ML20212Q772

Nonproprietary Amend 1 to RESAR-SP/90 Preliminary Design Approval Module 16, Probabilistic Safety Study
Site: 05000601
Issue date: 08/31/1986
From: WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
Shared Package: ML19292F839
References: NUDOCS 8609080038


Text

WESTINGHOUSE CLASS 3

AMENDMENT 1 TO RESAR-SP/90 PDA MODULE 16 "PROBABILISTIC SAFETY STUDY"

8609090038 860825 PDR ADOCK 05000601 K PDR

WAPWR-PSS AMENDMENT 1 AUGUST, 1986

AMENDMENT 1 TO RESAR-SP/90 PDA MODULE 16 "PROBABILISTIC SAFETY STUDY"

INSTRUCTION SHEET

Insert complete package behind Questions / Answers tab.

ENCLOSURE 1

Questions Resulting from Review of RESAR-SP/90, Module 16, Volumes 1 & 2

A. Modeling

720.1 Some internal initiating events (IEs) that were significant in other similar studies (e.g., Millstone 3 PSS) are not addressed in the SP/90 PSS. Please provide the basis for disregarding the following initiators:

- loss of dc power (partial and total),

- loss of instrument and control power, and

- loss of instrument air.

These events are often described as common-cause initiators because, in addition to causing a reactor trip, they may also impair the operability of systems required to recover from the trip. The inclusion of these events in the fault trees, when using a large event tree approach, is equivalent to accounting for a common event appearing n times as n independent events, leading to an underestimation of the sequence frequencies. This is true of dc power for example, if in fact loss of dc leads to a trip. Similarly, if 120-V ac vital bus power is lost, several major safety systems would be affected in ways which have not been treated explicitly. It is not clear that this initiating event is negligible for APWR either. It is our impression that loss of instrument air will not affect the APWR as strongly as it affects certain other plants, but this needs to be confirmed.

For example, dc bus unavailability appears in the system fault trees. In a fault tree linking approach, the multiple effects of a loss-of-dc initiating event can straightforwardly be assessed. In the large event tree approach used in the submittal, the corresponding calculation would involve development of a support state corresponding to a loss of a given dc bus, and computation of branch point probabilities conditioned on this support state. It is our impression that the submittal has chosen not to do this, in the belief that these sequences are negligible in the context of a plant with extremely low overall core damage frequency.

RESPONSE

During this preliminary design PRA, the initiators mentioned in the Question were not explicitly addressed. However, the loss of DC power initiator is discussed on page 1-3 of the module and is deemed to be bounded by the loss of AC power events, which are much more likely to occur. Also, on loss of only one train of DC power, or instrument and control power, the plant is designed not to trip. Note that the T/D EFW pumps and the BSIP are independent of plant DC power, instrument air and control power.
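The quantification issue raised in 720.1, worked through numerically as an added example; it is not part of the NRC questions or the Westinghouse submittal. The three-system layout, all frequencies and probabilities, and the function names are constructed for illustration only.

```python
"""Shared dc bus counted once per system fault tree versus treated as a
support state. All numbers below are constructed, not taken from the PSS."""
from math import prod


def system_unavailability(p_hw, q_dc):
    """One front-line system: fails on its own hardware fault OR when the
    shared dc bus is unavailable (the bus appears in its fault tree)."""
    return 1.0 - (1.0 - p_hw) * (1.0 - q_dc)


def seq_freq_independent(f_ie, p_hw_list, q_dc):
    """Large event tree quantified by multiplying system unavailabilities.
    The single dc bus is implicitly treated as n independent events."""
    return f_ie * prod(system_unavailability(p, q_dc) for p in p_hw_list)


def seq_freq_support_state(f_ie, p_hw_list, q_dc):
    """Branch probabilities conditioned on the dc support state:
    bus lost -> every dependent system fails; bus available -> only
    independent hardware faults can fail the systems."""
    bus_lost = q_dc * 1.0
    bus_available = (1.0 - q_dc) * prod(p_hw_list)
    return f_ie * (bus_lost + bus_available)


def seq_freq_dc_initiator(f_dc_loss, p_independent_list):
    """Loss of the dc bus as the initiating event itself: dependent systems
    are failed with certainty, so only systems that do not need dc power
    remain as mitigation."""
    return f_dc_loss * prod(p_independent_list)


def compare():
    """Run the constructed case and return the three sequence frequencies."""
    f_ie = 1.0                    # transients per year (constructed)
    p_hw = [1e-3, 1e-3, 1e-3]     # hardware unavailability per system (constructed)
    q_dc = 1e-4                   # dc bus unavailability (constructed)
    independent = seq_freq_independent(f_ie, p_hw, q_dc)
    support = seq_freq_support_state(f_ie, p_hw, q_dc)
    # dc loss as initiator, mitigated by two dc-independent systems (constructed)
    initiator = seq_freq_dc_initiator(1e-2, [5e-2, 1e-1])
    return {
        "independent": independent,
        "support_state": support,
        "underestimation_factor": support / independent,
        "dc_initiator": initiator,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value:.3e}")
```

With these constructed inputs the multiplied-unavailability result is dominated by the cube of the per-system value, while the support-state result is dominated by the single bus failure, which is the underestimation the reviewer describes.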

720.2 Some combinations of events which have been considered significant in other similar studies, like

- sticking open SRV(s) following station blackout, and

- ATWS in conjunction with SGTR,

apparently were not addressed in SP/90 PSS.

A secondary break or stuck-open SRV in conjunction with a blackout is relatively unlikely; on the other hand, this sequence may overcool the primary system leading to a potential of recriticality. Safety injection is required to provide boration but is not available due to station blackout. It is not clear that this sequence is negligible, compared to the other sequences included in the study. Please provide justification for excluding these combinations of events from the SP/90 PRA.

RESPONSE

The double failure events mentioned in this question are not discussed in the module. These events are highly unlikely to occur. For example a station blackout followed by secondary side PORVs (DC powered) failing to open, leading to the challenge to the SRVs and failing of the SRVs to reseat is highly unlikely. Even if it happens and leads to a low power level recriticality, relatively long time periods exist before severe core damage would occur. The BSIP will slowly borate the plant and the operator can take actions to stop the excessive heat removal and allow the plant to heat up and return subcritical.

720.3 The probability of an Interfacing systems LOCA causing a break outside containment was calculated as 5.8x10^-3. Provide the analysis developed to justify the low failure probability of the RHR suction lines outside containment when exposed to the nominal RCS pressure (2250 psia).

RESPONSE:

In case of an interfacing systems LOCA, the flow is naturally directed into the EWST through the normally open sump line MOV (9007A). Note check valve (9008A) shown in RESAR-SP/90 Module 1, "Primary Side Safeguards System", has been removed. Thus the ISS piping will not experience a 2250 PSI pressure. Even then, page 4-15 shows that we considered that there was some chance that the pipe might fail as well as the MOV might be misaligned.

720.4 How is long term cooling (LTC) quantified for the following initiating events (IEs):

- steam generator tube rupture (SGTR),

- large secondary side break (SSB),

- ATWS, and

- loss of auxiliary cooling?

Also, in the transient event tree where q=0 for LTC (p. 3.12-1) why are success / failure branches of LTC included in sequences where secondary cooling is successful? In the ATWS event tree these branches are not included. Please explain. Furthermore, what are the values of LTC1, LTC2, and LTC3 for these event trees?

RESPONSE

When the long term cooling period is reached, the plant is stabilized and does not have a memory of the initiating event. So only three types of long term cooling success criteria are defined and used for transients (where EFWS is used LTC1); situations involving RHR cooling without depending on the CCWS due to operation of fan coolers (LTC2), and using RHR cooling with dependence on CCWS when fan coolers fail (LTC3).

The LTC node is left in some branches of the transient tree even though it is not utilized, because the event tree was originally constructed in that way.

The event trees mentioned in the question use the LTC2 and LTC3 values whenever applicable.

720.5 Turbine Trip (TT) or MSIV closure are important in ATWS sequences. Why is the heading Turbine Trip (TT) or MSIV closure not included in the ATWS event tree? Does SP/90 have an anticipatory TT logic for ATWS scenarios?

RESPONSE

The ATWS event trees of previous Westinghouse PWR PRA studies were taken for turbine trip and closure of the MSIVs, these nodes did not appreciably affect the dominant failure sequences in the ATWS tree. Thus, in this study, the ATWS tree was trimmed by effectively assuming that turbine trip or MSIV closures may not occur.

720.6 For the SSB and SGTR initiators, it is appropriately stated that no credit is taken for operator actions in the success of safety injection (SI1). Therefore, the unavailability of SI1 should be 1.8x10^-5 (SS2) in these event trees. The sequence #15 in the SSB event tree, which is SSB and failure of SI1, should have a probability of 8x10^-4 x 1.8x10^-5 = 1.44x10^-8. This would rank this dominant accident sequence (DAS) as #12 and not as #37, as shown in Table 4.3.1. Similarly, the sequence #31 in the SGTR event tree, which is SGTR, failure of safety injection, and operator fails to stabilize, should have a probability of 3.1x10^-2 x 1.8x10^-5 x 1x10^-2 = 5.58x10^-9. This would rank this DAS as #20 and not as #42, as shown in Table 4.3-1.

RESPONSE

We agree with the discussion in this item. However, we would like to point out that not using operator actions is a very conservative assumption and even a 50-50 chance of an operator action to seek another feed and bleed action would further reduce these sequences.

720.7 What considerations have been included in the new design of the emergency water storage tank (EWST)? Is it possible to have overflow conditions due to extra inventory from the accumulators, core reflood tanks, and RCS (Reactor Coolant System) under large LOCA? If so, are there components inside the containment that may be affected?

RESPONSE:

The worst case where all water sources dump into the EWST has been considered in the design process. Maximum flood level has been calculated and it was found that no critical components are affected (flooded).

720.8 If there is a break outside containment in the RHR suction line, or HHSI suction line the EWST inventory may be depleted if the MOVs are not closed. Can neglect of these sequences be justified?

RESPONSE

Probability of passive pipe breaks coupled with MOV failures during an event which requires SI is deemed to be very unlikely, e.g. at the order of E-09.

720.9 Please discuss the significance of inadvertent opening of the valves in the steam generator overfill protection system.

RESPONSE

Such an event is classified as a small secondary line break, as discussed on page 1-5. Note that a block valve is present so that such a break is isolable.

720.10 For a steam generator tube rupture initiating event, it is possible to have stuck open secondary PORVs or safety valves. It appears that these sequences were not included in the analysis. Can neglect of such sequences be justified?

RESPONSE:

The PORV's and SRV's will not be challenged unless the condenser is not available. If the condenser is unavailable, the PORV's will be challenged first, however, they have automatic block valves. The SRV's will only be challenged if the PORVs fail to open. The frequency of such a combination of events is very low.

720.11 Please provide a revised heat load table for the SW-CCW system including component identification (more specific than just the component type). In addition, if module 13 for auxiliary system is available, please provide it. Otherwise, provide P&ID diagrams of the SW-CCW system and other information required to complete the review of the SW-CCW system fault tree.

RESPONSE

The revised heat load tables for SW and CCW systems are given by Attachments A and B. Also P&ID's for CCWS and a sketch (Attachment C) for ESWS are included. Note that ESWS is outside the scope of the nuclear power block and the attached sketch constitutes interface requirements that will be included in RESAR-SP/90 PDA, Module 13 "Auxiliary Systems".

Also note, this information is to be considered preliminary but provides sufficient information for your review.

720.12 Operator action to feed and bleed the reactor coolant system has been given credit (unavailability of 0.01) if the steam generator overfill protection system (SOF) fails. Is this action different from the OST (operator stabilizing the transient) already modeled in the event tree? For example, sequence #11 involves failure of both the OST and SOF. If OST fails, why does the SOF node still include the success of feed and bleed action? How much time is available to the operator between the failure of OST and the challenge of SOF?

RESPONSE:

OST and SOF are two different operator actions; OST is the set of operator actions that equalize RCS and SG pressures and stop the tube leak. If OST fails, and the automatic overfill valves fail the event will require a feed and bleed action since pressures are not stabilized and matched in the system and a small-LOCA type situation through a SG SRV will exist.

RESAR-SP/90 PDA Module 6/8, "Secondary Side Safeguards System / Steam and Power Conversion", shows that with SAR assumptions the OST may take as long as 1 hour to complete. At that time, the SG level is still well below overflowing which gives the operator significant lengths of time (~ 30 min.) to accomplish SOF.

720.13 Should core melt sequences involving the sticking open of PORVs or the leakage of RCP seals be categorized into small LOCA core melt instead of transient core melt for the purposes of back-end analysis? For example, transient event tree sequences 4, 6, 8, 10, etc. involve small break and are categorized as TLFC, TLC, TLF, and TL, respectively.

RESPONSE

Release fractions associated with T and S sequences are the same for most coremelt categories. Initial assignment of coremelt categories was done under the assumption that T sequences are similar to S in consequences. An examination of the containment matrix shows that this assumption is not valid for all cases. However, the results are not very sensitive to this assumption.

B. Assumptions

720.14 What is the basis for assigning to the consequential LOCA frequency a value equal to 20% of the random small LOCA frequency?

RESPONSE:

This value was assigned conservatively on the basis of the assumption that consequential LOCAs are at least 10 times less likely than the LOCAs, and after examination of the values used in other Westinghouse PRA studies.

720.15 Some success criteria were assumed which are not included or are a relaxed version of the SAR success criteria, without any specific system analysis justification. Among these are:

- feed and bleed (one of three PORVs),

- ATWS pressure relief (3/3 safeties and 1/3 PORVs),

- ATWS emergency feedwater (2/4 pumps to all 4 SGs),

- safety injection for small LOCAs, including RHR pumps, and

- long term cooling for large and small LOCAs including containment fan cooling system (CFCS) operation.

At this point, it is our impression that relatively little plant-specific analysis has been performed to support these assumptions. As defined, it appears that the ATWS emergency feedwater function would be unavailable in the occurrence of SGTR in conjunction with ATWS. This is because one loop would be unavailable, while all four loops are required. Please clarify this point. PORVs at many plants are unavailable on short notice because the block valves are closed due to PORV leakage. If PORVs are really required during ATWS, then blocking them will significantly increase core damage frequency. Are they really required? Please clarify the treatment of this point.

RESPONSE

For the most part APWR specific analysis was not done to justify the success criteria used in these areas. Success criteria from previous Westinghouse studies are used. In some cases, the failure of the operator actions dominate (such as feed and bleed operator action) and the random failures of components become relatively insignificant.

If SGTR occurs in conjunction with ATWS, the event will be dominated by ATWS and faulted steam generator need not be isolated until the ATWS event is terminated. Although SGTR may occur, the steam generator and the T/D EFW pump will continue to fulfill their cooling functions.

720.16 Please explain the rather high beta factor (0.4) used for containment fan cooler's control and actuation circuits.

RESPONSE

The reason for selection of this beta factor value is discussed on page 3.6-4 of the module.

720.17 The runout head for HHSI pump is approximately 1000 ft. Please discuss the potential of overspeed and cavitation under large LOCA conditions where rapid depressurization may lead to much lower pressure than the runout head. Similarly, discuss whether RHR pumps would have the similar concern when operating at a lower pressure than the runout head (340 ft), e.g., large LOCA when they are used as RCS injection pumps.

RESPONSE

By design, sufficient piping resistance exists so that even with zero RCS pressure, the HHSI and the RHR pump flows will not exceed their specified run-out values.

720.18 A three week test interval has been used in the quantification of the backup seal injection system unavailability. Since the backup seal injection system is an important mitigation system for accidents involving seal leakage, its unavailability plays a significant role in the quantification of total core melt frequency. Since it is designated as a control grade system, not a safety grade system, please clarify the basis for assuming three weeks as the test interval.

RESPONSE

The BSI system is routinely used for accumulator re-fill function. The accumulators are assumed to be re-filled once a quarter per accumulator. Thus it is assumed that the BSI pump will be utilized at least sixteen times a year. This assumption is consistent with the actual plant operation, although the refilling of the accumulators is not a scheduled event and its frequency will fluctuate considerably.

720.19 Loss of dc power was included in the fault trees of safety systems in SP-90 PRA. However, it is not possible to assess potential system interactions without information regarding components fed by the dc busses. Table 8.3-1 of Module 9 provides some clues to the identification of major interfaces between dc busses and major safety systems. Please clarify what constitutes load groups 1 and 2 and separation groups 3 and 4. In addition, clarify the relationships between components (e.g., pumps) 1, 2, 3, and 4 and trains A, B, C, and D. Does SP/90 PRA assume, in general (i.e., except service water / component cooling water system), that trains A and D share the same ac and dc buses?

RESPONSE

It is assumed that the DC buses follow the same distribution pattern as the AC buses and two independent DC trains exist.

In case of 4-pump trains, the pumps 1 and 4 are fed by the first AC train and the pumps 2 and 3 by the second AC train.

C. Documentation

720.20 In Table 4.1-1, the non-recovery probability of one-of-one DG is listed as 0.21. It seems that this value should be 0.7 according to what is stated on p. 4-2. Please explain.

RESPONSE:

The value in the module is a typo. The reviewer's observation is correct.

720.21 What was the success criterion used for the accumulator system? In Table 2.1-2 (p. 2-20), 1-out-of-3 is listed while on p. 2-90, 2-out-of-3 is stated. Also, Table 3.4 seems to indicate a 2-out-of-3 success criterion. Which was the success criterion used in the large LOCA analysis presented in Module 1?

RESPONSE:

A success criteria of 2-out-of-three accumulators on intact loops is used in the study, and the calculations are shown on page 3.4-17.

Actually, a success criteria of 1-out-of-three is probably applicable to the present design. However, 2/3 success criteria is conservatively used.

720.22 The definition of error factor (p. 118) is actually what's commonly defined as the range factor. Please explain.

RESPONSE

The error factor is defined on page 1-18: this is consistent with the definition on page 7-11 of NUREG/CR 1278. Note that this is the square of error factor as defined in page 0.12-8 of the ZION PSS.

720.23 In Module 1, p. 6.3-15, it is stated the RHR heat exchangers would have CCW cooling automatically when EWST water temperature goes above 195°F. It is not clear why operator action to align CCW to the heat exchangers is required for LTC3 as stated on p. 2-21. Please explain.

RESPONSE

No operator action to align CCW is needed, as observed by the reviewer.

720.24 Please explain why transients with late core melt are not included in the definition of plant damage states in Table 2.1-1.

RESPONSE

An examination of the containment matrix shows that TE and TL sequences are not different from a consequence point of view (page 5.6-13). Since the time periods involved with the TE sequences are very long for the APWR design, initially TL was not considered.

TL sequences were added later for completeness and they are not shown in Table 2.1-1.

720.25 The air operated valves in the steam supply lines to the Turbine-Driven Pumps (TDP) need, according to the FT logic module (Figure 3.10.2-8), an "S" or other ESFAS to open (see p. 3.10-7). Therefore, for any transient initiator in conjunction with IPS failure, the following CM sequence would appear to exist according to the methodology adopted in the study:

TR4.IPS.REC = 10/yr * 5.7x10^-7 * 0.5 = 2.8x10^-6/yr

where REC is failure probability to recover the IPS signal within 2 or 3 hours into the accident. Basically, failure of IPS renders all safety systems inoperable, including the TDPs of the EFWS. This scenario was, however, omitted from the analysis. Please explain.

RESPONSE:

In the event described, the operator can activate any pump from the control room. This includes turbine driven and motor driven EFWS pumps as well as the BSI pump. Moreover, the turbine driven pumps and BSI pump can also be started manually outside the control room.

Considering operator actions, the frequency of this event is deemed to be at the order of E-09: this value depends upon the HEP assigned to the operator action. Failure of such an operator action is deemed to be highly unlikely.

Also note that the SFW & BSI pumps are actuated by the ICS, not the IPS, which should provide some additional reliability in addition to the operator actions.

ATTACHMENT A

ESSENTIAL SERVICE WATER SYSTEM

FLOW VS. OPERATION MODE

(a,c)

ATTACHMENT B (SHEET 1 of 4)

WAPWR COMPONENT COOLING WATER SYSTEM

FLOWS AND HEAT LOADS

(a,c)

ATTACHMENT B (SHEET 2 of 4)

WAPWR COMPONENT COOLING WATER SYSTEM

FLOWS AND HEAT LOADS

(a,c)

ATTACHMENT B (SHEET 3 of 4)

WAPWR COMPONENT COOLING WATER SYSTEM

FLOWS AND HEAT LOADS

(a,c)

ATTACHMENT B (SHEET 4 of 4)

WAPWR COMPONENT COOLING WATER SYSTEM

FLOWS AND HEAT LOADS

(a,c)

ATTACHMENT C

APWR - ESSENTIAL SERVICE WATER SYSTEM

(ONE OF TWO SUB-SYSTEMS)

(a,c)

(a,c)

WAPWR COMPONENT COOLING WATER SYSTEM FLOW DIAGRAM (SHEET 1 THRU SHEET 7)