recovery action. The line to the RCP seals remains open throughout the event.

The HPI system may also be used in the "feed and bleed" cooling mode. The only difference in this mode of operation from that discussed above is that a SIAS signal is not necessarily generated, so the HPI system is manually placed in service.

In the recirculation mode of operation, the charging pumps draw suction from the discharge of the low pressure safety injection pumps in the low pressure recirculation (LPR) system. Upon receipt of a low RWST level signal, the recirculation mode transfer (RMT) system signals the charging pump suction valves from the RWST to close and the suction valves from the LPR pump discharges to open.

In the emergency boration mode, the HPI functions as described in the HPI description above with the exception that the boric acid transfer (BAT) pumps deliver boric acid from the BAT tanks to the charging pump suction header. To perform this operation, the operator must switch the normally operating BAT pump to fast speed operation and open the MOV allowing flow into the charging pump suction header. To enhance boric acid addition to the RCS, the emergency procedure calls for the PORVs to be opened (to provide pressure reduction). A simplified schematic of the HPI/HPR system, including the relevant portions of the BAT system, is presented in Figure IV.5.3-1.

IV.5.3.2 HPI/HPR System Interfaces and Dependencies

The HPI system interfaces with the CSS and the low pressure injection system at the common RWST. The HPR system interfaces with the low pressure recirculation system at the recirculation suction valves for the HPR. The HPI system is dependent on the RWST for fluid inventory, the AC power buses for motive power to the HPI pumps and motive and control power to the MOVs in the HPI system, the DC power buses for control power to the HPI pumps, the SIAS for actuation of the HPI components, and the charging pump cooling system for charging pump seal cooling and lube oil cooling. The HPR system is dependent on the low pressure system for fluid inventory, the AC power buses for motive power to the HPR pumps and motive and control power to the MOVs in the HPR system, the DC power buses for control power to the HPR pumps, the RMTS for actuation of the HPR switchover from injection, and the charging pump cooling system for charging pump seal cooling and lube oil cooling. Additionally, for the emergency boration mode of HPI operation, the HPI is dependent on the primary pressure relief system to provide sufficient pressure reduction to allow for the timely injection of boric acid. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.3-2 and the component status and dependency summary in Table IV.5.3-1.

IV.5.3.3 HPI/HPR System Operational Constraints

Technical Specifications require two charging pumps to be operable at all times, i.e., only one pump can be removed from service for maintenance at any one time. This is incorporated into the model of the HPI/HPR by allowing only one charging pump to be initially unavailable due to test or maintenance activities.

The Surry HPI/HPR system is limited to the simultaneous operation of two of the three charging pumps. Further, the two operating pumps must be powered from different 4160 VAC buses. The third charging pump is placed in the "pull locked" position, i.e., the switch is placed in the off position. In this position, the pump is considered to be operable since the pump remains aligned to an AC bus and an SIAS actuation signal is present. Once the switch is returned to the "auto" position, if the SIAS signal has not been cleared, the pump will automatically start.

IV.5.3.4 HPI/HPR System Logic Models

The success criteria for the Surry HPI/HPR vary depending on the application in the event tree analysis. The success criteria for the HPI modes of operation require flow from any one of three charging pumps to the RCS cold legs in response to a LOCA (automatic actuation), flow from any one of three charging pumps to the RCS cold legs in the "feed and bleed" mode (manual actuation), flow from any one of the three charging pumps to the RCP seals, or flow from any one of three charging pumps to the RCS with flow from one of two BAT pumps operating at fast speed (emergency boration mode). These success criteria translate into the following top events in the HPI fault trees:

D1 - Failure to provide sufficient high pressure flow to the cold legs from at least one charging pump, given demand for automatic actuation.

D2 - Failure to provide sufficient high pressure flow to the cold legs from at least one charging pump, given no demand for automatic actuation.

D3 - Failure to continue to provide seal injection flow from at least one charging pump.

D4 - Failure to provide sufficient emergency boration flow to the cold legs.

The success criterion for the HPR mode of operation is continued flow from any one of the three charging pumps taking suction from the discharge of the low pressure recirculation system, given successful low pressure system operation. This success criterion translates into the following top event in the HPR fault tree:

H2 - Insufficient flow from at least one charging pump in the recirculation mode, given successful operation of the low pressure system.

The fault trees developed for these top events are shown in the attached microfiche. The specific assumptions used to develop the HPI/HPR fault trees are included in the following section.

IV.5.3.5 Assumptions in HPI/HPR System Models

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the HPI/HPR analysis are as follows:

1. Initial charging pump configuration considered in the analysis is that pump 1A is operating, pump 1B is in standby and pump 1C is "pull locked" and aligned to the 1H bus.
2. Charging pumps are rotated regularly during normal operation to achieve balanced service times.
3. Failure to close the normal charging flow line does not constitute a flow diversion pathway.
4. Minimum flow lines on the charging pump discharge do not represent a significant flow diversion pathway due to flow restriction orifices.
5. Room cooling is not required for the charging pumps due to the open communication with a large open area, resulting in long heat-up times.
6. The probability of all three parallel cold leg injection lines, each with two check valves and a locked open manual valve, failing to permit flow is considered negligible compared to other system faults.
7. Valves 1115B and 1115D are interlocked with valves 1115C and 1115E such that B and D will not open if C or E are not closed. However, the C and E valves are provided with redundant limit switches and the probability of all four limit switches failing is considered negligible compared to the valve failure probabilities.
8. Switchover to the RWST from the VCT will occur upon indication of low VCT level regardless of the presence or absence of an SIAS signal.
9. When charging pump 1C is not operating (pull locked), it is aligned to be powered from the bus powering the operating charging pumps. Pump 1C is not considered as the standby pump during normal operation except in the case of outage of the 1A or 1B charging pumps.
10. Use of MOV 1842 for cold leg injection, the cross connect with the Unit 2 RWST, and the cross connect of the Unit 2 charging pumps were treated as recovery actions in the accident sequence analysis as necessary.
11. For the emergency boration analysis, one BAT pump is normally operating and the manual valving arrangement is such that only the running pump can provide flow without manual realignment. Since the time period of interest is 10 minutes, no recovery actions for manual realignment were postulated.
12. Sufficient emergency boration can be accomplished through either the normal charging flow path or through the injection flow path.
13. No SIAS signal is assumed to occur in those cases where emergency boration is required.
14. No faults were postulated in the normal flow line to the RCS pump seals since the line is normally in use and the valves fail in the position such that they allow flow to the seals.
15. Regardless of the status of an SI signal, the standby charging pump will automatically start on loss of the operating charging pump.

IV.5.3.6 HPI/HPR System Operating Experience

Since the Surry HPI/HPR system includes the normally operating charging pumps, significant operating experience was available from plant data to justify the use of plant specific failure data for the charging pumps. No other applicable operating experience was found for the HPI/HPR system.

Table IV.5.3-1 HPI/HPR Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| Pumps: | | | |
| 1-CH-P-1A | Normally Operating | SIS-A | 4160V Bus 1H, SIS-A, DC-1B, CPC System |
| 1-CH-P-1B | Standby | SIS-B | 4160V Bus 1J, SIS-B, DC-1B, CPC System |
| 1-CH-P-1C | Locked Out in CR | SIS-A, B | 4160V Bus 1H, 1J, SIS-A, -B, DC-1A, 1B, CPC System |
| MOVs: | | | |
| 1115B | NC/FAI | SIS-A, RMT-A | MCC 1H1-2, SIS-A, RMT-A |
| 1115D | NC/FAI | SIS-B, RMT-B | MCC 1J1-2, SIS-B, RMT-B |
| 1115C | NO/FAI | SIS-A | MCC 1H1-2, SIS-A |
| 1115E | NO/FAI | SIS-B | MCC 1J1-2, SIS-B |
| 1267A | NO/FAI | R. Manual | MCC 1H1-2 |
| 1269A | NO/FAI | R. Manual | MCC 1J1-2 |
| 1270A | NO/FAI | R. Manual | MCC 1H1-2 |
| 1267B | LO/FAI | R. Manual | MCC 1H1-2 |
| 1269B | LO/FAI | R. Manual | MCC 1J1-2 |
| 1270B | LO/FAI | R. Manual | MCC 1J1-2 |
| 1286A | NO/FAI | R. Manual | MCC 1H1-2 |
| 1287A | NO/FAI | R. Manual | MCC 1H1-2 |
| 1286B | NO/FAI | R. Manual | MCC 1J1-2 |
| 1287B | NO/FAI | R. Manual | MCC 1J1-2 |
| 1286C | NO/FAI | R. Manual | MCC 1H1-2 |
| 1287C | NO/FAI | R. Manual | MCC 1J1-2 |
| 1370 | NO/FAI | R. Manual | MCC 1H1-2 |
| 1289A | NO/FAI | R. Manual | MCC 1H1-2, SIS-A |
| 1289B | NO/FAI | R. Manual | MCC 1J1-2, SIS-B |
| 1867C | NC/FAI | R. Manual | MCC 1H1-1, SIS-A |
| 1867D | NC/FAI | R. Manual | MCC 1J1-1, SIS-B |
| 1842 | NC/FAI | R. Manual | MCC 1H1-2 |
| 1869A | LC/FAI | R. Manual | MCC 1H1-1 |
| 1869B | LC/FAI | R. Manual | MCC 1J1-1 |
| 1863A | NC/FAI | RMT-A | MCC 1H1-2, RMT-A |
| 1863B | NC/FAI | RMT-B | MCC 1J1-2, RMT-B |
| AOVs: | | | |
| TV SI-102A | NC/FO | R. Manual | Inst. Air, DC-A |
| TV SI-102B | NC/FO | R. Manual | Inst. Air, DC-B |

[Figure IV.5.3-1 Simplified HPI/R Schematic. Note: pipe segment (PS) refers to piping and components between nodes.]

[Figure IV.5.3-1 (Cont'd) Simplified HPI/R Schematic: BAT tanks 1A and 1B, BAT pumps 1-CH-P-2A and 1-CH-P-2B, and MOV 1350 to the charging pump suctions]

[Figure IV.5.3-2 HPI/HPR System Dependency Diagram]

IV.5.4 Accumulator Model

The accumulators provide an initial influx of borated water to reflood the reactor core following a large LOCA or a medium LOCA on the upper end of the LOCA size definition. The following sections provide a physical description of the accumulators, identify the interfaces and dependencies of the accumulators with other front line and support systems, identify any operational constraints on the accumulators, provide a description of the fault tree model constructed for the accumulators, identify the specific assumptions made in the analysis of the accumulators, and identify the operational experience available for the accumulators.

IV.5.4.1 Accumulator Description

The accumulator system consists of three tanks filled with borated water and pressurized with nitrogen. Each of the accumulators is connected to one of the RCS cold legs by a line containing a normally open MOV and two check valves in series. The check valves serve as isolation valves during normal reactor operation and open to empty the contents of the accumulator when the RCS pressure falls below 650 psig. A simplified schematic of the accumulators is shown in Figure IV.5.4-1.

IV.5.4.2 Accumulator Interfaces and Dependencies

The accumulators are dependent on the nitrogen system to maintain a head on the accumulators. The nitrogen is supplied by dedicated local nitrogen bottles and the accumulators are fully instrumented to indicate an abnormal pressure condition. Due to the small fault exposure time this dependency was not further developed. The accumulators are initially filled with borated water from the RWST. The accumulators are filled and the valves are closed. Instrumentation verifies that the level remains above a minimum value. Therefore, no dependencies were modeled between the accumulators and the RWST.

IV.5.4.3 Accumulator Operational Constraints

Technical Specifications require that all three accumulators be operable. If one accumulator becomes inoperable, i.e., low level or low pressure, it must be restored within four hours. This limits the fault exposure time such that the probability of the associated faults is negligible, and these faults were not further developed.

IV.5.4.4 Accumulator Logic Model

The success criteria for the accumulators vary depending on the application in the event tree analysis. The success criterion for the accumulators following a large LOCA, which assumed a cold leg break, is injection of the contents of the two accumulators associated with the intact cold legs into the RCS. The success criterion for the accumulators following a medium LOCA is injection of the contents of two or more accumulators into the RCS. These success criteria are translated into the following top events associated with the large and medium LOCA size breaks, respectively:

D3 (A LOCA) - Failure of one or more of the accumulators located in the intact cold legs to inject their contents into the RCS.

D3 (S1 LOCA) - Failure of two or more of the accumulators to inject their contents into the RCS.

The fault trees developed for these top events are shown in the attached microfiche. The specific assumptions used to develop the accumulator fault trees are included in the following section.

IV.5.4.5 Assumptions in Accumulator Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the analysis of the accumulators are as follows:

1. For the large LOCA analysis, the cold leg break was assumed to be in Loop 1.
2. Due to the short fault exposure times, redundant valving arrangements, the use of fail closed valves, and the redundant alarm and pressure indication, faults leading to level or pressure reduction in the accumulators were not postulated. The only faults postulated were demand type faults.
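
An added example, not taken from the report or its microfiche fault trees, showing how the two accumulator success criteria change the order of the minimal cut sets. It assumes each injection line fails only when one of its two series check valves fails to open on demand, pairs the check valve labels with loops as read from Figure IV.5.4-1, and uses a constructed demand failure probability.

```python
"""Minimal cut sets for the two accumulator top events (added illustration).

Assumptions, not report data:
  * a line fails to inject only if one of its two series check valves
    fails to open on demand (demand-type faults only);
  * check valve to loop pairing is read from Figure IV.5.4-1;
  * P_CV_FTO is a constructed per-demand probability.
"""
from itertools import combinations, product

LINES = {
    "LOOP1": ("CV107", "CV109"),
    "LOOP2": ("CV128", "CV130"),
    "LOOP3": ("CV145", "CV147"),
}
BROKEN_LOOP = "LOOP1"   # assumption 1 of the section: break is in Loop 1
P_CV_FTO = 1.0e-4       # constructed value, per demand


def line_fails(line):
    """OR gate: either series check valve failing to open fails the line."""
    return [frozenset([cv]) for cv in LINES[line]]


def and_gate(*inputs):
    """AND of cut-set lists: merge one cut set taken from every input."""
    return [frozenset().union(*combo) for combo in product(*inputs)]


def or_gate(*inputs):
    """OR of cut-set lists: concatenate them."""
    return [cs for inp in inputs for cs in inp]


def k_of_n_gate(k, inputs):
    """At least k inputs fail: OR over the AND of every k-subset."""
    return or_gate(*(and_gate(*grp) for grp in combinations(inputs, k)))


def minimize(cut_sets):
    """Drop duplicates and any cut set that contains a smaller one."""
    ordered = sorted(set(cut_sets), key=lambda cs: (len(cs), sorted(cs)))
    minimal = []
    for cs in ordered:
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def large_loca_top_event():
    """One or more accumulators on the intact cold legs fail to inject."""
    intact = [line_fails(name) for name in LINES if name != BROKEN_LOOP]
    return minimize(k_of_n_gate(1, intact))


def medium_loca_top_event():
    """Two or more of the three accumulators fail to inject."""
    return minimize(k_of_n_gate(2, [line_fails(name) for name in LINES]))


def rare_event(cut_sets, p=P_CV_FTO):
    """Rare-event approximation: sum of the cut set probabilities."""
    return sum(p ** len(cs) for cs in cut_sets)


def exact(cut_sets, p=P_CV_FTO):
    """Exact top event probability by enumerating all component states."""
    events = sorted({e for cs in cut_sets for e in cs})
    total = 0.0
    for state in product((False, True), repeat=len(events)):
        failed = {e for e, is_failed in zip(events, state) if is_failed}
        if any(cs <= failed for cs in cut_sets):
            prob = 1.0
            for is_failed in state:
                prob *= p if is_failed else 1.0 - p
            total += prob
    return total


if __name__ == "__main__":
    for name, top in (("large LOCA", large_loca_top_event()),
                      ("medium LOCA", medium_loca_top_event())):
        print(name, "cut sets:", [sorted(cs) for cs in top])
        print("  rare-event:", rare_event(top), " exact:", exact(top))
```

Under these assumptions the large LOCA top event has only single-fault cut sets, while the medium LOCA top event needs faults in two different lines.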

IV.5.4.6 Accumulator Operating Experience

No plant specific operational experience was included in the analysis of the Surry accumulators.

[Figure IV.5.4-1. Accumulator Simplified Schematic. Labels recoverable from the figure: accumulator tanks 1-SI-TK-1A, 1-SI-TK-1B and 1-SI-TK-1C, filled from the RWST; valves 1865A, 1865B and 1865C; check valves CV107 and CV109 (Loop 1 cold leg), CV128 and CV130 (Loop 2 cold leg), CV145 and CV147 (Loop 3 cold leg).]

IV.5.5 Low Pressure Injection/Recirculation System Model

The Surry low pressure injection/recirculation (LPI/LPR) system provides emergency coolant injection and recirculation following a loss of coolant accident when the RCS depressurizes below 300 psig. In addition to the direct recirculation of coolant during the recirculation phase once the RCS is depressurized, the LPR discharge provides the suction source for the HPR system following drainage of the RWST. The following sections provide a physical description of the LPI/LPR system, identify the interfaces and dependencies of the LPI/LPR system with other front line and support systems, identify any operational constraints on the LPI/LPR system, provide a description of the fault tree model constructed for the LPI/LPR system, identify the LPI/LPR system specific assumptions, and identify the operational experience available for the LPI/LPR system.

IV.5.5.1 LPI/LPR Description

The Surry LPI/LPR system is composed of two 100% capacity pump trains. The LPI/LPR has no heat removal capability. In the injection mode, the pump trains share a common suction header from the RWST. Each pump draws suction from the header through a normally open MOV, check valve, and locked open manual valve in series. Each pump discharges through a check valve and normally open MOV in series to a common injection header. The injection header contains a locked open MOV and branches to three separate lines, one to each cold leg. Each of the lines to the cold legs contains two check valves in series to provide isolation from the high pressure RCS.

In the recirculation mode, the pump trains draw suction from the containment sump through a parallel arrangement of suction lines to a common header. Flow from the suction header is drawn through a normally closed MOV and check valve in series. Discharge of the pumps is directed to either the cold legs through the same lines used for injection or to a parallel set of headers which feed the charging pumps, depending on the RCS pressure.

In the hot leg injection mode, system operation is identical to normal recirculation with the exception that the normally open cold leg injection valve must be remote manually closed and one or more normally closed hot leg recirculation valves must be remote manually opened.

Upon indication of a loss of RCS coolant or a main steam line break (i.e., low pressurizer level, high containment pressure, high pressure differential between main steam header and any steam line, or high steam flow with low TAVG or low steam line pressure), the safety injection actuation system (SIAS) initiates LPI operation. The SIAS signals the low pressure pumps to start. All valves are normally aligned to their injection position. If primary system pressure remains above the LPI pump shutoff head, the pumps will discharge to the RWST through two normally open minimum flow recirculation lines until the RCS pressure is sufficiently reduced to allow inflow.

Upon receipt of a low RWST level signal, the recirculation mode transfer system (RMTS) signals the low pressure pump suction valves from the RWST and the valves in the minimum flow recirculation lines to the RWST to close and the suction valves from the containment sump to open.

At approximately 16 hours following the start of the accident, the emergency procedures call for switchover from cold leg recirculation to hot leg recirculation. The operator must restore power to valves 1890A, B, and C, open 1890A and B, and close 1890C. A simplified schematic of the LPI/LPR system is shown in Figure IV.5.5-1.

IV.5.5.2 LPI/LPR Interfaces and Dependencies

The LPI system interfaces with the CSS and the high pressure injection system at the common RWST. The LPR system interfaces with the high pressure recirculation system at the recirculation suction valves for the HPR. The LPI system is dependent on the RWST for fluid inventory, the AC power buses for motive power to the LPI pumps and motive and control power to the MOVs in the LPI system, the DC power buses for control power to the LPI pumps, and the SIAS for actuation of the LPI components. The LPR system is dependent on the injection systems for sump inventory, the AC power buses for motive power to the LPR pumps and motive and control power to the MOVs in the LPR system, the DC power buses for control power to the LPR pumps, and the RMTS for actuation of the LPR switchover from injection. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.5-2 and the component status and dependency summary in Table IV.5.5-1.

IV.5.5.3 LPI/LPR Operational Constraints

The only operational constraint utilized in the LPI/LPR system model is that Technical Specifications require one train of the LPI/LPR system to be operable at all times, i.e., only one train can be removed from service for maintenance at any one time. This is incorporated into the model of the LPI/LPR system by allowing only one LPI/LPR pump to be initially unavailable due to test or maintenance activities.

IV.5.5.4 LPI/LPR Logic Models

The success criteria for the Surry LPI/LPR vary depending on the application in the event tree analysis. The success criterion for the LPI mode of operation is flow from one or more low pressure pumps to the RCS cold legs in response to a loss of primary coolant inventory. This success criterion translates into the following top event in the LPI fault tree:

D6 - Insufficient flow from at least one low pressure pump to the cold legs.

The success criteria for the LPR modes of operation are continued flow from either of the two low pressure pumps to the cold legs and switchover to hot leg recirculation at 16 hours, or sufficient flow from either of the two low pressure pumps to the charging pump suction header. These success criteria translate into the following top events in the LPR fault trees:

H1 (A, S1 LOCAs) - Insufficient flow from at least one low pressure pump to the cold legs from the containment sump or failure to switch to hot leg recirculation at 16 hours.

H1 (S2, S3 LOCAs) - Insufficient flow from at least one low pressure pump to the charging pump suction header from the containment sump.

The fault trees developed for these top events are shown in the attached microfiche. The specific assumptions used to develop the LPI/LPR fault trees are included in the following section.

IV.5.5.5 Assumptions in LPI/LPR System Models

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the analysis of the LPI/LPR system are as follows:

1. Failure to close the minimum flow recirculation lines to the RWST during the recirculation phase of a LOCA does not result in failure of the LPI/LPR system due to flow diversion. Failure to close mini-flow lines would result in a minimal flow diversion back to the RWST, which could easily be rectified.
2. Failure of the minimum flow recirculation lines to allow flow during the injection phase (i.e., plugged or closed valves), thereby providing pump protection following an SIAS signal at high RCS pressures, was not postulated since the valves are normally open, lighted and alarmed in the control room if out of normal position, and both lines must fail. The only potential failure mode is plugging and is considered to be statistically negligible, due to testing frequency.
3. Room cooling for the low pressure pumps is not required.
4. Failure of the LPI due to failure of low pressure pump seal coolers is considered negligible compared to other LPI failures. The seal coolers have a natural circulation air cooler and draw seal water from the pump suction.
5. All LPI/LPR MOVs, with the exception of valves 1864A and 1864B, have position indication in the control room. The valve positions are lighted and alarmed to indicate misalignment of the LPI/LPR system. Therefore inadvertent mispositioning of the MOVs was not postulated in the analysis.
6. Plugging failures due to debris in the sump were included in two ways. First, a common cause failure due to sump plugging was postulated for all systems which rely on the sump. Second, random plugging of sump suction valves was included. The common cause probability was 5E-5/demand. The random plugging failure probability was based on a five year test period.

IV.5.5.6 LPI/LPR Operating Experience

No plant specific operational experience was included in the analysis of the Surry LPI/LPR system.

Table IV.5.5-1
LPI/LPR Component Status And Dependency Summary

COMPONENT    NORMAL STATUS   ACTUATION           DEPENDENCIES

Pumps:
1-SI-P-1A    Standby         SIS-A               480V 1H, DC-A, SIS-A
1-SI-P-1B    Standby         SIS-B               480V 1J, DC-B, SIS-B

MOVs:
1862A        NO/FAI          R. Manual, RMT-A    MCC-1H1-2, RMT-A
1862B        NO/FAI          R. Manual, RMT-B    MCC-1J1-2, RMT-B
1864A        NO/FAI          R. Manual           MCC-1H1-2
1864B        NO/FAI          R. Manual           MCC-1J1-2
1890A        NC/FAI          R. Manual           MCC-1H1-2
1890B        NC/FAI          R. Manual           MCC-1J1-2
1890C        NO/FAI          R. Manual           MCC-1H1-2
1885A        NO/FAI          RMT-A               MCC-1H1-2, RMT-A
1885B        NO/FAI          RMT-B               MCC-1J1-2, RMT-B
1885C        NO/FAI          RMT-A               MCC-1H1-2, RMT-A
1885D        NO/FAI          RMT-B               MCC-1J1-2, RMT-B
1860A        NC/FAI          RMT-A               MCC-1H1-2, RMT-A
1860B        NC/FAI          RMT-B               MCC-1J1-2, RMT-B
1863A        NC/FAI          RMT-A               MCC-1H1-2, RMT-A
1863B        NC/FAI          RMT-B               MCC-1J1-2, RMT-B

[Figure IV.5.5-1. LPI/LPR Simplified Schematic. Legend: AL - out of position alarm in control room.]

[Figure IV.5.5-2. LPI/LPR System Dependency Diagram]

IV.5.6 Inside Spray Recirculation System Model

The inside spray recirculation (ISR) system provides long term containment pressure reduction and containment heat removal following an accident by drawing water from the containment sump and spraying the water into the containment atmosphere. Heat is removed from the sump water through service water cooled heat exchangers. The following sections provide a physical description of the ISR system, identify the interfaces and dependencies of the ISR system with other front line and support systems, identify any operational constraints on the ISR system, provide a description of the fault tree model constructed for the ISR system, identify the ISR specific assumptions, and identify the operational experience available for the ISR system.

IV.5.6.1 ISRS Description

The Surry ISR system is composed of two independent 100% capacity recirculation spray trains. Each spray train draws water from the containment sump through independent suction strainers and lines. The ISR and OSR draw from the same sump, although the sump is compartmentalized and each ISR train has a separate sump compartment. Each ISR system pump discharges to a service water heat exchanger. The cooled water is then directed to an independent spray header. In order to ensure adequate NPSH for the ISR pumps during the initial phases of a LOCA, a recirculation line diverts a small amount of the cooled ISR flow back to the sump, close to the pump inlet. A simplified schematic of the ISR system is shown in Figure IV.5.6-1.

The ISR system automatically starts on receipt of a hi-hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals start the ISR pumps. An agastat timer in the pump start circuit delays pump start for two minutes to ensure adequate sump inventory and the correct diesel generator loading sequence in the event of loss of offsite power.

IV.5.6.2 ISRS System Interfaces and Dependencies

The ISR system is dependent on the injection systems for sump inventory, the service water system for cooling of the sump water, the AC power buses for motive power to the ISR pumps, the DC power buses for control power to the ISRS pumps, and the CLCS for actuation of the ISR pumps. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.6-2 and the component status and dependency summary in Table IV.5.6-1.

IV.5.6.3 ISR System Operational Constraints

The only operational constraint utilized for the ISR system model is that Technical Specifications require one train of the ISR system be operable at all times, i.e., only one train can be removed from service for maintenance at any one time. This is incorporated into the model of the ISR system by allowing only one ISR pump to be initially unavailable due to test or maintenance activities.

IV.5.6.4 ISR System Logic Model

The success criterion for the Surry ISR system is the same for each application in the event tree analysis. The success criterion is that at least one of the two ISR trains provides flow to its containment spray header with service water being supplied to the heat exchanger. This translates into the following top event in the ISRS fault tree:

F1 - Insufficient flow or cooling from at least one ISR train.

The fault tree developed for this top event is shown in the attached microfiche. The specific assumptions used to develop the ISR fault tree are included in the following section.

IV.5.6.5 Assumptions in ISR System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the ISR system analysis are as follows:

1. The ISR pumps are environmentally qualified for a post-LOCA atmosphere and as such do not require room cooling.
2. Due to flow restriction orifices on the recirculation lines to the sump, they do not constitute flow diversion pathways.
3. If cooled flow from the recirculation line is not provided to the pump suction during the early phases of a LOCA, sufficient NPSH is not available to the ISR pumps and the pumps were assumed to fail. Plugging of the lines is considered negligible.
4. The probability of plugging of sufficient nozzles in a spray header to prevent an ISR system train from performing its function is assumed negligible.

IV.5.6.6 ISRS Operating Experience

Plant specific operational data derived from monthly pump test records of the ISR pumps indicated a significant difference from the generic data. Therefore plant-specific data was used in the analysis.

Table IV.5.6-1
ISR Component Status And Dependency Summary

COMPONENT    NORMAL STATUS   ACTUATION                        DEPENDENCIES

Pumps:
1-RS-P-1A    Standby         CLS-Hi-Hi, 2 min. time delay     480V Bus 1H, CLS-Hi-Hi-2A, DC-1A
1-RS-P-1B    Standby         CLS-Hi-Hi, 2 min. time delay     480V Bus 1J, CLS-Hi-Hi-2B, DC-1B

[Figure IV.5.6-1. ISR System Simplified Schematic]

[Figure IV.5.6-2. ISR System Dependency Diagram]

IV.5.7 Outside Spray Recirculation System Model

The outside spray recirculation (OSR) system provides long term containment pressure reduction and containment heat removal following an accident by drawing water from the containment sump and spraying the water into the containment atmosphere. Heat is removed from the sump water through service water cooled heat exchangers. The following sections provide a physical description of the OSR system, identify the interfaces and dependencies of the OSR system with other front line and support systems, identify any operational constraints on the OSR system, provide a description of the fault tree model constructed for the OSR system, identify the OSR system specific assumptions, and identify the operational experience available for the OSR system.

IV.5.7.1 OSR System Description

The Surry OSR system is composed of two independent, 100% capacity recirculation spray trains. The spray trains draw water from the containment sump through two parallel suction strainers and lines which are headered together. The OSR and ISR draw from the same sump, although the sump is compartmentalized. Each OSR train has its own separate compartment. Each OSR system pump has an individual suction line from the header with a normally open MOV. Each pump discharges through a normally open MOV, check valve and a service water heat exchanger. The cooled water is then directed to an independent spray header. In order to ensure adequate NPSH for the OSR system pumps during the early phase of a LOCA, a line is provided which diverts a small amount of the cool CSS flow to the sump, close to the pump suction strainers. A simplified schematic of the OSR system is shown in Figure IV.5.7-1.

The OSR system automatically starts on receipt of a Hi-Hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals start the OSR system pumps and ensure that the pump inlet and discharge valves are open. An agastat timer in the pump start circuit delays pump start for five minutes to ensure adequate sump inventory and the correct diesel generator loading sequence in the event of loss of offsite power.

IV.5.7.2 OSR System Interfaces and Dependencies

The OSR system is dependent on the injection systems for sump inventory, the CSS for adequate NPSH during the early phase of OSR system operation, the service water system for cooling of the sump water, the AC power buses for motive power to the OSR system pumps and motive and control power to the OSR system MOVs, the DC power buses for control power to the OSR system pumps, and the CLCS for actuation of the OSR system pumps. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.7-2 and the component status and dependency summary in Table IV.5.7-1.

IV.5.7.3 OSR System Operational Constraints

The only operational constraint utilized for the OSR system model is that Technical Specifications require one train of the OSR system be operable at all times, i.e., only one train can be removed from service for maintenance at any one time. This is incorporated into the model of the OSR system by allowing only one OSR system pump to be initially unavailable due to test or maintenance activities.

IV.5.7.4 OSR System Logic Model

The success criterion for the Surry OSR system is the same for each application in the event tree analysis. The success criterion is that at least one of the two OSR system trains provides flow to its containment spray header, with service water provided to the heat exchanger. This translates into the following top event in the OSR system fault tree:

F2 - Insufficient flow or cooling from at least one OSR system train.

The fault tree developed for this top event is shown in the attached microfiche. The specific assumptions used to develop the OSR system fault tree are included in the following section.

IV.5.7.5 Assumptions in OSR System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of this analysis. The specific assumptions made in the OSR system analysis are as follows:

1. Room cooling is not required for operation of the OSR system pumps due to their location in an area where there is open communication to a large area resulting in long heat-up times.
2. CSS flow to the sump region in the area of the OSR pump suction is required to provide adequate NPSH to the OSR system pumps during the time of CSS operation.
3. The probability of plugging of sufficient nozzles in a spray header to prevent an OSR system train from performing its function is assumed negligible.

IV.5.7.6 OSR System Operating Experience

No plant specific operational experience was included in the analysis of the Surry OSR system.

Table IV.5.7-1
OSR Component Status And Dependency Summary

COMPONENT    NORMAL STATUS   ACTUATION                 DEPENDENCIES

Pumps:
1-RS-P-2A    Standby         CLS-Hi-Hi-2A, 5 min TD    480V Bus 1H, DC-1A, CLS-Hi-Hi-2A, CSS
1-RS-P-2B    Standby         CLS-Hi-Hi-2B, 5 min TD    480V Bus 1J, DC-1B, CLS-Hi-Hi-2B, CSS

MOVs:
RS155A       NO/FAI          CLS-Hi-Hi-2A              MCC-1H1-2, CLS-Hi-Hi-2A
RS155B       NO/FAI          CLS-Hi-Hi-2B              MCC-1J1-2, CLS-Hi-Hi-2B
RS156A       NO/FAI          CLS-Hi-Hi-2A              MCC-1H1-2, CLS-Hi-Hi-2A
RS156B       NO/FAI          CLS-Hi-Hi-2B              MCC-1J1-2, CLS-Hi-Hi-2B

[Figure IV.5.7-1. OSR System Simplified Schematic]

[Figure IV.5.7-2. OSR System Dependency Diagram]

IV.5.8 Auxiliary Feedwater System Model

The auxiliary feedwater (AFW) system provides feedwater to the steam generators to provide heat removal from the primary system after reactor trip. The following sections provide a physical description of the AFW, identify the interfaces and dependencies of the AFW with other front line and support systems, identify any operational constraints on the AFW, provide a description of the fault tree model constructed for the AFW, identify the AFW specific assumptions, and identify the operational experience available for the AFW.

IV.5.8.1 AFW System Description

The Surry AFW is a three train system, with two electric motor driven pumps and one steam turbine driven pump. Each pump draws suction through an independent line from the 110,000 gallon condensate storage tank (CST). In addition, a 300,000 gallon CST, a 100,000 gallon emergency makeup tank and the fire main can be used as water supplies for the AFW pumps. Each AFW pump discharges to two parallel headers. Each of these headers can provide auxiliary feedwater flow to any or all of the three steam generators. Flow from each header to any one SG is through a normally open MOV and a locked open valve in series, paralleled with a line from the other header. These lines feed one line containing a check valve which joins the main feedwater line to a steam generator. A simplified schematic of the AFW is shown in Figure IV.5.8-1.

The motor driven AFW pumps automatically start on receipt of an SIAS signal, loss of main feedwater, low steam generator level in any steam generator, or loss of offsite power. The turbine driven AFW pump automatically starts on receipt of indication of low steam generator level in two of the three steam generators or undervoltage of any of the three main RCS pumps. These signals also ensure that the system MOVs are in the correct position.

IV.5.8.2 AFW System Interfaces and Dependencies

The AFW system is dependent on the AC power buses for motive power to the AFW motor driven pumps and motive and control power to the AFW MOVs, the DC power buses for control power to the AFW pumps, and the SIAS for actuation of the AFW pumps. The turbine driven pump turbine inlet valves require instrument air as well as DC power for control; however, on loss of either instrument air or DC power the valves fail open, allowing steam flow to the pump turbine. Hence, no dependencies were modeled in these cases to represent system success. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.8-2 and the component status and dependency summary in Table IV.5.8-1.

IV.5.8.3 AFW System Operational Constraints

Technical Specifications require both motor driven feedwater pumps to be operable at all times and the turbine driven pump to be operable when the reactor is above 10 percent power. However, one pump may be removed from service for maintenance for a short period of time. This is incorporated into the model of the AFW by allowing only one AFW pump to be initially unavailable due to test or maintenance activities.


IV.5.8.4 AFW System Logic Model

The success criteria for the Surry AFW vary depending on the application in the event tree analysis. The success criterion for the AFW following all events except an ATWS is flow from any one AFW pump to any of the three steam generators. The success criterion for AFW following an ATWS event is flow from both motor driven AFW pumps or flow from the turbine driven pump to two steam generators. These success criteria translate into the following top events in the AFW fault trees:

L - Insufficient flow to at least one steam generator from at least one AFW pump.

L2 - Insufficient flow to at least two steam generators from at least two motor driven AFW pumps or one turbine driven AFW pump.

The fault trees developed for these top events are shown in the attached microfiche. The specific assumptions used to develop the AFW fault trees are included in the following section.

IV.5.8.5 Assumptions in AFW System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of this analysis. The specific assumptions made in the AFW analysis are as follows:

1. Failures of parallel manual valves in the pump discharge lines and in the lines from the headers to the main feedwater lines were not postulated since the valves are flow tested following maintenance, precluding inadvertent closure of the valves, and the probability of plugging is negligible in comparison with other system faults.
2. The lube oil cooler associated with each AFW pump is considered to be part of the pump and, as such, its failures are accounted for in the pump failure rates.
3. Opening of the steam admission valves to the turbine driven pump is all that is required to start the pump. DC power and/or instrument air are not considered to be required since their loss will result in opening of the valves.
4. In the absence of instrument air or DC power the turbine driven pump will operate at maximum speed. Initially, speed control of the turbine driven pump is not required to prevent SG overfill, due to the amount of inventory which must be supplied. The turbine driven AFW pump can be manually controlled in the absence of DC power or instrument air by manually throttling the turbine steam inlet valves, or by throttling the pump discharge valves (151 A, B, C, D, E, F). It was determined that if steam generator water level indication was available, the probability of overfilling the steam generators was very small compared to other ways to fail the turbine driven AFW pump.
5. Failure of the Unit 2 cross connect in the open position is assumed to fail the Unit 1 AFW due to the flow diversion to the operating unit. The operating unit would be at a lower pressure and hence would receive the majority of the flow. The postulated failure is valve open while indicating closed. The diagnosis of the problem would be difficult for the Unit 1 operators and the additional flow from the AFW flow to Unit 2 would not be easily detected.
6. The use of the Unit 2 AFW pump cross connect and the use of the 300,000 gallon CST, the emergency makeup tank, or the fire main as a backup to the CST will be considered as recovery actions in the accident sequence analysis if necessary.

IV.5.8.6 AFW System Operating Experience

Review of the Surry AFW operating experience revealed that a problem with steam binding of AFW pumps had occurred due to backleakage of relatively hot main feedwater through the system check valves. The backleakage resulted in steam accumulation in the AFW lines and failure of two pumps. Since the event, the affected check valves were reworked and plant changes were made, including removal of the insulation from the AFW pump discharge lines to facilitate steam condensation and requiring a check of the pump outlet pipe temperatures once every shift. No further incidents have occurred since; however, due to the potential for common cause multiple pump failures, this failure mode has been included in the system models. Plant specific operational data derived from plant records of the AFW pumps was used in the analysis.


Table IV.5.8-1 AFW Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| Pumps: | | | |
| 1-FW-P-2 | Standby | 2/3 Lo SG Level, RCS Pump Undervoltage | Main Steam |
| 1-FW-P-3A | Standby | SIS-A, LOMFW, Lo SG Level, LOSP | 4160V Bus 1H, DC-A |
| 1-FW-P-3B | Standby | SIS-B, LOMFW, Lo SG Level, LOSP | 4160V Bus 1J, DC-B |
| MOVs: | | | |
| 151A | NO/FAI | Open signal same as Pump 3A Act. | MCC-1H1-2 |
| 151B | NO/FAI | Open signal same as Pump 3B Act. | MCC-1J1-2 |
| 151C | NO/FAI | Open signal same as Pump 3A Act. | MCC-1H1-2 |
| 151D | NO/FAI | Open signal same as Pump 3B Act. | MCC-1J1-2 |
| 151E | NO/FAI | Open signal same as Pump 3A Act. | MCC-1H1-2 |
| 151F | NO/FAI | Open signal same as Pump 3B Act. | MCC-1J1-2 |
| 160A | NC/FAI | R. Manual | MCC-2H1-2 |
| 160B | NC/FAI | R. Manual | MCC-2J1-2 |
| 260A | NC/FAI | R. Manual | MCC-1H1-2 |
| 260B | NC/FAI | R. Manual | MCC-1J1-2 |
| AOVs: | | | |
| MS102A | NC/FO | 2/3 SG low level or LOSP to station service buses | Inst. Air, DC-A* |
| MS102B | NC/FO | 2/3 SG low level or LOSP to station service buses | Inst. Air, DC-B* |

* On loss of instrument air and DC power, valves fail in safe position, i.e., open, resulting in steam flow to AFW pump turbine. N2 bottles provided for control of AFW pump in the event of loss of air.
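The two AFW top events (L and L2) can be worked through at pump-train level using the pump dependencies listed in Table IV.5.8-1. The following is an added example, not the report's fault trees (those are on the microfiche and not reproduced here). It assumes each train fails if its pump or any listed support fails, and it leaves out valves, steam generator flow paths, actuation signals, the Unit 2 cross connect and the steam binding common cause event; the event names and functions are illustrative.

```python
from itertools import combinations

# Basic events (True = failed). Pump and support names follow Table IV.5.8-1.
# Assumption for this example: a train is lost if its pump or any support is lost.
TRAINS = {
    "TRAIN-2": {"1-FW-P-2", "MAIN-STEAM"},             # turbine driven pump
    "TRAIN-3A": {"1-FW-P-3A", "4160V-BUS-1H", "DC-A"},  # motor driven pump A
    "TRAIN-3B": {"1-FW-P-3B", "4160V-BUS-1J", "DC-B"},  # motor driven pump B
}
BASIC_EVENTS = sorted(set().union(*TRAINS.values()))


def train_failed(train, failed):
    """A train is unavailable when any of its basic events has occurred."""
    return bool(TRAINS[train] & failed)


def top_L(failed):
    """Top event L: no AFW pump train delivers flow (criterion: any 1 of 3 pumps)."""
    return all(train_failed(t, failed) for t in TRAINS)


def top_L2(failed):
    """Top event L2 (ATWS): turbine train lost and not both motor trains available."""
    turbine_lost = train_failed("TRAIN-2", failed)
    both_motor_ok = not (train_failed("TRAIN-3A", failed)
                         or train_failed("TRAIN-3B", failed))
    return turbine_lost and not both_motor_ok


def minimal_cut_sets(top_event, events=BASIC_EVENTS):
    """Enumerate minimal cut sets by increasing size.

    Valid because both top events are monotone: adding failures never
    restores the system, so any superset of a cut set is also a cut set.
    """
    found = []
    for size in range(len(events) + 1):
        for combo in combinations(events, size):
            candidate = frozenset(combo)
            if any(m <= candidate for m in found):
                continue  # contains a smaller cut set, so not minimal
            if top_event(candidate):
                found.append(candidate)
    return found


def residual_cut_sets(top_event, given):
    """Minimal sets of additional failures needed once `given` has already failed."""
    given = frozenset(given)
    remaining = [e for e in BASIC_EVENTS if e not in given]
    return minimal_cut_sets(lambda s: top_event(s | given), remaining)


if __name__ == "__main__":
    for name, top in (("L", top_L), ("L2", top_L2)):
        mcs = minimal_cut_sets(top)
        print(f"{name}: {len(mcs)} minimal cut sets, order {len(mcs[0])}")
    # Loss of one emergency bus leaves the ATWS criterion one failure from the top event.
    for cs in residual_cut_sets(top_L2, {"4160V-BUS-1H"}):
        print("L2 given loss of 4160V-BUS-1H:", sorted(cs))
```

Under these assumptions L needs three independent failures while L2 needs only two, and a single support failure such as loss of Bus 1H reduces L2 to single-failure cut sets on the turbine driven train.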

[Figure IV.5.8-1: AFW System Simplified Schematic]

[Figure IV.5.8-2: AFW System Dependency Diagram]

IV.5.9 Primary Pressure Relief System Model

The primary pressure relief system (PPRS) provides protection from overpressurization of the primary system to ensure that primary integrity is maintained. The PPRS also provides the means to reduce the RCS pressure if necessary. The following sections provide a physical description of the PPRS, identify the interfaces and dependencies of the PPRS with other front line and support systems, identify any operational constraints on the PPRS, provide a description of the fault tree model constructed for the PPRS, identify the PPRS specific assumptions, and identify the operational experience available for the PPRS.

IV.5.9.1 PPRS Description

The Surry PPRS is composed of three code safety relief valves (SRVs) and two power operated relief valves (PORVs). The code safety valves were important only in the ATWS analysis. The PORVs provide RCS pressure relief at a set point below the SRVs. The PORVs discharge to the pressurizer relief tank. Each PORV is provided with a motor operated block valve. A simplified schematic of the PPRS is shown in Figure IV.5.9-1.

The PORVs automatically open on high RCS pressure or are manually opened at the discretion of the operator. The block valves are normally open unless a PORV is leaking.

IV.5.9.2 PPRS Interfaces and Dependencies

The PPRS is dependent on the AC power buses for motive and control power to the PORV block valves, vital AC power for control power to the PORVs, and the containment air system for motive power to the PORVs. However, the PORVs are provided with air bottles sized to provide approximately 80 openings of each valve. Therefore, no dependencies on the containment air system were included in the system models. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.9-2 and the component status and dependency summary in Table IV.5.9-1.

The SRVs have no dependencies on any other plant system.

IV.5.9.3 PPRS Operational Constraints

No operational constraints were identified for the PPRS.

IV.5.9.4 PPRS Logic Model

The success criteria for the Surry PPRS vary depending on the application in the event tree analysis. One support system function was also identified for the PPRS in the fault tree for the emergency boration mode of HPI operation. The success criterion for the PPRS following a transient event demanding PORV opening is that the PORVs successfully reclose. The success criterion for the PPRS following a transient and failure of the AFWS is that both PORVs successfully open on demand. The success criterion for the PPRS following a small LOCA with failure of the AFWS and for the support system function provided to HPI in the emergency boration mode is that one or more PORVs successfully open on demand. The success criterion for ATWS is that 3 SRVs or 2 SRVs and 2 PORVs open. The PPRS related events are coded with the designator PPS in the fault tree and sequence analysis.


These success criteria translate into the following top events in the PPRS fault trees:

Q - One or more PORVs fail to reclose following a transient.

P - Failure of one or more PORVs to open on demand.

Pg - Failure of at least one PORV to open on demand (Note: also serves as a developed event in the 4D fault tree).

P2 - Failure of at least 2 SRVs or failure of 1 SRV and 1 PORV.

The fault trees developed for these top events are shown in the attached microfiche.

IV.5.9.5 Assumptions in PPRS System Model

No system specific assumptions were made in the course of the PPRS analysis.

IV.5.9.6 PPRS Operating Experience

The Surry operating experience with the PORVs and their block valves indicated that approximately 50% of the time during reactor operation at least one block valve is closed, and that approximately 10% of the time both block valves are closed, due to leaking PORVs. This experience was included in the analysis.


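Table IV.5.9-1 PPRS Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| PORVs: | | | |
| PCV-1455C | NC | Opens on high RCS pressure, or at discretion of operator. | Vital Bus 1-I, containment air |
| PCV-1456 | NC | Opens on high RCS pressure, or at discretion of operator. | Vital Bus 1-II, containment air |
| MOVs: | | | |
| 1535 | Normally open, unless PORV is leaking. 1 block valve closed 50% of time, 2 block valves closed 10% of time. | R. Manual | MCC-1H1-2 |
| 1536 | Normally open, unless PORV is leaking. 1 block valve closed 50% of time, 2 block valves closed 10% of time. | R. Manual | MCC-1J1-2 |
| SRVs: | | | |
| 1551A | NC | Automatic | None |
| 1551B | NC | Automatic | None |
| 1551C | NC | Automatic | None |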

[Figure IV.5.9-1: simplified schematic of the PPRS]

[Figure IV.5.9-2: Primary Pressure Relief System Dependency Diagram]

IV.5.10 Power Conversion System Model

The power conversion system (PCS) can be used to provide feedwater to the steam generators following a transient. The following sections provide a physical description of the PCS, identify the interfaces and dependencies of the PCS with other front line and support systems, identify any operational constraints on the PCS, provide a description of the model used in the analysis of the PCS, identify the PCS specific assumptions, and identify the operational experience available for the PCS.

IV.5.10.1 PCS Description

The PCS, as modeled in this study, consists of the main feedwater pumps, the condensate pumps, the condensate booster pumps, and the hotwell inventory. Because Surry has electric driven MFW pumps, it is possible to supply feedwater using the MFW system without having the turbine bypass and steam condensing systems available. The inventory of the hotwell (with the CST as a backup supply) was calculated to be sufficient for all mission times of interest.

The feedwater regulating valves will close after a reactor scram, due to plant control logic. The feedwater pumps remain on, and the miniflow valves will open. Feedwater can then be provided to the SGs through the feedwater regulating valve bypass valve.

IV.5.10.2 PCS Interfaces and Dependencies

The PCS is dependent on DC power and instrument air. However, the system was not explicitly modeled and the dependencies were not developed further than that required on the initiating event level.

IV.5.10.3 PCS Operational Constraints

No operational constraints were identified for the Surry PCS.

IV.5.10.4 PCS Logic Model

A fault tree model was not constructed for the PCS. The success criterion for the PCS is restoration of flow from one or more main feedwater pumps to one or more steam generators. The following failure event was quantified using the generic failure rates for the equipment and actions required to restore flow.

M - Failure of at least one main feedwater pump to provide flow to at least one steam generator.

IV.5.10.5 Assumptions in PCS System Model

Feedwater regulating valves were assumed to close after all reactor trips.

IV.5.10.6 PCS Operating Experience

No plant specific operational experience was included in the analysis of the Surry PCS.

IV.5.11 Charging Pump Cooling System Model

The charging pump cooling (CPC) system is a support system which provides lube oil cooling and seal cooling to the three charging pumps in the HPI/HPR system. The following sections provide a physical description of the CPC system, identify the interfaces and dependencies of the CPC system with the front line systems and other support systems, identify any operational constraints on the CPC system, provide a description of the fault tree model constructed for the CPC system, identify the CPC system specific assumptions, and identify the operational experience available for the CPC system.

IV.5.11.1 CPC System Description

The Surry CPC system provides two specific cooling functions for the charging pumps: lube oil cooling and seal cooling. The CPC system is composed of two subsystems, the charging pump service water system and the charging pump cooling water system. The charging pump service water system is an open cooling system which provides cooling to the lube oil coolers and to the intermediate seal coolers in the charging pump cooling water system. The charging pump cooling water system is a closed cycle system which provides cooling to the charging pump seal coolers.

The charging pump service water system is composed of two 100% capacity pump trains, each providing flow to one intermediate seal cooler and all three charging pump lube oil coolers. Flow is drawn from the condenser inlet lines through independent lines by the charging pump service water pumps. Upstream of each pump are two separate, independent strainer assemblies. Each pump discharges through two check valves. Downstream of the check valves the flow is split, with a portion of the flow directed to an intermediate seal cooler and the other portion directed to a common header feeding the lube oil coolers. From this header, flow is directed through the lube oil coolers for the operating charging pumps. Temperature control valves control the flow through the lube oil coolers to prevent overcooling of the lube oil. The service water flow is discharged to the discharge canal.

The charging pump cooling water system is a closed cycle system composed of two 100% capacity pump trains, each containing a charging pump cooling water pump and intermediate seal cooler which provide cooling water to the charging pump seal coolers. Each pump draws suction from the outlet of either of the two intermediate seal coolers and discharges to a common header. The common header provides flow to the seal coolers for each charging pump. Two seal coolers in parallel are provided for each charging pump. The discharge of the seal coolers is returned to the intermediate seal coolers, where it is cooled by the charging pump service water system. Makeup to the charging pump cooling water system to account for seal leakage is provided by a surge tank which is supplied by the component cooling water system. A simplified schematic of the CPC system is shown in Figure IV.5.11-1.

One of the charging pump service water pumps and one of the charging pump cooling water pumps are normally in operation. Upon indication of low discharge pressure of one of the pumps, the parallel pump receives a signal to start. With the exception of the pumps and the lube oil cooler temperature control valves, all other components in the system are manually actuated.


IV.5.11.2 CPC System Interfaces and Dependencies

The CPC system interfaces with the HPI/HPR system at the charging pumps. The CPC system is dependent on the AC power buses for motive and control power to the charging pump service water and cooling water pumps. Although the CPC system is dependent on the component cooling water system for the ultimate makeup to the charging pump seal cooling surge tank, no dependency was modeled since a sufficient supply of makeup is available due to the initial inventory in the surge tank and due to the location of the surge tank, which would result in gravity flow of component cooling water into the surge tank even in the event of loss of the component cooling water system. The lube oil cooler temperature control valves require instrument air as well as DC power for control; however, on loss of either instrument air or DC power the valves fail open, allowing flow to the coolers. Hence, no dependencies were modeled in these cases. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.11-2 and the component status and dependency summary in Table IV.5.11-1.

IV.5.11.3 CPC System Operational Constraints

The only operational constraint utilized in the CPC system model results from the normal operation of one charging pump. Since one charging pump is in operation at all times, one charging pump service water pump, one charging pump cooling water pump and the associated coolers must be in operation also.

IV.5.11.4 CPC System Logic Model

The CPC system is a support system for the charging pumps in the HPI/HPR system. The top events identified for the CPC system represent the modeled interfaces of the CPC system with the HPI/HPR system. The developed events contained in the HPI/HPR fault trees correspond to the following top events:

CPCA - Insufficient cooling to charging pump A from the CPC system.

CPCB - Insufficient cooling to charging pump B from the CPC system.

CPCC - Insufficient cooling to charging pump C from the CPC system.

The fault trees developed for these top events are shown in the attached microfiche. For both the HPI/HPR modes of operation, the tree structure of CPC system models is identical. However, in the sequence quantification task, HPI/HPR mission times as appropriate were used to compute the time dependent failure rates, and those failures resulting in failure of the CPC system during the injection phase were deleted from the recirculation sequences.

IV.5.11.5 Assumptions in CPC System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. The specific assumptions made in the CPC system analysis are as follows:

1. Charging pump service water to the intermediate seal cooler is not required for successful operation of the charging pump seal coolers.
2. As noted in Section IV.5.3, charging pump A is assumed to be normally operating. Therefore, for the CPC system, the temperature control valve on the associated lube oil cooler is open while the temperature control valves on the other two coolers are closed.
3. The temperature control valves fail open on loss of air or DC power.
4. The temperature control valves are controlled from a temperature signal from the charging pump lube oil and it is assumed that a signal to open will occur soon after pump startup.
5. The assumed operating configuration of the CPC system is that the A train charging pump service water and cooling water pumps are operating.
6. One of the two redundant charging pump seal coolers for each charging pump will provide sufficient seal cooling.
7. Loss of CPC is assumed to lead to unavailability (whether shutdown or fail) of the charging pumps within 10 minutes.

IV.5.11.6 CPC System Operating Experience

Operational experience from the CPC system indicates that the charging pump service water pump inlet strainers are susceptible to plugging since the fluid is raw water direct from the intake canal. This was identified as an area which potentially could result in a common cause failure of both trains of the CPC system. The strainer assemblies have been replaced (Summer 1984) with a different design of strainer (duplex strainer). However, insufficient operational experience was available to assess the impact of this design change on the plugging failure rate.

Inadvertent operation of the charging pump cooling water system with charging pump service water isolated from the intermediate seal coolers has occurred. However, it resulted in no damage to the charging pump seals. Flow was maintained in the cooling water system during the time of isolation. Based on this operational experience, loss of charging pump service water to the intermediate seal coolers was not included in the system models as a failure mode for the CPC system.


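Table IV.5.11-1 CPC Component Status And Dependency Summary

| COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES |
|---|---|---|---|
| Pumps: | | | |
| 1-SW-P-10A | 1 Standby, 1 Normally Operating | Standby pumps start on low header pressure | MCC-1H1-1 |
| 1-SW-P-10B | 1 Standby, 1 Normally Operating | Standby pumps start on low header pressure | MCC-1J1-1 |
| 1-CC-P-2A | 1 Standby, 1 Normally Operating | Standby pumps start on low header pressure | MCC-1H1-1 |
| 1-CC-P-2B | 1 Standby, 1 Normally Operating | Standby pumps start on low header pressure | MCC-1J1-1 |
| MOVs: | | | |
| SW108A, SW108B, SW108C | 1 NO corresponding to running charging pump, others closed. | Open on increased lube oil temperature | Valves fail open on loss of DC power or instrument air. |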

[Figure IV.5.11-1: CPC System Simplified Schematic]

[Figure IV.5.11-2: CPC System Dependency Diagram]

IV.5.12 Service Water System Model

The service water system (SWS), as defined for this analysis, is a support system which provides cooling to the heat exchangers in the ISR system and OSR system. The SWS provides heat removal from the containment following an accident. The following sections provide a physical description of the SWS, identify the interfaces and dependencies of the SWS with the front line systems and other support systems, identify any operational constraints on the SWS, provide a description of the fault tree model constructed for the SWS, identify the SWS specific assumptions, and identify the operational experience available for the SWS.

IV.5.12.1 SWS Description

The Surry SWS is a gravity flow system. The service water supply to the containment spray heat exchangers consists of two parallel inlet lines which provide SW from the condenser cooling pipes each through two normally closed MOVs in parallel to individual headers. The headers each provide flow to one ISR and OSR heat exchanger. The two headers are cross connected by two normally open MOVs in series such that flow from either inlet line can be used to cool all four ISR and OSR heat exchangers. Service water flows through each heat exchanger and discharges through a normally open MOV to two headers which flow to the discharge tunnel. A simplified schematic of the SWS is shown in Figure IV.5.12-1.

The SWS automatically starts on receipt of a Hi-Hi (25 psia) containment pressure signal from the consequence limiting control system (CLCS). The CLCS signals open the header inlet valves. No other actions are required to place the SWS in service.

IV.5.12.2 SWS Interfaces and Dependencies

The SWS interfaces with the ISRS and OSRS at the respective heat exchangers for these systems. The SWS is dependent on the AC power buses for motive and control power to the system MOVs and on the CLCS for opening of the header inlet valves. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.12-2 and the component status and dependency summary in Table IV.5.12-1.

IV.5.12.3 SWS Operational Constraints

No specific operational constraints were identified for the SWS.

IV.5.12.4 SWS Logic Model

The SWS is a support system for the ISR and OSR. The top events identified for the SWS represent the modeled interfaces of the SWS with the ISR and OSR. The developed events contained in the ISR system and OSR system fault trees correspond to the following top events:

SWS1 - Insufficient SWS flow through ISR train A cooler (HXRSIA).
SWS2 - Insufficient SWS flow through ISR train B cooler (HXRSIB).
SWS5 - Insufficient SWS flow through OSR train A cooler (HXRSIC).
SWS6 - Insufficient SWS flow through OSR train B cooler (HXRSJD).

IV.5.12.5 Assumptions in SWS Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, one system specific assumption was made in the course of the analysis. The specific assumption made in the SWS analysis is as follows:

1. Air binding of the service water side of the heat exchangers was not included in the models. Vent pipes with check valves are provided for each heat exchanger. The pipes are vented at the top of the containment.

IV.5.12.6 SWS Operating Experience

A review of the Surry SWS operational experience identified a potential for common cause failure of the service water valves to the heat exchangers. Once during annual testing of the system all four valves on unit 1 failed to open when actuated from the control room. Testing of the unit 2 valves resulted in failure of 3 of the 4 to open. The valves were manually opened. Several of the valves were found to be heavily corroded due to exposure to the brackish water. Based on this incident, the potential for common cause failure of both the ISR system and OSR system due to exposure to the brackish service water was included in the SWS model.

Table IV.5.12-1 SWS Component Status And Dependency Summary

COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES
MOVs:
SW104A | NO/FAI | R. Manual | MCC-1H1-2
SW105A | NO/FAI | R. Manual | MCC-1H1-2
SW104B | NO/FAI | R. Manual | MCC-1J1-2
SW105B | NO/FAI | R. Manual | MCC-1J1-2
SW106A | NO/FAI | R. Manual | MCC-1H1-2
SW106B | NO/FAI | R. Manual | MCC-1J1-2
SW103A | NC/FAI | CLS-Hi-Hi-2A | MCC-1H1-1, CLS-Hi-Hi-2A
SW103B | NC/FAI | CLS-Hi-Hi-2B | MCC-1J1-1, CLS-Hi-Hi-2B
SW103C | NC/FAI | CLS-Hi-Hi-2B | MCC-1J1-1, CLS-Hi-Hi-2B
SW103D | NC/FAI | CLS-Hi-Hi-2A | MCC-1H1-1, CLS-Hi-Hi-2A
SW104C | NO/FAI | R. Manual | MCC-1H1-2
SW105C | NO/FAI | R. Manual | MCC-1H1-2
SW104D | NO/FAI | R. Manual | MCC-1J1-2
SW105D | NO/FAI | R. Manual | MCC-1J1-2

Figure IV.5.12-1 (simplified schematic of the SWS)

Figure IV.5.12-2 Service Water System Dependency Diagram

IV.5.13 Component Cooling Water System Model

The component cooling water (CCW) system, as defined for this analysis, includes only that portion of the CCW system required to provide cooling water to the RCP thermal barriers. The following sections provide a physical description of the portions of the CCW system necessary for the analysis, identify the interfaces and dependencies of the CCW system with the front line systems and other support systems, identify any operational constraints on the CCW system, provide a description of the fault tree model constructed for the CCW system, identify the CCW system specific assumptions, and identify the operational experience available for the CCW system.

IV.5.13.1 CCW System Descriptions

The CCW system is composed of two CCW pumps in parallel and two CCW heat exchangers. The CCW system is a closed cycle system. The CCW pumps take suction from the return line from the RCS pump thermal barriers and are headered together at their discharges. The header feeds the two CCW heat exchangers arranged in parallel. The discharge of the heat exchangers is delivered to the thermal barriers. After cooling of the thermal barriers, the flow is returned to the CCW pump suction. Makeup to the CCW system is provided from a surge tank in the system. A simplified schematic of the portions of the CCW system required for thermal barrier cooling is shown in Figure IV.5.13-1.

One CCW pump and heat exchanger are normally in operation. In the event of failure of either component, the parallel component is manually placed in service. Following a loss of offsite power, the stub buses powering the CCW pumps are shed from the emergency buses and must be manually reconnected to restore power to the CCW pumps. The throttle valve on the thermal barrier cooling water outlet closes on loss of instrument air or receipt of a CLCS hi-hi signal, resulting in loss of flow to the thermal barriers.

IV.5.13.2 CCW System Interfaces and Dependencies

The CCW system is dependent on the AC power buses for motive power for the CCW pumps, the DC power buses for control power to the CCW pumps and the thermal barrier throttle valves, and the instrument air system for motive power to the thermal barrier throttle valve. These dependencies and specific train assignments are shown in the system dependency diagram in Figure IV.5.13-2 and the component status and dependency summary in Table IV.5.13-1.

IV.5.13.3 CCW System Operational Constraints

Following a loss of offsite power, the stub buses which power the CCW pumps are automatically shed and must be manually reloaded on the main bus by the operator to restore power to the pumps.

IV.5.13.4 CCW System Logic Model

The success criterion for the Surry CCW system is that continued CCW flow is provided to the RCS pump thermal barriers following reactor shutdown.

This success criterion translates into the following top event in the CCW system fault trees:

W - Failure to provide CCW flow to all RCS pumps thermal barrier coolers.

The fault tree developed for this top event is shown in the attached microfiche. The specific assumptions used to develop the CCW system fault tree are included in the following section.

IV.5.13.5 Assumptions in CCW System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. These specific assumptions made in the CCW system analysis are as follows:

1. The normal operational configuration is that CCW pump A and CCW heat exchanger A are in service.
2. The service water valves to the normally operating heat exchanger are open manual valves with flow through them and the service water system is a gravity flow system. Therefore, no faults were postulated for the service water interface with the system.

IV.5.13.6 CCW System Operating Experience

No plant specific operational experience was included in the analysis of the Surry CCW system.


Table IV.5.13-1 CCW Component Status And Dependency Summary

COMPONENT | NORMAL STATUS | ACTUATION | DEPENDENCIES
Pumps:
1-CC-P-1A | Normally Operating | R. Manual | 4160V 1-H
1-CC-P-1B | Standby | R. Manual | 4160V 1-J
AOVs:
TV-CC-107 | NO/FC | Close on CLS-Hi-Hi | Instrument Air

Figure IV.5.13-1 Simplified Schematic of the CCWS Portions Required for RCP Thermal Barrier Cooling

Figure IV.5.13-2 CCW System Dependency Diagram
IV.5.14 Reactor Protection System Model

The reactor protection system (RPS) is designed to automatically scram the reactor following receipt of indications of abnormal conditions. The Surry RPS was not modeled for this analysis. Generic data derived from NUREG-1000 and the NRC ATWS Rulemaking was used in the analysis.

IV.5.15 Emergency Power System Model

The emergency power system (EPS) provides AC and DC power to safety related components following reactor scram. The following sections provide a physical description of the EPS, identify the interfaces and dependencies of the EPS with front line and other support systems, identify any operational constraints on the EPS, provide a description of the model used to incorporate the EPS in the analysis, identify the EPS specific assumptions, and identify the operational experience available for the EPS.

IV.5.15.1 EPS Descriptions

The EPS consists of two 4160 VAC buses, four 480 VAC buses, four 120 VAC vital instrumentation buses, two 125 VDC buses, one dedicated and one shared diesel generator, and their associated motor control centers, breakers, transformers, chargers, inverters, and batteries.

Each 4160 VAC bus is normally powered from offsite power sources. On loss of offsite power the breakers open and the diesel generators start and their associated breakers close to load the diesels on the emergency buses. Surry has three diesel generators, one dedicated to each unit and a third swing diesel generator shared by the units. The dedicated diesel at unit 1 is attached to the 1H 4160 VAC bus while the swing diesel can be connected to the 1J 4160 VAC bus. In the event that the swing diesel is demanded by both units, the diesel will be aligned to the unit at which an SIAS or CLCS hi-hi exists. If signals exist at both units, the diesel will be aligned to the unit whose breaker closes first. Each diesel is a self contained, self cooled unit with its own battery for starting power. The 4160 VAC buses provide power to the large pumps such as the high pressure injection pumps, the stub buses, each of which powers one CCW pump and one residual heat removal pump and is shed on undervoltage on the main bus, and the 480 VAC buses through transformers.

The following description applies to the 1H related buses. Since the 1H and 1J related buses are symmetrical, the description is equally applicable to the 1J related buses with the appropriate changes to the designators.

The 1H 4160 VAC bus feeds two 480 VAC buses (1H and 1H-1) through transformers. The 1H 480 VAC bus is primarily used to power pumps such as the A train low pressure injection pump. The 1H-1 480 VAC bus feeds two motor control centers (MCCs), MCC 1H1-1 and 1H1-2, which provide power to a multitude of MOVs and small pumps such as the charging pump cooling water pumps. MCC 1H1-1 also provides power to two battery chargers used to charge DC battery A, and to the 1-I 120 VAC vital instrumentation bus through a SOLA transformer. The 1-III 120 VAC vital instrumentation bus is powered by DC bus 1A through an inverter.

The 1A 125 VDC bus provides control power to the switchgear for the pumps powered from the 1H buses. The 1A 125 VDC bus is powered from a 480 VAC bus, as noted above, and in the event of loss of the AC power source is powered from DC battery A.

A simplified electrical diagram of the EPS is included in Figure IV.5.15-1. Table IV.5.15-1 summarizes the normal and alternate power source for each EPS bus and component and identifies any dependencies for the EPS components.

IV.5.15.2 EPS Interfaces and Dependencies

The EPS interfaces with almost all of the systems required for safe shutdown of the reactor following an abnormal event. Specific dependencies of these systems on the EPS are detailed in each of the applicable system sections. Dependencies between the EPS components are included in Table IV.5.15-1.

IV.5.15.3 EPS Operational Constraints

The Surry EPS design does not require load sequencers for reloading of the buses following loss of offsite power due to the use of time delays included in the start circuitry for many of the required pumps.

Technical Specifications require all three diesel generators to be operable. However, one diesel may be taken out of service for a limited period of time. This was incorporated into the analysis by excluding any combination of unavailability of more than one diesel generator due to maintenance activities.

IV.5.15.4 EPS Logic Model

The EPS was explicitly modeled only for loss of offsite power events. Random failures of individual 4160 VAC buses for non loss of offsite power events were quantified using generic industry data. For the loss of offsite power initiating event, the following Boolean equations were developed and substituted in the system models which were dependent on AC or DC power:

ACP-TAC-LP-BUS1H = OEP-DGN-FS-DG01 + OEP-DGN-FR-DG01 + OEP-DGN-MA-DG01

ACP-TAC-LP-BUS1J = OEP-DGN-FS-DG02 + OEP-DGN-FR-DG02 + OEP-DGN-MA-DG02 + OEP-DGN-FS-DG03 + OEP-DGN-FR-DG03 + OEP-DGN-MA-DG03

DCP-TDC-LP-BUS1A = ACP-TAC-LP-BUS1H • DCP-BAT-LP-BATA

DCP-TDC-LP-BUS1B = ACP-TAC-LP-BUS1J • DCP-BAT-LP-BATB

ACP-TAC-LP-BUS1-III = ACP-TAC-LP-BUS1H • DCP-TDC-LP-BUS1A

ACP-TAC-LP-BUS1-II = ACP-TAC-LP-BUS1J • DCP-TDC-LP-BUS1B

ACP-TAC-LP-BUS1-I = ACP-TAC-LP-BUS1H

ACP-TAC-LP-BUS1-IV = ACP-TAC-LP-BUS1J

The equations for DC above were also used to model the bus dependencies for the loss of a single AC or DC bus initiating events.

Station blackout (SBO) at unit 1 was defined as failure of diesel generator 1 and 3 to provide power following a loss of offsite power. The frequency of SBO was calculated from the following Boolean equation:

SBO = (OEP-DGN-FS-DG01 + OEP-DGN-FR-DG01 + OEP-DGN-MA-DG01) • (OEP-DGN-FS-DG03 + OEP-DGN-FR-DG03 + OEP-DGN-MA-DG03)

Beta factors for common failure were added, and double test and maintenance activities were removed from the resultant product.
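The following is an added example, not code from the report: it encodes the Boolean equations of Section IV.5.15.4 (reading + as OR and • as AND), expands them to minimal cut sets, and removes the double-maintenance cut set from the SBO product. The probabilities are constructed for illustration only, the function names are hypothetical, and beta factors are not modeled.

```python
"""Added example: expand the EPS Boolean equations into minimal cut sets."""
from itertools import product


def OR(*terms):
    return ("or", terms)


def AND(*terms):
    return ("and", terms)


def dg_fails(n):
    # Diesel n fails to start (FS), fails to run (FR) or is out for maintenance (MA).
    return OR(*(f"OEP-DGN-{mode}-DG0{n}" for mode in ("FS", "FR", "MA")))


# Event names follow the equations in Section IV.5.15.4.
EQUATIONS = {
    "ACP-TAC-LP-BUS1H": dg_fails(1),
    "ACP-TAC-LP-BUS1J": OR(dg_fails(2), dg_fails(3)),
    "DCP-TDC-LP-BUS1A": AND("ACP-TAC-LP-BUS1H", "DCP-BAT-LP-BATA"),
    "DCP-TDC-LP-BUS1B": AND("ACP-TAC-LP-BUS1J", "DCP-BAT-LP-BATB"),
    "ACP-TAC-LP-BUS1-III": AND("ACP-TAC-LP-BUS1H", "DCP-TDC-LP-BUS1A"),
    "ACP-TAC-LP-BUS1-II": AND("ACP-TAC-LP-BUS1J", "DCP-TDC-LP-BUS1B"),
    "ACP-TAC-LP-BUS1-I": "ACP-TAC-LP-BUS1H",
    "ACP-TAC-LP-BUS1-IV": "ACP-TAC-LP-BUS1J",
    "SBO": AND(dg_fails(1), dg_fails(3)),
}


def minimize(sets):
    """Boolean absorption: drop any cut set that strictly contains another."""
    sets = set(sets)
    return {s for s in sets if not any(t < s for t in sets)}


def cut_sets(expr):
    """Return the minimal cut sets (frozensets of basic events) of an expression."""
    if isinstance(expr, str):
        if expr in EQUATIONS:          # developed event: substitute its equation
            return cut_sets(EQUATIONS[expr])
        return {frozenset([expr])}     # basic event
    op, terms = expr
    parts = [cut_sets(t) for t in terms]
    if op == "or":
        return minimize(set().union(*parts))
    # AND: one cut set from each input, merged
    return minimize(frozenset().union(*combo) for combo in product(*parts))


def drop_double_maintenance(sets):
    """Remove cut sets that take more than one diesel out for maintenance."""
    return {s for s in sets if sum("-MA-" in event for event in s) <= 1}


def rare_event_sum(sets, prob):
    """Rare-event approximation: sum of the cut set probabilities."""
    total = 0.0
    for cut_set in sets:
        term = 1.0
        for event in cut_set:
            term *= prob[event]
        total += term
    return total


# Constructed per-demand probabilities for illustration only; not Surry data.
P = {f"OEP-DGN-{mode}-DG0{n}": value
     for n in (1, 2, 3)
     for mode, value in (("FS", 0.02), ("FR", 0.03), ("MA", 0.006))}

if __name__ == "__main__":
    sbo = drop_double_maintenance(cut_sets("SBO"))
    for cut_set in sorted(sorted(s) for s in sbo):
        print(" * ".join(cut_set))
    print("SBO (constructed inputs):", rare_event_sum(sbo, P))
    # Absorption reduces vital bus 1-III to the same cut sets as DC bus 1A.
    print(cut_sets("ACP-TAC-LP-BUS1-III") == cut_sets("DCP-TDC-LP-BUS1A"))
```

Because the vital bus 1-III equation ANDs the 1H bus with a DC bus event that already contains the 1H bus, absorption leaves it with exactly the cut sets of DCP-TDC-LP-BUS1A.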

IV.5.15.5 Assumptions in EPS System Model

In addition to the general modeling assumptions made in the analysis and previously discussed in Section IV.5.1, several system specific assumptions were made in the course of the analysis. These specific assumptions made in the EPS analysis are as follows:

1. Failure of diesel generator 2 will result in the inability of diesel generator 3 to supply to unit 1.
2. The stub buses must be manually reloaded on the main buses following a loss of offsite power.
3. Battery depletion time was assumed to be 4 hours.
4. Based on redundancy provided by the parallel arrangement of the inverters and chargers used to provide power to the DC buses, the inverters and chargers were assessed to be negligible contributors to loss of DC power and hence were not included in the models.

IV.5.15.6 EPS Operating Experience

Plant specific operational data for diesel generator failure to start was obtained from Oak Ridge LER data and was included in the analysis of the Surry EPS.

Table IV.5.15-1 AC/DC Power Supplies And Dependencies

BUS/COMPONENT | NORMAL FEED | ALTERNATE FEED | DEPENDENCY/COMMENTS
4160V - 1A, 1B, 1C | Station Generator | Offsite grid, via RSS transfer from A, B, C. | None of the ASEP systems are provided power by these buses. Not included in electric power model.
4160V - 1H (Orange Bus) | Offsite grid, via RSS transfer from C | DG #1 | Switchgear power provided by DC battery A.
4160V 1H-Stub | 4160 - 1H | None | Stub bus contains 1 CCW pump and 1 RHR pump. Bus is shed from main bus on UV on main bus.
4160V - 1J (Purple Bus) | Offsite grid, via RSS transfer A | DG #3 | Switchgear power provided by DC battery B. DG #3 may be required by Unit 2.
4160V 1J-Stub | 4160V - 1J | None | Stub bus contains 1 CCW pump and 1 RHR pump. Bus is shed from main bus on UV on main bus.
DG #1, DG #3 | NA | NA | No dependencies. DGs are self contained. Each DG has a dedicated battery to start it. Self cooled. Upon LOSP, DG #3 will align to either unit, depending on whose breaker closes first. If SIS or CLS HI-HI signal exists at a unit, that unit will get DG #3.

Table IV.5.15-1 (Continued) AC/DC Power Supplies and Dependencies

BUS/COMPONENT | NORMAL FEED | ALTERNATE FEED | DEPENDENCY/COMMENTS
480V - 1H | 4160V 1H | None | Switchgear for pumps is supplied by DC battery A.
480V - 1H1 | 4160V 1H | None | Switchgear for pumps is supplied by DC battery A.
480V - 1J | 4160 1J | None | Switchgear for pumps is supplied by DC battery B.
480V - 1J1 | 4160 1J | None | Switchgear for pumps is supplied by DC battery B.
MCC 1H1-1, MCC 1H1-2 | 480V 1H1-1 | None |
MCC 1J1-1, MCC 1J1-2 | 480V 1J1-1 | None |
120V AC Vital Bus 1-I | MCC 1H1-1, via sola transformer | DC Bus A, via inverter. |
120V AC Vital Bus 1-III | DC Bus A, via inverter. | MCC 1H1-1, via sola transformer. |
120V AC Vital Bus 1-II | DC Bus B, via inverter. | MCC 1J1-1, via sola transformer. |
120V AC Vital Bus 1-IV | MCC 1J1-1, via sola transformer. | DC Bus B, via inverter. |
DC Bus A | MCC 1H1-1 via charger 1A1 or 1A2 | Battery A |
DC Bus B | MCC 1J1-1 via charger 1B1 or 1B2 | Battery B |

Figure IV.5.15-1 EPS Simplified Electrical Diagram

IV.5.16 Safety Injection Actuation System Model

The safety injection actuation system (SIAS) automatically initiates the high and low pressure injection systems following an indication of the need for primary coolant makeup. A review of the SIAS design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis.

IV.5.16.1 SIAS Description

The Surry SIAS is composed of two independent trains used to automatically actuate the low and high pressure injection systems and the motor driven AFW pumps. The signals which actuate SIAS are shown in Table IV.5.16-1.

IV.5.16.2 SIAS Interfaces and Dependencies

Although the SIAS is dependent on the vital instrumentation buses and the DC buses for operation of the relay logic network, no dependencies were modeled in the analysis since for loss of power initiating events, motive or control power to the components to be actuated is unavailable due to the initiating event and in non loss of power events, the power bus failure rates are negligible in comparison with the SIAS train unavailabilities. Specific components in the low and high pressure injection systems and the motor driven AFW pumps are dependent on the SIAS for automatic actuation. These specific dependencies are illustrated in Figure IV.5.16-1.

IV.5.16.3 SIAS Operational Constraints

No specific operational constraints were identified for the SIAS.

IV.5.16.4 SIAS Logic Model

No specific logic models were developed for the SIAS. The SIAS related events included in the front line system fault trees were coded with the system identifier SIS throughout the fault tree and sequence analysis.

IV.5.16.5 Assumptions in SIAS System Model

No system specific assumptions were made in the SIAS analysis.

IV.5.16.6 SIAS Operating Experience

No plant specific operational experience was included in the analysis of the Surry SIAS.

Table IV.5.16-1 SIAS Actuation Parameters

Signals for SIAS Actuation | Sensors Required
Train A
Low Pressurizer Level (LC459A-XA, LC460A-XA, LC461A-XA) | 2/3
High Containment Pressure | 1/1 CLCS Hi
High ΔP Between Main Steam Header and Any Steam Line | 2/3
High Steam Flow in 2/3 Lines | 1/2 Per Line
Coincident With:
Low Tavg in 2/3 Loops | 1 Per Line
Low Steam Line Pressure in 2/3 Lines | 1 Per Line
Train B
Low Pressurizer Level (LC459X-XB, LC460X-XB, LC461X-XB) | 2/3
High Containment Pressure | 1/1 from CLS Hi
High ΔP Between Main Steam Headers and Any Steam Line | 2/3
High Steam Flow in 2/3 Lines | 1/2 Per Line
Coincident With:
Low Tavg in 2/3 Loops | 1 Per Line
Low Steam Line Pressure in 2/3 Lines | 1 Per Line

Figure IV.5.16-1 Components Dependent on SIAS For Automatic Actuation

IV.5.17 Consequence Limiting Control System Model

The consequence limiting control system (CLCS) automatically actuates the containment safeguards systems following receipt of an indication of hi-hi (25 psia) containment pressure. A review of the CLCS design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis. The following sections provide a brief physical description of the CLCS, identify the interfaces and dependencies of the CLCS with front line and other support systems, identify any operational constraints on the CLCS, provide a description of the model used to incorporate the CLCS into the analysis, identify the CLCS specific assumptions, and identify the operational experience available for the CLCS.

IV.5.17.1 CLCS Description

The Surry CLCS is composed of four containment pressure sensors, each feeding a signal comparator. The output of each signal comparator is input into two separate three out of four logic trains. These logic trains automatically actuate the containment safeguards system components. A simplified CLCS logic diagram is shown in Figure IV.5.17-1.

IV.5.17.2 CLCS Interfaces and Dependencies

The CLCS is dependent on the vital instrumentation buses and the DC buses for operation of the primary sensors and the relay logic network. The DC dependencies were modeled for the loss of power initiating events. In non loss of power events or in the event of loss of only one vital instrumentation bus where additional bus failures would need to occur to result in system failure, the power bus failure rates are negligible in comparison with the CLCS train unavailabilities and hence no additional models were constructed. Specific components in the containment safeguards system and electric power system are dependent on the CLCS for automatic actuation. These specific dependencies are listed in Table IV.5.17-1.

IV.5.17.3 CLCS Operational Constraints

No specific operational constraints were identified for the CLCS.

IV.5.17.4 CLCS Logic Model

Boolean equations were developed to incorporate the CLCS DC power dependencies into the models used in the sequence quantification. The following Boolean equations were used to incorporate these dependencies for the Tg, T4H, T4J, T5A, and T5B initiating events:

CLS-ACT-FA-2A = CLS-ACT-FA-CLS2A + DCP-TDC-LP-BUS1A

CLS-ACT-FA-2B = CLS-ACT-FA-CLS2B + DCP-TDC-LP-BUS1B

CLS-ACT-FA-CLS2A and CLS-ACT-FA-CLS2B represent the CLCS train A and B generic unavailabilities. The CLCS related events included in the front line system fault trees were coded with the system identifier CLS throughout the fault tree and sequence analysis.

IV.5.17.5 Assumptions in CLCS System Model

No system specific assumptions were made in the CLCS analysis.

IV.5.17.6 CLCS Operating Experience

No plant specific operational experience was included in the analysis of the Surry CLCS.

Table IV.5.17-1 Component Dependencies On CLCS

Relay | Pumps | MOVs / Other
Train A
CR-CLS-2A1 | 1-RS-P-1A, 1-CS-P-1A | SW-103A, SW-101A, CW-106A
CR-CLS-2A2 | 1-RS-P-2A | RS-155A, CS-100A, CS-101A
CR-CLS-2A3 | | CW-106C, SW-103D, RS-156A
CR-CLS-2A4 | | CW-100B, CS-101C, DG #1
CR-CLS-2A5 | | CW-100D
CR-CLS-2A6 | | TV-MS101A, TV-MS101C
CR-CLS-2A7 | | TV-MS101B

Table IV.5.17-1 (Continued) Component Dependencies On CLCS

Relay | Pumps | MOVs / Other
Train B
CR-CLS-2B1 | 1-RS-P-1B, 1-CS-P-1B | SW-103B, SW-101B, SW-106B
CR-CLS-2B2 | 1-RS-P-2B | RS-155B, CS-100B, CS-101B
CR-CLS-2B3 | | CW-106D, SW-103C, RS-156B, BKR 2533 - Block Close
CR-CLS-2B4 | | CW-100A, CS-101D, DG #3, BKR 2533 - Trip
CR-CLS-2B5 | | CW-100C
CR-CLS-2B6 | | TV-MS-101A, TV-MS-101C
CR-CLS-2B7 | | TV-MS-101B

Figure IV.5.17-1 Simplified CLCS Logic Diagram

IV.5.18 Recirculation Mode Transfer System Model

The recirculation mode transfer (RMT) system automatically initiates the switchover of the suction of the low pressure injection pumps from the RWST to the containment sump and the suction of the high pressure injection pumps from the RWST to the low pressure injection pump discharges on low RWST level. A review of the RMT system design was performed to verify that the system trains were symmetric and that there were no system peculiarities which would impact the reliability of the system. Generic system unavailability data was used in the analysis. The following sections provide a brief physical description of the RMT system, identify the interfaces and dependencies of the RMT system with front line and other support systems, identify any operational constraints on the RMT system, provide a description of the model used to incorporate the RMT system into the analysis, identify the RMT system specific assumptions, and identify the operational experience available for the RMT system.

IV.5.18.1 RMT System Description

The Surry RMT system is composed of four independent RWST level sensors, each feeding two separate two out of four relay matrices. These two relay matrices automatically actuate the components required to perform the switchover to the recirculation mode of the low and high pressure systems. A simplified RMT system logic diagram is shown in Figure IV.5.18-1.

IV.5.18.2 RMT System Interfaces and Dependencies

The RMT system is dependent on the vital AC instrumentation buses for power to the level sensors and to the relay logic. These dependencies were modeled for the loss of power initiating events. In non loss of power events or in the event of loss of only one vital bus where additional bus failures would need to occur to result in system failure, the power bus failure rates are negligible in comparison with the RMT system train unavailabilities and hence no additional models were constructed. Specific components in the low and high pressure injection/recirculation systems are dependent on the RMT system for automatic actuation to their recirculation position. These specific dependencies are listed in Table IV.5.18-1.

IV.5.18.3 RMT System Operational Constraints

No specific operational constraints were identified for the RMT system.

IV.5.18.4 RMT System Logic Model

Boolean equations were developed to incorporate the RMT system AC power dependencies into the models used in the sequence quantification. The following Boolean equations were used to incorporate these dependencies for the Tg, T4H, and T4J initiating events:

RMT-ACT-FA-A = RMT-ACT-FA-RMTSA + ACP-TAC-LP-BUSil

RMT-ACT-FA-B = RMT-ACT-FA-RMTSB + ACP-TAC-LP-BSilV

RMT-ACT-FA-RMTSA and RMT-ACT-FA-RMTSB represent the RMT train A and B generic unavailabilities. Common cause miscalibration of the RWST level sensors was also included in the RMT system models for all initiating events.

IV.5.18.5 Assumptions in RMT System Model

No system specific assumptions were made in the RMT system analysis.

IV.5.18.6 RMT System Operating Experience

No plant specific operational experience was included in the analysis of the Surry RMT system.

Table IV.5.18-1 Components Actuated By RMTS

COMPONENT      OPERATION

Train A
MOV1863A       OPEN
MOV1885A       CLOSE
MOV1885C       CLOSE
MOV1860A       OPEN
MOV1862A*      CLOSE
LCV-1115B      CLOSE

Train B
MOV1863B       OPEN
MOV1885B       CLOSE
MOV1885D       CLOSE
MOV1860B       OPEN
MOV1862B*      CLOSE
LCV-1115D      CLOSE

* Provided with a 2-minute time delay for actuation.


[Figure IV.5.18-1 Simplified RMTS Logic Diagram]

IV.5.19 System Analysis Nomenclature

In order to ensure that naming of failure events is done consistently throughout the fault tree coding process, a standard coding scheme was established. This consistency is necessary to ensure that the dependencies and interfaces between the systems are properly accounted for when the individual system fault trees are merged with their support systems and the merged fault trees are linked together to perform the accident sequence quantification. In addition, the standard coding scheme provides the analyst or reviewer a traceability of the events from the cutsets resulting from the accident sequence quantification to the individual fault trees.

The standard coding scheme developed utilizes a sixteen character identifier. Each individual event code is composed of four parts: a system identifier, an event or component type identifier, a failure mode code, and a unique event identifier. Each of these parts is separated by a dash for readability.

The system identifier is composed of three characters which were selected to readily convey the system to the reader. The list of system identifiers is provided in Table IV.5.19-1.

The event or component type identifier is composed of three characters which identify the component type if a component fault, or the event type if other than a component fault. The list of event or component identifiers is included in Table IV.5.19-2.

The failure mode code is composed of two characters which identify the failure mode associated with the fault. The list of failure mode codes is included in Table IV.5.19-3.

The unique event identifier is composed of up to five characters which utilize a portion of the utility ID for a component or, in the case of non component faults or grouped faults, convey information about the fault type.

Table IV.5.19-1 System Identifiers

System
Identifier   System Name

ACC          Accumulators
ACP          AC Power System
ARF          Air Return Fan System
ADS          Automatic Depressurization System
AFW          Auxiliary Feedwater System or Emergency Feedwater System
CPC          Charging Pump Cooling System
CHP          Charging Pump System
CVC          Chemical and Volume Control System
CHW          Chilled Water System
CSC          Closed Cycle Cooling System
CCW          Component Cooling Water System
CDS          Condensate System
CLS          Consequence Limiting Control System
CCU          Containment Atmosphere Cleanup
CGC          Containment Combustible Gas Control
CFC          Containment Emergency Fan Cooler System
CIS          Containment Isolation System
CSR          Containment Spray Recirculation System
CSS          Containment Spray System
CRD          Control Rod Drive System
DCP          DC Power System
DWS          Drywell (Wetwell) Spray Mode of RHR System
EHV          Emergency Heating, Ventilation, and Air Conditioning System
ESF          Engineered Safety Feature Actuation System
ESW          Essential Service Water System
FHS          Fuel Handling System
HCI          High Pressure Coolant Injection System
HCS          High Pressure Core Spray System
HPR          High Pressure Recirculation System
HPI          High Pressure Safety Injection System
HSW          High Pressure Service Water System
ICS          Ice Condenser System
ISR          Inside Containment Spray Recirculation System
IAS          Instrument Air System
ISO          Isolation Condenser System
LCI          Low Pressure Coolant Injection System
LCS          Low Pressure Core Spray System
LPR          Low Pressure Recirculation System
LPI          Low Pressure Safety Injection System
MCW          Main Circulating Water System (main condenser cooling water)
MFW          Main Feedwater System
MSS          Main Steam System
NHV          Normal Heating, Ventilation, and Air Conditioning System
OEP          Onsite Electric Power System
OSR          Outside Containment Spray Recirculation System
PCS          Power Conversion System
PPS          Primary Pressure Relief System (PORV/SRV)
RGW          Radioactive Gaseous Waste System
RLW          Radioactive Liquid Waste System
RBC          Reactor Building Cooling Water System
RCS          Reactor Coolant System
RCI          Reactor Core Isolation Cooling System
RPS          Reactor Protection System
RMT          Recirculation Mode Transfer System
RHR          Residual Heat Removal System
SIS          Safety Injection Actuation System
SWS          Service Water System
SDC          Shutdown Cooling Mode of RHR
SGT          Standby Gas Treatment System
SLC          Standby Liquid Control System
SPC          Suppression Pool Cooling System (or suppression pool cooling mode of the RHR system)
SPM          Suppression Pool Makeup System
TBC          Turbine Building Cooling Water System

Table IV.5.19-2 Event And Component Type Identifier

Component                                  Identifier

Air Cooling Heat Exchanger                 ACX
Sensor/Transmitter Units:
  Flow                                     ASF
  Level                                    ASL
  Physical Position                        ASO
  Pressure                                 ASP
  Radiation                                ASR
  Temperature                              AST
  Flux                                     ASX
Circuit Breaker                            CRB
Calculational Unit                         CAL
Electrical Cable                           CBL
Signal Conditioner                         CND
Control Rods:
  Hydraulically-Driven                     CRH
  Motor-Driven                             CRM
Ducting                                    DCT
Motor-Driven Compressor                    MDC
Motor-Driven Fan                           FAN
Fuse                                       FUS
Diesel Generator                           DGN
Hydrogen Recombiner Unit                   HRU
Heat Exchanger                             HTX
Inverter                                   INV
Electrical Isolation Device                ISO
Air Cleaning Unit                          ACU
Load/Relay Unit                            LOD
Logic Unit                                 LOG
Local Power Supply                         LPS
Motor-Generator Unit                       MGN
Motor-Operated Damper                      MOD
Pumps:
  Engine-Driven                            EDP
  Motor-Driven                             MDP
  Turbine-Driven                           TDP
Manual Control Switch                      XSW
Rectifier                                  REC
Transfer Switch                            TSW
Transformer                                TFM
Tank                                       TNK
Bistable Trip Unit                         TXX
Air Heating Unit                           AHU
Electrical Bus - DC                        BDC
Electrical Bus - AC                        BAC
Manual Damper                              XDM
Pneumatic/Hydraulic Damper                 PND
Battery                                    BAT
Valves:
  Check Valve                              CKV
  Hydraulic Valve                          HDV
  Safety/Relief Valve                      SRV
  Solenoid-Operated Valve                  SOV
  Motor-Operated Valve                     MOV
  Manual Valve                             XVM
  Air-Operated Valve                       AOV
  Testable Check Valve                     TCV
  Explosive Valve                          EPV
Filter                                     FLT
Instrumentation and Control Circuit        ICC
Strainer                                   STR
Heater Element                             HTR

Event                                      Identifier

Pipe Segment Fault                         PSF
Pipe Train Fault                           PTF
Actuation Segment Fault                    ACS
Actuation Train Fault                      ACT
AC Electrical Train Fault                  TAC
DC Electrical Train Fault                  TDC
Human Error                                XHE
Common Cause Fault                         CCF
Miscellaneous Aggregation of Faults        VFC

Table IV.5.19-3 Failure Mode Codes

FAILURE MODE*                                                  CODE

Valves, Contacts, Dampers
  Fail to Transfer                                             FT
  Normally Open, Fail Open                                     OO
  Normally Open, Fail Closed (Position)                        OC
  Normally Closed, Fail Closed                                 CC
  Normally Closed, Fail Open                                   CO
Valves, Filters, Orifices, Nozzles
  Plugged                                                      PG
Pumps, Motors, Diesels, Turbines, Fans, Compressors
  Fail to Start                                                FS
  Fail to Continue Running                                     FR
Sensors, Signal Conditioners, Bistable
  Fail High                                                    HI
  Fail Low                                                     LO
  No Output                                                    NO
Segments, Trains and Miscellaneous Agglomerations
  Loss of Flow, No Flow                                        LF
  Loss of Function                                             FC
  Actuation Fails                                              FA
  No Power, Loss of Power                                      LP
  Failure (for miscellaneous fault agglomerations
    not based on segments or trains)                           VF
  Hardware                                                     HW
Battery, Bus, Transformer
  No Power, Loss of Power                                      LP
  Short                                                        ST
  Open                                                         OP
Tank, Pipes, Seals, Tubes
  Leak                                                         LK
  Rupture                                                      RP
Human Errors
  Fail to Operate                                              FO
  Miscalibrate                                                 MC
  Fail to Restore from Test or Maintenance                     RE
Normal Operations (unavailable due to planned activity):
  Maintenance                                                  MA
  Test                                                         TE
  Test and Maintenance                                         TM

* Events or components are only suggestions. The failure modes listed may be used for any applicable event or component type.
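The coding scheme of Section IV.5.19 can be checked mechanically before fault trees are merged. The following is an added example, not code from the report: it parses event codes into their four parts, validates them against small subsets of Tables IV.5.19-1 to IV.5.19-3, and groups a cutset by owning system for traceability. The character set allowed in the unique identifier, and every sample code other than the two RMT train events of Section IV.5.18.4, are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Subsets of Tables IV.5.19-1, IV.5.19-2 and IV.5.19-3 (a full checker would load all rows).
SYSTEMS = {"ACP": "AC Power System", "AFW": "Auxiliary Feedwater System",
           "RMT": "Recirculation Mode Transfer System", "SWS": "Service Water System"}
TYPES = {"ACT": "Actuation Train Fault", "TAC": "AC Electrical Train Fault",
         "MDP": "Motor-Driven Pump", "MOV": "Motor-Operated Valve", "XHE": "Human Error"}
MODES = {"FA": "Actuation Fails", "LP": "No Power, Loss of Power",
         "FS": "Fail to Start", "FT": "Fail to Transfer", "MC": "Miscalibrate"}

MAX_LEN = 16  # 3 + 3 + 2 + 5 characters and three separating dashes
# Assumption: unique identifiers are 1 to 5 upper-case letters or digits.
UNIQUE_RE = re.compile(r"[A-Z0-9]{1,5}")


class EventCode(NamedTuple):
    system: str   # three-character system identifier
    kind: str     # three-character event or component type identifier
    mode: str     # two-character failure mode code
    unique: str   # unique event identifier, up to five characters

    def describe(self):
        return (f"{SYSTEMS[self.system]} / {TYPES[self.kind]} / "
                f"{MODES[self.mode]} / {self.unique}")


def parse_event_code(code):
    """Split one event code into its four parts, or raise ValueError saying why not."""
    if len(code) > MAX_LEN:
        raise ValueError(f"{code}: longer than {MAX_LEN} characters")
    parts = code.split("-")
    if len(parts) != 4:
        raise ValueError(f"{code}: expected 4 dash-separated parts, found {len(parts)}")
    system, kind, mode, unique = parts
    for label, value, table in (("system identifier", system, SYSTEMS),
                                ("event or component type", kind, TYPES),
                                ("failure mode code", mode, MODES)):
        if value not in table:
            raise ValueError(f"{code}: unknown {label} '{value}'")
    if not UNIQUE_RE.fullmatch(unique):
        raise ValueError(f"{code}: bad unique event identifier '{unique}'")
    return EventCode(system, kind, mode, unique)


def audit_cutset(codes):
    """Group valid events by owning system and collect rejected codes with reasons."""
    by_system, rejected = defaultdict(list), []
    for code in codes:
        try:
            event = parse_event_code(code)
        except ValueError as err:
            rejected.append(str(err))
        else:
            by_system[event.system].append(event)
    return dict(by_system), rejected


# Constructed cutset: the first two codes appear in Section IV.5.18.4, the rest
# are made up for this example (the last three are deliberately malformed).
SAMPLE_CUTSET = [
    "RMT-ACT-FA-RMTSA",
    "RMT-ACT-FA-RMTSB",
    "AFW-MDP-FS-P3A",
    "RMT-XHE-MC-RWST",
    "AFW-MDP-FS-PUMP3A",   # 17 characters: unique identifier too long
    "RMT_ACT_FA_RMTSA",    # wrong separator
    "RMT-ACT-XX-RMTSA",    # failure mode code not in the table
]

if __name__ == "__main__":
    grouped, rejected = audit_cutset(SAMPLE_CUTSET)
    for system, events in grouped.items():
        for event in events:
            print("-".join(event), "->", event.describe())
    for reason in rejected:
        print("REJECTED", reason)
```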

IV.6 Analysis Of Dependent Failures

Throughout this study, a significant effort was made to identify, model, and quantify dependent failures. Dependent failures were treated in two ways. Dependent failures due to functional dependencies and support dependencies were identified and modeled in the event trees and fault trees. Discussion of these efforts is found in the event tree and fault tree sections (Chapters IV.4 and IV.5 respectively). Coupled failures which are not explicitly modeled as functional dependencies or support dependencies were included in the study as a result of three specific efforts. They were:

o Subtle interactions found in past PRAs were reviewed for their applicability to Surry,

o An LER review of Surry was made to identify any unexpected interactions or common cause failures which have occurred at the plant,

o Beta factors for common cause failures were systematically applied to sequence cutsets involving failures of redundant pumps, MOVs and diesel generators.

In addition, for those systems not modeled in detail (i.e., actuation systems, control systems, emergency electric power systems, and the power conversion system), a review of the system designs and interfaces was performed to determine whether there were any peculiarities in the system design which would result in unexpected interactions with other systems or would be expected to result in significant differences in the failure rate of the system from the generic system failure rate.

The actuation systems at Surry, i.e., SIAS, CLCS, and the RMT system, are each composed of two symmetrical trains. Power train separation was maintained for each of the actuation systems and no instances were identified where series components requiring actuation within a system train were actuated by different actuation system trains. The emergency power system trains are also symmetrical and there are no crossties between buses.

One interaction between the power systems at units 1 and 2 arises due to the use of the third diesel generator as a swing diesel. Although diesel generator 2 cannot provide power to any unit 1 components, its unavailability was assumed to lead to the unavailability of the swing diesel to power loads at unit 1 since it would likely be aligned to unit 2. This interaction was explicitly modeled in the electric power Boolean equations.

The remainder of this section is divided as follows: Subsection IV.6.1 discusses the review and resolution of subtle interactions found in past PRAs; Subsection IV.6.2 presents the results of the LER search and discusses the method of application of beta factors.

IV.6.1 Subtle Interactions

As discussed above, a list of potential subtle interactions was identified by this PRA program, based on past operating experience and PRA analyses. Each of these items was examined with respect to the specific Surry design to determine whether or not similar interactions exist at Surry. The brief description of the items in the list of potential subtle interactions is shown in Table IV.6-1. Table IV.6-2 summarizes the applicability of the items in the list to the Surry design and the resolution of those items which were found to be applicable.

Table IV.6-1 Generic List Of Potential Subtle Interactions

1. Failures of diesel generator load sequencers following loss of offsite power resulting in station blackout.
2. Occurrence of sneak circuits following power restoration.
3. Problems in bus switching logic.
4. Modeling of pump room cooling.
5. Occurrence of voltage droop prior to loss of offsite power.
6. Use of terminal blocks inside containment for actuation systems.
7. Inadvertent isolation of all feedwater flow from all steam generators.
8. Potential use of alternate core cooling systems.
9. Steam binding of the AFW pumps due to back leakage through normally closed check valves or MOVs.
10. Air binding of cooling water systems.
11. Steam line break isolation circuitry.
12. Passive component failures which result in common cause failures of multiple systems.
13. Importance of isolation of non-essential cooling water loads.
14. Failure of discharge check valves for cross-tied pumps.
15. System failures following station blackout.
16. Dependent events based on operating experience.
17. Availability of main feedwater following plant trip.
18. Refill of dry steam generators.
19. Main/auxiliary feedwater commonalities.
20. PORV unavailability due to block valve closure.
21. Overfill of steam generators resulting in water carry-over to the steam lines.
22. Normal operating configuration.
23. Locked door dependencies.

Table IV.6-2 Applicability Of Generic Subtle Interactions To Surry

ITEM NUMBER IN TABLE IV.6-1 / APPLICABILITY / RESOLUTION

1. Surry does not use load sequencers to reload the emergency power buses following diesel generator start. Load sequencing is accomplished by time delay relays in most of the safety loads. The HPI and LPI pumps remain on the bus. CSS, ISR, OSR, and the AFW pumps all have time delays in their start circuitry (30 sec., 2 min., 5 min., 1 min. respectively). Some non-safety loads are loaded on "stub" buses. The stub buses are normally powered from the emergency buses but are shed on undervoltage. Reloading is manual. No indication of increased unavailability due to the time delay relays was found. The potential for failure to shed the stub bus loads resulting in trip of the diesel generators was considered to be negligible in comparison to the diesel generator failure rates.

2. No essential systems at Surry have isolation circuits; in particular, the Surry AFW system employs cavitating venturis to limit flow through a steam line break. Therefore this potential interaction was not considered to be applicable.

3. All systems of interest, with the exception of PCS, are powered from offsite power sources rather than from the main station generator. The Surry design does not include bus-to-bus cross feeds as noted in the report for Indian Point. Therefore this potential interaction was not considered to be applicable.

4. Room cooling is not required for any of the pumps important in the Surry analysis. Therefore, the potential interactions involving room cooling were not considered to be applicable.

5. This interaction derives from an event at Indian Point. Loss of offsite power occurred in such a way that there was a "long" period of slowly declining voltage before power was completely lost. The voltage "droop" was sufficient to blow fuses. This interaction was not incorporated into the Surry study, because sufficient details of the magnitude and length of the "droop" are not available. It is not possible to predict probability of fuse failure based on the available data.

6. All circuit junctions for environmentally qualified systems within containment are made by Raychem Splicing. No terminal blocks are used. Therefore, this potential interaction was not considered to be applicable.

7. At Surry, MFW is isolated on an SIAS signal (low steam pressure) and the AFW system relies on cavitating venturis to limit flow to a depressurized steam generator. Therefore, this potential interaction was not considered to be applicable.

8. Alternate core cooling methods were included in the Surry analysis. Feed and bleed cooling using HPI and the PORVs was considered in the event tree analysis. Use of the cross connects from unit 2 to provide HPI and AFW flow to unit 1 was also considered as a backup core cooling method. Primary depressurization through secondary blowdown was originally considered for inclusion in the Surry analysis. However, since a significant number of failures would have occurred by the time secondary blowdown would be considered by the operator, secondary blowdown was not found to be a significant core cooling option in the final analysis.

9. Steam binding of the AFW pumps has occurred at Surry. The check valves which provide isolation from the main feedwater lines are swing disc check valves which were found to have steam cuts in the seat/disc face allowing backleakage of main feedwater. The upstream check valves are not isolation valves and are expected to allow a limited amount of backleakage. This backleakage resulted in a steam accumulation in the piping and pumps and steam binding of the pumps. The valves with the steam cuts were repaired and reinstalled. Insulation was removed from the AFW piping to facilitate condensation of any steam which may collect and a shiftly check of the AFW pump outlet piping temperatures was instituted. No further occurrences have been reported; however, the potential for steam binding still exists but at a much lower rate due to the preventive measures taken by the plant. Therefore, the AFW fault trees include this failure mode.

10. Insufficient information was available concerning rates of air ingress into systems and its effect on system operability in order to be able to include this interaction in the models.

11. MFW isolates on an SIAS signal; AFW is not isolated on steam line break. Therefore, this potential interaction was not considered to be applicable.

12. Several areas were identified in which a single passive failure could result in the failure of multiple systems. These events were modeled in each of the applicable systems to assure that the commonality would be reflected in the accident sequence evaluation.

13. Two potential cases were identified in which failure to isolate nonessential cooling loads could impact safety system operation. Failure to shed the stub bus, which powers the component cooling water and RHR pumps, following LOSP could potentially result in diesel generator trip when it is loaded on the bus; however, the failure rate associated with the failure to shed the stub bus is considered to be negligible with respect to the diesel generator failure rate. Following LOSP, failure to close the condenser circulating valves will result in drainage of the intake canal in approximately 30 minutes. Drainage of the intake canal becomes important in the event of loss of all AC power and has been included in the station blackout model.

14. Probability for check valve fail to close is 1E-4/d. Probability for pump fail to start is 2E-3/d. Excessive backflow through pump discharge check valves in cross-tied pumps resulting in flow diversion through the idle pump was therefore considered to be minimal in comparison with the pump failure rates. Therefore, this potential interaction was not addressed further.

15. Seal LOCA occurrence was included in the station blackout models. No long term tests have been performed on the Surry batteries. Battery depletion time of four hours was based on NUREG-3226.

16. Beta factors based on EPRI-NP-3967(25) were applied on a cutset basis during the accident sequence quantification for the diesel generators, MOVs, and the HPI, LPI, CSS, OSR, AFW, and SWS pumps.

17. It was assumed that, due to control logic at Surry, following any reactor trip from greater than 50% power, the MFW regulating valves close. The MFW pumps continue to run, however. Therefore, MFW was assumed to be available in the event of AFW failure for T3 initiating events.

18. Upon loss of AFW at unit 1, AFW at unit 2 would be used for SG makeup and then MFW at unit 1. It was assumed that these alternate systems could be brought on line prior to steam generator dryout. Refilling of dry steam generators was not explicitly addressed in the study.

19. No significant commonalities between the MFW and AFW systems were identified. Therefore, this potential interaction was not further addressed.

20. Discussions with plant personnel indicated that Surry operates with one or more PORVs blocked about 50% of the time. They also said both PORVs are blocked about 5% of the time. Using these values as approximations and assuming each PORV was independent of the other, it was calculated that each PORV was blocked 30% of the time. Therefore, approximately 10% of the time both PORV block valves are closed, 40% of the time one PORV block valve is closed, and approximately 50% of the time both PORV block valves are open. These conditions were included in the models for the PORVs.

21. Overfilling of the steam generators and the resultant carry over of water into the turbine driven AFW pump turbine was considered to be a low probability event if instrumentation was available. In addition, even if it did occur, sufficient feedwater capacity is available from the motor driven AFW and MFW pumps. However, SG overfill was included in the station blackout analysis. During station blackout, control of the AFW turbine driven pump was assumed to be maintained as long as DC power was available. Following battery depletion, it was assumed that SG level instrumentation would be lost and steam generator overfill could occur at approximately 1 hour following battery depletion.

22. The normal operating configuration of Surry was used in the study. In cases where an alternate configuration produced more severe results, the percent of time that Surry operated in this alternate configuration was estimated, based on discussions with plant personnel. The more severe results associated with the alternate configuration were included, based on the percentage of time the plant spent in that configuration. In cases where the normal operating configuration produced the most severe results, these results were used 100% of the time.

23. Discussions with plant personnel indicated that key-locked doors and other powered security restrictive measures failed open on loss of power. Access restrictions during loss of power events were therefore not included in the study.

IV.6.2 Common Cause Analysis

Common cause events were included in the accident sequence quantification in one of two ways. Plant specific common cause failures were identified by a search of the Surry LERs. Three events were identified by this LER search. They were included in the fault-tree models at the appropriate levels. The three events were common cause failure of CPC pumps or strainers, common cause failure of containment spray heat exchanger service water valves and steam binding of two auxiliary feedwater pumps. These events are discussed below.

A. Common Plugging of Charging Pump Cooling Water Strainers

An LER search of Surry Units 1 and 2, from 1980-1984 (inclusive), yielded frequent incidents of low pump discharge pressure in the HPI service water system. Low pump discharge pressure was caused by plugged strainers, increased water demand from the air conditioning system, or a combination of both. For the purposes of this study, low pump discharge pressure was assumed to result in insufficient HPI pump cooling, although the LER survey did not indicate that HPI pump unavailability ever resulted from the service water incidents. In three instances both HPI SW pumps at the same unit had low discharge pressure. Three failures in 10 plant years yield a failure rate of 3E-5/hr for common cause plugging of the strainers. The fault tree models assumed this condition would lead to rapid HPI pump unavailability unless corrective action was taken by the operators. Corrective actions for this failure include:

a) reducing SW air conditioning loads

b) bypassing the filters

c) supplying HPI cooling from Unit 2 SW pumps

It must be noted that the current service water strainer is a duplex strainer while the old strainers were a "Y" type strainer. The duplex strainer adds another recovery option (i.e., switch strainer halves) but it is not known if the duplex strainer will plug less often. For these reasons, the old strainer data was used in the Surry model. It is probably conservative.

B. Steam Binding of AFW Pumps

Review of the Surry AFW operating experience revealed that a problem with steam binding of AFW pumps had occurred due to backleakage of main feedwater through the system check valves. The backleakage resulted in steam accumulation in the AFW lines and unavailability of two pumps. Since the event, the affected check valves were rebuilt and plant changes were made, including removal of the insulation from the AFW pump discharge lines to facilitate steam condensation and requiring a check of pump outlet pipe temperature once every shift. No further incidents have occurred. However, due to the potential for common cause multiple pump failures this failure mode has been included in the system models. This failure probability was assessed to be 1E-4/demand. Details of the calculation are shown in Appendix A.

C. Common Cause Failure of CSR Service Water Valves

A review of the Surry SWS operational experience identified a potential for common cause failure of the service water containment spray valves to the heat exchangers. During annual testing of the system all four valves on Unit 1 failed to open when activated from the control room. Similar testing of the Unit 2 valves resulted in failure of 3 of the 4 valves at Unit 2 to open. All valves were subsequently manually opened. Several of the valves were found to be heavily corroded due to exposure to brackish water. Based on this incident, the potential for failure of both the ISR system and OSR system due to common cause failure of the service water valves was included in the SWS model. The probability was assessed to be 3E-2/demand, with a non-recovery factor of 0.1. Details of this calculation are found in Appendix A. Although the testing frequency of these valves has been increased to quarterly, insufficient data exists to determine the impact of the testing frequency change on the failure probability. The derivation of the 3E-2 value includes the expected possibility of improved reliability due to increased testing.

To account for other potential common cause faults, generic beta factors were applied, as appropriate, to the sequence cutsets following the initial accident sequence quantification (23). The values used for the beta factors were derived from EPRI-NP-3967. As noted in Section IV.8, it was assumed that the reported values in EPRI-NP-3967 represent 95% upper confidence bounds. The common cause method and the beta factor guidelines are detailed in the methodology document. The groundrules for application of beta factors are summarized below:

1. Beta factors were only applied within systems, not across system boundaries.
2. Beta factors were only applied within a system to redundant components and identical failure modes.
3. Beta factors were not applied in those cases in which a plant specific common cause event involving the same components was identified.
4. Cutsets for the random independent failure of multiple components were included in systems models in addition to the cutsets containing the beta factors.
5. To ensure completeness, those cutsets involving independent failures of redundant components which were below the probability cutoff for the sequence quantification (1E-9) and which could become significant following the application of the generic beta factors were reexamined and added to the sequence cutsets if necessary.
6. Failure of the third and fourth redundant components in a series (after failure of the second) was assumed to have a probability of 1.0.

IV.7 Human Reliability Analysis

This chapter presents the results of the human reliability analysis performed for this study. Included in this chapter is a discussion of the human actions which were identified, the methods and assumptions used in the evaluation of them, and the final human error probabilities used in the accident sequence quantification.

Human reliability analysis for this study was performed in accordance with the RMIEP screening rules, modified by SANDIA for the NUREG-1150 effort. This methodology was established in a series of internal SANDIA memorandums. The HRA for the Surry PRA was performed in accordance with References 26 and 27.

Identification of human interactions with the plant systems came about as a result of the fault tree analysis and the accident sequence recovery analysis.

o System fault tree models identified the need for human actions in order for a system to perform successfully under certain circumstances.

o Core damage sequence recovery analysis identified alternate systems, components or operations which could be used to mitigate accident sequences. Success of these items requires human actions.

o Station blackout recovery analysis identified human actions during and after station blackout.

All human errors which were identified were errors of omission. These are defined as instances where an operator is required to correctly perform a task in order to ensure the proper functioning of a system. If this task is not performed correctly in any way, the system loses its functionality. The human actions identified in this study are shown in Table IV.7.1-1. This table is a list of all human actions identified in the analysis. The probability to fail to correctly perform each of these actions was quantified.

Section IV.7.1 discusses the guidelines, groundrules, and procedures used to evaluate the human actions. Section IV.7.2 discusses the evaluation of each action and presents the resultant HEPs that were quantified for each action. Section IV.7.3 lists the assumptions used in the overall HRA.


Table IV.7.1-1 Human Actions Quantified in the Surry PRA

Pre-Initiator Actions

1. Restoration of CSS valves after pump test
2. Calibration of RWST level sensors

Post-Initiator Actions

1. Pull start charging pump C
2. Initiate feed and bleed
3. Initiate emergency boration
4. Reconfigure to hot leg recirculation
5. Reattach stub bus after T1
6. Manual reactor trip
7. Manual actuation of RMTS
8. Manual actuation of CLCS
9. Cross connect of AFW from Unit 2
10. Cross connect of HPI from Unit 2
11. Realign HPI-SW to bypass plugged strainer
12. Open alternate injection line through MOV-1842
13. Restoration of HPI after station blackout
14. Align HPI from Unit 2 for seal LOCA injection flow
15. Isolate PORV when leaking
16. Isolate condensers after station blackout

IV.7.1 Guidelines for Analysis of Human Actions

This section presents a general discussion of the procedures used to evaluate the human actions listed in Table IV.7.1-1.

IV.7.1.1 Pre-Initiator Restoration Failures

Events for mispositioned valves were identified by the system fault tree analysis. These events could occur as a result of failure to restore valves after monthly pump testing or failure to restore valves during power ascension that were closed for maintenance during cold shutdown. Some systems have valve configurations that do not require alteration for pump testing. Consequently, valve misposition errors for these systems were considered negligible compared to other causes of system failure. Because all pump testing at Surry is staggered, no common cause misposition errors were identified.

Restoration errors were quantified in accordance with Reference 26. A summary of the guidelines and procedures for quantification of mispositioned valves is shown in Table IV.7.1-2. After applying the guidelines in Table IV.7.1-2, the only valve restoration error included in the quantified fault trees is associated with the containment spray system. This was assigned a value of 3.0E-3.

IV.7.1.2 Pre-Initiator Miscalibration Errors

Common cause miscalibration of sensors in the ECCS actuation systems was postulated for each set of common sensors. Table IV.7.1-3 shows the guidelines and procedure for evaluation and quantification of these events. The miscalibration of sensors was factored into the study after sequence cutsets had been generated. Cutsets which included failure of both trains of an actuation system were replaced with the common cause failure event. After applying the guidelines in Table IV.7.1-3, the only miscalibration error that was significant was miscalibration of the RWST water level sensors in the RMTS. This was calculated to be 3.0E-4.

IV.7.1.3 Manual Actuation When Auto-Actuation Fails

A group of human actions was identified which involved manual actuation of ECCS or containment systems when automatic actuation failed. These actions were identified by the fault tree analysis. The loss of automatic actuation was assumed to be caused by failure of relays, bistables, and other components in the actuation systems. These failures were generally assumed to be recoverable by operator action if power was available to the control circuit. Common cause miscalibration was not recoverable, unless clear indications from other systems were available.

The HEP for these actions was assumed to be entirely diagnosis error. The actions associated with manual actuation are very simple and thus have small HEPs compared to the diagnosis errors postulated for these events. The calculation of diagnosis HEPs was predicated on two factors: the amount of time the operator has available to perform the action and the indications the operator has that auto actuation has failed. These factors are specific to each cut set.

For cases where only one train of actuation failed, the actuation of the other train was assumed to be sufficient indication that the questioned system was required. For these cases, the HEP was calculated to be the diagnosis error of the median joint HEP in Figure 3 of Reference 27.

For cases where both trains of actuation failed, two types of indications were considered available to the operator: instrumentation from other systems and whether or not previous safety system actuation had occurred. For example, for CLS Hi failure the operator would have some indication that CLS Hi should actuate, because SIAS would be actuated. For those cases, if alternate indication was present, the HEP was calculated from the upper joint diagnosis error in Figure 3 of Reference 27, corresponding to the time available for action. If no alternate indication was present, no recovery was allowed. The upper joint HEP was chosen because indirect indications are available to the operator, rather than the more direct indications in the previous case.

IV.7.1.4 Post-Initiator Recovery Actions

Some of the actions could be grouped on a sequence basis. For these sequences, an HRA of the sequence was done evaluating the individual actions in the context of the sequence of events. Isolated actions in a sequence were evaluated individually using the diagnosis errors and action errors in Reference 27. Post initiator actions were usually involved with restoration of systems or components, or actuation of alternate systems.

Table IV.7.1-2 Groundrules For Calculation of Valve Restoration Error Probabilities

1. Valve restoration errors were postulated for each pump test and for pump maintenance.
2. Valve restoration error probabilities were assumed negligible if a) valve position is annunciated in control room, b) valve position is indicated in control room and position indications checked at least every 24 hours, c) valve is flow tested after use, d) valve receives automatic actuation signal.
3. Valve restoration errors assigned overall value of 3.0E-3. This represents .03 for initial error and .1 for independent verification.
4. All testing of pumps at Surry is staggered on a train basis. Common cause mispositioning of valves in redundant trains of systems was therefore considered negligible.
5. Surry has a class I tagging system, as defined in NUREG/CR-1278.(36)

Table IV.7.1-3 Groundrules For Calculation of Common Miscalibration Error Probabilities

1. Common cause miscalibration errors postulated for CLS Hi-Hi, CLS Hi, SIAS, and RMTS.
2. Miscalibration of enough sensors to fail both trains of the actuation system was of interest. Logic arrangements for each actuation were considered.
3. Probability of common cause miscalibration was calculated in accordance with Reference 26.
4. Miscalibration of sensor or bistable possible. Miscalibration assumed to be of significant magnitude.

IV.7.2 Results of Human Reliability Analysis on Post Initiator Actions

An HRA was performed on four sequences which contained several potential operator actions. In addition, HEPs for events in other sequences were evaluated. The results are presented and discussed in the following sections.

IV.7.2.1 HRA of Operator Actions During ATWS

Five operator actions could potentially be required during an ATWS sequence, depending on the particular course of the sequence. An HRA was done for ATWS which evaluated these actions as a sequential series using a consistent set of diagnosis errors and cognitive assumptions. These five events are, in order,

- Manual reactor scram
- Turbine trip, if not done automatically
- Start AFW, if not started automatically
- Open block valve on PORV within two minutes, if PORV isolated previous to initiator
- Emergency borate, if manual scram failed

Scenario

For the purposes of the HRA, the starting point for the ATWS event is defined to be the first indication in the control room that either a) one or more RPS trip parameters have been exceeded, b) one or more reactor trip breakers have been de-energized, or c) at least one train of RPS logic has been tripped. This is the first indication the operator would have that control rod insertion was supposed to have occurred, but did not. (The possibility that an ATWS could occur without one of the above indications was not considered.) These indications would be accompanied by several flashing lights and annunciators. These indications would direct the operator toward reactor scram.

The operator must trip the turbine within one minute, if it does not trip automatically. The operator must also start AFW within one minute, if it does not start automatically. The operator will also attempt to manually scram the reactor either by pushing the manual scram button which de-energizes the shunt trip, or by removing power from the control rod drive motor generator sets. Manual scram must be accomplished in the first two minutes in order to be effective in altering the course of the transient.

At approximately two minutes, the maximum pressure increase will occur, thereby demanding the pressure mitigation functions. The SRVs and PORVs will open automatically. If manual scram is unsuccessful, the operator must shut the reactor down using emergency boration. This involves opening of a valve from the boric acid transfer (BAT) pumps to the HPI suction and switching the BAT pump to fast speed. The operator is also instructed to open a PORV to reduce RCS pressure and thereby enhance HPI flow.

Procedures and Training

All operator actions during ATWS are clearly specified in individual steps in procedure ECA 1.0. However, due to the fast acting nature of an ATWS, the operators would not have time to take a procedure from the file. All ATWS actions must be performed from memory. They are therefore considered skill-based actions. Even the emergency boration is assumed to be performed without reference to procedure. Although emergency boration is required by 10 minutes, in actuality the operator would commence boration immediately after he realized that manual scram was unsuccessful.

ECA 1.0 defines the basis for the operator actions even though the procedure will probably not actually be referred to during the initial response to an ATWS event. Operator training at Surry instructs the operators to suspect ATWS on every transient until they have verification otherwise. Whenever an operator sees indication of scram or partial scram, he is instructed to immediately look at the rod position indicators and if they are not all lit red, press the manual scram button, turbine trip button, and then start AFW. If rod position indication is still not available, he is instructed to go (or send a surrogate) down to the MG set room and remove power from the CRD-MG sets. These actions are a routine part of any reactor scram.

Timing of Operator Actions

Manual reactor trip, manual turbine trip, and manual start of AFW would all be performed as soon as the operator could look at the rod position and reach the scram button on the control panel. All three controls (scram, turbine trip, and AFW start) are close together. Timing for these actions is considered to be within one minute.

Accomplishing manual scram by leaving the control room to remove power from the MG sets was not considered. It was assumed that the shunt trip will perform properly if manually activated. Leaving the control room to remove power from the MG sets would take too long to include in the model.

Opening the block valve for the PORV will occur after the operator realizes manual scram has failed. It must occur within two minutes to be effective in mitigation of the initial pressure spike. Emergency boration will be attempted within 10 minutes.

Calculated HEPs

The entire ATWS sequence of events, with the exception of opening the block valve for the PORV for the early pressure rise, is assumed to be skill-based actions. The actions of manual scram, turbine trip and AFW start are simple actions. HEPs for these actions were assigned a value of 1.0E-3 each, as specified in Table 9 Item 10, Reference 27.

Opening of the PORV block valve within two minutes to help mitigate the pressure rise is not explicitly stated in the ATWS procedure and consequently was not considered skill-based. For this action, HEP was assumed to be dominated by diagnosis error. The lower bound HEP for 2 minutes in Figure 3 of Reference 27 was used.

Emergency boration was not assumed to be a skill-based action. This procedure is not as familiar as pushing the manual scram button. Three actions are necessary,

- Open Valve 1350
- Switch BAT pump to fast
- Open a PORV

For each of these actions, a basic error rate of .02 (Item 3, Table 9, Reference 27) and a verification error of .2 (Item 6, Table 9, Reference 27) was used. Each action has a total of .004 for a total of 0.012 for emergency boration. The ATWS results are summarized in Table IV.7.2-1.

IV.7.2.2 HRA for Loss of Steam Generator Cooling Events

Five human actions could potentially be required in loss of SG cooling scenarios, depending on the particular scenario and which equipment was failed. The HRA for these events considered that all five actions would be performed sequentially, as directed by procedure. The modeling assumes the operator would follow procedures step by step until the sequence was mitigated. The five potential actions are,

- Manual start AFW, if failed to actuate
- Restore MFW, if possible
- Align AFW from Unit 2 if not able to get AFW or MFW from Unit 1
- Establish HPI if AFW-Unit 2 fails
- Open PORVs to allow feed and bleed

Scenario

The scenario for this sequence begins with feedwater makeup to the steam generator being unavailable. Water level in the steam generator is decreasing. The operator would have 30 minutes before the SGs are dry. If feedwater to the SGs had not been restored by that time, he would have to initiate feed and bleed cooling. There are three ways to provide FW at Surry: AFW at Unit 1, MFW at Unit 1, and AFW at Unit 2. The operator would attempt these in order of preference, as directed by procedures.

Procedures and Training

All of these actions are explicitly directed by procedures. A pathway through the procedures was identified as follows.

The operator is assumed to start EP 1.00 (reactor trip) within 10 minutes of trip. If no SI signal is present (which should be the case) he is directed to EP 1.01 (Recovery from reactor trip) where in steps 2 and 3, he is directed to establish feedwater with either MFW or AFW from Unit 1. If neither of these is available, he is directed to Functional Restoration Procedure H.1. Step 4 of FRP H.1 directs a cross connect of AFW from Unit 2. This action can be done entirely from the main control room. If this fails he is directed to try to restore MFW or depressurize the SGs and use the condensate pumps. If these fail, steps 16 thru 18 of FRP H.1 direct the operator to go to feed and bleed.

Timing

The timing constraints in the model required AFW to be restored within 30 minutes. If this was not possible, feed and bleed cooling must be in place by 45 minutes. Manual start of AFW is a simple operation which could be done in two minutes. Restoration of MFW is also a simple operation. All it requires is opening of the four inch bypass valves. Cross connect of AFW from Unit 2 involves opening two valves in the cross header, closing six valves in the Unit 2 discharge headers and starting an AFW pump. This was estimated to require 5 - 10 minutes. Initiation of feed and bleed also requires 5 - 10 minutes. It involves opening the HPI suction and discharge valves and opening the PORVs.

Calculated HEPs

Diagnosis error was not postulated for any of these events. It is assumed that the operator will pick up EP 1.00 within 5 - 10 minutes after reactor trip. It was also assumed he will read each step correctly.

Manual start of AFW was considered to be a skill-based action and was assigned an HEP of 1.0E-3, from Item 10, Table 9, Reference 27.

All of the other actions were assigned an initial error probability of .02 from Item 3, Table 9, Reference 27 and a verification factor of .2 from Item 6, Table 9, Reference 27. This gives a total HEP of 4.0E-3 for each action. The actions are considered independent and separate. These results are summarized in Table IV.7.2-2.

IV.7.2.3 HRA of Operator Actions During Loss of Injection Sequences

Four human actions could potentially be required during loss of injection sequences, depending on the particular scenario involved. An HRA was done for these sequences which evaluated these actions as a sequential series of events.

Scenario

These sequences are assumed to be initiated on reactor trip caused by low RCS pressure. Most of these sequences will be accompanied by an SI signal. Normal sequence of events would be for HPI to automatically actuate and provide makeup flow. But, for various reasons HPI may fail and result in these sequences being analyzed. The possible recovery actions associated with these initial loss of HPI sequences are:

- Isolate PORV if LOCA is caused by stuck open PORV.
- Start charging pump C (standby pump) if pumps A and B are not running.
- Open alternate injection path through MOV 1842, if MOVs 1867C and 1867D are closed.
- Align HPI from Unit 2.

All of these events would not necessarily apply to the same sequence. But the operator would likely go through this sequence of corrective actions until the injection function was restored.

Procedures and Training

All of these actions are explicitly called out in the Surry procedures. Depending on the particular initiator, different pathways through the procedures can be postulated.

If reactor trip occurs with no SI, or low pressurizer pressure occurs with no reactor trip, the operator could be in procedures EP 1.01 or AP-42 respectively. Both of these procedures call for manual SIAS, if needed, and manual starting of the standby charging pump, if needed. If these actions are not successful, the operator is directed to go to Functional Restoration Procedure FRP C.1. In this procedure he is instructed to open the alternate injection path and if flow is still not available, cross connect HPI from Unit 2.

Timing

The key timing parameter for these actions is the time to core uncovery. Restoration of HPI flow or isolation of the break up to the time of core uncovery was considered sufficient to prevent core damage. Core uncovery times were estimated for each of the initiator types (S1, S2, S3, TQ). They varied from 15 minutes for S1 to 2 hours for S3.

The first three operator actions in the series are simple actions and can be performed in a very short time, from the control room. In order to cross connect HPI flow from Unit 2, however, an operator must leave the control room to manually open/close some valves in the charging pump area.

It was estimated that cross connect of HPI would require 15 to 20 minutes. Considering that the decision to use it would not come until 15 - 20 minutes after reactor trip, these timing constraints made HPI cross connect unavailable for use in S1 and S2 LOCAs.

Calculation of HEPs

Failure to isolate a stuck open PORV was estimated to be 1.0E-1 for complex transients such as loss of offsite power or loss of an electrical bus, and 1.0E-2 for simple transients such as turbine trip. This distinction was used in WCAP9804 and appeared to be preferable to the methods in Reference 27.

Starting of the standby charging pump and opening the alternate injection path were considered to be skill-based actions, as defined in Reference 27, and were consequently assigned an HEP of 1.0E-3.

HEP for failure to cross connect HPI from Unit 2 was considered to be totally action errors. Since the operator was presumed to be following a procedure, diagnosis error was not considered to be applicable. Cross connect of HPI requires opening valves outside the control room to be coordinated with pump operation in the control room. Since operators from Unit 2 would be cognizant of this operation, a second overall verification factor was used. HEP was calculated as follows:

.05     HEP for away from control room actions (Item 4, Table 9, Reference 27)
.2      Verification (Item 6, Table 9)
.02     HEP for in control room action (Item 3, Table 9)
.2      Verification (Item 6, Table 9)
.2      Additional verification on the overall process
.0028   TOTAL HEP

The HEPs are summarized in Table IV.7.2-3.
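
The action-error HEPs in Sections IV.7.2.1 to IV.7.2.3 all follow one pattern: a basic error probability multiplied by its verification factors, summed over the required actions. The following Python is an added example, not part of the report; the function and variable names are chosen here, and the exact-union function is an addition that shows how the report's summation compares with the exact combination of independent errors.

```python
from collections import namedtuple
from math import prod

# One error opportunity: a basic HEP and the verification (recovery) factors
# credited against it.
Step = namedtuple("Step", "label basic recoveries")

# Values as cited on this page from Table 9 of Reference 27.
BASIC_IN_CONTROL_ROOM = 0.02   # Item 3
BASIC_AWAY_FROM_CR = 0.05      # Item 4
VERIFICATION = 0.2             # Item 6
SKILL_BASED = 1.0e-3           # Item 10


def step_hep(step):
    """Basic error probability times every verification factor credited."""
    return step.basic * prod(step.recoveries)


def task_hep(steps, overall=()):
    """Sum of step HEPs (as done in the report), then any verification
    credited against the task as a whole."""
    return sum(step_hep(s) for s in steps) * prod(overall)


def task_hep_exact(steps, overall=()):
    """Exact probability that at least one independent step fails."""
    return (1.0 - prod(1.0 - step_hep(s) for s in steps)) * prod(overall)


def verified(label, basic=BASIC_IN_CONTROL_ROOM):
    # A procedure-directed action with one verification.
    return Step(label, basic, (VERIFICATION,))


# Emergency boration during ATWS (Section IV.7.2.1): three verified actions.
EMERGENCY_BORATION = [
    verified("Open Valve 1350"),
    verified("Switch BAT pump to fast"),
    verified("Open a PORV"),
]

# Cross connect of HPI from Unit 2 (Section IV.7.2.3): one local and one
# control room action, plus a verification on the overall process.
HPI_CROSS_CONNECT = [
    verified("Local valve alignment", BASIC_AWAY_FROM_CR),
    verified("Pump operation from control room"),
]

# A single procedure-directed action in the loss of SG cooling sequences
# (Section IV.7.2.2).
ALIGN_AFW_UNIT_2 = [verified("Align AFW from Unit 2")]

if __name__ == "__main__":
    print(f"Emergency boration  {task_hep(EMERGENCY_BORATION):.4f} "
          f"(exact {task_hep_exact(EMERGENCY_BORATION):.6f})")
    print(f"HPI cross connect   "
          f"{task_hep(HPI_CROSS_CONNECT, overall=(VERIFICATION,)):.4f}")
    print(f"Align AFW, Unit 2   {task_hep(ALIGN_AFW_UNIT_2):.4f}")
```

The summed value for emergency boration is slightly above the exact union, so the simple addition used in the report errs on the conservative side.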

IV.7.2.4 Operator Actions During Station Blackout

Two operator actions are specifically identified in the station blackout model. They are:

- Manual isolation of main condensers
- Restoration of HPI flow after AC power is restored.

A detailed HRA was not performed for these actions, as for other actions. Station blackout was considered to represent a tremendous departure from normal operating situations. Therefore, prediction of sequences of actions and of operator emphasis on recovery and allocation of personnel resources to different tasks was based on engineering judgement. Unlike other sequences where one or two failures would be the main focus of plant personnel, a station blackout presents many anomalies, any of which could become the main focus of the plant staff. For this reason, the HRA for station blackout was based on a top level estimate. The results are summarized in Table IV.7.2-4.

Manual Isolation of Condensers

There are eight condenser halves. The condensers are isolated by 96" valves. They are equipped with a hand wheel for manual action. It was estimated that to crank a valve closed in the presence of full flow would require 20 minutes per valve. All eight valves must be closed to isolate the canal. If no valves are closed at all, canal drainage occurs in 30 minutes. Comparing the 20 minute action time with the 30 minute requirement time led to the conclusion to give no credit for condenser isolation within the required time.

Restoration of HPI Flow

After restoration of AC power to the plant, restoration of charging flow is of prime importance. If significant RCP seal degradation has occurred, safety injection flow may be required. Prior to restoration of HPI flow, support systems such as service water, AC power and DC power must be restored. Restoration of service water may require refill of the intake canal.

HEP for restoration of HPI flow was estimated for two conditions: one when a seal LOCA existed and imminent HPI restoration was required, and one when no seal LOCA existed and restoration could be done more slowly. An overall value of .25 for the short term case and .10 for the long term case were used for failure to restore charging A or B in proper sequence. However, Pump C is normally locked out and could be used in the event Pump A and B failed. An independent value of 0.1 was used for failure to utilize Pump C. Selection of this value presumes the operator would realize pumps A and B had failed and take more precautions with restoration of pump C.

IV.7.2.5 Individual Operator Actions in Other Sequences

Additional operator actions in other sequences were quantified on an individual basis, using the same methods and procedures as for the other actions. None of these actions were particularly important in the final sequences. The HEPs for these actions are shown in Table IV.7.2-5.

IV.7.3 Assumptions Used During Surry HRA

General assumptions used for the Surry HRA are shown in Table IV.7.3-1. Timing considerations for recovery from core damage sequences are shown in Tables IV.7.3-2 and IV.7.3-3.

Table IV.7.2-1 Summary Of Operator Errors During ATWS

Action                               HEP      Comment
-----------------------------------  -------  ------------------------------------------
Manual Reactor Trip                  1.0E-3   Skill-based error.
Manual Turbine Trip                  1.0E-3   Skill-based error.
Manual AFW Start                     1.0E-3   Skill-based error.
Open PORV Block Valve (if blocked)   2.5E-1   Not explicitly stated in ATWS procedure.
for initial pressure relief                   Represents diagnosis error at 2 minutes.
Perform Successful Emergency         1.2E-2   No diagnosis error. All action errors.
Boration                                      (includes all actions directed by
                                              procedures)

Table IV.7.2-2 Summary Of Operator Errors During Loss Of SG Cooling Sequences

Action              HEP      Comment
------------------  -------  --------------------
Manual Start AFW    1.0E-3   Skilled-based error.
Restore MFW         4.0E-3   Action error.
Align AFW-Unit 2    4.0E-3   Action error.
Establish HPI       4.0E-3   Action error.
Open PORVs          4.0E-3   Action error.

Table IV.7.2-3 Summary Of Operator Errors During Loss Of Injection Sequences (S1D, S2D, S3D, TQD)

Action                       HEP      Comment
---------------------------  -------  ----------------------------------------------
Isolate PORV
  T1Q, T4Q, T5Q              1.0E-1
  T2Q, T3Q                   1.0E-2
Start Charging Pump C        1.0E-3   Skill-based error.
Open MOV 1842                1.0E-3   Skill-based error.
(alternate injection path)
Align HPI-Unit 2                      Alignment of HPI from Unit 2 requires manual,
  for S1                     1.0      local operation. Assumed to require 15-20m for
  for S2                     1.0      completion, after decision to proceed. Timing
  for TQD                    3.0E-3   considerations eliminate this for S1 and S2.
  for S3D                    3.0E-3   For TQD, S3D, HEP is series of action errors.

Table IV.7.2-4 Summary Of Operator Action During Station Blackout

Action                     Timing    HEP               Comment
-------------------------  --------  ----------------  --------------------------------------------
Manual Isolate Condenser   30 Min.   1.0               No credit for manual isolation of condenser
Waterboxes                                             was allowed given the timing required (30 m),
                                                       the place in the procedure for action on the
                                                       condenser (Step 19) and the other possible
                                                       actions to divert operators (restore power).
Restart HPI Pumps in       Varies    2.5E-2            HEP is estimated .25 for pumps A and B, if
Proper Order with Respect            If seal LOCA      seal LOCA exists. .10 for pumps A and B, if
to HPI-SW and Canal Level            exists            no seal LOCA exists. .1 for pump C for both
                                     1.0E-2            cases.
                                     If no seal LOCA
                                     exists

Table IV.7.2-5 Additional Operator Errors Used In Surry Analysis

Action                        Sequence  Timing   HEP      Comment
----------------------------  --------  -------  -------  ------------------------------------------
Align Hot Leg Recirculation   A, S1     16 Hr.   8.0E-5   Includes multiple verification.
Align HPI, Unit 2 for Seal    TD3W      1 Hr.    3.0E-3   Action errors predominate.
Injection Flow
Reconnect Stub Bus After      T1        1 Hr.    4.0E-3   Action errors predominate.
LOSP
Manual RMT                    A         5m       2.5E-1   Diagnosis error, based on time available.
                              S1        9m       1.0E-1   Diagnosis error, based on time available.
Bypass of CPC Service Water   All       10m      1.0E-1   Diagnosis error at 10 min. from Figure 3,
Strainers                                                 Ref. 27.

Table IV.7.3-1 Groundrules For Surry HRA

1. One SRO and one RO for Unit 1 assumed in the control room at all times.
2. Actions done outside the control room could be performed by any plant personnel except Unit 1 SRO, RO, STA.
3. STA assumed to be in the control room within 10 minutes of any reactor scram.
4. SRO/RO will follow event oriented procedures. Event oriented procedures are cross-referenced very well at Surry. If safety systems respond as designed, event oriented procedures provide adequate instruction to mitigate all events.
5. Upon arrival of STA in the control room, he will track the progress of the event by monitoring critical safety functions in accordance with CSF status trees. Progression of the transient through the CSF status trees may direct the operators to enter a symptom oriented procedure (called functional restoration procedures). The event oriented procedures may also direct the operators to a symptom oriented procedure.
6. All actions outside the control room require at least 10 minutes transit time.
7. Each step in a procedure requires at least one minute to complete.
8. Verification of an SI checklist or a CLS Hi-Hi checklist requires 10 minutes to complete.
9. If operator finds improper equipment status during SI verification or CLS Hi-Hi verification, it was assumed he would take immediate action from the control room or immediately dispatch someone to restore equipment to desired status outside the control room.
10. All resultant operator errors are assumed to be mean values with error factor of 10.

Table IV.7.3-2 Allowable Recovery Times To Prevent Core Damage

Recovery Action         Sequence        Reference   Maximum Allowable   Source
                                        Time        Restoration Time
----------------------  --------------  ----------  ------------------  ---------------------------------
Restore SG Cooling      TML             Rx Trip     30m                 W - EPG
                        ATWS            Initiator   60s                 WCAP 8330
Initiate Feed & Bleed   TML             Rx Trip     45m                 W - EPG
Restore HPI Flow        TQD             t(Q)        60m                 NUREG 1032
                        S2D             Rx Trip     35m                 BMI 2104
                        S1D             Rx Trip     20m                 Estimate, based on BMI-2109
                        SBO-Seal LOCA   Seal LOCA   60m                 Estimate, based on EGG-CAAD-5428
                        S3D             Rx Trip     2 hr                Estimate based on EGG-CAAD-5428
Emergency Boration      ATWS            Initiator   10m                 WCAP 8330
Isolate PORV            TQD             t(Q)        60m                 NUREG 1032
Restore HPI and         TML             Rx Trip     60m                 NUREG 1032
SG Cooling

Table IV.7.3-3 Other Timing Considerations

| Action | Sequence | Reference Time | Maximum Allowable Time | Source |
|---|---|---|---|---|
| Manual Scram | ATWS | Initiator | 2m | WCAP-8330 |
| Turbine Trip | ATWS | Initiator | 30s | WCAP-8330 |
| Open PORV Block | ATWS | Initiator | 90s | Estimate |
| Restore Seal Cooling | TD3W | Loss Seal Cooling | 1 hr | Seal LOCA Model |
| Manual RMTS | A | RMT Signal (13% RWST) | 5m | Calculated |
| | Sg | RMT Signal (18% RWST) | 9m | Calculated |
| Isolate Condensers | SBO | SBO | 30m | Calculated |

IV.8 Data Base Development

The following sections identify the sources used to establish the data base for quantification of the Surry sequences, assumptions used in the data development, and limitations associated with the data, and provide a summary of the data used in the Surry sequence quantification on a system by system basis.

IV.8.1 Sources of Information for Data Base

The data in the Surry data base includes both plant specific and generic data. Where sufficient plant specific operational data were available for important components or where potential plant specific common cause failures were identified, plant specific data were used. Data for all other individual components were derived from the ASEP generic data base. Probabilities of actuation system train and electric power bus failures were also derived from the ASEP generic data. Table IV.8-1 summarizes the plant specific data used in the quantification.

Initiating event frequencies were derived from several sources. The frequency of loss of offsite power and associated power recovery factors were based on data from NUREG-1032. Frequencies for initiating event category T3 (turbine trip with MFW available) and T2 (loss of main feedwater) were derived from Surry specific data listed in NUREG/CR-3862. Frequencies of T4 and T5 (loss of power bus) were derived from generic data for the postulated faults leading to the loss of the bus. The frequency of loss of charging pump cooling was estimated based on the generic data in NUREG/CR-3862 and plant specific data. LOCA initiating event frequencies were developed based on a survey of frequencies used for similar size LOCAs in previous PWR PRAs. Derivation of the initiating event frequencies is included in Section IV.3.

Operator actions identified in the fault trees and recovery actions in the accident sequence quantification were evaluated using the human error probabilities (HEPs) in References 26 and 27. Discussions of the derivation of HEPs are included in Section IV.7.

Values for the beta factors used in the accident sequence quantification were derived from EPRI-3967. Application of the beta factors is discussed in Section IV.6.

IV.8.2 Assumptions and Limitations in the Data Base

No specific limitations were identified in the Surry data base. Several assumptions were made in the development of the Surry data base and are as follows:

(1) All failure probabilities for operator actions were assigned error factors of 10.

(2) The beta factors reported in EPRI-NP-3967 were assumed to represent the 93% confidence bound.

(3) The beta factors derived from EPRI-NP-3967 were assigned error factors of 3.

Table IV.8-1 Plant Specific Data Used in Accident Sequence Quantification

| Failure Event | Failure Rate (Median Value) | Error Factor |
|---|---|---|
| CPC Service Water Pump FTS | 5.9E-3/demand | 3.5 |
| CPC Service Water Pump FTR | 1.6E-4/hr | 1.6 |
| CPC Service Water Strainers Plugged | 2.0E-5/hr | 3 |
| Charging Pump FTS | 3.1E-3/demand | 3.5 |
| Charging Pump FTR | 5.5E-5/hr | 2.9 |
| Inside Spray Recirculation Pump FTS/R | 3.6E-2/demand | 1.8 |
| Common Cause Failure of the SWS Inlet Valves to the Recirculation Spray Heat Exchangers | 1.1E-2/demand | 11.0 |
| Motor Driven AFW Pump FTS/R | 5.6E-3/demand | 2.2 |
| Turbine Driven AFW Pump FTS/R | 7.1E-3/demand | 4.6 |
| Diesel Generator FTS | 7.1E-3/demand | 4.1 |
| PORV Block Valve Closed Due to Leaking PORV | 3.0E-1/demand | 1.0 |
| PORV Block Valve Fails to Transfer on Demand | 3.6E-2/demand | 2.4 |

IV.8.3 Data Base Description

The data used to obtain point estimates of the accident sequence frequencies were mean values. The uncertainty analysis using SEP required the use of the median values and error factors. SEP also requires the assumption of lognormal distributions. Tables IV.8-2 through IV.8-18 provide a summary of the data used in the accident sequence quantification. For each fault, initiating event, or beta factor, these tables give the fault identifier or event tree identifier, as appropriate, along with a description of the identifier, the median value, error factor, source of the data, and any applicable comments.

The data included in these tables are median values. Since all data distributions were assumed to be lognormal, the median values can be converted to mean values by a simple multiplier, based on the error factor. For the convenience of the reader, a conversion table for medians to means is shown in Table IV.8-19.

Table IV.8-2 summarizes the initiating event frequency data. Tables IV.8-3 through IV.8-15 summarize the individual system component, super component, and operator action failure probabilities associated with the system fault trees. Table IV.8-16 summarizes the recovery action failure probabilities used in the accident sequence quantification. Table IV.8-17 summarizes the beta values applied in the accident sequence quantification. Table IV.8-18 summarizes those faults used in the accident sequence quantification which are not included in any of the above classifications.

Table IV.8-2 Initiating Event Data

| IDENTIFIER | DESCRIPTION | MEDIAN (/RX-YEAR) | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| A | Large LOCA, D>6" | 1.9E-4 | 10 | Survey of Previous PWR Studies |
| S1 | Medium LOCA, 2"<D<6" | 3.8E-4 | 10 | Survey of Previous PWR Studies |
| S2 | Small LOCA, 1/2"<D<2" | 3.8E-4 | 10 | Survey of Previous PWR Studies |
| S3 | Very Small LOCA, D<1/2" | 1.3E-2 | 5 | Spontaneous Seal LOCAs |
| T | Transient Initiating Events, Requiring Reactor Scram | 6.04 | 2 | NUREG/CR-3862 |
| TN | High Power Transient Initiating Events, Requiring Reactor Scram | 3.11 | 2 | NUREG/CR-3862 |
| T1 | Loss of Offsite Power | 6.4E-2 | 2 | NUREG-1032 |
| T2 | Loss of Main Feedwater | 0.86 | 2 | NUREG/CR-3862 |
| T3 | Turbine Trip w/ Main Feedwater Available | 6.70 | 2 | NUREG/CR-3862 |
| T4H | Loss of 480V AC Bus 1H | 3.4E-3 | 10 | See Section IV.3 |
| T4J | Loss of 480V AC Bus 1J | 3.4E-3 | 10 | See Section IV.3 |
| T5A | Loss of 125V DC Bus 1A | 3.4E-4 | 10 | See Section IV.3 |
| T5B | Loss of 125V DC Bus 1B | 3.4 E | 10 | See Section IV.3 |
| T6 | Loss of Charging Pump Cooling | 1.9E-2 | 5 | NUREG/CR-3862, Plant Specific Data |

Table IV.8-3 CSS Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| CSS-CKV-FT-CV13 (CSS-CKV-FT-CV24) | Check Valve CV13(CV24) Fails to Open on Demand | 1.0E-4 | 3 | ASEP Data Base |
| CSS-MOV-LF-101A (CSS-MOV-LF-101B, CSS-MOV-LF-101C, CSS-MOV-LF-101D) | Loss of Flow Through MOV 101A (101B, 101C, 101D) | 3.0E-3 | 3 | ASEP Data Base |
| CSS-PSF-LF-PTRNA* (CSS-PSF-LF-PTRNB) | Insufficient Flow Through CSS Pump Train A(B) | 7.5E-3 | 4 | ASEP Data Base |
| CSS-TNK-LF-RWST | Insufficient Water Available From RWST | 1.0E-6 | 10 | |
| CSS-XVM-RE-XV8 (CSS-XVM-RE-XV15) | Failure to Reclose Valve XV8(XV15) Following Test | 1.0E-3 | 10 | See Section IV.7 |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-4 HPI/HPR Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| HPI-CKV-FT-225 | Check Valve 225 Fails to Open on Demand | 1.0E-4 | 3 | ASEP Data Base |
| HPI-PSF-FL-PTRNB | Faults in Charging Pump Train B - Pipe Segment PS12 (6-hour time period) | 3.4E-3 | 3.8 | Plant Specific Data and ASEP Data Base |
| HPI-MOV-LF-1867C (HPI-MOV-LF-1867D) | Loss of Flow through MOV 1867C(D) | 3.0E-3 | 3 | ASEP Data Base, Dominated by FTO on Demand |
| HPI-MDP-FR-1A6HR | Charging Pump 1A Fails to Continue to Run for 6 Hours | 2.4E-4 | 2.9 | Plant Specific Data |
| HPI-MDP-FR-A18HR (HPI-MDP-FR-B18HR, HPI-MDP-FR-C18HR) | Charging Pump 1A (1B, 1C) Fails to Continue to Run for 18 Hours | 5.7E-4 | 2.9 | Plant Specific Data |
| HPI-XHE-FO-PLLCK | Operator Fails to Remove Pull Lock Condition | 3.8E-4 | 10 | Skill Based Action, See Section IV.7 |
| HPI-MOV-LF-1115B (HPI-MOV-LF-1115D) | Loss of Flow Through MOV 1115B(D) | 3.0E-3 | 3 | ASEP Data Base (Dominated by FTO on Demand) |
| HPI-MOV-FT-1115C (HPI-MOV-FT-1115E) | MOV 1115C(E) Fails to Close on Demand | 3.0E-3 | 3 | ASEP Data Base |
| HPI-PSF-FL-PSUCT* | Insufficient Flow from RWST to Charging Pump Suction - Pipe Segment 2 | 2.7E-4 | 2.1 | ASEP Data Base |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-4 (Continued) HPI/HPR Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| HPI-HXE-FO-FDBLD | Operator Fails to Open PORVs and Establish HPI Flow for Feed and Bleed Cooling | 3.C E-3 | 10 | See Section IV.7 |
| HPI-PSF-FL-PTRNC* | Faults in Charging Pump Train C - Pipe Segment PS13 (6-Hour Time Period) | 9.0E-3 | 5.4 | Plant Specific Data |
| HPR-PSF-LF-SUCTA* (HPR-PSF-LF-SUCTB) | Insufficient Flow from LPI Pump A(B) to Charging Pump Suction Header | 4.7E | 2.5 | ASEP Data Base |
| CVC-PSF-LF-BAT2A* | Insufficient Flow from Boric Acid Transfer Pumps to Charging Pump Suction Header | 3.0E-3 | 3 | ASEP Data Base (Dominated by MOV FTO on Demand) |
| PPS-XHE-FO-PORVs | Operator Fails to Perform Emergency Boration (Open PORVs and Switch BAT Pumps to Fast Speed) | 4.5E-3 | 10 | See Section IV.7 |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-5 Accumulator Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| ACC-PSF-LF-ACCA (ACC-PSF-LF-ACCB, ACC-PSF-LF-ACCC) | Insufficient Flow from Accumulator A(B,C) | 3.5E-4 | 2.3 | ASEP Data Base |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-6 LPI/LPR Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| LPI-MOV-PG-1890C | MOV1890C Plugged | 1.0E-4 | 3 | ASEP Data Base |
| LPI-PSF-LF-PTRNA* (LPI-PSF-LF-PTRNB) | Insufficient Flow from LPI Pump Train A(B) - Pipe Segment PS32(PS33) (6-Hour Time Period) | 3.6E-3 | 4.2 | ASEP Data Base |
| LPI-PSF-LF-ASUCT* (LPI-PSF-LF-BSUCT) | Insufficient Flow to LPI Pump Train A(B) - Pipe Segment PS30(PS31) | 1.5E-4 | 2.3 | ASEP Data Base |
| LPI-PSF-LF-CLEG2* (LPI-PSF-LF-CLEG3) | Faults in Line to Cold Leg #2 (#3) from MOV1890C | 1.0E-3 | 10 | ASEP Data Base (Flow Tested Yearly) |
| LPI-MDP-FR-A18HR (LPI-MDP-FR-B18HR) | LPI Pump A(B) Fails to Continue to Run for 18 Hours | 5.0E-4 | 10 | ASEP Data Base |
| LPI-MOV-PG-1864A (LPI-MOV-PG-1864B) | MOV1864A(B) Plugged | 4.0E-4 | 3 | ASEP Data Base (Flow Tested Yearly) |
| LPR-CCF-PG-SUMP | Common Cause Plugging of the Containment Sump | 1.0E-6 | 100 | Zion PRA(8) |
| LPR-XHE-FO-HOTLG | Operator Fails to Perform Switchover to Hot Leg Recirculation at 16 Hours | 3.0E-5 | 10 | See Section IV.7 |
| LPR-PSF-LF-HTLGA* (LPR-PSF-LF-HTLGB) | Faults in Line to Hot Leg - Pipe Segment PS46 (PS47) | 4.3E-3 | 2.3 | ASEP Data Base |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-6 (Continued) LPI/LPR Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| LPR-PSF-FC-SUCTA (LPR-PSF-FC-SUCTB) | Insufficient Flow from Containment Sump to LPI Pump 1A(1B) | 9.4E-3 | 2.3 | ASEP Data Base |
| LPI-CKV-LK-SI241 (LPI-CKV-LK-SI242, LPI-CKV-LK-SI243) | Transfer Open (Leak) of LPI Check Valve SI241 (242, 243) | 3.5E-3 | 3 | PWR Generic Data |
| LPI-CKV-RP-SI79 (LPI-CKV-RP-SI82, LPI-CKV-RP-SI85, LPI-CKV-RP-SI241, LPI-CKV-RP-SI242, LPI-CKV-RP-SI243) | Rupture of LPI Check Valve SI79 (82, 85, 241, 242, 243); One Year Fault Exposure Time | 4.4E-5 | 10 | PWR Generic Data |
| LPI-CKV-FT-SI79 (LPI-CKV-FT-SI82, LPI-CKV-FT-SI85, LPI-CKV-FT-SI241, LPI-CKV-FT-SI242, LPI-CKV-FT-SI243) | Failure of LPI Check Valve SI79 (82, 85, 241, 242, 243) to Close | 1.0E-4 | 3 | ASEP Data Base |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-7 ISR Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| ISR-PSF-LF-TRNA* (ISR-PSF-LF-TRNB) | Insufficient Flow from ISR Train A(B) to the Spray Header | 3.8E-2 | 2.0 | Plant Specific Data |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-8 OSR Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| OSR-PSF-LF-TRNA* (OSR-PSF-LF-TRNB) | Insufficient Flow from OSR Train A(B) to the Spray Header | 7.2E-3 | 3.8 | ASEP Data Base |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-9 AFW Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| AFW-CKV-FT-CV27 (AFW-CKV-FT-CV58, AFW-CKV-FT-CV89) | Check Valve CV27 (CV58, CV89) Fails to Open on Demand | 1.0E-4 | 3 | ASEP Data Base |
| AFW-MOV-PG-151A (AFW-MOV-PG-151B, AFW-MOV-PG-151C, AFW-MOV-PG-151D, AFW-MOV-PG-151E, AFW-MOV-PG-151F) | MOV151A (B, C, D, E, F) Plugged | 4.0E-5 | 3 | ASEP Data Base, Tested Monthly |
| AFW-PSF-LF-HDRA* (AFW-PSF-LF-HDRB) | Insufficient Flow Through Header A(B) | 2.0E-4 | 3 | ASEP Data Base |
| AFW-PSF-FC-XCONN* | Flow Diversion to Unit 2 AFW System Through Cross Connect | 1.0E-4 | 3 | ASEP Data Base |
| AFW-PSF-LF-PTR3A* (AFW-PSF-LF-PTR3B) | Insufficient Flow From AFW Pump 3A(3B) | 7.3E-3 | 2.3 | ASEP Data Base and Plant Specific Data |
| AFW-PSF-LF-PTRN2* | Insufficient Flow from AFW Turbine Driven Pump 2 | 7.1E-3 | 4.6 | ASEP Data Base and Plant Specific Data |
| AFW-TNK-VF-CST | Insufficient Water Available from the CST | 1.0E-6 | 3 | Engineering Judgement - CST is Backed Up By Multiple Water Sources |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-9 (Continued) AFW Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| AFW-ACT-FA-PMP3A (AFW-ACT-FA-PMP3B, AFW-ACT-FA-VLVA, AFW-ACT-FA-VLVB) | No Actuation Signal for AFW Pump 3A (3B, Valves AOV102A, 102B) | 5E-4 | 3 | Engineering Judgment - Actuation Circuits Are Simpler Than SIAS and CLCS |
| AFW-PSF-LF-SGA* (AFW-PSF-LF-SGB, AFW-PSF-LF-SGC) | Insufficient Steam Flow from Steam Generator A(B, C) to Turbine Driven Pump - Pipe Segment PS95 (96, 97) | 1E-4 | 3 | ASEP Data Base - Dominated by Check Valve FTO on Demand |
| AFW-CCF-LF-STMBD | Common Cause Failure of All Three AFW Pumps Due to Backleakage Through Check Valves Resulting in Steam Binding of the Pumps | 1.2E-5 | 30 | Engineering Judgment based on operating experience and remedial measures taken on this issue. See Appendix A for derivation. |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-10 Primary Pressure Relief Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| PPS-MOV-FC-1535 (PPS-MOV-FC-153) | Block Valve MOV-1535(1536) Closed Due to Leaking PORV | 3.0E-1 | 1.0 | Plant Specific Data |
| PPS-MOV-LF-1535 (PPS-MOV-LF-1536) | Block Valve MOV-1535(1536) Fails to Transfer on Demand | 4.0E-2 | 2.4 | Plant Specific Data |
| PPS-SOV-CO-1456 | PORV 1456 Fails to Reclose Following Transient | 1.0E-2 | 3 | ASEP Data Base |
| PPS-SOV-FT-1456 (PPS-SOV-FT-1455C) | PORV 1456 (1455C) Fails to Open on Demand | 5.0E-3 | 3 | ASEP Data Base |
| PPS-PSF-FT-1456* (PPS-PSF-FT-1455C) | Insufficient Pressure Relief Through PORV 1456 (1455C) Line | 2.0E-2 | 3 | ASEP Data Base |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-11 CPC Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| CPC-CCF-PG-STRAB | Common Cause Plugging of SWS Strainer 2A and 2B (6-Hour Time Period) | 1.3E-4 | 5 | Plant Specific Data (Based on Old Strainer Design) |
| CPC-CCF-PG-ST18H | Common Cause Plugging of SWS Strainer 2A and 2B (18-Hour Time Period) | 3.1E-4 | 5 | Plant Specific Data (Based on Old Strainer Design) |
| CPC-MDP-FS-SW10B | Failure of Charging Pump Service Water Pump 10B to Start on Demand | 5.9E-3 | 3.5 | Plant Specific Data |
| CPC-PSF-LF-SWPTA* | Insufficient Flow From Charging Pump Service Water Pump 10A (Injection Time Period) | 1.1E-3 | 1.6 | Plant Specific Data |
| CPC-PSF-LF-SWPTB* | Insufficient Flow from Charging Pump Service Water Pump 10B (Injection Time Period) | 1.2E-2 | 2.6 | Plant Specific Data and ASEP Data Base |
| CPC-MDP-FR-10A18 (CPC-MDP-FR-10B18) | Charging Pump Service Water Pump 10A(B) Fails to Run for 18 Hours | 2.9E-3 | 1.6 | Plant Specific Data |
| CPC-MDP-FR-10B9H | Charging Pump Service Water Pump 10B Fails to Run for 9 Hours | 1.4E-3 | 1.6 | Plant Specific Data |
| CPC-MDP-FR-CCP2A | Charging Pump Cooling Water Pump 2A Fails to Run for 6 Hours | 1.2E-4 | 10 | ASEP Data Base |
| CPC-MDP-FR-CCA18 (CPC-MDP-FR-CCB18) | Charging Pump Cooling Water Pump 2A(B) Fails to Run for 18 Hours | 3.6E-4 | 10 | ASEP Data Base |
| CPC-XVM-PG-XV171 (CPC-XVM-PG-XV118) | Manual Valve XV171(118) Plugged | 8.0E-6 | 10 | ASEP Data Base - Weekly Testing |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-11 (Continued) CPC Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| CPC-ICC-FA-CCPBS (CPC-ICC-FA-SWPBS, CPC-ICC-FA-TCV8B, CPC-ICC-FA-TCV8C) | No Actuation Signal for CCW Pump 2B (SWS Pump 10B, TCV 108B, TCV 108C) | 2.0E-4 | 5 | Engineering Judgment - Simple Circuits (1 Relay, 1 Switch) |
| CPC-PSF-LF-CCPTB* | Insufficient Flow from Charging Pump Cooling Water Pump 2B (Injection Time Period) | 2.7E-3 | 7 | ASEP Data Base |
| CPC-MDP-FR-CCB9 | Charging Pump Cooling Water Pump 2B Fails to Run for 9 Hours | 1.8E-4 | 10 | ASEP Data Base |
| CPC-PSF-FL-SHXPB* (CPC-PSF-FL-SHXPC) | Insufficient Flow Through Seal Heat Exchanger for Charging Pump B(C) | 6.4E-5 | 7 | ASEP Data Base, Week Test Interval |
| CPC-PSF-FL-LOCPB (CPC-PSF-FL-LOCPC) | Insufficient Flow Through Lube Oil Cooler for Charging Pump B(C) | 3.0E-3 | 3 | ASEP Data Base - Dominated By AOV FTO on Demand |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-12 SWS Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| SWS-PSF-LF-HXTRA (SWS-PSF-LF-HXTRB, SWS-PSF-LF-HXTRC, SWS-PSF-LF-HXTRD) | Insufficient Flow Through Spray Recirculation Heat Exchanger 1A (1B, 1C, 1D) | 4.5E-4 | 2.3 | ASEP Data Base - Quarterly Testing |
| SWS-MOV-LF-103A* (SWS-MOV-LF-103B, SWS-MOV-LF-103C, SWS-MOV-LF-103D) | Insufficient Flow Through MOV 103A (B, C, D) | 3.0E-3 | 3 | ASEP Data Base - Dominated by MOV FTO on Demand |
| SWS-PSF-LF-XCONN | Insufficient Flow Through SWS Header Crossconnect | 4.0E-4 | 3 | ASEP Data Base |
| SWS-CCF-FC-BIOFL | Common Cause Failure of All Four Service Water Inlet Valves to the Heat Exchangers | 1.1E-2 | 11.0 | Plant Specific Data, See Appendix A for Derivation |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-13 CCW Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| CCW-HTX-FC-CCE1A* | Failure of Heat Exchanger 1-CC-E-1A | 2.4E-6 | 5 | ASEP Data Base |
| CCW-HTX-FC-CCE1B | Failure of Heat Exchanger 1-CC-E-1B | 3.0E-3 | 3 | ASEP Data Base - Dominated By MOV FTO on Demand |
| CCW-PSF-FR-CCP1A | CCW Pump 1-CC-P-1A Fails to Continue to Run for 6 Hours | 1.0E-4 | 5 | ASEP Data Base |
| CCW-PSF-FS-CCP1B* | CCW Pump 1-CC-P-1B Fails to Provide Flow | 3.0E-3 | 3 | ASEP Data Base |
| IAS-AOV-OC-CC107* | Insufficient Flow Through TV-CC-107, for any 6 hour period | 6.0E-7 | 3 | ASEP Data Base |

* Super Component - See Fault Tree for Listing of Included Events

Table IV.8-14 Electric Power Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| ACP-TAC-LP-BUS1H (ACP-TAC-LP-BUS1J) | Power Not Available from 4160V AC Bus 1H(1J) | 3.8E-7 | 10 | ASEP Data Base |
| DCP-TDC-LP-BUS1A (DCP-TDC-LP-BUS1B) | Power Not Available from 125V DC Bus 1A(1B) | 3.8E-7 | 10 | ASEP Data Base |
| DCP-BAT-LP-BATA (DCP-BAT-LP-BATB) | Power Not Available from DC Battery A(B) | 1.5E-3 | 6 | ASEP Data Base |
| ACP-TAC-LP-BUS1I | Power Not Available from 120V AC Vital Bus I | 6.2E-6 | 5 | ASEP Data Base |
| ACP-TAC-LP-BSIII | Power Not Available From 120V AC Vital Bus II | 3.8E-7 | 10 | ASEP Data Base |
| ACP-XHE-FO-STBBS | Operator Fails to Reconnect Stub Bus | 1.5E-3 | 10 | See Section IV.7 |
| OEP-DGN-FS-DG01 (OEP-DGN-FS-DG02, OEP-DGN-FS-DG03) | Diesel Generator 1 (2, 3) Fails to Start on Demand | 7.1E-3 | 4.1 | Plant Specific Data, NUREG/CR-4347 |
| OEP-DGN-FR-DG01 (OEP-DGN-FR-DG02, OEP-DGN-FR-DG03) | Diesel Generator 1 (2, 3) Fails to Run for 6 Hours | 6.0E-3 | 3 | ASEP Data Base |
| OEP-DGN-MA-DG01 (OEP-DGN-MA-DG02, OEP-DGN-MA-DG03) | Diesel Generator 1 (2, 3) Unavailable Due to Maintenance Activities | 6.0E-3 | 6 | ASEP Data Base |

Table IV.8-15 Actuation System Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| SIS-ACT-FA-SISA (SIS-ACT-FA-SISB) | No Actuation Signal from SIAS Train A(B) | 1.0E-3 | 5 | ASEP Data Base |
| CLS-ACT-FA-CLS2A (CLS-ACT-FA-CLS2B) | No Actuation Signal from CLCS Train A(B) | 1.0E-3 | 5 | ASEP Data Base |
| RMT-ACT-FA-RMTSA (RMT-ACT-FA-RMTSB) | No Actuation Signal from RMTS Train A(B) | 1.0E-3 | 5 | ASEP Data Base |
| RMT-CCF-FA-MSCAL | Common Cause Failure of the RMTS Due to Miscalibration of RWST Level Sensors | 1.1E-4 | 10 | See Section IV.7 |

Table IV.8-16 Recovery Factor Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| SWS-BIOFL-RCVY | Failure to Manually Open Spray Recirculation Heat Exchanger SWS Inlet Valves | 7.7E-2 | 3.2 | See Section IV.9 |
| AFW-XHE-FO-UNIT2 | Failure to Provide AFW Flow to Unit 1 Through Crossconnect to Unit 2 | 7.0E-3 | 4 | See Section IV.9 |
| HPI-XHE-FO-UNIT2 | Failure to Provide HPI Flow to Unit 1 Through Crossconnect to Unit 2 | 2.2E-2 (T1); 4.9E-3 (All Others) | 7 (T1); 4 (All Others) | See Section IV.9 |
| HPI-XHE-FO-ALTIN | Failure to Open Alternate Injection Valve 1842 | 1.9E-3 | 10 | See Section IV.9 |
| RMT-XHE-FO-MAN | Failure to Manually Initiate Switchover from Injection to Recirculation | 3.8E-2 | 10 | See Section IV.9 |
| CLS-XHE-FO-MAN | Failure to Manually Initiate Containment Safeguards Systems | 1.5E-3 | 10 | See Section IV.9 |
| CPC-XHE-FO-REALN | Failure to Bypass CPC System Service Water Strainers | 3.8E-2 | 10 | See Section IV.9 |
| NROSP-1HR | Failure to Recover Offsite Power Within One Hour | 0.28 | 2 | NUREG-1032 |
| NROSP-2HR | Failure to Recover Offsite Power Within Two Hours | 0.15 | 2.5 | NUREG-1032 |
| NRACP 1-2HR | Non-recovery of AC Power Within 1/2 Hour | 5.0E-1 | 1.5 | NUREG-1032 |
| NRACP-7HR | Non-recovery of AC Power Within 7 Hours, Given No Recovery at 1/2 Hour | 7.1E-2 | 3 | NUREG-1032 |

Table IV.8-17 Beta Factor Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| BETA-DG | Beta Factor - Diesel Generators | 1.7E-2 | 3 | EPRI-NP-3967 |
| BETA-MOV | Beta Factor - MOVs | 2.7E-2 | 3 | EPRI-NP-3967 |
| BETA-CH | Beta Factor - Charging Pumps | 5.7E-2 | 3 | EPRI-NP-3967 |
| BETA-LPI | Beta Factor - LPI Pumps | 3.7E-2 | 3 | EPRI-NP-3967 |
| BETA-SPRAY | Beta Factor - Spray Pumps | 1.7E-2 | 3 | EPRI-NP-3967 |
| BETA-AFW | Beta Factor - Motor Driven AFW Pumps | 1.0E-2 | 3 | EPRI-NP-3967 |
| BETA-SW | Beta Factor - SWS Pumps | 1.0E-2 | 3 | EPRI-NP-3967 |

Table IV.8-18 Miscellaneous Event Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| K | Failure of the RPS to Trip the Reactor | 3.7E-5 | 5 | NUREG-1000 |
| R | Failure to Manually Trip the Reactor Following RPS Failure | 0.14 | 3 | See Section IV.10 |
| Z | Absence of "Favorable" Moderator Temperature Coefficient | 7.1E-3 | 7 | See Section IV.10 |
| QH | Failure to Reclose PORV Flowpath Following a T4H Initiator | 8.0E-3 | 3 | ASEP Data Base, Plant Specific Data, Westinghouse Generic Data |
| QJ | Failure to Reclose PORV Flowpath Following a T4J Initiator | 1.0E-2 | 3 | ASEP Data Base, Plant Specific Data, Westinghouse Generic Data |
| QA | Failure to Reclose PORV Flowpath Following a T5A Initiator | 2.4E-3 | 3 | ASEP Data Base, Plant Specific Data, Westinghouse Generic Data |
| QB | Failure to Reclose PORV Flowpath Following a T5B Initiator | 1.2E-3 | 3 | ASEP Data Base, Plant Specific Data, Westinghouse Generic Data |
| Q | Failure to Reclose PORV Flowpath, Power Initially Available | 1.2E-5 | 3 | ASEP Data Base, Plant Specific Data, Westinghouse Generic Data |

Table IV.8-18 (Continued) Miscellaneous Event Fault Summary Table

| IDENTIFIER | DESCRIPTION | MEDIAN | EF | SOURCE/COMMENTS |
|---|---|---|---|---|
| SLOCA | Conditional Probability of Seal LOCA Following SBO | 0.62 | 1.6 | See Appendix A |
| NRACSL | Failure to Provide HPI Flow to Reactor Within One Hour After Seal LOCA, Conditional on Non-recovery of Offsite Power at 1/2 hr. (Event is Dominated by Non-Recovery of AC Power) | 2.02E-1 | 3 | See Appendix A |
| MSLOCA | Conditional Probability of No Seal LOCA Following SBO | 0.34 | 1.6 | See Appendix A |

Table IV.8-19 Ratio of Means to Medians for Lognormal Distributions

The following table gives the ratio of mean value to median value for lognormal distributions as a function of error factor.

| Error Factor | Ratio (Mean/Median) |
|---|---|
| 1.0 | 1.00 |
| 1.6 | 1.04 |
| 2.0 | 1.09 |
| 2.5 | 1.17 |
| 3.0 | 1.26 |
| 4.0 | 1.42 |
| 5.0 | 1.61 |
| 7.0 | 2.01 |
| 10 | 2.66 |
| 30 | 8.47 |
| 100 | 50.3 |

IV.9 Accident Sequence Quantification

The accident sequences developed in the event tree analysis (Section IV.4) were evaluated and quantified to determine the core damage sequences with the highest contributions to the total core damage frequency and the core damage frequency associated with each plant damage state. The sequences were quantified by combining the Boolean equations of the appropriate fault trees using the event tree logic associated with the sequences and reducing the resultant equation to form minimal cut sets. For those systems which operate in two modes (i.e., injection and recirculation), partial system success in the injection mode was accounted for in the recirculation fault trees by including the injection faults. In the quantification of recirculation type sequences, the terms which represent complete failure of the system in the injection mode were deleted from the sequence equations. The sequence minimal cut sets were quantified using the data shown in Section IV.8.

The following sections provide the rationale behind the selection of the accident sequences which were quantified, identify the sequences quantified, and identify the plant specific issues associated with the sequence quantification, such as the use of probability cutoff values in the quantification process, the application of recovery factors, and quantification of the plant damage states.

IV.9.1 Rationale for Selection of Sequences to be Quantified

In the initial screening of the accident sequences, all sequences from the event tree analysis were examined. Initially, quantification was performed on those sequences which met one or more of the following selection criteria.

1. Sequence involves single system failure. Rationale: These sequences often have high frequencies relative to all other sequences.

2. Sequence involves failure of two systems which include common interfaces or dependencies. Rationale: Dependencies between two systems can often cause the sequence frequency to be comparable to single system sequence frequencies.

3. Sequence involves an initiating event coupled with a system failure which results in transfer to another event tree (e.g., TQ sequences which transfer to the small LOCA tree) and the remaining portion of the sequence meets criteria 1 or 2 above. Rationale: Necessary in order to compare "initiator frequencies."

4. Sequences of special interest (i.e., failure of feed and bleed cooling, Event V, station blackout, seal LOCA, ATWS).

5. Sequences necessary to provide adequate coverage of all plant damage states.

Following the initial quantification, the sequences which were not quantified were reexamined and compared with the sequences which were quantified to ensure that sequences initially discarded were, in fact, of sufficiently small frequency to be insignificant in comparison with the other sequences. The sequences which were quantified are discussed in the following section.

IV.9.2 List of Sequences Quantified in the Analysis

Based on the selection criteria presented in the previous section, more than 100 sequences were initially quantified. In the cases of similar sequences which differed only due to the initiating event, and where the capabilities of the systems involved were not impacted by the initiating event, one sequence quantification was performed and the frequency of the other sequence was derived by ratioing the initiating event frequencies. Table IV.9-1 presents the sequences quantified during the initial quantification. The applicable beta factors and recovery factors were applied to each of these sequences at the cut set level.

From this initial quantification, twenty sequences with point estimate frequencies greater than 1.0E-7 were identified. Eight additional sequences with frequencies greater than 1.0E-9 were also retained to provide full coverage of the plant damage states. This set of sequences is defined as the dominant core damage sequences and became the basis for the uncertainty, sensitivity, and importance analysis. Table IV.9-2 lists the dominant core damage sequences, their frequencies, and the plant damage state assignment for each sequence.

IV.9.3 Quantification Issues

During the accident sequence quantification, the following issues were addressed: the accident sequence equation truncation method and level, the identification of recovery actions and the application of the associated recovery factors to the sequence equations, and the quantification of the individual plant damage states. These issues are discussed in the following three sections.

IV.9.3.1 Truncation of Accident Sequence Equations

Truncation of sequence equations based on cut set frequency and cut set order is commonly done during the accident sequence quantification in order to reduce the sequence cut sets to a manageable level while retaining the major contributors to sequence frequency.

In the Surry accident sequence quantification, no sequence equation truncation on cut set order was performed. Sequence equations were truncated on cut set frequency. In general, sequence cut sets whose frequency was less than 1.0E-9 were discarded from the sequence equation. For sequences whose total frequency was less than 1.0E-8, the cut set truncation frequency was 1.0E-10. Based on the results of the initial sequence quantifications, these cutoff values were determined to be acceptable.

IV.9.3.2 Identification and Application of Recovery Actions

Following the initial sequence quantification, generic beta factors were included at the cut set level and sequence specific recovery factors were applied at the cut set level. The resultant sequence frequencies were recalculated. The application of generic beta factors was previously discussed in Section IV.6.

Recovery actions were considered at the cut set level. Recovery actions were included if they were directly stated in the emergency or abnormal procedures, or could be expected to directly result from a procedural step or group of steps, and sufficient time existed to allow diagnosis and completion of the action. The following discussion identifies the plant specific recovery actions and the associated failure event codes, their application, and limitations on their application to the Surry cut sets and sequences.


Table IV.9-1
List Of Core Damage Sequences Initially Quantified

Sequences

TgQ-H2 T3AQ-Hg T 34Q-DgC T43LD 2 T2Q-H2 T5BQ-Hg T3gQ-DgC T 34LD 2 T3MQ-H2 5H22 TKRZC T3aLD2

T4HQ-H2 52Hg TgQ-DgCF3 TKRD 4 '

l T 43Q-H2 TKRZ Tg(SL)DgCFg TKRDgC l T3AQ-H2 TKRL 2 T gLH2 T gL(LT)D gCFg l TSBQ-H2 TgD3WDgN T2LH2 TgL(ST)DgCFg [ ) 52lpg T230 WDgN T3MLH2 T gLFgF2 I j S3 lpg T33D WDgN T4HLH2 T2LFgF2 i TgQ-lpg T 4H 3D WDgN T34LH2 T3LFgF2 f T2Q-lpg Tg3 3D WDgN T3aLH2 AD 6 ! T3MQ-lpg T6WDgN TgLHg AD3 f i T 4HQ -lpg EVENT-V T2LHg SgD6 I j T 43Q-lpg 52HgFgF2 T3LHg SgDg j j T 33Q-lpg TgQ-FgF2 T3MLHg SgD3 [' ] T3gQ-lpg T2Q-FgF2 T 4HLHg AH g S2 D; T3MQ-FgF2 T43LHg SgHg f S2CFg Tg3Q-FgF2 T3ALHg AF Fg2 ] S3Dg T34Q-FgF2 T5BLHg SgFgF2 l j T gQ-Dg TSBQ-F Fg2 TgLP SgCD6 j T29-D1 TgQ-CFg T2LP AD3C j T3MQ-Di T2Q-CFg T 3MLP. ACF g ( j TggQ-Di T3MQ-CFg T4HLP SgCFg j Tg3Q-Dg l TggQ-CFg T43LP SgCD6Dg . j T 34Q-Dj Tg3Q-CFg AD6C T3 ALP T3gQ-Dg T 34Q-CFg T3SLP T 2Q-DgC f ] TgQ-Hg TSBQ-CFg TgLD2 T 3MQ-DgC j T 2Q-Hg 53DgC T2LD2 T4HQ-D gC j T 3MQ-Hg S2DgC T3MLD 2 T43Q-DgC - j TggQ-Hg TgQ-DgC T4HLD2 Tg3Q-Hg l T 34Q-Hg SgHgFgF2 ADDgC6 AHgFgF2 j l l IV-241 i j

Table IV.9-2
Surry Dominant Accident Sequences

Sequence            Frequency*    Plant Damage State
T g(SL)-DgCFg       6.6E-6        SNNN
SD3i                2.6E-6        TYYB
Tg3Q-Hg             1.9E-6        SYYB
T4HQ-Hg             1.6E-6        SYYB
TgL(LT)DgCFg        1.3E-6        TNNN
TgL(ST)DgCFg        1.3E-6        TNNN
TgLP                1.1E-6        TYYB
TKRD4               1.1E-6        TYYB
EVENT-V             9.0E-7        EVENT-V
S2Hg                8.9E-7        SYYB
Tg3Q-H2             8.1E-7        SYYB
SgHg                7.7E-7        AYYB
SDi g               7.1E-7        AYYB
SD21                7.1E-7        SYYB
T 4HQ-H2            6.8E-7        SYYB
TKRZ                4.8E-7        SYYB
AD 3                3.9E-7        AYYB
AHg                 3.9E-7        AYYB
SH22                3.3E-7        SYYB
TgQ-DgCFg           3.2E-7        SNNN
SgFgF2              7.0E-8        AYNB
52HgFgF2            5.0E-8        SYNI
SgHgFgF2            5.0E-8        AYNI
AF Fg2              3.5E-8        AYNB
AHgFgF2             2.5E-8        AYNI
Sg6C DgC            2.7E-9        ANNN
AD6DgC              1.4E-9        ANNN
T gLFgF2            1.0E-9        TYNI

CORE DAMAGE TOTAL   2.5E-5

* Point estimate based on propagation of mean values.

Alignment of Unit 2 HPI Flow to Unit 1 (HPI-XHE-FO-UNIT2)

A cross connect of the Unit 1 and Unit 2 HPI systems allows flow from the Unit 2 charging pump C to be provided to the discharge line of the Unit 1 C train charging pump. Two manual valves in series must be locally opened by the operator and it was assumed that the Unit 2 C train charging pump must be started to provide flow through the cross connect. The unavailability for S3 and TQ sequences was determined to be 7E-3, of which 3E-3 is due to operator error and 4E-3 is due to hardware failures. This recovery factor was applied to those cut sets in sequences involving failures of HPI due to faults upstream of the Unit 1 charging pump discharges. This recovery factor was not applied to sequences involving S1 or S2 LOCAs, due to the timing considerations. The time required to diagnose the need for and make operational the cross connect was longer than the estimated time between the failure of HPI and the onset of core damage. More discussion of these timing considerations is found in Section IV.7.

Opening of Alternate Cold Leg High Pressure Injection Valve (HPI-XHE-FO-ALTIN)

An alternate cold leg injection valve (MOV1842) is available to provide flow to the cold legs from the charging pumps. The operator must manually open the valve from the control room to provide flow to the cold legs. The unavailability for all applicable events was determined to be 5E-3, of which 1E-3 is operator error and 4E-3 due to hardware failures. The operator action was determined to be skill based. This recovery factor was applied to those cut sets in sequences involving failures of HPI due to faults in the parallel injection valve arrangement (MOV1876C and MOV1867D). However, recovery actions were not included in the loss of offsite power cut sets which include failure of DG #1, since MOV1842 is powered from MCC 1H1-2, which would be powered from diesel generator #1. In addition, recovery was not applied to cut sets involving common cause failure of 1876C and D, due to the common cause modeling guidelines of this study, which assume similar components will be failed.

Alignment of Unit 2 AFW Flow to Unit 1 (AFW-XHE-FO-UNIT2)

A cross connect of the Unit 1 and Unit 2 AFW systems allows flow from the Unit 2 AFW pumps to be provided to the discharge headers of the Unit 1 AFW system. One of two motor operated valves in parallel must be opened by the operator and the Unit 2 AFW system must be manually started to provide flow through the cross connect. In addition, the injection valves to Unit 2 SGs must be closed to divert flow to Unit 1. The unavailability following all non loss of offsite power events was determined to be 1E-2, of which 4E-3 is attributable to operator error and 6E-3 due to hardware failures. This failure to recover event was not applied to sequences where both units would need AFW, such as loss of offsite power. It was applied to all of the cut sets in non loss of offsite power sequences involving failures of AFW. The dominant failures of the Unit 1 AFW system were common cause failure of all three pumps or flow diversion of Unit 1 AFW to Unit 2 through an inadvertently open cross-connect valve, neither of which would result in the inability to perform this recovery action.

Manual Initiation of Switchover from Injection to Recirculation (RMT-XHE-FO-MAN)

The RMT system can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually actuate switchover in the short period of time available during the drop in RWST level from 18% to 2%. This was calculated to be 9 minutes for S1 and 5 minutes for A LOCA. The failure to manually initiate recirculation switchover was assessed to be 0.1 for Sg 3 LOCA and .25 for A LOCAs, which consists entirely of failure to diagnose the problem in the allowable time. The .1 value was also conservatively applied to S., LOCAs. This recovery factor was applied to all of the cut sets involving failure of the RMT system to automatically initiate switchover.

Manual Actuation of Containment Safeguards Systems (CLS-XHE-FO-MAN)

The CLCS can be manually actuated upon failure of automatic actuation to occur. The operator must diagnose the failure of automatic actuation and manually actuate the injection and recirculation spray systems prior to overpressurization of the containment. Containment pressure and temperature indications and the likely presence of a CLCS-HI signal would alert the operator to the need for actuation of the spray systems. The failure to manually initiate CLCS was assessed to be 4E-3, which consists of operator failure to diagnose the problem and perform the action. This recovery factor was applied to all the cut sets involving failure of the CLCS to automatically initiate the spray systems.

Manual Opening of SWS Valves to the ISR and OSR Coolers (SWS-BIOFL-RCVY)

Following the common cause failure of the service water valves on the ISR and OSR heat exchangers to open, the operator would be expected to attempt to manually open the valves locally, using a hand-wheel. The failure of the operator to be able to open one or more of the valves was assessed to be 0.1. This failure to recover event consists entirely of hardware faults, as the human error probability to diagnose the situation was assessed to be very low. This value reflects a subjective assessment of the inability to open at least one valve manually, given an initial common cause failure of all four valves. This event was applied to all cut sets which include the common cause failure of the valves, for which sufficient time was available to dispatch an operator to the valves. A time of 20 minutes was assumed for the operator to diagnose the problem, send someone to the valves and open them. The ISR pumps were assumed to fail in this time period due to insufficient NPSH, caused by insufficient suction cooling. The OSR pumps, however, would still be operating and could provide containment heat removal once the service water valves were opened.

Manual Bypass of the CPC System Service Water Strainers (CPC-XHE-FO-REALN)

In the event that plugging of the CPC system service water strainers occurs, the operator can bypass the plugged strainer assembly by providing service water from the Unit 2 CPC system. To perform this operation, the operator must diagnose the problem prior to failure of the charging pumps, manually open the valves required to cross connect the systems, and ensure that sufficient flow is available from the Unit 2 CPC system. A time of 10 minutes was allowed to complete this operation based on the estimated time a charging pump could operate without cooling. This assessment is very conservative because none of the strainer plugging occurrences which have happened at the plant involved abrupt loss of service water. Decrease in service water was gradual. The failure to perform these actions was assessed to be 0.1, which consists almost entirely of diagnosis error. This recovery action was applied to all cut sets which included long term plugging failures of the CPCS strainers. No recovery of plugged strainers was applied to the short term sequences due to the relatively short time available and the number of other operator actions required in the short term.

Recovery of Offsite Power Within One Hour (NROSP-1HR)

Following recovery of offsite power, the diesel generators are no longer required to provide power. The probability of failure to restore offsite power within one hour was assessed to be 0.31 based on generic data from NUREG-1032. This recovery factor was applied to all cut sets in T1Q-H sequences which included diesel generator failures.

IV.9.3.3 Quantification of Plant Damage States

As stated in the criteria for selection of sequences to be quantified, adequate coverage of the plant damage states was required. This meant that sequences which did not meet any of the other selection criteria were sometimes included in the dominant accident sequences even though they do not significantly impact the dominant accident sequence frequency. However, they may be dominant because their associated plant damage states may be significant contributors to overall plant risk. Eight sequences which did not meet any of the first four selection criteria were added to the list of sequences to be quantified to satisfy plant damage state coverage. In those cases where the sequence frequency was less than 1E-8, the cut set truncation value was reduced one order of magnitude (to 1E-10) and the sequence quantification was redone. In all of the cases where the cutoff value was lowered, the additional cut sets identified, if any, resulted in insignificant changes to the sequence frequency.
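The truncation and recovery rules of Sections IV.9.3.1 through IV.9.3.3, as an added Python example that is not part of the original report. The cut sets, every basic event name other than HPI-XHE-FO-ALTIN, and all probabilities except the 5E-3 recovery value are constructed; truncating on the unrecovered cut set frequency before applying the recovery factor is an assumption about the order of operations.

```python
from math import prod

ALTIN = "HPI-XHE-FO-ALTIN"   # recovery event code given in the text
P_ALTIN = 5e-3               # its unavailability as given in the text
CUTOFF = 1e-9                # general cut set truncation frequency
CUTOFF_LOW = 1e-10           # used when the sequence total is below 1E-8
LOW_SEQUENCE = 1e-8

# Constructed basic events (hypothetical names and values, not plant data).
PROB = {
    "IE-S2": 1e-3,      # initiating event frequency, per year
    "IE-T1": 7e-2,      # loss of offsite power initiator, per year
    "VLV-C": 3e-3,      # one of the parallel injection valves fails to open
    "VLV-D": 3e-3,
    "VLV-CCF": 1e-4,    # common cause failure of both injection valves
    "DG1": 2e-2,        # diesel generator #1 fails
    "HPI-OTHER": 2e-4,  # some other HPI fault
}


def altin_recovery_applies(cut_set):
    """Apply the text's limits on crediting the alternate injection valve."""
    events = set(cut_set)
    valve_fault = bool(events & {"VLV-C", "VLV-D"})
    common_cause = "VLV-CCF" in events            # no credit after CCF
    losp_without_dg1 = {"IE-T1", "DG1"} <= events  # MOV1842 would be unpowered
    return valve_fault and not common_cause and not losp_without_dg1


def quantify(cut_sets, prob=PROB):
    """Return (sequence frequency, cutoff used, retained cut sets).

    Cut sets are truncated at 1E-9; if the recovered sequence total is
    below 1E-8 the sequence is requantified with a 1E-10 cutoff.
    """
    for cutoff in (CUTOFF, CUTOFF_LOW):
        kept = []
        for cs in cut_sets:
            freq = prod(prob[e] for e in cs)
            if freq < cutoff:
                continue                      # discarded from the equation
            if altin_recovery_applies(cs):
                freq *= P_ALTIN               # failure-to-recover event added
                cs = cs + (ALTIN,)
            kept.append((freq, cs))
        total = sum(f for f, _ in kept)
        if total >= LOW_SEQUENCE:
            break
    return total, cutoff, kept


# Constructed sequences: one above and one below the 1E-8 threshold.
SEQ_HIGH = [("IE-S2", "VLV-C", "VLV-D"),
            ("IE-S2", "VLV-CCF"),
            ("IE-T1", "DG1", "VLV-D")]
SEQ_LOW = [("IE-S2", "VLV-C", "VLV-D"),
           ("IE-S2", "VLV-D", "HPI-OTHER")]

if __name__ == "__main__":
    for name, seq in (("high", SEQ_HIGH), ("low", SEQ_LOW)):
        total, cutoff, kept = quantify(seq)
        print(f"{name}: total={total:.3e} cutoff={cutoff:.0e}")
        for freq, cs in kept:
            print(f"   {freq:.2e}  {' * '.join(cs)}")
```

In the low-frequency sequence the second cut set only enters after the cutoff is lowered, and it changes the total by a few percent.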


IV.10 Anticipated Transients Without Scram

ATWS events for Surry were evaluated using a special event tree. Sequences with failure to scram were transferred from other event trees to the ATWS tree. This section discusses the ATWS evaluation. Section IV.10.1 discusses development of success criteria. Section IV.10.2 discusses the event tree construction and accident sequence delineation. Section IV.10.3 discusses the quantification of ATWS sequences.

IV.10.1 ATWS Model Development and Success Criteria Definition

The major ATWS analytical work which determined phenomenological issues and success criteria (for Westinghouse plants) was published in WCAP-8330. All ATWS models are based directly or indirectly on this analysis. Subsequent ATWS evaluations have produced refinements in some phenomenological areas and have generated more analytical results to support alternate success criteria. The intent of this study was to develop an ATWS model which included all phenomenological issues previously identified and which was based on consensus success criteria.

A review was performed of previous ATWS analyses from the following sources:

- NUREG-0460(28)
- SECY-83-293(30)
- Zion PRA
- Indian Point PRA
- Seabrook PRA
- Millstone-3 PRA(10)
- W Owners Group ATWS Rulemaking Comments(31)
- NUREG-1000

Based on this review, the success criteria in Table IV.10-1 were developed. The basis for selection of success criteria for this study is discussed below.

The document review indicated a significant distinction in success criteria for transients initiated at high power and those initiated from low power. Zion, Indian Point and Seabrook used 80% as the demarcation line for high and low power, while Millstone and the WOG used 25%. The relationship between power level and pressure rise is not well enough documented in the references to select which power level is appropriate. This study chose 25%, because the initiating event data, reviewed in Section IV.3 of this report, was correlated to 25%. The final frequency of high power transients calculated for this study is 3.4/yr, which compares favorably to 3.6/yr in the WOG comments and 4.0/yr in SECY-83-293.

Selection of success criteria for this study was based on not allowing RCS pressure to exceed 3200 psi. This value was chosen because it corresponds to stress level C limits of the ASME Code. Peak RCS pressure is related to the value of the reactor's moderator temperature coefficient (MTC) at the time of ATWS. There exists a critical value of MTC, above which there is insufficient negative feedback to maintain RCS pressure below 3200 psi regardless of relief valve operation. For this study, the important parameter is the percent of time the MTC is above the critical value, rather than the critical MTC value itself. However, it appears the critical MTC value is -7 pcm/°F. Based on the document review, an upper bound value of 0.05 and a lower bound value of 0.001 was selected. This translates to a mean value of 0.014 with an error factor of 7.

Transients initiated from low power have no restrictions on MTC. Pressure can be maintained below 3200 psi for transients initiated from low power, regardless of MTC, if relief valve opening is successful. In addition, NUREG-0460 develops the idea that if MTC is very negative, reactivity feedback is great enough to maintain pressure below 3200 psi, even if multiple relief valves fail to open. Failure of pressure relief under conditions of very low MTC is therefore considered a negligible contributor to core damage. The amount of time a very low MTC exists was taken as 0.5, from NUREG-0460.

NUREG-0460, SECY-83-093, Zion, Indian Point, Millstone and the WOG comments all required turbine trip for transients from high power in order to prevent core damage. The phenomenological reason for this is not clear, but to be consistent with the other studies, turbine trip was required for all loss of main feedwater events from high power except when very low MTC exists. Failure to trip the turbine was assumed to result in overcooling of the RCS cold legs, which would add positive reactivity to the core. This would aggravate the ongoing ATWS and was assumed to lead to overpressurization of the RCS, regardless of the pressure relief capacity that was available. Turbine trip was not required for transients from low power or transients with main feedwater available.

Primary pressure relief requires three SRVs. Since PORVs are typically 1/2 the capacity of SRVs, two SRVs and two PORVs were also allowed. This relief capacity was sufficient to maintain pressure below 3200 psi, if MTC was below -7 pcm/°F and turbine trip was successful.

Emergency boration and SG inventory makeup were required for all ATWS events, regardless of power level. SG inventory could be supplied by MFW or 700 gpm flow from AFW. These criteria are consistent with Zion.

NUREG-0460, Zion, Indian Point, Seabrook and the WOG allow mitigation of stuck open relief valves under certain conditions. SECY-83-093 did not address them. This study assumed that stuck open relief valves during ATWS would be safely mitigated if HPI was successful.

IV.10.2 ATWS Event Tree and Phenomenology

The ATWS event tree is shown in Figure IV.10-1. The headings were developed to include all of the essential phenomenological considerations which were discussed in the previous section. Containment systems were not included on the event tree. ATWS events do not directly impair the operability of any containment system. ATWS sequences leading to core damage with impaired containment system operability are generally of very low probability compared to other core damage sequences with impaired containment. It is therefore justified to omit containment systems from the ATWS event tree. Should some sequence have a particularly high frequency (10 or so), containment systems operability can be evaluated for these sequences using the T3 event tree.

Each of the headings on the tree is discussed below.

R - Manual Reactor Trip - This is the first heading on the tree. If the operator manually scrams the reactor, ATWS is over and there are no further unique mitigative requirements. Manual reactor scram must occur within one minute. It is accomplished by opening the reactor trip breakers. This can be done by de-energizing the shunt trip from the control room or removing power at the motor-generator set.

PL - Power Level - This heading does not represent an action or a system failure, but is a logic model convenience to delineate different success criteria for the high and low power condition.

Z - Moderator Temperature Coefficient - As with the power level heading, this is a logic model convenience to delineate the three conditions of MTC. The use of two headings, Z1 and Z, separates the tree into three regimes. Z1 is very low moderator temperature coefficient (less than -20 pcm/°F) and Z is unfavorable MTC (greater than -7 pcm/°F).

T - Turbine Trip - This heading identifies the requirement to trip the turbine within one minute of the initiating event.

P - Primary Pressure Relief - This heading identifies the need for the SRVs and PORVs to open to maintain pressure below 3200 psi.

L - AFW - This heading represents a requirement for SG inventory makeup. This can be met by MFW or enhanced AFW.

Q - RVC - This requirement is for all relief valves to reclose after the initial pressure spike subsides. If a PORV or SRV fails to reclose, it causes a requirement for HPI flow from SI or charging pumps.

D4/D2 - HPI - This heading represents the need for emergency boration, using the HPI pumps and boric acid transfer pumps (D4). D2 is required for those sequences where a relief valve has failed to reclose. Success of HPI, drawing suction from the RWST, will provide subcriticality as well as inventory makeup.

The ATWS procedure at Surry directs the operator to open a PORV to reduce primary pressure and speed up the boration process. The action was included in the model for D4, although it may not be necessary to accomplish emergency boration (it was not a significant contributor). Emergency boration was required to be initiated within 10 minutes of the initiating event.

IV.10.3 ATWS Quantification

ATWS sequences were quantified separately for each initiating event. This was necessary in order to retain electrical power dependencies for each initiating event. In addition, some actions such as turbine trip or AFW operation were not required for T3. The sequence naming scheme did not include power level (PL) or existence of very favorable moderator temperature coefficient (Z1). These events are not system failures, but are pre-existing conditions which may affect the success criteria for other events. The frequency for TKRD4, therefore, includes contributions from all power levels and all MTC conditions.

Many of the events on the tree were independent of all other events, and could be quantified by hand rather than by using SETS. The values used for independent events, for each initiating event, are shown in Table IV.10.3-1.

Table IV.10-1
ATWS Success Criteria Summary Information

EVENT: ATWS

REACTOR SUBCRITICALITY:
  Manual insertion of control rods by operator
  OR
  Emergency boration using 1 charging pump, taking suction from Boric Acid Tank, discharging through the Boron Injection Tank, and remaining at elevated temperature to maintain subcriticality

CORE HEAT REMOVAL, EARLY:
  MFW
  OR
  2 MDP
  OR
  1 TDP

RCS INTEGRITY:
  All SRV, PORV must reclose

RCS PRESSURE RELIEF:
  Turbine Trip (except T3)
  OR
  MSIV closure (except T3)
  AND
  3 SRVs
  OR
  2 SRVs and 2 PORVs
  (See comments for when pressure relief (PR) is required)

COMMENTS:
  1. Entry into the ATWS tree assumes the RPS failed.
  2. AFW must be supplied to 3 of 4 SG.
  3. If MTC < -20 pcm/°F no PR required.
  4. If MTC > -7 pcm/°F PR not possible.
  5. Turbine Trip not required for low power initiators, or if MTC is very low.
  6. MTC criteria apply to high power only.

Table IV.10.3-1
Probabilities Used For Independent Events In ATWS

Initiating  % transients  Failure of   Failure of   Unfavorable  Very low  Failure of    Failure of primary
event       from high     reactor      manual       MTC (6)      MTC (7)   turbine trip  pressure relief
            power (1)     scram (2)    scram (4)    (Z)                    (T)           (P2)
                          (K)          (R)

T1          .6            1E-5 (3)     1.0 (5)      .014         .5        0.0 (8)       4E-4
T2          .6            6E-5         .17          .014         .5        0.001 (9)     4E-4
T3          .6            6E-5         .17          .014         .5        0.0 (10)      4E-4
T4          .6            6E-5         .17          .014         .5        0.0 (8)       4E-4
T5          .6            6E-5         .17          .014         .5        0.0 (8)       4E-4

Notes To Table IV.10.3-1

1. Power level of 25% defined the high power / low power break point. The split fraction for high/low power event frequencies was derived from Surry specific data in NUREG/CR-3862.
2. Scram failure probabilities based on information in NUREG-1000. Mechanical failures account for 1E-5, electrical failures account for 5E-5. Surry has shunt trip device installed.
3. Electrical portion of RPS will de-energize upon loss of offsite power. Only mechanical failures of rods are important for T1.
4. Failure of manual scram includes two contributors, the percentage of RPS failures for which manual scram is ineffective, and the operator failure to initiate manual scram. Manual scram is only effective for electrical failures of the RPS (i.e., 83%). Operator error to perform manual scram is .001.
5. RPS failure probability for T1 represents mechanical failures only, for which manual scram is not effective.
6. Probability of unfavorable MTC based on ATWS evaluations (see Section IV.10.1).
7. Probability of very low MTC based on NUREG-0460.
8. Turbine trip or MSIV closure will occur as a result of initiator.
9. Surry has turbine trip circuitry which is independent of RPS.
10. Turbine trip not required.


[Figure IV.10-1 ATWS Event Tree. Column headings: MRT, TBT, PPR, AFW, RVC, HPI; event codes: R, PL, Z1, Z, T, P2, L2, Q, D4/D2. Entry: ATWS transfer from other trees. Branch labels: PL = Hi, PL < 25%, MTC > -7 pcm/°F, MTC < -20 pcm/°F. End states: OK or CD; core damage sequences shown: TKRD4, TKRQD2, TKRL2, TKRP2, TKRT, TKRZ.]

IV.11 Uncertainty/Sensitivity Analysis

There are various sources of uncertainty in the numerical results of this study. This section discusses specific sources of uncertainty for the Surry study, discusses the manner in which the uncertainties were evaluated, and presents the results of the uncertainty/sensitivity analysis.

IV.11.1 Treatment of Uncertainties

Two basic types of uncertainty were addressed in the Surry study, parameter value uncertainty and modeling uncertainty. Parameter values of interest are the basic events of the probability models and include failure rates, component unavailabilities, initiating event frequencies, and human error probabilities. The key difference between parameter value uncertainty and modeling uncertainty is the following. Parameters can take on any of a continuous range of values, and the fact that there is uncertainty as to which value is the correct one does not change the structure of the logic model. On the other hand, modeling hypotheses are generally discrete. Uncertainty in the choice of which hypothesis is correct cannot generally be accommodated by a unified logic model. Different hypotheses may well lead to different logic models, and in fact may require different parametric data.

Parameter value uncertainties have been handled in past PRAs by defining a probability distribution on the value of each parameter such that the nth percentile of the distribution represents the value below which the analyst has a degree of belief of n/100 that the true value lies. This subjectivist approach to the representation of uncertainty makes the propagation of parameter value uncertainty through the final results mathematically straightforward, using Monte Carlo or other sampling techniques.

Modeling uncertainties can be evaluated by defining discrete probability distributions over the different modeling hypotheses. However, it is important to understand how the different assumptions can affect the results. This is the role of the sensitivity analyses which were performed for the modeling uncertainties identified as being potentially significant. Some sensitivity analyses were also performed on what would be regarded as parameter value uncertainties for reasons discussed in the following subsection.

J IV.ll.l.1 Representation of Parameter Value Uncertainty [ l The subjectivist approach of defining a probability distribution on parameter values was , adopted. The uncertainty range characterized by the distributions varies in origin.

If the estimates are based on plant specific data, the range should be characteristic of j the statistical uncertainty of the po

[ are generic (or non plant specific) thepulation from be range should which the data came. characteristic of thoseIf factors-the estimates which may affect the failure properties of the component in the different uses and environments from which the data for the estimates has been gathered.. Thus the range. l should include, for instance, plant-to-plant variation. In either case the probability distributional form for this study was taken as the lognormal distribution because of computer code (SEP) limitations. Two of the major areas where judgements are made with respect to parameter value- .' estimation are the definition of the population of components, and the choice and interpretation of the applicable data. An example of the first type is the decision as to I IV-254 i

    ~ .                             .        .    .         . _ - . _ .    -             .-           .-- - - -
          -whether al'1 motor, driven pumps should constitute the ; population, or whether, the different sized pumps should form their. own populations.. Generally if sufficent. plant -

specific data were available, it was utilized. Otherwise, a generic population was defined, with an appropriate uncertainty range on the failure parameter estimate. l An' example of the second judgement area is the use.of the LER/NPE data to estimate common cause failure parameters. There are differing opinions as to how events should t be screened for applicability to a particular plant. Different schemes would lead to i different estimators and each scheme would have its own uncertainty characterization. l While the different schemes could be combined to give a broader distribution it is also of' interest to see- explicitly the effect of certain assumptions. Consequently for the common cause failure probabilities and certain other parameters whose estimates were - felt to be less defendable, it was decided to perform sensitivity studies which essentially i amounted to shifting the probability distributions. This can be regarded in a sense as ( representing analyst to analyst uncertainty.' j IV.ll.2 Sources of Uncertainty

All aspects of the Surry PRA were reviewed to identify sources of uncertainty, both conservative and non-conservative. Table IV.11.2-1 is a list of the most significant sources. Those in group B are associated with modeling assumptions. Those in group A are associated with the interpretation of data and the application of various estimation methods and are specific concerns, rather than a more general concern with parameter value uncertainty. The issues are identified here because they are candidates for uncertainty and sensitivity analysis.

IV.11.3 Results of Uncertainty/Sensitivity Analysis

In general, parameter value uncertainty was evaluated using statistical sampling codes. The results of this analysis are discussed in Section IV.11.3.1. The specific issues identified in Table IV.11.2-1 are handled through sensitivity studies. The discussion and results of the sensitivity studies are found in Section V.4.

In order to evaluate the impact of the uncertainty in the parameter values on the overall sequence frequencies, a Monte Carlo simulation was performed on Boolean equations developed for total core damage frequency and for each plant damage state frequency. The Boolean equations were developed by combining the cutsets representing at least 90% of the frequency of each applicable dominant sequence frequency. The Monte Carlo simulation was performed with the SEP computer code, using a sample size of 2400 samples. The values for events derived from the same piece of generic data or plant specific data were coupled for the analysis. The data used in the uncertainty analysis were median values and their associated error factors computed from the data base included in Section IV.8. The results of the uncertainty analysis performed for the base case analysis, including mean values, 95% upper and 5% lower bounds for total core damage and each plant damage state, are shown in Table IV.11.3-1.
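The propagation described above can be sketched as follows. This is an added illustration, not the SEP code and not part of the original report: the event names, data values, the lognormal reading of median and error factor (EF = 95th percentile / median) and the rare-event sum over cut sets are all assumptions.

```python
import math
import random
import statistics

Z95 = 1.645  # 95th percentile of the standard normal distribution

# Constructed data base (NOT Surry data): source -> (median, error factor).
DATA = {
    "LOSP-IE": (0.07, 3.0),   # loss of offsite power, per year
    "DG-FS": (0.02, 3.0),     # diesel generator fails to start, per demand
    "DG-MA": (0.006, 5.0),    # diesel generator out for maintenance
    "NR-AC": (0.1, 2.0),      # AC power not recovered in time
}
# Hypothetical basic events -> data source. Events that share a source are
# "coupled": they take the same sampled value within a trial.
EVENTS = {
    "T1": "LOSP-IE",
    "DG-A-FS": "DG-FS",
    "DG-B-FS": "DG-FS",
    "DG-A-MA": "DG-MA",
    "DG-B-MA": "DG-MA",
    "NRAC": "NR-AC",
}
# Hypothetical minimal cut sets of a station blackout sequence.
CUTSETS = [
    ("T1", "DG-A-FS", "DG-B-FS", "NRAC"),
    ("T1", "DG-A-FS", "DG-B-MA", "NRAC"),
    ("T1", "DG-A-MA", "DG-B-FS", "NRAC"),
]


def lognormal_sigma(error_factor):
    """Log-space standard deviation, taking EF = 95th percentile / median."""
    return math.log(error_factor) / Z95


def draw(data, events, rng, coupled=True):
    """One trial: a sampled value for every basic event.

    The constructed medians are far enough below 1 that no truncation of
    sampled probabilities is applied here.
    """
    def sample(source):
        median, ef = data[source]
        return rng.lognormvariate(math.log(median), lognormal_sigma(ef))

    if coupled:
        # One draw per data source, reused by every event that cites it.
        per_source = {source: sample(source) for source in data}
        return {event: per_source[source] for event, source in events.items()}
    # Uncoupled comparison case: an independent draw for every event.
    return {event: sample(source) for event, source in events.items()}


def cutset_sum(cutsets, values):
    """Rare-event approximation: sum over cut sets of the event product."""
    return sum(math.prod(values[e] for e in cutset) for cutset in cutsets)


def point_estimate(cutsets, events, data):
    """Sequence frequency with every event set to its median."""
    medians = {event: data[source][0] for event, source in events.items()}
    return cutset_sum(cutsets, medians)


def propagate(cutsets, events, data, n=2400, seed=1986, coupled=True):
    """Monte Carlo propagation; returns mean and 5%/50%/95% percentiles."""
    rng = random.Random(seed)
    totals = sorted(
        cutset_sum(cutsets, draw(data, events, rng, coupled)) for _ in range(n)
    )

    def percentile(p):
        return totals[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(totals),
        "p05": percentile(0.05),
        "median": percentile(0.50),
        "p95": percentile(0.95),
    }


if __name__ == "__main__":
    print("median point estimate:", point_estimate(CUTSETS, EVENTS, DATA))
    print("coupled  :", propagate(CUTSETS, EVENTS, DATA))
    print("uncoupled:", propagate(CUTSETS, EVENTS, DATA, coupled=False))
```

Coupling matters most for the first cut set, where the same sampled diesel start failure value is squared: the coupled mean is higher than the uncoupled one, and both exceed the point estimate built from medians.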


Table IV.11.2-1 Sources Of Uncertainty In Surry PRA

A. Uncertainty in Parameter Estimates

1. Check valve failure rates used for interfacing LOCA are a) not for the specific failure modes of interest, or b) based on zero occurrences of event of interest.

2. Failure and recovery probabilities for CCF of SW valves are based on incomplete knowledge of failure mechanisms.

3. Beta factors used in CCF methodology are generic.

4. Human error probabilities used in sequence quantification were derived from propagation of basic human error probabilities. Overall numbers were called means and assigned EF of 10. Alternative interpretations of statistical significance of HEPs are available.

5. Initiating event frequencies for LOCAs are based on scarce data and are not well correlated to size for small end of break size.

6. Probabilities for loss of and recovery of offsite power are generic. Probabilities for non-recovery of offsite power in long term are based on very few occurrences.

7. Frequencies used for loss of AC and DC buses are based on sparse data. Applicability of failure data to postulated failure modes is uncertain.

B. Uncertainty Due to Modeling Assumptions

1. Probability of PORV demand after Ti, T4, T3 is assumed to be 1.0. Assumption based on incomplete knowledge of RCS pressure response to transients.

2. Seal LOCA model based on expert opinion of seal behaviour as of October 1985. Operating experience with loss of seal cooling is non-existent. Test data is sparse.

3. Non-safety grade or non-tech spec equipment was generally not included in base case analysis.

4. Actual plant response to station blackout is uncertain. Battery depletion time, ability to cool core without control power, impact of primary depressurization are currently based on best guess assumptions.

5. Operator response during station blackout is a matter of conjecture. Priorities and resources devoted to recovery of plant systems, offsite power, diesel generators, or gas turbine generators during an actual station blackout are not predictable in a similar manner to other events.

Table IV.11.3-1 Summary Of The Surry Base Case Uncertainty Analysis

                        MEAN*       95% UPPER    5% LOWER
                        VALUE       BOUND        BOUND
CORE DAMAGE             2.6E-5      6.7E-5       7.1E-6
PLANT DAMAGE STATES
  AYYB                  2.2E-6      7.6E-6       1.5E-7
  AYNI                  6.2E-8      1.0E-7       6.8E-12
  AYNB                  8.3E-8      3.1E-7       5.3E-10
  AYNN                  1.8E-10     5.5E-10      7.1E-13
  ANNN                  3.8E-9      1.4E-8       4.1E-11
  SYYB                  7.8E-6      2.5E-5       9.2E-7
  SYNI                  4.7E-8      6.8E-8       4.0E-10
  SNNN                  7.5E-6      2.6E-5       4.8E-7
  TYYB                  4.8E-6      1.5E-5       7.4E-7
  TYNI                  9.5E-10     3.3E-9       7.4E-12
  TNNN                  2.6E-6      8.8E-6       1.8E-7
  V                     1.0E-6      3.5E-6       2.0E-8

* Frequency of Occurrence Per Reactor Year

V. RESULTS

This section presents the final results of the Surry PRA Update. These results include the dominant core damage sequences, their frequencies and contributors, plant damage state frequencies, uncertainty analysis, and results of sensitivity studies on the key issues of the study. In addition, a comparison of these results with those of WASH-1400 and the results of the importance analysis are presented.

Section V.1 presents the results from the perspective of overall core damage frequency; statistical uncertainty; and sensitivity studies on key issues of modeling, success criteria, and data development. Section V.2 presents the results from the perspective of plant damage states. Section V.3 describes the core damage sequences on an individual basis and identifies their dominant contributors. Section V.4 presents a detailed discussion of the sensitivity studies and Section V.5 compares the results of this study with the results of WASH-1400. Differences in results due to plant modifications, failure data, and study methodology are discussed. Finally, Section V.6 presents the results of the importance analysis performed for the base case results.

V.1 Characterization of Core Damage Frequency at Surry

This study resulted in the identification of twenty core damage sequences with a frequency greater than 1.0E-7 per reactor year. In addition, another eight sequences were retained to provide full coverage of all plant damage states. This set of sequences is referred to as the dominant core damage sequences. These sequences, their frequencies and the plant damage state assignments are shown in Table V.1-1. A brief description of each sequence greater than 1.0E-7 is provided in Table V.1-2. The individual sequences are discussed in more detail in Section V.3.

The mean value of the sum of the dominant sequence frequencies is 2.6E-5 per reactor year. Uncertainty analysis was performed on the total core damage frequency, using the SEP code. The results are shown as follows.

Upper 95% Bound    6.7E-5
Mean Value         2.6E-5
Median Value       1.9E-5
Lower 5% Bound     7.1E-6

These numbers represent the mean value and associated confidence limits of the total core damage frequency for the base case. Uncertainty analysis was performed on the frequency of each plant damage state in a similar manner. These results are presented and discussed in Section V.2.

Sensitivity studies were performed on several key issues to identify the impact of data selection and modeling assumptions on core damage frequencies and uncertainties. Selection of the sensitivity studies and discussions of each study are in Section V.4. The sensitivity studies and their impact on core damage frequency are summarized in Table V.1-3. The total core damage frequency and each plant damage state frequency were recalculated for each sensitivity study. In addition, uncertainty analysis using SEP was done for each sensitivity study. Calculating the uncertainty on each sensitivity study enables the construction of a "box and whisker" type graphic presentation of core damage frequencies. The "box" represents the range of the means of the sensitivity studies while the "whiskers" represent the 95% and 5% uncertainty bounds on core damage frequency and the sensitivity results as indicated in the figures. The inner "whiskers" represent the 95% and 5% uncertainty bounds on the base case core damage frequency. The outer "whiskers" represent the 95% uncertainty bound for the highest sensitivity study and the 5% uncertainty bound for the lowest sensitivity study. The box and whisker results for total core damage frequency are shown in Figure V.1-1. The box and whisker charts for individual plant damage states are shown in Figure V.1-2.

Table V.1-1 Surry Dominant Accident Sequences

Sequence             Frequency*    Plant Damage State
T g(SL)-Di CF g      6.6E-6        SNNN
SD 3i                2.6E-6        TYYB
T 43Q-Hg             1.9E-6        SYYB
T 4HQ-Hg             1.6E-6        SYYB
T iL(LT)DgCF g       1.3E-6        TNNN
T gL(ST)DgCF i       1.3E-6        TNNN
T iLP                1.1E-6        TYYB
TKRD 4               1.1E-6        TYYB
EVENT-V              9.0E-7        EVENT-V
SH2g                 8.9E-7        SYYB
T439-h2              8.1E-7        SYYB
SgHg                 7.7E-7        AYYB
StDg                 7.1E-7        AYYB
S2 D;                7.1E-7        SYYB
T 4HQ-H2             6.8E-7        SYYB
TKRZ                 4.8E-7        SYYB
AD 3                 3.9E-7        AYYB
AH g                 3.9E-7        AYYB
SH22                 3.3E-7        SYYB
T gQ-D gCFg          3.2E-7        SNNN
SFFii2               7.0E-8        AYNB
S 2HgF Fi2           5.0E-8        SYNI
SHFFii2 i            5.0E-8        AYNI
AF Fi2               3.5E-8        AYNB
AH F Fii2            2.5E-8        AYNI
SDDC g6i             2.7E-9        ANNN
AD6i DC              1.4E-9        ANNN
T gLFgF2             1.0E-9        TYNI

CORE DAMAGE TOTAL    2.5E-5

* point estimate based on propagation of mean values.

Table V.1-2 Accident Sequences Greater Than 10-7/R-Yr At Surry

Sequence          Frequency*   Description
Ti(SL)-D iCF1     6.6E-6       Station blackout leading to RCP seal LOCA, followed by failure to restore AC power within 1/2 hr. of seal LOCA.
SD3g              2.6E-6       Very small LOCA - Failure of high pressure coolant injection.
T 43Q-Hi          1.9E-6       Loss of 480V Bus J - Stuck open PORV - Failure to isolate - Failure of low pressure recirc.
T4gQ-H1           1.6E-6       Loss of 480V Bus H - Stuck open PORV - Failure to isolate - Failure of low pressure recirc.
TyL(LT)D iCF1     1.3E-6       Station blackout - (No seal LOCA) Battery depletion at 4 hrs. - Nonrecovery AC power within 3 hours of battery depletion.
TyL(ST)D iCF1     1.3E-6       Station blackout - Failure of AFW to start - Nonrecovery AC power within 1/2 hr.
TyLP              1.1E-6       Loss of offsite power - Failure of AFW - Failure to feed & bleed via two PORVs.
TKRD 4            1.1E-6       ATWS - Failure of manual scram - Failure of emergency boration.
EVENT-V           9.0E-7       Interfacing LOCA.
SH2y              8.9E-7       Small LOCA - Failure of low pressure coolant recirc.
T4gQ-H2           8.1E-7       Loss of 480V Bus J - Stuck open PORV - Failure to isolate - Failure of high pressure recirc.
SH gy             7.7E-7       Medium LOCA - Failure of low pressure coolant recirc.
SD gi             7.1E-7       Medium LOCA - Failure of coolant injection.
S0 21             7.1E-7       Small LOCA - Failure of coolant injection.
T 4HQ-H2          6.8E-7       Loss 480V Bus H - Stuck open PORV - Failure to isolate - Failure of high pressure recirc.
TKRZ              4.8E-7       ATWS - Failure of manual scram - Unfavorable MTC results in RCS overpressure.
AD                3.9E-7       Large LOCA - Failure of accumulators.
AH i              3.9E-7       Large LOCA - Failure of low pressure coolant recirc.
SH 22             3.3E-7       Small LOCA - Failure of high pressure coolant recirc.
T10-D i CF1       3.2E-7       Station blackout - Stuck open PORV (unable to isolate) - Nonrecovery AC power in 1 hr.

* point estimate based on propagation of mean values.

Table V.1-3 Summary Of Sensitivity Studies In Surry PRA

Each entry gives the study number, the subject, the total core damage frequency*, and the description of the sensitivity study.

1. Seal LOCA during Station Blackout. Total core damage frequency*: 4.3E-5
Base case seal LOCA model assumes mean time to seal LOCA of approximately 4.5 hrs. after loss of all seal cooling. This sensitivity study represents a pessimistic seal LOCA model based on the Zion seal LOCA model. Seal LOCA assumed to occur 1/2 hour after station blackout. Recovery of AC power required within 1/2 hour of seal LOCA to prevent core damage.

2. Seal LOCA during Station Blackout. Total core damage frequency*: 2.1E-5
This sensitivity study represents an optimistic seal LOCA model which assumes a much longer mean time to seal LOCA (on the order of 24 hours), which virtually eliminates seal LOCA events from the station blackout model.

2a. Seal LOCA during Station Blackout. Total core damage frequency*: 2.5E-5
Small seal LOCA size. Base case assumes total seal LOCA flowrate is 1350 gpm. Here total flowrate is 450 gpm. This allows two hours after seal LOCA for recovery of HPI flow to prevent core damage.

3. Recovery of Offsite Power after Station Blackout. Total core damage frequency*: 1.9E-5
Use of Cluster 6 in NUREG-1032 for recovery of offsite power, rather than Cluster 7. Cluster 7 is mid-range of all clusters. Cluster 6 is better than average.

4. Credit for Non-Safety Grade Gas Turbine Generator. Total core damage frequency*: 2.1E
This sensitivity study includes the gas turbine generator at Surry site as a means of supplying emergency AC power. Gas turbine was originally designed and intended for black start capability. Now used for power peaking. Not under Tech Specs. Sensitivity study assumed gas turbine could be made available 1 hr. after station blackout. Assumed unavailability prior to demand was 0.25. Probability of failure assumed to be 0.1.

5. Recovery From CMF of SW Valves. Total core damage frequency*: 2.6E-5
Recovery from CMF of the CHR-SW valves, by manually opening the valves, was included in the study. The probability used for recovery in the base case was 0.1. This value represents subjective estimate rather than evaluation of failure processes. A sensitivity study was run assuming less probability of recovery. The upper bound for non-recovery was 0.95, the lower bound was 0.05. The median was 0.22 and EF = 4.36.

6. Beta Factors. Total core damage frequency*: 3.6E-5
Assumed the values in EPRI NP-3967 are mean values. Base case assumes they are upper bounds.

7. Beta Factors. Total core damage frequency*: 2.2E-5
All generic beta factors were set to zero.

8. Check Valve Beta Factors. Total core damage frequency*: 3.8E-5
Use "MOV-beta factors" on check valves in the Event V calculation.

9. Interfacing LOCA Optimistic Failure Rates (FR). Total core damage frequency*: 2.6E-5
Base Case - Failure rate for check valve rupture is 1.3E-8/hr. Failure rate for check valve leakage is SE-7/hr. This sensitivity study reduces failure rate for rupture to 4E-9/hr. Leakage failure rate reduced to 1.6E-7. See text for justification of values.

10. Interfacing LOCA Pessimistic Failure Rates. Total core damage frequency*: 2.9E-5
Failure rate for rupture increased to 4.3E-8/hr. Failure rate for leakage unchanged. See text for justification of values.

11. ECCS Failure Caused by Containment Failure. Total core damage frequency*: 3.1E-5
Sensitivity study assumes containment failure due to overpressure always leads to core damage via loss of ECC systems. Base case predicts that containment failure due to overpressure leads to core damage only 2% of the time.

12. PORV Demand Rate. Total core damage frequency*: 2.1E-5
Base case PORV demand rate was chosen as 1.0 for T 1, T 4 and T S initiators. Sensitivity study reduces demand rate for these transients by a factor of 10.

13. Combination of SS3, SS4, and SS6. Total core damage frequency*: 2.4E-5

* calculated mean values

[Figure V.1-1 Box and Whisker Presentation of Surry Total Core Damage Frequency. Logarithmic axis from 10-6 to 10-4. Labeled points, from top to bottom: 1.1E-4, 95% upper bound, Sensitivity Study 1 (pessimistic seal LOCA model); 95% upper bound, base case; mean value, Sensitivity Study 1 (pessimistic seal LOCA model); 2.6E-5, mean value, base case; 1.9E-5, mean value, Sensitivity Study 3 (increased recovery of AC power); 7.1E-6, 5% lower bound, base case; 5% lower bound, Sensitivity Study 12 (lower PORV demand rate).]

[Figure V.1-2 Box and Whisker for Individual Plant Damage States. Plant damage state identifiers shown: SNNN, SYYB, TYYB, TNNN, AYNB, AYYB.]

[Figure V.1-2 (Cont'd) Box and Whisker for Individual Plant Damage States. Plant damage state identifiers shown: TYNI, AYNI, SYNI, AYNN, ANNN.]

V.2 Characterization of Plant Damage State Frequencies

The development of plant damage states has been previously discussed in Section IV.4.2. The frequency and uncertainty of each plant damage state was calculated for each sensitivity study which could potentially impact it. This allows construction of a box and whisker for each plant damage state. The plant damage state box and whiskers are shown in Figure V.1-2. The following sections describe each plant damage state in more detail.

V.2.1 Plant Damage State SYYB

Plant damage state SYYB is characterized by small LOCA sequences with successful injection of the RWST inventory into the containment, and all containment systems available. The sequences which contribute to this plant damage state are:

l) SH MRZ T43 H2 2 g 4) Q
2) SH 22 5) T g3Q-Hg 3) T 4HQ-H2
3) 5D 2 i 6) T 4HQ-Hg

The sequences in this plant damage state are generally caused by mechanical failures of valves and pumps in the HPI and LPI systems. The frequency of this plant damage state is potentially impacted by the common cause failure modeling of the study and the selection of PORV demand probabilities. Sensitivity studies 6 (high beta values), 7 (no beta values) and 12 (reduced PORV demand) are, therefore, applicable to this plant damage state.

The base case frequency of this plant damage state is 7.8E-6. Elimination of the beta factor modeling reduces the frequency to 7.1E-6 while increasing the beta factors by a factor of 2.4 increases the frequency to 9.2E-6. Reduction of the PORV demand rate has the biggest impact, reducing the frequency to 3.2E-6.

V.2.2 Plant Damage State SNNN

This plant damage state is characterized by small LOCA sequences without injection of the RWST inventory into containment, and failure of all containment systems. The sequences which contribute to this plant damage state are:

1) T g(SL)-DgCF g
2) T gQ-D gCF g

This plant damage state is dominated by station blackout sequences followed by a seal LOCA or a stuck open PORV. The sensitivity studies concerned with the seal LOCA model, recovery of offsite power, credit for the gas turbine generator, PORV demand rate as well as the common cause failure modeling may potentially impact this plant damage state. In addition, sensitivity study 2A also affects this plant damage state, in that it moves the seal LOCA sequence to the TNNN plant damage state. The base case frequency of this plant damage state is 7.5E-6. Sensitivity Study 2A (small seal LOCA) has the greatest reducing impact, reducing the frequency to 3.2E-7, while Sensitivity Study 1 (assumed seal LOCA at 1/2 hour) has the greatest increasing impact, increasing the frequency to 2.6E-5.

V.2.3 Plant Damage State SYNI

This plant damage state is characterized by small LOCAs, successful injection of the RWST into containment, followed by failure of all containment systems. This plant damage state is characterized by only one sequence:

1) 5HFF 23g2

This is caused by an S2 LOCA followed by common cause plugging of both containment sumps. This leads to a loss of LPR and containment spray systems. The value used for containment sump plugging was 3E-5/demand, based on the Zion PRA Study. No sensitivity studies were done on this sequence. The frequency of this plant damage state for the base case is 5E-8/yr.

V.2.4 Plant Damage State AYNN

This plant damage state is characterized by large LOCAs, successful injection of the RWST inventory into the containment, followed by failure of all containment systems. The dominant sequences in this plant damage state are:

1) SgCF g
2) ACF 3

These sequences involve containment failures caused by failure of the containment heat removal systems. These sequences were determined to result in failure of the low pressure recirculation system only 2 percent of the time. The frequency of this plant damage state includes only that portion of the sequences which result in core damage.

The frequency of these sequences are dominated by common cause failure of the containment heat removal service water valves and the containment spray pumps. Sensitivity Study 6 (increased beta), Sensitivity Study 7 (eliminate beta), and Sensitivity Study 11 (ECCS failure after containment failure) were applied to this plant damage state. Assuming containment failure causes ECCS failure has the greatest impact, increasing frequency to 8.3E-9.

V.2.5 Plant Damage State ANNN

This plant damage state is characterized by large LOCAs, without injection of the RWST into containment and the subsequent failure of all containment systems. This plant damage state has two sequences.

1) SDDC g6 g
2) AD6i DC

These sequences are dominated by unavailability of the RWST. A single failure probability was used for the RWST to include all possible events such as rupture, improper venting or blockage. No sensitivity studies were performed on this plant damage state.

The frequency of this plant damage state for the base case is 3.8E-9/yr.
V.2.6 Plant Damage State AYNB

This plant damage state is characterized by large LOCAs, successful injection of the RWST inventory into the containment followed by failure of containment heat removal systems in the recirculation phase, but operability of sprays until the time of containment failure. The following sequences contribute to this plant damage state:

1) SFF gg2
2) AF g2F

These sequences involve containment failure as a result of loss of containment heat removal. This was evaluated to result in loss of the ECCS in only 2% of the cases. The frequency of this plant damage state includes only that portion of these sequences which are predicted to result in core damage.

The frequency of this plant damage state is dominated by common cause failure of the containment heat removal service water valves. The sensitivity studies that apply to plant damage state AYNB are reducing the recovery probability of the service water valves to .67 (Sensitivity Study 5) and assuming ECCS always fails after containment failure (Sensitivity Study 11).

The mean frequency of the plant damage state is 3.3E-8. Sensitivity study 5 increases the frequency to 6.3E-7, while sensitivity study 11 increases the frequency to 4.2E-6.

V.2.7 Plant Damage State AYNI

This plant damage state is characterized by large LOCAs, followed by successful injection of the RWST inventory into containment, followed by failure of all containment systems in the recirculation phase. The following sequences contribute to this plant damage state:

l) SHFF g gg2
2) AHgg2 FF

These sequences are dominated by common cause plugging of both containment sump compartments. This leads to a loss of LPR and containment spray systems. The value used for containment sump plugging was SE-5/demand, based on the ZION PRA. No sensitivity studies were done on these sequences. The frequency of this plant damage state is 6.2E-8.

V.2.8 Plant Damage State AYYB

This plant damage state is characterized by large LOCAs, followed by successful injection of the RWST into containment and successful operation of all containment systems. The sequences which dominate this plant damage state are:

1) AH g 3) SD gg
2) SHgg 4) AD S

This plant damage state is impacted by Sensitivity Study 6 (increase of beta factors) and Sensitivity Study 7 (elimination of beta factors). Sensitivity Study 6 results in an increase in the frequency from a base case of 2.2E-6 to 3.1E-6 while Sensitivity Study 7 reduces frequency to 1.8E-6.

V.2.9 Plant Damage State TNNN

This plant damage state is characterized by transient induced core damage with no containment systems available. The sequences which dominate this plant damage state are:

1) T 3L(LT)D gCF g
2) T 3L(ST)DgCF g

These sequences are dominated by station blackout events (i.e., loss of all AC power) with failure of AFW, and as such are potentially impacted by Sensitivity Study 3 (recovery of offsite power), Sensitivity Study 4 (credit for gas turbine generator) and Sensitivity Studies 6 and 7 (beta factors). These sequences are also impacted by the seal LOCA Sensitivity Studies 1, 2, and 2A because these sequences and seal LOCA sequences are mutually exclusive.

The frequency of the base case is 2.6E-6. Sensitivity Study 2A (smaller seal LOCA) results in the largest increase, to 8.0E-6, while Sensitivity Study 3 reduces frequency the most, to 1.1E-6.

V.2.10 Plant Damage State TYYB

This plant damage state is characterized by transient induced core damage with successful injection of the RWST into containment and availability of all containment systems. This plant damage state is dominated by:

1) TKRD 4
2) T gLP
3) S3 D;

The base case frequency is 4.8E-6. Only the beta factor sensitivity studies (6 and 7), and the offsite power recovery study apply to this plant damage state. Higher beta factors increase this frequency to 8.8E-6, while reducing beta factors reduce this plant damage state to 2.2E-6.

V.2.11 Plant Damage State TYNI

This plant damage state is characterized by transient induced core damage with successful injection of the RWST into containment and failure of all containment systems in the recirculation phase. The following sequences dominate TYNI:

1) T g LF F 32
2) T2LF 32 F

These sequences involve containment failure due to loss of all containment heat removal. Containment failure was calculated to lead to core damage in 2% of the cases. The frequency of this plant damage state represents only that portion of the sequences which lead to core damage.

The frequency of this plant damage state is dominated by common cause failure of the containment heat removal service water valves. Sensitivity Studies 5 (reduction of CCF recovery factor), 3 (increased recovery of AC power), and 11 (ECCS failure after containment failure) apply to this plant damage state. The base case frequency is 9.5E-10. Sensitivity study 11 increases this to 4.7E-8.

V.2.12 Event V

This plant damage state is entirely comprised of interfacing LOCAs. Sensitivity studies were done to explore the impact of postulated common cause failure of check valves, as well as increasing or decreasing the failure probabilities of the check valves. The base case mean frequency is 1.0E-6, while the sensitivity study values ranged from 1.1E-5 for postulated common cause failure of check valves to 1.1E-7 for reduced frequency of check valve rupture.

                                             +

i l

                                                                                                                    .       l V.3 Characterization of Dominant Sequence Frequencies                                                     i x  j The-dominant core damage sequences and their associated plant damage states were                          l previously identified in Sections V.1 and V.2.- Table V.3-1 shows the core ~ damage sequences which are greater than 1.0E-7. The following subsections discuss each of th'ese j-
        .        sequences and provide a listing of the ~ dominant cut sets and the definitions of the-associated terms. Nonrecovery terms are included in these cut sets.
      )                                                                                                 ,
              ) V.3.1 Sequence Tg (SL)-Dg CF i

This sequence is initiated by a loss of offsite power (T1) for greater than 1/2 hour and failure of two diesel generators resulting in station blackout at Unit 1 (i.e., loss of all AC power). The availability of power to Unit 2 was not included. Station blackout results in the unavailability of the high pressure injection system (D1), containment spray system (C), and the inside spray recirculation system (F1). This sequence is grouped in the SNNN plant damage state.

Loss of all AC power results in a loss of seal injection flow to the reactor coolant pumps (RCPs) and a loss of component cooling water to the RCP thermal barriers. This condition results in vulnerability of the RCP seals to failure. The probability of the occurrence of a seal LOCA was modeled probabilistically as a function of time following total loss of seal cooling (see Appendix A). Core damage was estimated to begin 1 hour following onset of a seal LOCA if high pressure injection (HPI) flow was not restored by this time.

The dominant contributors to failure to restore HPI within an hour of a seal LOCA are failure to restore AC power within 1/2 hour after seal LOCA or failure of the operator to properly restore component cooling to HPI following AC power recovery. Restoration of AC (offsite) power within 1/2 hour of the seal LOCA was required in the station blackout model in order to provide HPI flow by 1 hour. The 1/2 hour time lag was included to allow for restoration of plant power, intake canal water inventory, component cooling water, and other required support systems prior to establishing HPI flow (see Appendix A for more discussion).

Recovery of AC power with the gas turbine generator or offsite sources is explored in Sensitivity Studies 3 and 4. Surry has a unique service water system (i.e., gravity fed through the intake canal) which may provide complications during and recovering from a station blackout, but this was not shown to be a dominant contributor to this sequence.

The frequency of this sequence is estimated as:

T1(SL)-D1CF1 = 6.6E-6

The dominant contributors to this sequence frequency are listed and discussed below:


Table V.3-1 Accident Sequences Representing 99% of Total Core Damage Frequency at Surry

Sequence          Frequency*   % of Total Core Damage Frequency   Plant Damage State
T1(SL)-D1CF1      6.6E-6       26.4                               SNNN
S3D1              2.6E-6       10.4                               TYYB
T4JQ-H1           1.9E-6       7.6                                SYYB
T4HQ-H1           1.6E-6       6.4                                SYYB
T1L(LT)D1CF1      1.3E-6       5.2                                TNNN
T1L(ST)D1CF1      1.3E-6       5.2                                TNNN
T1LP              1.1E-6       4.4                                TYYB
TKRD4             1.1E-6       4.4                                TYYB
V                 9.0E-7       4.0                                V
S2H1              8.9E-7       3.6                                SYYB
T4JQ-H2           8.1E-7       3.2                                SYYB
S1H1              7.7E-7       3.1                                AYYB
S1D1              7.1E-7       2.8                                AYYB
S2D1              7.1E-7       2.8                                SYYB
T4HQ-H2           6.8E-7       2.7                                SYYB
TKRZ              4.8E-7       1.9                                SYYB
AD5               3.9E-7       1.6                                AYYB
AH1               3.9E-7       1.6                                AYYB
S2H2              3.3E-7       1.3                                SYYB
T1Q-D1CF1         3.2E-7       1.3                                SNNN

* Point estimate based on propagation of mean values for basic events.

Cut Set                                                        Cut Set Frequency
T1*OEP-BETA-DGENFS*NRACPI-2HR*SLOCA*NRACSL                     1.3E-6
T1*OEP-BETA-DGENFR*NRACPI-2HR*SLOCA*NRACSL                     9.1E-7
T1*OEP-DGN-FS-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*SLOCA*NRACSL     7.0E-7
T1*OEP-DGN-FS-DG01*OEP-DGN-MA-DG03*NRACPI-2HR*SLOCA*NRACSL     7.0E-7
T1*OEP-DGN-MA-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*SLOCA*NRACSL     7.0E-7
T1*OEP-DGN-FR-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*SLOCA*NRACSL     4.8E-7
T1*OEP-DGN-MA-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*SLOCA*NRACSL     4.8E-7
T1*OEP-DGN-FR-DG01*OEP-DGN-MA-DG03*NRACPI-2HR*SLOCA*NRACSL     4.8E-7
T1*OEP-DGN-FS-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*SLOCA*NRACSL     4.8E-7
T1*OEP-DGN-FR-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*SLOCA*NRACSL     3.3E-7

TERM DESCRIPTIONS

T1 - Loss of Offsite AC Power; F(T1) = 7.0E-2/reactor year.
NRACPI-2HR - Failure to recover AC power within 1/2 hour; P(NRACPI-2HR) = 5.1E-1.
NRACSL - Failure to provide HPI flow within 1 hour following seal LOCA occurrence (weighted average calculated from seal LOCA model); P(NRACSL) = 2.5E-1. Human error contributes .025.
OEP-BETA-DGENFS - Common cause failure of diesel generators #1 and #3 to start on demand; P(OEP-BETA-DGENFS) = 2.3E-4.
OEP-BETA-DGENFR - Common cause failure of diesel generators #1 and #3 to run for 6 hours; P(OEP-BETA-DGENFR) = 1.6E-4.
OEP-DGN-FS-DG01 - Failure of diesel generator #1 to start on demand; P(OEP-DGN-FS-DG01) = 1.1E-2.
OEP-DGN-FR-DG01 - Failure of diesel generator #1 to continue to run for 6 hours; P(OEP-DGN-FR-DG01) = 7.5E-3.
OEP-DGN-MA-DG01 - Diesel generator #1 unavailable due to maintenance activities; P(OEP-DGN-MA-DG01) = 1.1E-2.
OEP-DGN-FS-DG03 - Failure of diesel generator #3 to start on demand; P(OEP-DGN-FS-DG03) = 1.1E-2.
OEP-DGN-FR-DG03 - Failure of diesel generator #3 to continue to run for 6 hours; P(OEP-DGN-FR-DG03) = 7.5E-3.
OEP-DGN-MA-DG03 - Diesel generator #3 unavailable due to maintenance activities; P(OEP-DGN-MA-DG03) = 1.1E-2.
SLOCA - Cumulative probability of seal LOCA occurrence within 6 hours following loss of seal cooling; P(SLOCA) = 6.5E-1.
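Each cut set frequency listed above for the station blackout with seal LOCA sequence is the product of the initiator frequency and the basic-event probabilities in the term descriptions, and the sum over the cut sets (rare-event approximation) gives the sequence estimate. The following Python is an added example, not part of the report: the function names are this example's own, the key `T1` stands for the loss-of-offsite-power initiator, and every number is transcribed from the term descriptions and cut set list above.

```python
from math import prod

# Initiator frequency (per reactor year) and basic-event probabilities,
# transcribed from the TERM DESCRIPTIONS of this sequence.
EVENTS = {
    "T1": 7.0e-2,               # loss of offsite AC power (initiator)
    "NRACPI-2HR": 5.1e-1,       # AC power not recovered within 1/2 hour
    "NRACSL": 2.5e-1,           # HPI not provided within 1 hour of seal LOCA
    "SLOCA": 6.5e-1,            # seal LOCA within 6 hours of loss of cooling
    "OEP-BETA-DGENFS": 2.3e-4,  # common cause: both diesels fail to start
    "OEP-BETA-DGENFR": 1.6e-4,  # common cause: both diesels fail to run
    "OEP-DGN-FS-DG01": 1.1e-2,
    "OEP-DGN-FR-DG01": 7.5e-3,
    "OEP-DGN-MA-DG01": 1.1e-2,
    "OEP-DGN-FS-DG03": 1.1e-2,
    "OEP-DGN-FR-DG03": 7.5e-3,
    "OEP-DGN-MA-DG03": 1.1e-2,
}

# Recovery and seal-LOCA terms shared by every cut set of this sequence.
TAIL = "*NRACPI-2HR*SLOCA*NRACSL"

# (cut set, frequency as listed in the report)
LISTED = [
    ("T1*OEP-BETA-DGENFS" + TAIL, 1.3e-6),
    ("T1*OEP-BETA-DGENFR" + TAIL, 9.1e-7),
    ("T1*OEP-DGN-FS-DG01*OEP-DGN-FS-DG03" + TAIL, 7.0e-7),
    ("T1*OEP-DGN-FS-DG01*OEP-DGN-MA-DG03" + TAIL, 7.0e-7),
    ("T1*OEP-DGN-MA-DG01*OEP-DGN-FS-DG03" + TAIL, 7.0e-7),
    ("T1*OEP-DGN-FR-DG01*OEP-DGN-FS-DG03" + TAIL, 4.8e-7),
    ("T1*OEP-DGN-MA-DG01*OEP-DGN-FR-DG03" + TAIL, 4.8e-7),
    ("T1*OEP-DGN-FR-DG01*OEP-DGN-MA-DG03" + TAIL, 4.8e-7),
    ("T1*OEP-DGN-FS-DG01*OEP-DGN-FR-DG03" + TAIL, 4.8e-7),
    ("T1*OEP-DGN-FR-DG01*OEP-DGN-FR-DG03" + TAIL, 3.3e-7),
]


def parse_cut_set(text):
    """Split 'A*B*C' into terms, rejecting unknown or repeated events."""
    terms = [t.strip() for t in text.split("*") if t.strip()]
    unknown = [t for t in terms if t not in EVENTS]
    if unknown:
        raise KeyError(f"no probability listed for: {unknown}")
    if len(set(terms)) != len(terms):
        raise ValueError(f"repeated event in cut set: {text}")
    return tuple(terms)


def cut_set_frequency(text):
    """Product of the initiator frequency and the basic-event probabilities."""
    return prod(EVENTS[t] for t in parse_cut_set(text))


def sequence_frequency():
    """Rare-event approximation: sum of the cut set frequencies."""
    return sum(cut_set_frequency(cs) for cs, _ in LISTED)


def fussell_vesely(event):
    """Share of the summed frequency carried by cut sets containing `event`."""
    hit = sum(cut_set_frequency(cs) for cs, _ in LISTED
              if event in parse_cut_set(cs))
    return hit / sequence_frequency()


def two_sig_fig_mismatches():
    """Cut sets whose recomputed value rounds differently from the listed one."""
    return [cs for cs, listed in LISTED
            if f"{cut_set_frequency(cs):.1e}" != f"{listed:.1e}"]


if __name__ == "__main__":
    for cs, listed in LISTED:
        print(f"{cut_set_frequency(cs):.2e}  (listed {listed:.1e})  {cs}")
    print(f"sum of cut sets: {sequence_frequency():.2e} per reactor year")
    ccf = fussell_vesely("OEP-BETA-DGENFS") + fussell_vesely("OEP-BETA-DGENFR")
    print(f"share from common cause diesel failures: {ccf:.1%}")
    print("rounding mismatches:", two_sig_fig_mismatches())
```

The recomputed sum agrees with the sequence estimate of 6.6E-6; the one cut set that does not round to its listed value is the common cause failure-to-run set.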

V.3.2 Sequence S3D1

This sequence is initiated by a very small LOCA (less than 1/2" equivalent diameter) followed by failure of high pressure injection (D1). This sequence is grouped in the TYYB plant damage state.

The dominant contributor to this sequence is common cause failure of MOV-1867C and MOV-1867D in the HPI discharge line. This failure mode precludes use of alternate injection path through MOV 1842, due to the assumption of common cause failure at this MOV.

Surry is better equipped to mitigate very small LOCAs than some plants due to their ability to cross connect HPI from Unit 2 and the RWST from Unit 2. Core damage frequency from all S3 initiators is less than that expected at some other plants due to the expectation that very small LOCAs will not result in actuation of the containment spray system. This eliminates the need to go to recirculation. The ability to cross-connect RWSTs at Surry supports this prediction.

The frequency of this sequence is estimated as:

S3D1 = 2.6E-6

The dominant contributors to this sequence frequency are listed and discussed below:

Cut Set                                   Cut Set Frequency
S3*HPI-MOV-LF-1867C*BETA-MOV              2.5E-6
S3*CPC-CCF-PG-STRAB*HPI-XHE-FO-UNIT2      4.0E-8
S3*CV25-FTO*HPI-XHE-FO-UNIT2              2.6E-8
S3*CV410-FTO*HPI-XHE-FO-UNIT2             2.6E-8
S3*XV24-PLUG*HPI-XHE-FO-UNIT2             1.0E-8

TERM DESCRIPTIONS

S3 - Very Small LOCA, D < 1/2"; F(S3) = 2.0E-2/reactor year.
HPI-MOV-LF-1867C - Failure of MOV-1867C to open; P(HPI-MOV-LF-1867C) = 3.8E-3
BETA-MOV - Beta factor for motor operated valves; P(BETA-MOV) = 3.3E-2
CPC-CCF-PG-STRAB - Common cause plugging of both HPI Service Water Strainers; P(CPC-CCF-PG-STRAB) = 2.0E-4
HPI-XHE-FO-UNIT2 - Failure to provide HPI flow to the discharge of Unit 1 HPI pumps using charging pumps at Unit 2; P(HPI-XHE-FO-UNIT2) = 1.0E-2
CV25-FTO - Check valve 25 fail to open; P(CV25-FTO) = 1.3E-4
CV410-FTO - Check valve 410 fail to open; P(CV410-FTO) = 1.3E-4
XV24-PLUG - Manual valve 24 plugged; P(XV24-PLUG) = 1.0E-4

V.3.3 Sequence T4JQ-H1

This sequence is initiated by failure of 480V bus 1J or 1J-1 (T4J), followed by failure of pressurizer PORVs to close following a transient (Q), and failure of the low pressure suction for the high pressure recirculation system (H1). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by loss of the 1J or 1J-1 480V bus due to failure of the 4160/480V transformer. In order to isolate the transformer, the feed breaker from the 4160V bus is opened and both 480V buses are lost. This causes loss of one vital instrumentation bus which will result in reactor trip. Due to the potential for impaired ability at Surry to control reactor pressure under these circumstances, the PORVs were conservatively assumed to be demanded open. Loss of the 1J 480V bus also results in failure of the B train of the low pressure recirculation system and the inability to close the PORV block valve powered from the 1J bus. In addition, the B train of the containment spray system (CSS) and the inside and outside spray recirculation systems (ISRS and OSRS) are unavailable due to the initiating event. The A trains of CSS, ISRS, and OSRS operate as designed to remove containment heat, but failure of recirculation core cooling results in core damage.

The dominant contributors to failure of the low pressure suction for the high pressure recirculation system are hardware failures in the LPI suction lines or failure of the available LPI pump.

The PORV demand rate was conservatively selected to be 1.0 for this class of transients, in part due to the practice of frequently running with the SG-ADVs blocked. Impact of alternative demand rates is explored in Sensitivity Study 12.

A key factor in this sequence is failure of PORV 1455-C to close and the inability to isolate it, using block valve 1536, because power to 1536 is lost due to the initiator.

Another important factor is the assumption that 480VAC bus 1J-1 would be lost along with 480VAC bus 1J for the duration of the event. Both of these buses must be lost for the duration of the event to yield the cut sets listed below.

The frequency of this sequence is estimated as:

T4JQ-H1 = 1.9E-6

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                          Cut Set Frequency
T4J*QJ*LPR-PSF-FC-SUCTA          1.1E-6
T4J*QJ*MDPSI1A-FTS               3.5E-7
T4J*QJ*MDPSI1A-TM                2.1E-7
T4J*QJ*LPI-MDP-FR-A24HR          1.4E-7

TERM DESCRIPTIONS

T4J - Loss of 480 VAC bus 1J; F(T4J) = 9.0E-3/reactor year.
QJ - Probability of nonisolable stuck open PORV following a T4J initiator; P(QJ) = 1.2E-2.

LPR-PSF-FC-SUCTA - Failure of RWST isolation MOV 1862A to close or sump suction MOV 1860A to open; P(LPR-PSF-FC-SUCTA) = 1.0E-2.
MPSI1A-FTS - LPI pump 1A fails to start; P(MDPSI1A-FTS) = 3.2E-3
MDPSI1A-TM - LPI pump 1A in maintenance; P(MDPSI1A-TM) = 1.9E-3
LPI-MDP-FR-A18HR - Failure of LPI motor-driven pump SI1A to run for 18 hours; P(LPI-MDP-FR-A18HR) = 1.3E-3.

V.3.4 Sequence T4HQ-H1

This sequence is initiated by failure of 480V bus 1H or 1H-1 (T4H), followed by failure of pressurizer PORVs to close following a transient (Q), and failure of the low pressure suction for the high pressure recirculation system (H1). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by loss of the 1H or 1H-1 480V bus due to the failure of the 4160/480V transformer. In order to isolate the transformer a common feed breaker from the 4160V bus is opened, thus losing power to the intact bus. This causes loss of one vital instrumentation bus which will result in reactor trip. Due to the potential for impaired ability at Surry to control reactor pressure under these circumstances, the PORVs were conservatively assumed to be demanded open. Loss of the 480V 1H bus also results in failure of the A train of the low pressure recirculation system and the inability to close the PORV block valve powered by the 1H bus. In addition, the A train of the containment spray system (CSS) and the inside and outside spray recirculation systems (ISRS and OSRS) are unavailable due to the initiating event. The B trains of CSS, ISRS, and OSRS would operate as designed to remove containment heat, but failure of recirculation core cooling results in core damage.

The dominant contributors to failure of the low pressure suction for the high pressure recirculation system are hardware failures in the LPI suction lines or failure of the available LPI pump.

The PORV demand rate was conservatively selected to be 1.0 for this class of transients, in part due to the practice of frequently running with the SG-ADVs blocked. Impact of alternative demand rates is explored in Sensitivity Study 12.

A key factor in this sequence is failure of PORV 1456 to close and the inability to isolate it, using block valve 1535, because power to 1535 is lost due to the initiator. Another key factor is the assumption that both buses 1H and 1H-1 are lost for the duration of the event. Both buses must be lost for the duration of the event to yield the cut sets listed below.

The frequency of this sequence is estimated as:

T4HQ-H1 = 1.6E-6

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                          Cut Set Frequency
T4H*QH*LPR-PSF-FC-SUCTB          9.0E-7
T4H*QH*MDPSI1B-FTS               2.9E-7
T4H*QH*MDPSI1B-TM                1.7E-7
T4H*QH*LPI-MDP-FR-B18HR          1.2E-7

TERM DESCRIPTIONS

T4H - Loss of 480 VAC bus 1H; F(T4H) = 9.0E-3/reactor year.
QH - Probability of a nonisolable stuck open PORV following a T4H initiator; P(QH) = 1.0E-2.
LPR-PSF-FC-SUCTB - Failure of RWST isolation MOV 1862B to close or sump suction MOV 1860B to open; P(LPR-PSF-FC-SUCTB) = 1.0E-2.
MPSI1A-FTS - LPI pump 1B fails to start; P(MDPSI1A-FTS) = 3.2E-3
MDPSI1A-TM - LPI pump 1B in maintenance; P(MDPSI1A-TM) = 1.9E-3
LPI-MDP-FR-B18HR - Failure of LPI motor-driven pump SI1B to run for 18 hours; P(LPI-MDP-FR-B18HR) = 1.3E-3.

V.3.5 Sequence T1L(LT)D1CF1

This sequence is initiated by a loss of offsite power (T1) for greater than 1/2 hour and failure of two diesel generators resulting in station blackout (SBO) at Unit 1. Availability of power at Unit 2 was not included. SBO at Unit 1 results in long term failure of the auxiliary feedwater system L(LT). Station blackout results in the unavailability of the high pressure injection system (D1), containment spray system (C) and the inside spray recirculation system (F1). This sequence is grouped in the TNNN plant damage state.

In this sequence, following station blackout, the turbine-driven AFW pump successfully starts and continues to run. If, after approximately 4 hours, AC power is not recovered, battery depletion was considered to occur. This results in loss of all instrumentation and control power. The plant cannot be maintained in a stable condition indefinitely without instrumentation or control power. Consistent with NUREG/CR-3226, a time frame of approximately 3 hours was allowed for restoration of AC power, before core damage would begin.

The frequency of this sequence is estimated as:

T1L(LT)D1CF1 = 1.3E-6

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                                             Cut Set Frequency
T1*OEP-BETA-DGENFS*NRACPI-2HR*NRACP-7HR*NSLOCA                      2.6E-7
T1*OEP-BETA-DGENFR*NRACPI-2HR*NRACP-7HR*NSLOCA                      1.8E-7
T1*OEP-DGN-FS-DG01*OEP-DGN-MA-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      1.4E-7
T1*OEP-DGN-MA-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      1.4E-7
T1*OEP-DGN-FS-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      1.4E-7
T1*OEP-DGN-FR-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      9.2E-8
T1*OEP-DGN-MA-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      9.2E-8
T1*OEP-DGN-FR-DG01*OEP-DGN-MA-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      9.2E-8
T1*OEP-DGN-FS-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      9.2E-8
T1*OEP-DGN-FR-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*NRACP-7HR*NSLOCA      6.3E-8

TERM DESCRIPTIONS

T1 - Loss of offsite AC power; F(T1) = 7.0E-2/reactor year.
NRACPI-2HR - Failure to recover AC power within 1/2 hour; P(NRACPI-2HR) = 5.1E-1.
NRACP-7HR - Conditional failure probability to recover AC power within 7 hours, given it was not recovered by 1/2 hour; P(NRACP-7HR) = 9.0E-2.
NSLOCA - Probability of no seal LOCA (calculated from the seal LOCA model); P(NSLOCA) = 3.5E-1.
OEP-BETA-DGENFS - Common cause failure of diesel generators #1 and #3 to start on demand; P(OEP-BETA-DGENFS) = 2.3E-4.
OEP-BETA-DGENFR - Common cause failure of diesel generators #1 and #3 to run for 6 hours; P(OEP-BETA-DGENFR) = 1.6E-4.
OEP-DGN-FS-DG01 - Failure of diesel generator #1 to start on demand; P(OEP-DGN-FS-DG01) = 1.1E-2.
OEP-DGN-FR-DG01 - Failure of diesel generator #1 to continue to run for 6 hours; P(OEP-DGN-FR-DG01) = 7.5E-3.
OEP-DGN-MA-DG01 - Diesel generator #1 unavailable due to maintenance activities; P(OEP-DGN-MA-DG01) = 1.1E-2.
OEP-DGN-FS-DG03 - Failure of diesel generator #3 to start on demand; P(OEP-DGN-FS-DG03) = 1.1E-2.
OEP-DGN-FR-DG03 - Failure of diesel generator #3 to continue to run for 6 hours; P(OEP-DGN-FR-DG03) = 7.5E-3.
OEP-DGN-MA-DG03 - Diesel generator #3 unavailable due to maintenance activities; P(OEP-DGN-MA-DG03) = 1.1E-2.

V.3.6 Sequence T1L(ST)D1CF1

This sequence is initiated by a loss of offsite power (T1) for greater than 1/2 hour and failure of two diesel generators resulting in station blackout at Unit 1. Availability of power at Unit 2 was not included. Core damage in this sequence is caused by short-term failure of the AFW system L(ST). Station blackout also results in the unavailability of the high pressure injection system (D1), containment spray system (C), and the inside spray recirculation system (F1). This sequence is grouped in the TNNN plant damage state.

This sequence involves station blackout followed by failure of the turbine-driven AFW pump train. All core heat removal is unavailable after failure of AFW. Core damage was estimated to begin in approximately 1 hour if AFW and HPI flow had not been restored by that time. Restoration of AC (offsite) power was required 1/2 hour prior to the time HPI could be restored. The 1/2 hour time lag was included in the recovery model to allow for restoration of plant power, intake canal water inventory, component cooling water, and other required support systems, prior to restoration of HPI flow.

The dominant failure modes of the turbine-driven AFW pump are the failure of the pump to initially start or unavailability of the pump due to maintenance activities.

The frequency of this sequence is estimated as:

T1L(ST)D1CF1 = 1.3E-6

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                                             Cut Set Frequency
T1*OEP-BETA-DGENFS*NRACPI-2HR*AFW-PSF-LF-PTRN2                      2.5E-7
T1*OEP-BETA-DGENFR*NRACPI-2HR*AFW-PSF-LF-PTRN2                      1.7E-7
T1*OEP-DGN-FS-DG01*OEP-DGN-MA-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      1.3E-7
T1*OEP-DGN-FS-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      1.3E-7
T1*OEP-DGN-MA-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      1.3E-7
T1*OEP-DGN-FR-DG01*OEP-DGN-FS-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      9.2E-8
T1*OEP-DGN-MA-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      9.2E-8
T1*OEP-DGN-FR-DG01*OEP-DGN-MA-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      9.2E-8
T1*OEP-DGN-FS-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      9.2E-8
T1*OEP-DGN-FR-DG01*OEP-DGN-FR-DG03*NRACPI-2HR*AFW-PSF-LF-PTRN2      6.2E-8

TERM DESCRIPTIONS

T1 - Loss of offsite AC power; F(T1) = 7.0E-2/reactor year.
AFW-PSF-LF-PTRN2 - Failure of turbine-driven AFW pump train 2 to provide flow due to faults in pipe segment PS80; P(AFW-PSF-LF-PTRN2) = 3.1E-2.
NRACPI-2HR - Failure to recover AC power within 1/2 hour; P(NRACPI-2HR) = 5.1E-1.
OEP-BETA-DGENFS - Common cause failure of diesel generators #1 and #3 to start on demand; P(OEP-BETA-DGENFS) = 2.3E-4.

OEP-BETA-DGENFR - Common cause failure of diesel generators #1 and #3 to run for 6 hours; P(OEP-BETA-DGENFR) = 1.6E-4.
OEP-DGN-FS-DG01 - Failure of diesel generator #1 to start on demand; P(OEP-DGN-FS-DG01) = 1.1E-2.
OEP-DGN-FS-DG03 - Failure of diesel generator #3 to start on demand; P(OEP-DGN-FS-DG03) = 1.1E-2.
OEP-DGN-MA-DG01 - Diesel generator #1 unavailable due to maintenance activities; P(OEP-DGN-MA-DG03) = 1.1E-2.
OEP-DGN-FR-DG01 - Failure of diesel generator #1 to continue to run for 6 hours; P(OEP-DGN-FR-DG01) = 7.5E-3.
OEP-DGN-FR-DG03 - Failure of diesel generator #3 to continue to run for 6 hours; P(OEP-DGN-FR-DG03) = 7.5E-3.

V.3.7 Sequence T1LP

This sequence is initiated by a loss of offsite power (T1) for greater than 1/2 hour, followed by failure of the auxiliary feedwater (AFW) system (L), and failure of feed and bleed cooling due to an insufficient number of open PORVs.

This sequence, initiated by loss of offsite power, includes successful operation of one or more diesel generators. Failure of the AFW system causes a demand for feed and bleed cooling. Charging flow is available, but various failures prevent one of the two PORVs from opening. Success criteria requires that two PORVs open for successful feed and bleed. All containment systems would be available, however the steam generators are unavailable as a heat sink due to loss of AFW. The resultant heatup and eventual boil off of the primary coolant leads to core damage.

The dominant contributors to the sequence frequency are undetected flow diversion of the Unit 1 AFW flow to Unit 2 through the AFW cross connect or the common cause failure of all three AFW pumps due to steam binding resulting from check valve leakage coupled with mechanical failure of either of the two PORVs. None of the AFW failures were recoverable, because cross connect of AFW from Unit 2 was not modeled after transients which affect both units. These contributors account for approximately 65% of the sequence frequency.
The frequency of this sequence is estimated as:

T1LP = 1.1E-6

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                                                          Cut Set Frequency
T1*AFW-PSF-FC-XCONN*PPS-PSF-FT-1455C                                             2.3E-7
T1*AFW-PSF-FC-XCONN*PPS-PSF-FT-1456                                              2.3E-7
T1*AFW-CCF-LK-STMBD*PPS-PSF-FT-1456                                              1.5E-7
T1*AFW-CCF-LK-STMBD*PPS-PSF-FT-1455C                                             1.5E-7
T1*OEP-DGN-MA-DG01*AFW-PSF-LF-PTR3B*AFW-PSF-LF-*NROSP-1HR                        5.3E-8
T1*OEP-DGN-FS-DG01*AFW-PSF-LF-PTR3B*AFW-PSF-LF-PTRN2*NROSP-1HR                   5.3E-8
T1*OEP-DGN-FR-DG01*AFW-PSF-LF-PTR3B*AFW-PSF-LF-PTRN2*NROSP-1HR                   3.6E-8
T1*OEP-DGN-MA-DG01*AFW-PSF-FC-XCONN*NROSP-1HR                                    3.1E-8
T1*OEP-DGN-FS-DG01*AFW-PSF-FC-XCONN*NROSP-1HR                                    3.1E-8
T1*OEP-DGN-FR-DG01*AFW-PSF-FC-XCONN*NROSP-1HR                                    2.1E-8
T1*OEP-DGN-FS-DG01*AFW-CCF-LK-STMBD*NROSP-1HR                                    2.0E-8
T1*OEP-DGN-MA-DG01*AFW-CCF-LK-STMBD*NROSP-1HR                                    2.0E-8
T1*OEP-DGN-MA-DG02*AFW-PSF-LF-PTR3A*AFW-PSF-LF-PTRN2*PPS-MOV-FC-1536*NROSP-1HR   1.6E-8
T1*OEP-DGN-FS-DG02*AFW-PSF-LF-PTR3A*AFW-PSF-LF-PTRN2*PPS-MOV-FC-1536*NROSP-1HR   1.6E-8
T1*OEP-DGN-MA-DG03*AFW-PSF-LF-PTR3A*AFW-PSF-LF-PTRN2*PPS-MOV-FC-1536*NROSP-1HR   1.6E-8
T1*OEP-DGN-FS-DG03*AFW-PSF-LF-PTR3A*AFW-PSF-LF-PTRN2*PPS-MOV-FC-1536*NROSP-1HR   1.6E-8
T1*OEP-DGN-FR-DG01*AFW-CCF-LK-STMBD*NROSP-1HR                                    1.4E-8
T1*OEP-DGN-FR-DG03*AFW-PSF-LF-PTR3A*AFW-PSF-LF-PTRN2*PPS-MOV-FC-1536*NROSP-1HR   1.1E-8
T1*OEP-DGN-FR-DG02*AFW-PSF-LF-PTR3A*AFW-PSF-LF-PTRN2*PPS-MOV-FC-1536*NROSP-1HR   1.1E-8

TERM DESCRIPTIONS

T1 - Loss of offsite AC power; F(T1) = 7.0E-2/reactor year.
AFW-PSF-FC-XCONN - Undetected flow diversion from Unit 1 AFW system through the cross-connect to Unit 2; P(AFW-PSF-FC-XCONN) = 1.3E-4.
AFW-CCF-LK-STMBD - Undetected leakage through AFW system valves CV27, CV58, or CV89 resulting in common cause steam binding of all three AFW pumps; P(AFW-CCF-LK-STMBD) = 8.5E-5.
AFW-PSF-LF-PTR3A - Same as 3B except pipe segment should be PS81 & pump train should be 3A.
AFW-PSF-LF-PTR3B - Failure of motor-driven AFW pump train 3B to provide flow due to faults in pipe segment PS82; P(AFW-PSF-LF-PTR3B) = 8.5E-3.
AFW-PSF-LF-PTRN2 - Failure of turbine-driven AFW pump train 2 to provide flow due to faults in pipe segment PS80; P(AFW-PSF-LF-PTRN2) = 3.1E-2.
AFW-BETA-PTRAB - Common cause failure of the motor-driven AFW pump trains; P(AFW-BETA-PTRAB) = 1.1E-4.
NROSP-1HR - Failure to recover offsite power within one hour; P(NROSP-1HR) = 3.1E-1.
OEP-DGN-FS-DG01 - Failure of diesel generator #1 to start on demand; P(OEP-DGN-FS-DG01) = 1.1E-2.
OEP-DGN-FS-DG02 - Failure of diesel generator #2 to start on demand; P(OEP-DGN-FS-DG02) = 1.1E-2.
OEP-DGN-FS-DG03 - Failure of diesel generator #3 to start on demand; P(OEP-DGN-FS-DG03) = 1.1E-2.
OEP-DGN-MA-DG01 - Diesel generator #1 unavailable due to maintenance activities; P(OEP-DGN-MA-DG01) = 1.1E-2.
OEP-DGN-MA-DG02 - Diesel generator #2 unavailable due to maintenance activities; P(OEP-DGN-MA-DG02) = 1.1E-2.
OEP-DGN-MA-DG03 - Diesel generator #3 unavailable due to maintenance activities; P(OEP-DGN-MA-DG03) = 1.1E-2.
OEP-DGN-FR-DG01 - Failure of diesel generator #1 to continue to run for 6 hours; P(OEP-DGN-FR-DG01) = 7.5E-3.
OEP-DGN-FR-DG02 - Failure of diesel generator #2 to continue to run for 6 hours; P(OEP-DGN-FR-DG02) = 7.5E-3.
OEP-DGN-FR-DG03 - Failure of diesel generator #3 to continue to run for 6 hours; P(OEP-DGN-FR-DG03) = 7.5E-3.
PPS-PSF-FT-1455C - Failure of PORV 1455C to open on demand; P(PPS-PSF-FT-1455C) = 2.5E-2.
PPS-PSF-FT-1456 - Failure of PORV 1456 to open on demand; P(PPS-PSF-FT-1456) = 2.5E-2.
PPS-MOV-FC-1536 - PORV block valve 1536 closed; P(PPS-MOV-FC-1536) = 3.0E-1.

V.3.8 Sequence TKRD4

This sequence is initiated by any transient requiring reactor scram (T), followed by a failure of the RPS to automatically scram the reactor (K), failure of the operator to manually scram the reactor (R), and failure of emergency boration using the PORVs and the charging pumps (D4). This sequence is grouped in the TYYB plant damage state.

This sequence is initiated by a transient requiring scram and failure of the RPS to scram the reactor. In addition, manual reactor scram fails due to either operator error or physical failure of the control rods or drives which prevent their insertion.

The dominant contributor to failure of emergency boration is operator error to correctly align and start (switch to fast speed) the boric acid transfer pumps within 10 minutes of the failure to scram.

The frequency of this sequence is estimated as:

TKRD4 = 1.1E-6

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                          Cut Set Frequency
T*K*R*PPS-XHE-FO-PORVS           8.1E-7
T*K*R*CVC-PSF-LF-BAT2A           2.6E-7

TERM DESCRIPTIONS

T - All transient initiating events requiring scram; F(T) = 6.6/reactor year.
K - Failure of the RPS to trip the reactor following a transient; P(K) = 6.0E-5.
R - Failure to manually trip the reactor following RPS failure; P(R) = 1.7E-1.
PPS-XHE-FO-PORVS - Operator fails to correctly perform emergency boration; P(PPS-XHE-FO-PORVS) = 1.2E-2.
CVC-PSF-LF-BAT2A - Failure of the boric acid transfer pump CH2A to provide sufficient flow for 1 hour; P(CVC-PSF-LF-BAT2A) = 3.8E-3.

V.3.9 Sequence V

The V sequence results from a failure of any one of the three pairs of check valves in series which are used to isolate the high pressure reactor coolant system from the low pressure injection system. The resultant flow into the low pressure system is assumed to result in failure (rupture) of the low pressure piping or components outside the containment boundary. Although core inventory makeup by the high pressure systems is initially available, inability to switch to recirculation would eventually lead to core damage. Due to the location of the postulated system failure, all containment safeguards are bypassed. This sequence is placed in a plant damage state by itself.

The configuration of the LPI discharge lines at Surry involves a single injection line, rated for low pressure, which has an open MOV in it. Downstream of the MOV, the piping is rated for high pressure conditions. The single line divides into three lines which each go to an RCS cold leg. Each high pressure line has two check valves. Small leakage past these two valves will flow to the RWST through the LPI pump mini-flow recirculation lines. The most restrictive point in this path is a two-inch line. It was estimated that check valve leakage on the order of 100 gpm could be diverted to the RWST without any risk of LPI system overpressure.

The failure modes of interest, event V, are those that produce sudden, large back leakage through the two high pressure check valves in any of the three cold leg injection lines. This was postulated to occur in three ways: A. Rupture of valve internals on both valves. " Rupture" connotes castastrophic loss of structural integrity. The implication is that the valve was holding pressure prior to its rupture. Rupture of both valves could occur any time between test periods. However, only one valve would be at risk at any time. Only the valve that is holding pressure is assumed to be able to rupture. B. Failure of one valve to close on repressurization, combined with rupture of the other valve. The test procedure at Surry must be done when depressurized. There is no assurance the valve remains closed on subsequent repressurizations. If one valve sticks in the open j position, the other valve is the only boundary between the high and  ! low pressure piping. Failure of two valves to close would be detected upon startup. C. Rupture of one valve with the previous (undetected) transfer open of the other valve. If one valve is holding pressure, the other valve can drif t open. It is postulated that one valve drif ts open and falls in the open position. The failure rate for this is 5.0E-7/hr. If this occurs prior to the rupture of the valve holding pressure, an interfacing LOCA will occur. It makes no difference whether the upstream or the downstream valve is the valve holding pressure. If the upstream valve (closest to the RCS) has a higher leak rate than the downstream valve, the space between the valves will be pressurized, the downstream valve will hold pressure and the upstream valve,is at risk for transferring open. If the upstream' valve has a lower leak rate than the downstream valve, the space between is not pressurized and the downstream valve can transfer open. 
For this analysis, it was assumed that the space between the valves was pressurized to RCS pressure or at atmospheric, depending on the relative leak rates of the valves. The dominant contributors are the undetected transfer open (thereby causing leakage if demanded), occurring between the yearly test, through one check valve and rupture of either check valve in any of the three pairs.

The frequency of this sequence is estimated as:

V = 9.0E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
LPI-CKV-RP-SI85 * LPI-CKV-LK-SI243 * D       2.6E-7
LPI-CKV-RP-SI82 * LPI-CKV-LK-SI242 * D       2.6E-7
LPI-CKV-RP-SI79 * LPI-CKV-LK-SI241 * D       2.6E-7
LPI-CKV-FT-SI243 * LPI-CKV-RP-SI85           1.6E-8
LPI-CKV-FT-SI85 * LPI-CKV-RP-SI243           1.6E-8
LPI-CKV-FT-SI242 * LPI-CKV-RP-SI82           1.6E-8
LPI-CKV-FT-SI82 * LPI-CKV-RP-SI242           1.6E-8
LPI-CKV-FT-SI241 * LPI-CKV-RP-SI79           1.6E-8
LPI-CKV-FT-SI79 * LPI-CKV-RP-SI241           1.6E-8
LPI-CKV-RP-SI243 * LPI-CKV-RP-SI85 * D       7.1E-9
LPI-CKV-RP-SI242 * LPI-CKV-RP-SI82 * D       7.1E-9
LPI-CKV-RP-SI241 * LPI-CKV-RP-SI79 * D       7.1E-9

TERM DESCRIPTIONS

LPI-CKV-LK-SI241 - Transfer open of LPI check valve SI241; one year fault exposure time; P(LPI-CKV-LK-SI241) = 4.4E-3.

LPI-CKV-LK-SI242 - Transfer open of LPI check valve SI242; one year fault exposure time; P(LPI-CKV-LK-SI242) = 4.4E-3.

LPI-CKV-LK-SI243 - Transfer open of LPI check valve SI243; one year fault exposure time; P(LPI-CKV-LK-SI243) = 4.4E-3.

LPI-CKV-RP-SI79 - Rupture of LPI check valve SI79; one year fault exposure time; P(LPI-CKV-RP-SI79) = 1.2E-4.

LPI-CKV-RP-SI82 - Rupture of LPI check valve SI82; one year fault exposure time; P(LPI-CKV-RP-SI82) = 1.2E-4.

LPI-CKV-RP-SI85 - Rupture of LPI check valve SI85; one year fault exposure time; P(LPI-CKV-RP-SI85) = 1.2E-4.

LPI-CKV-RP-SI241 - Rupture of LPI check valve SI241; one year fault exposure time; P(LPI-CKV-RP-SI241) = 1.2E-4.

LPI-CKV-RP-SI242 - Rupture of LPI check valve SI242; one year fault exposure time; P(LPI-CKV-RP-SI242) = 1.2E-4.

LPI-CKV-RP-SI243 - Rupture of LPI check valve SI243; one year fault exposure time; P(LPI-CKV-RP-SI243) = 1.2E-4.

LPI-CKV-FT-SI79 - Failure of LPI check valve SI79 to close; P(LPI-CKV-FT-SI79) = 1.3E-4.

LPI-CKV-FT-SI82 - Failure of LPI check valve SI82 to close; P(LPI-CKV-FT-SI82) = 1.3E-4.

LPI-CKV-FT-SI85 - Failure of LPI check valve SI85 to close; P(LPI-CKV-FT-SI85) = 1.3E-4.

LPI-CKV-FT-SI241 - Failure of LPI check valve SI241 to close; P(LPI-CKV-FT-SI241) = 1.3E-4.

LPI-CKV-FT-SI242 - Failure of LPI check valve SI242 to close; P(LPI-CKV-FT-SI242) = 1.3E-4.

LPI-CKV-FT-SI243 - Failure of LPI check valve SI243 to close; P(LPI-CKV-FT-SI243) = 1.3E-4.

D - Average demand factor for the second valve; P(D) = .5

V.3.10 Sequence S2H1

This sequence is initiated by a break in the RCS piping in the range of 1/2" < D < 2" (S2) followed by failure of the low pressure recirculation (LPR) system to provide suction for the high pressure recirculation (HPR) system (H1). This sequence is grouped in the SYYB plant damage state.

This sequence involves a small LOCA and failure of core coolant makeup in the recirculation phase. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of the LPR system to provide suction for the HPR system are common cause failure of the RWST suction valves to close, common cause failure of the sump suction valves to open, or the common cause failure of the LPI pumps to continue to start and run for 18 hours.

The frequency of this sequence is estimated as:

S2H1 = 8.9E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
S2*LPR-BETA-SUCTAB                           3.3E-7
S2*RMT-CCF-FA-MSCAL                          3.0E-7
S2*LPI-BETA-PTRAB                            1.9E-7
S2*LPR-PSF-FC-SUCTA*LPI-PSF-LF-PTRNB         3.5E-8
S2*LPI-PSF-LF-PTRNA*LPR-PSF-FC-SUCTB         3.5E-8

TERM DESCRIPTIONS

S2 - Small LOCA, 1/2" < D < 2"; F(S2) = 1.0E-3/reactor year.

LPR-BETA-SUCTAB - Common cause failure of RWST isolation MOVs 1862A and 1862B to close or sump suction MOVs 1860A and 1860B to open; P(LPR-BETA-SUCTAB) = 3.3E-4.

LPI-BETA-PTRAB - Common cause failure of LPI motor-driven pumps SI1A and SI1B to start and run for 18 hours; P(LPI-BETA-PTRAB) = 1.9E-4.

LPR-PSF-FC-SUCTA - Failure of RWST isolation MOV 1862A to close or sump suction MOV 1860A to open; P(LPR-PSF-FC-SUCTA) = 1.1E-2.

LPR-PSF-FC-SUCTB - Failure of RWST isolation MOV 1862B to close or sump suction MOV 1860B to open; P(LPR-PSF-FC-SUCTB) = 1.1E-2.

LPI-PSF-LF-PTRNA - Failure of LPI pump train SI1A to provide sufficient flow during injection; P(LPI-PSF-LF-PTRNA) = 3.2E-3.

LPI-PSF-LF-PTRNB - Failure of LPI pump train SI1B to provide sufficient flow during injection; P(LPI-PSF-LF-PTRNB) = 3.2E-3.

V.3.11 Sequence T43Q-H2

This sequence is initiated by failure of 480 V bus 13 or 13-1 (T43), followed by failure of pressurizer PORVs to close following a transient (Q), and failure of the high pressure recirculation system (H2). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by loss of the 13 or 13-1 480V bus due to failure of the 4160/480V transformer. In order to isolate the transformer a common feed breaker from the 4160V bus is opened and both 480V buses are lost. This causes loss of one vital instrumentation bus which will cause reactor trip. Due to the potential for impaired ability at Surry to control reactor pressure under these circumstances, the PORVs were conservatively assumed to be demanded open. Loss of the 480V 13 bus causes failure of train B of the high pressure recirculation system and the inability to close the PORV block valve powered from the 13 bus. In addition, the B train of the charging pump cooling system, containment spray system (CSS), and the inside and outside spray recirculation systems (ISRS and OSRS) are unavailable due to the initiating event. The A trains of CSS, ISRS, and OSRS would operate as designed to remove containment heat, but failure of core cooling recirculation would result in core damage.

The dominant contributors to failure of the high pressure recirculation system are mechanical failure of the LPI-HPI cross-over valves and failure of the service water and component cooling water pumps for the charging pump cooling system to continue to run for the mission time. The PORV demand rate was conservatively selected to be 1.0 for this class of transients in part due to the practice of frequently running with the SG-ADVs blocked. Impact of alternative demand rates is explored in Sensitivity Study 12. A key factor in this sequence is failure of PORV 1455-C to close and the inability to isolate it, using block valve 1536, because power to 1536 is lost due to the initiator. Another important factor is the assumption that 480VAC bus 13-1 would be lost along with 480VAC bus 1-3 for the duration of the event. Both of these buses must be lost for the duration of the event to yield the cut sets listed below.

The frequency of this sequence is estimated as:

T43Q-H2 = 8.1E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
T43*Q3*HPR-PSF-LF-SUCTA                      5.9E-7
T43*Q3*CPC-MDP-FR-CCA18                      1.0E-7
T43*Q3*HPR-MDP-FR-A18HR                      7.6E-8
T43*Q3*CPC-MDP-FR-10A18*CPC-XHE-FO-REALN     3.2E-8
T43*Q3*CPC-CCF-PG-ST18H*CPC-XHE-FO-REALN     5.4E

TERM DESCRIPTIONS

T43 - Loss of 480 VAC bus 13; F(T43) = 9.0E-3/reactor year.

Q3 - Probability of a nonisolable stuck open PORV following a T43 initiator; P(Q3) = 1.2E-2.

HPR-PSF-LF-SUCTA - Insufficient flow from LPI Pump A to the charging pump suction header; P(HPR-PSF-LF-SUCTA) = 5.5E-3.

CPC-MDP-FR-10A18 - Failure of charging pump cooling service water pump 10A to run for 18 hours; P(CPC-MDP-FR-10A18) = 3.0E-3.

CPC-MDP-FR-CCA18 - Failure of charging pump cooling component cooling water pump 2A to run for 18 hours; P(CPC-MDP-FR-CCA18) = 9.6E-4.

HPR-MDP-FR-A18HR - Failure of charging pump CH1A to run for 18 hours; P(HPR-MDP-FR-A18HR) = 7.0E-4.

CPC-CCF-PG-ST18H - Common cause plugging of charging pump cooling strainers 2A and 2B within 18 hours; P(CPC-CCF-PG-ST18H) = 5.0E-4.

CPC-XHE-FO-BYPAS - Failure of the operator to bypass the charging pump cooling strainers in the long term; P(CPC-XHE-FO-BYPAS) = 1.0E-1.

CPC-XHE-FO-REALN - Failure of the operator to realign the charging pump cooling system to bypass plugged strainers, in the long term; P(CPC-XHE-FO-REALN) = 1.0E-1.

V.3.12 Sequence S1H1

This sequence is initiated by a break in the RCS piping in the range 2" < D < 6" (S1) followed by failure of the low pressure recirculation system (H1). This sequence is grouped in the AYYB plant damage state.

This sequence includes a medium LOCA, success of the high pressure injection system, depressurization of the primary system through the break, success of the low pressure injection system, and subsequent failure of the low pressure system in the recirculation phase. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of low pressure recirculation are the common cause failure of the RWST isolation valves to close or the common cause failure of the sump suction valves to open.

The frequency of this sequence is estimated as:

S1H1 = 7.7E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
S1*LPR-BETA-SUCTAB                           3.3E-7
S1*RMT-CCF-FA-MSCAL                          3.0E-7
S1*LPR-XHE-FO-HOTLG                          8.0E-8
S1*LPI-BETA-PTRABFR                          6.0E-8

TERM DESCRIPTIONS

S1 - Medium LOCA, 2" < D < 6"; F(S1) = 1.0E-3/reactor year.

LPR-BETA-SUCTAB - Common cause failure of RWST isolation MOVs 1862A and 1862B to close or sump suction MOVs 1860A and 1860B to open; P(LPR-BETA-SUCTAB) = 3.3E-4.

LPR-XHE-FO-HOTLG - Operator failure to align the LPR discharge for hot leg recirculation at 16 hours; P(LPR-XHE-FO-HOTLG) = 8.0E-5.

LPI-BETA-PTRABFR - Common cause failure of LPI motor-driven pumps SI1A and SI1B to run for 18 hours; P(LPI-BETA-PTRABFR) = 6.0E-5.

RMT-CCF-FA-MSCAL - Common cause miscalibration of both trains of the RMTS level sensors; P(RMT-CCF-FA-MSCAL) = 3.0E-4.

V.3.13 Sequence S1D1

This sequence is initiated by a break in the RCS piping in the range 2" < D < 6" (S1) followed by failure of the high pressure injection system (D1). This sequence is grouped in the AYYB plant damage state.

This sequence involves a medium LOCA and failure of core coolant makeup. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of high pressure injection are hardware failures of the check valves in the common suction line of all three charging pumps, common cause plugging of both strainers in the charging pump cooling service water lines, or common cause failure of the MOVs in the HPI discharge lines.

The frequency of this sequence is estimated as:

S1D1 = 7.1E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
S1*HPI-PSF-FL-PSUCT                          3.1E-7
S1*CPC-CCF-PG-STRAB                          2.0E-7
S1*HPI-BETA-1867CD                           1.2E-7

TERM DESCRIPTIONS

S1 - Medium LOCA, 2" < D < 6"; F(S1) = 1.0E-3/reactor year.

HPI-PSF-FL-PSUCT - Insufficient flow to charging pump suction header through pipe segment PS2; P(HPI-PSF-FL-PSUCT) = 3.1E-4.

CPC-CCF-PG-STRAB - Common cause plugging of charging pump cooling strainers 2A and 2B within 6 hours; P(CPC-CCF-PG-STRAB) = 2.0E-4.

HPI-BETA-1867CD - Common cause failure of HPI injection MOVs 1867C and 1867D to open; P(HPI-BETA-1867CD) = 1.2E-4.

V.3.14 Sequence S2D1

This sequence is initiated by a break in the RCS piping in the range 1/2" < D < 2" (S2) followed by failure of the high pressure injection system (D1). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by a small LOCA and failure of core coolant makeup. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of high pressure injection are hardware failures of the check valves in the common suction line of all three charging pumps, common cause plugging of both strainers in the charging pump cooling service water lines, or common cause failure of the MOVs in the HPI discharge line.

The frequency of this sequence is estimated as:

S2D1 = 7.1E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
S2*HPI-PSF-FL-PSUCT                          3.1E-7
S2*CPC-CCF-PG-STRAB                          2.0E-7
S2*HPI-BETA-1867CD                           1.2E-7

TERM DESCRIPTIONS

S2 - Small LOCA, 1/2" < D < 2"; F(S2) = 1.0E-3/reactor year.

HPI-PSF-FL-PSUCT - Insufficient flow to charging pump suction header through pipe segment PS2; P(HPI-PSF-FL-PSUCT) = 3.1E-4.

CPC-CCF-PG-STRAB - Common cause plugging of charging pump cooling strainers 2A and 2B within 6 hours; P(CPC-CCF-PG-STRAB) = 2.0E-4.

HPI-BETA-1867CD - Common cause failure of HPI injection MOVs 1867C and 1867D to open; P(HPI-BETA-1867CD) = 1.2E-4.

V.3.15 Sequence T4HQ-H2

This sequence is initiated by failure of 480V bus 1H or 1H-1 (T4H), followed by failure of pressurizer PORVs to close following a transient (Q), and failure of the high pressure recirculation system (H2). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by the loss of the 1H or 1H-1 480V bus due to failure of the 4160/480V transformer. In order to isolate the transformer, a common feed breaker from the 4160 bus is opened, and thus power to both buses is lost. This causes loss of one vital instrumentation bus which will cause reactor trip. Due to the potential for impaired ability at Surry to control reactor pressure under these circumstances, the PORVs were conservatively assumed to be demanded open. Loss of 480V-1H bus also results in failure of train A of the high pressure recirculation system and the inability to close the PORV block valve powered by Bus 1H. In addition, train A of the charging pump cooling system, the containment spray system (CSS), and inside and outside spray recirculation systems (ISRS and OSRS) are unavailable due to the initiating event. The B trains of CSS, ISRS, and OSRS would operate as designed to remove containment heat, but failure of core cooling recirculation would result in core damage.

The dominant contributors to failure of the high pressure recirculation system are mechanical failure of the LPI-HPI cross-over valves and failure of the service water and component cooling water pumps for the charging pump cooling system to continue to run for the mission time. The PORV demand rate was conservatively selected to be 1.0 for this class of transients in part due to the practice of frequently running with the SG-ADVs blocked. Impact of alternative demand rates is explored in Sensitivity Study 12. A key factor in this sequence is failure of PORV 1456 to close and the inability to isolate it, using block valve 1535, because power to 1535 is lost due to the initiator. Another important factor is the assumption that 480VAC bus 1H-1 would be lost along with 480VAC bus 1-H for the duration of the event. Both of these buses must be lost for the duration of the event to yield the cut sets listed below.

The frequency of this sequence is estimated as:

T4HQ-H2 = 6.8E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
T4H*QH*HPR-PSF-LF-SUCTB                      5.0E-7
T4H*QH*CPC-MDP-FR-CCB18                      8.6E-8
T4H*QH*HPR-MDP-FR-B18HR                      6.3E-8
T4H*QH*CPC-MDP-FR-10B18*CPC-XHE-FO-REALN     2.7E-8
T4H*QH*CPC-CCF-PG-ST18H*CPC-XHE-FO-REALN     4.5E-9

TERM DESCRIPTIONS

T4H - Loss of 480 VAC bus 1H; F(T4H) = 9.0E-3/reactor year.

QH - Probability of a nonisolable stuck open PORV following a T4H initiator; P(QH) = 1.0E-2.

HPR-PSF-LF-SUCTB - Insufficient flow from LPI pump B to the charging pump suction header; P(HPR-PSF-LF-SUCTB) = 5.5E-3.

CPC-MDP-FR-10B18 - Failure of charging pump cooling service water pump 10B to run for 18 hours; P(CPC-MDP-FR-10B18) = 3.0E-3.

HPR-MDP-FR-B18HR - Failure of charging pump CH1B to run for 18 hours; P(HPR-MDP-FR-B18HR) = 7.0E-4.

CPC-MDP-FR-CCB18 - Failure of charging pump cooling component cooling water pump 2B to run for 18 hours; P(CPC-MDP-FR-CCB18) = 9.6E-4.

CPC-CCF-PG-ST18H - Common cause plugging of charging pump cooling strainers 2A and 2B within 18 hours; P(CPC-CCF-PG-ST18H) = 5.0E-4.

CPC-XHE-FO-REALN - Failure of the operator to bypass the charging pump cooling strainers in the long term; P(CPC-XHE-FO-REALN) = 1.0E-1.

V.3.16 Sequence TKRZ

This sequence is initiated by any transient from high power (T), followed by a failure of the RPS to automatically scram the reactor (K), failure of the operator to manually scram the reactor (R), and the presence of an unfavorable moderator temperature coefficient (Z). This sequence is grouped in the SYYB plant damage state.

This sequence is initiated by a high power transient and failure of the RPS to scram the reactor. Manual reactor scram fails due to operator error or physical failure of the control rods or drives which prevent their insertion. The presence of an unfavorable moderator temperature coefficient will cause a severe primary system pressure rise which is assumed to result in failure of the reactor coolant boundary integrity.

"Unfavorable" MTC is defined as sufficient to cause the pressure rise to exceed service level C stress limits of the HPI injection valves. This was considered to cause plastic deformation and loss of operability. Inability to provide coolant injection leads to core damage.

The frequency of this sequence is estimated as:

TKRZ = 4.8E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
T*K*R*Z                                      4.8E-7

TERM DESCRIPTIONS

T - High power transient initiating events requiring scram; F(T) = 3.40/reactor year.

K - Failure of the RPS to trip the reactor following a transient; P(K) = 6.0E-5.

R - Failure to manually trip the reactor following RPS failure; P(R) = 1.7E-1.

Z - Absence of "favorable" moderator temperature coefficient; P(Z) = 1.4E-2.

V.3.17 Sequence AD3

This sequence involves a large LOCA followed by failure of the accumulators (D5). All other systems are operable. This sequence is grouped in the AYYB plant damage state.

The frequency of the sequence is estimated as:

AD3 = 3.9E-7

The dominant contributors to this sequence are:

Cut Set                                      Cut Set Frequency
A*ACC-PSF-LF-ACCB                            2.0E-7
A*ACC-PSF-LF-ACCC                            2.0E-7

TERM DESCRIPTIONS

A - Large LOCA (6" < D < 29"); F(A) = 5.0E-4/yr.

ACC-PSF-LF-ACCB - Local faults in the accumulator pipe segment. Check valve 145 or 130 fail to open or MOV 1865B is plugged; P(ACC-PSF-LF-ACCB) = 3.9E-4.

ACC-PSF-LF-ACCC - Local faults in the accumulator pipe segment. Check valve 147 or 128 fail to open or MOV 1865C is plugged; P(ACC-PSF-LF-ACCC) = 3.9E-4.

V.3.18 Sequence AH1

This sequence is initiated by a break in the RCS piping in the range 6" < D followed by failure of the low pressure recirculation system (H1). This sequence is grouped in the AYYB plant damage state.

This sequence involves a large LOCA, success of the low pressure injection system, and subsequent failure of the low pressure system in the recirculation phase. All containment heat removal systems are available but the continued heat up and boil off of coolant leads to core damage.

The dominant contributors to failure of low pressure recirculation are the common cause failure of the RWST isolation valves to close or the common cause failure of the sump suction valves to open.

The frequency of this sequence is estimated as:

AH1 = 3.9E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
A*LPR-BETA-SUCTAB                            1.6E-7
A*RMT-CCF-FA-MSCAL                           1.5E-7
A*LPR-XHE-FO-HOTLG                           4.0E-8
A*LPI-BETA-PTRABFR                           3.0E-8

TERM DESCRIPTIONS

A - Large LOCA (6" < D < 29"); F(A) = 5.0E-4/reactor year.

LPR-BETA-SUCTAB - Common cause failure of RWST isolation MOVs 1862A and 1862B to close or sump suction MOVs 1860A and 1860B to open; P(LPR-BETA-SUCTAB) = 3.3E-4.

LPR-XHE-FO-HOTLG - Operator failure to align the LPR discharge for hot leg recirculation at 16 hours; P(LPR-XHE-FO-HOTLG) = 8.0E-5.

LPI-BETA-PTRABFR - Common cause failure of LPI motor-driven pumps SI1A and SI1B to run for 18 hours; P(LPI-BETA-PTRABFR) = 6.0E-5.

V.3.19 Sequence S2H2

This sequence is initiated by a break in the RCS piping in the range 1/2" < D < 2" (S2) followed by failure of the high pressure recirculation (HPR) system (H2). This sequence is grouped in the SYYB plant damage state.

This sequence involves a small LOCA and failure of core coolant makeup in the recirculation phase. All containment heat removal systems are available but the continued heat up and boil off of primary coolant leads to core damage.

The dominant contributors to failure of the HPR system are the common cause failure of the charging pumps to run for 18 hours or the common cause failure of the hot leg discharge valves to open.

The frequency of this sequence is estimated as:

S2H2 = 3.3E-7

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                      Cut Set Frequency
S2*HPR-BETA-SUCTAB                           1.8E-7
S2*HPI-BETA-MDPFR18                          5.0E-8
S2*CPC-CCF-PG-ST18H*CPC-XHE-FO-REALN         5.0E-8
S2*CPC-BETA-SWABR18                          3.8E-8
S2*CPC-BETA-CCABR18                          1.2E-8

TERM DESCRIPTIONS

S2 - Small LOCA, 1/2" < D < 2"; F(S2) = 1.0E-3/reactor year.

HPI-BETA-MDPFR18 - Common cause failure of all three charging pumps to run for 18 hours; P(HPI-BETA-MDPFR18) = 5.0E-5.

HPR-BETA-SUCTAB - Common cause failure of both LPI-HPI cross-over valves; P(HPR-BETA-SUCTAB) = 1.8E-4.

CPC-CCF-PG-ST18H - Common cause plugging of charging pump cooling strainers 2A and 2B within 18 hours; P(CPC-CCF-PG-ST18H) = 5.0E-4.

CPC-XHE-FO-REALN - Failure of the operator to realign the charging pump cooling in response to plugged strainers in the long term; P(CPC-XHE-FO-REALN) = 1.0E-1.

CPC-BETA-SWABR18 - Common cause failure of charging pump cooling service water pumps 10A and 10B to run for 18 hours; P(CPC-BETA-SWABR18) = 3.7E-5.

CPC-BETA-CCABR18 - Common cause failure of charging pump cooling component cooling water pumps 2A and 2B to run for 18 hours; P(CPC-BETA-CCABR18) = 1.2E-5.

V.3.20 Sequence T1Q-D1CF1

This sequence is initiated by a loss of offsite power (T1) for greater than 1/2 hour and failure of two diesel generators resulting in station blackout at Unit 1 followed by a failure of a pressurizer PORV to reclose. Availability of power at Unit 2 was not included. Station blackout results in the unavailability of the high pressure injection system (D1), containment spray system (C), and the inside spray recirculation system (F1). This sequence is grouped in the SNNN plant damage state.

This sequence involves station blackout with a stuck open pressurizer PORV. Due to station blackout all core coolant makeup is unavailable as are the PORV block valves. Consequently, the resultant heatup and eventual boil off of the primary coolant would continue and core damage would begin at approximately 1 hour if HPI flow had not been restored by that time, or the block valve had not been isolated. Restoration of AC (offsite) power within 1 hour and isolation of the block valve is the dominant recovery action.

The frequency of this sequence is estimated as:

T1Q-D1CF1 = 3.2E

The dominant contributors to this sequence frequency are listed and discussed below.

Cut Set                                                               Cut Set Frequency
T1*OEP-BETA-DGENFS*PPS-SOV-CO-1456*NRACP1HR                           6.5E-8
T1*OEP-BETA-DGENFR*PPS-SOV-CO-1456*NRACP1HR                           4.4E-8
T1*OEP-DGN-FS-DG01*OEP-DGN-MA-DG03*PPS-SOV-CO-1456*NRACP1HR           3.4E-8
T1*OEP-DGN-MA-DG01*OEP-DGN-FS-DG03*PPS-SOV-CO-1456*NRACP1HR           3.4E-8
T1*OEP-DGN-FS-DG01*OEP-DGN-FS-DG03*PPS-SOV-CO-1456*NRACP1HR           3.4E-8
T1*OEP-DGN-FR-DG01*OEP-DGN-FS-DG03*PPS-SOV-CO-1456*NRACP1HR           2.3E-8
T1*OEP-DGN-MA-DG01*OEP-DGN-FR-DG03*PPS-SOV-CO-1456*NRACP1HR           2.3E
T1*OEP-DGN-FR-DG01*OEP-DGN-MA-DG03*PPS-SOV-CO-1456*NRACP1HR           2.3E-8
T1*OEP-DGN-FS-DG01*OEP-DGN-FR-DG03*PPS-SOV-CO-1456*NRACP1HR           2.3E-8
T1*OEP-DGN-FR-DG01*OEP-DGN-FR-DG03*PPS-SOV-CO-1456*NRACP1HR           1.6E-8

TERM DESCRIPTIONS

T1 - Loss of offsite AC power; F(T1) = 7.0E-2/reactor year.

NRACP1HR - Failure to recover AC power within 1 hour; P(NRACPI-2HR) = 3.1E-1.

OEP-BETA-DGENFS - Common cause failure of diesel generators #1 and #3 to start on demand; P(OEP-BETA-DGENFS) = 2.3E-4.

OEP-BETA-DGENFR - Common cause failure of diesel generators #1 and #3 to run for 6 hours; P(OEP-BETA-DGENFR) = 1.6E-4.

OEP-DGN-FS-DG01 - Failure of diesel generator #1 to start on demand; P(OEP-DGN-FS-DG01) = 1.1E-2.

OEP-DGN-FS-DG03 - Failure of diesel generator #3 to start on demand; P(OEP-DGN-FS-DG03) = 1.1E-2.

OEP-DGN-MA-DG01 - Diesel generator #1 unavailable due to maintenance activities; P(OEP-DGN-MA-DG01) = 1.1E-2.

OEP-DGN-MA-DG03 - Diesel generator #3 unavailable due to maintenance activities; P(OEP-DGN-MA-DG03) = 1.1E-2.

OEP-DGN-FR-DG01 - Failure of diesel generator #1 to continue to run for 6 hours; P(OEP-DGN-FR-DG01) = 7.5E-3.

OEP-DGN-FR-DG03 - Failure of diesel generator #3 to continue to run for 6 hours; P(OEP-DGN-FR-DG03) = 7.5E-3.

PPS-SOV-CO-1456 - PORV 1456 stuck open; P(PPS-SOV-CO-1456) = 1.3E-2.
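Each cut set frequency in the tables above is the product of its basic event values, and the sequence frequency is their sum. The following added example (not code from the report) rebuilds the twelve Event V cut sets from the three valve pairs and the probabilities in the Event V term descriptions; the function names are hypothetical, and the min-cut upper bound is a standard cross-check that goes beyond what the report states.

```python
"""Cut-set quantification for Event V (interfacing LOCA). Added example."""
from math import prod

# Valve pairs as they appear together in the Event V cut set table.
VALVE_PAIRS = [("SI79", "SI241"), ("SI82", "SI242"), ("SI85", "SI243")]

# Values from the Event V term descriptions.
P_RUPTURE = 1.2e-4        # LPI-CKV-RP-*, one year fault exposure time
P_TRANSFER_OPEN = 4.4e-3  # LPI-CKV-LK-*, one year fault exposure time
P_FAIL_TO_CLOSE = 1.3e-4  # LPI-CKV-FT-*
P_DEMAND = 0.5            # D, average demand factor for the second valve


def basic_event_table():
    """Map each basic event name to its probability."""
    table = {"D": P_DEMAND}
    for a, b in VALVE_PAIRS:
        for valve in (a, b):
            table[f"LPI-CKV-RP-{valve}"] = P_RUPTURE
            table[f"LPI-CKV-FT-{valve}"] = P_FAIL_TO_CLOSE
        # The report defines transfer-open events only for SI241-SI243.
        table[f"LPI-CKV-LK-{b}"] = P_TRANSFER_OPEN
    return table


def event_v_cut_sets():
    """The four cut sets per valve pair listed in the report's table."""
    cut_sets = []
    for a, b in VALVE_PAIRS:
        cut_sets.append((f"LPI-CKV-RP-{a}", f"LPI-CKV-LK-{b}", "D"))
        cut_sets.append((f"LPI-CKV-FT-{b}", f"LPI-CKV-RP-{a}"))
        cut_sets.append((f"LPI-CKV-FT-{a}", f"LPI-CKV-RP-{b}"))
        cut_sets.append((f"LPI-CKV-RP-{b}", f"LPI-CKV-RP-{a}", "D"))
    return cut_sets


def quantify(cut_set, table):
    """Product of basic event values; refuses events with no data."""
    missing = [e for e in cut_set if e not in table]
    if missing:
        raise ValueError(f"no data for basic event(s): {missing}")
    return prod(table[e] for e in cut_set)


def sequence_frequency(cut_sets, table):
    """Rare-event approximation: sum of the cut set frequencies."""
    return sum(quantify(cs, table) for cs in cut_sets)


def min_cut_upper_bound(cut_sets, table):
    """1 - prod(1 - q_i); close to the plain sum when every q_i is small."""
    return 1.0 - prod(1.0 - quantify(cs, table) for cs in cut_sets)


def failure_mode(cut_set):
    """Classify a cut set by the postulated failure mode it represents."""
    if any("-LK-" in e for e in cut_set):
        return "transfer open + rupture"
    if any("-FT-" in e for e in cut_set):
        return "fail to close + rupture"
    return "double rupture"


def contribution_by_mode(cut_sets, table):
    """Fraction of the sequence frequency carried by each failure mode."""
    total = sequence_frequency(cut_sets, table)
    shares = {}
    for cs in cut_sets:
        mode = failure_mode(cs)
        shares[mode] = shares.get(mode, 0.0) + quantify(cs, table) / total
    return shares


if __name__ == "__main__":
    table, cut_sets = basic_event_table(), event_v_cut_sets()
    for cs in sorted(cut_sets, key=lambda c: -quantify(c, table)):
        print(f"{' * '.join(cs):45s} {quantify(cs, table):.1E}")
    print(f"V = {sequence_frequency(cut_sets, table):.1E}")
    for mode, share in contribution_by_mode(cut_sets, table).items():
        print(f"{mode:28s} {share:.1%}")
```

The recomputed total differs from the tabulated V = 9.0E-7 only in the second significant figure, because the term descriptions give each probability to two figures.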


1 i . a V.4 Sensitivity Studies The~ prominent sources of uncertainty in this study were identified and listed in Table IV.ll.2-1 of Section IV.ll. Sensitivity studies were not performed on all of these issues.

 .              . Sensitivity. studies were only performed on those issues whose potential impact on core damage frequency was signficant. Issues were selected in the following.way.-

[ Development and quantification of the Surry event tree and fault tree models resulted in l .the identification of issues for which there existed a considerable variability of expert

                - opinion as to' their. potential probability and/or impact. These issues became potential candidates for sensitivity rather than uncertainty studies because they required modeling changes or could not be treated strictly on a statistical basis. However, selection of the sensitivity studies actually performed was based not only on the list of issues identified, but also on an examination of the Surry base case results.

The Surry base case results were examined to determine which issues had the greatest potential impact on core damage and/or plant damage state frequency results. This was accomplished by examining the important contributors to determine if any of them would be impacted by the list of issues. In most cases where there was a match between issues and important contributors, a Sensitivity Study was done. Some of the sensitivity studies were included as a result of the review process. The Surry results were reviewed by both the QC team and the NUREG-1150 Senior Consultant Group. This resulted in identification of issues which were of significant interest to the review groups. These issues became the subjects of sensitivity studies if they could not be addressed with rationale using the base case results.

Thirteen separate sensitivity studies and one combination study were performed in the sensitivity analysis. These sensitivity studies were performed by changing either the models or the data used to quantify the models. The resultant modified core damage and plant damage state equations were requantified using the appropriate data for the Sensitivity Study. All changes to the failure event data provided in the following sections are mean values. Uncertainty analysis on each case was also performed using SEP in the same manner as for the base case. Table V.4-1 provides a brief summary of each Sensitivity Study and the total core damage frequency calculated as a result of the changes.

The purpose of the sensitivity studies was to provide quantitative estimates of the range of uncertainty in the study results. The results of the sensitivity studies were used in two ways. Results of the sensitivity studies were used to form the "box and whisker" graphics shown in Section V. The results were also used in the limited Latin hypercube (LLH) analysis performed in the containment analysis study. The LLH analysis encompassed the modeling uncertainties in the accident sequence delineation as well as the accident process analysis and containment analysis. In order for the sensitivity studies to be used in the LLH analysis, it was necessary to assign a "probability of reality" to each Sensitivity Study. This "probability of reality" was termed "betting odds" and is defined as follows:

     "A probability is associated with each hypothesis of a set of mutually exclusive hypotheses concerning a particular modeling or parameter estimation issue. The sum of the probabilities of each hypothesis in a set is unity. The probability associated with a particular hypothesis is interpreted as the analyst's degree of belief in that hypothesis being the appropriate one for the analysis".


Table V.4-1 Summary Of Sensitivity Studies In Surry PRA Study

Each entry gives the study number, the subject, the total core damage frequency*, and the description of the Sensitivity Study.

1.  Seal LOCA during Station Blackout. Total Core Damage Frequency*: 4.3E-5
    Base case seal LOCA model assumes mean time to seal LOCA of approximately 4.5 hrs. after loss of all seal cooling. This sensitivity study represents a pessimistic seal LOCA model based on the Zion seal LOCA model. Seal LOCA assumed to occur 1/2 hour after station blackout. Recovery of AC power required within 1/2 hour of seal LOCA to prevent core damage.

2.  Seal LOCA during Station Blackout. Total Core Damage Frequency*: 2.1E-5
    This sensitivity study represents an optimistic seal LOCA model which assumes a much longer mean time to seal LOCA (on the order of 24 hours), which virtually eliminates seal LOCA events from the station blackout model.

2a. Seal LOCA during Station Blackout. Total Core Damage Frequency*: 2.5E-5
    Small seal LOCA size. Base case assumes total seal LOCA flowrate is 1350 gpm. Here total flowrate is 450 gpm. This allows two hours after seal LOCA for recovery of HPI flow to prevent core damage.

3.  Recovery of Offsite Power after Station Blackout. Total Core Damage Frequency*: 1.9E-5
    Use of Cluster 6 in NUREG-1032 for recovery of offsite power, rather than Cluster 7. Cluster 7 is mid-range of all clusters. Cluster 6 is better than average.

4.  Credit for Non-Safety Grade Gas Turbine Generator. Total Core Damage Frequency*: 2.1E-5
    This sensitivity study includes the gas turbine generator at Surry site as a means of supplying emergency AC power. Gas turbine was originally designed and intended for black-start capability. Now used for power peaking. Not under Tech Specs. Sensitivity study assumed gas turbine could be made available 1 hr. after station blackout. Assumed unavailability prior to demand was 0.25. Probability of failure assumed to be 0.1.

5.  Recovery From CMF of SW Valves. Total Core Damage Frequency*: 2.6E-5
    Recovery from CMF of the CHR-SW valves, by manually opening the valves, was included in the study. The probability used for recovery in the base case was 0.1. This value represents subjective estimate rather than evaluation of failure processes. A sensitivity study was run assuming less probability of recovery. The upper bound for non-recovery was 0.95, the lower bound was 0.05. The median was 0.22 and EF = 4.36.

6.  Beta Factors. Total Core Damage Frequency*: 3.6E-5
    Assumed the values in EPRI NP-3967 are mean values. Base case assumes they are upper bounds.

7.  Beta Factors. Total Core Damage Frequency*: 2.2E-5
    All generic beta factors were set to zero.

8.  Check Valve Beta Factors. Total Core Damage Frequency*: 3.8E-5
    Use "MOV-beta factors" on check valves in the Event V calculation.

9.  Interfacing LOCA Optimistic Failure Rates (FR). Total Core Damage Frequency*: 2.6E-5
    Base Case - Failure rate for check valve rupture is 1.3E-8/hr. Failure rate for check valve leakage is 5E-7/hr. This sensitivity study reduces failure rate for rupture to 4E-9/hr. Leakage failure rate reduced to 1.6E-7. See text for justification of values.

10. Interfacing LOCA Pessimistic Failure Rates. Total Core Damage Frequency*: 2.9E-5
    Failure rate for rupture increased to 4.3E-8/hr. Failure rate for leakage unchanged. See text for justification of values.

11. ECCS Failure Caused by Containment Failure. Total Core Damage Frequency*: 3.1E-5
    Sensitivity study assumes containment failure due to overpressure always leads to core damage via loss of ECC systems. Base case predicts that containment failure due to overpressure leads to core damage only 2% of the time.

12. PORV Demand Rate. Total Core Damage Frequency*: 2.1E-5
    Base case PORV demand rate was chosen as 1.0 for Tg, T4, and T5 initiators. Sensitivity study reduces demand rate for these transients by a factor of 10.

13. Combination of SS3, SS4, and SS6. Total Core Damage Frequency*: 2.4E-5

* calculated mean values

Table V.4-2 Betting Odds Assigned to Sensitivity Studies

No.   Sensitivity Study                                    Betting Odds
1.    Seal LOCA During Station Blackout                    .05
2.    Seal LOCA During Station Blackout                    .05
2a.   Seal LOCA During Station Blackout                    .40
3.    Recovery of Offsite Power After Station Blackout     .25
4.    Credit for Non-Safety Grade Gas Turbine Generator    .50
5.    Recovery of CMF-SW Valves                            .50
6.    Higher Beta Factors                                  .34
7.    Lower Beta Factors                                   .01
8.    Beta Factors on Check Valves                         .05
9.    Optimistic Failure Rates for Interfacing LOCA        .40
10.   Pessimistic Failure Rates for Interfacing LOCA       .10
11.   ECCS Failure Caused by Containment Failure           .24
12.   Reduced PORV Demand Rate                             .25
13.   Combination Study                                    No Odds

The betting odds associated with each Sensitivity Study for the LLH analysis are shown in Table V.4-2. The sum of the betting odds associated with a base case issue and its associated sensitivity studies is equal to 1.0 (e.g., the betting odds for sensitivity studies 1, 2, 2a and the base case seal LOCA model sum to 1.0, as do the odds for sensitivity studies 6, 7, and the base case, and studies 9, 10, and the base case). The following subsections provide detailed descriptions of the individual sensitivity studies.

V.4.1 Sensitivity Study 1 - Increase in RCP Seal LOCA Probability

In the base case, reactor coolant pump seal LOCA under conditions of loss of all seal cooling was modeled probabilistically with respect to time. The model predicted the probability of occurrence of a seal LOCA in the first six hours after station blackout was 0.65. Seal LOCAs were recoverable if HPI flow was restored within one hour of seal LOCA occurrence. Due to constraints on intake canal refill, AC power must be restored within one-half hour of seal LOCA in order to meet the one hour HPI requirement. To determine the sensitivity of the study results to this model, the base case model was replaced with a seal LOCA model based on the Zion/Indian Point PRA. In the Sensitivity Study, it was assumed that a seal LOCA will occur 1/2 hour following loss of all seal cooling. The one hour recovery time for HPI flow (used in this study) and the 1/2 hour recovery time for AC power were not changed. The difference between the Surry base case model and this Sensitivity Study is that the Surry model stretches the occurrence of seal LOCAs out in time to the point where recovery of AC power is more probable.

The alternate seal LOCA model was incorporated into the Surry study by using a seal LOCA probability of occurrence of 0.95. This value was chosen (rather than 1.0) to be consistent with the upper bound limits used in the base case. The probability of non-recovery of AC power was 0.32. The result is an increase in the seal LOCA sequence (T (SL)-D CF ) frequency and a decrease in the long term station blackout sequence (T L(LT)dg CII g) frequency. No other sequences were impacted by the Sensitivity Study. The frequency of the SNNN plant damage state was increased to 2.6E-5 and the frequency of the TNNN plant damage state was reduced to 1.4E-6. The total core damage frequency was increased from 2.6E-5 to 4.3E-5. A comparison of the base case core damage frequency and the impacted plant damage state frequencies is shown in Table V.4-3. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.2 Sensitivity Study 2 - Decrease in RCP Seal LOCA Probability

A worst case seal LOCA Sensitivity Study is described in the previous section. To determine the sensitivity of the study results to a best case, a Sensitivity Study using an optimistic model of seal performance was performed. This model assumes RCP seal LOCAs are very unlikely following loss of all seal cooling, and if they do occur, will occur 16 - 24 hours after loss of seal cooling. This Sensitivity Study assumed the probability of a seal LOCA was 0.05. This value was chosen (rather than 0.0) to be consistent with the lower bound limits used in the base case. Also, the probability of non-recovery of AC power was reduced to 0.01. This is representative of non-recovery in the 16 - 24 hour time frame.

This Sensitivity Study results in a significant reduction in the seal LOCA sequence (T (SL)-D CF ) and a resultant increase in the long term station blackout sequence (TfL(LT)dgCYg ) frequency. No other sequences were impacted by the Sensitivity Study. The frequency of the SNNN plant damage state was decreased to 4.5E-7 and the frequency of the TNNN plant damage state was increased to 4.8E-6. The total core damage frequency was decreased from 2.6E-5 to 2.1E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-4. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.3 Sensitivity Study 2A - Decrease in RCP Seal LOCA Size

The base seal LOCA model assumed that the RCP seal LOCA size was 450 gpm per pump and that a seal LOCA of that size occurred in each RCP. To determine the sensitivity of the study results to this assumption, the combined LOCA size was assumed to be less than 450 gpm from all three RCS pumps. The reduced LOCA size was estimated to result in an additional hour (over the one hour used in the base case) for recovery of HPI flow prior to the onset of core damage. The reduced size also causes the seal LOCA sequence to be put in the TNNN plant damage state, rather than the SNNN plant damage state.

The increased time available to restore HPI flow was reflected in the quantification of the NRACSL (non-recovery of AC power after seal LOCA) term in the seal LOCA sequence cutsets. The mean value of this term was changed from 0.25 to 0.20 due to the timing difference. The seal LOCA model was requantified using the revised NRACSL failure probability and resulted in a decrease in the seal LOCA sequence (T g(SL)-Di CF,) frequency. No other sequences were impacted by the Sensitivity Study. However, due to the plant damage state change, the TNNN state was impacted. The frequency of the SNNN plant damage state was decreased to 3.2E-7, while the TNNN plant damage state increased to 8.0E-6. The total core damage frequency was slightly decreased from 2.6E-5 to 2.5E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-5. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.4 Sensitivity Study 3 - Increase in Offsite Power Recovery Probability

The base case analysis used Cluster 7 data in NUREG-1032(13) for the probability of AC power recovery following loss of offsite power. Cluster 7 data in NUREG-1032 is mid-range of all of the data. Cluster 7 is also representative of the data for the Southeastern Electric Reliability Council plants, as published in EPRI-NP-2301. To determine the sensitivity of the study results to this data, the Cluster 6 data from NUREG-1032, which is better than average, was used in this Sensitivity Study. Justification for using better than average data is that Surry can obtain offsite power from six different lines and its Virginia location may not be as susceptible to severe weather conditions as other grids. For these reasons Cluster 6 may be more representative of Surry for recovery of offsite power than the data in Cluster 7.

The equations for core damage and the SNNN, TNNN, TYYB, and TYNI plant damage states were requantified using the Cluster 6 data. The probability of non-recovery of AC power within 1/2 hour was changed from 0.51 to 0.28, the probability of non-recovery of AC power within seven hours (given that it was not recovered at 1/2 hour) was changed from 0.09 to 0.068, and the probability of failure to provide HPI flow within one hour following seal LOCA (which is dominated by AC power recovery) was changed from 0.25 to 0.14. These changes resulted in a decrease in the frequency of all the loss of offsite power sequences and the SNNN, TNNN, TYYB, and TYNI plant damage states. The total core damage frequency was decreased from 2.6E-5 to 1.9E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-6. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.


V.4.5 Sensitivity Study 4 - Credit for Non-Safety Grade Gas Turbine Generator

The base case analysis did not include the non-safety grade gas turbine generator located at the Surry site. The gas turbine is currently used for power peaking but was originally designed and intended for black-start capability. To assess the impact of the use of the gas turbine generator following station blackout, the models were modified to include restoration of AC power provided by the gas turbine generator. It was assumed that the gas turbine generator would not be made available until one hour after loss of offsite power. The equations for those blackout sequences in which core degradation begins after one hour (T (SL)-Dg CF gand T,L(LT)D C i i )g were modified by adding a term to each of the cutsets which represents failure of the gas turbine generator to provide power (OEP-GTG-LF-FTCTL).

The modified equations for core damage and for plant damage states SNNN and TNNN were quantified using a mean value of 0.35 for failure of the gas turbine. This value represents 0.25 for the unavailability of the gas turbine prior to blackout and 0.1 for failure of the gas turbine generator to operate. This change resulted in a decrease in the frequency of the affected sequences and the SNNN and TNNN plant damage states. The total core damage frequency was decreased from 2.6E-5 to 2.1E-5. A comparison of the base case core damage frequency and the affected plant damage state frequencies is shown in Table V.4-7. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.6 Sensitivity Study 5 - Recovery of Common Cause Failure of Service Water Valves

The calculation of the probability of common cause failure of the service water inlet valves to the spray recirculation heat exchangers was based on the occurrence of a single event during the plant lifetime. A recovery factor was applied to sequences involving this common cause failure, if sufficient time for manual action was available. The recovery factor represents the probability that at least one valve can be manually cranked open by the operator. During the actual event, two of the four valves were able to be subsequently opened. Based on one data point it is very difficult to calculate a recovery factor. A factor of 0.1 was subjectively chosen. It represents the analyst's perception of the severity of the problem, and also recognizes the one of four success criteria.

To assess the sensitivity of the results to the selection of the recovery factor, another distribution for the probability of non-recovery was applied. The upper bound for the distribution was 0.95 and the lower bound was 0.05. This distribution yields a median value for non-recovery of 0.22 with an error factor of 4.36.

The equations for core damage and for plant damage states AYNB and TYNI were requantified using the new distribution for non-recovery. This change resulted in an increase in the frequency of the impacted sequences and the AYNB and TYNI plant damage states. The total core damage frequency was virtually unchanged. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-8. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.7 Sensitivity Study 6 - Increase in Beta Factor Values

For the base case analysis, the beta factor values published in EPRI NP-3967(25) were assumed to be upper bound values. It was further assumed that the distribution from which these values came had an error factor of three.


To assess the sensitivity of the study results to this assumption, the beta factor values from EPRI NP-3967 were interpreted to be mean values while retaining the same error factor of 3. This effectively increased the affected beta factor values by a factor of 2.4.

The equations for core damage and plant damage states SYYB, SNNN, AYNN, AYYB, TNNN, and TYYB were requantified using the modified distributions for the beta factors. This change resulted in an increase in the frequency of the affected sequences and the plant damage states. The total core damage frequency was increased from 2.6E-5 to 3.6E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-9. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.8 Sensitivity Study 7 - Elimination of Beta Factors

To assess the sensitivity of the study results to the common cause failure modeling methodology, the beta factors were set equal to zero. Note that CCF based on plant specific experience were left unchanged. This Sensitivity Study eliminates generic beta factor modeling from the study.

The equations for core damage and plant damage states SYYB, SNNN, AYNN, AYYB, TNNN, and TYYB were modified by removing the beta factors and quantified using the base case data. This change resulted in a decrease in the frequency of the impacted sequences and the plant damage states. The total core damage frequency was decreased from 2.6E-5 to 2.2E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-10. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.9 Sensitivity Study 8 - Beta Factors for Check Valves

Common cause failure modeling of check valves was not included in the study. This is because 1) no beta values for check valves were specified in EPRI-NP-3967 and 2) no instances of plant specific common cause check valve failure were found. It is reasonable to assume that check valves are susceptible to common cause failures, at some rate, even though they were not included in the EPRI study nor found in plant specific data. In order to assess the impact of common cause failure of check valves, sequences were screened by applying the beta factor value from EPRI NP-3967 for MOVs to cutsets with double and triple check valve failures. Due to the presence of other, more probable CCF (i.e., pumps and MOVs), addition of beta factors to check valves only affected the interfacing LOCA sequences.

The equations for total core damage and for the Event V plant damage state were modified to reflect the addition of the beta factors and quantified using the base case data and the beta factor value for MOVs. This change resulted in an increase in the frequency of the Event V sequence and plant damage state to 1.1E-5. The total core damage frequency was increased from 2.6E-5 to 3.8E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-11. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.10 Sensitivity Study 9 - Decrease in Interfacing LOCA Failure Rates

The base case quantification of the Event V sequence was performed using generic failure probabilities for check valve rupture and leakage. The probabilities were derived based on a survey of PWR PRAs. The median value for rupture was 5E-9/hr, with an error factor of 10 (mean = 1.33E-8). The median value for leakage was 4E-7/hr with an error factor of 3 (mean = 5.0E-7). The scarcity of failures makes these values less than ideal. No check valve ruptures have been experienced in 7E+7 valve-hours. The check valve leakage failure rates used in the base case quantification are believed to be representative of small backflow rates. Although the design configuration at Surry can withstand moderate backflow rates, the generic data was used since no data was available which was specifically representative of the higher backflow rate associated with the Surry Event V analysis. It was desired to assess the sensitivity of the study results to the use of alternate failure rates.

One way to derive alternate failure rates is to evaluate the existing data using chi-square statistics. The check valve rupture data is zero ruptures in 7E+7 valve hours. This gives a 50% value of 1.0E-8/hr, a 95% value of 4.3E-8 per hour and a 5% value of 7.3E-10/hr.

The value of 4.3E-8 is used as an upper bound in Sensitivity Study 10. Because this represents an increase by a factor of 3.2 over the base case value, the rupture failure rate was similarly reduced by a factor of 3.2 for this Sensitivity Study. The failure rates for check valve leakage were also reduced by a factor of 3.2.
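The numerical relations behind several values quoted in Sections V.4.6, V.4.7 and V.4.10 can be checked directly. The following Python sketch is an added example, not part of the original report; it assumes lognormal distributions with the error factor defined as the ratio of the 95th percentile to the median, and a chi-square estimator with two degrees of freedom for zero observed failures, neither of which is stated explicitly in the text.

```python
import math

Z95 = 1.645  # 95th percentile of the standard normal distribution


def lognormal_mean(median, error_factor):
    """Mean of a lognormal from its median and error factor.

    Assumption: error factor = 95th percentile / median, so
    sigma = ln(EF) / 1.645 and mean = median * exp(sigma^2 / 2).
    """
    sigma = math.log(error_factor) / Z95
    return median * math.exp(sigma ** 2 / 2.0)


def lognormal_from_bounds(lower_5, upper_95):
    """Median and error factor of the lognormal with these 5% / 95% bounds."""
    median = math.sqrt(lower_5 * upper_95)
    error_factor = math.sqrt(upper_95 / lower_5)
    return median, error_factor


def bound_to_mean_ratio(error_factor):
    """Ratio of the 95% upper bound to the mean of a lognormal.

    Reading a tabulated value as the mean instead of the upper bound,
    with the error factor held fixed, scales the distribution by this ratio.
    """
    return error_factor / lognormal_mean(1.0, error_factor)


def zero_failure_rate(percentile, exposure_hours):
    """Chi-square percentile of a failure rate when no failures were seen.

    Assumption: lambda_p = chi2_p(2 dof) / (2 T). With two degrees of
    freedom the chi-square quantile is -2 ln(1 - p), so no table is needed.
    """
    return -math.log(1.0 - percentile) / exposure_hours


def reproduce_report_values():
    """Recompute the figures quoted in the text from the stated inputs."""
    exposure = 7e7  # valve-hours with zero check valve ruptures (from the text)

    rupture_mean = lognormal_mean(5e-9, 10)   # median 5E-9/hr, EF 10
    leakage_mean = lognormal_mean(4e-7, 3)    # median 4E-7/hr, EF 3
    rupture_95 = zero_failure_rate(0.95, exposure)
    factor = rupture_95 / rupture_mean        # the "3.2" of Study 9

    sw_median, sw_ef = lognormal_from_bounds(0.05, 0.95)  # Study 5

    return {
        "rupture_mean": rupture_mean,
        "leakage_mean": leakage_mean,
        "rupture_50": zero_failure_rate(0.50, exposure),
        "rupture_95": rupture_95,
        "rupture_05": zero_failure_rate(0.05, exposure),
        "study9_factor": factor,
        "study9_rupture": rupture_mean / 3.2,
        "study9_leakage": leakage_mean / 3.2,
        "study5_median": sw_median,
        "study5_error_factor": sw_ef,
        "study6_beta_multiplier": bound_to_mean_ratio(3),
    }


if __name__ == "__main__":
    for name, value in reproduce_report_values().items():
        print(f"{name:26s} {value:.3g}")
```

Under these assumptions the computed values agree with the report's rounded figures, including the factor of 2.4 applied to the beta factors in Sensitivity Study 6.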

The core damage and Event V plant damage state equations were requantified using the data discussed above. These changes resulted in a decrease in the frequency of the Event V sequence to 1.1E-7. The total core damage frequency was not significantly decreased. A comparison of the base case core damage and the Event V plant damage state frequencies is shown in Table V.4-12. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.11 Sensitivity Study 10 - Increase in Interfacing LOCA Failure Rates

As discussed in Sensitivity Study 9, the base case quantification of the Event V sequence was performed using generic data for check valve rupture. To assess the sensitivity of the study results to the use of this data, the check valve rupture failure rate was increased to 4.3E-8/hr (95% chi-square value of the failure data). Check valve leakage failure rates were not increased, because they were believed to already be conservative.

The core damage and Event V plant damage state equations were requantified using the data discussed above. This change resulted in an increase in the frequency of the Event V sequence to 3.7E-6. The total core damage frequency was increased from 2.6E-5 to 2.9E-5. A comparison of the base case core damage and the Event V plant damage state frequencies is shown in Table V.4-13. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.12 Sensitivity Study 11 - ECCS Operability Following Containment Failure

Failure of containment heat removal systems after a LOCA may lead to containment overpressure failure, which may lead to ECCS failure. In the base case analysis, the relationship between failure of containment heat removal (i.e., recirculation spray) systems and failure of the ECCS systems was treated probabilistically. The containment analysis tasks assessed that the probability that containment failure would lead to ECCS failure through the mechanisms of sump flashing, inventory loss, or structural damage was 0.02. To assess the sensitivity of the study results to this assessment, it was assumed that containment failure (i.e., loss of containment heat removal) would always lead to ECCS failure. The modified core damage and plant damage state equations were quantified using the base case data and the assumption of ECCS failure upon containment failure. This change resulted in an increase in the frequency of the impacted sequences and the AYNN, AYNB, and TYNI plant damage states. The total core damage frequency was increased from 2.6E-5 to 3.1E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-14. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

V.4.13 Sensitivity Study 12 - Decreased PORV Demand Rate

The derivation of PORV demand rate for various transients was based on actual operating experience with Westinghouse reactors, as reported in WCAP-9804. T2 and T3 type transients are common enough that it was possible to get sufficient PORV openings to estimate a demand rate. For these transients, a demand rate of 0.014/transient was used. For T , T g, and T type transients, very little data exists, and it was difficult to postulate a demand rate based on actual data. In lieu of hard data, a value of 1.0/transient was used for Tg, T4, and T5 initiators. This is a conservative estimate which reflects the fact that Surry often operates with most of the steam generator ADVs blocked and that these initiators are likely to partially disable pressurizer sprays and pressure control systems, which would increase the likelihood of PORV opening.

To investigate the impact of this conservative estimate, a sensitivity study was run using a PORV demand rate of 0.1 for these initiators. This Sensitivity Study reduces all "Q" sequences by a factor of ten. Plant damage states SYYB and SNNN are affected. The total core damage frequency is reduced from 2.6E-5 to 2.1E-5. A comparison of base case frequencies and frequencies for this Sensitivity Study is shown in Table V.4-15.

V.4.14 Sensitivity Study 13 - Combination of Sensitivity Studies 3, 4, 6

To investigate the cumulative effects of the application of several sensitivity studies, three of the individual sensitivity studies were combined. Selection of which studies to combine involved their impact on core damage frequency and the betting odds assigned to each Sensitivity Study. Sensitivity studies which changed core damage frequency by more than 20% and had betting odds greater than .25 were candidates for combination. The combination was (#3) increased potential for recovery of offsite power, (#4) credit for the gas turbine generator, and (#6) increased values for common cause beta factors. None of the changes were mutually exclusive, nor did the use of the combination of items require changes in the methods of application from the individual studies.
The base case equations for core damage and the applicable plant damage states were modified appropriately and quantified using the base case data changed as necessary to reflect the Sensitivity Study combinations. These changes resulted in a decrease in the frequency of the SNNN and TNNN plant damage states and an increase in the frequency of the SYYB, AYNN, AYYB, TYNI, and TYYB plant damage states. The total core damage frequency was decreased from 2.6E-5 to 2.4E-5. A comparison of the base case core damage and the impacted plant damage state frequencies is shown in Table V.4-16. Also shown are the results of the uncertainty analysis associated with this Sensitivity Study.

Table V.4-3 Comparison Of Surry Base Case Results With Sensitivity Study 1 Results

                      BASE CASE                          SENSITIVITY STUDY 1
                      MEAN*      95% UPPER  5% LOWER     MEAN*      95% UPPER  5% LOWER
                      VALUE      BOUND      BOUND        VALUE      BOUND      BOUND
CORE DAMAGE           2.6E-5     6.7E-5     7.1E-6       4.3E-5     1.1E-4     1.1E-5
PLANT DAMAGE STATES
  AYYB                2.2E-6     7.6E-6     1.5E-7       **
  AYNI                6.2E-8     1.0E-7     6.8E-12      **
  AYNB                8.3E-8     3.1E-7     5.3E-10      **
  AYNN                1.8E-10    5.5E-10    7.1E-13      **
  ANNN                3.8E-9     1.4E-8     4.1E-11      **
  SYYB                7.8E-6     2.5E-5     9.2E-7       **
  SYNI                4.7E-8     6.8E-8     4.0E-10      **
  SNNN                7.5E-6     2.6E-5     4.8E-7       2.6E-5     8.1E-5     2.3E-6
  TYYB                4.8E-6     1.5E-5     7.4E-7       **
  TYNI                9.5E-10    3.3E-9     7.4E-12      **
  TNNN                2.6E-6     8.8E-6     1.8E-7       1.4E-6     4.8E-6     9.0E-8
  V                   1.0E-6     3.5E-6     2.0E-8       **

*  Frequency of Occurrence Per Reactor Year
** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-4 Comparison Of Surry Base Case Results With Sensitivity Study 2 Results

                      BASE CASE                          SENSITIVITY STUDY 2
                      MEAN*      95% UPPER  5% LOWER     MEAN*      95% UPPER  5% LOWER
                      VALUE      BOUND      BOUND        VALUE      BOUND      BOUND
CORE DAMAGE           2.6E-5     6.7E-5     7.1E-6       2.1E-5     5.2E-5     6.2E-6
PLANT DAMAGE STATES
  AYYB                2.2E-6     7.6E-6     1.5E-7       **
  AYNI                6.2E-8     1.0E-7     6.8E-12      **
  AYNB                8.3E-8     3.1E-7     5.3E-10      **
  AYNN                1.8E-10    5.5E-10    7.1E-13      **
  ANNN                3.8E-9     1.4E-8     4.1E-11      **
  SYYB                7.8E-6     2.5E-5     9.2E-7       **
  SYNI                4.7E-8     6.8E-8     4.0E-10      **
  SNNN                7.5E-6     2.6E-5     4.8E-7       4.5E-7     1.6E-6     3.4E-8
  TYYB                4.8E-6     1.5E-5     7.4E-7       **
  TYNI                9.5E-10    3.3E-9     7.4E-12      **
  TNNN                2.6E-6     8.8E-6     1.8E-7       4.8E-6     1.7E-5     3.7E-7
  V                   1.0E-6     3.5E-6     2.0E-8       **

*  Frequency of Occurrence Per Reactor Year
** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-5 Comparison Of Surry Base Case Results With Sensitivity Study 2A Results

                      BASE CASE                          SENSITIVITY STUDY 2A
                      MEAN*      95% UPPER  5% LOWER     MEAN*      95% UPPER  5% LOWER
                      VALUE      BOUND      BOUND        VALUE      BOUND      BOUND
CORE DAMAGE           2.6E-5     6.7E-5     7.1E-6       2.5E-5     6.3E-5     6.9E-6
PLANT DAMAGE STATES
  AYYB                2.2E-6     7.6E-6     1.5E-7       **
  AYNI                6.2E-8     1.0E-7     6.8E-12      **
  AYNB                8.3E-8     3.1E-7     5.3E-10      **
  AYNN                1.8E-10    5.5E-10    7.1E-13      **
  ANNN                3.8E-9     1.4E-8     4.1E-11      **
  SYYB                7.8E-6     2.5E-5     9.2E-7       **
  SYNI                4.7E-8     6.8E-8     4.0E-10      **
  SNNN                7.5E-6     2.6E-5     4.8E-7       3.2E-7     1.1E-6     1.8E-8
  TYYB                4.8E-6     1.5E-5     7.4E-7       **
  TYNI                9.5E-10    3.3E-9     7.4E-12      **
  TNNN                2.6E-6     8.8E-6     1.8E-7       8.0E-6     2.6E-5     6.4E-7
  V                   1.0E-6     3.5E-6     2.0E-8       **

*  Frequency of Occurrence Per Reactor Year
** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-6
Comparison Of Surry Base Case Results With Sensitivity Study 3 Results

                         BASE CASE                      SENSITIVITY STUDY 3
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       1.9E-5    4.8E-5     5.5E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      **
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       **
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       2.5E-6    8.1E-6     1.3E-7
TYYB           4.8E-6    1.5E-5     7.4E-7       4.7E-6    1.5E-5     6.2E-7
TYNI           9.5E-10   3.3E-9     7.4E-12      1.1E-9    3.5E-9     8.6E-12
TNNN           2.6E-6    8.8E-6     1.8E-7       1.1E-6    3.6E-6     8.1E-8
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-7
Comparison Of Surry Base Case Results With Sensitivity Study 4 Results

                         BASE CASE                      SENSITIVITY STUDY 4
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       2.1E-5    5.3E-5     5.7E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      **
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       **
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       2.9E-6    1.0E-5     1.7E-7
TYYB           4.8E-6    1.5E-5     7.4E-7       **
TYNI           9.5E-10   3.3E-9     7.4E-12      **
TNNN           2.6E-6    8.8E-6     1.8E-7       1.5E-6    5.4E-6     9.6E-8
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-8
Comparison Of Surry Base Case Results With Sensitivity Study 5 Results

                         BASE CASE                      SENSITIVITY STUDY 5
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       2.6E-5    6.3E-5     7.3E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      6.3E-7    1.3E-6     1.4E-9
AYNN           1.8E-10   5.5E-10    7.1E-13      **
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       **
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       **
TYYB           4.8E-6    1.5E-5     7.4E-7       **
TYNI           9.5E-10   3.3E-9     7.4E-12      3.3E-9    1.4E-8     2.1E-11
TNNN           2.6E-6    8.8E-6     1.8E-7       **
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-9
Comparison Of Surry Base Case Results With Sensitivity Study 6 Results

                         BASE CASE                      SENSITIVITY STUDY 6
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       3.6E-5    9.3E-5     9.7E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       3.1E-6    1.1E-5     2.1E-7
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      2.7E-10   9.7E-10    1.5E-12
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       9.2E-6    3.0E-5     1.1E-6
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       1.1E-5    3.9E-5     7.7E-7
TYYB           4.8E-6    1.5E-5     7.4E-7       8.8E-6    3.0E-5     1.0E-6
TYNI           9.5E-10   3.3E-9     7.4E-12      **
TNNN           2.6E-6    8.8E-6     1.8E-7       3.6E-6    1.2E-5     2.7E-7
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-10
Comparison Of Surry Base Case Results With Sensitivity Study 7 Results

                         BASE CASE                      SENSITIVITY STUDY 7
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       2.2E-5    5.9E-5     5.6E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       1.8E-6    5.9E-5     1.3E-7
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      2.1E-10   7.8E-10    7.8E-13
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       7.1E-6    2.4E-5     8.7E-7
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       7.3E-6    2.5E-5     4.2E-7
TYYB           4.8E-6    1.5E-5     7.4E-7       2.3E-6    6.4E-6     3.5E-7
TYNI           9.5E-10   3.3E-9     7.4E-12      **
TNNN           2.6E-6    8.8E-6     1.8E-7       2.4E-6    8.2E-6     2.1E-7
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-11
Comparison Of Surry Base Case Results With Sensitivity Study 8 Results

                         BASE CASE                      SENSITIVITY STUDY 8
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       3.8E-5    9.3E-5     9.3E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      **
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       **
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       **
TYYB           4.8E-6    1.5E-5     7.4E-7       **
TYNI           9.5E-10   3.3E-9     7.4E-12      **
TNNN           2.6E-6    8.8E-6     1.8E-7       **
V              1.0E-6    3.5E-6     2.0E-8       1.1E-5    4.2E-5     2.7E-7

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-12
Comparison Of Surry Base Case Results With Sensitivity Study 9 Results

                         BASE CASE                      SENSITIVITY STUDY 9
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       2.6E-5    6.5E-5     6.6E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      **
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       **
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       **
TYYB           4.8E-6    1.5E-5     7.4E-7       **
TYNI           9.5E-10   3.3E-9     7.4E-12      **
TNNN           2.6E-6    8.8E-6     1.8E-7       **
V              1.0E-6    3.5E-6     2.0E-8       1.1E-7    4.0E-7     2.9E-9

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-13
Comparison Of Surry Base Case Results With Sensitivity Study 10 Results

                         BASE CASE                      SENSITIVITY STUDY 10
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       2.9E-5    7.4E-5     7.5E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      **
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       **
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       **
TYYB           4.8E-6    1.5E-5     7.4E-7       **
TYNI           9.5E-10   3.3E-9     7.4E-12      **
TNNN           2.6E-6    8.8E-6     1.8E-7       **
V              1.0E-6    3.5E-6     2.0E-8       3.7E-6    1.3E-5     7.7E-8

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-14
Comparison Of Surry Base Case Results With Sensitivity Study 11 Results

                         BASE CASE                      SENSITIVITY STUDY 11
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       3.1E-5    7.8E-5     7.7E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      4.2E-6    1.6E-5     2.7E-8
AYNN           1.8E-10   5.5E-10    7.1E-13      8.3E-9    2.7E-8     3.1E-11
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       **
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       **
TYYB           4.8E-6    1.5E-5     7.4E-7       **
TYNI           9.5E-10   3.3E-9     7.4E-12      4.7E-8    1.6E-7     4.1E-10
TNNN           2.6E-6    8.8E-6     1.8E-7       **
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-15
Comparison Of Surry Base Case Results With Sensitivity Study 12 Results

                         BASE CASE                      SENSITIVITY STUDY 12
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       2.1E-5    5.3E-5     5.4E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       **
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      **
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       3.2E-6    9.2E-6     3.2E-7
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       7.3E-6    2.7E-5     4.4E-7
TYYB           4.8E-6    1.5E-5     7.4E-7       **
TYNI           9.5E-10   3.3E-9     7.4E-12      **
TNNN           2.6E-6    8.8E-6     1.8E-7       **
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State

Table V.4-16
Comparison Of Surry Base Case Results With Sensitivity Study 13 Results

                         BASE CASE                      SENSITIVITY STUDY 13
               MEAN*     95% UPPER  5% LOWER     MEAN*     95% UPPER  5% LOWER
               VALUE     BOUND      BOUND        VALUE     BOUND      BOUND

CORE DAMAGE    2.6E-5    6.7E-5     7.1E-6       2.4E-5    6.1E-5     6.5E-6

PLANT DAMAGE STATES
AYYB           2.2E-6    7.6E-6     1.5E-7       3.4E-6    1.2E-5     2.3E-7
AYNI           6.2E-8    1.0E-7     6.8E-12      **
AYNB           8.3E-8    3.1E-7     5.3E-10      **
AYNN           1.8E-10   5.5E-10    7.1E-13      3.5E-10   1.0E-9     1.3E-12
ANNN           3.8E-9    1.4E-8     4.1E-11      **
SYYB           7.8E-6    2.5E-5     9.2E-7       8.4E-6    2.6E-5     1.0E-6
SYNI           4.7E-8    6.8E-8     4.0E-10      **
SNNN           7.5E-6    2.6E-5     4.8E-7       1.2E-6    4.2E-6     7.2E-8
TYYB           4.8E-6    1.5E-5     7.4E-7       8.7E-6    3.1E-5     9.4E-7
TYNI           9.5E-10   3.3E-9     7.4E-12      1.1E-9    4.4E-9     9.4E-12
TNNN           2.6E-6    8.8E-6     1.8E-7       1.1E-6    4.3E-6     7.8E-8
V              1.0E-6    3.5E-6     2.0E-8       **

  * Frequency of Occurrence Per Reactor Year
 ** Sensitivity Study Did Not Impact This Plant Damage State
V.5 Comparison Of Results With WASH-1400

A comparison of the results of this study with WASH-1400 results must be done with full recognition of study differences in order to produce meaningful results. In the ten years between WASH-1400 and this study, the Surry plant design as well as the industry's understanding of reactor operation and safety have changed substantially. Any comparison of dominant contributors to core damage frequency between these two studies must be balanced by a knowledge of the differences in plant design, study methodology, and success criteria.

The most obvious comparison to be made is on the basis of total core damage frequency. WASH-1400 calculated a total core damage frequency of 4.4E-5 per year. This study calculated 2.6E-5 per year. The frequency value used in WASH-1400 is a point estimate, based on propagation of median values for basic events, while the frequency value used in this study is the calculated mean of a distribution. Many plant modifications have been made at Surry which reduce the frequency of comparable WASH-1400 sequences to 1.0E-5. However, this study predicts a core damage frequency of 1.1E-5 due to seal LOCAs and transient induced LOCAs, which were not prominent in the WASH-1400 analysis.

Table V.5-1 presents a direct comparison of WASH-1400 sequence frequencies with frequencies of comparable sequences in the current study. This comparison is shown in histogram form in Figure V.5-1. Examining Table V.5-1 reveals the following comparisons:

  • Seal LOCAs are dominant in the PRA Update, but not in WASH-1400.
  • Station blackout followed by loss of AFW remained approximately the same.
  • Loss of a 480V electrical bus leading to a transient induced LOCA appeared significant in the Update, but was not considered in WASH-1400.
  • ATWS sequences are not directly comparable due to increased knowledge of ATWS phenomenology, different probabilities for failure to scram, and different perceptions about operator error rates in ATWS situations.
  • Interfacing LOCA was reduced primarily due to increase in valve test frequency.
  • The LOCA sequences followed by failure of ECCS systems are generally lower in the present study than WASH-1400.

Another notable change from the WASH-1400 results is the decreased importance of containment systems in the core damage sequences. Success criteria for containment systems for this study were based on updated analyses, which resulted in fewer constraints and dependencies of the ECCS on containment system performance.

The WASH-1400 loss of all feedwater sequences were reduced in frequency in the Update due to the installation of a cross-tie of AFW at the plant, and the assumed viability of feed and bleed in preventing core damage after loss of all steam generator heat removal.

Table V.5-1
Comparison Of This Study With WASH-1400

                              Similar
                              WASH-1400    WASH-1400    Grouping in
Sequence         Frequency    Sequence     Frequency    Figure V.5-1

Ti(SL)D iCF3     6.6E-6       ---          ---          1
S0 21            7.1E-7       S0 2         9E-6         2
SD 3i            2.6E-6
SFF 1i2          7.0E-8       SF g         3E-8         --
                              SG t         3E-8
SHFF tiI2        5.0E-8       S1HF         3E-6         14
TyL(LT)D gCF3    1.3E-6       TMLB'        3E-6         3
T3L(ST)D iCF1    1.3E-6
AFi2 F           3.5E-8       AF           1E-8         --
                              AG           9E-9
AHgy2 FF         2.5E-8       AHF          1E-10        --
T4JQ-Hg          1.9E-6       ---          ---          4
T4gQ-Hg          1.6E-6
T 43Q-H2         8.1E-7
T4gQ-H2          6.8E-7
TyLP             1.1E-6       TML          6E-6         5
ATWS SEQUENCES (1)
TKRD 4           1.1E-6       TKQ          3E-6         6
TKRZ             4.8E-7       TKM0         1E-6
V                9.0E-7       V            4E-6         7
SD g1            7.1E-7       SDg          3E-6         8
SH 2i            8.9E-7       SH2          6E-6         9
SH 22            3.3E-7
SH ig            7.7E-7       SH1          3E-6         10
T1Q-D gCFi       3.2E-7       ---          ---          11
AD S             3.9E-7       AD           2E-6         12
AH i             3.9E-7       AH           1E-6         13
SHFF 2i12        5.0E-8       S HF 2       1E-9         --
TgLF12F          1.0E-9       ---          ---          --
S2CFg            (4)          SC 2         2E-6         15
SDDC i6g         2.7E-9       ---          ---          --
AD6g DC          1.4E-9       ACD          6E-11        --
AD512fF          (3)          ADF          2E-10        --
AD ff 6i2        (3)
SDFF 1iy2        (3)          SiDF         3E-10        --
SDFF i6y2
S0C 2t           (3)          S2CD         2E-8         --
SDFf 2gl2        (3)          S20G         1E-12        --
SFF 2I2          (4)          3F2          1E-7         --
                              SG2          9E-8
                 (2)          AB           1E-9
                 (2)          S8 g         3E-9
                 (2)          SB2          9E-9

(1) Individual ATWS sequences cannot be directly compared.
(2) Not quantified.
(3) Insignificant frequency.
(4) Not considered a core damage sequence.
--- No similar dominant sequence in WASH-1400.

[Figure V.5-1. Comparison With WASH-1400 Sequence Frequencies. Histogram in three panels, plotted against SEQUENCE GROUP: total core damage and groups 1 to 5; groups 6 to 11; groups 12 to 15. Legend: WASH-1400 RESULTS; THIS STUDY; SEQUENCE <1E-7 OR NOT INCLUDED IN STUDY.]

V.6 Importance Analysis

Importance rankings for risk increase and risk reduction were calculated from the final Surry base case results. Importance measures were calculated for both the total core damage frequency and each of the plant damage state frequencies. Section V.6.1 describes the results of the importance analysis from the standpoint of risk increase. Section V.6.2 describes the results of the importance analysis from the standpoint of risk reduction.

V.6.1 Risk Increase Importance Measures

This section presents the results of the calculation of the risk increase importance measures. The tables in this section identify the risk increase interval and the risk increase ratio. The risk increase interval represents the increase in the total core damage frequency if the probability of the event of interest was increased to a value of 1.0. The risk increase ratio for a given event is the ratio of the core damage frequency when the event probability equals 1.0 to the base case frequency. The importance calculations are based on the SEP input file, which uses median values for the basic events.

Table V.6.1-1 presents the calculated risk increase measures based on the total core damage frequency ranked in order of decreasing impact for those terms with a risk increase ratio equal to or greater than ten. Failure of the RPS to automatically scram the reactor (K) is identified as the most important term with respect to risk increase. The high importance is due to the relatively frequent demand for scram compared to demand for other systems, the perceived high reliability of the RPS, and the relatively high failure probabilities associated with the other terms involved in sequences with K. If the true reliability of the RPS is significantly worse than estimated, a significant impact on the study results would be expected.

High risk increase ratios are also noted for the check valve rupture terms involved in the interfacing LOCA sequence (Event V). These terms have high importance measures because they have low failure rates and only one additional failure is required for an interfacing LOCA to occur. Flow diversion of AFW flow to unit 2 (AFW-PSF-FC-XCONN) and steam binding of all three AFW pumps (AFW-CCF-LK-STMBD) also have high risk increase ratios. These events are low probability events, occur in a large number of cutsets and several sequences, and each results in the failure of the entire AFW system.

Tables V.6.1-2 through V.6.1-13 present the results of the importance analysis in terms of risk increase for each of the plant damage states. These importance measures are based on the base case plant damage state frequency.

Table V.6.1-14 identifies the supercomponent origin of events included in the tables in this section which are not coded in the standard nomenclature.

Table V.6.1-15 provides definition of the event nomenclature.

V.6.2 Risk Reduction Importance Measures

This section presents the results of the calculation of the risk reduction importance measures. The tables in this section identify the risk reduction interval and the risk reduction ratio. The risk reduction interval represents the decrease in the total core damage frequency calculated if the probability of the event of interest were decreased to a value of 0.0. The risk reduction ratio for a given event is the ratio of the core damage frequency when the event probability equals 0.0 to the base case frequency. The importance calculations used the SEP input file, which uses median values for the basic events.

Table V.6.2-1 presents the calculated risk reduction measures based on the total core damage frequency ranked in order of decreasing impact. The events with the greatest risk reduction importance are terms related to station blackout sequences. Loss of offsite power was found to be the most important term with respect to risk reduction potential. The loss of offsite power initiating event is involved in each cutset in six dominant sequences which account for approximately 43% (based on mean values) of the base case core damage frequency. Therefore, reduction of the frequency would significantly impact the results of the analysis. Non-recovery of AC power within 1/2 hour is involved in the three highest frequency sequences of the four station blackout sequences and appears in cutsets representing approximately 35% of the base case core damage frequency. Non-recovery of HPI flow following seal LOCA appears in cutsets which account for 25% of the base case core damage frequency.

Tables V.6.2-2 through V.6.2-13 present the importance ratios for each of the plant damage states. These importance measures apply to the base case plant damage state frequencies. Terms which appear in each cutset of a plant damage state equation are shown to have an infinite risk reduction ratio since they result in reducing the frequency of the plant damage state to zero.

Table V.6.1-14 identifies the supercomponent origin of events included in the tables in this section which are not coded in the standard nomenclature. Table V.6.1-15 provides definition of the event nomenclature.
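The four importance measures defined in Sections V.6.1 and V.6.2 can be computed directly from a cutset equation. The following is an added example, not the report's SEP code: the cutsets, event names and probabilities are constructed for illustration, the frequency uses the rare-event approximation (sum of cutset products), and the risk reduction ratio is taken as base frequency over the frequency with the event set to 0.0, an assumed orientation under which an event present in every cutset gets an infinite ratio. The last function checks a published row for internal consistency, using the K row and the SEP point estimate from Table V.6.1-1.

```python
import math

# Constructed example: minimal cutsets of a small core damage equation.
# Event names and values are hypothetical, not taken from the Surry model.
BASIC_EVENTS = {
    "IE-LOSP": 7.0e-2,    # initiating event frequency (per year)
    "DG-A-FTS": 2.0e-2,   # diesel generator A fails to start
    "DG-B-FTS": 2.0e-2,   # diesel generator B fails to start
    "DG-CCF": 1.0e-3,     # common cause failure of both diesels
    "AC-NONREC": 3.0e-1,  # AC power not recovered in time
    "IE-SLOCA": 1.0e-3,   # initiating event frequency (per year)
    "HPI-FAIL": 5.0e-4,   # high pressure injection fails
}
CUTSETS = [
    ("IE-LOSP", "DG-A-FTS", "DG-B-FTS", "AC-NONREC"),
    ("IE-LOSP", "DG-CCF", "AC-NONREC"),
    ("IE-SLOCA", "HPI-FAIL"),
]


def frequency(cutsets, probs):
    """Rare-event approximation: sum over cutsets of the product of event values."""
    return sum(math.prod(probs[e] for e in cs) for cs in cutsets)


def importance(cutsets, probs, event):
    """Risk increase and risk reduction measures for one event."""
    base = frequency(cutsets, probs)
    up = frequency(cutsets, {**probs, event: 1.0})    # event certain to occur
    down = frequency(cutsets, {**probs, event: 0.0})  # event never occurs
    return {
        "risk_increase_interval": up - base,
        "risk_increase_ratio": up / base,
        "risk_reduction_interval": base - down,
        # Assumed orientation: base / reduced, infinite when the event is in every cutset.
        "risk_reduction_ratio": math.inf if down == 0.0 else base / down,
    }


def rank_by_risk_increase(cutsets, probs, min_ratio=10.0):
    """Events with risk increase ratio >= min_ratio, in order of decreasing ratio."""
    rows = [(e, importance(cutsets, probs, e)) for e in probs]
    rows = [(e, m) for e, m in rows if m["risk_increase_ratio"] >= min_ratio]
    return sorted(rows, key=lambda r: r[1]["risk_increase_ratio"], reverse=True)


def row_is_consistent(interval, ratio, base, rel_tol=0.06):
    """A table row should satisfy ratio = 1 + interval / base.

    The tolerance allows for the two-significant-digit rounding of tabulated values.
    """
    return math.isclose(ratio, 1.0 + interval / base, rel_tol=rel_tol)


if __name__ == "__main__":
    for name, m in rank_by_risk_increase(CUTSETS, BASIC_EVENTS):
        print(f"{name:10s} {m['risk_increase_interval']:.1E} {m['risk_increase_ratio']:8.1f}")
    # Station blackout cutsets only: IE-LOSP appears in each, so the ratio is infinite.
    print(importance(CUTSETS[:2], BASIC_EVENTS, "IE-LOSP")["risk_reduction_ratio"])
    # K row of Table V.6.1-1 against the SEP point estimate of 7.0E-06.
    print(row_is_consistent(9.4e-3, 1341.6, 7.0e-6))
```

The consistency check is useful when transcribing the importance tables: a ratio that has lost a digit or an interval with a wrong exponent fails it.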

Table V.6.1-1
Risk Increase Importance Measures For Total Core Damage Frequency

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

K                      9.4E-03      1341.6
AFW-PSF-FC-XCONN       3.0E-03      429.1
AFW-CCF-LK-STMBD       2.8E-03      398.4
LPI-CKV-RP-SI79        1.9E-03      267.0
LPI-CKV-RP-SI82        1.9E-03      267.0
LPI-CKV-RP-SI85        1.9E-03      267.0
S2                     1.1E-03      163.5
RMT-CCF-FA-MSCAL       1.0E-03      144.7
A                      9.9E-04      141.8
LPR-CCF-PG-SUMP        9.5E-04      136.0
S1                     8.9E-04      126.9
XV24-PLUG              8.5E-04      121.9
CV25-FTO               8.5E-04      121.9
CV410-FTO              8.5E-04      121.9
CPC-CCF-PG-STRAB       8.5E-04      121.9
CSS-TNK-LF-RWST        5.7E-04      82.0
LPR-XHE-FO-HOTLG       5.7E-04      82.0
HPI-MOV-LF-1867C       3.7E-04      53.4
OEP-DGN-FR-DG01        1.9E-04      28.7
OEP-DGN-FS-DG01        1.9E-04      28.7
CV128-FTO              1.9E-04      28.0
CV130-FTO              1.9E-04      28.0
CV145-FTO              1.9E-04      28.0
CV147-FTO              1.9E-04      28.0
MOV1865B-PLUG          1.9E-04      28.0
MOV1865C-PLUG          1.9E-04      28.0
T43                    1.8E-04      26.0
T4H                    1.4E-04      21.0
LPI-CKV-RP-SI241       1.2E-04      18.3
LPI-CKV-RP-SI242       1.2E-04      18.3
LPI-CKV-RP-SI243       1.2E-04      18.3
OEP-DGN-FS-DG03        1.0E-04      15.6
OEP-DGN-FR-DG03        1.0E-04      15.5
S3                     8.2E-05      12.6
OEP-DGN-MA-DG01        7.4E-05      11.4
OEP-DGN-MA-DG03        7.1E-05      11.0
BETA-DG                6.9E-05      10.8

SEP POINT ESTIMATE - TOTAL CORE DAMAGE - 7.0E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-2
Risk Increase Importance Measures For Plant Damage State SNNN

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

OEP-DGN-FR-DG01        1.5E-04      66.0
OEP-DGN-FS-DG01        1.5E-04      65.9
OEP-DGN-FR-DG03        7.9E-05      35.7
OEP-DGN-FS-DG03        7.9E-05      35.6
OEP-DGN-MA-DG03        5.5E-05      24.8
OEP-DGN-MA-DG01        5.5E-05      24.8
BETA-DG                5.4E-05      24.5
T1                     3.4E-05      15.6

SEP POINT ESTIMATE - SNNN - 2.29E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-3
Risk Increase Importance Measures For Plant Damage State TYYB

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

K                      6.3E-03      3789.4
AFW-PSF-FC-XCONN       3.0E-03      1799.5
AFW-CCF-LK-STMBD       2.8E-03      1670.6
HPI-MOV-LF-1867C       3.5E-04      207.9
XV24-PLUG              9.1E-05      55.4
CV25-FTO               9.1E-05      55.4
CV410-FTO              9.1E-05      55.4
CPC-CCF-PG-STRAB       9.1E-05      55.4
S3                     8.2E-05      49.9
BETA-MOV               3.8E-05      23.7
CVC-PSF-LF-BAT2A       3.1E-05      19.6
PPS-XHE-FO-PORVS       3.1E-05      19.6

SEP POINT ESTIMATE - TYYB - 1.67E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-4
Risk Increase Importance Measures For Plant Damage State SYYB

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

K                      3.1E-03      897.2
S2                     1.1E-03      702.0
RMT-CCF-FA-MSCAL       4.4E-04      271.6
XV24-PLUG              3.8E-04      234.1
CV25-FTO               3.8E-04      234.1
CV410-FTO              3.8E-04      234.1
CPC-CCF-PG-STRAB       3.8E-04      234.1
T43                    1.8E-04      109.0
T4H                    1.4E-04      87.4
QH                     6.0E-05      37.5
Q3                     5.9E-05      37.5
MDPSI1A-FTS            5.1E-05      32.4
MOV1862A-FTC           4.5E-05      28.7
MOV1860A-FTO           4.5E-05      28.6
HPR-PSF-LF-SUCTA       4.4E-05      28.0
MDPCC2A-FR-18HR        3.8E-05      24.2
CV58-FTO               3.7E-05      23.8
MDPSI1A-TM             3.7E-05      23.8
CV56-FTO               3.5E-05      22.5
CV56-PLUG              3.5E-05      22.5
LPI-MDP-FR-A18HR       3.4E-05      21.8
HPR-MDP-FR-A18HR       3.4E-05      21.8
CV50-FTO               3.0E-05      19.7
MDPSI1B-TM             3.0E-05      19.7
MDPSI1B-FTS            3.0E-05      19.6
CV47-FTO               2.8E-05      18.3
CV47-PLUG              2.8E-05      18.3
MOV1862B-FTC           2.8E-05      18.3
MOV1860B-FTO           2.8E-05      18.3
MDPCC2B-FR-18HR        2.7E-05      17.7
LPI-MDP-FR-B18HR       2.7E-05      17.7
HPR-MDP-FR-B18HR       2.7E-05      17.7
HPR-PSF-LF-SUCTB       2.7E-05      17.6
HPI-MDP-FR-A18HR       2.2E-05      14.2
CPC-CCF-PG-ST18H       1.7E-05      11.3
Z                      1.6E-05      10.8

SEP POINT ESTIMATE - SYYB - 1.63E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-5
Risk Increase Importance Measures For Plant Damage State TNNN

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

OEP-DGN-FR-DG01        4.2E-05      66.0
OEP-DGN-FS-DG01        4.2E-05      65.9
OEP-DGN-FR-DG03        2.3E-05      35.7
OEP-DGN-FS-DG03        2.3E-05      35.6
XV153-PLUG             1.8E-05      27.8
CV142-FTO              1.8E-05      27.8
TDPAFW2-FTR            1.8E-05      27.8
TDPAFW2-TM             1.7E-05      27.7
TDPAFW2-FTS            1.7E-05      27.6
OEP-DGN-MA-DG03        1.6E-05      24.8
OEP-DGN-MA-DG01        1.6E-05      24.8
BETA-DG                1.5E-05      24.5
T1                     9.6E-06      15.6

SEP POINT ESTIMATE - TNNN - 6.53E-07

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-6
Risk Increase Importance Measures For Plant Damage State AYYB

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

A                      9.7E-04      1890.8
S1                     8.7E-04      1686.7
LPR-XHE-FO-HOTLG       5.7E-04      1109.3
RMT-CCF-FA-MSCAL       5.7E-04      1109.2
XV24-PLUG              3.8E-04      739.8
CV25-FTO               3.8E-04      739.8
CV410-FTO              3.8E-04      739.8
CPC-CCF-PG-STRAB       3.8E-04      739.8
CV130-FTO              1.9E-04      370.4
MOV1865C-PLUG          1.9E-04      370.4
CV145-FTO              1.9E-04      370.4
CV147-FTO              1.9E-04      370.4
MOV1865B-PLUG          1.9E-04      370.4
CV128-FTO              1.9E-04      370.4
LPI-MDP-FR-A18HR       2.1E-05      42.0
MOV1862A-FTC           1.5E-05      30.5
MOV1860A-FTO           1.5E-05      30.4
HPI-MOV-LF-1867C       1.1E-05      22.9
MDPSW10A-FTR           6.8E-06      14.2
BETA-MOV               5.5E-06      11.8

SEP POINT ESTIMATE - AYYB - 5.14E-07

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-7
Risk Increase Importance Measures For Plant Damage State V

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

LPI-CKV-RP-SI85        1.9E-03      7192.4
LPI-CKV-RP-SI82        1.9E-03      7192.4
LPI-CKV-RP-SI79        1.9E-03      7192.4
LPI-CKV-RP-SI243       1.2E-04      469.7
LPI-CKV-RP-SI242       1.2E-04      469.7
LPI-CKV-RP-SI241       1.2E-04      469.7
LPI-CKV-FT-SI242       4.4E-05      170.0
LPI-CKV-FT-SI82        4.4E-05      170.0
LPI-CKV-FT-SI85        4.4E-05      170.0
LPI-CKV-FT-SI241       4.4E-05      170.0
LPI-CKV-FT-SI79        4.4E-05      170.0
LPI-CKV-FT-SI243       4.4E-05      170.0
LPI-CKV-LK-SI242       2.2E-05      85.2
LPI-CKV-LK-SI243       2.2E-05      85.2
LPI-CKV-LK-SI241       2.2E-05      85.2

SEP POINT ESTIMATE - V - 2.60E-07

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-8
Risk Increase Importance Measures For Plant Damage State AYNB

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

A                      1.7E-05      1755.0
S1                     1.7E-05      1754.7
SWS-CCF-FC-BIOFL       8.7E-07      90.9
CVFACTOR               4.7E-07      50.0
SWS-BIOFL-RCVY         1.2E-07      13.0

SEP POINT ESTIMATE - AYNB - 9.66E-09

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-9
Risk Increase Importance Measures For Plant Damage State AYNI

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

LPR-CCF-PG-SUMP        5.7E-04      1E+6
A                      1.0E-06      1755.1
S1                     1.0E-06      1754.7

SEP POINT ESTIMATE - AYNI - 5.70E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-10
Risk Increase Importance Measures For Plant Damage State ANNN

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

CSS-TNK-LF-RWST        5.7E-04      1E+6
A                      1.0E-06      1755.1
S1                     1.0E-06      1754.7

SEP POINT ESTIMATE - ANNN - 5.70E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-11
Risk Increase Importance Measures For Plant Damage State SYNI

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

LPR-CCF-PG-SUMP        3.8E-04      1E+6
S2                     1.0E-06      2631.6

SEP POINT ESTIMATE - SYNI - 3.80E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-12
Risk Increase Importance Measures For Plant Damage State TYNI

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

AFW-CCF-LK-STMBD       1.2E-06      9091.8
AFW-PSF-FC-XCONN       1.2E-06      9091.0
SWS-CCF-FC-BIOFL       1.2E-08      90.9
CVFACTOR               6.3E-09      50.0
T1                     1.7E-09      14.5
AFW-XHE-FO-UNIT2       1.6E-09      13.4
SWS-BIOFL-RCVY         1.5E-09      13.0

SEP POINT ESTIMATE - TYNI - 1.29E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-13
Risk Increase Importance Measures For Plant Damage State AYNN

                       RISK INCREASE
EVENT NAME             INTERVAL     RATIO

A                      1.1E-08      1754.5
S1                     1.1E-08      1754.1
MDPCSIB-FTR            2.6E-09      406.2
MDPCSIB-FTS            2.6E-09      405.4
CSS-XVM-RE-XV8         7.7E-10      121.4
CSS-XVM-RE-XV15        7.7E-10      121.4
SWS-CCF-FC-BIOFL       5.1E-10      80.6
CVFACTOR               3.1E-10      50.0
BETA-CSS               2.9E-10      46.9
MDPCSIA-FTR            1.3E-10      20.7
MOVCSS100B-PLUG        1.3E-10      20.7
MOVCSS100A-PLUG        1.3E-10      20.7
FLCSIB-PLUG            1.3E-10      20.7
FLCSIA-PLUG            1.3E-10      20.7
MDPCSIB-TM             1.3E-10      20.6
MDPCSIA-FTS            1.3E-10      20.6
MDPCSIA-TM             1.3E-10      20.6

SEP POINT ESTIMATE - AYNN - 6.37E-12

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.1-14
Cross Reference of Events in Section V.6 Tables to Originating Supercomponents

Event in Section      Supercomponent Including
V.6 Tables            Listed Event
CV25-FTO              HPI-PSF-FL-PSUCT
CV47-FTO              LPR-PSF-FC-SUCTB
CV47-PLUG             LPR-PSF-FC-SUCTB
CV56-FTO              LPR-PSF-FC-SUCTA
CV56-PLUG             LPR-PSF-FC-SUCTA
CV58-FTO              LPI-PSF-LF-PTRNA
CV128-FTO             ACC-PSF-LF-ACCB
CV130-FTO             ACC-PSF-LF-ACCB
CV142-FTO             AFW-PSF-LF-PTRN2
CV145-FTO             ACC-PSF-LF-ACCC
CV147-FTO             ACC-PSF-LF-ACCC
CV172-FTO             AFW-PSF-LF-PTR3B
CV410-FTO             HPI-PSF-FL-PSUCT
MOVCSS100A-PLUG       CSS-PSF-LF-PTRNA
MOVCSS100B-PLUG       CSS-PSF-LF-PTRNB
MOV1860A-FTO          LPR-PSF-FC-SUCTA
MOV1860B-FTO          LPR-PSF-FC-SUCTB
MOV1862A-FTC          LPR-PSF-FC-SUCTA
MOV1862B-FTC          LPR-PSF-FC-SUCTB
MOV1865B-PLUG         ACC-PSF-LF-ACCB
MOV1865C-PLUG         ACC-PSF-LF-ACCC
XV24-PLUG             HPI-PSF-FL-PSUCT
XV153-PLUG            AFW-PSF-LF-PTRN2
XV183-PLUG            AFW-PSF-LF-PTR3B
TDPAFW2-FTR           AFW-PSF-LF-PTRN2
TDPAFW2-TM            AFW-PSF-LF-PTRN2
TDPAFW2-FTS           AFW-PSF-LF-PTRN2
MDPAFW3B-TM           AFW-PSF-LF-PTR3B
MDPAFW3B-FTS-R        AFW-PSF-LF-PTR3B
MDPSI1A-TM            LPI-PSF-LF-PTRNA
MDPSI1A-FTS           LPI-PSF-LF-PTRNA
MDPCSIA-FTR           CSS-PSF-LF-PTRNA
MDPCSIB-FTR           CSS-PSF-LF-PTRNB
MDPCSIA-FTS           CSS-PSF-LF-PTRNA
MDPCSIB-FTS           CSS-PSF-LF-PTRNB
MDPCSIA-TM            CSS-PSF-LF-PTRNA
MDPCSIB-TM            CSS-PSF-LF-PTRNB
MDPSW10A-FTR          CPC-PSF-LF-SWPTA
MDPRSIA-FTS-R         OSR-PSF-LF-TRNA
MDPRSIB-FTS-R         OSR-PSF-LF-TRNB
FLCSIA-PLUG           CSS-PSF-LF-PTRNA
FLCSIB-PLUG           CSS-PSF-LF-PTRNB

Table V.6.1-15
TERM DESCRIPTIONS

A - LARGE LOCA, D > 6"
AFW-PSF-FC-XCONN - FLOW DIVERSION FROM UNIT 1 AFWS THROUGH THE CROSS-CONNECT TO UNIT 2
AFW-CCF-LK-STMBD - UNDETECTED LEAKAGE THROUGH AFWS VALVES CV27, CV58, OR CV89 RESULTING IN COMMON CAUSE STEAM BINDING OF ALL THREE AFW PUMPS
AFW-PSF-LF-PTR3A - FAILURE OF MOTOR DRIVEN AFW PUMP TRAIN 3A TO PROVIDE FLOW DUE TO FAULTS IN PIPE SEGMENT PS81
AFW-PSF-LF-PTR3B - FAILURE OF MOTOR DRIVEN AFW PUMP TRAIN 3B TO PROVIDE FLOW DUE TO FAULTS IN PIPE SEGMENT PS82
AFW-PSF-LF-PTRN2 - FAILURE OF TURBINE DRIVEN AFW PUMP TRAIN 2 TO PROVIDE FLOW DUE TO FAULTS IN PIPE SEGMENT PS80
CPC-CCF-PG-STRAB - COMMON CAUSE PLUGGING OF CHARGING PUMP COOLING STRAINERS 2A AND 2B WITHIN 6 HOURS
CPC-CCF-PG-ST18H - COMMON CAUSE PLUGGING OF CHARGING PUMP COOLING STRAINERS 2A AND 2B WITHIN 18 HOURS
CPC-XHE-FO-REALN - FAILURE OF THE OPERATOR TO BYPASS THE CHARGING PUMP COOLING STRAINERS IN THE LONG TERM
CPC-PSF-LF-SWPTA - FAILURE OF THE CHARGING PUMP COOLING SYSTEM TRAIN A TO PROVIDE SUFFICIENT FLOW FOR 6 HOURS
CPC-PSF-LF-SWPTB - FAILURE OF THE CHARGING PUMP COOLING SYSTEM TRAIN B TO PROVIDE SUFFICIENT FLOW FOR 6 HOURS
CPC-BETA-SWPABFR - COMMON CAUSE FAILURE OF CHARGING PUMP COOLING SERVICE WATER PUMPS 10A AND 10B TO RUN FOR 6 HOURS
CPC-BETA-SWABR18 - COMMON CAUSE FAILURE OF CHARGING PUMP COOLING SERVICE WATER PUMPS 10A AND 10B TO RUN FOR 18 HOURS
CPC-BETA-CCABR18 - COMMON CAUSE FAILURE OF CHARGING PUMP COOLING COMPONENT COOLING WATER PUMPS 2A AND 2B TO RUN FOR 18 HOURS
CPC-MDP-FS-SW10B - FAILURE OF CHARGING PUMP COOLING SERVICE WATER PUMP 10B TO START
CPC-MDP-FR-10A18 - FAILURE OF CHARGING PUMP COOLING SERVICE WATER PUMP 10A TO RUN FOR 18 HOURS
CPC-MDP-FR-10B18 - FAILURE OF CHARGING PUMP COOLING SERVICE WATER PUMP 10B TO RUN FOR 18 HOURS
CPC-MDP-FR-CCA18 - FAILURE OF CHARGING PUMP COOLING COMPONENT COOLING WATER PUMP 2A TO RUN FOR 18 HOURS
CPC-MDP-FR-CCB18 - FAILURE OF CHARGING PUMP COOLING COMPONENT COOLING WATER PUMP 2B TO RUN FOR 18 HOURS
CVC-PSF-LF-BAT2A - FAILURE OF THE BORIC ACID TRANSFER PUMP CH2A TO PROVIDE SUFFICIENT FLOW FOR 1 HOUR
HPI-PSF-FL-PSUCT - INSUFFICIENT FLOW TO CHARGING PUMP SUCTION HEADER THROUGH PIPE SEGMENT PS2
HPI-BETA-1115CE - COMMON CAUSE FAILURE OF VCT ISOLATION MOVS 1115C AND 1115E TO CLOSE
HPI-BETA-1115BD - COMMON CAUSE FAILURE OF RWST ISOLATION MOVS 1115B AND 1115D TO OPEN
HPI-BETA-MDPFR18 - COMMON CAUSE FAILURE OF ALL THREE CHARGING PUMPS TO RUN FOR 18 HOURS
HPR-PSF-LF-SUCTA - INSUFFICIENT FLOW FROM LOW PRESSURE PUMP 1A TO THE CHARGING PUMP SUCTION HEADER
HPR-PSF-LF-SUCTB - INSUFFICIENT FLOW FROM LOW PRESSURE PUMP 1B TO THE CHARGING PUMP SUCTION HEADER
HPR-MDP-FR-A18HR - FAILURE OF CHARGING PUMP CH1A TO RUN FOR 18 HOURS
HPR-MDP-FR-B18HR - FAILURE OF CHARGING PUMP CH1B TO RUN FOR 18 HOURS
HPR-BETA-SUCTAB - COMMON CAUSE FAILURE OF BOTH HOT LEG DISCHARGE VALVES
K - FAILURE OF THE RPS TO TRIP THE REACTOR FOLLOWING A TRANSIENT
LPI-CKV-LK-SI241 - LEAKAGE THROUGH LPI CHECK VALVE SI241
LPI-CKV-LK-SI242 - LEAKAGE THROUGH LPI CHECK VALVE SI242
LPI-CKV-LK-SI243 - LEAKAGE THROUGH LPI CHECK VALVE SI243
LPI-CKV-RP-SI79 - RUPTURE OF LPI CHECK VALVE SI79, 1 YEAR FAULT EXPOSURE TIME
LPI-CKV-RP-SI82 - RUPTURE OF LPI CHECK VALVE SI82, 1 YEAR FAULT EXPOSURE TIME
LPI-CKV-RP-SI85 - RUPTURE OF LPI CHECK VALVE SI85, 1 YEAR FAULT EXPOSURE TIME
LPI-CKV-RP-SI241 - RUPTURE OF LPI CHECK VALVE SI241, 1 YEAR FAULT EXPOSURE TIME
LPI-CKV-RP-SI242 - RUPTURE OF LPI CHECK VALVE SI242, 1 YEAR FAULT EXPOSURE TIME
LPI-CKV-RP-SI243 - RUPTURE OF LPI CHECK VALVE SI243, 1 YEAR FAULT EXPOSURE TIME
LPI-CKV-FT-SI79 - FAILURE OF LPI CHECK VALVE SI79 TO CLOSE
LPI-CKV-FT-SI82 - FAILURE OF LPI CHECK VALVE SI82 TO CLOSE
LPI-CKV-FT-SI85 - FAILURE OF LPI CHECK VALVE SI85 TO CLOSE
LPI-CKV-FT-SI241 - FAILURE OF LPI CHECK VALVE SI241 TO CLOSE
LPI-CKV-FT-SI242 - FAILURE OF LPI CHECK VALVE SI242 TO CLOSE
LPI-CKV-FT-SI243 - FAILURE OF LPI CHECK VALVE SI243 TO CLOSE
LPI-MDP-FR-A18HR - FAILURE OF LPI MOTOR DRIVEN PUMP SI1A TO RUN FOR 18 HOURS
LPI-MDP-FR-B18HR - FAILURE OF LPI MOTOR DRIVEN PUMP SI1B TO RUN FOR 18 HOURS
LPI-BETA-PTRABFR - COMMON MODE FAILURE OF LPI MOTOR DRIVEN PUMPS SI1A AND SI1B TO RUN FOR 18 HOURS
LPI-PSF-LF-PTRNA - FAILURE OF LPI PUMP TRAIN SI1A TO PROVIDE SUFFICIENT FLOW DURING INJECTION
LPI-PSF-LF-PTRNB - FAILURE OF LPI PUMP TRAIN SI1B TO PROVIDE SUFFICIENT FLOW DURING INJECTION
LPR-PSF-FC-SUCTA - FAILURE OF RWST ISOLATION MOV 1862A TO CLOSE OR SUMP SUCTION MOV 1860A TO OPEN
LPR-PSF-FC-SUCTB - FAILURE OF RWST ISOLATION MOV 1862B TO CLOSE OR SUMP SUCTION MOV 1860B TO OPEN
LPR-BETA-SUCTAB - COMMON CAUSE FAILURE OF RWST ISOLATION MOVS 1862A AND 1862B TO CLOSE OR SUMP SUCTION MOVS 1860A AND 1860B TO OPEN
LPR-CCF-PG-SUMP - COMMON CAUSE PLUGGING OF THE LPR SUMP
LPR-XHE-FO-HOTLG - OPERATOR FAILURE TO ALIGN THE LPR DISCHARGE FOR HOT LEG RECIRCULATION AT 16 HOURS
NRACPI-2HR - FAILURE TO RECOVER AC POWER WITHIN ONE HALF HOUR
NRACP-7HR - FAILURE TO RECOVER AC POWER WITHIN SEVEN HOURS
NRACP-1HR - FAILURE TO RECOVER OFFSITE POWER WITHIN ONE HOUR
NSLOCA - CONDITIONAL PROBABILITY OF NO SEAL LOCA
NRACSL - FAILURE TO PROVIDE HPI FLOW WITHIN 1 HOUR FOLLOWING SEAL LOCA OCCURRENCE
OEP-BETA-DGENFS - COMMON CAUSE FAILURE OF ALL THREE DIESEL GENERATORS TO START ON DEMAND
OEP-BETA-DGENFR - COMMON CAUSE FAILURE OF ALL THREE DIESEL GENERATORS TO RUN FOR 6 HOURS
OEP-DGN-FS-DG01 - FAILURE OF DIESEL GENERATOR #1 TO START ON DEMAND
OEP-DGN-FS-DG02 - FAILURE OF DIESEL GENERATOR #2 TO START ON DEMAND
OEP-DGN-FS-DG03 - FAILURE OF DIESEL GENERATOR #3 TO START ON DEMAND
OEP-DGN-MA-DG01 - DIESEL GENERATOR #1 UNAVAILABLE DUE TO MAINTENANCE ACTIVITIES
OEP-DGN-MA-DG02 - DIESEL GENERATOR #2 UNAVAILABLE DUE TO MAINTENANCE ACTIVITIES
OEP-DGN-MA-DG03 - DIESEL GENERATOR #3 UNAVAILABLE DUE TO MAINTENANCE ACTIVITIES
OEP-DGN-FR-DG01 - FAILURE OF DIESEL GENERATOR #1 TO CONTINUE TO RUN FOR 6 HOURS
OEP-DGN-FR-DG02 - FAILURE OF DIESEL GENERATOR #2 TO CONTINUE TO RUN FOR 6 HOURS
OEP-DGN-FR-DG03 - FAILURE OF DIESEL GENERATOR #3 TO CONTINUE TO RUN FOR 6 HOURS
PPS-PSF-FT-1455C - FAILURE OF PORV 1455C TO OPEN ON DEMAND
PPS-PSF-FT-1456 - FAILURE OF PORV 1456 TO OPEN ON DEMAND
PPS-MOV-FC-1536 - PORV BLOCK VALVE 1536 CLOSED
PPS-SOV-CO-1456 - PORV 1456 STUCK OPEN
PPS-XHE-FO-PORVS - OPERATOR FAILS TO CORRECTLY PERFORM EMERGENCY BORATION
QH - FAILURE TO RECLOSE PORV FOLLOWING A T4H INITIATOR
Q3 - FAILURE TO RECLOSE PORV FOLLOWING A T43 INITIATOR
RMT-ACT-FA-RMTSA - FAILURE OF RECIRCULATION MODE TRANSFER SYSTEM TRAIN A TO ACTUATE RECIRCULATION SWITCHOVER
RMT-ACT-FA-RMTSB - FAILURE OF RECIRCULATION MODE TRANSFER SYSTEM TRAIN B TO ACTUATE RECIRCULATION SWITCHOVER
RMT-CCF-FA-MSCAL - COMMON CAUSE MISCALIBRATION OF BOTH TRAINS OF THE RMTS LEVEL SENSORS
RMT-XHE-FO-MAN - FAILURE TO MANUALLY PERFORM RECIRCULATION SWITCHOVER
R - FAILURE TO MANUALLY TRIP THE REACTOR FOLLOWING RPS FAILURE
SLOCA - CONDITIONAL SEAL LOCA PROBABILITY
S1 - SMALL LOCA, 2" < D < 6"
S2 - SMALL LOCA, 3/8" < D < 2"
SWS-CCF-FC-BIOFL - COMMON CAUSE BIOLOGICAL FOULING OF THE SERVICE WATER INLET VALVES TO THE RECIRCULATION SPRAY COOLERS
SWS-BIOFL-RCVY - FAILURE TO MANUALLY OPEN THE SERVICE WATER INLET VALVES TO THE RECIRCULATION SPRAY COOLERS
T - ALL TRANSIENT INITIATING EVENTS
T1 - LOSS OF OFFSITE AC POWER
T4H - LOSS OF 480V AC BUS 1H
T43 - LOSS OF 480V AC BUS 13
Z - ABSENCE OF "FAVORABLE" MODERATOR TEMPERATURE COEFFICIENT

Table V.6.2-1
Risk Reduction Importance Measures
For Total Core Damage Frequency

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
T1                    3.3E-06       1.9
NRACPI-2HR            2.8E-06       1.7
NRACSL                2.2E-06       1.5
SLOCA                 2.2E-06       1.5
OEP-DGN-FS-DG01       1.4E-06       1.2
BETA-MOV              1.4E-06       1.2
BETA-DG               1.2E-06       1.2
OEP-DGN-FR-DG01       1.2E-06       1.2
HPI-MOV-LF-1867C      1.1E-06       1.2
S3                    1.1E-06       1.2
OEP-DGN-FS-DG03       7.3E-07       1.1
OEP-DGN-FR-DG03       7.2E-07       1.1
Q3                    6.0E-07       1.1
T43                   6.0E-07       1.1
QH                    4.8E-07       1.1
T4H                   4.8E-07       1.1
OEP-DGN-MA-DG01       4.4E-07       1.1
S2                    4.3E-07       1.1
OEP-DGN-MA-DG03       4.3E-07       1.1
NRACP-7HR             4.2E-07       1.1
NSLOCA                4.2E-07       1.1
K                     3.5E-07       1.1
R                     3.5E-07       1.1
S1                    3.4E-07       1.1

SEP POINT ESTIMATE - TOTAL CORE DAMAGE - 7.0E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-2
Risk Reduction Importance Measures
For Plant Damage State SNNN

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
T1                    2.3E-06       ∞
SLOCA                 2.2E-06       23.4
NRACPI-2HR            2.2E-06       23.4
NRACSL                2.2E-06       23.4
OEP-DGN-FS-DG01       1.1E-06       1.9
BETA-DG               9.2E-07       1.7
OEP-DGN-FR-DG01       9.0E-07       1.6
OEP-DGN-FS-DG03       5.7E-07       1.3
OEP-DGN-FR-DG03       4.8E-07       1.3
OEP-DGN-MA-DG03       3.3E-07       1.2
OEP-DGN-MA-DG01       3.3E-07       1.2

SEP POINT ESTIMATE - SNNN - 2.29E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-3
Risk Reduction Importance Measures
For Plant Damage State TYYB

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
S3                    1.1E-06       2.8
HPI-MOV-LF-1867C      1.0E-06       2.6
BETA-MOV              1.0E-06       2.6
T1                    3.6E-07       1.3
AFW-PSF-FC-XCONN      3.0E-07       1.2
T                     2.3E-07       1.2
R                     2.3E-07       1.2
K                     2.3E-07       1.2
PPS-PSF-FT-1455C      1.4E-07       1.1
PPS-PSF-FT-1456       1.4E-07       1.1
PPS-XHE-FO-PORVS      1.4E-07       1.1
CVC-PSF-LF-BAT2A      9.4E-08       1.1

SEP POINT ESTIMATE - TYYB - 1.67E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-4
Risk Reduction Importance Measures
For Plant Damage State SYYB

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
Q3                    6.0E-07       1.6
T43                   6.0E-07       1.6
QH                    4.8E-07       1.4
T4H                   4.8E-07       1.4
S2                    4.3E-07       1.4
MOV1860A-FTO          2.3E-07       1.2
HPR-PSF-LF-SUCTA      2.1E-07       1.1
BETA-MOV              1.6E-07       1.1
MOV1860B-FTO          1.4E          1.1
MOV1862A-FTC          1.4E-07       1.1
HPR-PSF-LF-SUCTB      1.3E-07       1.1
T                     1.1E-07       1.1
R                     1.1E-07       1.1
K                     1.1E-07       1.1
Z                     1.1E-07       1.1
MDPSI1A-FTS           1.0E-07       1.1
MOV1862B-FTC          8.5E-08       1.1

SEP POINT ESTIMATE - SYYB - 1.63E-06

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-5
Risk Reduction Importance Measures
For Plant Damage State TNNN

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
NRACPI-2HR            6.5E-07
T1                    6.5E-07       ∞
NSLOCA                4.2E-07       2.8
NRACP-7HR             4.2E-07       2.8
OEP-DGN-FS-DG01       3.0E-07       1.9
BETA-DG               2.6E-07       1.7
OEP-DGN-FR-DG01       2.6E-07       1.6
OEP-DGN-FS-DG03       1.6E-07       1.3
OEP-DGN-FR-DG03       1.4E-07       1.3
TDPAFW2-FTS           1.2E-07       1.2
TDPAFW2-TM            9.8E-08       1.2
OEP-DGN-MA-DG03       9.4E-08       1.2
OEP-DGN-MA-DG01       9.4E-08       1.2

SEP POINT ESTIMATE - TNNN - 6.53E-07

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-6
Risk Reduction Importance Measures
For Plant Damage State AYYB

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
S1                    3.3E-07       2.8
A                     1.8E-07       1.6
BETA-MOV              1.5E-07       1.4
MOV1860A-FTO          7.6E-08       1.2
RMT-CCF-FA-MSCAL      6.3E-08       1.1
CPC-CCF-PG-STRAB      4.9E-08       1.1
MOV1862A-FTC          4.6E-08       1.1
CV25-FTO              3.8E-08       1.1
CV410-FTO             3.8E-08       1.1
HPI-MOV-LF-1867C      3.4E-08       1.1

SEP POINT ESTIMATE - AYYB - 5.14E-07

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-7
Risk Reduction Importance Measures
For Plant Damage State V

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
ONE-HALF              2.3E-07       9.9
LPI-CKV-RP-SI85       8.2E-08       1.5
LPI-CKV-RP-SI82       8.2E-08       1.5
LPI-CKV-RP-SI79       8.2E-08       1.5
LPI-CKV-LK-SI242      7.7E-08       1.4
LPI-CKV-LK-SI243      7.7E-08       1.4
LPI-CKV-LK-SI241      7.7E-08       1.4

SEP POINT ESTIMATE - V - 2.60E-07

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-8
Risk Reduction Importance Measures
For Plant Damage State AYNB

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
SWS-BIOFL-RCVY        9.7E-09       ∞
CVFACTOR              9.7E-09       ∞
SWS-CCF-FC-BIOFL      9.7E-09       ∞
S1                    6.4E-09       3.0
A                     3.2E-09       1.5

SEP POINT ESTIMATE - AYNB - 9.66E-09

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-9
Risk Reduction Importance Measures
For Plant Damage State AYNI

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
LPR-CCF-PG-SUMP       5.7E-10       ∞
S1                    3.8E-10       3.0
A                     1.9E-10       1.5

SEP POINT ESTIMATE - AYNI - 5.70E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-10
Risk Reduction Importance Measures
For Plant Damage State ANNN

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
CSS-TNK-LF-RWST       3.7E-10       ∞
S1                    3.8E-10       3.0
A                     1.9E-10       1.5

SEP POINT ESTIMATE - ANNN - 5.70E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-11
Risk Reduction Importance Measures
For Plant Damage State SYNI

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
S2                    3.8E-10       ∞
LPR-CCF-PG-SUMP       3.8E-10       ∞

SEP POINT ESTIMATE - SYNI - 3.80E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-12
Risk Reduction Importance Measures
For Plant Damage State TYNI

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
SWS-BIOFL-RCVY        1.3E-10       ∞
CVFACTOR              1.3E-10       ∞
SWS-CCF-FC-BIOFL      1.3E-10       ∞
T1                    1.2E-10       13.7
AFW-PSF-FC-XCONN      1.2E-10       11.0
AFW-CCF-LK-STMBD      1.2E-11       1.1
T2                    9.5E-12       1.1
AFW-XHE-FO-UNIT2      9.5E-12       1.1

SEP POINT ESTIMATE - TYNI - 1.29E-10

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

Table V.6.2-13
Risk Reduction Importance Measures
For Plant Damage State AYNN

                      RISK REDUCTION
EVENT NAME            INTERVAL      RATIO
CVFACTOR              6.4E-12       ∞
SWS-CCF-FC-BIOFL      5.6E-12       8.7
MDPCSIB-FTS           5.2E-12       5.3
BETA-CSS              5.0E-12       4.5
S1                    4.2E-12       3.0
A                     2.1E-12       1.5
CSS-XVM-RE-XV8        7.7E-13       1.1
CSS-XVM-RE-XV15       7.7E-13       1.1
MDPRSIA-FTS-R         7.3E-13       1.1
MDPRSIB-FTS-R         5.0E-13       1.1

SEP POINT ESTIMATE - AYNN - 6.37E-12

These importance calculations are based on median frequencies. The SEP point estimate frequency is provided for comparison.

VI. REFERENCES

1. Reactor Risk Reference Document, NUREG-1150, U.S. Nuclear Regulatory Commission, 1986.
2. Reactor Safety Study. An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, U.S. Nuclear Regulatory Commission, published as WASH-1400, 1975.
3. Harper, F.T., et al, Analysis of Core Damage Frequency from Internal Events: Methodology Guidelines, NUREG/CR-4550, Vol. 1, Sandia National Laboratories, 1986.
4. Kolaczkowski, A.M., Payne, A.C., Station Blackout Accident Analysis, NUREG/CR-3226, Sandia National Laboratories, May 1983.
5. Categorization of Reactor Safety Issues from a Risk Perspective, NUREG-1115, U.S. Nuclear Regulatory Commission, March 1985.
6. Deleted.
7. Oconee PRA. A Probabilistic Risk Assessment of Oconee Unit 3, NSAC-60, Electric Power Research Institute, June 1984.
8. Zion Probabilistic Safety Study, Commonwealth Edison Company, 1981.
9. Seabrook Station Probabilistic Safety Assessment, PLG-0300, Pickard, Lowe and Garrick, Inc., Irvine, CA, December 1983.
10. Millstone Unit 3 Probabilistic Safety Study, Northeast Utilities Company, August 1983.
11. Indian Point Probabilistic Safety Study, Power Authority of the State of New York and Consolidated Edison Co., 1982.
12. Mackowiak, D.P., et al, Development of Initiating Event Frequencies for Use in Probabilistic Risk Assessments, NUREG/CR-3862, EG&G Idaho Inc., May 1985.
13. Baranowsky, P., Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032, U.S. Nuclear Regulatory Commission, May 1985.
14. Interim Reliability Evaluation Program Procedures Guide, NUREG/CR-2728, Sandia National Laboratories, January 1983.
15. IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE-Std 500-1984, IEEE, New York, N.Y., 1983.
16. Benjamin, A., et al, Evaluation of Severe Accident Risks and the Potential for Risk Reduction: Surry Power Station, Unit 1, NUREG/CR-4551, Volume 1, Sandia National Laboratories, June 1986.
17. Gieseke, J.A., et al, Radionuclide Release Under Specific LWR Accident Conditions, Volume V, PWR-Large Dry Containment Designs, BMI-2104, Volume V, Battelle Columbus Laboratories, July 1984.
18. Kolb, G.J., et al, Interim Reliability Evaluation Program: Analysis of the ANO-Unit 1 Nuclear Power Plant, NUREG/CR-2787, Sandia National Laboratories, June 1982.
19. Payne, A.C., et al, Interim Reliability Evaluation Program: Analysis of the Calvert Cliffs Unit-1 Nuclear Power Plant, NUREG/CR-3511, Sandia National Laboratories, August 1984.
20. Wood, D.C., Gottshall, C.L., Probabilistic Analysis and Operational Data in Response to NUREG-0737, WCAP 9804, Westinghouse Electric Corp., Pittsburgh, PA, February 1981.
21. Personal Communication: Doug Rickeard of VEPCO, and Robert Bertucio of EI, Seattle, WA.
22. Boardman, T., Leak Rate Analysis of the Westinghouse Reactor Coolant Pump, NUREG/CR-4294, Energy Technology Engineering Center, Canoga Park, CA, July 1985.
23. Communication: P. Cybulskis, BCL, to E. Haskins, Sandia National Laboratories; SARRP Source Term Analysis for Surry Design, July 1985.
24. Generic Implications of ATWS Events at the Salem Nuclear Power Plant, NUREG-1000, U.S. Nuclear Regulatory Commission, April 1983.
25. Fleming, K.N., et al, Classification and Analysis of Reactor Operating Experience Involving Dependent Events, EPRI-NP-3967, Electric Power Research Institute, June 1985.
26. Letter, A.D. Swain to F.T. Harper, Draft 2 of ASEP HRA Procedure for Pre-Accident Tasks, Sandia Internal Memorandum, August 23, 1985.
27. Letter, A.D. Swain to F.T. Harper, Draft 3 of ASEP HRA Procedure for Post Accident Tasks, Sandia Internal Memorandum, September 20, 1985.
28. Anticipated Transients Without Scram for Light Water Reactors, NUREG-0460, U.S. Nuclear Regulatory Commission, April 1978.
29. Westinghouse Anticipated Transients Without Trip Analysis, WCAP-8330, Westinghouse Electric Corp., Pittsburgh, PA, August 1974.
30. Transmittal, Dircks, W.J., to NRC Commissioners, Amendment to 10CFR50 Related to ATWS Events, SECY-83-293, U.S. Nuclear Regulatory Commission, July 19, 1983.
31. Utility Group of ATWS Comments to 46 Fed. Reg. 57,521 (1981), submitted to Secretary of the U.S. NRC, by hand, April 23, 1982.
32. McClymont, A.S., Poehlman, B.W., Loss of Offsite Power at Nuclear Power Plants: Data and Analysis, EPRI-NP-2301, Electric Power Research Institute, Palo Alto, CA, March 1982.
33. Kittmer, C.A., et al, Reactor Coolant Pump Shaft Seal Behavior During Station Blackout, NUREG/CR-4077, EG&G Idaho Inc., April 1985.
34. Fletcher, C.D., Accident Mitigation Following a Small Break with Coincident Failure of Charging and High Pressure Injection for the Westinghouse Zion PWR, EGG-CAAD-5428, EG&G Idaho Inc., April 1981.
35. Battle, R.E., Emergency Diesel Generator Operating Experience, 1981 - 1983, NUREG/CR-4347, Oak Ridge National Laboratory, Oak Ridge, Tennessee, July 1985.
36. Swain, A.D., Guttmann, H.E., Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, Sandia National Laboratory, Albuquerque, New Mexico, August 1983.


APPENDIX A

This appendix provides additional discussion of certain areas of modeling and quantification. The subappendices are:

A.1 Reactor Coolant Pump Seal LOCA Model
A.2 Station Blackout Model
A.3 Derivation of Failure Rate for Steambinding of AFW Pumps
A.4 Derivation of Failure Rate for Biofouling of SW Valves
A.5 Selection of Mission Time for Diesel Generators for Loss of Offsite Power Initiators
A.6 Allowable Recovery Time for Prevention of Core Damage
A.7 Qualitative Discussion of Intake Canal Refill
A.8 References

A.1 Reactor Coolant Pump Seal LOCA Model

A reactor coolant pump seal LOCA model was developed to predict the probability of seal failure as a function of time after loss of all seal cooling. This model was necessary in order to accurately model the recovery of AC power. Loss of all seal cooling is defined as loss of seal injection flow combined with loss of component cooling water flow to the thermal barrier heat exchangers.

This model was developed in October 1985 and as such precedes much of the analysis done in support of the Station Blackout Rulemaking. At the time this model was developed, large scale seal test results were not available. This model is based on test results and analyses published in NUREG/CR-4077 and NUREG/CR-4294 and expert opinion of seal LOCA behavior. This model is a generic model applicable to the three stage seal assemblies commonly found in Westinghouse reactor coolant pumps.

A.1.1 Leak Rates for Seal Failure

For the purposes of defining leak rate, seal failure was defined as complete failure of all three stages. The leak rate for this was calculated to be 450 gpm in NUREG/CR-4294. This leak rate was used in the model. It is recognized that this is the maximum leak rate possible, but no information was available at the time of model development to predict partial stage failure probabilities.

A.1.2 Development of Probabilistic Model

The parameter values which were ultimately necessary for the core damage sequences evaluation were 1) the probability of seal LOCA occurrence within the first 6 hours after station blackout (SLOCA), and 2) the average probability of failure to restore HPI flow within one hour of occurrence of a seal LOCA (NRACSL). The second parameter was comprised of two probabilities: 1) the failure to recover offsite power to the switchyard within one half hour of seal LOCA (NRAC), and 2) operator failure to correctly restore support services and HPI flow after AC power is restored to the switchyard. The average probability for failure to restore AC power was calculated within this modeling effort. The operator error probability was calculated in Section IV.7, and was added to the NRAC to yield NRACSL.

The upper and lower bounds of these parameter values were calculated as described below. The error factors and median values of the distribution were then calculated under the assumption of a lognormal distribution as required by SEP.

A Weibull distribution was chosen to model seal LOCA occurrence probability. A Weibull was chosen because it can represent a constantly increasing hazard rate and it is easy to work with. A worst case and a best case distribution were defined. The cumulative probability calculated by the worst case became the 95% value of the lognormal distribution mentioned above and the value from the best case became the 5% value for the lognormal distribution. Fitting constants for the best and worst case Weibull distributions were based on expert opinion of seal LOCA performance. The question was asked, "Under the worst (best) conditions of seal performance, at what time do you feel 95% certain that a seal LOCA will (will not) occur?" The hours and fitting constants are shown in Table A.1-1.

The process described above defines the probability of occurrence of a seal LOCA. The next step was to find the average probability for failure to recover offsite AC power within 1/2 hour of occurrence of the seal LOCA (NRAC). The 1/2 hour value is derived from timing considerations discussed in Appendix A.2. The equation for the cumulative distribution function for non-recovery of offsite power was taken from NUREG-1032. It is:

$$F_{nrac}(t) = \exp\left(-1.23\,t^{.472}\right)$$

The average probability for failure to restore HPI flow within 1 hour after seal LOCA (NRACSL) was calculated as follows:

$$NRACSL = NRAC + \text{operator error}$$

$$NRAC = \frac{\int_0^6 f_{sl}(t)\,F_{nrac}\left(t + \tfrac{1}{2}\right)dt}{\int_0^6 f_{sl}(t)\,dt}$$

where

$f_{sl}(t)$ = probability of seal LOCA versus time,

$\int_0^6 f_{sl}(t)\,dt$ = SLOCA = probability of seal LOCA by 6 hours.

Values of NRAC and SLOCA were calculated for the best and worst cases of seal performance. The values were used to calculate the following parameter value distributions for SLOCA and NRAC, which were used in the sequence quantification. The worst case value of NRAC and SLOCA became the 95% upper bound of the parameter value distribution, and the best case value became the 5% lower bound. The median, mean and error factor were calculated.

                 SLOCA    NRAC
95%              .99      .15
mean             .65      .11
median           .61      .11
5%               .38      .087
error factor     1.6      1.4

The operator error value of 2.5E-2 was added to NRAC to yield NRACSL. See Section IV.7 for derivation of the operator error probability.

Additional note: The value for NRAC used in the sequence quantification is conditional upon non-recovery of AC at one half hour. The value calculated here is unconditional, and must be divided by .51 to yield the proper value.

Table A.1-1 Parameter of Seal LOCA Model

                                              Worst Case    Best Guess
Expert Opinion
  95% sure seal LOCA will not occur           1/2 hr.       2 hr.
  95% sure seal LOCA will occur               4 hr.         15 hr.
Fitting Parameters for Weibull, f_sl(t)
  β                                           1.96          2.02
  λ                                           2.29          8.71
Seal LOCA Probability, 1 - 6 Hour (SLOCA)     .99           .38
Probability of Seal LOCA and Non-recovery
  of AC, (SLOCA) x (NRAC)                     .15           .033
Average Non-recovery Probability (NRAC)       .15           .087
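The Appendix A.1 calculation carried through numerically, as an added example (not code from the report). It reads the two Weibull fitting parameters as shape and scale, fits them to the expert-opinion times, and evaluates SLOCA and NRAC; the lower integration limit is not legible in the extracted equation, so `t_lo=0` is an assumption (it gives SLOCA values close to the tabulated .99 and .38), and all function names are illustrative.

```python
import math

Z95 = 1.645  # standard-normal 95th percentile, used for the lognormal bounds


def fit_weibull(t05, t95):
    """Shape and scale of F(t) = 1 - exp(-(t/scale)**shape) such that
    F(t05) = 0.05 and F(t95) = 0.95 (the two expert-opinion times, in hours)."""
    k05 = -math.log(1.0 - 0.05)
    k95 = -math.log(1.0 - 0.95)
    shape = math.log(k95 / k05) / math.log(t95 / t05)
    scale = t95 / k95 ** (1.0 / shape)
    return shape, scale


def weibull_cdf(t, shape, scale):
    return 1.0 - math.exp(-((t / scale) ** shape))


def weibull_pdf(t, shape, scale):
    """f_sl(t): seal LOCA probability density versus time."""
    if t <= 0.0:
        return 0.0
    z = (t / scale) ** shape
    return (shape / t) * z * math.exp(-z)


def f_nrac(t):
    """Non-recovery of offsite power at t hours (NUREG-1032 curve quoted in A.1)."""
    return math.exp(-1.23 * t ** 0.472)


def sloca_and_nrac(shape, scale, t_lo=0.0, t_hi=6.0, lag=0.5, n=20000):
    """SLOCA = integral of f_sl over [t_lo, t_hi].
    NRAC  = integral of f_sl(t) * F_nrac(t + lag) over the same window / SLOCA.
    t_lo = 0 is an assumption; lag = 1/2 hour and t_hi = 6 hours are from the text.
    The numerator uses the midpoint rule with n steps."""
    h = (t_hi - t_lo) / n
    numerator = 0.0
    for i in range(n):
        t = t_lo + (i + 0.5) * h
        numerator += weibull_pdf(t, shape, scale) * f_nrac(t + lag)
    numerator *= h
    sloca = weibull_cdf(t_hi, shape, scale) - weibull_cdf(t_lo, shape, scale)
    return sloca, numerator / sloca


def lognormal_from_bounds(p05, p95):
    """Median, mean and error factor of the lognormal whose 5% and 95%
    points are the best-case and worst-case values."""
    median = math.sqrt(p05 * p95)
    error_factor = math.sqrt(p95 / p05)
    sigma = math.log(error_factor) / Z95
    mean = median * math.exp(sigma ** 2 / 2.0)
    return median, mean, error_factor


if __name__ == "__main__":
    cases = {"worst": (0.5, 4.0), "best": (2.0, 15.0)}  # hours, Table A.1-1
    for name, (t05, t95) in cases.items():
        shape, scale = fit_weibull(t05, t95)
        sloca, nrac = sloca_and_nrac(shape, scale)
        print(f"{name}: shape={shape:.2f} scale={scale:.2f} "
              f"SLOCA={sloca:.3f} NRAC={nrac:.3f} product={sloca * nrac:.3f}")
    # Lognormal built from the tabulated SLOCA bounds (.38 and .99).
    median, mean, ef = lognormal_from_bounds(0.38, 0.99)
    print(f"SLOCA lognormal: median={median:.2f} mean={mean:.2f} EF={ef:.1f}")
```

NRAC is sensitive to the integration window, so pass a different `t_lo` to see how the result moves.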


A.2 Station Blackout Model

Station blackout (SBO) represents the loss of all AC motive power. This condition is sufficiently different from other initiators and sequences that it requires evaluation using separate sequence modeling. Station blackout sequences leading to core damage were identified by evaluation of the T1 event tree. These sequences are:

T1 D3 W D1 CF1 - T1, followed by loss of seal cooling leading to seal LOCA, followed by failure of HPI. Containment systems are unavailable.

T1 L D1 CF1 - T1, followed by failure of auxiliary feedwater, followed by failure of HPI to feed and bleed. Containment systems are unavailable.

T1 Q-D1 CF1 - T1, followed by a stuck open PORV, followed by failure of HPI to supply coolant injection. Containment systems are unavailable.

The problem is that there are timing considerations involving seal LOCA occurrence, battery depletion, AFW failure, and AC power recovery which are applicable to SBO sequences and are not included in the T1 models. For this reason, a special event tree was developed for SBO to evaluate these timing and phenomenology issues. This event tree forms the basis for quantification of SBO sequences. This event tree was previously discussed in Section IV.4.10, but is also included here (see end of Appendix A.2).

The entry point for the event tree is a station blackout at Unit 1. That is, an event whose frequency is calculated by collecting all the cut sets which are combinations of failures of diesel generators 1 and 3. The frequency of this event is 8.0E-5 per year. This condition is then evaluated using the SBO event tree. After the sequences are delineated and quantified they are defined in terms of the sequences from the T1 event tree.

A.2.1 Issues in the Station Blackout Evaluation

Two issues addressed in the station blackout evaluation were recovery using systems at Unit 2, and the minimum canal drain time. These are discussed below:

A.2.1.1 Recovery Using Systems From Unit 2

Recovery actions using systems from Unit 2 were not included in the SBO sequence quantification. Although Unit 2 was assumed to be without offsite power, diesel generator 2 could be expected to start and provide power to 4160V bus 2-H in 63% of SBO events (this number was calculated using the conservative beta factor modeling criteria. It is 97% without beta factors). This would enable operation of one motor-driven AFW pump, one HPI pump and one CCW pump at Unit 2 in addition to the turbine driven AFW pump at Unit 2. Surry has provisions for cross connect of HPI, AFW, and CCW from Unit 2 to Unit 1. These cross connects are also explicitly identified in the SBO emergency procedures. Cross connect of CCW could be used to prevent seal LOCA, cross connect of HPI could also prevent seal LOCA and cross connect of AFW could mitigate early AFW failures.

These cross connects however, are not normally intended to have one pump supply services to both units. Normal procedures for cross connect of HPI and AFW call for isolation of the Unit 2 pump from the normal Unit 2 flow paths so that the Unit 2 pump provides flow only to Unit 1. Under SBO conditions, there are two choices: one pump could supply both units simultaneously, using throttle valves to balance flows, or one pump could supply each unit on a "flip-flop" basis. Having no valve power at Unit 1 and only half the valves operable at Unit 2 would complicate either of these actions.

The CCW system does not have these types of isolation constraints. One pump can be connected to both units simultaneously. However, it may not have sufficient capacity to remove heat loads at both units under shutdown conditions.

In order to properly account for these recovery actions, it would have been necessary to develop an integrated two-unit recovery model which would set success criteria, postulate resource allocation between units and evaluate the probability for successful core cooling for both units under the SBO conditions. Sufficient time was not available to develop this model so rather than make a subjective decision, the Unit 2 systems were assumed to be required for Unit 2.

A.2.1.2 Use Of Minimum Canal Drain Time

The 30 minute canal drain time used throughout the SBO model is conservative. This is based on an initial canal inventory of 45 million gallons and the assumption that none of the condenser halves are isolated. There are four condenser halves per unit, each with a normal flow rate of 200,000 gpm.

Credit for manual isolation of the valves was not considered. It would take 15 - 30 minutes to manually close one of these valves. Since this is comparable to the drain time, no credit was allowed.

If Unit 2 was shut down prior to the loss of offsite power or if DG#2 starts, the Unit 2 condensers will be isolated, thereby increasing the canal drainage time to one hour. Plus, with one hour to do something, some credit could be allowed for manual isolation of additional valves.

A.2.2 Canal Drainage and Refill

Canal inventory is important in the SBO model in order to provide service water for the HPI-SW pumps and to a lesser degree to supply service water for the CCW heat exchangers. The amount of water in the canal necessary for these services is not specified. The HPI-SW pump may be able to operate on the residual water in the condenser piping. The priority for canal refill under SBO conditions and the number of pumps to be restored is a matter of subjective estimation. In addition, hydrodynamic details such as wave speed in the canal and the time it would take for the water to travel 1 1/2 miles to the plant are not known.

A time for canal refill was never explicitly identified. Canal refill is only one step in the recovery of HPI. A thirty minute time lag was postulated between restoration of offsite power and restoration of HPI. It was considered that sufficient canal refill could be accomplished within that time frame.

A.2.2.1 Mechanical Failure of Isolation Valves

Failure to isolate the condensers was postulated due to loss of all AC power. This was recoverable when AC power was restored. Failure to isolate the canal due to common cause mechanical failure of the valves would not be recoverable. Its frequency was calculated and determined to be insignificant.

There are eight condenser water boxes. Each waterbox has an inlet and outlet isolation valve. Closure of either valve is sufficient to isolate the water box. Plant specific data on these valves was available. It revealed a failure probability (for failure to transfer on demand) of 2.0E-3/d for the inlet valves and 2.0E-4/d for the outlet valves. The inlet valves are normally left open, while the outlet valves are adjusted shiftly to account for the tide change. The inlet and outlet valves were therefore assumed to be in different component populations. The common cause modeling ground rules were applied to this problem in the following way:

Probability of Canal Drainage
    = T1 x (failure 1st outlet valve x failure 2nd valve x failure 3rd x failure 4th, etc.) x (failure 1st inlet valve x failure 2nd valve, etc.)
    = .07 x (2.0E-4 x .033 x 1.0) x (2.0E-3 x .033 x 1.0)
    = 3.0E-11

where .033 equals the beta value for MOVs.

A.2.3 Event Tree Discussion (Reprinted from Section IV.4.10)

The first heading on the tree addresses restoration of AC power to the plant buses within 1/2 hour. Thirty minutes was chosen because it conveniently corresponds to two timing considerations. First, it is the time required to deplete SG inventory if AFW is not available. Since safety functions are not essential to prevent core damage within the first 30 minutes, restoration of power to the plant systems within this time was assumed to be sufficient to restore the reactor to a safe condition.

Thirty minutes is also the time at which the intake canal would be drained if none of the main condenser waterboxes were manually isolated after a station blackout. Restoration of AC power to the emergency buses will automatically isolate the condensers. Restoration of power to the normal buses will re-energize the circ-water pumps thereby refilling the canal. If either of these events occur within thirty minutes, canal drainage would be prevented. If the canal is completely drained, restoration of HPI flow is complicated by the need to refill the intake canal in order to provide a water source for the HPI-SW pumps. This is factored into the recovery model by requiring 30 minutes from the time of recovery of AC power to the switchyard to the time of restoration of HPI flow.

The next heading on the tree is for RCS integrity. One PORV (PORV-1456) is assumed to cycle open (provided it was not blocked prior to the initiator). Failure of the PORV to reclose results in a small LOCA. Since the Motor Control Centers are de-energized, the block valves are inoperable and the PORV is not isolable. Two possible mitigation scenarios are generally considered for these sequences (closing block valve or providing HPI flow). Only scenarios involving closing the block valve are applicable in this case because the Surry specific timing considerations associated with system restoration (specifically the canal level restoration) prevent restoration of HPI flow within the allowable time. Recovery of AC power to the block valves and isolation of the PORV within one hour of opening, followed by eventual restoration of HPI flow will mitigate this event.

The next heading on the tree addresses AFW availability in the early time frame. If AFW is not available, SG inventory would be depleted in 1/2 hour. From that time, there is an additional 1/2 hour to restore both HPI flow and AFW to prevent core damage. However due to the timing considerations of canal refill and system restoration, recovery from this scenario (i.e., AFW failure) is not possible unless AC power is restored within 1/2 hour from time of loss of AFW.

The next event tree heading addresses the occurrence of a seal LOCA. At this time (one hour) into the event, the successful sequences on the tree have RCS Integrity, AFW to the steam generators, and no AC power. The occurrence of a seal LOCA was modeled (see Appendix A.1) probabilistically as a function of time in order to facilitate more precise modeling of AC power recovery. If a seal LOCA occurred, core damage was assumed to be prevented if HPI flow was restored within one hour of seal LOCA. Due to restoration timing considerations discussed above (canal level) this requirement translates into recovery of AC power within 1/2 hour of seal LOCA in order to prevent core damage. The probability of non-recoverable seal LOCA was calculated, from one hour to six hours, by multiplying the probability density function for seal LOCA at time "t", times the cumulative distribution function for non-recovery of AC power at time t + 1/2 hour, and integrating over the time period of interest.

If seal LOCA occurs and HPI flow is restored within one hour, the SBO event is successfully mitigated. Should a seal LOCA occur and HPI flow is not restored within one hour, core damage will occur.

If seal LOCA does not occur, the question of AC power recovery is not critical until after the four-hour time frame. At that time, the batteries supplying DC power to instrumentation are assumed to be depleted. After this point, no credit is given for successful control of steam generator water level. An additional three hours after battery depletion was allowed for recovery of AC power before core damage would occur. The selection of a three-hour time period is consistent with assumptions in NUREG/CR-3226.

Sequences 1, 2, 3 are successful mitigation of the event. They represent recovery of AC power at various times. Sequence 4 represents long term blackout with no recovery of AC power. Battery depletion leads to AFW failure. This is a T1 L D1 CF1 sequence, but was designated T1 L(LT) D1 CF1 to denote long term AFW failure. Sequence 5 is a mitigated seal LOCA. Sequence 6 is a non-mitigated seal LOCA and is the T1 D3 W D1 CF1 sequence. It was renamed T1 (SL) D1 CF1 to denote seal LOCA occurrence. Sequence 7 is an early failure of AFW and was denoted T1 L(ST) D1 CF1. Sequence 9 is a non-isolable stuck open relief valve. It is the T1 Q-D1 CF1 sequence. Sequence 10 is a T1 L Q-D1 CF1. This sequence is approximately 1.0E-8 and was not included in the dominant sequence list.

[Figure A-1. Station Blackout Event Tree. Headings: recover AC within 1/2 hour; PORV reclose; AFW; recover AC within 1 hour; avoid seal LOCA; recover AC within 1/2 hr of seal LOCA; recover AC within 7 hr; status (OK or CM). Notes on the figure: canal drain occurs at 30 min.; battery depletion occurs at 4 hr.]

A.3 Derivation Of Failure Rate For Steambinding Of AFW Pumps

Reference A-4 indicates steambinding of AFW pumps may be a generic problem at PWRs. The report was reviewed for its applicability to Surry. Three instances of steambinding in the AFWS occurred at Surry during the years of the survey, 1981 through 1983, inclusive. One occurrence failed two pumps and the other two occurrences failed one pump. The three events occurred very close in time and all occurred on Surry Unit 2. This indicates that it was a plant specific problem, which is consistent with the Surry troubleshooting which found steam cuts on the valve seats of the AFWS check valves. The valves were rebuilt, and other remedial measures were taken such as shiftly checking of the AFWS discharge piping temperature, and removal of piping insulation to aid in condensation of any steam which did appear in the system. No subsequent steambinding has occurred.

Although the reported occurrences of steambinding at Surry appear to be specifically caused by leaking check valves, and the problem appears to have been corrected, AFW failure due to steambinding was included in the AFWS model. The problem appears to be widespread, based on the referenced report, and the causes of steambinding at other plants may appear at Surry. In addition, steambinding can potentially be a common cause failure of all AFW pumps and therefore may be dominant even though it has a low probability. For these reasons it was desired to include steambinding in the AFW model. (Steambinding was assumed to be a CCF of all three AFW pumps in the AFW model.)

The probability of steambinding was calculated based on generic data in AEOD/C404. The data is as follows.

• 22 occurrences of steambinding of an AFW pump,
• 3 years of operating experience, 1981 - 1983,
• 47 operating units in this 3 year period,
• 38 estimated AFW demands per unit per year. This includes 8 per year for reactor trip, 30 per year for monthly pump testing. All testing is staggered.

This data results in a point estimate for steambinding of:

$$\frac{22\ \text{events}}{47 \times 3 \times 38} = 4.1\text{E-3/demand}$$

The root cause of steambinding is considered to be check valve leakage, which is properly modeled with an hourly failure rate. The value of .0041/demand shows the probability that check valve leakage occurred between pump demands. In order to find an hourly failure rate, it was necessary to calculate a demand period.

Each reactor had averaged 38 AFW demands per year. This is an average demand period of 9.6 days. The hourly check valve failure rate is therefore:

$$\frac{.0041/\text{demand}}{231\ \text{hours/demand}} = 1.8\text{E-5/hr}$$

Accounting for the shiftly (eight hour) check, the probability of steambinding being undetected during a random AFW demand is:

$$1.8\text{E-5/hr} \times 8\ \text{hr} = 1.4\text{E-4/demand}$$

This was rounded to 1E-4 for use in the fault tree quantification. An error factor of 30 was subjectively chosen. The large error factor reflects the estimation in this calculational process.

A.4 Derivation Of Failure Rate For Biofouling Of SW Valves

An LER review of Surry 1 and Surry 2 identified one occurrence of common cause failure of the containment spray heat exchanger service water valves to open when activated from the control room. This occurrence formed the basis for inclusion of common cause failure of these valves in the CSR fault trees.

The probability distribution for this event between the bounds was assumed to be lognormal. This is a necessary constraint when using the SEP code, as this study did, to calculate uncertainty. The values of the distribution were calculated to be:

  95% (upper)     0.125
  mean            0.032
  50% (median)    0.0114
  5% (lower)      0.001
  error factor = 11

These values were calculated based on the following data:

• From 1972 to 1983, the valves were tested once per year, at each unit. This totals 22 tests. In 1983, after the failure, test frequency was changed to once per quarter. This yields two populations of data.

  Data accumulated at 1 year test interval:       22 tests / 1 failure
  Data accumulated at quarterly test interval:    16 tests / 0 failures

A critical question in the modeling of this failure is the relationship between the test interval and the common cause failure probability. The information available indicates this failure was caused by general corrosion and biofouling of the valve internals and valve actuators due to environmental factors. Both the service environment of the valves and the environment of the actuators could have contributed to the failures. From the information available, it was not possible to construct a relationship between test frequency and valve reliability. Two common possibilities would be 1) that no change in failure rate occurs or 2) the failure rate decreases proportionately to test interval. Both of these cases were included in the failure rate calculation.

The upper bound value of the parameter distribution was assumed to represent the worst case. That is, increased test frequency does not affect reliability. The two component populations can then be combined. The 95% chi square value of 1 failure in 38 times is 0.125. This was used as the upper bound of the lognormal distribution.

The median value of the parameter distribution was assumed to represent the point estimate of the "best estimate" situation: increased testing decreases the failure probability proportionally. The two data populations cannot be combined under this assumption. The median value becomes the point estimate of 1 failure in 22 times, reduced by a factor of 4 to account for quarterly test, or 0.011.
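The A.4 derivation reproduced as an added example (not the study's SEP code). It assumes the usual one-sided chi-square bound, chi2(2f+2)/(2n), for the "95% chi square value" and a standard-normal 95th percentile of 1.645 for the lognormal; the function names are illustrative.

```python
import math

Z95 = 1.645  # standard-normal 95th percentile (assumed convention)


def chi2_cdf_even(x, dof):
    """Chi-square CDF for an even number of degrees of freedom:
    1 - exp(-x/2) * sum_{j < dof/2} (x/2)**j / j!"""
    half = x / 2.0
    term, total = 1.0, 1.0
    for j in range(1, dof // 2):
        term *= half / j
        total += term
    return 1.0 - math.exp(-half) * total


def chi2_quantile_even(p, dof):
    """Invert the CDF by bisection (no external libraries needed)."""
    lo, hi = 0.0, 1.0
    while chi2_cdf_even(hi, dof) < p:
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if chi2_cdf_even(mid, dof) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def upper_bound(failures, demands, confidence=0.95):
    """One-sided upper confidence bound on a per-demand failure probability."""
    return chi2_quantile_even(confidence, 2 * failures + 2) / (2.0 * demands)


def biofouling_distribution(yearly_tests=22, yearly_failures=1,
                            quarterly_tests=16, quarterly_failures=0,
                            interval_ratio=4):
    """Lognormal parameters for the CCF of the service water valves.

    Upper bound: testing frequency has no effect, so both populations are
    pooled (1 failure in 38 tests) and the 95% chi-square bound is taken.
    Median: failure probability scales with test interval, so only the
    yearly data are used and the point estimate is divided by 4.
    """
    p95 = upper_bound(yearly_failures + quarterly_failures,
                      yearly_tests + quarterly_tests)
    median = yearly_failures / yearly_tests / interval_ratio
    error_factor = p95 / median
    sigma = math.log(error_factor) / Z95
    return {
        "p95": p95,
        "median": median,
        "error_factor": error_factor,
        "p05": median / error_factor,
        "mean": median * math.exp(sigma ** 2 / 2.0),
    }


if __name__ == "__main__":
    for name, value in biofouling_distribution().items():
        print(f"{name:13s} {value:.4g}")
```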

A.5 Selection Of Mission Time For Diesel Generators For Loss Of Offsite Power Initiators

Mission time for accident sequence analysis in PRAs is generally 24 hours. This precedent was set by WASH-1400. For some initiators, such as loss of offsite power, however, a single 24 hour mission time may not be appropriate. The high probability of recovery of offsite power within 24 hours makes the use of 24 hours overly conservative and makes modeling of recovery imprecise. A six hour mission time was chosen, based on considerations of reactor operation. This mission time was then compared with a 24 hour time to determine if it was non-conservative.

A six hour mission time was selected for diesel generators. This time corresponds to the mission time for the injection phase of stuck open relief valve sequences. System models quantified for this mission time already existed.

The acceptability of the six hour time period was evaluated by comparing the unavailability of AC power on a 4160V bus at six hours, to the unavailability of AC at 24 hours. A simple model was put together and evaluated using generic data for a 4160V bus supplied by one DG and offsite power. The model included diesel generator failures and recovery of offsite power. The distribution function for unavailability of AC power at time "t" was derived as follows:

$$F(t:\ \text{No AC}) = F(t:\ \text{No Recovery}) \cdot F(t:\ \text{DG Fail})$$

$$F(t:\ \text{No Recovery}) = e^{-1.23\,t^{0.472}} \quad \text{(this is from cluster 7 in NUREG-1032)}$$

$$F(t:\ \text{DG Fail}) = \text{DG-FTS} + \text{DG-T\&M} + (\text{DG-FTR})\,t$$

from NUREG 1150 generic data:

  DG-FTS = 2.5E-2/d
  DG-T&M = 1.1E-2
  DG-FTR = 1.3E-3/hr

F(t: No AC) is the probability of no AC power at time "t". P(t: No AC) is the probability that at any time prior to "t", AC power was unavailable.

$$P(t:\ \text{No AC}) = \int_{0}^{t} F(t:\ \text{No AC})\,dt$$

  P(24) = .056
  P(6) = .045
  P(6)/P(24) = .8

Setting the mission time for the DG at six hours does not undermine the credibility of the model.

This value was then put in the DG model to calculate cut set frequencies and the station blackout frequency.

A.6 Allowable Recovery Times For Prevention Of Core Damage

In order to quantify recovery actions, it was necessary to have a time frame for completion of recovery actions. A survey was made to find times to core uncovery for various accidents. The results of the survey are shown below:

Sequence     Event            Time      Source
TML          SG Dryout        35 m      W EPG analysis
             Initiate F&B     30 m      W EPG analysis
TML (SBO)    Core Uncovery    97 m      NUREG 1032 (A-5)
S2D (2")     Core Uncovery    30 m      EGG-CAAD-5428 (A-6)
                              35 m      BMI 2104
S3D (1")     Core Uncovery    2 hr      EGG-CAAD-5428
TQDL         Core Uncovery    1.3 hr    NUREG 1032
TQDL         Core Uncovery    1.4 hr    NUREG 1032

From this survey, the following recovery times were developed.

Sequence Type    Action                          Time
TQDL             isolate PORV, no HPI            1 hr
                 recover HPI, no isolate PORV    1 hr
TQDL             recover HPI and AFW             30 min
TML              recover AFW                     30 min
                 initiate HPI                    45 min
S3DL             recover HPI                     2 hr
S2DL             recover HPI                     30 min

A.7 Qualitative Discussion of Intake Canal Refill

During the Surry review a concern was voiced that in the event of a station blackout, leading to drainage of the intake canal, the water level in the canal may not be sufficiently restored within a reasonable time frame after recovery of offsite power. If this failure probability had been significantly underestimated, core damage frequency could be significantly increased. It was not clear to the reviewers that the basecase analysis addressed this concern. The following discussion of canal drainage and refill is provided in response to these concerns.

A.7.1 Key Factors in Plant Configuration

The intake canal is supplied by eight circulating water pumps of 210,000 gpm each. They are not powered by emergency power. They are manually controlled and operated from the control room.

The intake canal is also supplied by three emergency service water pumps of 15,000 gpm each. These are diesel driven (dedicated diesel engine), safety grade pumps which fall under Technical Specifications. They are manually started from the control room.

There are eight condenser water boxes, each supplied with an inlet and outlet isolation valve. The valves are 96" valves, located in 96" piping which connects the water boxes to the intake and outlet canals. This connective piping is below the level of the water box bottom, so that the piping will have some residual water in it after canal drainage. The isolation valves are 1E powered and receive a signal to close 75% on loss of offsite power or low canal level. They receive a signal to close completely on SIAS or CLS Hi.

The suction for the HPI service water pump is from the 96" connective piping (inlet side), approximately at the midpoint of the piping elevation.

A.7.2 Basecase Modeling

The basecase assumed station blackout for longer than one half hour would lead to drainage of the intake canal. Canal drainage was assumed to prevent operation of the HPI-SW pumps which would prevent operation of the HPI pumps. This condition in itself did not lead to core damage. As long as AFW was available and RCS integrity was maintained (i.e., no seal LOCA or stuck open relief valve), canal inventory was not a factor. AC power must eventually be restored in order to provide safe reactor shutdown. Canal inventory became important only after AC power was restored and HPI was required in order to mitigate a seal LOCA. Under these conditions, canal inventory is necessary only in order to provide a water source for HPI service water.

Restoration of the canal level was included in the study in two ways: 1) a 30 minute time lag was included in the modeling of HPI restoration, to allow for canal refill; 2) an operator error was postulated for failure to restore HPI, which inherently included failure to restore canal inventory prior to start-up of HPI. The error probability used was .25 for failure to properly start HPI pumps A and B, and .1 for pump C. The overall operator error was 2.5E-2.

A.7.3 Conservatisms in the Basecase

The basecase is considered conservative for many reasons, as listed below:
1. Minimum canal drainage time of 30 minutes was used:

Canal drain time was based on the assumed non-isolability of both Unit 1 and Unit 2 condensers. If Unit 2 was not operating at the time of the initiator or if diesel generator 2 was available, the Unit 2 condensers would be isolated.

2. Canal drainage was equated to HPI failure:

The basecase gave no credit for the possibility that the HPI-SW pump could operate on any residual water left in the canal or the 96" connective piping. The 96" piping which runs between the intake canal and the condenser is below the level of the canal and the condenser. It can be expected to have residual water in it even if the canal is drained. The 40 foot run of pipe has approximately 16,000 gallons of water, some of which could be utilized by the HPI-SW pump, which only requires 90 gpm.

3. No credit for Emergency Service Water Pumps:

The basecase did not consider the use of the ESW pumps. Although their capacity is not sufficient to refill the canal if the condensers are not isolated, they could provide run-over into the connective piping, which would provide water inventory for the HPI-SW pump. Also, if the condensers were manually isolated, the ESW pumps could then begin to replenish canal inventory. The SBO model extends to 7 hours, during which time the ESW pumps could fill the canal to a level of 9 - 10 feet if the condensers had been isolated within 1-2 hours. This level is sufficient to supply all cooling loads.

4. No credit for partial isolation of condensers:

Because the canal inventory is only important through the need for HPI-SW, closure of one valve is all that is really necessary to supply HPI-SW. If the outlet isolation valve on the waterbox corresponding to the HPI-SW suction source is isolated, that condenser half will refill and provide a source of water for the HPI-SW, even though water is running through the other condenser halves, and the canal is drained.

A.7.4 Concerns of Review Group

The primary concerns of the review group were:

• the operator error rate assigned to canal refill was too optimistic
• no emergency procedures exist at Surry for canal refill after a station blackout
• failure to refill the canal may be important in SBO sequences other than the ones identified.

The response to these concerns is as follows:

1. Operator Error Rate The operator error probability assigned to failure of the first two HPI pump (pumps A & B) is 0.25. This is a relatively high value for operator error. It was subjectively chosen considering the level of stress in an SBO recovery situation and the level of training of tne Surry operators.

The operator error for the third pump was assigned a value of 0.1 for similar reasons. The lower value considers that the operator would

,            recognize that the first two pumps were failed and would perform some diagnostic troubleshooting which would lead to proper recovery of .the canal.

The overall operator error for failure of all HPI pumps is therefore-2.5E-2. This has an error factor of 10 (on the median), so the upper bound is 0.1. The configuration of the HPI' system at Surry was a key factor in the derivation of this error rate. Surry has three HPI pumps, one of which is always locked out. Operation of the locked out pump reqJires manual action on the part of the operator.

2. Emergency Procedures

Although specific emergency procedures for canal refill do not exist, this was not considered to be a decisive factor in the analysis of SBO sequences. It was felt that enough people would be involved in station blackout recovery and enough indications of insufficient canal inventory would be available that the plant staff would recognize the need to restore canal level and could do it properly without a written procedure.

3. Inclusion of Other Sequences

As previously discussed, canal inventory was only required to provide HPI service water. No other requirements for canal inventory were explicitly modeled in the study. In actuality, canal inventory would be required at some point in the recovery process to provide the ultimate heat sink for RHR cooling, CCW, diesel generators, etc. These items involve long term plant shutdown and were not included in the station blackout model. The SBO model only examined these requirements necessary to initially stabilize and maintain the plant in hot standby. It was considered that the demand for HPI-SW would be the limiting requirement due to the timing considerations.
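A worked check of the bound quoted in the Operator Error Rate response, added here as an example and not part of the original report. It assumes the operator error is lognormally distributed with the error factor defined as the ratio of the 95th percentile to the median, and compares two readings of the 2.5E-2 value (as the mean and as the median); all function names are illustrative.

```python
"""Lognormal bounds for the canal-refill operator error (added example)."""
import math
from statistics import NormalDist

# z-score of the 95th percentile (about 1.645). Under the assumed convention,
# error factor EF = p95 / median = exp(Z95 * sigma).
Z95 = NormalDist().inv_cdf(0.95)

# Values stated in the response above.
HEP_PUMPS_A_B = 0.25    # operator fails recovery with the first two HPI pumps
HEP_THIRD_PUMP = 0.1    # operator fails recovery with the third (locked out) pump
ERROR_FACTOR = 10.0


def combined_hep(*heps):
    """Probability that every recovery attempt fails (product of the HEPs)."""
    for p in heps:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
    return math.prod(heps)


def sigma_from_error_factor(error_factor):
    """Log-space standard deviation implied by an error factor."""
    if error_factor <= 1.0:
        raise ValueError("error factor must be greater than 1")
    return math.log(error_factor) / Z95


def lognormal_summary(median, error_factor):
    """Median, mean and 5%/95% bounds of a lognormal given median and EF."""
    sigma = sigma_from_error_factor(error_factor)
    p95 = median * error_factor
    return {
        "median": median,
        "mean": median * math.exp(sigma ** 2 / 2.0),
        "p05": median / error_factor,
        # A probability cannot exceed 1; flag the case instead of hiding it.
        "p95": min(p95, 1.0),
        "p95_clipped": p95 > 1.0,
    }


def summary_from_mean(mean, error_factor):
    """Same summary when the quoted point value is the mean, not the median."""
    sigma = sigma_from_error_factor(error_factor)
    median = mean / math.exp(sigma ** 2 / 2.0)
    return lognormal_summary(median, error_factor)


def compare_readings():
    """Evaluate both readings of the 2.5E-2 point value."""
    point = combined_hep(HEP_PUMPS_A_B, HEP_THIRD_PUMP)
    return {
        "point": point,
        "as_mean": summary_from_mean(point, ERROR_FACTOR),
        "as_median": lognormal_summary(point, ERROR_FACTOR),
    }


if __name__ == "__main__":
    result = compare_readings()
    print(f"combined operator error: {result['point']:.3g}")
    for reading in ("as_mean", "as_median"):
        s = result[reading]
        print(f"{reading:9s} median={s['median']:.3g} mean={s['mean']:.3g} "
              f"p05={s['p05']:.3g} p95={s['p95']:.3g}")
```

Reading 2.5E-2 as the mean gives a median near 0.01 and a 95th percentile near 0.1, which matches the upper bound stated in the response; reading it as the median would give 0.25.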

A.7.5 Conclusion

The conservatisms included in the basecase SBO model are considered to cover the concerns identified by the review group. Drainage and refill of the intake canal is adequately addressed in the basecase model.

A.8 References

A-1. Kittmer, C.A., et al, Reactor Coolant Pump Shaft Seal Behavior During Station Blackout, NUREG/CR-4077, EG&G Idaho, Inc., April 1985.

A-2. Boardman, T., Leak Rate Analysis of the Westinghouse Reactor Coolant Pump, NUREG/CR-4294, Energy Technology Engineering Center, Canoga Park, CA., July 1985.

A-3. Communication between G. Jackson of USNRC, and R. Bertucio of EI, Seattle, WA.

A-4. Steambinding of Auxiliary Feedwater Pumps, AEOD/C404, U.S. Nuclear Regulatory Commission, July 1984.

A-5. Baranowsky, P., Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032, U.S. Nuclear Regulatory Commission, May 1985.

A-6. Fletcher, C.D., Accident Mitigation Following a Small Break with Coincident Failure of Charging and High Pressure Injection for the Westinghouse Zion PWR, EGG-CAAD-5428, EG&G Idaho Inc., April 1981.

A-7. Gieseke, J.A., et al, Radionuclide Release Under Specific LWR Accident Conditions, Volume V, PWR Large Dry Containment Design, BMI-2104, Volume V, Battelle Columbus Laboratories, July 1984.

APPENDIX B

A draft of Analysis of Core Damage Frequency from Internal Events: Surry Unit 1, NUREG/CR-4550/Volume 3, was sent to Virginia Electric Power Company on April 15, 1986, for their review and comment. The VEPCO comments are reprinted here, in Appendix B.1. Appendix B.2 provides a response to each of the specific comments in B.1.


B.1 VEPCO Comments on Draft Report

OVERVIEW AND GENERAL COMMENTS

The draft ASEP report for Surry has been reviewed and specific comments are provided below. The review included a brief review of the report contents and the methodology employed and a detailed review of the assessment of the major contributors to core damage and potential high risk plant damage states.

The draft report is generally considered adequate, although as indicated below, considerably lacking in detail. While the values used in the quantification are provided in the report, the detailed basis or justification for the critical values and how they were actually obtained were quite often missing.

The level of detail of the analysis for each task as compared to the current state of the art is summarized in Section II of the study report. The level indicated is consistent with that described in the section on each task and appears to be appropriate considering the objectives of the study. Details of the methodology are sometimes lacking (human reliability screening rules and generic data base, for example). We understand there will be a methodology report for all the NUREG-1150 activity which will provide this kind of information.

The details of each task were only generally reviewed except in those cases where the analysis affected the dominant core damage sequences. In these cases, a thorough review was undertaken.


The review led to detailed comments which substantially affect the results in the following areas:

o service water inlet valve failure leading to loss of containment heat removal
o seal LOCA model and probabilistic analysis
o station blackout analysis including:
  - offsite power recovery
  - credit for gas turbines
  - diesel generator analysis
o auxiliary feedwater analysis
o interfacing LOCA event

The following paragraphs summarize the more significant of these comments.

The updated PRA does not reflect the fact that new service water valves have been installed on Surry Unit 1 to avoid previous problems nor give enough credit for the full range of possible measures that could be taken in the 48 hours available to obtain flow through at least one of the four valves. While we understand the frequencies of affected sequences have been reduced by recognition of the fact that core damage resulting from containment failure is unlikely, the potential risk significance of these sequences makes it important that the above factors be adequately reflected in the base case "best estimate" analysis.

The seal LOCA model does not adequately reflect current knowledge about seal behavior. The model should include a probabilistic treatment of both time to failure and flow rates similar to that presented to the NRC by the Westinghouse Owners Group. The high probability of the maximum possible flow, given a seal LOCA, is unrealistic and should not be the base case.

The PRA utilizes a generic representation of loss of offsite power rather than a plant/site specific analysis. Application of the methodology of NUREG-1032 to Surry conditions yields a loss of offsite power versus duration curve considerably lower than that used in the PRA. Use of the generic value is inappropriate for the base case.

The station blackout base case analysis does not take credit for the onsite black start gas turbine. Such credit is necessary for realistic analysis.

The PRA assumes that one diesel generator is necessary for the safe shut down of each unit at Surry. No credit is given for the ability to bring and maintain both Unit 1 and 2 to safe shutdown conditions utilizing a single diesel generator. Procedures and equipment for cross connecting the Unit 1 and 2 electrical buses and heat removal systems are maintained in order to achieve this capability. This has a significant impact on the results and should be properly considered in the PRA. In addition, the PRA should include the most recent Surry diesel generator test results in arriving at the values used in the analysis. The failure to start probability based on data for 1983 - 1985 is about one half of that used in the PRA.

The analysis of the interfacing LOCA includes use of check valve failure rates which are conservative (including leaks which are within pressure relief capacity) or are inappropriate (using a failure to close mode when the valve is tested following refueling or cold shutdown). While interfacing LOCA is not a dominant core damage contributor, the potential risk significance requires as realistic an analysis as possible in the "best estimate" base case.

While a number of these issues are covered by sensitivity studies, the base case should present the worst realistic assessment. Incorporation of the changes suggested in these comments will substantially change the "best estimate" results of the study.

Comment 1 - Impact Of New Service Water System Valves

The common cause failure of the service water inlet valves to the recirculation spray heat exchangers to open coupled with the failure to manually open the valves within 48 hours is the dominant contribution to sequences AF1F2 and S1F1F2. The common cause probability assigned (mean of 3.0 x 10-2 per demand) is based on an incident at Surry in which all four valves on Unit 1, and 3 valves on Unit 2, initially failed to open on test due to biofouling, but were subsequently opened manually. This potential problem was identified by Virginia Power and corrective measures were already being considered prior to the PRA being performed.

The original valves installed in Surry Unit 1 have now been replaced with valves of an enhanced design which incorporate features to prevent binding and materials which have a proven history against corrosion in brackish water applications. The valves are provided with motor operators capable of developing adequate torque to open the valves under changing service conditions (e.g. fouling) and underrated motor voltage conditions. This hardware change has not been recognized in the PRA. The valve operability is also now tested quarterly instead of annually and, while this change is recognized in the PRA, the credit given in terms of reduced valve failure probability is not clear.

Given the installation of new valves which have been designed for the specific conditions encountered in the service water system and the increased monitoring of valve performance which is more likely to lead to the detection of incipient problems if they were to occur, we believe the failure probability associated with the valves is more appropriately represented by a generic value than a value based on historical experience with equipment that has now been replaced. Thus, instead of 3 x 10-2 per demand being assigned as the mean common cause failure probability, we recommend a more reasonable value would be 2 x 10-4 which is based on a motor operated butterfly valve failure probability of 7 x 10-3 per demand (from data provided in NUREG/CR 3154) and a generic MOV beta factor of .03 as used currently in the PRA (Table IV.8-17).

Comment 2 - Realistic Assessment Of Recovery Of SW Valve Biofouling Failure

Common cause failure of the service water inlet valves to the recirculation spray heat exchangers ultimately leads to containment failure and then core damage after a LOCA if actions are not taken to open the valves before the containment fails in about 48 hours.

Plant emergency procedures require the operator to verify that the subject service water valves open on receipt of a CLS Hi-Hi signal. Therefore, the probability of operator action to open the valves is very high should the valves fail to open automatically.

The long time available for recovery allows a wide range of corrective actions to be taken. Given the prior operating experience, there is a high probability that at least one of the four valves can be opened manually. However, if this fails, valve operator disassembly and application of a torque up to the capacity of the shaft or shaft-disk joint is possible. Ultimately, installation of stop logs, dewatering and valve disk removal is possible.

The PRA evaluates the failure to open at least one valve given the common cause failure of all four at 0.1 (mean). This failure probability is believed to be excessive considering the time available for taking extreme measures to open a valve. A failure probability in the range of 0.01 to 0.001 is believed to be more appropriate.

Comment 3 - Probability Of Core Damage Given Containment Failure

The draft report base case assumes that for large and medium LOCA sequences with successful ECCS, if heat is not removed from the containment it will eventually fail and this will lead to failure of the ECCS and core damage with a probability of unity. This is obviously excessively conservative and should be revised to be more realistic. We understand that the report is being revised to incorporate in the base case a 2% chance of core damage given loss of containment heat removal. We believe this is more appropriate.

Comment 4 - RCP Seal Failure Model

The draft PRA report provides only limited information on how the occurrence of a seal LOCA given loss of seal cooling and injection was modeled and no information on the basis for the model. From discussions with the authors it was learned that best case and worst case time to failure estimates were obtained last fall from the NRC staff member responsible for this issue (Generic issue - 23). These estimates were then assigned 5% and 95% confidence levels of a log normal distribution and all analysis was done using these values.

It was further assumed in the PRA that when the seal failed, the flow was 450 gpm per pump and that this led to core damage unless high pressure injection was recovered within one hour of the seal LOCA. This flow is essentially the highest ever predicted for seal failure.

Subsequent to the development of the model described above, the Westinghouse Owners Group has submitted the results of tests and analyses that shows with qualified elastomers, the likelihood of obtaining seal flow rates in excess of about 20 gpm is small (less than about 5%) and that even without qualified elastomers the likelihood of 150 gpm or more is small in the first few hours and only becomes significant in the long term (4 to 8 hours). Westinghouse is presently procuring and proof testing replacement seals of material qualified for the loss of seal cooling conditions.

The base case seal LOCA model utilized in the PRA does not realistically represent the current state of knowledge about seal behavior either with or without qualified elastomers as described by the Westinghouse Owners Group reports and in meetings with NRC. The base case model should be revised to reflect the current knowledge without qualified elastomers, the present plant conditions. A sensitivity study should be performed to show the impact of the change to qualified elastomer, the expected situation for most of the plant's remaining life. The report should adequately describe the seal LOCA and its basis.

Based on present knowledge, a more realistic estimate could be obtained by using about 50% of Sensitivity Study 2A result for sequence T1(SL)-D1CF1 for the recommended base case without qualified elastomers and about 5% of the Sensitivity Study 2A result for the new sensitivity study showing the impact of qualified elastomers. The concerns with Sensitivity Study 2A given in the following comment should be noted.

Comment 5 - Probabilistic Analysis Of Seal LOCA For Station Blackout

a) Base Case

The analysis of station blackout sequences involves combining a probabilistic seal LOCA model (see prior comment) with a time dependent offsite power recovery model to evaluate seal LOCA related core damage sequences and short term (hardware related) and long term (loss of DC due to battery depletion) auxiliary feedwater failures to evaluate loss of heat removal sequences. While the PRA report provides some information on assumptions and how the analysis was performed, inadequate detail is given to allow understanding of the results and their sensitivity to changes in assumptions. Discussions with the authors have provided additional information which has helped to clarify what was actually done.

Examples of areas where clarification and/or more detail is needed include:

i) The physical meaning of the recovery of AC power within one hour event in the station blackout event tree for the successful closure of PORV and operation of AFW is not clear. Its purpose is apparently only to indicate that no seal failures occur prior to one hour. The event does not, however, appear in the sequence quantification and we understand was not included in the numerical evaluation. While the impact is very small, its inclusion in the tree is confusing.

ii) As described in the prior comment on seal LOCA model, 5% and 95% confidence level models were derived to represent the likelihood of a seal LOCA. While the model is described in the report in terms of mean values and mean values for various branch-point probabilities are given, all analysis was done using the 95% and 5% models and a log normal distribution. The mean values were never used in the analysis but only derived from the more complex model. The method of analysis should be more fully explained.

iii) The basis for the specified value and the manner of incorporating the human error associated with restart of HPI after a station blackout needs elaboration.

Based on information in the report, supplemented by information obtained in discussions with the authors, a simplified check analysis of base case mean results has been performed. Reasonable agreement with the PRA was obtained. For reasons noted in the prior comment, we believe, however, that this case is not representative of present seal LOCA knowledge.

b) Sensitivity Study 2A

Sensitivity Study 2A considered the impact of reducing the seal LOCA flow rate by a factor of 3. This was found to have only a minor (20%) effect on seal LOCA sequence frequency. If it is assumed that the time available to restart HPI to prevent core damage is inversely proportional to seal LOCA flow, then about a 40% reduction in seal LOCA sequence frequency would be expected. This value can be easily estimated by evaluating the increased chance of offsite power recovery in the increased time available. For an increase in time available of two hours the non-recovery probability decreases by 40 to 50% over the times of interest.

The authors of the report indicate that they assumed the reduced seal flow would increase the time available by only one hour (from one to two hours) as opposed to what would seem to be a more realistic increase of two hours (from one to three hours).

The above decrease in seal LOCA sequence frequency is offset by an increase in the frequency of non-seal LOCA sequence, T1L(LT)D1CF1. This sequence leads to core damage due to the loss of AFW because of battery depletion. It is only applicable to blackout sequences which do not result in earlier core damage as a result of seal LOCA. A reduction in seal LOCA induced core damage frequency consequently results in increased non-seal LOCA core damage frequency. It should be noted that this effect is not included in the PRA's analysis of Sensitivity Study 2A. For the case where decreased seal LOCA flow increased the recovery time by two hours, the non-seal LOCA frequency increases by about 80%. The net effect on core damage frequency is a reduction of about 1.4 x 10~0 compared with a reduction of 1 x 10-6 evaluated in the report.

The assumptions in the revised Case 2A are the closest the PRA comes to a seal LOCA model consistent with present knowledge of seal behavior given the seal fails. Best estimates of station blackout seal LOCA core damage frequency could be approximated by about 50% of the 2A result for the case without qualified elastomers and about 5% of the 2A result for the case with qualified elastomers.

c) Sensitivity Study 2

Sensitivity Study 2 considers the situation which would result if seal LOCA probability were essentially zero. The report indicates the seal LOCA sequences would disappear while the non-seal LOCA sequences (T1L(LT)D1CF1, T1L(ST)D1CF1 and T1Q-D1CF1) would increase. We agree that T1L(LT)D1CF1 would increase but the remaining two are independent of seal LOCA and would not be affected. The report does not provide individual sequence frequency for the Sensitivity Study cases, hence it is impossible to check the quantification. It appears, however, from the plant damage state changes that the quantification was done correctly and the words are in error.

d) Sensitivity Study 1

Sensitivity Study 1 covers the case where the probability of seal LOCA is increased to essentially unity in 1/2 hour. The report description indicates that the frequency of sequences T1L(ST)D1CF1 and T1Q-D1CF1 are decreased. In the base case these sequences are independent of the occurrence of seal LOCA hence, unless the model is changed, their values should not be affected. The authors indicate that, for this Sensitivity Study they did assume that these sequences would not occur if a seal LOCA occurs. If this is true, then the frequency of plant damage state TNNN should be essentially zero. The results do not show this, however. It would appear that either the text or the quantification is in error.

In summary, we believe that:

a. Additional details should be provided on the probabilistic analysis of the station blackout seal LOCA sequences.
b. The assumptions and their basis for Sensitivity Studies 1, 2 and 2A should be clearly described.
c. Only a doubling of allowable recovery time when the seal LOCA size is reduced by a factor of 3 is conservative and underestimates the reduction in core damage frequency.
d. The analysis of the impact of reduced seal LOCA flow (Sensitivity Study 2A) is incomplete.
e. The description of Sensitivity Study 2 on the impact of no seal LOCA is in error, the results however, appear to be correct.

f. The descriptions and/or the results for Sensitivity Study 1 on the impact of increased seal LOCA probability are in error.


Comment 6 - Offsite Power Recovery Probability

The draft report base case assumes that offsite power recovery is given by Cluster 7 in NUREG-1032. In Sensitivity Study 3, Cluster 6 was assumed to be applicable and showed about a 50% reduction in LOOP initiated core damage frequency and about a 30% reduction in overall core damage frequency.

Review of the Surry design and expected severe weather conditions indicate that Cluster 7 is not representative of Surry. The substation at Surry is connected to the Virginia Power system through nine different transmission lines at two voltages, 500 KV and 230 KV. Either of these systems (500 KV and 230 KV) can provide station power. The Class IE buses are normally supplied from independent sources. If either (or both) of these is lost, auto-transfer to a back-up source occurs. The frequency of severe and extremely severe weather at the Surry site is low. Consequently, the frequency of weather induced losses of offsite power which require longer recovery times is small.

Application of the methodology of NUREG-1032 to Surry utilizing the above plant/site specific factors, indicates that Cluster 7 is not applicable and that Cluster 6 would be more appropriate. The final base case should be for Surry specific conditions rather than generic or average conditions. This alone would reduce the core damage frequency by at least 25%.

Comment 7 - Credit For Gas Turbine

Two gas turbines are installed at the Surry site primarily for peaking service. One of these has a black start capability and, when called upon for peaking duty, is started by the Surry control room crew using this black start system. While no detailed records of gas turbine availability are readily available, these units are frequently started, particularly during summer. The Surry operations staff is aware of these gas turbines and of the ability to feed power into the plant if needed.

While Sensitivity Study 4 indicates the sensitivity of the result to taking credit for the gas turbine, this should be included in the base case. The gas turbines exist and are usable. The effect is about a 40% reduction in station blackout core damage frequency and a 15% reduction in total core damage frequency.

Comment 8 - Credit For Shutdown On One Of Three Diesels

In evaluating the loss of offsite power sequences, the PRA assumes that both Unit 1 and Unit 2 are affected and that each unit would require one diesel to achieve safe shutdown. As discussed on page IV.4-14, should the Unit 2 dedicated diesel fail to start or run, it was assumed that swing diesel, DG3, would align to Unit 2 and would be unavailable to supply power to Unit 1.

The PRA is not realistic in that it neglects the fact that both Units 1 and 2 can be brought and held at shutdown utilizing a single diesel generator. This may be accomplished in one of two ways depending on the situation; either by connecting the Unit 1 and Unit 2 4.16KV emergency buses utilizing jumper cables which are maintained specifically for this purpose and powering a limited number of Unit 1 and Unit 2 heat removal systems from a single diesel, or by utilizing the heat removal systems on a single unit and opening up the cross-connected flow paths which exist between the Unit 1 and Unit 2 Auxiliary Feedwater, High Pressure Injection and Component Cooling Water Systems.

The effect on the accident sequence frequencies of being able to take credit for the third diesel generator in shutting down Unit 1 is somewhat negated by the high common cause failure probability of the third diesel to start given that two diesels have already failed (e.g., a conditional probability of 0.5 may be derived from data presented in EPRI NP-2433). However, the impact is still significant; for example, the frequency of the top ranked accident sequence (T1(SL)-D1CF1) may be reduced from 5.6E-6 to 1.0E-6 and the frequency of the 7th and 8th ranked sequences T1L(LT)D1CF1 (1.1E-6) and T1L(ST)D1CF1 (1.1E-6) may similarly be reduced by a factor of five. This estimate does not account for operator error involved in implementing the Unit 1/Unit 2 cross-connection which depends upon the time required to perform the operation, the procedures available and the level of operator training.

The PRA is unrealistic in the modeling of station blackout sequences in that no credit is given for the ability to bring and maintain both Unit 1 and Unit 2 at safe shutdown condition utilizing a single diesel generator. Procedures and equipment for cross connecting the Unit 1 and Unit 2 buses and heat removal systems are maintained in order to achieve this capability. If this capability were incorporated in the model, we believe it would have the effect of significantly reducing the frequency of the station blackout sequences.

Comment 9 - Take Credit For Diesel Generator Repair

There is no credit given in this PRA for diesel generator repair whereas many studies performed to date have taken credit for such actions. Although the impact on accident sequence frequencies would not likely be large due to the long mean time to repair associated with diesel generators (20 hours according to EPRI NP-2433, June 1982) it is still desirable that such recovery actions be included, given the high significance of station blackout sequences in the results of this study.

Comment 10 - Modeling Of DG Running Failures

Diesel generator running failures (single and common cause) should be modeled realistically over the duration of the loss of offsite power accident sequences rather than assuming the failures occur at time zero, as is the case in this study. The impact of this would be to negate the effect of some fraction of these diesel failures since offsite power would be recovered prior to their occurrence. The impact on the station blackout accident sequence frequencies is not judged to be large but should be included due to the current significance of such sequences.

Comment 11 - Use Latest Surry Diesel Generator Failure Rates

The PRA utilizes Surry plant specific data for diesel generator failure to start which we understand is derived from 1981 - 1983 experience compiled by ORNL. As a result, a mean probability of failure to start on demand of 1.1E-02 is assigned. We suggest, however, that it would be more appropriate to take into account the Surry diesel operating experience since 1983. Data for 1983 through 1985 has been compiled by NUGSBO and indicates that the Surry diesels have failed to start only once in 189 demands. If the most recent data were used in isolation from earlier data, it would result in a mean probability of failure to start of 5.0 x 10-3 per demand. This data should be used appropriately in the Surry PRA.

Comment 12 - Ability For Auxiliary Feedwater To Continue In Operation After Battery Depletion, Four Hours Into The Incident

As stated in the PRA, the turbine driven auxiliary feedwater pump operation is not dependent upon DC power or air supply since the turbine steam admission valve is designed to open on loss of each of the support systems and the turbine speed control is mechanical. However, the modeling of station blackout sequences, assumes AFW make-up to the steam generators is lost when the batteries are depleted, four hours into the incident.

We recommend that the PRA evaluate and take credit for the likelihood of continued operation of the turbine driven pump following loss of all DC. Of course, such an evaluation would have to account for the degraded operating conditions which would prevail at the time (e.g., loss of SG level indication), and the impact of possible closure of the atmospheric steam dump valves (if open). The effect of implementing the recommendation would be to reduce the frequency of sequence T1L(LT)D1CF1.

Comment 13 - Failure Of Unit 1 Auxiliary Feedwater Due To Unit 2 Cross Connect Being Open

Failure of the Unit 1 - Unit 2 cross-connect being left open is modeled in the PRA as a failure mode for the Unit 1 auxiliary feedwater system due to flow diversion to the Unit 2 steam generators. Flow diversion is said to occur because Unit 2 is operating and therefore the pressure in the steam generators would be lower in Unit 2 than in Unit 1 (see page IV.5-55). Furthermore, the failure mode is considered to be difficult to diagnose and the likelihood of recovery is small.

The above argument is reasonable for most transients except loss of offsite power, when both units will trip and the pressure in the Unit 1 and Unit 2 steam generators will be essentially equal. Under such circumstances, the flow diversion from Unit 1 would not be significant and the open cross-connect would not be a viable failure mode for the auxiliary feedwater system. We, therefore, recommend that this mode be excluded from the evaluation of loss of offsite power sequences.

The major impact of implementing the above change would be to reduce the probability of sequence T1LP from 1.2E-6 to 7.0E-7.

Comment 14 - Interfacing LOCA - Event

This event results from failure of any one of three pairs of isolation check valves in the low pressure system injection lines which are connected to reactor coolant system cold legs. The resultant flow is assumed to lead to rupture of the low pressure piping outside the containment boundary rendering the low pressure system inoperable and, although high pressure make-up and accumulators are initially available, core melt eventually results (1-2 hours) due to the inability to switch over to recirculation from the containment sump.

The study considers three types of failure combinations for each pair of injection line check valves as follows:

1) Rupture of first check valve with undetected transfer open (leak) of second check valve during time between test = 2.6E-7
2) Rupture of first check valve with failure of second check valve to close following being opened = 1.6E-8
3) Rupture of first check valve with rupture of second check valve = 7.1E-9

Total 2.8E-7

Total probability of event = 3(2.8E-7) = 8.4E-7

Given that the injection line check valves are individually tested prior to start-up following refueling outage or cold shutdown (if not tested within the previous 90 days) for correct seating and back leakage, we consider that valve "failure to close" is not a credible failure mode in this context and the probability of valve "transfer open" (defined as "leak" on page IV-8-10) has been overestimated. The latter is somewhat corroborated in the discussion of Sensitivity Study 9 (page IV.II.-9) which indicates that the probability of check valve leakage used in the base case is "believed to be representative of small back flow rates" which could be accommodated by the ECCS pressure relief system design. Sensitivity Study 9 also suggests a factor five reduction in the frequency of check valve to exclude those leaks which are within the capability of the system design and it is our contention that this should be reflected in the base case rather than in the sensitivity study. If these recommendations were to be adopted, the base case frequency of event V would be reduced to 5.9E-8.

It is our belief that the evaluation of the two most significant failure modes associated with the Interfacing LOCA (Event V) is unrealistic. First, the check valve testing procedure prior to start-up following a refueling or cold shutdown precludes the "failure to close mode". Second, the probability assigned to excessive back leakage due to transfer open is too high as indicated in Sensitivity 9. Some judgmental reduction factor (say 5) to allow for leakage which is within the capacity of the design should be accounted for in the base case.

COMMENT 15 - COMPARISON OF RESULTS WITH WASH-1400 AND CONCLUSIONS

a. Impact Of Above Comments

The comments provided above have significant impact on the results of the quantification of eight of the top 19 sequences. The sequences affected make up about 58% of the total base case core damage frequency. If these comments were to be fully incorporated, the frequency of the affected sequences would be reduced substantially, to the point where they are not significant contributors, and the total core damage frequency would be reduced to about half of the draft's value. Obviously, the comparison with WASH-1400 and the conclusions presented are strongly affected by these comments.

b. Comparison With WASH-1400

The importance of the considerations mentioned in the paragraph of Section V.4 cannot be agreed with more. The difficulties and potential for drawing erroneous conclusions should be stated even more strongly. As indicated above, most of the results of the comparison are changed by inclusion of even a few of the issues raised in the above comments. The basis for the stated WASH-1400 value of 4.4E-5 is not clear. It appears to be the sum of the median sequence frequencies. (Note WASH-1400 on page 135 gives a value at 6E-5). Such a summation is not valid. Any comparison should use the same statistical measure (mean, median, etc.).

The statement that station blackout followed by loss of AFW remains approximately the same as in WASH-1400 is very misleading. The frequency of a LOOP in WASH-1400 was 0.2 compared to the 0.07 value used in the updated study. Obviously other things changed also.

c. Specific Plant Damage State And Sequence Conclusions And Uncertainty Considerations

The discussion of specific plant damage state and sequence conclusions is limited to conclusions based on point estimate (or mean) values while the discussion of uncertainty and sensitivity study considerations is limited principally to total core damage frequency. While considerable attention was paid to and significant results obtained from the uncertainty and sensitivity studies, the conclusions do not significantly present what was learned in terms of contributions to risk. The effect of uncertainty and sensitivity study calculations should be extended to include a discussion of the impact of these factors on the dominant damage state sequences. This would best be included in the section where the dominant contributors are discussed based on the base case mean values.

B.2 Response to VEPCO Comments on Draft Report

Response to Overview and General Comments

This section is a summary of the specific comments which follow, and as such, needs no direct response.

Response to Comment 1

We acknowledge that the reliability characteristics of the new service water valves are not included in the study. At the time the study was being performed, we were unaware of modifications planned for those valves. The failure probability of the old valves was based on historical experience. The increased test frequency was included in the calculation. The calculations are shown in Appendix A.4 of the final report. This information was not included in the draft report. The frequencies of AFgF2 and SgFgF2 were reduced from 1.6E-6 and 3.3E-6 respectively, in the draft report to 3.5E-8 and 7.0E-8 respectively, in the final report, due to consideration of ECCS operability after containment failure. These sequences are a minimal contributor to core damage and a minor contributor to risk, that being dominated by event V at 1.0E-6. Should the VEPCO suggested value of 2E-4 be used for common cause valve failure, the frequency of these sequences would be further reduced to 2.2E-9 for AFgF2 and 4.4E-9 for SgFgF2.

Response to Comment 2

Guidelines for the NUREG/CR-4550 studies did not allow modeling of extraordinary recovery actions such as installation of stop logs or valve disc removal, although we recognize that 24-48 hours is ample time to accomplish such feats. The recovery factor of 0.1 is a subjective estimate which represents the probability that given a common failure of all four valves to automatically open, the valves are degraded to such a state that it is not possible to open them by any means (short of disc removal). This estimate contains no contribution for human error. We agree that the operators will become aware that the valves did not open while doing the CLS Hi-Hi check list. We also agree it is reasonable to expect personnel to attempt remedial actions on the valves. Operator error to detect this failure is in the order of 1E-3, which is far below the failure recovery factor due to mechanical reasons. The value of 0.1 is a subjective estimate, which was influenced by two considerations:

1) the extent of generic problems that the nuclear industry has experienced in standby, open cycle cooling systems, due to corrosion and biofouling; this tended to increase the estimate,
2) the one of four success criteria; which tended to decrease the estimate.

As discussed in response to comment 1, the affected sequence frequencies were reduced significantly due to consideration of ECCS operability after containment failure. They were reduced to the extent that they are not dominant sequences. Thus, further effort to develop better numbers was not pursued.

Response to Comment 3

The final report has included consideration of ECCS operability after containment failure. The concerns addressed in comment 3 have been resolved.

Response to Comment 4

The development of the RCP seal LOCA model is documented in Appendix A.1 of the final report and thus provides more understanding than what was available in the draft report. The seal LOCA model was developed in October 1985, with the input of NRR staff. Although we followed NRR seal LOCA developments subsequent to October 1985, no conclusive test data was produced which show that our models are unreasonable. The industry test data which is being generated in support of Generic Issue 23 confirms calculated values for seal leakage when all seal stages function. The tests do not provide sufficient information to predict probability of seal failure versus time or probable leak rates for failed seals. Our conversations with NRR confirmed that the data were not sufficient to support a probabilistic model, such as was desired for the PRA. In the absence of conclusive data, an estimation methodology, described in Appendix A.1 of the final report, was employed. The methodology utilizes a best and worst case based on engineering judgment. Again, we acknowledge that our model may be conservative, but based on the data available, it cannot be deemed overconservative or unreasonable.

Response to Comment 5

a) The station blackout model is documented more completely in the final report (Section IV.4.10 and Appendix A.2) than in the draft report. This in itself may answer some questions generated during a review of the draft report. To answer the specific questions in Comment 5:

i) An event for recovery of AC power at 1 hour is included on the event tree to mark the time at which the risk of seal LOCA begins. If recovery of AC power occurs by 1 hour, there is no risk of seal LOCA. This event does not explicitly appear in the cutsets for core-damage sequences, because it is always coupled with another event for non-recovery of AC power; i.e., NRAC-1 hour after seal LOCA, or NRAC-7 hours. Since all of the NRAC terms were generated from the same data source, the NRAC terms were combined as appropriate to yield the fewest number of terms. This event was also questioned in the stuck open PORV sequence. If AC power is restored within one hour and the PORV is isolated, the sequence is safely mitigated.

ii) Derivation of mean values is described in Appendix A.1. Mean values were used in the SETS quantification to find the point estimate values for each sequence. The values for basic events found in Section V.3 are mean values. Median values and error factors were used in the SEP quantification for total core damage frequency and plant damage state frequencies. The 95% and 5% values were postulated in the model development in order to find the error factors on the probability distributions.

iii) Two human errors were considered in the restoration of HPI after station blackout: 1) failure to properly restore AC power, 2) failure to restore HPI-SW prior to starting HPI pumps. Failure to re-energize the switchyard and subsequently re-energize the emergency buses given that offsite power is restored was considered to be of relatively low probability (about 3E-3) when compared to the probability of restoration of the grid (.3 at 1 hour to .05 at 7 hours). Re-connecting of the buses would be a prime focus of the collective plant staff. For these reasons, probabilities for type 1 human errors are not explicitly included because they are considered to be orders of magnitude less than grid restoration probabilities. On the other hand, type 2 error probabilities were explicitly quantified because 1) it is not clear that restoration of canal level is of primary focus as is restoration of AC power. 2) Failure to supply HPI-SW would cause HPI pump failure in 10 minutes, which precludes further recovery actions. The calculation of this operator error is documented in Section IV.7.2.

b) A survey of core uncovery times was made in the technical literature. For break sizes less than 1", a wide discrepancy in core uncovery times was found. A value of two hours was chosen for this sensitivity study although some analyses predict up to four hours before core uncovery. A 3 hour core uncovery time as suggested in the comment would lower the seal LOCA sequence frequency to 4.2E-6 as opposed to 5.3E-6 with the choice of a 2 hour time limit.

The long term station blackout sequence due to battery depletion is mutually exclusive with the seal LOCA sequence. If seal LOCA probability goes up, the long term station blackout sequence frequency goes down. SS2A does not change the probability of seal LOCA and thus does not impact the long term SBO sequence. SS2A changes the probability of successful seal LOCA mitigation.

In the second paragraph in part b), we believe you are confusing results of sensitivity study 2 and 2A. In any case, SS2A was changed for the final report. For the final report, the change in seal LOCA size caused it to be put in the TNNN plant damage state, rather than SNNN. Thus, both states are affected in Table V.4-5 of the final report.

c) We agree with the comment. The text was in error and corrected in the final report.

d) We agree with the comment. Only the long term station blackout sequence is affected. The text was in error and has been corrected in the final report.

Response to Comment 6

At the beginning of the study, data was sought for site specific or grid specific offsite power availability. The data for the Southeastern Electric Reliability Council (SERC), as reported in EPRI-NP-2301, was reviewed. The data in EPRI-NP-2301 was limited, and a broader data spectrum was desired. The EPRI data was plotted on the offsite power curves shown in NUREG-1032. The SERC data most closely coincides with Cluster 7. Thus Cluster 7 was chosen for the base case.

Although we agree that the Surry site is provided with multiple power sources, its location may be susceptible to severe ice storms in the winter and hurricanes in the fall. Detailed data on these conditions were not obtained and thus use of Cluster 6 was considered a sensitivity study.

Response to Comment 7

The gas turbine generator was not included in the base case because it is not under Plant Technical Specifications, and may not be considered a part of the Surry Nuclear Plant. While we acknowledge its current existence and its potential usefulness during a station blackout, we do not think it is appropriate to include this equipment in the base case, because the availability of the gas turbine is subject to factors which are completely independent of nuclear plant operation. In future years, the gas turbine may become defunct, due to economic conditions such as electricity demand or fuel costs. When preparing a study such as this one, which will be used as a basis for risk prediction for years to come, it would be inappropriate to predict core damage frequency based on use of this equipment. However, we think it is appropriate to include use of the gas turbine as a sensitivity study. We agree that inclusion of non-technical specification equipment or non-plant related equipment should be studied more intensely in the future.

Response to Comment 8

Credit for shutdown of both units, using diesel generator 2, was not included for the following reasons:

1. At the time the study started, we were not aware of the capability to cross tie AC or DC buses with aforementioned jumpers. Plant personnel did not indicate this was a possibility (in July 1985) when we were collecting data.
2. Without an electrical cross tie of 4.16 kV buses, shutdown on one diesel would have to be accomplished (in the context of the SBO model) by cross tying systems powered by the 2H bus. This possibility is examined in Appendix A.2 of the final report. It is concluded that although the physical capability may exist at Surry to shut down both units using DG 2, it would require a level of human effort which is not supported by the SBO procedure which was available to us (i.e., ECA-2, March 1984).

Response to Comment 9

The NUREG/CR-4550 generic recovery data gives little credit for diesel generator repair within the time frames of interest in station blackout. Specifically, non-recovery probability for diesel generators at 6 hours is 0.8. The station blackout model only extends to seven hours. We agree that inclusion of DG recovery would make a more accurate model, but it would not be expected to show a significant decrease in sequence frequencies.

Response to Comment 10

We agree that the most realistic way of modeling DG running failures would be an hourly time step model which includes:

Recovery of AC power
DG running failures
DG failure recovery
DG maintenance recovery.

This type of model was beyond the scope of this study and as such, a compromise was made by selecting a mission time for diesel generators which could be used in a simpler station blackout model, and provide comparable results to a more complex model. The selection of mission time is documented in Appendix A.5 of the final report. By choosing a six hour mission time for DGs, and assuming all failures occur at time zero, we believe we have struck a balance by having a higher initial frequency of station blackout and neglecting DG failures which occur after six hours.

Response to Comment 11

The 1983-1985 DG data was not available when the data collection effort was underway. However, an explanation of the data development is in order in response to this comment. The 1981-1983 DG data for Surry, which was used in this study, indicates one failure in 157 demands. This data was analyzed, using chi-square statistics, to yield a mean value of 1.1E-2 and a 95% upper bound of 3.0E-2. Although the point estimate value of one failure in 157 demands is 6.4E-3, the accumulation of only one failure causes the calculated mean value to be much higher. If the 1981-1985 data is used, it indicates two failures in 346 demands. This yields a point estimate value of 5.8E-3 and a calculated mean of 7.7E-3 per demand. If the 7.7E-3 value is used in the study, all station blackout sequences are reduced to 75% of their present value. Total core damage frequency is reduced by 2.4E-6.

Response to Comment 12

Continued operation of AFW without DC power was not considered because:

1) there would be no instrumentation in the primary system to indicate RCS pressure or temperature
2) no instrumentation in the SG to indicate SG water level.

Control of the turbine driven pump could be done manually, if feedback was available to allow for corrections. We also considered that the decay heat valve or the hoggers could be manually opened to allow steam release, if feedback was available to allow for corrections. Without RCS and SG instrumentation it is only a matter of time before the SG is either overfilled or underfilled, either way leading to loss of AFW and subsequent core damage. The appropriate time for this to happen is subject to much uncertainty. We used a time that was previously used in NUREG/CR-3226.
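The chi-square treatment of diesel generator demand data described in the Response to Comment 11, worked as an added example that is not code from the report. The report does not state its formula; this sketch assumes the common convention of a chi-square quantile with 2(f+1) degrees of freedom divided by twice the number of demands, and under that assumption the 50% value matches the figures the response calls the calculated mean and the 95% value matches its upper bound. All function names are hypothetical.

```python
import math


def chi2_cdf_even(x, dof):
    """CDF of a chi-square variable with an even number of degrees of freedom.

    For dof = 2k the CDF has the closed form
    1 - exp(-x/2) * sum_{i<k} (x/2)^i / i!   (the Poisson/chi-square identity).
    """
    if dof <= 0 or dof % 2:
        raise ValueError("dof must be a positive even integer")
    if x <= 0:
        return 0.0
    half = x / 2.0
    term = 1.0
    total = 1.0
    for i in range(1, dof // 2):
        term *= half / i
        total += term
    return 1.0 - math.exp(-half) * total


def chi2_quantile_even(p, dof):
    """Invert chi2_cdf_even by bisection (standard library only)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    lo, hi = 0.0, 1.0
    while chi2_cdf_even(hi, dof) < p:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if chi2_cdf_even(mid, dof) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def demand_failure_estimates(failures, demands):
    """Per-demand failure probability estimates from f failures in n demands.

    Assumed convention (not stated in the report): quantile of chi-square with
    2(f+1) degrees of freedom, divided by 2n. It stays defined for zero
    failures, where the naive point estimate f/n collapses to 0.
    """
    if failures < 0 or demands <= 0 or failures > demands:
        raise ValueError("need 0 <= failures <= demands and demands > 0")
    dof = 2 * (failures + 1)
    return {
        "point": failures / demands,
        "p50": chi2_quantile_even(0.50, dof) / (2 * demands),
        "p95": chi2_quantile_even(0.95, dof) / (2 * demands),
    }


def sci(value):
    """Two-significant-figure scientific notation, e.g. '1.1e-02'."""
    return f"{value:.1e}"


if __name__ == "__main__":
    # Demand counts quoted in the Response to Comment 11.
    for label, f, n in (("1981-1983", 1, 157), ("1981-1985", 2, 346)):
        est = demand_failure_estimates(f, n)
        print(label, {k: sci(v) for k, v in est.items()})
```

With only one or two failures the chi-square value sits well above f/n, which is the effect the response describes; the gap narrows as failures accumulate.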

Response to Comment 13

We agree with the comment. The failure mode for AFW is only applicable when Unit 2 is operating and Unit 1 is down. This is not the case for loss of offsite power initiators. This failure mode was generally recoverable by cross connecting AFW from Unit 2, because the first step in the cross connect procedure directs the operator to close MOVs 251 A-F, which would isolate the cross flow. Cross connect of AFW from Unit 2 was not considered after Tg because of the perceived difficulty of balancing flows between both units with possibly impaired power states. The value of TgLP is more appropriate as 7.0E-7. This sequence is not important to risk and as such this oversight is not significant to the results of the study.

Response to Comment 14

We believe the "failure to close" failure mode is valid. Plant personnel indicated that the check valve test verifies the integrity of the seat/disc, but does not verify that the valve recloses upon repressurization. The test must be done at cold shutdown. The elapsed time or valve use between completion of test and repressurization is not controlled. This test does not verify that the valve closes upon repressurization. We acknowledge that the probability for "transfer open" is subject to much uncertainty. The value of 5E-7 per hour is based on a survey of other PRAs. We have no basis to lower the rate. This value was specifically for excessive leakages.

Response to Comment 15

a) We agree that the alternate assumptions and modeling changes suggested by the utility will result in a significant change to core damage frequency, if they are incorporated into the study. However, we feel each of the areas (except #13) have uncertainty about them, and in the absence of convincing data, we chose data and models based on accepted, well reviewed information. Further evaluation of some of the comments here by both NRC and the industry may show them to be a better approximation to reality than what is contained in the base case.

b) A detailed comparison of this study and WASH-1400 would show them to be even more dissimilar than indicated here. But such a revelation would serve no purpose than to show that we know more now than ten years ago. We tried to provide a brief overview to show the different perception of safety which results from the two studies. (The value of 6E-5 on page 135 of WASH-1400 includes external events. 4.4E-5 is for internal initiators only.)

c) We agree that uncertainty analysis on individual sequences would show more insight to individual sequence contributors. However, the primary purpose of this study was to provide a core damage profile for input to containment analysis. The overall purpose of NUREG-1150 is to provide perspective on risk, rather than core damage. Consequently, evaluation of important risk contributors received priority in this study.


DISTRIBUTION:

U. S. Government Printing Office
Receiving Branch (Attn: NRC Stock)
8610 Cherry Lane
Laurel, MD 20707
100 copies for AN

Author Selected Distribution (163)

3141 S. A. Landenberger (5)
3151 W. L. Garner
6400 A. W. Snyder
6410 J. W. Hickman
6411 A. S. Benjamin
6412 A. L. Camp
6412 M. P. Bohn
6412 F. T. Harper (31)
6412 D. M. Kunsman
6412 J. A. Lambright
6412 A. C. Payne, Jr.
6412 T. A. Wheeler
6415 F. E. Haskin
6422 D. A. Powers
6449 K. D. Bergeron
8024 P. W. Dean

NRC Form 335, U.S. Nuclear Regulatory Commission
BIBLIOGRAPHIC DATA SHEET

Report number: NUREG/CR-4550, Vol. 3; SAND86-2084

Title and subtitle: Analysis of Core Damage Frequency From Internal Events: Surry, Unit 1

Author(s): R. C. Bertucio, M. D. Quilici, J. Young, F. T. Harper

Date report issued: November 1986

Performing organization name and mailing address: Energy Incorporated, under contract to: Sandia National Laboratories, Albuquerque, NM 87185

FIN number: A1228

Sponsoring organization name and mailing address: Division of Reactor System Safety, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555

Abstract: This document contains the accident sequence for Surry, Unit 1: one of the reference plants being examined as part of the NUREG-1150 effort by the Nuclear Regulatory Commission (NRC). NUREG-1150 will document the risk of a selected group of nuclear power plants. As part of that work, this report contains the overall core damage frequency estimate for Surry, Unit 1, and the accompanying plant damage state frequencies. Sensitivity and uncertainty analyses provide additional insights regarding the dominant contributors to the Surry core damage frequency estimate. The mean core damage frequency at Surry was calculated to be 2.6E-5 per year. Station blackout type accidents (loss of all AC power) were the largest contributors to core damage frequency, accounting for approximately 35% of the total. The next type of dominant contributors were transient induced LOCAs caused by loss of electrical bus initiators. These sequences account for 19% of core damage frequency. No other type of sequence accounts for more than 10% of core damage frequency. The numerical results are driven to some degree by modeling assumptions and data selection for issues such as reactor coolant pump seal LOCAs, common cause failure probabilities, and plant response to station blackout and loss of electrical bus initiators. The sensitivity studies explore the impact of alternate theories and data on these issues. The results of the uncertainty and sensitivity analyses should be considered before any future actions are taken based on this analysis.

Availability statement: GPO Sales

Security classification: Unclassified (this page); Unclassified (this report)

OVERSIZE DOCUMENT PAGE PULLED. SEE APERTURE CARDS. APERTURE CARD/HARD COPY AVAILABLE FROM RECORD SERVICES BRANCH, TIDC, FTS 492-8989}}