ML20211P873

Review of Connecticut Yankee (Haddam Neck) Nuclear Power Plant Probabilistic Safety Study, Interim Rept
Site: Haddam Neck
Issue date: 07/15/1985
From: Atefi B, Gallagher D, Le P, SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To: NRC
Shared Package: ML20211P865
References: CON-NRC-03-82-096, CON-NRC-3-82-96, NUDOCS 8607230400


Text

A REVIEW OF THE CONNECTICUT YANKEE (HADDAM NECK)
NUCLEAR POWER PLANT PROBABILISTIC SAFETY STUDY

Interim Report

8607230400 860716 PDR ADOCK 05000213 P PDR

Bahman Atefi
Daniel W. Gallagher
Phuoc T. Le
Mary T. Drouin
and Paul J. Amico*

July 15, 1985

Prepared for
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Contract No. NRC-03-82-096

* Applied Risk Technology Corporation

Science Applications International Corporation
Post Office Box 1303, 1710 Goodridge Drive, McLean, Virginia 22102 (703) 821-8300

FOREWORD

This interim report was prepared under Task Order 24 of Contract NRC-82-03-096, "Technical Assistance in Support of NRC Reactor Licensing Actions: Program III."

The report provides preliminary results obtained to date in a review of the Haddam Neck Probabilistic Safety Study. The results are subject to change as the review proceeds. The purpose of the report is to indicate the status of the review and to provide an opportunity for the NRC and other interested parties to comment at an early stage of the review.

This report will later be incorporated into a final report. All comments received will be considered and, when appropriate, will also be reflected in the final report. A draft of the final report also will be provided for review.


TABLE OF CONTENTS

FOREWORD
1.0 INTRODUCTION
2.0 REVIEW OF THE INITIATING EVENTS
    2.1 Generic LOCA Initiators
    2.2 Special LOCA Initiators
        2.2.1 Unisolated Reactor Coolant Pump Seal Failure
        2.2.2 Steam Generator Tube Rupture
        2.2.3 LOCA Outside Containment
        2.2.4 Catastrophic Pressure Vessel Rupture
    2.3 Transient Initiating Events
        2.3.1 General Plant Transients
        2.3.2 Total Loss of Main Feedwater
        2.3.3 Main Feedline Break
        2.3.4 Steamline Break Upstream of the Non-Return Valve
        2.3.5 Steamline Break Downstream of the Non-Return Valve
        2.3.6 Loss of Offsite Power
    2.4 Plant-Specific Transient Initiators
    2.5 Summary
3.0 REVIEW OF THE EVENT TREE ANALYSIS
    3.1 General Event Tree Findings
        3.1.1 Analysis of Random and Consequential Small LOCAs
        3.1.2 Treatment of Consequential RCP Seal LOCA
        3.1.3 Need for Containment Heat Removal with Bleed-and-Feed
        3.1.4 Treatment of Consequential Loss of Semi-Vital AC (SVA)
    3.2 Specific Event Tree Findings
        3.2.1 Large LOCA Event Tree
        3.2.2 Medium LOCA Event Tree
        3.2.3 Small LOCA Event Tree
        3.2.4 Steam Generator Tube Rupture
        3.2.5 Steamline Break Upstream of NRVs Event Tree
        3.2.6 Steamline Break Downstream of NRVs Event Tree
        3.2.7 Main Feedline Break Event Tree
        3.2.8 Unisolated RCP Seal Leakage Event Tree
        3.2.9 General Plant Transient Event Tree
        3.2.10 Total Loss of Main Feedwater Event Tree
        3.2.11 Loss of DC Bus 2 Event Tree
        3.2.12 Loss of Offsite Power Event Tree
        3.2.13 Loss of Offsite Power and MCC-5 Event Tree
        3.2.14 Loss of Offsite Power and One Emergency Bus Event Tree
        3.2.15 Station AC Blackout Event Tree
        3.2.16 Insufficient Flow of Service Water Event Tree
        3.2.17 Loss of Control Air Event Tree
        3.2.18 Loss of MCC-5 Event Tree
        3.2.19 Total Loss of DC Event Tree
        3.2.20 Loss of DC Bus 1 Event Tree
        3.2.21 Loss of Semi-Vital AC Event Tree
        3.2.22 Anticipated Transients Without Scram Event Tree
        3.2.23 Consequential Small LOCA Event Tree
        3.2.24 Consequential Steam Generator Tube Rupture (SGTR) Event Tree
4.0 SYSTEM RELIABILITY ANALYSIS REVIEW
    4.1 AC Power System
    4.2 MCC-5 and Semi-Vital AC Power
    4.3 DC Power System
    4.4 Steamline/Feedline Isolation
    4.5 High Pressure Safety Injection (HPSI) System
    4.6 Low Pressure Safety Injection (LPSI) System
    4.7 Residual Heat Removal (RHR) System
    4.8 Charging System
5.0 SUMMARY OF OTHER REVIEW WORK IN PROGRESS
6.0 REFERENCES

LIST OF TABLES

2.1 Categorization of LOCA Initiators in the Haddam Neck PSS
2.2 Special LOCA Initiators in the Haddam Neck PSS
2.3 Transient Initiators Included in the General Plant Transient Category in the Haddam Neck PSS
2.4 Generic Transient Initiators Considered in the Haddam Neck PSS
2.5 List of All Initiating Events Used in the Haddam Neck PSS
3.1 Definition of Various Plant Damage States for Core Melt Sequences

LIST OF FIGURES

3.1 Small LOCA Event Tree
3.2 Small-Small LOCA Event Tree
3.3 Steam Generator Tube Rupture Event Tree
3.4 Unisolated RCP Seal Leakage Event Tree
3.5 Loss of DC Bus 2 Event Tree
3.6 Loss of Offsite Power and MCC-5 Event Tree
3.7 Station AC Blackout Event Tree
3.8 Insufficient Flow of Service Water Event Tree
3.9 Loss of Control Air Event Tree
3.10 Loss of MCC-5 Event Tree
3.11 Total Loss of DC Event Tree
3.12 Loss of DC Bus 1 Event Tree
3.13 Loss of Semi-Vital AC Event Tree
3.14 Consequential Small LOCA Event Tree
3.15 Consequential Steam Generator Tube Rupture Event Tree
4.1 AC Power Dependency Diagram
4.2 Semi-Vital AC and MCC-5 Dependency Diagram
4.3 DC Power System Dependency Diagram
4.4 Steamline/Feedline Isolation System Dependencies Diagram
4.5 High Pressure Safety Injection System Dependency Diagram
4.6 Low Pressure Safety Injection System Dependency Diagram
4.7 RHR System Dependency Diagram
4.8 Charging System Dependency Diagram

1.0 INTRODUCTION

The Integrated Safety Assessment Program (ISAP) was developed by the NRC to examine the outstanding issues from several NRC programs that are pertinent to each power plant and to assess the importance of each issue with respect to its impact on the risk associated with the operation of the plant. The issues that will be considered for each plant in this program include: those identified in Phase II of the Systematic Evaluation Program (SEP), pending licensing requirements, including TMI Action Plan items for the particular facility, pending Unresolved and Generic Safety Issues, significant events that have occurred during the operation of the plant, and dominant contributors to plant risk based on a plant-specific Probabilistic Safety Analysis (PSA). An initial screening of the issues required by the programs mentioned above is performed to arrive at a set of ISAP topics that are appropriate for the specific plant under study. A detailed evaluation of these topics is then performed by the licensee and submitted to the NRC for review. The NRC's analysis of each topic consists of a review of the licensee's submittal, a comparison of the plant design and procedures with current licensing criteria, and an assessment of the risk significance of each topic for the plant under study.

The first plant evaluated under this program was Northeast Utilities' Millstone Unit 1. The second plant being evaluated under this program is Northeast Utilities' Connecticut Yankee (Haddam Neck), a 590 MWe pressurized water reactor. The utility recently performed a level 1 Probabilistic Safety Study (PSS) that examines all of this plant's internally initiated events (1). In addition, the licensee is currently in the process of evaluating some of the ISAP topics using PSA techniques.

The objectives of the present study are to (a) perform a complete review of the Haddam Neck PSS for accuracy, completeness, and correct representation of risk associated with operation of this plant, (b) review the ISAP topics analyzed by the licensee using PSA techniques, and (c) identify areas of plant vulnerability using the Haddam Neck PSS and past operating history of the plant.

This interim report provides the preliminary results of the PSS review performed to date. The next section presents results of a review of the PSS initiating events. Section 3.0 reviews and comments on the PSS event tree analysis. Section 4.0 presents the results of completed reviews of a number of the system fault trees. Section 5.0 provides a brief summary of other review work in progress and describes our plans for completion of the task. All references cited in the report are listed in Section 6.0.

2.0 INITIATING EVENTS

The initiating events considered in the Haddam Neck PSS were grouped into two major categories, Loss of Coolant Accident (LOCA) initiators and transient initiators. The LOCA initiator category consists of two classes of initiators. The first class includes those LOCA initiators which are due to primary system pipe rupture. The second class includes LOCA initiators with special features. Examples of the second group are unisolated reactor coolant pump seal failure, steam generator tube rupture, and LOCA outside containment.

The transient initiator category in the PSS consists of generic transient initiators common to all PWRs, and a series of plant-specific transient initiators that occur due to failures in the support systems.

Each of these broad initiator groups was further broken down into subgroups based on common functions or systems required for mitigation of their progression. A discussion on each of these initiator groups follows.

2.1 Generic LOCA Initiators

The full range of possible primary system pipe ruptures in this plant was divided into different size LOCA initiators. The range in break size of these LOCA initiators was determined by performing a plant-specific best-estimate LOCA analysis to assess plant behavior following different break size LOCAs. This assessment was then combined with the capabilities of the plant's safety injection systems and the steam generators' cooling requirements to arrive at the appropriate break sizes.

Three ranges of primary pipe break sizes were identified which are labeled large-, medium- and small-break LOCAs.

The large-break LOCA category covers break sizes with equivalent diameters ranging from 6 inches up to a double-ended break of the largest pipe in the primary system. It is assumed that break sizes with equivalent diameter greater than a double-ended break of the largest primary pipe cannot be mitigated. This break range also includes reactor vessel ruptures that do not exceed the emergency core cooling system capabilities.

The medium-break LOCA covers break sizes with equivalent pipe diameters ranging from 2 to 6 inches. Included in this initiator are multiple failures of primary safety relief valves and steam generator manway leaks that fall in this break range.

The small-break LOCA covers break sizes with equivalent diameters ranging from 3/8 of an inch up to 2 inches. Non-isolable opening of the Power Operated Relief Valves (PORVs) or Safety Relief Valves and pipe breaks such as incore instrument tube ruptures that fall in this break range are included in this initiator. For breaks smaller than 3/8 inch equivalent diameter, the primary inventory can be maintained by the normal plant makeup flow, which is approximately 160 gpm.

Table 2.1 shows the LOCA categories used in the Haddam Neck PSS along with the assigned frequency for the occurrence of each initiator in the PSS.

For the large- and medium-break LOCAs, the frequencies used in the Haddam Neck studies are the same as those evaluated in the Millstone Unit 3 PSS (2). These frequencies were calculated in the Millstone Unit 3 PSS by performing a Bayesian updating of the generic Reactor Safety Study (WASH-1400) data (3). This was done by taking the 5th and 95th percentile values for each class of LOCA initiators as the 20th and 80th percentiles of the prior distribution to express greater uncertainty in pipe failure probabilities. These prior distributions were then updated based on the observation that no pipe breaks in these ranges have occurred in nuclear power plants so far. For the small-break LOCA, the median pipe break frequency suggested in WASH-1400 is converted to mean frequency and is used in this study. It is argued that the contribution of a stuck-open PORV to the frequency of this initiating event is negligible. This is due to the fact that such an event would consist of a spurious opening of PORVs combined with failure of PORVs to reclose and failure of the operator to stop the event by closing the appropriate block valves.

Also shown in Table 2.1 are the LOCA initiation frequencies suggested in WASH-1400. In WASH-1400, these frequencies are given as median values with an error factor of 10. Frequencies shown in Table 2.1 are mean values which are converted from the median frequencies.

Table 2.1 Categorization of LOCA Initiators in the Haddam Neck PSS

                                                        Mean Frequency (per year)
LOCA Category   Approximate Break Diameter (inches)     PSS       WASH-1400 (3)
Large-Break     6" < D < Double-ended rupture of        3.9E-4    2.6E-4
                largest primary piping
Medium-Break    2" < D < 6"                             6.1E-4    7.9E-4
Small-Break     3/8" < D < 2"                           2.7E-3    2.7E-3
                (Normal makeup capability)

As can be seen, for large and medium-break LOCAs the frequencies evaluated in Haddam Neck PSS are fairly close to the generic frequencies suggested in WASH-1400. In the case of a small-break LOCA, the frequency was taken from WASH-1400.

Overall, it is not clear whether the Bayesian updating performed in the PSS provides a LOCA frequency that is more accurate or meaningful than the suggested frequencies in WASH-1400. This is due to the fact that the basis for the prior distributions, i.e., WASH-1400 suggested frequencies, consists of some actual data and a lot of subjective judgment. Thus, it is not clear what meaningful information can be obtained from further updating this semi-subjective distribution.
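The median-to-mean conversion and the broadened-prior update described in this section can be sketched as follows. This is an added example, not the PSS or the reviewers' calculation: it assumes lognormal distributions, a Poisson likelihood for zero observed breaks, and constructed exposure times (100 and 500 reactor-years) that do not come from the report.

```python
import math

Z95 = 1.6449          # standard normal z-score of the 95th percentile
Z80 = 0.8416          # standard normal z-score of the 80th percentile
ERROR_FACTOR = 10.0   # WASH-1400 error factor quoted in the text

# WASH-1400 mean frequencies (per year) as listed in Table 2.1
WASH1400_MEAN = {"large": 2.6e-4, "medium": 7.9e-4, "small": 2.7e-3}


def sigma_from_error_factor(error_factor, z):
    """Lognormal sigma when median * error_factor sits at the percentile with z-score z."""
    return math.log(error_factor) / z


def lognormal_mean(median, sigma):
    """Mean of a lognormal distribution given its median and sigma."""
    return median * math.exp(0.5 * sigma ** 2)


def lognormal_median(mean, sigma):
    """Inverse of lognormal_mean: recover the median from the mean."""
    return mean / math.exp(0.5 * sigma ** 2)


def posterior_mean_zero_events(median, sigma, exposure_years, steps=4000, span=8.0):
    """Posterior mean of a Poisson rate with a lognormal prior after observing
    zero events in exposure_years (trapezoid rule in x = ln(rate))."""
    mu = math.log(median)
    lo = mu - span * sigma
    h = 2.0 * span * sigma / steps
    num = den = 0.0
    for i in range(steps + 1):
        x = lo + i * h
        rate = math.exp(x)
        weight = 0.5 if i in (0, steps) else 1.0
        # Prior is normal in x; likelihood of zero events is exp(-rate * T).
        p = weight * math.exp(-0.5 * ((x - mu) / sigma) ** 2 - rate * exposure_years)
        num += rate * p
        den += p
    return num / den


def compare(exposure_years):
    """For each LOCA class: WASH-1400 median, mean of the broadened prior
    (5th/95th reinterpreted as 20th/80th), and zero-event posterior mean."""
    s95 = sigma_from_error_factor(ERROR_FACTOR, Z95)
    s80 = sigma_from_error_factor(ERROR_FACTOR, Z80)
    rows = {}
    for name, mean in WASH1400_MEAN.items():
        median = lognormal_median(mean, s95)
        rows[name] = {
            "median": median,
            "broadened_prior_mean": lognormal_mean(median, s80),
            "posterior_mean": posterior_mean_zero_events(median, s80, exposure_years),
        }
    return rows


if __name__ == "__main__":
    # Exposure values are constructed assumptions, not data from the report.
    for years in (100.0, 500.0):
        print(f"zero events in {years:.0f} reactor-years (assumed)")
        for name, row in compare(years).items():
            print(f"  {name:6s} median={row['median']:.2e} "
                  f"prior mean={row['broadened_prior_mean']:.2e} "
                  f"posterior mean={row['posterior_mean']:.2e}")
```

Broadening the prior raises its mean by a factor of about 42 over the median, compared with about 2.7 for the original error factor, so the posterior mean is set largely by the assumed exposure and the prior's tail.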

2.2 Special LOCA Initiators

Several potential LOCA initiators with special features were also analyzed in the Haddam Neck PSS and are reviewed in this section.

2.2.1 Unisolated Reactor Coolant Pump Seal Failure

This LOCA initiator in most plants results in primary system inventory loss beyond the capability of the normal makeup system, in which case the high-pressure safety injection system is required to maintain the primary system inventory. However, in Haddam Neck each reactor coolant pump seal includes a breakdown bushing that limits the leakage to 50 gpm per pump. This leakage rate is within the capacity of the plant makeup system. In addition, the primary loops in this plant include motor-operated isolation valves that could be used to isolate any loop with a leaking reactor coolant pump seal.

The frequency of the unisolated reactor coolant pump seal failure was calculated using the following relationship:

$$F_{US} = F_S \cdot (P_{MOV} + P_{OE}) \qquad (2.1)$$

where

$F_{US}$ is the frequency of unisolated RCP seal failure;

$F_S$ is the frequency of seal failure at Haddam Neck (0.25/year based on four actual events in 16 years of experience);

$P_{MOV}$ is the probability of either MOV failing to close on demand (5.0E-2);

$P_{OE}$ is an operator error of either failing to respond to annunciators, failing to follow the procedures, or selecting the wrong valve (3.1E-3).

Based on this equation, the frequency of unisolated reactor coolant pump seal failure is 0.013. It is interesting to note that the generic pump seal failure frequency used in different PRAs is 0.02 (4), which is an order of magnitude smaller than Haddam Neck experience. Thus, the existence of loop isolation valves and of breakdown bushings that limit the leakage is quite important in this plant.

2.2.2 Steam Generator Tube Rupture

The second LOCA initiator with special requirements considered in this study is the steam generator tube rupture. The special feature of this initiator is that it creates a path for LOCA outside containment and also affects secondary side heat removal. In the Haddam Neck PSS this initiator is defined as failure of one to five steam generator tubes. Larger numbers of tube ruptures or simultaneous tube ruptures in several steam generators are considered unlikely.

The frequency with which this event occurs at the Haddam Neck Power Plant is calculated based on generic data suggested in NUREG-0844 (5). In this report, four single tube failures over 240 reactor years of experience are cited. This results in a steam generator tube rupture frequency of 1.7E-2 per year. In EPRI NP-2230 (6), for all PWRs at all powers eight steam generator leakage events in 213 years of operation are reported. Steam generator leakage in this report is defined as "excessive primary to secondary leakage in the steam generator." Based on this data a mean frequency of 3.7E-2 per year is calculated.

2.2.3 LOCA Outside Containment

The next initiator considered is LOCA outside containment. This category includes all initiators that result in the creation of a direct path for loss of coolant outside the containment except for steam generator tube rupture, which is considered separately.

The frequency of this event was evaluated by first considering low-pressure systems or paths that interface with the high-pressure primary coolant system, followed by identifying scenarios that could lead to LOCA outside containment in these systems or paths.

Identified systems with possibility of initiating LOCA outside containment include the Chemical and Volume Control System (CVCS), the High- and Low-Pressure Safety Injection lines, and the Residual Heat Removal (RHR) System.

The frequency of a LOCA outside containment in the CVCS was calculated by looking at scenarios that could result in ruptures outside containment in the charging and letdown lines. The frequency with which the event could occur due to ruptures in the charging line outside containment was assessed to be very low because of multiple component failures that must occur.

For the letdown line, the only credible initiator found was pipe rupture outside containment upstream of the normally open air operated valve FCV-202. The frequency of this event was calculated using the following relationship:

$$F_L = F_{PR} \cdot F_{MOV-200} \cdot F_{OE} \qquad (2.2)$$

where

$F_L$ is the frequency of a LOCA outside containment due to ruptures in the CVCS letdown line;

$F_{PR}$ is the frequency of pipe rupture = (11 pipe segments) * (8.5E-9 pipe segment failure/hr for pipe segments with a diameter less than 3 inches) * (8760 hrs/year) = 8.2E-4 per year;

$F_{MOV-200}$ is failure of MOV-200 to isolate the line = (1.25E-3 demand failure based on monthly tests) * (16 months between tests) = 2.0E-2;

$F_{OE}$ is operator failure to close MOV-200 manually = 0.3.

Based on this equation, the frequency of a LOCA outside containment due to ruptures in the CVCS letdown line is 4.9E-6 per year.

Another initiator for this event which was not considered in the above analysis is the possibility of rupture of one of three orifices which are located right before the air operated valves. The failure frequency of this event can be calculated using the following relationship:

$$F_{OR} = 3 \lambda_{OR} T \qquad (2.3)$$

where

$F_{OR}$ is the failure frequency of the one out of three orifices;

$\lambda_{OR}$ is the mean rupture failure rate of an orifice which is 3.0E-8/hr (7);

$T$ is the number of hours per year, 8760 hrs/year.

Based on this equation, the failure frequency of any one of the orifices is 7.8E-4. This frequency should be added to the frequency of pipe rupture $F_{PR}$ shown in equation 2.2. Combining these pipe segment and orifice failure probabilities with the failure of MOV-200 and operator error described in equation 2.2, the frequency of initiation of a LOCA outside containment due to ruptures in the CVCS letdown line is calculated as 9.6E-6 per year.

The total frequency of LOCA outside containment due to ruptures in the high and low pressure injection lines and the RHR discharge line is calculated as 2.8E-7 per year. This low frequency is primarily due to the fact that multiple component failures must occur in these lines before a LOCA outside containment can be initiated.

2.2.4 Catastrophic Pressure Vessel Rupture

The final special LOCA initiator considered is catastrophic pressure vessel rupture that is beyond the capability of the Emergency Core Cooling System (ECCS). The frequency of this event was taken from WASH-1400 as 2.7E-7 per year.

Table 2.2 lists these special LOCA initiators and the frequencies assigned to them in the Haddam Neck PSS and in the present review.

2.3 Transient Initiating Events

The transient initiating events in the Haddam Neck PSS consist of generic transient initiating events that occur due to causes common to most pressurized water reactors and some plant-specific transient initiating events that occur due to failures in the plant's support systems.

The generic transients in this study were grouped into the following categories:

1. General plant transients
2. Total loss of main feedwater
3. Main feedline break
4. Steamline break upstream of non-return valve
5. Steamline break downstream of non-return valve
6. Loss of offsite power

These initiators are reviewed in this section.

Table 2.2 Special LOCA Initiators Considered in the Haddam Neck PSS

                                      Frequency (per year)
Initiating Event                      PSS       Suggested   Comments
Unisolated RCP Seal Failure           1.3E-2
Steam Generator Tube Rupture          1.7E-2    3.7E-2      EPRI NP-2230 (6)
Interfacing System LOCA in CVCS       4.9E-6    9.6E-6      Addition of orifice rupture
Letdown Line                                                failure frequency
Interfacing System LOCA in Other      2.8E-7
Systems
Catastrophic Pressure Vessel Rupture  2.7E-7

2.3.1 General Plant Transient

The general plant transient includes all the transient initiators that result in a trip with main feedwater system available. This category also includes some initiators that normally are included in the group of transients with power conversion system (PCS) unavailable. For example, full or partial closure of one or more Main Steam Isolation Valves (MSIV), loss of condenser vacuum, and loss of circulating water are included in this category because of a unique feature of the PCS in this plant in which the feedwater pumps do not trip on safety injection signal, high steam generator level or loss of condenser vacuum. Thus, this plant is much less likely than other PWRs to lose feedwater following a transient.

Table 2.3 lists the initiating events included in this category. The initiating event frequencies shown in this table are generic frequencies taken from EPRI NP-2230 (6). These frequencies are for all PWRs at all power levels excluding the events in the first two years of operation. In the Haddam Neck PSS the initiating frequency of this class of transients was calculated from the plant-specific data. Events that occurred during the first two years of the plant operation, generally thought of as the break-in period, were excluded and only the next 14 years (between 1970 to 1983) were considered. Based on 44 transients in the 14 years for which the data was evaluated, the frequency of general plant transient was calculated to be 3.14 per year. As comparison with the data in Table 2.3 shows, this plant has experienced a much smaller frequency of general plant transient than the generic experience.

2.3.2 Total Loss of Main Feedwater

The next transient category is the total loss of main feedwater. In this plant, this transient can occur due to total loss of the main feedwater system, closure of all main feedwater regulating valves or isolation valves, trip of both main feedwater or condensate pumps, or loss of control air to secondary plant components.

Table 2.3 Transient Initiators Included in the General Plant Transient Category in the Haddam Neck PSS

Transient Initiator                                          Frequency (6) (per year)
RCP Trip                                                     0.32
Multiple RCP Trip                                            0.02
RCP Locked Rotor
RCP Shaft Failure
RCP TC Isolation Valve Closure
RCP TH Isolation Valve Closure
Loss of 4160V Bus 1-1A or 1-1B                               0.09
Instrumentation Faults Indicating Loss of Flow
Loss of One FW or Condensate Pump                            0.05
Closure of One or More MSTVs                                 0.14
Loss of Running and Standby FW Heater Drain Pumps
Increase in FW Flow                                          0.57
Reduction in FW Flow                                         1.37
Reduction in FW Temperature
Increase in FW Temperature
Full or Partial Closure of one or more FW Regulating
  Valves or Isolation Valves
Loss of Internal or External Load
Excess Load
Condenser Leakage                                            0.02
Moisture Separator Reheater Faults
Instrumentation Faults, Erroneous Signals
FW Flow Instability                                          0.29
FW Heater Faults
Miscellaneous Leakage in Secondary System                    0.09
Startup of an Idle RCS Loop                                  0.00
Spurious Opening of Atmospheric Steam Dump Valve             0.02
Spurious Opening of One High Pressure Steam Dump Valve
Loss of a Vital Bus
T4.1 Automatic Turbine Trip                                  0.98
T4.2 Loss of Condenser Vacuum                                0.12
T4.3 Loss of Circulating Water                               0.03
T4.4 Governor Valve Malfunction
T4.5 Generator Trip
T4.6 Turbine Generator Overload                              0.27
T4.7 Turbine Stop Valve Closure
T5.1 Automatic Trip                                          1.23
T5.2 Control Rod Problems                                    0.12
T5.3 High or Low Pressurizer Pressure                        0.02
T5.4 High Pressurizer Level                                  -
T5.5 Spurious Trip                                           0.08
T5.6 Manual Trip                                             0.54
T8.1 Control Rod Withdrawal                                  0.02
T8.2 CVCS Malfunction Boron Dilution                         0.02
T8.3 Control Rod Drive Mechanism Malfunction                 0.41
T8.4 Control Rod Ejection
T8.5 High Power Trip
T9.1 Inadvertent Safety Injection Signal                     0.05
T9.2 High Containment Pressure Signal                        0.00
T9.3 Spurious Low Pressurizer Pressure Signal
Total                                                        6.87

The frequency of this event was calculated using plant-specific data. Based on five events in 14 years, a frequency of 0.36 per year is determined. The generic frequency of this category for total loss of main feedwater and trip of both main feedwater condensate pumps using EPRI NP-2230 data is 0.10 per year.

Overall, it appears that the frequency derived from plant-specific experience for these two categories of initiating events at this plant is sufficiently large to justify using this data rather than generic transient frequencies.

2.3.3 Main Feedline Break

The next generic transient initiator is the main feedline break. The frequency with which this transient occurs was calculated by adding the number of pipe segments in the main feedwater lines and multiplying this figure by the pipe segment failure rates suggested in WASH-1400.

Based on 69 pipe segments and a mean pipe segment failure rate of 8.5E-10 per hour for pipe segments with a diameter larger than three inches, the frequency of main feedline break in this plant was calculated to be 5.1E-4 per year.

2.3.4 Steamline Break Upstream of the Non-Return Valve

There are two types of failures that contribute to the occurrence of this initiator. These include the possibility of pipe rupture upstream of the four non-return valves and spurious opening of one or more steam generator safety valves.

In the PSS the pipe rupture contribution to this initiating event was calculated using a similar method as the main feedwater break frequency. Based on 64 pipe segments and a mean pipe segment failure rate of 8.4E-10, the frequency of steamline break upstream of the non-return valve due to pipe rupture was calculated to be 4.8E-4 per year.

The contribution from spurious opening of one of the sixteen steam generator safety valves was not evaluated in the PSS. The frequency of this event can be calculated using the following relationship:

$$F_{SR} = 16 \, F_{SS} \, F_{FC} \qquad (2.4)$$

where

$F_{SR}$ is the frequency of any of the steam generator safety relief valves getting stuck open;

$F_{SS}$ is the frequency of spurious opening of the steam generator safety relief valves;

$F_{FC}$ is the failure probability of the safety relief valves to close, given they have opened.

The frequency of spurious opening of steam generator safety relief valves, for all PWRs, at all power excluding the first two years is 0.03 (6). The mean failure probability of safety relief valves to close, given they have opened, is 2.0E-2/demand (7). Thus, the contribution from spurious opening of steam generator safety valves to the steamline break upstream of the non-return valve is 9.6E-3 per year. Adding this to the contribution from pipe rupture gives the total frequency of steamline break upstream of the non-return valve as 1.0E-2/year.

2.3.5 Steamline Break Downstream of the Non-Return Valve The frequency of steamline break downstream of the non-return valve in the PSS was calculated by considering the frequency of the pipe break downstream of the non-return valve and the frequency of spurious opening of two or more high-pressure steam dump valves. The number of high pressure steam dump valves that would constitute a steamline break was chosen based on the fact that each valve has a relief capacity of about 4%

of the full flow. Main Steam Trip Valve (MSTV) closure occurs when the steam flow is 110% of the rated flow. Thus, a single steam dump valve's opening will not lead to MSTV closure -- two or more valves must open.

In the PSS, the frequency of spurious opening of two or more high pressure steam dump valves was calculated by considering the probability of common cause failure of two or more valves using the methodology and data suggested in NUREG/CR-2770 (8). The mean frequency of inadvertent opening of two or more valves was calculated at 4.2E-3 per year.

Because of the large number of pipe segments downstream of the non-return valve and difficulty in defining pipe segments, instead of multiplying the number of pipe segments by the frequency of pipe segment failure, a more subjective approach was used in the PSS to calculate the frequency of pipe break downstream of the non-return valves. From reference (2) it was found that the frequency of failure of turbine bypass valves is 3.8E-2 per year. This frequency is taken to represent steamline breaks due to valve failures. Then it is assumed that the frequency of pipe breaks is at least an order of magnitude smaller than the frequency of valve failures. Thus, the frequency of pipe breaks is calculated as 3.8E-3 per year and the total frequency of steamline break downstream of the non-return valve as 8.0E-3 per year.

In the above calculation, it is not clear why spurious opening of two or more high pressure steam dump valves (turbine bypass valves) is considered a steamline break. If the MSTVs close as a result of this event, the event would be similar to a general plant transient due to closure of all MSTVs. If the MSTVs do not close, the turbine and plant would adjust to the new steam flow rate. Also, in the PSS evaluation of this initiator, the basis for assuming that pipe break frequency is an order of magnitude smaller than turbine bypass valve frequency is not clear.

The frequency of steamline break downstream of the non-return valve can be calculated by considering the total number of pipe segments downstream of the non-return valves and the failure rate of pipe segments as discussed before. As mentioned earlier, it is indicated in the PSS that there was some difficulty in defining pipe segments downstream of the non-return valves. The licensee estimates that there are between 200 and 300 pipe segments downstream of the non-return valves (9). Using the largest estimate of the number of pipe segments, 300, the upper bound frequency of steamline break downstream of the non-return valve is calculated to be 2.2E-3 per year.

2.3.6 Loss of Offsite Power

The last generic transient initiator is the loss of offsite power. This transient is defined as an event that leads to complete loss of offsite power to all 4160KV buses that originate onsite or offsite. The duration of this event should be long enough to result in a plant trip.

The frequency of occurrence of this event in the PSS was calculated using plant-specific data. Between 1/1/68 and 7/31/85 (17.6 years), seven loss of offsite power events occurred at this plant. Of these events, one was of very short duration and did not lead to a reactor trip. Three events occurred when the reactor was not at power and were due to causes that cannot occur during power operation. Thus, the plant-specific frequency of loss of offsite power was calculated to be 0.17 per year. The mean frequency of loss of offsite power for the ten operating plants in the northeast region is 0.154 per year (10).

Table 2.4 lists generic transient initiators used in the Haddam Neck PSS.
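The initiator frequencies quoted in Sections 2.3.4 to 2.3.6 can be recomputed from their stated inputs. The following is an added example, not part of the original report; the function names are hypothetical, and the per-hour basis for the pipe segment failure rate is an assumption (the text gives no unit), tested here because a per-year reading does not reproduce the reported values.

```python
# Added example: recompute the initiator frequencies quoted in the text.
# ASSUMPTION: the pipe segment failure rate 8.4E-10 is per segment-hour;
# the report states no unit, so rate_basis() tests both readings.
HOURS_PER_YEAR = 8760


def stuck_open_srv_frequency(n_valves, f_spurious_open, p_fail_to_close):
    """Equation (2.4): valves x spurious-opening frequency x failure to reclose."""
    return n_valves * f_spurious_open * p_fail_to_close


def pipe_rupture_frequency(n_segments, segment_rate, exposure=HOURS_PER_YEAR):
    """Segments x failure rate x exposure time per year (assumed hours)."""
    return n_segments * segment_rate * exposure


def agrees(computed, reported, rel_tol=0.05):
    """True when a recomputed value is within 5% of the rounded reported value."""
    return abs(computed - reported) <= rel_tol * reported


def recompute():
    """Return {quantity: (recomputed, reported, agrees)} for each quoted value."""
    srv = stuck_open_srv_frequency(16, 0.03, 2.0e-2)
    # Seven events, less one too short to trip the reactor, less three that
    # occurred while the reactor was not at power.
    loop_events = 7 - 1 - 3
    checks = {
        "upstream pipe rupture (64 segments)":
            (pipe_rupture_frequency(64, 8.4e-10), 4.8e-4),
        "stuck-open safety valve":
            (srv, 9.6e-3),
        "upstream total":
            (4.8e-4 + srv, 1.0e-2),
        "downstream pipe rupture (300 segments)":
            (pipe_rupture_frequency(300, 8.4e-10), 2.2e-3),
        "PSS downstream pipe break (valve rate / 10)":
            (3.8e-2 / 10, 3.8e-3),
        "PSS downstream total":
            (4.2e-3 + 3.8e-3, 8.0e-3),
        "loss of offsite power":
            (loop_events / 17.6, 0.17),
    }
    return {name: (value, reported, agrees(value, reported))
            for name, (value, reported) in checks.items()}


def rate_basis():
    """Which exposure basis reproduces both pipe-rupture figures in the text."""
    result = {}
    for label, exposure in (("per year", 1), ("per hour", HOURS_PER_YEAR)):
        result[label] = (
            agrees(pipe_rupture_frequency(64, 8.4e-10, exposure), 4.8e-4)
            and agrees(pipe_rupture_frequency(300, 8.4e-10, exposure), 2.2e-3)
        )
    return result


if __name__ == "__main__":
    for name, (value, reported, ok) in recompute().items():
        print(f"{name:45s} {value:9.3e}  reported {reported:9.3e}  "
              f"{'ok' if ok else 'MISMATCH'}")
    print(rate_basis())
```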

2.4 Plant-Specific Transient Initiators

In addition to the generic transient initiators discussed in the previous sections, a series of plant-specific or special transient initiators were identified in the PSS. These initiators occur as a result of failure of a support system and result in multiple failures of frontline or other support systems.

The plant-specific transient initiators identified in the PSS include:

1. Insufficient flow of Service Water System (SWS)
2. Loss of control air system
3. Loss of motor control center 5
4. Loss of DC Bus 1
5. Loss of DC Bus 2
6. Total loss of DC system
7. Total loss of semi-vital AC system

Table 2.4 Generic Transient Initiators Considered in the Haddam Neck PSS

| Initiating Event | PSS Frequency (per year) | Suggested Frequency (per year) | Comments |
|---|---|---|---|
| General Plant Transient | 3.14 | | |
| Loss of Main Feedwater | 0.36 | | |
| Main Feedline Break | 5.1E-4 | | |
| Steamline Break Upstream | 4.8E-4 | 1.0E-2 | Addition of frequency of stuck open safety relief valves |
| Steamline Break Downstream of Non-Return Valve | 3.8E-3 | 2.2E-3 | Exclusion of failure frequency of the high pressure steam dump valves |
| Loss of Offsite Power | 0.17 | | |

The first plant-specific initiator analyzed is insufficient flow of Service Water System (SWS). This system provides cooling water to a large number of components and systems. One of the first effects of loss of SWS is the loss of turbine lube oil cooling. Following this, the main feedwater pumps will become unavailable due to loss of cooling. Loss of the SWS will also result in the loss of heat removal from component cooling and residual heat removal system heat exchangers. In addition, the containment air recirculation fan system will lose its heat removal capability. Operation of this system is called upon further down in the incident. Finally, diesel generators are dependent on SWS for cooling. It is important to note that the Fire Pump System is capable of performing the same functions as the SWS and can be used as a backup for this system.

The SWS consists of four pumps. During the coldest months of the year, one SWS pump is sufficient to carry the plant load. During hot summer months operation of three pumps might be necessary, with one pump on standby.

To calculate the frequency of initiation of this event, the PSS conservatively assumes that three SWS pumps are running. The loss of heat removal from essential components that are serviced by the SWS is defined as failure of either two out of three or three out of three SWS pumps, followed by failure of either the fire pump system as backup to SWS or failure to isolate the SWS flow to the secondary plant components so that SWS could remove the essential heat load with only one pump. All necessary operator actions are included in the above scenario.

The total frequency of failure of the SWS, including the backup fire pump system and the necessary operator actions for isolation of secondary plant component, is calculated as 1.3E-4 per year. Our review indicates that modeling of the SWS failure as an initiator and the frequency of occurrence of this event was adequately analyzed in the PSS.

The next plant-specific transient initiator is the loss of Control Air System. This event is defined as non-recoverable failure of the control air system to supply compressed air to the appropriate components. The Service Air System can be used as a backup to the control air system by manual lineup of the system. Both of these systems are dependent on the Closed Cooling Water System for cooling of their air compressors.

Major consequences of loss of the control air system include closure of the feedwater regulating valves, lack of component cooling water flow to the reactor coolant pump thermal barrier and bearing oil, closure of main steam trip valves, and loss of atmospheric steam dump and steam dump to the condenser.

The non-recoverable failure of the control air system is conservatively calculated to be 1.1E-2 per year.

The last five plant-specific transient initiators are system or subsystem failures that have been modelled as part of the plant systems failure analysis for event tree quantification.

Among these, only MCC-5 was not modeled correctly. For MCC-5 it was found that the system fault tree did not model the premature closure of the supply breaker from the alternate power source. In addition, some of the recovery actions were not modeled appropriately. The combined effect of these is a factor of two increase in the frequency of failure of the MCC-5 to 2.8E-2 per year. More detailed discussion about these modeling errors is provided in Section 4.0 on System Reliability Analysis.

Table 2.5 lists all the initiators considered in the Haddam Neck Study, including the plant-specific transient initiators discussed above.

2.5 Summary

Our review of the Haddam Neck PSS initiating events indicates that selection of the LOCA initiators and the transient initiators in this study is reasonable. The LOCA initiators due to primary coolant system pipe rupture cover the whole range of credible pipe ruptures. In addition, the LOCA initiators with special features cover all other events that could result in loss of coolant accidents.

With respect to transient initiators, the list of initiators included in various generic transient categories covers all initiators traditionally included in PRAs. Furthermore, the list of plant-specific transient initiators considered in this study includes all possible support state failures that could cause a transient in this plant.

Quantification of the LOCA and transient initiators in this study included using both plant-specific and generic data. The use of plant-specific data for quantification of the initiators in this study was found to be appropriate. For the most part all initiator frequencies evaluated in this study are correct. Several minor comments were made on some initiators that would result in small changes in the initiator frequencies. Table 2.5 contains a complete list of the initiating events used in the Haddam Neck PSS. Also shown are the initiator frequencies used in the PSS and suggested frequencies for a few of the initiators where different values from those used in the PSS were found appropriate.

Table 2.5 List of All Initiating Events Used in Haddam Neck PSS

| Initiating Event | PSS Frequency (Per Year) | Suggested Frequency (Per Year) |
|---|---|---|
| Large-Break LOCA | 3.9E-4 | 2.6E-4 (1) |
| Medium-Break LOCA | 6.1E-4 | 7.9E-4 (1) |
| Small Break LOCA | 2.7E-3 | |
| Unisolated RCP Seal Failure | 1.3E-2 | |
| Steam Generator Tube Rupture | 1.7E-2 | 3.7E-2 (2) |
| Interfacing System LOCA in CVCS Letdown Line | 4.9E-6 | 9.6E-6 (3) |
| Interfacing System LOCA in Other Systems | 2.8E-7 | |
| Catastrophic Pressure Vessel Rupture | 2.7E-7 | |
| General Plant Transient | 3.14 | |
| Loss of Main Feedwater | 0.36 | |
| Main Feedline Break | 5.1E-4 | |
| Steamline Break Upstream of Non-Return Valve | 4.8E-4 | 1.0E-2 (4) |
| Steamline Break Downstream of Non-Return Valve | 3.8E-3 | 2.2E-3 (5) |
| Loss of Offsite Power | 0.17 | |
| Insufficient Flow of Service Water | 1.3E-4 | |
| Loss of Control Air System | 1.1E-2 | |
| Loss of MCC-5 | 1.4E-2 | 2.8E-2 (6) |
| Loss of DC Bus 1 | 8.5E-3 | |
| Loss of DC Bus 2 | 8.4E-3 | |
| Total Loss of DC System | 7.8E-6 | |
| Total Loss of Semi-Vital AC System | 1.7E-3 | |

(1) WASH-1400 suggested frequencies

(2) EPRI-NP 2230 suggested data

(3) Orifice rupture failure frequency is added to the pipe rupture failure frequency in this event.

(4) Frequency of stuck open safety relief valves is added to the pipe rupture failure frequency in this event.

(5) Failure frequency of the high pressure steam dump valves is excluded from this event.

(6) Premature closure of the supply breaker from alternate power source is added to the frequency of this event.

3.0 EVENT TREE ANALYSIS

The Haddam Neck PSS analysis team constructed 24 event trees to represent plant response to the initiators discussed in Section 2.0. We have reviewed these trees to determine if they are a reasonable representation of this plant's response to the initiators. The assumptions which went into the tree construction were evaluated with respect to plant-specific thermal/hydraulic analyses performed by the utility (11) and were compared, where applicable, with assumptions used in previous PRAs. Where there were notable differences or confusion, further analyses were conducted to assess whether the assumptions were reasonable. Each discrepancy is discussed in this section, and, when necessary, the trees were modified to reflect the results of our analysis. These discrepancies fall into two categories. The first category addresses issues which are general in nature; that is, they affect more than one event tree. These are discussed in Section 3.1. The second category addresses issues which are specific to a particular initiator (event tree). These are discussed in Section 3.2. The plant damage states into which the core melt sequences are assigned are identified by a 3 character designation XYZ. Each of these characters is defined in Table 3.1.

3.1 General Event Tree Findings

This section presents the results of our evaluation of notable areas of difference and confusion which pertain to more than one event tree.

3.1.1 Analysis of Random and Consequential Small LOCAs

The PSS considers a single size of small LOCA, ranging from an equivalent diameter of 3/8 inches to an equivalent diameter of 2 inches. The plant response and success criteria are based on the most restrictive requirements across the break size range. For all breaks in this range, it is assumed that high-pressure injection and steam generator cooling are both required and that high-pressure recirculation is required within about one hour. However, in the best-estimate LOCA analysis performed for the Haddam Neck plant (11), it is shown that steam generator cooling is only required at the lower end of this range, i.e., equivalent diameter less than 3/4 inch. Further, the analysis shows that alternative means of cooling are available for these smaller breaks. These are (1) bleed-and-feed cooling when steam generator cooling is unavailable, and (2) depressurization of the primary to below the low pressure injection initiation point by rapid blow-down of the steam generators (secondary depressurization) when high-pressure injection is unavailable. Secondary depressurization can also be utilized later in the accident sequence in situations in which high-pressure injection succeeds but high-pressure recirculation fails. In this case, the resultant depressurization of the primary allows use of low-pressure recirculation. In the PSS, bleed-and-feed is inconsistently applied to the various small LOCAs (random and consequential) and secondary depressurization is not applied at all. Additionally, the operator response time allowed for the operator to initiate recirculation for these breaks at the lower end of the range is quite a bit shorter than the actual available time since it is based on the time available for the 2-inch diameter breaks. All of these assumptions could serve to distort the perceived core melt risk from these very small breaks because the success criteria are not reasonably consistent across the entire break size range.

Table 3.1 Definition of Various Plant Damage States for Core Melt Sequences

Three Character Designation XYZ

X is the generic symbol for initiating event type and consists of one of the following cases:

- A indicates large or medium-LOCA initiator
- S indicates a small break LOCA or Consequential Small LOCA initiator
- T indicates a transient or special initiator
- V indicates a LOCA outside containment initiator
- V2 indicates a LOCA outside containment due to steam generator tube rupture
- R indicates a catastrophic reactor vessel rupture

Y is the generic symbol for timing of the core melt and consists of one of the following two cases:

- E indicates an early core melt occurring in 2 hours or less after the initiation of the accident
- L indicates a late core melt occurring greater than 2 hours after the initiation of the accident

Z is the generic symbol for the availability of containment heat removal and consists of one of the following two cases:

- C indicates the availability of the containment heat removal based on either containment air recirculation fan coolers or the containment sprays
- No Symbol indicates neither of the above two heat removal systems are available
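The plant damage state designation XYZ defined in Table 3.1 can be decoded mechanically. The following is an added example, not part of the original report; the function names are hypothetical and the sample designators are constructed for illustration.

```python
# Added example: decode the three-character plant damage state designation
# XYZ of Table 3.1. Function names and sample inputs are illustrative only.
import re
from collections import Counter

INITIATORS = {
    "A": "large or medium LOCA",
    "S": "small break LOCA or consequential small LOCA",
    "T": "transient or special initiator",
    "V": "LOCA outside containment",
    "V2": "LOCA outside containment due to steam generator tube rupture",
    "R": "catastrophic reactor vessel rupture",
}
TIMING = {
    "E": "early core melt (2 hours or less after initiation)",
    "L": "late core melt (more than 2 hours after initiation)",
}

# "V2" is tried before the single letters so that "V2E" is not read as the
# initiator "V" followed by an invalid timing symbol "2".
_DESIGNATOR = re.compile(r"(V2|[ASTVR])([EL])(C?)")


def parse_damage_state(code):
    """Split a designator such as 'SLC' into initiator, timing and CHR flag."""
    text = code.strip().upper()
    match = _DESIGNATOR.fullmatch(text)
    if match is None:
        raise ValueError(f"not a Table 3.1 damage state: {code!r}")
    x, y, z = match.groups()
    return {
        "designator": text,
        "initiator": INITIATORS[x],
        "timing": TIMING[y],
        # A trailing C means containment heat removal (fan coolers or sprays)
        # is available; no symbol means neither system is available.
        "containment_heat_removal": z == "C",
    }


def tally_end_states(end_states):
    """Count core melt end states by (timing, CHR available).

    'OK' marks a sequence without core melt and is counted separately.
    """
    counts = Counter()
    for state in end_states:
        if state.strip().upper() == "OK":
            counts["OK"] += 1
            continue
        parsed = parse_damage_state(state)
        counts[(parsed["designator"][-2:].rstrip("C")[-1],
                parsed["containment_heat_removal"])] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample of event tree end states.
    sample = ["OK", "SLC", "SL", "SEC", "SE", "V2E", "TLC"]
    for state in sample[1:]:
        print(parse_damage_state(state))
    print(tally_end_states(sample))
```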

The solution to this problem is to divide the small LOCAs into two break size ranges, the small LOCAs (3/4-inch to 2-inches) and the small-small LOCAs (3/8-inch to 3/4-inch). This was done in the best estimate LOCA analysis but for some reason was not carried through to the PSS. The small LOCA range would encompass random breaks only, and the success criteria would require high-pressure injection (HPSI or charging) for early core cooling and high-pressure recirculation for late core cooling. Methods for depressurizing and utilizing low pressure systems would not be credited because LOCA analysis indicates that the pressure could not be sufficiently lowered prior to core uncovery. In keeping with the LOCA analysis, steam generator cooling would not be required for this break size.

The small-small LOCA range would encompass both random breaks and consequential LOCAs caused by a stuck-open PORV or by RCP seal failure (see also Section 3.1.2). The LOCA analysis implies that the response for each of these LOCAs is virtually identical. For these LOCAs, early core cooling could be provided by (1) steam generator cooling (SGC) in conjunction with high-pressure injection (HPSI or charging), (2) bleed-and-feed cooling (when HPI is available and SGC is unavailable), or (3) secondary depressurization and low-pressure injection (when SGC is available and HPI is unavailable). Late core cooling success would depend on the pressure at the time of recirculation, although it should be noted that when early core cooling is provided by SGC and HPI and high pressure recirculation cannot be provided due to charging system failure, then secondary depressurization can be utilized at the time of recirculation switchover to allow use of low-pressure recirculation. The time allowed the operator to successfully initiate recirculation for LOCAs in this range is assumed to be much greater than the one hour allowed in the PSS. We would expect that it would take about 4 hours or so to reach the point at which recirculation could be established and that the low break flow rate would allow the operator a substantial amount of time, probably over an hour even at the upper end of the range, after this point is reached to actually establish recirculation. (Note: If bleed-and-feed (BAF) cooling is utilized, then BAF assumptions apply.)

The event trees which contain random or consequential LOCAs have been modified to incorporate the changes discussed above. Two modifications to the PSS small LOCA tree were required, one to create a new small LOCA tree and one to create a revised small-small LOCA tree.
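The effect of splitting the small LOCA range on the early core cooling success criteria can be tabulated over equipment states. The following is an added example, not part of the original report; the function names are hypothetical. It assumes that the required operator actions succeed, that low-pressure injection is available unless stated otherwise, and that a break of exactly 3/4 inch belongs to the small LOCA range. The PSS function models only the single stated criterion, not the PSS's inconsistent bleed-and-feed credit.

```python
# Added example: early core cooling success criteria from Section 3.1.1,
# PSS single-range criterion versus the review's two break size ranges.
# ASSUMPTIONS: operator actions succeed; a 3/4-inch break is a small LOCA.
from itertools import product

SMALL_SMALL = "small-small LOCA"  # 3/8 inch up to, not including, 3/4 inch
SMALL = "small LOCA"              # 3/4 inch up to 2 inches


def classify_break(diameter_in):
    """Map an equivalent break diameter in inches to the review's size class."""
    if 3 / 8 <= diameter_in < 3 / 4:
        return SMALL_SMALL
    if 3 / 4 <= diameter_in <= 2:
        return SMALL
    return None  # outside the 3/8-inch to 2-inch small LOCA range


def early_cooling_pss(break_class, sgc, hpi):
    """PSS: HPI and SGC are both required anywhere in the range."""
    if break_class is None:
        return None
    return "SGC + HPI" if (sgc and hpi) else None


def early_cooling_review(break_class, sgc, hpi, lpi=True):
    """Review: return the credited cooling path, or None for no success path."""
    if break_class == SMALL:
        # SGC is not required and depressurization methods are not credited.
        return "HPI" if hpi else None
    if break_class == SMALL_SMALL:
        if sgc and hpi:
            return "SGC + HPI"
        if hpi:
            return "bleed-and-feed"
        if sgc and lpi:
            return "secondary depressurization + LPI"
    return None


def credited_differences(diameter_in):
    """Equipment states (sgc, hpi) that fail under the PSS criterion but have
    a success path under the review's criteria, with that path."""
    break_class = classify_break(diameter_in)
    differences = {}
    for sgc, hpi in product((True, False), repeat=2):
        pss = early_cooling_pss(break_class, sgc, hpi)
        review = early_cooling_review(break_class, sgc, hpi)
        if pss is None and review is not None:
            differences[(sgc, hpi)] = review
    return differences


if __name__ == "__main__":
    for diameter in (0.5, 1.0):
        print(diameter, classify_break(diameter), credited_differences(diameter))
```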

3.1.2 Treatment of Consequential RCP Seal LOCA

A problem related to the above discussion is the PSS treatment of the consequential RCP seal LOCA. This event results from a loss of cooling to the RCP seals, which causes seal failure and a subsequent LOCA. The design of the Haddam Neck RCP seals is such that the LOCA flow rate is limited to 50 gpm/seal. For this reason, the PSS argues that in some ways the RCP seal LOCA is not a real LOCA at all, since the total potential flow rate is only 200 gpm if all four seals fail and may actually be lower. Any leak of less than 160 gpm does not come under the definition of a LOCA, since normal makeup to the charging system can provide this much flow. (It is stated in the initiating event section that the 3/8-inch diameter lower limit of the small LOCA range is based on this 160 gpm flow rate.) Another point made by the PSS is that there are a number of mitigating factors which come into play even with a 200 gpm seal LOCA. First, the operator can use loop isolation valves to stop the LOCA. Second, the difference between 200 gpm and 160 gpm is small and it would take a very long time to deplete the RWST and thus create the necessity for recirculation. For these reasons, the PSS assumes that if charging can be recovered after the seals have failed the result is the same as if the seals had not failed at all. That is, the event is treated like a transient instead of a LOCA. This occurs mostly in certain occurrences of the event "primary integrity" (PIT), where seal failure with charging recovery is considered success of PIT.

We are not satisfied with this treatment of the RCP seal LOCA. First, the values 160 gpm and 200 gpm are approximations and, even with the uncertainties, indicate that the RCP LOCA falls clearly into the small LOCA range. Second, it is not reasonable to take the difference between 160 and 200 gpm and consider it to be the flow rate from the RWST. That assumes that the normal charging lineup would be in place, with makeup being provided to the volume control tank. In actuality, the charging system would be initially lost (this must happen for the RCP seal LOCA to occur since charging also supplies seal injection) and the 200 gpm flow rate would trigger safety injection, which transfers charging suction to the RWST. Thus, the RWST flow rate would be the full 200 gpm, and the recirculation switchover point would be reached in a little over eight hours. Finally, the ability of the operator to isolate the RCPs and thus terminate break flow is limited because complete isolation would interrupt flow to the steam generators, making SGC impossible.

Based on the above discussion, it appears that treating an RCP seal LOCA as anything but a genuine small-small LOCA is overly optimistic. It appears clear that the "size of the break" fits the definition of a small-small LOCA and that the plant response would be like other small-small LOCAs. Therefore recirculation must be considered because it would be required before the 24 hours sequence time cutoff. We recognize and understand the reluctance of the PSS to categorize and treat this event with the same restrictive success criteria it applied across the range of its small LOCA category; however, this problem would not have occurred if the PSS had divided the small LOCA range as discussed in Section 3.1.1. Since we have made that division and our small LOCA range more accurately fits the RCP seal LOCA than either the PSS small LOCA or the PSS RCP seal LOCA assumptions, the affected event trees have been modified so that the RCP seal LOCA is treated identically to the redefined small-small LOCA.

3.1.3 Need for Containment Heat Removal with Bleed-and-Feed

The PSS assumes that containment heat removal (CHR) using either fans or sprays is required for bleed-and-feed (BAF) scenarios. This is despite the fact that other recent PWR PRAs have shown that BAF followed by recirculation or RHR cooling is sufficient to prevent core melt without the use of CHR. Additionally, the plant-specific LOCA analysis shows that the peak containment pressure during BAF without CHR is about 23 psi in the first 15 hours, a figure which is substantially lower than the containment failure pressure. The basis for the PSS assumption is that "an adequate pressure [differential] must be maintained between the PORV receiver air tank and [the] containment [in order] to keep the PORVs opened." The PSS does not define "adequate," nor does it state at what time after the initiation of BAF "adequate pressure" is lost.

The assumption is potentially conservative in that it appears that a time frame should exist during which switching to long-term cooling should arrest the pressure rise and prevent PORV closure. However, it also appears that the probability of losing CHR when BAF and long-term cooling are operating is very small due to the redundancy of CHR and to the extensive equipment sharing between long-term cooling and CHR. Thus, the inclusion of the need for CHR during BAF scenarios probably does not significantly affect the results, and thus a more detailed consideration of this need is not warranted at this time. Should our requantification indicate that the problem is significant, it will be given further consideration. It should be noted that low temperature over-pressure (LTOP) as a backup bleed path would completely eliminate this dependence.

3.1.4 Treatment of Consequential Loss of Semi-Vital AC (SVA)

The semi-vital AC system (SVA) is an important support system at the Haddam Neck plant. Unlike the treatment of other support systems in the PSS, SVA was not considered in the support states evaluated. Rather, when it affected an event tree, SVA was included as an event on the tree. While this is an inconsistency in the approach, there is nothing inherently wrong with it if the analysis is handled properly. It is somewhat confusing in the PSS because SVA appears on some event trees and yet not on others which are similar and on which one would expect to find it. What the PSS did was to remove it from trees where the sequence frequencies through the SVA failure branch were less than the cutoff value (1E-6/year). This was done to simplify the trees. Again, there is nothing inherently wrong with this approach other than the fact that it is confusing and inconsistent. We would have preferred, for the sake of scrutability, that SVA had been handled as part of the support state analysis, but we see no reason to modify the trees at this point because modification would be difficult and would not change the ultimate results with regard to consequential SVA failure.

3.2 Specific Event Tree Findings

This section presents the results of our evaluation of notable areas of difference and confusion which pertain to a specific event tree. In addition, the specific trees which are affected by the general comments discussed above are identified.

3.2.1 Large LOCA Event Tree

We have reviewed the large LOCA event tree and find it to be a proper representation of plant response. Our only comment would be that the need to switch to two path recirculation to prevent boron precipitation is probably not justified. It is unlikely that sufficient boron precipitation to cause a problem would occur. However, this action is so simple and there is such a long time after the initiation of recirculation to perform it that it is not important to the results of the analysis.

3.2.2 Medium LOCA Event Tree

We have reviewed the medium LOCA event tree and find it to be a proper representation of plant response.

3.2.3 Small LOCA Event Tree

As discussed in Section 3.1.1, we found that the analysis of small LOCAs should have been broken up into two size ranges and given success criteria as described in that section. Two trees have been developed to implement that conclusion; the small LOCA tree is shown in Figure 3.1 and the small-small LOCA tree is shown in Figure 3.2.

[Figure 3.1 Small LOCA Event Tree. Column headings: Small LOCA (ET3A), Reactor Trip 1 (RT1), High Pressure Safety Injection 1 (HP1), Charging Pumps (CHG), Break Size and Location (BSL), Operator Action 2 Initiate Recirculation (OA2), High Pressure Recirculation RHR and Valve (HPR), Containment Heat Removal (CHR), Sequence Class, Sequence Designator.]

The following event definition changes/additions (small-small LOCA tree only) should be noted:

- OA-8, Operator Cognitive Decision to Initiate Bleed-and-Feed. This action will take two forms. In cases where high-pressure injection of some kind (HPSI or charging) is available and steam generator cooling has failed, this action will involve the operator's recognition of those conditions and his decision to initiate bleed-and-feed by opening the PORVs. In cases where high pressure injection capability has failed and steam generator cooling is available, this action will involve the operator's recognition of those conditions and his decision to initiate low-pressure makeup through the reduction of primary pressure by opening secondary atmospheric dump valves.

- BLED, Procedural Actions and Equipment Required to Implement Bleed-and-Feed (Initiating Bleed - HPI already available). Applies to first case discussed above, i.e., where high pressure injection is available.

- SBD, Procedural Actions and Equipment Required to Implement Secondary Blowdown and Low-Pressure Injection. Applies to second case discussed above, i.e., where high pressure injection has failed.

- OA-2, Operator Cognitive Decision to Initiate Recirculation. Three cases would apply, depending on system availability and RCS pressure. In each case, this action would involve operator diagnosis of the conditions and decision to take the proper action. Case 1--high RCS pressure with charging system available: the proper decision is to initiate high-pressure recirculation. Case 2--high RCS pressure with charging system unavailable and steam generator cooling available: the proper action is to initiate secondary blowdown and low-pressure recirculation. Case 3--low RCS pressure: the proper action is to initiate low pressure recirculation. For all other cases, no action is useful.

- HPR, Procedural Actions and Equipment Required to Implement Recirculation. As in the PSS, this event pertains only to the low-pressure (RHR) part of the recirculation equipment and its proper alignment. The exact equipment required and actions needed are based on the specific recirculation case under consideration as specified for action OA-2 above.

[Figure 3.2 Small-Small LOCA Event Tree]

IMPORTANT NOTE: These event definitions also apply to the analysis of consequential small LOCAs in the transient event trees, as appropriate. The particular trees which have been modified to reflect our review comments on consequential small LOCA response are identified in subsequent sections as being affected by the general comments in Sections 3.1.1 and 3.1.2. The specific operator actions available for any particular support system initiating events will depend upon the specific support systems that failed.

3.2.4 Steam Generator Tube Rupture Event Tree

The steam generator tube rupture event tree has a significant error pertaining to operator response under certain conditions. The error comes from assuming that, for all conditions, the operator will eventually come to a step in a procedure which calls for determining whether SGTR exists and that the first actions taken will be in response to the SGTR. This supposition is reflected on the tree by the positioning of this operator response prior to the steam generator cooling event (SGC). The PSS states that the success criteria for SGC is dependent on whether detection and isolation has occurred, and assumes that this operator response is not dependent on whether SGC has succeeded. This statement is contrary to the actual sequence in which certain events occur. The failure of SGC is a critical preemptory failure in the symptom-oriented procedures. If steam generator cooling is not available and it is required (which is the case), the operator is instructed to go immediately to one of the emergency functional recovery procedures. This occurs long before any step would be reached which calls for the operator to determine if an SGTR has occurred. Once in this procedure, failure to establish SGC would cause the operator to initiate bleed-and-feed. Again, this action would occur without the operator having come to any procedural step which would result in his discovering a SGTR. This is most likely acceptable, since initiating bleed-and-feed would appear to result in a drop in primary pressure below the secondary steam relief pressure in a relatively short period of time (based on the bleed-and-feed analysis included with the PSS). Thus, following the procedures for SGC failure would result in a safe condition (assuming successful bleed-and-feed response), but the SGTR condition would not be discovered. In any case, it appears that once the SGC failure occurred, the procedures would result in the operator never reaching a step at which he would determine that an SGTR existed. In order to properly represent the sequence of events, the SGC event has been moved up to before the operator response and the tree has been restructured.

Another timing problem we noted is that the consequential secondary steam leak event (SRV) appeared after the primary depressurization event (DEP) based on the assumption that successful DEP would prevent the secondary SRVs from lifting. A review of the SGTR thermal-hydraulic analysis included with the PSS indicates that the valves will lift very early following the SGTR, prior to the time DEP would occur. We have modified the tree by reversing the order of these events to properly reflect the timing sequence.

Finally, the PSS assumes that if the SRV fails (a secondary steam leak occurs) and the loop isolation valves are not closed, it is still possible to avert core melt by using long-term cooling (LTC). The thermal-hydraulic analysis provided in the PSS is not sufficient to justify this assumption. It is not clear how the RCS pressure can be reduced sufficiently to preclude the continuous loss of coolant to a steam generator which is essentially at atmospheric pressure. This continuing loss should result in depletion of the RWST and eventual core melt in less than 24 hours. The tree has been modified to take this into account and is shown in Figure 3.3.
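The heading-order argument of Section 3.2.4 can be made concrete with a small model. The Python sketch below is an added illustration, not part of the PSS or of this review: it uses a simplified three-heading tree (SGC, an operator SGTR detection/isolation heading given the hypothetical label OP_SGTR, and bleed-and-feed, BAF), and every branch probability is a constructed placeholder, not plant data.

```python
"""Simplified SGTR event-tree ordering model (illustrative, constructed values)."""

# Constructed branch failure probabilities; placeholders, NOT values from the PSS.
P_FAIL = {"SGC": 0.01, "OP_SGTR": 0.05, "BAF": 0.10}

# Heading order as the review describes the PSS tree: the operator SGTR response
# sits ahead of steam generator cooling (SGC) and is asked regardless of SGC.
PSS_ORDER = ["OP_SGTR", "SGC", "BAF"]
# Heading order after the review's restructuring: SGC is asked first.
REVISED_ORDER = ["SGC", "OP_SGTR", "BAF"]


def pss_asked(event, outcome):
    """PSS logic: OP_SGTR and SGC are always asked; BAF only after SGC fails."""
    if event == "BAF":
        return outcome.get("SGC") == "F"
    return True


def revised_asked(event, outcome):
    """Revised logic: an SGC failure sends the operator to functional recovery
    (bleed-and-feed) before any SGTR diagnosis step is reached."""
    if event == "OP_SGTR":
        return outcome.get("SGC") == "S"
    if event == "BAF":
        return outcome.get("SGC") == "F"
    return True


def enumerate_sequences(order, asked, p_fail):
    """Walk the tree depth-first; return [(path, probability)], where path is a
    tuple of (heading, 'S' or 'F') for the headings actually asked."""
    sequences = []

    def walk(i, path, prob):
        if i == len(order):
            sequences.append((path, prob))
            return
        event = order[i]
        if not asked(event, dict(path)):
            walk(i + 1, path, prob)  # heading bypassed on this path
            return
        pf = p_fail[event]
        walk(i + 1, path + ((event, "S"),), prob * (1.0 - pf))
        walk(i + 1, path + ((event, "F"),), prob * pf)

    walk(0, (), 1.0)
    return sequences


def oa_credit_after_sgc_failure(sequences):
    """Probability mass of sequences that credit a successful SGTR response
    although SGC failed, i.e. a step the procedures would not reach."""
    return sum(p for path, p in sequences
               if ("SGC", "F") in path and ("OP_SGTR", "S") in path)


def undiagnosed_but_cooled(sequences):
    """Mass of sequences cooled by bleed-and-feed with no SGTR diagnosis step."""
    return sum(p for path, p in sequences
               if ("BAF", "S") in path and "OP_SGTR" not in dict(path))


def label(path):
    """Readable sequence name such as 'SGC-F BAF-S'."""
    return " ".join(f"{event}-{state}" for event, state in path)


if __name__ == "__main__":
    for name, order, asked in (("PSS ordering", PSS_ORDER, pss_asked),
                               ("Revised ordering", REVISED_ORDER, revised_asked)):
        seqs = enumerate_sequences(order, asked, P_FAIL)
        print(name)
        for path, prob in seqs:
            print(f"  {label(path):28s} {prob:.6f}")
        print(f"  SGTR response credited after SGC failure: "
              f"{oa_credit_after_sgc_failure(seqs):.6f}")
        print(f"  cooled by BAF, SGTR never diagnosed:      "
              f"{undiagnosed_but_cooled(seqs):.6f}")
```

With the operator heading first, part of the SGC-failure probability is carried on branches that assume a diagnosis the procedures never reach; with SGC first, those branches disappear and the bleed-and-feed path with an undiscovered SGTR appears explicitly.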

FIGURE 3.3 STEAM GENERATOR TUBE RUPTURE EVENT TREE

3.2.5 Steamline Break Upstream of the Non-Return Valves (NRVs) Event Tree

We have reviewed the steamline break upstream of NRVs event tree and find it to be a proper representation of plant response, with the possible exception of the assumption that CHR is required for these breaks. While this type of break will result in the blowdown of one steam generator into the containment, it is unlikely that the containment pressure will reach a level which could cause a problem. If the intact steam generators are isolated from the break and cooling is provided through these steam generators, there should be no additional steam added to the containment and therefore the pressure would remain relatively low. It appears, then, that for these scenarios the assumption of the need for CHR is conservative, although it should be noted that no best estimate analysis was provided. It does not appear, however, that this assumption has a significant impact on the analysis. Therefore, we will not change the event tree structure at this time. However, if our requantification indicates that the effect of the assumption is greater than it appears, this issue will be investigated further.

3.2.6 Steamline Break Downstream of NRVs Event Tree

We have reviewed the steamline break downstream of NRVs event tree and have found it to be a proper representation of plant response. It should be noted that the general findings discussed in Sections 3.1.3 and 3.1.4 apply to this tree and to all other transient trees discussed in the remainder of Section 3.2. This fact will not be repeated in the discussion for each event tree because there is no effect on the tree structure, as discussed in those sections.

3.2.7 Main Feedline Break Event Tree

We have reviewed the main feedline break event tree and have found it to be a proper representation of plant response.

3.2.8 Unisolated RCP Seal Leakage Event Tree

The unisolated RCP seal leak initiating event is not the same as the consequential RCP seal LOCA. The consequential RCP seal LOCA is generally caused by a loss of seal cooling to all four seals, as discussed in Section 3.1.2, which results in a flow rate in the small LOCA range. The unisolated RCP seal leak initiator refers to a random failure of a single seal which is not isolated by the operator. This failure results in a leakage flow rate of about 50 gpm, which is below the lower limit of the definition of a small LOCA. Thus, the general comments in Sections 3.1.1 and 3.1.2 do not apply to this event.

In general, the unisolated RCP seal leak event tree is a reasonable representation of plant response to the event. There is, however, one exception. The PSS assumes that success of the charging system and steam generator cooling is sufficient to mitigate the event. This is a reasonable assumption since steam generator cooling is sufficient to remove decay heat and, at 50 gpm, the RWST contains enough water to provide makeup through the charging system for over 30 hours (which is past the sequence cutoff of 24 hours). HPSI is also capable of providing this makeup from the RWST, but the RCS pressure must be lowered to do so. The method of lowering the RCS pressure depends on the actual systems available, and the particular case we are interested in is when charging has failed and steam generator cooling is available. As stated in the PSS and supported by the procedures, the preferred method of reducing RCS pressure in this case is by using secondary depressurization (steam generator blowdown). Logically, since all this method does is reduce pressure without causing additional loss of primary coolant, the plant response should be the same as when the charging system is operating. That is, the event is effectively terminated since the makeup required is about 50 gpm and the RWST capacity at that flow rate is over 30 hours. However, the PSS event tree treats this case in the same manner as the case where steam generator cooling fails, when the preferred method of cooling is bleed-and-feed. Thus, for both cases in the PSS, long-term (RHR) cooling and CHR are assumed to be required. This assumption is obviously conservative for the first case, where secondary depressurization is used. Therefore, the tree has been modified so that this conservatism is removed for that case. The revised tree is shown in Figure 3.4.

3.2.9 General Plant Transient Event Tree

We have reviewed the general plant transient event tree and have found it to be a proper representation of plant response.

3.2.10 Total Loss of Main Feedwater Event Tree

We have reviewed the total loss of main feedwater event tree and have found it to be a proper representation of plant response.


3.2.11 Loss of DC Bus 2 Event Tree

The only problem with the loss of DC bus 2 event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.5.

3.2.12 Loss of Offsite Power Event Tree

We have reviewed the loss of offsite power event tree and have found it to be a proper representation of plant response.

3.2.13 Loss of Offsite Power and MCC-5 Event Tree

The only problem with the loss of offsite power and MCC-5 event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.6.

3.2.14 Loss of Offsite Power and One Emergency Bus Event Tree

We have reviewed the loss of offsite power and one emergency bus event tree and have found it to be a proper representation of plant response.

3.2.15 Station AC Blackout Event Tree

The major problem with the station AC blackout event tree is with respect to its treatment of plant response to an RCP seal LOCA. It is assumed (reasonably for this plant) that a seal LOCA will occur if the blackout persists for over fifteen minutes. Thus, the general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response in the PSS would apply to this tree. The tree has been modified to take those findings into account.


FIGURE 3.6 LOSS OF OFFSITE POWER AND MCC-5 EVENT TREE

In addition to this, this tree is inconsistent with the other LOSP trees in two ways. First, when recovery of main feedwater following recovery of offsite power was considered in the other trees, two events appeared: OA-17 (operator cognitive decision to recover main feedwater), and RMF (mechanical and procedural failures in recovering main feedwater). These events were not included on the station blackout tree but were lumped together with the recovery of offsite power node since the failure to recover power was said to dominate the failure to recover main feedwater, in order to simplify the tree. Even if this were the case, this inconsistency is confusing. Additionally, highlighting cognitive errors by modeling them on the event trees is an important tool in understanding plant response and combining them with other events would be counterproductive. Therefore, the tree has been modified to specifically identify these events.

The second inconsistency is the consideration of a 15-minute recovery period for offsite power. This was included because of the 15-minute time period to prevent RCP seal failure, which requires offsite power. However, we would argue that if offsite power is recovered within fifteen minutes, it is almost as if the event had not occurred. That is, no adverse effects would have resulted from the LOSP (even including station blackout) other than a plant trip. Therefore, the initiating event LOSP should be redefined as meaning a LOSP of greater than 15 minutes duration (as has been done in other PRAs such as Millstone-3 PSS, where a 30-minute time period was used) and the initiating event frequency quantified to take that into account. LOSPs of less than 15 minutes duration should be considered "general transients." The tree has been modified to reflect this change. The revised event tree is shown in Figure 3.7.

FIGURE 3.7 STATION BLACKOUT EVENT TREE

3.2.16 Insufficient Flow of Service Water Event Tree

The major problem with the insufficient flow of service water event tree is the assumption that operator action is required to trip the reactor in order to prevent core melt. This is because it is assumed that much vital equipment would be lost due to overheating if the plant is not manually tripped. This assumption is extremely conservative and unrealistic. Even in the absence of a detailed analysis to determine what would fail and when the plant would trip, it is erroneous to assume such massive failures, especially when some of the failures involve systems which do not even require service water for cooling. Reasonably, one would expect that overheating failure of the condensate and main feedwater system would cause plant trip before other systems were damaged. Even using a conservative approach and assuming that all operating systems cooled by service water would be irreparably damaged, the only result would be unrecoverable loss of feedwater, loss of the air compressors, loss of the operating charging pump, and loss of the operating containment air recirculation units. Other components cooled by service water could be recovered if service water is eventually restored. Therefore, the tree has been modified to reflect the availability of the unaffected systems if only automatic reactor trip occurs.

Another comment is that no credit is given for bleed-and-feed cooling if AFWS fails. Granted, if service water is not eventually recovered prior to the need for long-term cooling, the use of BAF would serve only to delay core melt. However, this ability to extend the time of melt and credit for recovering service water within that time frame should have been considered. The tree has been modified to reflect this change.

The revised event tree is shown in Figure 3.8.

3.2.17 Loss of Control Air Event Tree

The only problem with the loss of control air event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.9.

3.2.18 Loss of MCC-5 Event Tree

The only problem with the loss of MCC-5 event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.10.


FIGURE 3.10 LOSS OF MCC-5 EVENT TREE

3.2.19 Total Loss of DC Event Tree

The major problem with the total loss of DC event tree is the assumption that a failure of the operator to control charging flow, which may result in a challenge to the SRVs, will result in a core melt. The PSS admits this is a conservative assumption since the SRVs may not be challenged at all. Our review has further concluded that the conservatism of the assumption is significant even if it is assumed that the SRVs do lift, since it is by no means certain that they will fail to reseat. It would appear that the only difference between the case in which the operator fails to control charging and the case in which he succeeds is in the conditional probability of a consequential LOCA. In the case of operator failure, excess flow-induced opening and failure of an SRV to reseat would yield a higher consequential LOCA probability. The tree has been modified to reflect this conclusion.

A cosmetic problem with the event tree results from the inclusion of events OA-14 and RDC, which address recovery of DC power. The PSS determined that DC power cannot be recovered due to plant unique design features, a conclusion with which we concur. However, that conclusion was not arrived at until after the tree was constructed, and the recovery events were not removed from the tree. We find this confusing, and have corrected and simplified the tree by removing these events. The revised event tree is shown in Figure 3.11.

3.2.20 Loss of DC Bus 1 Event Tree

The only problem with the loss of DC Bus 1 event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.12.

FIGURE 3.11 TOTAL LOSS OF DC POWER EVENT TREE (top events: E19, RT1, OA19, PIT, AF4, CHR)


3.2.21 Loss of Semi-Vital AC Event Tree

The only problem with the loss of semi-vital AC event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.13.

3.2.22 Anticipated Transients Without Scram Event Tree

We have reviewed the anticipated transients without scram event tree and have found it to be a proper representation of plant response.

3.2.23 Consequential Small LOCA Event Tree

The only problem with the consequential small LOCA event tree is with respect to the handling of plant response to small LOCA events. The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.14.

3.2.24 Consequential Steam Generator Tube Rupture (SGTR) Event Tree The problem with this event tree is similar to that with the random SGTR tree (Section 3.2.4). That is, the sequence of events with respect to operator action and the conditions which affect these actions is not properly represented. Once again, this is due to the nature of operator response to a failure of steam generator cooling (SGC). When SGC is successful, the procedures will cause the operator to take actions which will lead him to isolate the faulted steam generator secondary side and then eventually close the loop isolation valves. This sequence is properly represented on the event tree. However, when SGC is failed, the procedures will immediately set the operator on a course which will lead him to estab-lish bleed-and-feed cooling before he determines that a steamline break and SGTR exists. Only after he has done this will he proceed to isolate the faulted steam generator and primary loop. This sequence is not properly 3-29

. e .

. . , ' C..,.,

. ' k.... 7 i ., wi w.s.e,' .w, ,l . , o-..

~,,,

a-

.l=

ei.

t.i ui

, o

. . ' . 'I .y. p .

u is..r.

w

.i... 3. ,, . ..... m ;,

i e i ew c=

ui .. ..s .* v. .i t  ! c.c *i 4 v. i s.a I a,. I i

1  :== lE l ,tLS

, i.Iiat.

4s :4fi@.o.

st 38 tG.

s jus 3do m saios sA l

.s 'uso'G,.L&1C o.

I u sa.05 &

is uios.

y ul 1 i.

sC u.oO oO ,,

[ I s

u kno..ii so ..a A soGel>

9Ec 9.

ka too,il.&o.

2ioOe et D. L

.us io .

u . o. )

is.

i n..

i

,u

.m. n o ,*.o.

l ,u w =,o jui. n-

}43 04

~ g 'ss juia.coe.

s uiv.c o.

! U luie.ozo.3 s suiv.occ,uo a lui..oo i u ui =+i l s .o I sc s

C's pie.uo, c

.v.o ua us .

m ,u,. . oe iu.c.

us 4... ..c,.. ,ac e..

m

,=

g o.c, . e.

I

-s 4mw o i u l.uin . .

,s .u.

S.C

s. fuis o.;ane o.ao A.

ye u kuie e. m.* .*o.

ws

,. p..

paive

..s ss. nw i ,s kai. o.e .

I u-M lu = cc .c.c .,

fl W c4Cd.s'.

c<>

u iu.

g. pg+

. u. . u.. ect., co . i m ju.a e Foo oe .c i

c. 43r.

i s lu .r ..=

I i 'u k ..

I

,s

u

'b,..,,,.v.

u.

f is uis.o a  ;

,u. u.. ,

u uin ..

ui . .i.u n. . 9 s ut ..P co. .

jM u1 p i ;s ...,DS.,.

. l s

i u

),

. u i.e.no.c.

io o.

'u.c Mi i os

',uc mainwo,oca.,6 t

saw f

= ui .o.oo..i ,

. uin. ,

l s8 '43,1 9e,.c t

s 2 I' sg Jat.t.a SL 4E A S. '.9...d ao .

p tit.

sS '421 ecas ,.

1.o@

l I u .ui u .n.c< c.<*.o.

s nin oce..

,2 ital. .

[

.sg s

$'..e.. d,i.1.cce,.o.

.c.e.ve. .

I u ..oc. .

.s we.

.u n.co.

9ES

%5'n.cMD 9H .

'us

= u4 .w< ,. x ,...

,a on.c . .c.

,u r es.*

.o.

. , eL 3

to 19s.t...

}ui.i9 hi l ]ss

,s n, .. ,,.o.

I u u i ui..iu., u.a ,.

, e u,..w.

l u ui. w l !s .68 uie wo.A jao.itus e.c.

s m.w

,. ,ui..c .

u .u ., we, .

s ui. ..e u.

l I u tu .iw , wc. .

s w.

I us iu .. w.,..iui. w.,is

u gr. we. .n.o.
us u i .. w. . ..

u .o.

'9t C !u..

f fi.i w g.s.

u 4t2 ' ei s.a.o.

1 ua ter FIGURE 3.13 LOSS OF SCII 't!TAL AC EVENT TREE 3-30

FIGURE 3.14 CONSEQUENTIAL SMALL LOCA EVENT TREE

represented on the event tree. The solution is to move the SGC and bleed-and-feed events so that they occur before the steam generator/loop isolation events on the tree and to restructure the tree accordingly. This has been done and the revised event tree is shown in Figure 3.15.

FIGURE 3.15 CONSEQUENTIAL STEAM GENERATOR TUBE RUPTURE EVENT TREE

4.0 SYSTEM RELIABILITY ANALYSIS REVIEW

This section contains a preliminary review of the systems modeled in the Haddam Neck PSS. The primary intent of this review was to verify the accuracy and consistency of the system fault tree models. This effort included verifying the system fault tree logic and assessing the assumptions used to simplify the system models and their impact.

Consistency in the level of detail of the system models was also assessed. Of principal interest are the system dependencies modeled in the PSS; these include the dependencies between initiating events and the systems modeled. Finally, the fault tree models were reviewed to ensure that those faults which had been determined to contribute to the results of previous PRAs had been addressed.

Fault trees were provided in the PSS for the following systems:

  • DC Power System
  • AC Power System
  • MCC-5*
  • Semi-Vital AC*
  • Service Water System
  • Component Cooling Water System
  • Instrument Air System
  • Steamline/Feedline Isolation
  • Charging System*
  • Safety Injection Actuation System
  • High-Pressure Safety Injection System
  • Low-Pressure Safety Injection System

* Preliminary review contained in this report

Some systems (i.e., RPS, Power Conversion) were analyzed using methods other than fault tree analysis. The methods used to evaluate these systems also have been reviewed.

The review of each system fault tree in the Haddam Neck PSS will consist of a system description and a set of comments on the system model.

The system description will include a description of the system configuration, the system dependencies (as shown in a system dependency diagram), and the system success criteria. The comments are divided into two sets, those that may be significant and those that appear to be relatively minor observations. Significant comments deal with modeling assumptions, errors, and omissions that could affect the system quantification but not necessarily the dominant accident sequence quantification.

As a final note, this review is a review of the systems and fault trees against the descriptions contained in the PSS and not against the system P&IDs, control wire diagrams, etc. This information is not as yet available to the review team.

The fault tree models supplied in the PSS are mostly reduced fault trees that contain what Northeast Utilities has determined to be the majority of the dominant system faults. These fault trees have been developed to the component level (pumps, valves, relays, sensors, etc.) which in some cases have been recombined into developed events which were used in the reduced system fault trees. Some of the simpler (smaller) system fault trees have been included in their entirety. Because of the different levels of reduction in the fault trees, comments about the consistency of the fault tree analysis, especially concerning the level of detail and the completeness of the analysis, are not possible. Comments are restricted to comments about each system analysis as opposed to the system analysis process.

Some human errors are evaluated in the system fault tree analysis. Those human errors that are the result of manipulative actions or that occur prior to an initiating event are included in the system fault trees. These types of errors include failure to restore equipment after test or maintenance and errors committed during maintenance. Many human errors are incorporated directly into the event trees. These are primarily the cognitive human errors or those involving recognition of what is happening and of the actions necessary to respond to the situation.

System interactions are primarily modeled through the use of a support state methodology. Each of the front-line systems, as determined by the event tree analysis, and the support systems are evaluated (quantified) for various combinations of support system successes and failures. The system dependencies are not explicitly modeled on each system fault tree; for example, the emergency AC power system requires service water cooling for the diesel generators. The emergency AC power system fault tree is quantified once assuming that the service water system is available and a second time assuming the service water system is unavailable. In the second case those components that need service water cooling in order to operate are assumed to have failed.

As a result of the use of the support state methodology, the system fault trees are intended to be completely independent of each other.

System boundaries are defined so that components are modeled in one system only.

4.1 AC Power System

4.1.1 System Description

The normal configuration of the AC power system is to have each of the power divisions aligned to separate offsite power sources. On the loss of one offsite power supply, the affected train is automatically switched over to the remaining power supply. In the event that both offsite sources are lost, each AC power division is loaded onto one of two emergency diesel generators. The support systems required for operation of the emergency AC power system are shown in the system support diagram in Figure 4.1.

Fault trees were constructed for the failure of one of the two emergency AC buses and for the failure of both emergency AC buses. Fault trees were also constructed for the loss of power (either with or without offsite power) at particular 480V buses and MCCs. Common cause failure of the diesel generators is included in the fault tree for the loss of both AC trains.

Figure 4.1. AC Power Dependency Diagram.

4.1.2 Comments

The load shed logic for disconnecting the plant electrical system from the offsite sources and the emergency 480V buses from those that are load-shedded is not explicitly modeled. The breakers that must open would not be tested except during refueling outages and could affect the probability of failure of one or both AC power trains.

In modeling the diesel generator faults the analysts included the failure of the output breaker to close as part of the diesel generator fault. Based on the manner in which some faults are quantified (the manual loading circuitry is assumed never to be tested), it would appear that the output breaker is tested only during refueling outages. Inclusion of this failure in the diesel generator faults would not be appropriate if this is indeed the case.

The need for room ventilation is not discussed in the PSS. Some ventilation may or may not be required in addition to the service water cooling that is required.

4.1.3 Other Observations

Maintenance failures were modeled for the diesel generators, but due to the use of reduced fault trees it is difficult to tell if maintenance faults were handled properly.

Only one train of AC power has been modeled completely; the second is assumed to be identical to the one modeled. It is therefore not possible to determine if any common cause failures exist in the control logic.

When using a Bayesian data update technique, it is probably not appropriate to combine the diesel generator faults and the control logic faults, for components that are tested monthly, into a single failure mode as was done in the PSS. Generic diesel generator failure data does not include the control logic faults. However, logic components tested monthly should not significantly affect the availability of the emergency AC power system.

4.2 MCC-5 and Semi-Vital AC Power

4.2.1 System Description

Both MCC-5 and semi-vital AC power are subsets of the AC power system. Due to the importance of the consequences of losing either bus, as a failure following an initiating event or as initiators, these portions of the AC power system were discussed separately from the remainder of the AC power system.

The success criterion for both of these buses is to provide power to their respective loads. The semi-vital AC power supply is fed directly from MCC-5 through two stepdown transformers. These normal and emergency power supplies are interlocked through an automatic bus transfer. MCC-5 has two possible sources of power; bus 8 (via bus 1-5) is the normal supply, and bus 9 (via bus 1-6) is the alternate source of power. An automatic transfer from bus 1-5 to bus 1-6 occurs when power to bus 1-5 is lost. The system dependencies for these two portions of the AC power system are shown in Figure 4.2.

4.2.2 Comments

The major comments for these systems deal with the model used to evaluate the frequency of a loss of MCC-5 as an initiator. First, operator action to recover MCC-5 before a plant trip occurs is allowed in the model for MCC-5 as an initiator. No such credit is allowed for the recovery of semi-vital AC. Since the loss of MCC-5 causes the loss of semi-vital AC, there should be more consistency in the treatment of these two events.

The model fails to consider a spurious closure of the alternate feed breaker to MCC-5 while MCC-5 is energized. Such a failure could result in a loss of both supplies to MCC-5 and a subsequent plant trip. WASH-1400 uses one value for spurious transfer, open or close, of a breaker. Using this data, the frequency of the loss of MCC-5 initiator would nearly double, increasing to 2.8E-2/yr from the PSS value of 1.4E-2/yr.

Figure 4.2. Semivital AC and MCC-5 Dependency Diagram.

4.2.3 Other Observations

The fault tree model did not include maintenance failures on the alternate power supply to MCC-5. Since this power source is not normally energized, maintenance and failure to restore after maintenance are possible failure modes. The contribution of such errors should not be significant.

4.3 DC Power System

4.3.1 System Description

The DC power system is a two-train system. Each train consists of a battery charger, a battery, and a distribution switchboard. During normal operation the system is powered from the AC power system via the battery chargers. On a loss of AC power the batteries become the source of DC power. Successful operation of the system has been defined as supplying power to the DC buses, from either power supply, for a minimum of 9 hours.

Fault trees were developed for five situations: loss of either DC bus following an initiating event, loss of either bus as an initiator, or loss of both buses as an initiator. No fault tree was developed for the loss of both buses following an initiating event since it was judged that the two trains of power were sufficiently independent that the probability of a failure of both trains is the product of the failure probability of each.

The system dependencies are shown in Figure 4.3.

4.3.2 Comments

A test interval, and therefore detection interval, of one week was used for all battery faults. This interval is based on plant-specific test procedures used at Haddam Neck. However, the procedures do not appear to differ enough from industry norms to warrant such a reduction in the detection interval for all battery faults, some of which will go undetected until the batteries are demanded either during a plant transient or a load test. Use of a longer detection interval would seem to be more appropriate for at least some of the battery faults.

Figure 4.3. DC Power System Dependency Diagram.

Common cause faults for the batteries are not considered in the PSS. The utility claims their maintenance practices would eliminate all possible common cause faults. Data on common cause battery faults is limited, but there are indications that not all battery common cause faults are maintenance, i.e., human faults. The claim that common cause faults can be completely eliminated through good maintenance practices appears to be overly optimistic.

In evaluating battery faults it is assumed that 14% of all battery faults would result in a loss of a DC bus as an initiating event. These are the faults deemed severe enough to cause battery charger instabilities and trips. Northeast Utilities admits this is a highly uncertain number and variations would affect the frequency of a loss of DC power.

4.3.3 Other Observations

As with the diesel generator output breakers, the battery charger breakers have been assumed to be part of the battery chargers. However, due to the configuration and function of these breakers, their failure should not be a significant contributor to DC power unavailability.

4.4 Steamline/Feedline Isolation

4.4.1 System Description

Steamline or feedline isolation is required for three types of events: a steamline break, a feedline break, or a steam generator tube rupture. Feedline breaks require feedline isolation only; of one feedline if the break is downstream of the common feedwater header, or of all four main feedlines if the break is between the feed pumps and the common header. Steam generator tube ruptures require isolation of both the steam and the feed lines to the affected steam generator. Steamline breaks require isolation of all four steamlines for breaks downstream of the non-return valve, or isolation of the steam and feedlines to the affected steam generator for breaks upstream of the non-return valve.

Depending upon the type of break, the isolation may be either automatically or manually initiated. Feedwater isolation is automatic on a steam generator tube rupture, but steamline isolation is completely manual. Feedwater breaks must be manually isolated. Steamline breaks should generate an automatic isolation signal, although the feedwater isolation in response to a steamline break, if required, is manual.

The components used to isolate the breaks include feedwater bypass valves, main feedwater isolation valves, non-return valves (steamline) and the main steam trip valves (MSTV). Depending on the location of the break, local manual isolation actions may be possible; a steam generator tube rupture, for example, could be manually isolated locally.

System dependencies for the steamline/feedline isolation are shown in Figure 4.4.

4.4.2 Comments

For the case of a steamline break downstream of the non-return valve and a loss of DC bus 1, the PSS lists the dominant cut sets as combinations of valve failures and actuation logic failures. Combinations of solenoid valve failures and failure of the feedwater bypass valve (due to the DC power failure) are not listed. These faults produce a system failure probability about 10% greater than the failure probability listed in the PSS (9.9E-2 versus 9.1E-2).

4.4.3 Other Observations

In the PSS it is assumed that a loss of service water results in a loss of isolation capability due to failures resulting from the loss of control air. However, control air is not lost automatically on the loss of service water. This conservative assumption affects the importance of this system only in those support states where service water is unavailable. The resulting overall sequence frequency (initiator, loss of service water, system failure) is very small.

For a steamline break upstream of the NRV, one steam flow sensor may not see a high-steam flow condition, depending on sensor location and type and the break location. In the event of a loss of DC bus 2, this means that a high-steam flow signal may not be generated even if there are no further component failures. This occurs if the break affects the output of a sensor that, through the vital AC bus, is powered from DC bus 1. As in the previous comment, the combined impact of initiator frequency, support state split fraction, and system unavailability is very small, so this is not a significant omission.

(1) Required only for automatic actuation which occurs only for an SGTR.

(2) Vital AC - 4 panels: 1 and 2 are powered from DC 1; 3 and 4 are powered from DC 2.

(3) Loss of support system results in MSTV closure and isolation.

(4) Train of DC power required depends on which SG loop is affected.

(5) Required for automatic isolation only.

Figure 4.4. Steamline/Feedline Isolation System Dependencies.

In the quantification of the operator response to an SGTR, a feedline break or a steamline break, all actions required of the operator once he has identified the event are assigned a value of 0.0. While we recognize that the human error probability will be dominated by the cognitive decision-making errors, the remaining potential human errors are not non-existent. However, they are most likely small and should not significantly affect the system unavailabilities.

4.5 High Pressure Safety Injection (HPSI) System

4.5.1 System Description

The HPSI system consists of two redundant trains. Success criteria include one of two HPSI trains if three of three unfaulted injection loops are available or two of two HPSI trains if two of three unfaulted injection loops are available. (It is assumed that the HPSI system is required after a pipe break, and that the pipe break occurs in one of the four injection paths, leaving three unfaulted paths.) During an emergency, the HPSI system automatically starts upon receiving an actuation signal from the safety injection actuation system. The HPSI pumps require DC power to start, and 4160V AC to run. And finally, MCC-5 provides motive power to open the MOVs on the injection loops. Figure 4.5 shows the support systems required for HPSI operation.

4.5.2 Comments

In general, the model developed for the HPSI system is adequate for system analysis purposes.

Maintenance faults were handled in an inconsistent manner in the HPSI system. The same probability was used to represent the maintenance unavailability due to pump A or pump B being in maintenance and for the maintenance unavailability of pump A alone. The PSS treatment either overstates the contribution of the maintenance unavailability of one pump train coupled with the random failure of the second pump train, or understates the maintenance contribution to system failure when both HPSI pumps are required to operate. (Some clarification of the maintenance data given in the PSS data section is required before the uncertainty regarding the impact of the maintenance modeling error can be eliminated.)

(1) If 3 of 3 injection loops are available this is an "and" gate. If 2 of 3 injection loops are available this is an "or" gate.

NOTE: PAB ventilation may be needed but this dependency is not modeled for short term use of the HPSI system.

Figure 4.5. High Pressure Safety Injection System Dependency Diagram.

Common cause failure of the HPSI pumps to start was not considered in the PSS. Only common cause failures to run were considered. Some preliminary analysis shows that the common cause failure to start probability (including command faults) would be two orders of magnitude larger than the common cause failure to run and would increase the system failure probability by almost 10%.

4.5.3 Other Observations

The HPSI system takes suction from the RWST. However, this suction path was not considered in the analysis of the HPSI system. This suction path appears to be normally open (i.e., no closed valves) but failures on this flow path may or may not affect other systems. This omission probably does not significantly impact the system failure probability.

In the PSS it is stated that the PAB ventilation may be required for HPSI, LPSI, and charging system operation but the failure probability of this ventilation system is so small that it would be a negligible contributor to the system failure probabilities. Based on our understanding of the PAB ventilation system operation and the layout of the equipment in the PAB, ventilation may not be required for the short-term operation of the HPSI, LPSI, and charging systems. Even if ventilation is required, not modeling the PAB ventilation system in the HPSI, LPSI, and charging systems does not appear to impact the quantification of these systems' failure probabilities.

4.6 Low Pressure Safety Injection (LPSI) System

4.6.1 System Description

The LPSI system consists of two redundant pump trains and four core deluge valves. The LPSI system is activated upon receiving an actuation signal from the safety injection actuation system (SIAS). The LPSI pumps require DC power to start and AC power to operate. MCC-5 is also required to provide motive power to the MOVs (or core deluge valve). Figure 4.6 shows the system dependencies for the LPSI system.

4.6.2 Comments

In general, it appears that Northeast Utilities has performed an acceptable analysis of the LPSI system. We have no significant comments on the analysis.

4.6.3 Other Observations

Review of the LPSI system description indicates that the LPSI pumps draw suction from the RWST. However, there is no mention of how it was accomplished or of what component was required. As in the HPSI system, this omission should not significantly affect the quantification of the system failure probability since the flow path is tested monthly and the valves are probably normally open.

The fault trees are intended to be independent of each other. However, we found that failure of a single relief valve will cause failure of the LPSI system and also of the RHR system. (This valve is located on a pipe segment common to the suction lines of the LPSI and RHR systems.) A review of the event trees indicates this system dependency would not have any impact on the sequence of event level and therefore is not significant.

NOTE: PAB ventilation may be required but this dependency is not modeled for the short term use of the LPSI system.

Figure 4.6. Low Pressure Safety Injection System Dependency Diagram.

4.7 Residual Heat Removal (RHR) System

4.7.1 System Description

The RHR system consists of two redundant pump trains. Each RHR pump requires DC power to start and 480V AC power to run. The RHR system is dependent on service water to provide heat removal operation (indirectly through the component cooling water (CCW) system except during LOCA conditions, where the RHR heat exchangers are cooled directly by the service water system). It also depends on the Semi-Vital AC to provide the power to operate the pressure interlock between the RHR system and the reactor pressure. MCC-5 controls the operation of the MOVs contained in the RHR system, while PAB ventilation will provide cooling to the RHR pumps. System dependencies are shown in Figure 4.7.

4.7.2 Comments

In the analysis of the long term cooling mode for the RHR system, Northeast Utilities does not give credit to the "core deluge valves" as an alternate path for the RHR system injection. This means of injecting water into the core is used in other low pressure applications of the RHR system. This apparent omission results in a significantly increased RHR system unavailability in the long term cooling mode. The dominant faults in the fault tree for this RHR mode of operation are listed as a failure of the suction or discharge valves. Crediting an additional injection path would effectively eliminate half of the system cut sets.

4.7.3 Other Observations

There is no discussion of the possibility of one RHR heat exchanger being out of service due to maintenance at the same time the other heat exchanger fails to work due to mechanical or valve alignment failure.

Due to the use of an undeveloped event in the fault tree structure, we are unable to review the faults of the PAB ventilation system.

(1) Heat Exchanger Cooling is provided by Component Cooling Water System under normal conditions; Service Water in post LOCA conditions.

Figure 4.7. RHR System Dependency Diagram.

4.8 Charging System

4.8.1 System Description

The charging system is comprised of two redundant pump trains (A and B) and a metering pump which is capable of providing about 30 gpm for RCP seal cooling. This system is designed not only to provide RCP seal cooling, but also to be used as a high-pressure injection system after a LOCA. Thus, in the RCP seal cooling mode, the charging system requires CCW, semi-vital AC (SV) and Control air (Air) to maintain a normal flow path to and from the charging system and heat removal. MCC-5 provides motive power to MOVs which can be opened as an alternate path when the normal flow path is not available. The success criterion for the charging system in this mode of operation is one of three pumps. DC Bus 1 and AC Bus 2 (via 480V-AC Bus 4) provide power for the startup and operation, respectively, of the metering pump. For charging pumps A and B, DC buses are required for starting and AC buses for running the pumps. In addition, lube oil is also required to provide cooling to the charging pumps. Lube oil pumps require component cooling water (CCW) for heat removal, and either MCC-5, which provides motive power to the main lube oil pump, or AC Bus 9 (via MCC-8) for the auxiliary lube oil pump.

In the injection mode, the success criterion for the charging system is one of two charging pumps providing injection flow. The charging system is activated when it receives an actuation signal from the safety injection actuation system (SIAS). MCC-5 is required to provide motive power to the MOVs on the injection flow path. For the charging pumps, all dependencies are the same as described previously and shown in Figure 4.8.

4.8.2 Comments

A review of the "charging system fault tree for vessel make-up after a loss of MCC-5, Control Air or Semi-vital AC" indicates that Northeast Utilities has omitted the system unavailability contribution due to failure of a check valve on the charging system suction line from the RWST. In this case, the valve failure probability should increase the system unavailability value from 5.3E-3 to 7.3E-3. This represents a 38% increase in the system unavailability. Due to this significant impact on the system reliability, it is recommended that this fault be included in the above fault tree.

(1) MCC-5 and AC power train powered from Bus 8 or 9 supply power to the charging pump lube oil pumps. The loss of MCC-5 alone will not fail the lube oil pumps.

Figure 4.8. Charging System Dependency Diagram.

4.8.3 Other Observations

In the same fault tree discussed in the above comment, the system unavailability value obtained for the "loss of offsite power, one DC Bus, and one AC Bus" support state was 4.4E-2. However, if loss of the DC Bus is on a stand-by charging pump (Pump B), and loss of the AC Bus is on the normal running pump (Pump A), then Pump A will trip on LOSP (since the DC Bus is available on this pump) but cannot be returned to operation since there is no AC power, and Pump B cannot be started (no DC power). As a result, both charging pumps will be out of service and therefore fail the charging system. Thus, the unavailability of charging system should be 1.0 in this case.

The above observation should also apply to the fault tree illustrated for charging system injection following a small LOCA.
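The support-state argument above can be checked mechanically. The following is an added illustration, not part of the PSS or of the original report: it evaluates a two-pump fault tree for each way of losing one DC bus and one AC bus after a loss of offsite power. The train labels (DC_A, AC_A, DC_B, AC_B) and the 0.05 pump failure probability are assumptions made for the example.

```python
from itertools import product

# Hypothetical random failure probability of one charging pump
# (constructed value for illustration; not taken from the PSS).
Q_PUMP = 0.05

# After a loss of offsite power each charging pump must be (re)started,
# so it needs its own train's DC bus to start and AC bus to run.
# Train labels are placeholders, not the plant's bus designations.
PUMP_SUPPORT = {
    "pump_A": {"DC_A", "AC_A"},
    "pump_B": {"DC_B", "AC_B"},
}

# Success criterion is one of two charging pumps, so the top event
# (system failure) is an AND gate over the two pump failures.
CHARGING_TREE = ("AND", "pump_A", "pump_B")


def basic_event_probability(event, lost_support):
    """Failure probability of one pump in a given support state.

    Support-state rule: a component that needs an unavailable
    support system is assumed to have failed (probability 1.0).
    """
    if PUMP_SUPPORT[event] & lost_support:
        return 1.0
    return Q_PUMP


def evaluate(tree, lost_support):
    """Top-event probability for a tree of independent basic events."""
    if isinstance(tree, str):
        return basic_event_probability(tree, lost_support)
    gate, *children = tree
    probs = [evaluate(child, lost_support) for child in children]
    if gate == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if gate == "OR":
        survive = 1.0
        for p in probs:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate: {gate}")


def one_dc_one_ac_states():
    """Unavailability for every 'one DC bus and one AC bus lost' alignment."""
    return {
        (dc, ac): evaluate(CHARGING_TREE, {dc, ac})
        for dc, ac in product(["DC_A", "DC_B"], ["AC_A", "AC_B"])
    }


def guaranteed_failure_states():
    """Alignments in which the charging system is failed with certainty."""
    return sorted(s for s, q in one_dc_one_ac_states().items() if q == 1.0)


if __name__ == "__main__":
    for state, q in one_dc_one_ac_states().items():
        print(state, q)
```

When the lost DC bus and the lost AC bus belong to the same train, only one pump is disabled and the result is the other pump's random failure probability; when they belong to opposite trains, both pumps are disabled and the result is 1.0.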

According to the simplified diagram of the charging system, there exists an alternate return path to the Volume Control Tank (VCT) (through relief valve CH-RV-332) when the normal return path (through air-controlled valve CH-TV-334) fails. Failure of the relief valve on this alternate return flow path will prevent cooling flow to the RCP seals if the normal return flow path has failed. This failure was not modeled in the system fault trees. A review of the system indicates that the impact of the failure of the relief valve on the system unavailability is negligible.


5.0 SUMMARY OF OTHER REVIEW WORK IN PROGRESS

In addition to areas of the PSS that have been reviewed and are discussed in this interim report, several other sections of the PSS are currently going through different stages of the review process. These include:

1. Component data and reliability analysis
2. Human reliability analysis
3. Review of the plant LERs
4. Quantification

With respect to the quantification, we are currently in the process of putting all the Haddam Neck event trees, including different support states, into an SAIC computer code called the Risk Management Query System (RMQS) (12). This code consists of a data base and update capabilities to modify and extract information from the data base. The data base maintains the plant risk model, which could include event trees, fault trees, and risk measurement factors. The updating capabilities of this code allow any modification to the risk model and provide the revised set of information about the plant risk.

The objective of this task is first to duplicate the core melt frequency of the plant as modeled in the PSS. This would provide an independent check on the PSS quantification process and verify the correctness of the model that has been put into the code. The second objective of this task is to modify the PSS model based on our revised event trees and changes to the frequency of initiating events, system fault tree models, component failure data, and human error probabilities produced as a result of the review.

The revised PSS model would then be used to generate the dominant accident sequences, their frequencies, and the total core melt frequency associated with the operation of the plant. This will be followed by an assessment of areas of plant vulnerability due to potential hardware, human error, or procedural problems at this plant.


6.0 REFERENCES

1. "Connecticut Yankee Probabilistic Safety Study," Northeast Utilities Service Company, NUSCO 149, February 1986.
2. "Millstone Unit 3 Probabilistic Safety Study," Northeast Utilities Service Company, August 1983.
3. "Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400 (NUREG-75/014), October 1975.
4. Memorandum for D.G. Eisenhut, NRC, from T.E. Murley, NRC, Subject: Reactor Coolant Pump Seal Failure, nd.
5. "NRC Integrated Program for the Resolution of Unresolved Safety Issues A-3, A-4 and A-5 Regarding Steam Generator Tube Integrity," April 1985.
6. ATWS: A Reappraisal, Part: Frequency of Anticipated Transients, EPRI NP-2230, January 1982.
7. "Interim Reliability Program Procedures Guide," NUREG/CR-2728, SAND 82-1100, January 1983.
8. Stevenson, J.A. and C.L. Atwood, "Common Cause Fault Rates for Valves," NUREG/CR-2770, EGG-EA-5485, February 1983.
9. Kelly, Glenn, USNRC, Private Communication, June 1986.
10. "Millstone Unit 1 Probabilistic Safety Study," Northeast Utilities Service Company, NUSCO 147, July 1985.
11. "Best Estimate LOCA Analysis," Northeast Utilities Service Company, NUSCO 150, February 1986.
12. Riley, J.E. and B.F. Putney, "The Risk Management Query System (RMQS)," Proceedings of the Annual Reliability and Maintainability Symposium, p. 358, January 1986.
