ML20247M663
ML20247M663 | |
Person / Time | |
---|---|
Site: | Peach Bottom |
Issue date: | 08/31/1989 |
From: | Cramond W, Susan Daniel, Kolaczkowski A, Maloney K, Sype T, Tyrus Wheeler SANDIA NATIONAL LABORATORIES, SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY |
To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
References | |
CON-FIN-A-1228 NUREG-CR-4550, NUREG-CR-4550-V4R1P1, NUREG-CR-4550P1, SAND86-2084, NUDOCS 8909260025 | |
Text
{{#Wiki_filter:NUREG/CR-4550
SAND86-2084
Vol. 4, Rev. 1, Part 1
Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Internal Events
Prepared by A. M. Kolaczkowski, W. R. Cramond, T. T. Sype, K. J. Maloney, T. A. Wheeler, S. L. Daniel
Sandia National Laboratories
Prepared for U.S. Nuclear Regulatory Commission
AVAILABILITY NOTICE
Availability of Reference Materials Cited in NRC Publications
Most documents cited in NRC publications will be available from one of the following sources:
1. The NRC Public Document Room, 2120 L Street, NW, Lower Level, Washington, DC 20555
2. The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20013-7082
3. The National Technical Information Service, Springfield, VA 22161
Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Office of Information Resources Management, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
DISCLAIMER NOTICE
This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, or any of their employees, makes any warranty, expressed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights.
NUREG/CR-4550
SAND86-2084
Vol. 4, Rev. 1, Part 1
Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Internal Events
Manuscript Completed: July 1989
Date Published: August 1989
Prepared by A. M. Kolaczkowski*, W. R. Cramond, T. T. Sype, K. J. Maloney, T. A. Wheeler, S. L. Daniel
Program Manager: A. L. Camp
Principal Investigator: W. R. Cramond
Team Leader: A. M. Kolaczkowski*
Sandia National Laboratories, Albuquerque, NM 87185
*Science Applications International Corporation, 2109 Air Park Road S.E., Albuquerque, NM 87106
Prepared for Division of Systems Research, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555
NRC FIN A1228
ABSTRACT
This document contains the accident sequence analysis of internally initiated events for the Peach Bottom, Unit 2 Nuclear Power Plant. This is one of the five plant analyses conducted as part of the NUREG-1150 effort for the Nuclear Regulatory Commission. The work performed and described here is an extensive reanalysis of that published in October 1986 as NUREG/CR-4550, Volume 4. It addresses comments from numerous reviewers and significant changes to the plant systems and procedures made since the first report. The uncertainty analysis and presentation of results are also much improved, and considerable effort was expended on an improved analysis of loss of offsite power. The content and detail of this report are directed toward PRA practitioners who need to know how the work was done and the details for use in further studies.
The mean core damage frequency is 4.5E-6 with 5% and 95% uncertainty bounds of 3.5E-7 and 1.3E-5, respectively. Station blackout type accidents (loss of all AC power) contributed about 46% of the core damage frequency with Anticipated Transient Without Scram (ATWS) accidents contributing another 42%. The numerical results are driven by loss of offsite power, transients with the power conversion system initially available, operator errors, and mechanical failure to scram. External events were also analyzed using the internal event fault tree and event tree models as a basis, and are reported separately in Part 3 of NUREG/CR-4550, Volume 4, Revision 1.
CONTENTS
1. EXECUTIVE SUMMARY
1.1 OBJECTIVES
1.2 APPROACH
1.3 RESULTS
1.4 CONCLUSIONS
1.4.1 Plant Specific Conclusions
1.4.2 Accident Sequence Conclusions
1.4.3 Plant Damage State Conclusions
1.4.4 Uncertainty Considerations
1.4.5 Comparison to Reactor Safety Study (WASH-1400)
1.4.6 Other Insights
2. PROGRAM SCOPE
3. PROGRAM REVIEW
3.1 SENIOR CONSULTANT GROUP
3.2 QUALITY CONTROL GROUP
3.3 UTILITY INTERFACES
3.4 UNCERTAINTY REVIEW PANEL
3.5 PEER REVIEW PANEL
3.6 AMERICAN NUCLEAR SOCIETY COMMITTEE
3.7 PUBLIC COMMENTS
4. TASK DESCRIPTIONS
4.1 TASK FLOW CHART
4.2 PLANT FAMILIARIZATION
4.2.1 Plant-Specific Nature of the Analysis
4.2.2 Initial Plant Visit
4.2.3 Information Obtained
4.2.4 Confirmatory Plant Visit
4.2.5 Subsequent Plant Visit for the Reanalysis Phase
4.3 INITIATING EVENT IDENTIFICATION & GROUPING
4.3.1 Scope of Events Considered
4.3.2 Support System and Special Initiators
4.3.3 Initiators Retained and Eliminated
4.3.4 Initiating Event Assumptions
4.3.5 Initiating Event Nomenclature
4.4 EVENT TREE ANALYSIS
4.4.1 General Event Tree Assumptions
4.4.2 Discussion of Success Criteria
4.4.3 Large Loss of Coolant Accident (LOCA) Event Tree
4.4.4 Intermediate LOCA Event Tree
4.4.5 Small LOCA Event Tree
4.4.6 Small Small (Recirculation Pump Seal) LOCA Event Tree
4.4.7 Loss of Offsite Power Event Tree
4.4.8 Transient Without PCS Initially Available Event Tree
4.4.9 Transient With PCS Initially Available Event Tree
4.4.10 Loss of Feedwater Event Tree
4.4.11 Inadvertent Open Relief Valve Event Tree
4.4.12 Loss of an AC or DC Bus Event Tree
4.4.13 "V" (Interfacing LOCA) Sequence
4.4.14 Discussion of Reactor Vessel Rupture (R) Event
4.4.15 Anticipated Transient Without Scram Event Tree
4.4.16 Event Tree Nomenclature
4.5 PLANT DAMAGE STATE ANALYSIS
4.5.1 Plant Damage State Definitions
4.5.2 Descriptions of the PDS Vector
4.6 SYSTEM ANALYSIS
4.6.1 System Modeling Approach and Scope
4.6.2 Identification of Systems
4.6.3 Actuation and Control (Emergency Safeguard Features) System
4.6.4 Automatic and Manual Depressurization System
4.6.5 Condensate System
4.6.6 Residual Heat Removal: Containment Spray System
4.6.7 Control Rod Drive System-Enhanced and One Pump
4.6.8 Electric Power System
4.6.9 Emergency Service Water System
4.6.10 Emergency Ventilation System
4.6.11 High Pressure Coolant Injection System
4.6.12 High Pressure Service Water System
4.6.13 Instrument Air System
4.6.14 Low Pressure Coolant Injection System
4.6.15 Low Pressure Core Spray System
4.6.16 Primary Containment Venting System
4.6.17 Reactor Building Cooling Water System
4.6.18 Reactor Core Isolation Cooling System
4.6.19 Residual Heat Removal: Shutdown Cooling System
4.6.20 Standby Liquid Control System
4.6.21 Residual Heat Removal: Suppression Pool Cooling System
4.6.22 Turbine Building Cooling Water System
4.6.23 Reactor Protection System
4.6.24 Justification for Systems Not Modeled
4.6.25 System Analysis Nomenclature
4.7 DEPENDENT FAILURE ANALYSIS
4.7.1 Scope of Dependent Failure Analysis
4.7.2 Treatment of Direct Functional Dependencies
4.7.3 Common Cause Failure Analysis
4.7.4 Analysis of Subtle System Interactions
4.8 HUMAN RELIABILITY ANALYSES
4.8.1 Summary of Methodology and Scope
4.8.2 Human Actions Analyzed
4.8.3 Analysis of Pre-Accident Errors
4.8.4 Analysis of Post-Accident Errors (non ATWS)
4.8.5 Analysis of ATWS Post-Accident Errors
4.8.6 Analysis of Innovative Long-Term Recovery Actions
4.8.7 HRA Nomenclature
4.9 DATA BASE DEVELOPMENT
4.9.1 Sources of Information for the Data Base
4.9.2 Assumptions and Limitations in the Data Base
4.9.3 Plant-Specific Analysis and Use of Generic Data
4.9.4 Uncertainty Distributions
4.9.5 Complete Data Base Description
4.10 ACCIDENT SEQUENCE QUANTIFICATION
4.10.1 General Approach
4.10.2 Identification of Sequences Analyzed
4.10.3 Application of Operator Recovery Actions
4.11 PLANT DAMAGE STATE QUANTIFICATION
4.11.1 General Approach
4.11.2 Identification of Plant Damage States Analyzed
4.11.3 Quantification of Plant Damage States
4.11.4 Description of Plant Damage States
4.12 UNCERTAINTY ANALYSIS
4.12.1 Sources and Treatment of Uncertainties
4.12.2 Development of Parameter Distributions
4.12.3 Elicitation of Expert Judgment
4.12.4 Quantification of Accident Sequence Uncertainty
5. RESULTS
5.1 CHARACTERIZATION OF CORE DAMAGE FREQUENCY AND UNCERTAINTY
5.2 ACCIDENT SEQUENCE RESULTS
5.2.1 Accident Sequence 1
5.2.2 Accident Sequence 2
5.2.3 Accident Sequence 3
5.2.4 Accident Sequence 4
5.2.5 Accident Sequence 5
5.2.6 Accident Sequence 6
5.2.7 Accident Sequence 7
5.2.8 Accident Sequence 8
5.2.9 Accident Sequence 9
5.2.10 Accident Sequence 10
5.2.11 Accident Sequence 11
5.2.12 Accident Sequence 12
5.2.13 Accident Sequence 13
5.2.14 Accident Sequence 14
5.2.15 Accident Sequence 15
5.2.16 Accident Sequence 16
5.2.17 Accident Sequence 17
5.2.18 Accident Sequence 18
5.3 PLANT DAMAGE STATE RESULTS
5.3.1 Plant Damage State 5
5.3.2 Plant Damage State 8
5.3.3 Plant Damage State 6
5.3.4 Plant Damage State 1
5.3.5 Plant Damage State 2
5.3.6 Plant Damage State 4
5.3.7 Plant Damage State 7
5.3.8 Plant Damage State 9
5.3.9 Plant Damage State 3
5.3.10 Plant Damage State Split Fractions
5.3.11 Super Plant Damage States
5.4 IMPORTANCE MEASURES
5.5 COMPARISON OF RESULTS WITH THE REACTOR SAFETY STUDY (WASH-1400)
6. CONCLUSIONS
6.1 GENERAL CONCLUSIONS
6.2 PLANT SPECIFIC CONCLUSIONS
6.3 UNCERTAINTY CONSIDERATIONS
6.4 OTHER INSIGHTS
7. REFERENCES
LIST OF FIGURES
1-1 Peach Bottom Core Damage Frequency Types
1-2 Total Internal Event Core Damage Frequency for Peach Bottom
4.1-1 PRA Task Flow Chart
4.4-1 Large LOCA Event Tree
4.4-2 Intermediate LOCA Event Tree
4.4-3 Small LOCA Event Tree
4.4-4 Small-Small LOCA Event Tree
4.4-5 Loss of Offsite Power Event Tree
4.4-6 Transient Without PCS Initially Available Event Tree
4.4-7 Transient With PCS Initially Available Event Tree
4.4-8 Loss of Feedwater Event Tree
4.4-9 Inadvertent Open Relief Valve Event Tree
4.4-10 Loss of AC or DC Bus Event Tree
4.4-11 Typical Valve Arrangement for High-Low Pressure Interface
4.4-12 Anticipated Transient Without Scram Event Tree
4.6.1-1 Symbols and Abbreviations Used in Schematics
4.6.3-1 Actuation and Control Dependency Diagram
4.6.4-1 Automatic and Manual Depressurization System Schematic
4.6.4-2 Automatic and Manual Depressurization System Dependency Diagram
4.6.5-1 Condensate System Schematic
4.6.5-2 Condensate System Dependency Diagram
4.6.6-1 Containment Spray System Schematic
4.6.6-2 Containment Spray System Dependency Diagram
4.6.7-1 Control Rod Drive System Schematic
4.6.7-2 Control Rod Drive System Dependency Diagram
4.6.8-1 Electrical Power System Schematic
4.6.8-2 Electrical Power System Dependency Diagram
4.6.9-1 Emergency Service Water System Schematic
4.6.9-2 Emergency Service Water System Dependency Diagram
4.6.10-1 Emergency Ventilation System Schematic
4.6.10-2 Emergency Ventilation System Dependency Diagram
4.6.11-1 High Pressure Coolant Injection System Schematic
4.6.11-2 High Pressure Coolant Injection System Dependency Diagram
4.6.12-1 High Pressure Service Water System Schematic
4.6.12-2 High Pressure Service Water System Dependency Diagram
4.6.13-1 Instrument Air/Nitrogen System Schematic
4.6.13-2 Instrument Air/Nitrogen System Dependency Diagram
4.6.14-1 Low Pressure Coolant Injection System Schematic
4.6.14-2 Low Pressure Coolant Injection System Dependency Diagram
4.6.15-1 Low Pressure Core Spray System Schematic
4.6.15-2 Low Pressure Core Spray System Dependency Diagram
4.6.16-1 Primary Containment Venting System Schematic
4.6.16-2 Primary Containment Venting System Dependency Diagram
4.6.17-1 Reactor Building Cooling Water System Schematic
4.6.17-2 Reactor Building Cooling Water System Dependency Diagram
4.6.18-1 Reactor Core Isolation Cooling System Schematic
4.6.18-2 Reactor Core Isolation Cooling System Dependency Diagram
4.6.19-1 Residual Heat Removal System-Shutdown Cooling Mode Schematic
4.6.19-2 Residual Heat Removal System-Shutdown Cooling Mode Dependency Diagram
4.6.20-1 Standby Liquid Control System Schematic
4.6.20-2 Standby Liquid Control System Dependency Diagram
4.6.21-1 Suppression Pool Cooling System Schematic
4.6.21-2 Suppression Pool Cooling System Dependency Diagram
4.6.22-1 Turbine Building Cooling System Schematic
4.6.22-2 Turbine Building Cooling System Dependency Diagram
4.12-1 Battery Depletion Time-Peach Bottom
5-1 Uncertainty Distribution for Peach Bottom Core Damage Frequency
5-2 Density Estimation for Peach Bottom Core Damage Frequency
LIST OF TABLES
1-1 Comparison of NUREG/CR-4550 Revision 1 and WASH-1400 Sequences
4.3-1 Peach Bottom Initiating Events and Frequencies
4.3-2 Primary Information Sources Used to Identify Initiators
4.3-3 Initiating Event Information Summary
4.3-4 Success Criteria Summary Information
4.3-5 Initiators Reviewed and Eliminated From Further Analysis
4.4-1 Event Tree Nomenclature
4.5-1 Peach Bottom APET Questions for Plant Damage States
4.6-1 Systems Included in the Peach Bottom Study
4.6-2 System Identifiers
4.6-3 Event and Component Type Identifiers
4.6-4 Failure Mode Codes
4.7-1 Peach Bottom Common Cause Events
4.8-1 Summary of Pre-Accident Human Actions
4.8-2 Summary of Post-Accident LOCA and Transient Human Actions
4.8-3 Most Important ATWS Human Errors From the BNL Analysis
4.9-1 Peach Bottom Event Data
4.10-1 Accident Sequences Quantified Before Full Recovery Applied
4.10-2 Potentially Dominant Accident Sequences Prior to Full Recovery
4.10-3 Potentially Dominant Accident Sequences Before and After Full Recovery
4.11-1 Plant Damage States by Accident Sequence Before Simplification
4.11-2 Plant Damage State (PDS) Vector Groups
4.11-3 Interim Peach Bottom Plant Damage States
4.11-4 Final Peach Bottom Plant Damage States
4.11-5 Core Damage Frequency by Plant Damage State
4.12-1 Battery Depletion Cut Set Substitutions
5-1 Top Peach Bottom Cut Sets Contributing to Core Damage Frequency
5-2 Description of Important Events for the Peach Bottom Core Damage Frequency Results
5-3 Peach Bottom Accident Sequence Core Damage Frequencies
5-4 Peach Bottom Accident Sequences Included in Each Plant Damage State (PDS)
5-5 Peach Bottom Plant Damage State Core Damage Frequencies
5-6 Peach Bottom Plant Damage State Split Fractions
5-7 Peach Bottom Super Plant Damage States
5-8 Peach Bottom Risk Reduction Events
5-9 Peach Bottom Risk Increase Events
5-10 Peach Bottom Uncertainty Importance
5-11 Comparison of NUREG/CR-4550, Revision 1 and WASH-1400 Sequences (Most Dominant Only)
FOREWORD
This is one of numerous documents that support the preparation of the NUREG-1150 document by the NRC Office of Nuclear Regulatory Research. Figure 1 illustrates the front-end documentation. There are three interfacing programs at Sandia National Laboratories performing this work: the Accident Sequence Evaluation Program (ASEP), the Severe Accident Risk Reduction Program (SARRP), and the Phenomenology and Risk Uncertainty Evaluation Program (PRUEP). The Zion PRA was performed at Idaho National Engineering Laboratories and Brookhaven National Laboratories.
Table 1 is a list of the original primary documentation and the corresponding revised documentation. There are several items that should be noted. First, in the original NUREG/CR-4550 report, Volume 2 was to be a summary of the internal analyses. This report was deleted. In Revision 1, Volume 2 now is the expert judgment elicitation covering all plants. Volumes 3 and 4 include external events analyses for Surry and Peach Bottom. External events for Sequoyah, Grand Gulf and Zion will be analyzed in follow-up studies after NUREG-1150 is published.
The revised NUREG/CR-4551 covers the analysis included in the original NUREG/CR-4551 and NUREG/CR-4700. However, it is different from NUREG/CR-4550 in that the results from the expert judgment elicitation are given in four parts to Volume 2 with each part covering one category of issues. The accident progression event trees are given in the appendices for each of the plant analyses.
Originally, NUREG/CR-4550 was published without the designation "Draft for Comment." Thus, the final revision of NUREG/CR-4550 is designated Revision 1. The label Revision 1 is used consistently on all volumes, including Volume 2 which was not part of the original documentation. NUREG/CR-4551 was originally published as a "Draft for Comment" so, in its final form, no Revision 1 designator is required to distinguish it from the previous documentation.
There are several other reports published in association with NUREG-1150. These are:
NUREG/CR-5032, SAND87-2428, Modeling Time to Recovery and Initiating Event Frequency for Loss of Off-site Power Incidents at Nuclear Power Plants, R. L. Iman and S. C. Hora, Sandia National Laboratories, Albuquerque, NM, January 1988.
NUREG/CR-4840, SAND88-3102, Methodology for External Event Screening Quantification - RMIEP Methodology, M. P. Bohn and J. A. Lambright, Sandia National Laboratories, Albuquerque, NM, July 1989.
[Figure 1: front-end documentation supporting NUREG-1150. The diagram is not recoverable from the scan.]
[Table 1: original primary documentation and the corresponding revised documentation. The table is not recoverable from the scan.]
NUREG/CR-4772, SAND86-1996, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, A. D. Swain III, Sandia National Laboratories, Albuquerque, NM, February 1987.
NUREG/CR-5263, SAND88-3100, The Risk Management Implications of NUREG-1150 Methods and Results, A. L. Camp et al., Sandia National Laboratories, Albuquerque, NM, May 1989.
A Human Reliability Analysis for the ATWS Accident Sequence with MSIV Closure at the Peach Bottom Atomic Power Station, A-3272, W. J. Luckas, Jr. et al., Brookhaven National Laboratory, Upton, NY, 1986.
A brief flow chart for the documentation is given in Figure 2. Any related supporting documents to the back-end NUREG/CR-4551 analyses are delineated in NUREG/CR-4551. A complete list of the revised NUREG/CR-4550, Revision 1 volumes and parts is given below.
General
NUREG/CR-4550, Revision 1, Volume 1, SAND86-2084, Analysis of Core Damage Frequency: Methodology Guidelines for Internal Events.
NUREG/CR-4550, Revision 1, Volume 2, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Expert Judgment Elicitation on Internal Events Issues - Expert Panel.
NUREG/CR-4550, Revision 1, Volume 2, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Expert Judgment Elicitation on Internal Events Issues - Project Staff.
Parts 1 and 2 of Volume 2, NUREG/CR-4550 were published in one binder. This volume was published in April 1989 and distributed in May 1989 with an incorrect title, i.e., Analysis of Core Damage Frequency from Internal Events: Expert Judgment Elicitation, without the Revision 1 designation. The complete, correct title is: NUREG/CR-4550, Revision 1, Volume 2, SAND86-2084, Analysis of Core Damage Frequency: Expert Judgment Elicitation on Internal Events Issues.
Surry
NUREG/CR-4550, Revision 1, Volume 3, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 Internal Events.
NUREG/CR-4550, Revision 1, Volume 3, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 Internal Events Appendices.
NUREG/CR-4550, Revision 1, Volume 3, Part 3, SAND86-2084, Analysis of Core Damage Frequency: Surry Unit 1 External Events.
Peach Bottom

NUREG/CR-4697, EGG-2464, Containment Venting Analysis for the Peach Bottom Atomic Power Station, D. J. Hansen, et al., Idaho National Engineering Laboratory (EG&G Idaho, Inc.), February 1987.

NUREG/CR-4550, Revision 1, Volume 4, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events.

NUREG/CR-4550, Revision 1, Volume 4, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events Appendices.

NUREG/CR-4550, Revision 1, Volume 4, Part 3, SAND86-2084, Analysis of Core Damage Frequency: Peach Bottom Unit 2 External Events.

Sequoyah

NUREG/CR-4550, Revision 1, Volume 5, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Sequoyah Unit 1 Internal Events.

NUREG/CR-4550, Revision 1, Volume 5, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Sequoyah Unit 1 Internal Events Appendices.

Grand Gulf

NUREG/CR-4550, Revision 1, Volume 6, Part 1, SAND86-2084, Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events.

NUREG/CR-4550, Revision 1, Volume 6, Part 2, SAND86-2084, Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events Appendices.

Zion

NUREG/CR-4550, Revision 1, Volume 7, EGG-2554, Analysis of Core Damage Frequency: Zion Unit 1 Internal Events.
ACRONYMS AND INITIALISMS

ACP  ac power system
ACX  air cooling heat exchanger
ANS  American Nuclear Society
ADS  automatic depressurization system
AFW  auxiliary feedwater system
AOV  air-operated valve
ARI  alternate rod insertion
ARF  air return fan system
ASEP  Accident Sequence Evaluation Program
ATWS  anticipated transient without scram
BNL  Brookhaven National Laboratory
BWR  boiling water reactor
CCF  common cause failure
CCU  containment atmosphere cleanup
CCW  component cooling water
CDF  core damage frequency
CDS  condensate system
CFC  containment emergency fan cooler
CGC  containment combustible gas control
CHP  charging pump
CHW  chilled water
CIS  containment isolation system
CLS  consequence limiting safeguards
CPC  charging pump cooling
CRD  control rod drive
CS  containment spray
CSR  containment spray recirculation
CCC  closed cycle cooling
CST  condensate storage tank
CSS  containment spray system
CVC  chemical and volume control
DCP  DC power system
DEP  depressurization
DG  diesel generator
DWS  drywell (wetwell) spray
ECCS  emergency core cooling system
ECW  emergency cooling water
EHS  emergency heat sink
EHV  emergency heating, ventilation
EPG  emergency procedure guideline
EPRI  Electric Power Research Institute
EPS  electric power system
ESF  engineered safety feature
ESW  essential service water
ESW  emergency service water
EVS  emergency ventilation system
FCD  functional control diagram
FHS  fuel handling system
FSAR  final safety analysis report
FW  feedwater
HEP  human error probabilities
HPCI  high pressure coolant injection
HPCS  high pressure core spray
HPR  high pressure recirculation
HPSI  high pressure safety injection
HPSW  high pressure service water
HRA  human reliability analysis
HTX  heat exchanger
IAS  instrument air system
ICS  ice condenser system
ICSR  inside containment spray recirculation
IE  initiating event
ILRT  integrated leak rate test
INEL  Idaho National Engineering Laboratory
IORV  inadvertent open relief valve
IREP  Interim Reliability Evaluation Program
ISO  isolation condenser
LER  licensee event report
LHS  latin hypercube sampling
LOCA  loss-of-coolant accident
LOFW  loss of feedwater
LOSP  loss of offsite power
LLNL  Lawrence Livermore National Laboratory
LPCI  low pressure coolant injection
LPCS  low pressure core spray
LPR  low pressure recirculation
LPSI  low pressure safety injection
LWR  light water reactor
MCC  motor control center
MCW  main circulating water
MFW  main feedwater
MOV  motor-operated valve
MSIV  main steam isolation valve
MSS  main steam system
NHV  normal heating, ventilation
NPRDS  national plant reliability and data system
NPSH  net positive suction head
NRC  Nuclear Regulatory Commission
NSW  normal service water
OEP  onsite electric power
OOS  out of service
ORNL  Oak Ridge National Laboratory
OSR  outside containment spray recirculation
P&ID  piping and instrumentation diagram
PCS  power conversion system
PCV  primary containment venting
PDS  plant damage state
PECO  Philadelphia Electric Company
PLG  Pickard, Lowe, & Garrick
PORV  power-operated relief valve
PPS  primary pressure relief system
PRA  probabilistic risk analysis
PRUEP  Phenomenology and Risk Uncertainty Evaluation Program
PTS  pressurized thermal shock
QCG  quality control group
RBCW  reactor building cooling water
RCS  reactor coolant system
RCIC  reactor core isolation cooling
RCP  reactor coolant pump
RGW  radioactive gaseous waste
RHR  residual heat removal
RMIEP  Risk Methods Integration and Evaluation Program
RLW  radioactive liquid waste
RMT  recirculation mode transfer
RPS  reactor protection system
RPSE  reactor protection system electrical
RPSM  reactor protection system mechanical
RPT  recirculation pump trip
RPV  reactor pressure vessel
RSS  Reactor Safety Study
RWCU  reactor water cleanup
RWST  refueling water storage tank
SAIC  Science Applications International Corporation
SARRP  Severe Accident Risk Reduction Program
SAS  service air system
SBO  station blackout
SCG  Senior Consultant Group
SDC  shutdown cooling
SGT  standby gas treatment
SIS  safety injection system
SLC  standby liquid control
SNL  Sandia National Laboratories
SPC  suppression pool cooling
SPM  suppression pool makeup
SRV  safety relief valve
SWS  service water system
TBCW  turbine building cooling water
TDP  turbine-driven pump
TEMAC  Top Event Matrix Analysis Code
TMI  Three Mile Island
UFSAR  updated final safety analysis report
VSS  vapor suppression system
In the text, two methods were used to show success of an event. Method one uses a slash preceding the event symbol, e.g., /LOSP or /C. Method two uses a bar over the event symbol, e.g., LOSP or H.
ACKNOWLEDGEMENTS

The authors wish to acknowledge the efforts of all those involved in the Revision 1 analysis of the Peach Bottom plant. Major contributions were made by Ron Iman for his loss of offsite power analysis and TEMAC support, Michael Shortencarier for his development work on TEMAC, and Lanny Smith for his work on the ATWS thermal-hydraulic code simulations.

Also, the efforts of Greg Krueger of Philadelphia Electric Company (PECO) and other PECO staff members are greatly appreciated. Greg was our interface with PECO throughout the analysis and documentation tasks. The continuous interaction between PECO and the analysis team was invaluable to the successful completion of the models and accident sequence analysis.

There were innumerable people involved in various support roles such as the reviewers, the quality control team, expert judgment elicitation participants, and the secretarial staff. In particular, Sarah J. Higgins organized numerous computer runs and Emily A. Preston prepared much of the documentation. A number of people at Science Applications International Corp contributed to this work: Mary Drouin, Steve Miller, Nancy Cabber, Vickie Lucero, and Lorri Howe. Their efforts are much appreciated.
1. EXECUTIVE SUMMARY

This document presents the final results from one of several studies that will provide information to the Nuclear Regulatory Commission (NRC) Office of Nuclear Regulatory Research about Light Water Reactor (LWR) risk. The Office of Research will use the results of this work, along with other inputs, to prepare NUREG-1150. Risk from a selected group of five nuclear power plants is examined in NUREG-1150 by incorporating the results of wide-ranging research efforts that have taken place over the past several years. These results will provide the bases for updating the perception of risk from selected plants, developing methods for extrapolation to other plants, comparing NRC research to industry results, and resolving numerous severe accident issues. The level of detail and subjects covered are for the Probabilistic Risk Assessment (PRA) practitioner.

Peach Bottom was chosen as one of the five plants to be analyzed to accomplish these goals. The Peach Bottom Atomic Power Station is located in southeastern Pennsylvania in York County on the west shore of Conowingo Pond and includes two Boiling Water Reactor (BWR) units each of 1150 megawatts (electrical) capacity. The reactors are both housed in Mark I containments. Peach Bottom Unit 2, analyzed in this study, began commercial operation in July 1974 and is operated by Philadelphia Electric Company (PECO). The Peach Bottom plant was previously analyzed in the Reactor Safety Study (WASH-1400). Other plants that were chosen to be analyzed are Surry, Sequoyah, Grand Gulf, and Zion.

1.1 Objectives

The primary objective was to perform an analysis to support the NUREG-1150 project that is an efficient Level 1 Probabilistic Risk Assessment (PRA) that is as near to a state of the art as possible. Corresponding Level 2 and Level 3 analyses have also been performed and documented. External events were analyzed and are reported in Part 3 of this volume.

Direct objectives of the analysis are to identify potential, significant system failures, to support improved plant operations, to provide insights of value to utilities with plants of this type, and to support a detailed methodology that can be used by others including utilities. The perspectives gained from NUREG-1150 will be used to support the NRC severe accident policy and a variety of regulatory issues dealing with severe accidents.

This document presents the front-end part of the risk equation, i.e., the frequency of scenarios involving system failures which lead to severe core damage as a result of internal initiators.*

*Core damage is defined as a significant core uncovery occurrence with reflooding of the core not imminently expected. The result is a prolonged uncovery of the core which leads to damaged fuel and an expected release of fission products from the fuel.
1.2 Approach

A standard Level 1 PRA approach formed the basis for this analysis. Event trees were constructed, and the top events were modeled using large fault trees where required and quantified using the SETS and TEMAC computer codes. There is a wealth of information available on Peach Bottom since it has been the subject of many studies. Using this information, an experienced PRA team analyzed only those aspects of the plant that they judged to be important. Thus, time was not spent analyzing areas that had been shown to be unimportant in the past. Also, if the analyst determined that a system could be represented adequately with a simplified model rather than a detailed fault tree, then the simplified approach was chosen. However, if the analyst determined that a system was important enough to warrant detailed modeling, then the appropriate modeling techniques were chosen.

As part of the basic PRA methodology, four areas merit comment. First, a human reliability analysis was performed on operator actions that surfaced in the PRA as potentially significant. Second, data was collected from several sources and verified for accuracy and applicability. Third, a recovery analysis was performed to assure proper credit was given for operator intervention during the accident. Finally, an extensive uncertainty analysis was performed. This required determining the uncertainty on the failure probabilities for basic events in the models. In some cases, no firm data existed, so expert judgment was formally elicited from people with extensive experience on each issue in question. This is the subject of Volume 2 of NUREG/CR-4550, Revision 1.

In addition to the typical Level 1 analysis, the results were reconstituted in a form suitable for input to the back-end accident progression event trees. Plant damage states* were defined in a joint effort between the front-end and back-end analysts. Statistical analyses identical to those for the accident sequences were performed on the plant damage states.

In order to maintain high quality, this work was reviewed by four different groups: an independent Senior Consultant Group (SCG), an independent Quality Control Group (QCG), Sandia staff and management, and the NRC. In addition, the staff at PECO were given an opportunity to review this work at various stages. PECO's comments were addressed in this analysis as were numerous comments received from the NRC, the public, and the nuclear industry.

*A plant damage state is a grouping of accident sequences or parts of accident sequences that have similar characteristics such as vessel pressure, timing, containment response, and system failures which provides the necessary input for the accident progression event tree used in the Level 2 analysis.
1.3 Results

The Peach Bottom PRA identified two major accident types which contribute ~89% of the core damage frequency (CDF). These accident types, station blackout [loss of offsite power (LOSP) transient with failure of the diesel generators] and Anticipated Transient Without Scram (ATWS), as well as other less important types of accidents, collectively cover a variety of plant damage states (see Figure 1-1). The mean core damage frequency at Peach Bottom was calculated to be 4.5E-6. The cumulative probability distribution and the corresponding probability density estimation for the total core damage frequency for Peach Bottom are given in Figure 1-2 where all of the accident sequences are combined statistically using a sample size of 1000. The corresponding statistics are:

| Statistic | Value |
|---|---|
| Mean | 4.5E-6 |
| Standard Deviation | 1.5E-5 |
| Lower 5% | 3.5E-7 |
| Lower 25% | 9.2E-7 |
| Median | 1.9E-6 |
| Upper 25% | 3.9E-6 |
| Upper 5% | 1.3E-5 |

Every accident sequence is the sum of one or more combinations of events that lead to core damage. These combinations of events are the detailed scenarios of the minimum sequence of failures (component and human) that result in core damage. They are defined as "cut sets." There were 1393 cut sets in the 18 dominant accident sequences in the final Peach Bottom front-end analysis. The top two cut sets contributed 36% of the total CDF. The top twenty cut sets contributed 68% of the total CDF. The top 350 cut sets account for 95% of the total CDF.

Among the most important results of the analysis are the results of the importance measure calculations. It is most illustrative to look at each of the importance measures for the total CDF. The risk reduction importance measure ranks the basic events by the reduction in CDF if that event probability were set to zero. The most significant risk reduction events for the Peach Bottom CDF are:

- Mechanical failure of the reactor protection system,
- Transient accident initiator with the power conversion system initially available,
- Transient accident initiator from loss of offsite power,
- Operator failure to restore the standby liquid control system after testing,
- Other operator failures to initiate systems or miscalibration of sensors, and
- Diesel generator failure-to-run.
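The cut-set quantification and risk reduction ranking described above can be worked through on a small model. The Python below is an added example, not code from the report or from the SETS and TEMAC codes: the event names echo the report, but every cut set and number is constructed, and the sum-of-products (rare-event) quantification is an assumption. It also computes the complementary risk increase measure (event probability set to one), re-minimizing the cut sets so that absorbed combinations are not counted twice.

```python
from math import prod

# Constructed toy model: names echo the report, all numbers are invented.
# Initiators carry a frequency (per year); other events carry a probability.
VALUES = {
    "IE-LOSP": 0.1,        # loss of offsite power initiator
    "IE-TRANS-PCS": 2.0,   # transient with power conversion system available
    "DG-CCF": 1e-3,        # diesel generators fail (common cause)
    "BAT-CCF": 1e-4,       # station batteries fail (common cause)
    "HP-LATE": 0.5,        # late failure of high pressure injection
    "RPS-MECH": 1e-5,      # mechanical failure of reactor protection system
    "SLC-OP": 1e-2,        # operator fails to restore SLC after testing
    "SLC-HW": 1e-3,        # SLC hardware failure
}
INITIATORS = {"IE-LOSP", "IE-TRANS-PCS"}

# Constructed cut sets. The last one is deliberately non-minimal: it contains
# the smaller cut set {IE-LOSP, BAT-CCF} and must be absorbed by it.
CUT_SETS = [
    frozenset({"IE-LOSP", "DG-CCF", "HP-LATE"}),
    frozenset({"IE-LOSP", "BAT-CCF"}),
    frozenset({"IE-TRANS-PCS", "RPS-MECH", "SLC-OP"}),
    frozenset({"IE-TRANS-PCS", "RPS-MECH", "SLC-HW"}),
    frozenset({"IE-LOSP", "BAT-CCF", "DG-CCF"}),
]


def minimize(cut_sets):
    """Drop duplicates and any cut set that strictly contains another one."""
    unique = set(cut_sets)
    return [cs for cs in unique if not any(other < cs for other in unique)]


def frequency(cut_sets, values=VALUES):
    """Rare-event approximation: sum of products over the minimal cut sets."""
    return sum(prod(values[e] for e in cs) for cs in minimize(cut_sets))


def with_event_false(cut_sets, event):
    """Event cannot occur: every cut set that needs it disappears."""
    return [cs for cs in cut_sets if event not in cs]


def with_event_true(cut_sets, event):
    """Event is certain: remove it from each cut set that contains it."""
    return [cs - {event} for cs in cut_sets]


def risk_reduction(event, cut_sets=CUT_SETS):
    """Decrease in CDF if the event value were set to zero."""
    return frequency(cut_sets) - frequency(with_event_false(cut_sets, event))


def risk_increase(event, cut_sets=CUT_SETS):
    """Increase in CDF if the event probability were set to one."""
    if event in INITIATORS:
        raise ValueError("an initiator frequency cannot be set to one")
    return frequency(with_event_true(cut_sets, event)) - frequency(cut_sets)


def rank(measure, events):
    """Events ordered from most to least important under the given measure."""
    return sorted(events, key=measure, reverse=True)


if __name__ == "__main__":
    print(f"CDF = {frequency(CUT_SETS):.3e} per year")
    for name in rank(risk_reduction, VALUES):
        print(f"risk reduction {name:13s} {risk_reduction(name):.3e}")
    for name in rank(risk_increase, [e for e in VALUES if e not in INITIATORS]):
        print(f"risk increase  {name:13s} {risk_increase(name):.3e}")
```

In this constructed model the rare RPS-MECH event has a small risk reduction but a large risk increase, which is why the two rankings are reported separately.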
[Figure 1-1. Peach Bottom Core Damage Frequency Types. Chart of contributions by accident type: LOSP, ATWS, LOCA, and transient.]

[Figure 1-2. Total Internal Event Core Damage Frequency for Peach Bottom. Two panels over a core damage frequency axis from 1E-8 to 1E-3: the core damage frequency uncertainty distribution (cumulative probability, with 5%, median, mean, and 95% marked) and the core damage frequency density estimate.]
The inverse of risk reduction is risk increase, which estimates the CDF if an event probability is set to one. The importance of events ranked by this measure is that relaxed vigilance could cause significant CDF increases. Top risk increase events for Peach Bottom are:

- Mechanical failure of the reactor protection system,
- Operator miscalibration of the reactor vessel pressure permissive sensors used for low pressure injection,
- Common cause failure of the station batteries, and
- Two stuck-open safety-relief valves contributing to a loss of coolant injection following transient initiators.

Several events appear high in both risk measures, especially mechanical failure of the reactor protection system. Much more extensive lists of events relating to the risk measures are given in Section 5.4 and Appendix F of this report.

The third importance measure is the relative importance of event uncertainties in the analysis. This will be discussed in Section 1.4.4.

1.4 Conclusions

One of the major purposes of the Peach Bottom analysis was to provide an updated perspective on our understanding of the risks from the plant relative to the results of the WASH-1400 analysis. It has been determined that changes to the plant design and its procedures, the evolution of Probabilistic Risk Assessment (PRA) methodology and an increasing understanding of severe accidents have all impacted the perspectives on the dominant risks for Peach Bottom.

This study concludes that station blackout (loss of all AC power) accidents and Anticipated Transient Without Scram (ATWS) scenarios are the dominant contributors to core damage at Peach Bottom. The possibility of successful containment venting and realistically allowing for successful core cooling after containment failure have considerably reduced the significance of the loss of long term heat removal accidents originally found to be important in the Reactor Safety Study (WASH-1400). Giving credit for more injection systems, using realistic system success criteria, and plant modifications have also collectively reduced the importance of loss of injection type sequences.

Given the considerable redundancy and diversity of coolant injection and heat removal features at Peach Bottom, it is not surprising that common features of the plant tend to drive the mean core damage frequency. These include common cause failures of equipment, failure of common support systems [AC power and Emergency Service Water (ESW)], and human error. In light of this conclusion, it must also be recognized that the calculated core damage frequency in this study is subject to the non-trivial uncertainties associated with the common cause and human error analyses.
The above insights can be considered applicable to other boiling water reactors of similar design to the extent that the redundancy arguments are true for other plants of interest. However, numerous subtleties in plant design and operational practices and procedures make it difficult to draw specific conclusions for other plants on the basis of this analysis without performing plant-specific reviews. Such reviews should consider plant-specific common cause failure potential and the location of equipment that might be subjected to possible phenomena such as steam entering the reactor building.

1.4.1 Plant Specific Conclusions

As stated above, the core damage profile is primarily made up of two general types of accidents as indicated below:

| Accident Type | Mean Frequency | % Contribution to Mean Core Damage Frequency |
|---|---|---|
| LOSP | 2.2E-6 | 49 |
| ATWS | 1.9E-6 | 42 |
| All Others | 4.0E-7 | 9 |

*Does not account for the ~3% contribution of sequences <1E-8

These general accident types are made up of eighteen individual accident sequences or, alternatively, nine plant damage states.

1.4.2 Accident Sequence Conclusions

The accident sequence with the highest contribution to core damage frequency is a loss of offsite power transient with failure of the diesel generators (station blackout) and late failure of the high pressure systems. The high pressure systems are initially operating, but later in the sequence either battery depletion or harsh environments cause system failure. This is a late core damage sequence and contributes 36% of the total core damage frequency.

The second highest accident sequence contributor is a transient with the power conversion system initially available and mechanical failure of the reactor protection system (anticipated transient without scram). The standby liquid control system also fails, leading to core damage. This accident sequence contributes 31% of the total core damage frequency.
1.4.3 Plant Damage State Conclusions

From a plant damage state perspective, two plant damage states dominate the core damage frequency. Plant damage state 5 contributes 42% of the total. This plant damage state is a transient loss of offsite power and subsequent failure of all diesel generators (station blackout). The high pressure injection systems initially operate, but fail later due to battery depletion or harsh environments. The second highest contributor is an anticipated transient without scram with the standby liquid control system also failing. This plant damage state contributed 33% of the total core damage frequency.

1.4.4 Uncertainty Considerations

The process of developing a probabilistic model of a nuclear power plant involves the combination of many individual events (initiators, hardware failures, operator errors, etc.) into accident sequences and eventually into an estimate of the total frequency of core damage. After development, such a model also can be used to assess the importance of the individual events. The detailed studies underlying this report have been analyzed using several event importance measures. The results of the analyses using an uncertainty importance measure are summarized below. For this measure, the relative contribution of the uncertainty of individual events to the uncertainty in total core damage frequency is calculated. Using this measure, the following events were found to be important:

- Technical failure of the reactor protection system,
- Failure of the diesel generators to continue to run once started,
- Battery depletion time in station blackout accidents,
- Miscalibration of the low reactor pressure permissive instrumentation,
- Operator failure to restore the standby liquid control system after testing.
1.4.5 Comparison to Reactor Safety Study (WASH-1400)

In over ten years between WASH-1400 and this study, the Peach Bottom plant design, as well as the industry's understanding of reactor operation and safety, has changed substantially. Any comparison of dominant contributors to core damage frequency between these studies must be balanced by a knowledge of the differences in plant design, study methodology, and success criteria considerations.

It is difficult to directly compare the total core damage frequencies calculated in the two studies. WASH-1400 calculated a total core damage frequency of approximately 2.6E-5, which is a sum of individual sequence median values (note that the sum is not necessarily a median value). This study has determined the median core damage frequency at Peach Bottom to be 1.9E-6 with a corresponding mean value of 4.5E-6. The modifications in plant configuration and procedures at Peach Bottom, consideration of realistic success criteria, as well as the evolution of analysis techniques since WASH-1400 have reduced the dominant results of the WASH-1400 study considerably. In fact, the two most dominant scenarios from the WASH-1400 study (transient with loss of long-term decay heat removal [TW] and ATWS [TC]) have been decreased by factors of approximately 1000 and 25, respectively. However, a more complete consideration of failures of DC-powered systems during station blackout and a more comprehensive treatment of common cause failures and support system (e.g., power, cooling...) failures combine to yield a mean core damage frequency of 4.5E-6. Some of the significant comparisons leading to these insights are presented below.

- Transients with loss of long-term decay heat removal are dominant in WASH-1400, but not in this study. This is primarily because of the consideration of containment venting procedures now in place at Peach Bottom and an examination of the survivability of core cooling systems.
- ATWS sequence frequencies are reduced over an order of magnitude in this study as compared to WASH-1400 because a more detailed analysis was performed which more accurately treats the sequence thermal hydraulics and accounts for the provisions of the ATWS rule.
- Station blackout (loss of all AC) sequences are estimated to be a factor of five higher than in WASH-1400 because of a more complete consideration of potential failures of DC-powered systems during a blackout, a more complete common mode failure analysis (e.g., includes DC battery common mode failures), and a more complete analysis of support system effects on the AC power system (e.g., diesel cooling).
- All other transients and LOCAs combine to have a median CDF of 1.5E-6 in WASH-1400 and a median CDF of 7.5E-8 in this study. Thus, these sequences are a factor of 20 lower in this study.
- Based on the above, both studies conclude that transients, and not LOCAs, dominate the core damage frequency (and risk) at Peach Bottom. However, the types of transients are significantly different. WASH-1400 is dominated by ATWS and long-term heat removal failure sequences, while this study is dominated by station blackout scenarios (47%) and ATWS (42%).

Table 1-1 summarizes the comparable core damage frequencies for the most dominant sequences as well as for the total core damage frequency results of both studies. The sum of the median frequencies from WASH-1400 is 2.6E-5. Although the overall TEMAC median result is 1.9E-6, the sum of the individual PDS median frequencies, which is comparable to what was done in WASH-1400, is 9.1E-7. Thus, in comparable terms, the core damage frequency from the NUREG/CR-4550, Revision 1 analysis on Peach Bottom is about a factor of 30 less than the WASH-1400 value.

1.4.6 Other Insights

Some additional insights are noted by the team analysts as a result of performing the PRA update of Peach Bottom.

The recent availabilities of the diesel generators at Peach Bottom generally are a factor of ten better than the industry average. This appears to be based on a deliberate attention to detail in the test and maintenance practices as well as an attempt to determine the root causes of failures so that effective actions can be taken.

The importance of the Control Rod Drive (CRD) and High Pressure Service Water systems as injection sources to the vessel (the latter as a last resort) came through clearly as the analysis evolved. The CRD system success probability might be further improved by examining whether the loss of air should be allowed to affect the operation of one of the CRD flow paths to the vessel. In addition, the use of CRD under depressurized conditions in the vessel could cause insufficient net positive suction head for the CRD pumps.

An air pressure limit for Safety Relief Valve (SRV) operation of approximately 100 psia could affect the capability to continue low pressure core cooling under accident conditions when the containment is at high pressure (i.e., SRVs will not stay open).

The conflicting requirements of first inhibiting the automatic depressurization system and then needing to rapidly depressurize in some ATWS sequences should be recognized.

The difficulties associated with venting the containment in a station blackout and the harsh reactor building environments caused by venting in ATWS scenarios have significant core damage and consequence effects.

Finally, the varied and more subtle failures of equipment because of unusual accident conditions are important factors. These failures include, for instance, turbine backpressure trip of the Reactor Core Isolation Cooling (RCIC) system when experiencing high containment pressure, the potential for High Pressure Coolant Injection (HPCI) and RCIC system failure on high suppression pool temperatures, the closing of the SRVs under very high containment pressures, the potential for loss of low pressure core spray and residual heat removal pumps under low pressure saturated conditions in the containment, and the possible effects of battery depletion when AC power is lost, among others. It is these subtle and perhaps "unexpected" failure modes which affect multiple equipment in the analyzed scenarios and ultimately contribute to the core damage potential at Peach Bottom.
[Table 1-1. Comparison of core damage frequencies from WASH-1400 and NUREG/CR-4550, Revision 1 for Peach Bottom, by accident type and in total.]
- 2. PROGRAM SCOPE The Peach Bottom Probabilistic Risk Assessment (PRA) was conducted during l two periods. During the first period, the objective was to complete a fast, efficient PRA in a short time. This was accomplished, and )
following a review and some revisions, the PRA was published as NUREG/CR-4550, Volume 4 in October 1986. This report received extensive distribution and considerable review. In response to the comments from reviewers and especially the NRC and Philadelphia Electric Company, an update of the report was initiated. During the interim period, several changes were made to the plant, and additional system and procedural details were examined. The result is the significantly revised analysis presented in this document, NUREG/CR-4550, Revision 1, Volume 4, Parts 1 and 2. This report combines the tasks performed in the original analysis with the tasks accomplished during the revised analysis. While the original objective was to perform a fast, efficient PRA, it became necessary due to comments and criticism to examine additional details and to refine the models and techniques during the revised analysis. One target in the reanalysis was to reduce conservatism as much as possible. To give the rcader a perspective of the scope of this work, a list of PRA tasks is given below describing what was done in this analysis. The level of detail is compared to a " state-of-the-art" PRA for each task and graded as (1) improved state of the art, (2) atate of the art, (3) slightly abbreviated, (4) abbreviated, and (5) vot analyzed.
- Initial Information Collection -- The information collected from past Peach Bottom studies and the Final Safety Analysis Report (FSAR) was put together in an initial set of event trees, fault trees, and questions for plant personnel. The pre-visit information gathering took a month. One week was spent at the plant gathering information first hand and regular contact with the plant was maintained throughout the course of the study. A confirmatory visit near the end of the first analysis and two subsequent visits during the revised analysis were conducted. Numerous changes were made to the event trees and fault trees. (Slightly abbreviated)
- Initiating Event Identification -- Initiating event information from plant-specific records and past studies was used. A search for support system initiators was conducted. During the revised analysis, these initiating events were reviewed. Interfacing system LOCAs (Initiating Event V) and reactor vessel rupture (Initiating Event R) were re-evaluated. The frequency and recovery of loss of offsite power were significantly improved. (State of the art)
- Event Tree Development (Non-Anticipated Transient Without Scram, ATWS) -- Because the plant had been studied extensively in the past, functional event trees were not developed. Past studies and current NUREG-1150 containment analyses were used to identify the non-ATWS system event tree headings necessary to model all reactor functions. No significant shortcuts were used to develop the initial non-ATWS system event trees. Nevertheless, numerous refinements were made in the revised analysis. (Improved state of the art)
- Event Tree Development (ATWS) -- Detailed examinations of the plant, procedures, and updated thermal-hydraulic calculations were performed to identify the ATWS event tree headings and to develop the ATWS sequences. (Improved state of the art)
- System Modeling -- The level of modeling detail was at the discretion of the analyst. If a system could be shown to be relatively unimportant, or if a detailed model would have taken an excessive amount of time, simplifications were made. If the system was considered important, a detailed modeling effort was undertaken. The models are therefore a combination of detailed fault trees, simplified fault trees, and black box models. Fault trees for several systems were added in the revised analysis. The level of detail in many existing fault trees was also increased. Common cause failures were included in the fault trees rather than applying such failures by hand to the cut sets. Fault trees were expanded from pipe segment modeling to individual components. This was done to a large extent for the benefit of the external events analyses, which use the internal events analysis models. (Ranges from abbreviated to state of the art, depending on the system)
- Analysis of Dependent Failures -- A significant effort was made to identify, model, and quantify dependent failures. Intersystem dependencies were identified and modeled in the system analysis. Subtle interactions found in past PRAs were reviewed for their applicability to Peach Bottom. A review of licensee event reports (LERs) and other plant-specific reports for Peach Bottom was made to identify any unexpected interactions or common failures. (Slightly abbreviated)
- Human Reliability Analysis (HRA) -- Except for the ATWS scenarios, a screening procedure was developed to calculate human error probabilities. Although an HRA specialist was present during the plant visit, there was not as much time available to interview operators as desired. The screening procedure was somewhat conservative and values that yielded high results were flagged and reconsidered. During the recovery analysis conducted in the revised analysis, each human error event, either pre- or post-accident, was carefully tabulated, described, and re-evaluated. Only errors of omission were considered in this analysis. The ATWS HRA was extremely detailed with three specialists spending considerable time analyzing ATWS operator responses. (Slightly abbreviated and state of the art)
- Data Base Development -- A data specialist was present during the initial plant visit. A week for data collection did not permit an extensive effort; however, a reasonable amount of plant-specific data was gathered. Where plant-specific data were lacking, generic data were used. (Slightly abbreviated)
- Accident Sequence Quantification -- While there were no shortcuts taken that should affect the results, a screening technique was used to avoid running every possible core damage accident sequence through the entire Boolean computer code. All the accident sequences with the potential for being greater than 1E-8 were completely analyzed. (State of the art)
- Plant Damage State Analysis -- The plant damage states (PDS) are defined by the back-end analyst, with the assistance of the front-end analyst to assure a clean interface between analyses. This requires continuous feedback while the accident progression event trees are being developed. There were 20 distinct PDSs that were grouped into nine larger PDSs for quantification. Finally, four super PDSs were formed covering very broad categories of accident types. (Improved state of the art)
- Physical Process of Reactor Meltdown Accidents -- Past thermal-hydraulic calculations and calculations performed by the NUREG-1150 containment analysts were used as required. New ATWS related calculations were run by the team analysts. (Slightly abbreviated)
- Radionuclides Release and Transport -- This was handled by the NUREG-1150 back-end analysts.
- Environmental Transport and Consequence Analysis -- This was handled by the NUREG-1150 back-end analysts.
- Seismic Risk Analysis -- This is considered in Part 3 of Volume 4. (State of the art)
- Fire Risk Analysis -- This is considered in Part 3 of Volume 4. (Slightly abbreviated)
- Flood Risk Analysis -- This is considered in Part 3 of Volume 4. (Slightly abbreviated)
- Other External Hazards (e.g. Tornadoes) -- This is considered in Part 3 of Volume 4. (Slightly abbreviated)
- Treatment of Uncertainties -- Statistical uncertainty in the failure data, uncertainty associated with the application of the failure data, and uncertainty caused by modeling assumptions and success criteria were all treated in the analysis. In the original analysis, modeling uncertainty was handled to a large extent by sensitivity studies. In the revised analysis, modeling uncertainty was incorporated directly into the data. Expert judgment elicitations were conducted on all issues that could significantly affect uncertainty. Furthermore, several model and informational issues from the original analysis were resolved by additional study. (Improved state of the art)

In addition to this comparison with a state-of-the-art PRA, it is informative to identify factors that PRAs do not normally treat. The following list of items not usually included in PRAs is taken with some modification from NUREG-1115 [1]:
- Partial Failures
- Design Adequacy
- Adequacy of Test and Maintenance Practices
- Effect of Aging on Component Reliability (also burn-in phenomena)
- Adequacy of Equipment Qualification
- Environmentally-Related Common Cause
- Similar Parts-Related Common Cause
- Sabotage
3. PROGRAM REVIEW

To assure quality, two groups were chartered with the responsibility of reviewing the work and providing timely feedback. Because the time available to complete the tasks in the original analysis was short, these reviews had to be intense, and Probabilistic Risk Assessment (PRA) team response time had to be almost instantaneous. In the revised analysis, more time was available, but the review meetings were still intense and informative. In addition to their review, public comments were received by the NRC and three other groups reviewed the work for their specific purposes.

3.1 Senior Consultant Group

The purpose of the Senior Consultant Group (SCG) was to provide a broad scope review of the methods and results of the reference plant PRAs. This high-level review was to further assure the validity and applicability of the products. However, the SCG was not expected to provide detailed quality control or assurance of the products. This group did not meet during the revised analysis. The members of the SCG are listed below:
- Dennis C. Bley, PLG
- Michael P. Bohn, SNL
- Gregory J. Kolb, SNL
- Joseph A. Murphy, NRC
- William E. Vesely, SAIC (formerly of BCL)

3.2 Quality Control Group

The goals of the Quality Control Group (QCG) were the following:

- to provide guidance regarding the methodologies to be utilized in the PRAs,
- to ensure the consistent application of the methodologies by all PRA teams, and
- to ensure the technical adequacy of the work.

These goals were met via periodic review meetings with the PRA teams. At these meetings, the QCG discussed the methodologies and reviewed, in detail, all technical work performed.

The QCG was composed of the individuals listed below; also shown is each individual's technical specialty:

- Gregory J. Kolb, SNL (QCG team leader, systems analysis, original analysis only)
- Gareth W. Parry, NUS (uncertainty analysis, systems analysis, reliability data)
- John Wreathal, SAIC (human reliability analysis, revised analysis only)
- Barbara J. Bell, BCL (human reliability analysis)
- Arthur C. Payne, Jr., SNL (systems analysis, reliability data, back-end interface)
- Eddie A. Krantz, INEL (systems analysis, original analysis only)
- David M. Kunsman, SNL (systems analysis, back-end interface)
- Gary Boyd, SAROS (systems analysis, back-end interface)

3.3 Utility Interface

A constant interface was maintained with the utility throughout the duration of the original analysis. The Peach Bottom team leader was in constant contact with Peach Bottom engineering and plant personnel to ask questions and verify information. The Peach Bottom contacts also reviewed the results presented in the first draft of the study and provided comments that were considered in the revised analysis. The same close interface was carried through the revised analysis. The utility support was extremely helpful.
3.4 Uncertainty Review Panel

This panel was formed at the request of the NRC to consider the way in which uncertainty had been analyzed in the draft NUREG-1150 and the supporting documents. A three-day meeting was held on April 20-22, 1987, where a number of contributors to NUREG-1150 were invited to make presentations to the panel, as were others who were known to have views that were important to the assessment. The panel addressed all areas of the uncertainty methodology including the statistical methods used, the way the results were presented, and especially the use of expert judgment. As a result of the panel's findings, significant changes were made to the analysis [47]. The most important improvement was in the elicitation of expert judgment, which became a major effort in the revised analysis for both the front-end and back-end analyses.

3.5 Peer Review Panel

After the publication of the draft NUREG-1150 and the supporting front-end and back-end documents, the NRC Commissioners recommended a peer review because of the potential importance of these documents to the NRC's regulatory process. Lawrence Livermore National Laboratory was selected to coordinate this effort. Although this review panel was initiated by the NRC, it functioned independently.

Fourteen members were selected including national and international experts in the fields of nuclear reactor safety, probabilistic risk assessment, and severe accident phenomenology. The individuals represented academics, research laboratories, electric utilities and consulting companies. The first phase of their review was to address the draft documentation. The second phase is to review the final NUREG-1150 and related documentation including this report. At least five formal meetings were held during the first phase, and testimony was given by numerous people including the Peach Bottom analysts. The findings are given in Reference 46. In general, the panel had a number of comments on NUREG-4550, and those comments relevant to the study have been addressed.

3.6 American Nuclear Society Committee

Many members of the American Nuclear Society (ANS) felt that the society should express its view regarding a document such as NUREG-1150 that has the potential to influence the perception of accident risks associated with nuclear power plants and have an impact on the regulatory process. Thus, the President of the ANS appointed a special committee to follow and comment upon the documentation and progress of the NUREG-1150 program. Their findings and recommendations on the draft NUREG-1150 are found in Reference 48. These findings and recommendations were based on a review of the February 1987 draft NUREG-1150 and the supporting documents, review of the public comments, briefings by the NRC staff and others, and visits to Sandia National Laboratories by the Chairman and Vice Chairman to observe the expert review panel process and to discuss the ongoing analysis leading to the revised document.

3.7 Public Comments

During the several months when public comments were solicited, a number (approximately 50) of individuals and organizations performed detailed reviews of the NUREG-1150 related documentation. Their comments were extensive. These comments were submitted to the NRC and sorted by subject. Those comments applicable to the front-end analysis and, in particular, the Peach Bottom analysis, were reviewed by the analysts and considered to the extent possible during the revised analysis.
4. TASK DESCRIPTIONS

This section contains information on the major tasks performed for this study. Section 4.1 provides a brief overview of the tasks. The remaining subsections within Section 4 address each individual task as it applies to the Peach Bottom analysis. Sections 5, Results, and 6, Summary and Conclusions, provide the information covered by the last task entitled "Interpretation of Results."
4.1 Task Flow Chart

The major tasks performed for this study are indicative of the general tasks performed in any Level 1 PRA. Figure 4.1-1 displays the major tasks carried out in this analysis and shows the primary information flow paths between each task. The entire process has been performed twice. The first time was during the initial analysis which began in July 1985 and resulted in the first draft of this report printed in October 1986. Following a comment and review period, the entire process was performed again in order to update the analysis and respond to comments received on the first draft. The following subsections reflect the combined effort for both the first draft phase and the reanalysis for each of the major tasks. Volume 1 of this document provides more detailed descriptions of the methodology used in carrying out each task [2]. The reader is referred to that volume and the subsections which follow in order to obtain a comprehensive description of how the Peach Bottom analysis was conducted.
[Figure 4.1-1. Task Flow Chart]
4.2 Plant Familiarization

4.2.1 Plant-Specific Nature of the Analysis

In order to assure that the analysis indeed reflected the Peach Bottom Unit 2 plant, a plant familiarization task was performed. During this effort, the analysts became familiar with the specific design, operational, and historical performance aspects of the unit. As a result, the analysis reflects the actual design, procedures, and operating experience at Peach Bottom during the analysis periods, to the extent possible. Therefore, the initiating event experience, models, failure data, and human reliability analysis are based on Peach Bottom specific inputs.

The performance of this task included three major subtasks: (1) an initial plant visit, (2) a confirmatory plant visit near the end of the first draft period, and (3) a subsequent plant visit to begin the reanalysis effort. In addition, nearly continuous communication was maintained with the plant and the engineering staff to answer questions during both analysis phases.

Prior to the initial plant visit, the Peach Bottom team reviewed the original Accident Sequence Evaluation Program (ASEP) analyses applicable to Peach Bottom [3], the fault tree and event tree sections of WASH-1400 [4], and Probabilistic Risk Assessment type studies related to Peach Bottom. Preliminary event trees, system fault trees, and simplified system schematics were constructed; preliminary success criteria and dependency matrices were developed to identify specific areas where information was needed for accurate models. Based on these initial activities, a package was prepared that identified the required plant specific information and data and gave a sampling of generic and specific questions the team would ask concerning system design and plant operation. This package was sent to Philadelphia Electric Company (PECO) so that their staff might better understand the team's needs.
The following sections provide brief descriptions of each plant visit and the information obtained.

4.2.2 Initial Plant Visit

The purposes of the initial plant visit were to (1) gain specific knowledge of those Peach Bottom aspects which had been identified as important to safety/risk and (2) collect the necessary data. The visit occurred in July 1985. Two days were spent at PECO's main headquarters in Philadelphia, a third day at the Peach Bottom plant, and a fourth day at the Limerick simulator (Peach Bottom's operators are trained at this simulator). The Peach Bottom analysis team consisted of the overall program leader, the team leader, two system analysts, a data analyst, a containment analyst, and four human reliability analysts (three of whom concentrated on Anticipated Transient Without Scram (ATWS) scenarios). The team visited with PECO mechanical engineering staff members and various personnel in operations, training, and maintenance.
The preparatory package for the initial plant visit consisted generally of the following items:

- Request for Piping and Instrumentation Diagrams (P&IDs) and Functional Control Diagrams (FCDs) for all front line systems and their support systems,
- Request for Elementary Wiring Diagrams (one lines),
- Request for Layout Drawings (the reactor and control buildings),
- Request for Emergency Operating and Test/Maintenance Procedures,
- Request for Data Information (maintenance logs, LERs, etc.),
- Request for Post-Three Mile Island (TMI) and PRA modifications, and
- Lists of Questions (related to system design and plant operation).

The initial plant visit included the following events:

- Discussions with PECO engineering staff concerning normal and emergency configurations and operation of the various systems of interest, system interdependencies, and design changes implemented at the plant;
- Discussions with PECO engineering and operational staff concerning automatic and manual actions taken in response to various emergency conditions, operational problem areas identified by plant personnel which might impact the analysis, and detailed discussions regarding ATWS procedures;
- Discussions with PECO engineering and maintenance staff concerning data: maintenance logs, LERs, etc., and implementation regarding test/maintenance procedures;
- Discussions with PECO training staff concerning training practices regarding various emergency conditions, and detailed discussions regarding ATWS training.
4.2.3 Information Obtained

A considerable amount of information was obtained during and shortly following the initial plant visit. This information allowed the analysis to consider the specific features and operational aspects of Peach Bottom Unit 2. The information obtained consisted generally of the following:

- Information requested in the pre-visit package including:
  - the requested drawings
  - PECO's Emergency Operating Procedures [41] and examples of test and maintenance procedures
  - plant-specific failure data information on selected components considered likely to contribute the most to the overall results
  - recent or soon-to-be included plant modifications as a result of TMI action items, the recent ATWS rule, and utility-originated plant improvements
  - miscellaneous items regarding specific questions from the analysts.
- Peach Bottom monthly "hi-spot" reports for the period 1975-1985 [10] which summarize plant performance each month as well as provide information on every plant shutdown, and
- The Updated Final Safety Analysis Report for Peach Bottom Units 2 and 3 [11].

4.2.4 Confirmatory Plant Visit

The purpose of the confirmatory plant visit was to present the preliminary results of the first draft analysis and to confirm our knowledge regarding Peach Bottom. The plant visit occurred in December 1985. One day was spent at PECO's main headquarters and one day at the Peach Bottom plant. The Peach Bottom analysis team consisted of the overall program leader, the team leader, and three system analysts. The team visited with members of the PECO mechanical engineering staff and with various personnel in operations.

The final plant visit included the following activities:

- A presentation of the overall preliminary results,
- Discussions with engineering staff on major contributors and assumptions, and
- Discussions with operational staff on 'gray' areas concerning operator actions.

Additional information was supplied to the analysis team by PECO in response to issues raised during the final plant visit.
4.2.5 Subsequent Plant Visit for the Reanalysis Phase

In March 1988, a subsequent plant visit was made to the plant and PECO's engineering offices to learn of any changes or other factors which should be reflected in the reanalysis phase of the project. One day was spent at the engineering offices and one day at the plant site. Team members, including the team leader and two system analysts, met with members of the PECO mechanical engineering staff and with operators at the plant. Updated drawings and new procedures were provided and discussed during the plant visit. While numerous miscellaneous changes or clarifications were identified, four primary changes in the plant and procedures were presented to the analysts which had a considerable impact on the reanalysis. These were:

- Modifications made to the Emergency Service Water (ESW) system hardware and operation since the first draft analysis,
- A revised station blackout procedure which accounted explicitly for stripping battery loads as well as actions to prevent HPCI/RCIC failure in the long term,
- A revised containment venting procedure which de-emphasized the use of local operations for venting and also required venting at 100 psig instead of 60 psig,
- Additional information on the containment's ability to withstand pressures closer to the 175 psia range instead of the earlier 130 psia.

Each of the above caused a significant impact in either the event tree or fault tree constructions or in the possible recovery actions and timing. This new information has been included in the reanalysis in order to properly reflect Peach Bottom's design and operational guidance as of early 1988.
4.3 Initiating Event Identification and Grouping

Following the initial plant familiarization stage of the analysis, the initiating events relevant to Peach Bottom were identified. Initiating events are those disruptions to the normal operation of the plant which cause a rapid shutdown of the plant, or a need to trip the plant, so as to challenge the safety systems in order to remove decay heat. The initiators included in this study are summarized in Table 4.3-1 along with their frequencies.

The selection of the initiators examined in this study is described in the following subsections. Discussions are included regarding information sources used, the initiating event selection process, the resulting list of initiators, and the underlying assumptions. The nomenclature used to identify each initiator is provided in Section 4.3.5. The final list of initiators forms the basis for the event tree task which defines the possible accident sequences that could occur for each initiator. It is these accident sequences that identify the possible scenarios leading to core damage (from internal initiators) for Peach Bottom Unit 2.

4.3.1 Scope of Events Considered

The scope of this work encompasses only the so-called internal initiators, i.e., those which directly affect the systems within the plant. External events such as fires, seismic events, and flooding are considered in Part 3 of NUREG/CR-4550 Revision 1.

Since a number of Probabilistic Risk Assessments (PRAs) on Boiling Water Reactor (BWR) plants have already been performed, this study made use of the combined list of initiators in those studies to derive its initiating event list. It should be noted that manual orderly shutdowns for refueling or administrative reasons were not considered. Table 4.3-2 summarizes the primary information sources used to identify the initiators examined in this study.
The original WASH-1400 study, the Grand Gulf RSSMAP study, the IREP Browns Ferry study, and the Limerick and Shoreham PRAs were all reviewed for the lists of initiators in those studies based on actual events as reported in EPRI NP801 [13] and NP2230 [14]. In addition, success criteria implications from GE-NEDO 24708A and the initiators formerly covered by the Accident Sequence Evaluation Program (ASEP) were also used to assist in the identification of initiators for this analysis. This information was supplemented with actual plant trip data for both Peach Bottom units covering March 1976 to June 1985 as reported in PECO's monthly "hi-spot" reports. These actual plant shutdowns were reviewed to ensure that all initiating events that had occurred while at power at Peach Bottom were represented by the initiating event list.

Finally, a review of the Peach Bottom design for special initiators was also undertaken. Plant design information from the Peach Bottom Updated Final Safety Analysis Report (UFSAR), coupled with information gained during the initial plant visit and subsequent telephone discussions, was used for the examination of special initiators. Special initiators are those events not typically included in general lists of initiating events. Such special initiators which cause a plant trip and require decay heat removal are unique to the plant being analyzed. Examples would be loss of a particular DC bus or loss of service water. These are further discussed in Section 4.3.2.

Table 4.3-1 Peach Bottom Initiating Events and Frequencies

Initiator Nomenclature | Description | Mean Frequency (per year) |
---|---|---|
T1 | Loss of offsite power (LOSP) transient | 0.079 |
T2 | Transient with the Power Conversion System (PCS) unavailable | 0.05 |
T3A | Transient with the PCS initially available | 2.5 |
T3B | Transient involving loss of feedwater (LOFW) but with the steam side of the PCS initially available | 0.06 |
T3C | Transient due to an Inadvertent Open Relief Valve (IORV) in the primary system | 0.19 |
TAC/x | Transient caused by loss of safety AC Bus "x" | 5.0E-3 |
TDC/x | Transient caused by loss of safety DC Bus "x" | 5.0E-3 |
A | Large LOCA | 1.0E-4 |
S1 | Intermediate LOCA | 3.0E-4 |
S2 | Small LOCA | 3.0E-3 |
S3 | Small-small LOCA | 3.0E-2 |
V | Interfacing system LOCA (failure of a high/low pressure interface in the primary system) | <1E-8 (see Section 4.4) |
R | Reactor Vessel Rupture | (see Section 4.4) |

Table 4.3-2 Primary Information Sources Used to Identify Initiators

- ASEP prior work [3]
- WASH-1400 [4]
- Grand Gulf RSSMAP [5]
- IREP Browns Ferry [6]
- Limerick PRA [7]
- Shoreham PRA [8]
- GE-NEDO 24708A [9]
- PECO monthly "hi-spot" reports [10]
- Peach Bottom UFSAR [11]
- Minarick [12]

PRAs typically divide initiating events into two major classes of events: loss of coolant accidents (LOCAs) and transients. While LOCAs of appreciable size have not occurred, as evidenced by operating experience, LOCAs are still examined as possible initiators since they would cause a plant trip, require emergency cooling if the Power Conversion System (PCS) were lost, and represent a possible threat to both the core and containment. During review of the above mentioned information sources, it was found that the Shoreham and Limerick plant analyses and General Electric's study of typical BWR 4 designs in NEDO 24708A supported the use of three LOCA sizes. These sizes are based on different mitigation success criteria as was done in the original WASH-1400 study of Peach Bottom.

The large LOCA, labeled A, is a steam or a liquid break in which the reactor vessel will rapidly depressurize. Low pressure system injection will be automatic, restoring water level in the reactor vessel. High pressure system injection flow rates are either inadequate to restore level (low pressure systems have much higher flow rates) or the high pressure turbine-driven systems cannot be run efficiently because of low steam pressure. Break sizes of approximately 0.1 square feet or larger are typical of this size LOCA.

The intermediate LOCA, labeled S1, is a steam or liquid break in which high pressure injection with the High Pressure Coolant Injection (HPCI) system is possible for a limited time period. This turbine-driven system can supply sufficient flow to the reactor until vessel pressure can no longer be maintained for successful HPCI operation. Low pressure injection must then be used to maintain water inventory in the core.
Should HPCI fail initially, depressurization of the reactor vessel is required to allow for timely low pressure injection. Break sizes of approximately 0.004 to 0.1 square feet for liquid breaks and steam breaks of approximately 0.05 to 0.1 square feet are typical of this size LOCA.

The small LOCA, labeled S2, is small enough to allow for long-term successful mitigation by either HPCI or the Reactor Core Isolation Cooling (RCIC) system (a smaller capacity, turbine driven system). Should both systems fail, depressurization is required for successful low pressure injection. This size LOCA can be approximated by a stuck-open Safety Relief Valve (SRV) for Peach Bottom. The break is any size smaller than that classified as an S1 LOCA above; e.g., less than 0.05 square feet for steam breaks and less than 0.004 square feet for liquid breaks.

In addition, a fourth LOCA category was defined to include the special recirculation pump seal leak. Such leaks have occurred in power plants, primarily because of the wearing-out of the pump seals during normal operation. Such leaks are well-instrumented and can be easily isolated.
Leaks up to a maximum of- 100 gpm could occur on a per pump basis although less than 5 gpm is more typical. Because the relative frequency of these leaks is considerably larger than for other IDCAs, and since these occurrences are easily detected and isolated, this type of LOCA was categorized as a separate small-small LOCA category, labeled 53. A brief examination of possible LOCAs within mitigating systems was also performed. One LOCA source, in particular, received more attention than others since it could cause a plant trip and affect multiple safety systems. This was a LOCA in the Normal Service Water (NSW) piping where the piping interfaces with the S 'nergency Service Water (ESW) system piping to feed a number of emergency core cooling loads and the diesels (see the ESW system write-up in Section 4.6). A pipe break in this location could disturb norinal service water flow so as to cause a plant trip along with possible loss of the NSW system. Subsequent ESW initia-tion would feed the break instead of cooling certain safety system loads. However, since (a) operation of the High Pressure Service Water (HPSW) is unaffected, as it has no dependency on ESW or NSW; (b) HPCI/RCIC are only affected indirectly by room cooling, therefore the systems can run 10 or more hours before failure of ESW or NSW would have any impact; (c) such a break could potentially be isolated; and (d) the probability of a LDCA having to occur in a specific location in a low pressure rystem is considered relatively low (<1E-6), we concluded that this initiator was not as important as other initiators of interest. i Even with a coincident loss of offsite power, core damage would require l the failure of HPCI and RCIC and the failure to recover AC power to l systems such as the CRD system. Using arguments such as this, it was
' decided - that LOCAs in the mitigating systems were probabilistically
, unimportant and, therefore, they were not included in this study. This finding is consistent with the scope of LOCAs analyzed in other PRAs. Possible inter 12cing system LOCAs were also examined for inclusion in this study. Interfacing system LOCAs, or the so-called "V" sequence, are a breach of a high pressure to low pressure interface with the primary system. Such a breach could cause significant low pressure system leaks or even a pipe rupture and result in a loss of inventory from the primary system while at the same time failing a low pressere mitigating system. Possible bypass of the containraent through the ruptured interface also represents a fission product escape path which could result in serious consequences. Based on actual experience as reported in References 12 and 49, focus for identifying sources for a possible "V" sequence included review of the high to low pressure interface in the Low Pressure Core Spray (LPCS) and Residual Heat Removal (RHR) systems. Precursors to the "V" sequence have occurred in BWRs during testing of both high and low pressure system valves which provide isolation from the primary system. Focus on the above low pressure systems is a result of the lower pressure design conditions of these systems which increases the chance of a significant loss of primary system inventory through a pipe break, relief valve, or pump seal rupture. Such a sequence has been examined as part of this study and is discussed in Section 4.4. 4.3-5 1 i
Transient initiators were selected primarily on the basis of the considerable prior work in BWR PRAs. In this earlier work, actual events have been grouped into major transient categories depending on the plant response to each transient. Where "like" responses are expected (i.e., the same systems are effectively failed or otherwise degraded, resulting in similar overall plant effects, and the same mitigating system success criteria apply), transients are grouped into major categories with each category identified as a transient initiator for analysis purposes. This categorization process significantly decreases the amount of analysis effort without affecting the results.

Using the original WASH-1400 categories (T1, T2, T3) as a guide, the previously mentioned PRAs and the interim ASEP work were reviewed to determine whether expansion of these categories was necessary. In addition, actual operating history for Peach Bottom was reviewed as reported in PECO's monthly "hi-spot" reports which summarize, among other things, the causes for plant shutdowns. This information was coalesced into the list of transient initiators.

In general, it was found that transient events could remain grouped into the three main WASH-1400 transient categories. T1 events are those which involve a loss of offsite power to the plant. T2 events are those involving loss of the PCS and include, for example, Main Steam Isolation Valve (MSIV) closure events and loss of condenser vacuum. T3 events are those in which the PCS initially remains operational and allows for core heat to be removed as steam to the main condenser shortly after plant shutdown. Such events include turbine trips and IORV events. The T3 events were further subcategorized into three groups: IORV events, loss of feedwater events, and all other events of the T3 type.

While it was not within the scope of this study to perform a detailed analysis of a possible reactor vessel rupture as an initiating event, the possibility of such an occurrence has been considered. Instead, a review was conducted of previous work related to such a possibility to provide some insight as to the potential for such an event. Since, as a worst case, the initiator could preclude the ability to cool the core and hence define an accident sequence by itself, it is discussed as part of the Event Tree Section, 4.4, where accident sequences are defined in this report.

4.3.2 Support System and Special Initiators

Besides the traditional transient categories discussed above, a review was conducted to identify possible special initiators or support system failures acting as initiators. Two special initiators were identified and called TAC and TDC initiators. During the review of the Peach Bottom electrical design, it was noted that safety and non-safety loads are eventually shared off buses that ultimately derive their power from the 4160 VAC and 125/250 VDC safety buses. Loss of these buses could possibly cause a trip of the plant and simultaneous degradation of safety systems depending on the specific loads off each bus. While specific pathways to a plant trip were not explicitly identified for either the loss of a 4160 VAC or a 125/250 VDC safety bus, it was noted that an actual occurrence of the de-energization of a 4160 VAC safety bus on January 27, 1983 did indeed require a rapid shutdown of one of the units based on subsequent condenser water level anomalies. This fact and the sharing of safety and non-safety loads at Peach Bottom were used as sufficient argument to conservatively treat the loss of any of the above buses as a possible special initiator.

A search for other special initiators was also performed and included three major categories: loss of any service water system, loss of instrument air, and loss of heating and ventilation equipment.

The NSW system, Turbine Building Cooling Water (TBCW) system, Reactor Building Cooling Water (RBCW) system, ESW system, and HPSW system were reviewed as possible sources for special initiators. Possible pipe breaks, the potential for causing a plant trip, and effects on safety systems such as loss of cooling or flooding were considered during the review. While detailed analyses were not possible because of the resources available for the study, no special initiators worthy of examination involving these systems were identified. This is based in part on the generally sharp separation between safety and non-safety cooling water systems (ESW, HPSW, and RBCW are standby safety systems; NSW and TBCW are normally running non-safety systems) and, thus, the unlikely possibility of both a plant trip and degrading safety systems at the same time (see earlier discussion on a LOCA for the NSW system). Possibilities of flooding seem small based on the low pressure operation of these systems and their locations with respect to most other safety systems.

Loss of instrument air/nitrogen can cause a plant trip through the dependency of the PCS, drywell coolers, and area ventilation systems on air supplies. Air or nitrogen is also supplied to the following accident mitigating systems: (1) the Automatic Depressurization System (ADS) valves, (2) the Emergency Ventilation System (EVS) dampers which provide room cooling for the diesels, switchgear, and DC systems, (3) the CRD full flow path, (4) some containment vent valves used for containment venting, and (5) the MSIVs. However, the MSIVs and ADS valves can remain open for significant periods of time since they are backed by accumulators and other air/nitrogen supplies (these have been tested to show they reliably hold air to the valves for ~one hour). The critical EVS dampers fail open. The CRD system can achieve near full flow conditions without air through an alternate passive path. Containment vent valves each have a separate air bottle which could be used to operate the valve locally. Furthermore, HPCI, RCIC, LPCS, LPCI, and HPSW are available to operate given a loss of instrument air. These points, along with the expected low probability of loss of air/nitrogen as an initiator (from pipe break or the required failure of multiple compressors - note: Peach Bottom has additional diesel compressors besides the main compressors), were used to eliminate loss of air/nitrogen as a special initiator on probabilistic grounds. This finding is further supported by the conclusions in a report on the effects of a loss of instrument air [15] and based on a discussion with one of the principal authors of that report.

Finally, heating and ventilation systems were reviewed but discarded as possible special initiators. This is again based on the degree of separation in the design of these systems at Peach Bottom, the low heat loads in critical equipment areas such as the AC bus rooms, and the generally slow effects of loss of heating and ventilation equipment, which allow time for corrective action before a plant trip would occur. Also, PECO has performed analyses as part of the original FSAR questions to show that equipment in the control room, as an example, would not reach equipment qualification limits even with total loss of HVAC. In addition, Peach Bottom does not have a history of significant HVAC events.

4.3.3 Initiators Retained and Eliminated

Based on the above described process, the resulting list of initiators identified in Table 4.3-3 represents the initiators retained for analysis and hence the output of this task. These initiators form the categories of events which were examined to determine the possible accident sequences. Frequencies are also provided in the table for easy reference (see Section 4.9). Note that each initiator affects the plant differently or requires some change in the plant success criteria, as evidenced by Table 4.3-4. More information on the success criteria associated with each initiator is contained in Section 4.4, and the development of the criteria followed the guidelines provided in NUREG/CR-4550, Volume 1.

Table 4.3-5 provides a summary of other possible initiators that were considered but eliminated from further analysis in the Peach Bottom study. Included are the primary reasons for each elimination during this screening step in the analysis.

4.3.4 Initiating Event Assumptions

The following represent the primary assumptions used in the identification and categorization of initiating events for this analysis:

o All initiators are assumed to originate while the plant is at high power operation.

o Manual shutdown in an orderly manner is not included.

o The initiator list is reasonably complete. Disregarding external events, the wide range of sources used and the inclusion of actual operation history allows for a "reasonably complete" argument to be used. Any additional initiators would add further possibilities for core damage but should be of very low probability.

o Losses of Divisions A, B, C, or D of the 4160 VAC or 125/250 VDC safety buses are conservatively assumed to lead to a loss of the PCS (including condensate) and are included as TAC/x and TDC/x initiators, where "x" represents the divisional bus which is failed. Since explicit pathways for failing the PCS were not found for these bus losses (see Section 4.3.2), this analysis has taken a conservative stance by including these as possible initiators.

o The non-rigorous search for special initiators (due to resource constraints) adequately justifies the exclusion of such initiators except for TAC/x and TDC/x.

4.3.5 Initiating Event Nomenclature

This subsection addresses the nomenclature used to identify each type of initiator. Table 4.3-1 supplied earlier presents the initiators actually examined in the analysis. Other initiators were reviewed but excluded from this analysis effort. The nomenclature in the table defines the short-hand identification of each initiator that is used in the remainder of the report.
[Table 4.3-3 (initiators retained for analysis, with frequencies) and Table 4.3-4 (success criteria by initiator): table contents not recoverable from the scanned pages.]
Table 4.3-5 Initiators Reviewed and Eliminated From Further Analysis

INITIATOR TYPE | PRIMARY REASONS FOR ELIMINATION |
---|---|
LOCAs in Secondary Side of Plant | Isolation potential |
LOCAs in Mitigating Systems | Probability of occurrence; isolation potential; redundancy provided by other systems to prevent core damage |
Reactor Vessel Rupture | Qualitative discussion only |
Loss of Service Water Systems | Redundancy of systems; functional and spatial separation of normally operating vs. standby systems; probability of occurrence; isolation potential |
Loss of Instrument Air/Nitrogen | Ability of most key systems to adequately perform without air/nitrogen; probability of occurrence |
Loss of HVAC | Redundancy in equipment; relatively low heat loads in critical areas; slow effects allow recovery before plant trip; limited PECO analyses and historical performance |
4.4 Event Tree Analysis

The next task involved the identification of the possible accident sequences for each initiator. This was done using the event tree approach which is commonly used in Probabilistic Risk Assessments (PRAs). The event trees are logic diagrams at the system level of detail which represent the combinations of system successes and failures forming possible sequences of events following each initiator.

The philosophy behind the event tree analysis for Peach Bottom was to depict system successes and failures until the status of the core and containment are safe, vulnerable, or damaged and to display the status of other systems sufficiently to describe the plant damage states (see Section 4.11) applicable to each accident sequence. The construction of the event trees was performed using the knowledge and experience base already represented by other Boiling Water Reactor (BWR) PRAs and with consideration of the generic event trees created as part of earlier ASEP efforts. Two major expansions of previous BWR event tree work were included, however, in this study.

(1) Formal analysis was conducted for more systems capable of core and containment cooling than considered before. Specifically, credit for the Control Rod Drive (CRD) system and the High Pressure Service Water (HPSW) system as injection sources to the reactor vessel was explicitly included in the success criteria and treated in the event trees and accompanying analyses. In addition, the Shutdown Cooling (SDC), Suppression Pool Cooling (SPC), and Containment Spray (CS) modes of the Residual Heat Removal (RHR) system, as well as the latest containment venting procedures (called containment venting in the tree, Y), were explicitly analyzed.

(2) The event tree analyses explicitly displayed and covered possible system success and failure paths beyond successful containment venting or containment failure. Therefore, the success or failure probabilities associated with continued core cooling were explicitly and formally analyzed rather than assumed.

The above expansion features of the event tree analyses provide, in general, more realistic analyses subject to less overall conservatism than previous analyses. However, as will become evident in the following subsections, conservative assumptions were still included in portions of the analyses so that the core damage potential would not be inadvertently underestimated. The above features of the analyses tend to provide lower core damage frequencies for some sequences than the reader may be accustomed to seeing in analyses for plants of similar design.

The following subsections address other aspects of the event tree analyses. Section 4.11 introduces the subject of plant damage states into which the dominant accident sequences were binned. Overall assumptions for the event tree analyses and a discussion of system success criteria are contained in Section 4.3.5. Each event tree used in the Peach Bottom-2 analysis is then displayed by each tree. The reader is referred to Section 4.4.16 for the nomenclature used in the event tree headings and resulting sequence identifiers.

4.4.1 General Event Tree Assumptions

There are a number of assumptions which generally apply to the event tree analyses performed for Peach Bottom-2 regardless of the specific initiator being examined. These assumptions are listed below with brief explanations as required.

(1) Low Pressure Core Spray (LPCS), Low Pressure Coolant Injection (LPCI), and RHR (all modes) pumps are assumed to fail following successful containment venting or containment failure by overpressure/temperature conditions.

The suppression pool is assumed to reach near atmospheric saturated conditions shortly after either successful venting or containment failure. Partial boiling of the pool water is assumed to decrease the net positive suction head (NPSH) for the LPCS/LPCI/RHR pumps such that these pumps cavitate, if running, causing subsequent failure.

(2) LPCS/LPCI/RHR (all modes) pumps, which use the suppression pool for suction, will successfully operate using pool water at a temperature approaching 350°F (corresponding to saturation conditions near point of containment failure by overpressure).

This assumption is based on (a) the corresponding pressure conditions of the containment which will assure adequate NPSH, (b) the pump seals and bearings being cooled by the Emergency Service Water system, (c) the findings of General Electric as reported in Section 5 of Reference 16, and (d) the fact that the RHR pumps normally pump water approaching such temperatures during the early phases of plant shutdown.

(3) Loss of the Vapor Suppression System (VSS) was considered but eliminated from the event tree as relatively improbable.

Loss of the VSS function could affect the ability of the Mark I containment to withstand steam release from the primary system through either a break or the opening of Safety Relief Valves (SRVs). The three most probable failure mechanisms appear to be downcomer pipe failure, stuck open wetwell/drywell vacuum breakers, or a broken SRV tail pipe. Based on References 4 and 17, best estimates for downcomer pipe or SRV pipe failures are <1E-5 and ~1E-7, respectively. Additionally, discussions with containment analysis personnel suggest that wetwell/drywell vacuum breaker demand is not expected in most scenarios of interest. Considering these probabilities in the context of other system failure probabilities led to the conclusion that VSS failure could be excluded from further analysis.

(4) High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) will fail at pool temperatures of ~210-260°F.

In all the accidents of interest, the HPCI system will eventually switch suction source from the condensate storage tank to the suppression pool automatically on high pool water level. Following procedures at Peach Bottom, the operator switches the RCIC system when he sees HPCI switch [18]. Switching back requires overriding certain circuits and therefore would not normally be performed. If, while the systems are running, the pool water should reach the ~210-260°F range (nominally ~230°F), pump failure for both systems is assumed since these pumps are not externally cooled. This is supported, in part, by information supplied by Philadelphia Electric Company (PECO) [19].

(5) CRD in the enhanced mode (two pumps) is assumed to fail following reactor depressurization for SDC due to low NPSH.

The CRD system pumps water from the CST in the enhanced mode at approximately 200 gpm, which increases to near 300 gpm following reactor depressurization. The CST level is assumed to be too low at the time of reactor depressurization for SDC to prevent CRD pump cavitation due to insufficient NPSH.

In some event trees, the same event occurs more than once. A system may be successfully utilized in a sequence and later in the same sequence, following containment venting, may fail due to environmental conditions. In this analysis, credit is given for three injection systems (CRD (U4), Condensate (V1), High Pressure Service Water (V4)) to operate following the containment venting event (Y) in many of the event trees. If, in a particular event tree, the same injection system has been demanded before and after the containment venting event, then these events have different probabilities, although they have the same designation in the event tree. In this situation, the event demanded after containment venting refers to the survivability of the system, or its probability of successfully surviving containment venting. If the event is demanded only before containment venting, it refers to a hardware failure. If the event is demanded only after containment venting, it refers to hardware failure and survivability.
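The before/after-venting rule above, worked as an added example (not part of the original report): the code picks which failure probability applies to each injection heading according to where it is demanded relative to the venting event Y, then multiplies branch probabilities along one sequence. All numerical values are constructed for illustration; treating hardware failure and non-survival as independent, and treating a pre-venting demand as hardware failure even when the system is demanded again later, are assumptions of this example.

```python
"""Failure basis for repeated injection headings around containment venting.

Headings follow the text: U4 = CRD, V1 = Condensate, V4 = HPSW, Y = venting.
Every probability below is a constructed placeholder, not a report value.
"""

VENT = "Y"
INJECTION = {"U4", "V1", "V4"}

# Constructed sample data (assumptions of this example).
HARDWARE_FAIL = {"U4": 1e-2, "V1": 5e-2, "V4": 2e-2}   # fails on demand
NONSURVIVAL = {"U4": 0.3, "V1": 0.5, "V4": 0.1}        # does not survive venting
OTHER_FAIL = {"Y": 0.1}                                # non-injection headings


def failure_basis(headings, index):
    """Return which failure mode the heading at `index` represents.

    headings: ordered list of event-tree headings along one sequence.
    """
    event = headings[index]
    if event not in INJECTION:
        raise ValueError(f"{event} is not a credited injection system")
    if VENT not in headings:
        return "hardware"
    vent_pos = headings.index(VENT)
    if index < vent_pos:
        # Demanded before venting: hardware failure (assumed to hold
        # whether or not the system is demanded again after venting).
        return "hardware"
    if event in headings[:vent_pos]:
        # Same system already demanded before venting: the later heading
        # only asks whether it survives the venting environment.
        return "survivability"
    # First demanded after venting: it must both start and survive.
    return "hardware+survivability"


def branch_failure_probability(headings, index):
    """Failure probability of the injection heading at `index`."""
    event = headings[index]
    p_hw, p_ns = HARDWARE_FAIL[event], NONSURVIVAL[event]
    basis = failure_basis(headings, index)
    if basis == "hardware":
        return p_hw
    if basis == "survivability":
        return p_ns
    # Independence of the two failure modes is an assumption here.
    return 1.0 - (1.0 - p_hw) * (1.0 - p_ns)


def sequence_frequency(initiator_frequency, path):
    """Frequency of one sequence.

    path: ordered list of (heading, failed) pairs, failed being True for
    the failure branch and False for the success branch.
    """
    headings = [h for h, _ in path]
    freq = initiator_frequency
    for i, (heading, failed) in enumerate(path):
        if heading in INJECTION:
            p_fail = branch_failure_probability(headings, i)
        else:
            p_fail = OTHER_FAIL[heading]
        freq *= p_fail if failed else 1.0 - p_fail
    return freq


if __name__ == "__main__":
    # Constructed sequence: condensate works, venting succeeds, condensate
    # then fails to survive, and HPSW (first demanded after Y) also fails.
    path = [("V1", False), ("Y", False), ("V1", True), ("V4", True)]
    names = [h for h, _ in path]
    for i, h in enumerate(names):
        if h in INJECTION:
            print(i, h, failure_basis(names, i),
                  branch_failure_probability(names, i))
    print("sequence frequency:", sequence_frequency(1e-3, path))
```
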
Core damage in many sequences is described as early or late. Early core damage refers to sequences in which loss of all coolant injection occurs soon after the initiating event and for which recovery is not performed. A late core damage designation is found in the Tl tree for sequences in which station blackout occurs and either HPCI or RCIC is functional. Inj ection may continue in these sequences for a substantial amount of time before injection fails and core damage occurs. A sequence designated as containment vulnerable indicates conditions (temperature and pressure) in containment constitute a risk of containment failure unless containment heat removal is effected. 4.4-3 _ _ _ _ _ _ _ _ _ ]
4.4.2 Discussion of Success Criteria

The success criteria for the initiators of interest were presented earlier in Section 4.3.5. In the following subsections, the system success criteria for each initiator are presented again. The identification of initiators and the construction of the corresponding event trees is a very interactive process. Hence, many of the same information sources listed in Section 4.3 were used in the development of the success criteria and the event trees for each initiator [3-12].

Additional thermal-hydraulic analyses were performed for Anticipated Transients Without Scram (ATWS) scenarios as described in Section 4.4.15. For the most part, the other success criteria follow closely those used in the Limerick Probabilistic Safety Study [7] since Limerick and Peach Bottom have similar plant thermal ratings and similar emergency core cooling system designs and capacities. Any specific peculiarities in the criteria are noted for each initiator in subsequent subsections.

4.4.3 Large Loss of Coolant Accident (LOCA) Event Tree

This section contains information on the large LOCA event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.3.1 Success Criteria

A criterion specific to the large LOCA initiator is described below.

For scenarios where core cooling is successful up to the time of containment venting or containment failure: one Condensate, one HPSW, or two CRD pump operation is assumed to be adequate to continue successful core cooling. This is based on the low decay heat loads reached by that time (many hours) and the fact that only small flow rates should be required to maintain sufficient vessel inventory and adequate core cooling.

4.4.3.2 Event Tree

Figure 4.4-1 displays the event tree for the large LOCA initiator. The following discussions define the event tree headings and describe the sequences presented.

A bar over the event symbol or a slash preceding the event symbol both indicate success of the event.

The following event tree headings appear on the tree in the approximate chronological order that would be expected following a large LOCA.

A: Initiating event, large LOCA.

C: Success or failure of the Reactor Protection System (RPS). Success implies automatic scram by the control rods.

LOSP: Success or failure to maintain offsite power.

V2: Success or failure of the LPCS system. Success implies operation of any two of the four LPCS pumps through either or both LPCS injection lines.

V3: Success or failure of the LPCI mode of the RHR system. Success implies operation of one of four LPCI pumps through either LPCI injection line to the reactor vessel.

W1: Success or failure of RHR in the SPC mode. Success implies at least one RHR pump operating in the SPC mode with the appropriate heat exchanger in the loop along with the HPSW system in operation to the ultimate heat sink.

W3: Success or failure of RHR in the CS mode. Success implies at least one RHR pump operating in the CS mode with the appropriate heat exchanger in the loop along with the HPSW system in operation to the ultimate heat sink.

Y: Success or failure of containment venting. Success implies that the six-inch integrated leak test line or larger size line is open so as to prevent containment failure by overpressure. As necessary, water makeup is also eventually supplied to the suppression pool.

V1: Success or failure of the Condensate System. Success implies at least one pump operating with sufficient makeup to the condenser hotwell for a continuing water supply.

V4: Success or failure of the HPSW system in the inject mode to the reactor vessel through a LPCI injection line. Success implies manual operation of this injection source such that one HPSW pump successfully provides coolant to the reactor.

The following descriptions refer to the sequences found in Figure 4.4-1.

SEQUENCE 1 -- A*C*LOSP*V2*W1

Following the large LOCA (A), the RPS successfully inserts the rods into the core (/C). Offsite power remains available (/LOSP). High pressure cooling cannot be utilized because insufficient steam is available to run the turbines and LPCS is initiated to provide core coolant (/V2). The suppression pool temperature is increasing since residual heat from the reactor is being dumped to it. SPC is initiated to provide suppression pool cooling (/W1). With coolant makeup and containment overpressure protection provided, the core and containment are safe.

SEQUENCE 2 -- A*C*LOSP*V2*W1*W3

Same as Sequence 1 except containment overpressure protection is provided by the CSS mode of RHR (/W3) following the failure of SPC (W1).
[Figure 4.4-1. Event tree for the large LOCA initiator (graphic not recoverable from the scan).]
SEQUENCE 3 -- A*C*LOSP*V2*W1*W3*Y*V1

Same as Sequence 1 except both SPC (W1) and CSS (W3) fail. The subsequent pressure rise in containment is alleviated by containment venting (/Y). LPCS failure is assumed following containment venting due to insufficient NPSH for the LPCS pumps. The operator then initiates Condensate (/V1) to continue to cool the core.

SEQUENCE 4 -- A*C*LOSP*V2*W1*W3*Y*V1*V4

Same as Sequence 3 except HPSW provides core coolant (/V4) subsequent to Condensate failure (V1).

SEQUENCE 5 -- A*C*LOSP*V2*W1*W3*Y*V1*V4

Same as Sequence 4 except HPSW fails (V4) to cool the core. At this point all coolant makeup is lost, which leads to core damage in a vented containment.

SEQUENCES 6 TO 8

Same as Sequences 3 to 5 except containment venting fails (Y) leading to containment failure by overpressurization.

SEQUENCES 9 TO 16

Same as Sequences 1 to 8 except LPCS fails (V2) and LPCI provides initial low pressure coolant injection (/V3).

SEQUENCE 17 -- A*C*LOSP*V2*V3

Following the large LOCA (A), the RPS successfully inserts the rods into the core (/C). Offsite power remains available (/LOSP). LPCS and LPCI fail to provide low pressure core cooling, resulting in early core damage.

SEQUENCES 18 TO 19

Same as Sequences 1 and 2 except offsite power is not maintained (LOSP). Onsite power is established which enables LPCS to cool the core (/V2) and SPC (/W1) or CSS (/W3) to provide containment overpressure protection.

SEQUENCES 20 TO 21

Same as Sequences 4 and 5 except offsite power is lost (LOSP) and Condensate is therefore not available following successful containment venting.

SEQUENCES 22 TO 23

Same as Sequences 7 and 8 except offsite power is lost (LOSP) and Condensate is therefore not available following failure of containment venting.

SEQUENCES 24 TO 29

Same as Sequences 18 to 23 except LPCI provides initial low-pressure core cooling (/V3) following LPCS failure (V2).

SEQUENCE 30 -- A*C*LOSP*V2*V3

Same as Sequence 17 except offsite power is also lost (LOSP).

SEQUENCE 31 -- A*C

Following the large LOCA (A), the RPS fails to properly insert the rods into the core (C). The sequence is not developed further due to its low probability.
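The branching described in Sequences 1 to 31 can be written as a short enumerator that reproduces the sequence numbering. This is an added example, not part of the report; it uses the report's slash convention for success, and the function names and outcome labels are assumptions made for the illustration.

```python
# Added example: the large LOCA event tree rebuilt from the sequence
# descriptions. "/X" means success of event X, "X" means failure.
# Function names and outcome labels are illustrative assumptions.


def containment_paths(offsite_power_available):
    """Branches taken once early low-pressure injection has succeeded.

    Returns a list of (events, core outcome, containment state).
    """
    paths = [
        (["/W1"], "ok", "safe"),        # suppression pool cooling works
        (["W1", "/W3"], "ok", "safe"),  # containment spray backs up SPC
    ]
    for vent_event, containment in (("/Y", "vented"), ("Y", "failed")):
        head = ["W1", "W3", vent_event]
        late_failures = []
        if offsite_power_available:
            # Condensate (V1) is only asked when offsite power is available
            # (Sequences 20 to 23 drop it after a loss of offsite power).
            paths.append((head + ["/V1"], "ok", containment))
            late_failures = ["V1"]
        paths.append((head + late_failures + ["/V4"], "ok", containment))
        paths.append((head + late_failures + ["V4"], "core damage", containment))
    return paths


def large_loca_sequences():
    """Return [(number, designator, core outcome, containment state)]."""
    rows = []
    for losp in ("/LOSP", "LOSP"):
        base = ["A", "/C", losp]
        # LPCS (V2) is asked first; LPCI (V3) only if LPCS fails.
        for injection in (["/V2"], ["V2", "/V3"]):
            for events, core, containment in containment_paths(losp == "/LOSP"):
                rows.append((base + injection + events, core, containment))
        # Both low-pressure systems fail: early core damage.
        rows.append((base + ["V2", "V3"], "early core damage", "not stated"))
    # RPS failure is not developed further in the report.
    rows.append((["A", "C"], "not developed", "n/a"))
    return [
        (number, "*".join(events), core, containment)
        for number, (events, core, containment) in enumerate(rows, 1)
    ]


def core_damage_numbers():
    """Sequence numbers whose outcome is core damage (early or late)."""
    return [n for n, _, core, _ in large_loca_sequences() if "core damage" in core]


if __name__ == "__main__":
    for number, designator, core, containment in large_loca_sequences():
        print(f"{number:2d}  {designator:34s} {core:18s} {containment}")
```

Because the scan has lost the overbars on the sequence designators, the slash form printed here is the only way to tell Sequence 17 (`A*/C*/LOSP*V2*V3`) from Sequence 30 (`A*/C*LOSP*V2*V3`).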
4.4.4 Intermediate LOCA Event Tree

This section contains information on the intermediate LOCA event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.4.1 Success Criteria

A criterion specific to the intermediate LOCA initiator is described below.

For scenarios where core cooling is successful up to the time of containment venting or containment failure: one Condensate, one HPSW, or two CRD pump operation is assumed to be adequate to continue successful core cooling. This is based on the low decay heat loads reached by that time (many hours) and the fact that only small flow rates should be required to maintain sufficient vessel inventory and adequate core cooling.

4.4.4.2 Event Tree

Figure 4.4-2 displays the event tree for the intermediate LOCA initiator. The following discussions define the event tree headings and describe the sequences presented.

The following event tree headings appear on the tree in the approximate chronological order that would be expected following an intermediate LOCA. For convenience, high and then low pressure injection systems are shown first, followed by containment-related systems, and finally by systems capable of long-term continued coolant injection.
S1: Initiating event, intermediate LOCA.

C: Success or failure of the RPS. Success implies automatic scram by the control rods.

LOSP: Success or failure to maintain offsite power.

U1': Success or failure of the HPCI system. Success implies operation of the HPCI system for 2 hours until low primary system pressure causes isolation of HPCI either automatically or manually. U1' refers to the HPCI system without pump room ventilation.

X1: Success or failure of primary system depressurization. Success implies automatic or manual operation of the Automatic Depressurization System (ADS) or manual operation of other SRVs such that three valves or more are opened allowing low pressure injection. An intermediate LOCA may blow the vessel down sufficiently fast to preclude X1 operation.

V2: Success or failure of the LPCS system. Success implies operation of any two of the four LPCS pumps through either or both LPCS injection lines.

V3: Success or failure of the LPCI mode of the RHR system. Success implies operation of one of four LPCI pumps through either LPCI injection line to the reactor vessel.

V4: Success or failure of the HPSW system in the inject mode to the reactor vessel through a LPCI injection line. Success implies manual operation of this injection source such that one HPSW pump successfully provides coolant to the reactor.

W1, W3: Success or failure of the RHR in the SPC mode or CS mode, respectively. Success implies at least one RHR pump operating in either the SPC or CS mode with the appropriate heat exchanger in the loop along with the HPSW in operation to the ultimate heat sink.

Y: Success or failure of containment venting. Success implies that the six-inch integrated leak test line or larger is open so as to prevent containment failure by overpressure. As necessary, water makeup is also eventually supplied to the suppression pool.

V1: Success or failure of the Condensate system. Success implies at least one pump operating with sufficient makeup to the condenser hotwell for a continuing water supply.

The following descriptions refer to the sequences found in Figure 4.4-2.
[Figure 4.4-2. Event tree for the intermediate LOCA initiator (graphic not recoverable from the scan).]
SEQUENCE 1 -- S1*C*LOSP*U1'*V2*W1

Following the intermediate LOCA (S1), the RPS successfully inserts the rods into the core (/C). Offsite power remains available (/LOSP) and HPCI (/U1') initially provides core coolant. The primary pressure decreases and steam is lost through the break, which eventually fails HPCI. LPCS is initiated to continue core cooling (/V2). Residual heat from the reactor is being transferred to the suppression pool. SPC is successfully initiated (/W1). With LPCS and SPC providing adequate coolant makeup and containment overpressure protection, the core and containment are safe.

SEQUENCE 2 -- S1*C*LOSP*U1'*V2*W1*W3

Same as Sequence 1 except CSS (/W3) provides containment overpressure protection following the failure of SPC (W1).

SEQUENCE 3 -- S1*C*LOSP*U1'*V2*W1*W3*Y*V1

Same as Sequence 1 except SPC (W1) and CSS (W3) fail to function, which causes the pressure to increase in containment. Containment venting is successful (/Y) which causes the LPCS pumps to fail due to low NPSH. Condensate is initiated (/V1) for coolant makeup resulting in no core damage in a vented containment.

SEQUENCE 4 -- S1*C*LOSP*U1'*V2*W1*W3*Y*V1*V4

Same as Sequence 3 except Condensate fails (V1) and HPSW is initiated to supply coolant makeup (/V4).

SEQUENCE 5 -- S1*C*LOSP*U1'*V2*W1*W3*Y*V1*V4

Same as Sequence 4 except HPSW fails to provide coolant makeup (V4), resulting in core damage in a vented containment.

SEQUENCE 6 -- S1*C*LOSP*U1'*V2*W1*W3*Y*V1

Same as Sequence 3 except containment venting fails (Y) following the loss of containment cooling resulting in a pressure rise in containment which leads to containment failure. This fails LPCS due to low NPSH. Condensate is initiated to provide coolant makeup (/V1). This results in no core damage in a failed containment.

SEQUENCE 7 -- S1*C*LOSP*U1'*V2*W1*W3*Y*V1*V4

Same as Sequence 6 except HPSW provides coolant makeup (/V4) subsequent to Condensate failure (V1).
SEQUENCE 8 -- S1*C*LOSP*U1'*V2*W1*W3*Y*V1*V4

Same as Sequence 6 except both Condensate (V1) and HPSW (V4) fail to provide coolant makeup resulting in core damage in a failed containment.

SEQUENCES 9 TO 16

Same as Sequences 1 to 8 except early low-pressure coolant makeup is provided by LPCI (/V3) following failure of LPCS (V2).

SEQUENCES 17 TO 24

Same development as Sequences 9 to 16 except HPSW provides early low-pressure coolant makeup (/V4) following LPCI (V3) failure. HPSW demanded following containment venting refers to survivability.

SEQUENCE 25 -- S1*C*LOSP*U1'*V2*V3*V4

Same as Sequence 1 except all efforts to establish early low-pressure core cooling with LPCS (V2), LPCI (V3) and HPSW (V4) fail, resulting in early core damage in a vulnerable containment.

SEQUENCES 26 TO 50

Same development as Sequences 1 to 25 except HPCI fails to initiate (U1') which requires depressurization of the primary system (/X1) to allow the low-pressure systems to provide coolant makeup.

SEQUENCE 51 -- S1*C*LOSP*U1'*X1

Same as Sequence 1 except HPCI fails to initiate (U1') and depressurization of the primary system is unsuccessful (X1), disabling the low-pressure core coolant systems, leading to early core damage in a vulnerable containment.

SEQUENCES 52 TO 57

Same development as Sequences 1 to 8 except offsite power is lost (LOSP) early in the sequence and onsite emergency power is provided by the diesel generators. Since offsite power is not available, condensate cannot be asked after the containment venting event, resulting in six sequences instead of eight.

SEQUENCES 58 TO 63

Same development as Sequences 52 to 57 except LPCI provides early coolant makeup (/V3) following LPCS failure (V2).
SEQUENCES 64 TO 69

Same development as Sequences 58 to 63 except HPSW provides early coolant makeup (/V4) following LPCI (V3) failure. HPSW demanded following containment venting refers to survivability.

SEQUENCE 70 -- S1*C*LOSP*U1'*V2*V3*V4

Following the intermediate LOCA (S1), the RPS successfully inserts the rods into the core (/C). Offsite power is lost (LOSP) and onsite power is established. HPCI provides coolant makeup (/U1') until the pressure in the primary reduces sufficiently to initiate the low-pressure coolant systems. LPCS (V2), LPCI (V3) and HPSW (V4) fail to operate, resulting in early core damage in a vulnerable containment.

SEQUENCES 71 TO 89

Same as Sequences 52 to 70 except HPCI fails to provide early coolant makeup (U1'), followed by successful depressurization (/X1) of the primary system to enable low-pressure systems to initiate.

SEQUENCE 90 -- S1*C*LOSP*U1'*X1

Following the intermediate LOCA (S1), the RPS successfully inserts the rods into the core (/C). Offsite power is lost (LOSP) and onsite power is established. HPCI fails to provide coolant makeup (U1') followed by unsuccessful primary system depressurization (X1). This disables all low-pressure coolant systems, resulting in early core damage in a vulnerable containment.

SEQUENCE 91 -- S1*C

The RPS does not respond (C) to the intermediate LOCA and the sequence is not developed further due to a low probability.

4.4.5 Small LOCA Event Tree

This section contains information on the small LOCA event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.5.1 Success Criteria

Two criteria specific to the small LOCA initiator are described below.

(1) For scenarios in which core cooling has been provided for a period of a few hours or more, two CRD pump operation is considered adequate for continued success of core cooling should the other cooling systems then fail. This is based on the low decay heat levels and relatively small flow rates required by that time to make up for the small break.

(2) For scenarios in which core cooling is successful up to the time of containment venting or containment failure, two CRD pumps or depressurization with operation of either one Condensate or one HPSW pump is considered to be adequate to continue successful core cooling.

4.4.5.2 Event Tree

Figure 4.4-3 displays the event tree for the small LOCA initiators. The following discussions define the event tree headings and describe the sequences presented.

The following event tree headings appear on the tree in the approximate chronological order that would be expected following a small LOCA. For convenience, the Residual Heat Removal (RHR) containment cooling choices are shown early in the tree to decrease the size of the event tree. Otherwise, the tendency is to show high and then low pressure injection systems, followed by containment venting, and finally long-term continued core cooling possibilities.

S2: Initiating event, small LOCA.

C: Success or failure of the RPS. Success implies automatic scram by the control rods.

LOSP: Success or failure to maintain offsite power.

Q1: Success or failure of the Power Conversion System (PCS). Success implies operation of the balance of plant by removing heat through at least one Main Steam Isolation Valve (MSIV) with operation of the condenser and circulating water system as well as one feedwater train.

U1: Success or failure of the HPCI system. Success implies operation of the HPCI pump train so as to maintain sufficient coolant injection.

U2: Success or failure of the RCIC system. Success implies operation of the RCIC pump train so as to maintain sufficient coolant injection.

X1: Success or failure of primary system depressurization. Success implies automatic or manual operation of the ADS or manual operation of other SRVs such that three valves or more are opened allowing low pressure injection.
V1: Success or failure of the Condensate system. Success implies at least one pump operating with sufficient makeup to the condenser hotwell for a continuing water supply.

V2: Success or failure of the LPCS system. Success implies operation of any two of the four LPCS pumps through either or both LPCS injection lines. Conservative requirement since a small LOCA requires less makeup than two pumps provide.

V3: Success or failure of the LPCI mode of the RHR system. Success implies operation of one of four LPCI pumps through either LPCI injection line to the reactor vessel.

V4: Success or failure of the HPSW system in the inject mode to the reactor vessel through a LPCI injection line. Success implies manual operation of this injection source such that one HPSW pump successfully provides coolant to the reactor.

W1, W3: Success or failure of the RHR system in the SPC mode or CS mode, respectively. Success implies at least one RHR pump operating in either the SPC or CS mode with the appropriate heat exchanger in the loop along with the HPSW system in operation to the ultimate heat sink.

U4: Success or failure of the CRD system as an injection source. Success implies one pump operation.

Y: Success or failure of containment venting. Success implies that the six-inch integrated leak test line or larger size line is open so as to prevent containment failure by overpressure. As necessary, water makeup is also eventually supplied to the suppression pool.

R: Success or failure of the containment to withstand overpressurization. Success implies the containment ruptures before core damage.

X3: Success or failure of primary system depressurization. Success implies automatic or manual operation of ADS occurs subsequent to an initial depressurization to allow low pressure coolant injection.

The following descriptions refer to the sequences found in Figure 4.4-3.
SEQUENCE 1 -- S2*C*LOSP*Q1

A small LOCA (S2) generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP) and the PCS functions to remove heat from the core (/Q1), resulting in no core damage in a safe containment.

SEQUENCE 2 -- S2*C*LOSP*Q1*U1*W1

Same as Sequence 1 except the PCS fails (Q1), HPCI is initiated to provide core coolant (/U1), and SPC provides containment overpressure protection (/W1).
[Figure 4.4-3. Event tree for the small LOCA initiators (graphic not recoverable from the scan).]
SEQUENCE 3-1 -- S2*C*LOSP*Q1*U1*W1*W3*U4

Same as Sequence 2 except containment overpressure protection fails with SPC (W1) and CSS (/W3) is initiated. HPCI fails due to high suppression pool temperature reached before CSS is initiated and CRD is initiated to provide coolant makeup (/U4).

SEQUENCES 3-2 TO 3-5

Same as Sequence 3-1 except CRD fails (U4) and the primary system is depressurized (/X1) to allow the low-pressure coolant systems to cool the core. Either Condensate (/V1), LPCS (/V2), LPCI (/V3) or HPSW (/V4) functions to cool the core.

SEQUENCE 3-6 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1*V1*V2*V3*V4

Same as Sequence 3-2 except all low-pressure core coolant systems fail (Condensate, LPCS, LPCI, HPSW) resulting in core damage in a vulnerable containment.

SEQUENCE 3-7 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1

Same as Sequence 3-1 except CRD fails to provide coolant makeup (U4) and subsequent primary system depressurization is unsuccessful (X1). Since all low-pressure cooling systems are disabled, core damage results in a vulnerable containment.

SEQUENCE 4-1 -- S2*C*LOSP*Q1*U1*W1*W3*U4*Y*U4'

Same as Sequence 2 until both SPC (W1) and CSS (W3) fail to provide containment overpressure protection. HPCI eventually trips on high suppression pool temperatures (U1) and CRD is initiated (/U4). High containment pressure is reduced by containment venting (/Y). CRD survives the venting event and continues to provide coolant makeup, resulting in no core damage in a vented containment.

SEQUENCES 4-2 TO 4-3

Same as Sequence 4-1 except CRD does not survive containment venting (U4) and the primary system is depressurized (/X1) to allow Condensate (/V1) or HPSW (/V4) to continue core cooling.

SEQUENCE 4-4 -- S2*C*LOSP*Q1*U1*W1*W3*U4*Y*U4'*X3*V1*V4

Same as Sequence 4-3 except both Condensate (V1) and HPSW (V4) fail to provide core cooling, resulting in core damage in a vented containment.
SEQUENCE 4-5 -- S2*C*LOSP*Q1*U1*W1*W3*U4*Y*U4'*X3

Same as Sequence 4-2 except reactor depressurization is unsuccessful (X3), precluding the use of any low-pressure coolant systems, resulting in core damage in a vented containment.

SEQUENCES 4-6 TO 4-10

Same as Sequences 4-1 to 4-5 except containment venting is unsuccessful (Y) and overpressurization soon causes containment failure. All sequence outcomes are the same except the containment is not vented but failed.

SEQUENCE 4-11 -- S2*C*LOSP*Q1*U1*W1*W3*U4*Y*R*U4'

Same as Sequence 4-1 except containment venting is unsuccessful (Y) and rupture of the containment does not occur (R), although a leak in the containment has developed. CRD survives and continues to provide core coolant resulting in no core damage in a leaking containment.

SEQUENCE 4-12 -- S2*C*LOSP*Q1*U1*W1*W3*U4*Y*R*U4'

Same as Sequence 4-11 except CRD does not survive the containment overpressurization and leak, resulting in core damage in a leaking containment.

SEQUENCES 4-13 TO 4-16

Same as Sequences 4-2 to 4-5 except CRD injection fails (U4) following HPCI failure, the primary system is depressurized (/X1), and Condensate continues core cooling (/V1) prior to venting.

SEQUENCES 4-17 TO 4-20

Same as Sequences 4-13 to 4-16 except containment venting fails (Y) and the containment ruptures (/R).

SEQUENCE 4-21 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1*V1*Y*R

Same as Sequences 4-17 to 4-20 except the containment does not rupture (R) but only leaks following failure of containment venting. Increasing containment pressure eventually causes closure of the SRVs and a pressure rise in the vessel which precludes low pressure cooling, and core damage results in a leaking containment.
SEQUENCE 4-22 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1*V1*V2*Y*X3*V4

A small LOCA (S2) occurs which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP) and the PCS fails to remove heat from the core (Q1). HPCI is initiated for coolant makeup (/U1). Containment overpressure protection fails using SPC (W1) and CSS (W3), which eventually fails HPCI due to high suppression pool temperatures. CRD fails to supply sufficient makeup (U4) and the primary system is depressurized (/X1). Condensate fails (V1) followed by successful operation of LPCS (/V2) to cool the core. High containment pressure is alleviated by containment venting (/Y), which fails LPCS due to low NPSH. The reactor is again depressurized (/X3) and HPSW continues core cooling (/V4), resulting in no core damage in a vented containment.

SEQUENCE 4-23 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1*V1*V2*Y*X3*V4

Same as Sequence 4-22 except HPSW fails to initiate (V4) following containment venting, at which point all coolant makeup is lost, resulting in core damage in a vented containment.

SEQUENCE 4-24 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1*V1*V2*Y*X3

Same as Sequence 4-22 except reactor depressurization following containment venting is unsuccessful (X3), precluding the use of HPSW, resulting in core damage in a vented containment.

SEQUENCES 4-25 TO 4-27

Same as Sequences 4-22 to 4-24 except containment venting is unsuccessful (Y) and the containment ruptures (/R).

SEQUENCE 4-28 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1*V1*V2*Y*R

Same as Sequences 4-25 to 4-27 except the containment does not rupture (R) following containment venting which recloses the SRVs and precludes reactor depressurization and HPSW initiation, resulting in core damage in a leaking containment.

SEQUENCES 4-29 TO 4-35

Same as Sequences 4-22 to 4-28 except LPCS fails (V2) prior to containment venting and LPCI provides coolant makeup (/V3).

SEQUENCES 4-36 TO 4-42

Same as Sequences 4-29 to 4-35 except LPCI also fails (V3) and HPSW provides coolant makeup (/V4) prior to containment venting.
SEQUENCE 4-43 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1*V1*V2*V3*V4
Same as Sequences 4-36 to 4-42 except HPSW fails (V4), which leaves no system available for coolant makeup, resulting in core damage in a vulnerable containment.

SEQUENCE 4-44 -- S2*C*LOSP*Q1*U1*W1*W3*U4*X1
Same as Sequence 4-22 until reactor depressurization is unsuccessful (X1) following CRD failure. All low-pressure coolant makeup is now lost, which leads to core damage in a vulnerable containment.

SEQUENCES 5 TO 7
Same as Sequences 2 to 4 except RCIC provides early high-pressure coolant makeup (/U2) following HPCI failure (U1).

SEQUENCES 8 TO 9
A small LOCA (S2) occurs which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP) and the PCS fails to remove heat from the core (Q1). HPCI (U1) and RCIC (U2) fail to provide high-pressure coolant makeup. The reactor is depressurized (/X1) and Condensate successfully provides coolant makeup (/V1). Containment overpressure protection is provided by SPC (/W1) or CSS (/W3), resulting in no core damage in a safe containment.

SEQUENCE 10-1 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*U4'
Same as Sequence 8 until SPC (W1) and CSS (W3) fail to provide containment overpressure protection, resulting in the eventual loss of Condensate due to high primary system pressure, which occurs after SRVs shut on high containment pressure. CRD is initiated (/U4) to cool the core. High containment pressure is alleviated by venting (/Y). CRD continues to cool the core (/U4') resulting in no core damage in a vented containment.

SEQUENCES 10-2 TO 10-3
Same as Sequence 10-1 except CRD does not survive containment venting (U4'), the reactor is depressurized (/X3), and Condensate (/V1) or HPSW (/V4) provides coolant makeup.

SEQUENCE 10-4 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*U4'*X3*V1*V4
Same as Sequence 10-2 except Condensate (V1) and HPSW (V4) fail, at which point all coolant makeup is lost, resulting in core damage in a vented containment.
SEQUENCE 10-5 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*U4'*X3
Same as Sequence 10-1 except CRD does not survive containment venting (U4') and reactor depressurization is unsuccessful (X3), leading to core damage in a vented containment.

SEQUENCES 10-6 TO 10-10
Same as Sequences 10-1 to 10-5 except the containment is not vented (Y) and eventually ruptures (/R).

SEQUENCE 10-11 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*R*U4'
Same as Sequence 10-6 until the containment does not rupture but forms a leak, which does not affect CRD operation, resulting in no core damage in a leaking containment.

SEQUENCE 10-12 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*R*U4'
Same as Sequence 10-11 except CRD does not operate following the leak in containment (U4), resulting in core damage in a vulnerable containment.

SEQUENCES 10-13 TO 10-14
Same as Sequence 10-1 until CRD fails to initiate (U4) following the loss of Condensate. The containment is vented (/Y) to relieve the pressure and following reactor depressurization (X3), Condensate (/V1) or HPSW (/V4) provides core coolant, resulting in no core damage in a vented containment.

SEQUENCE 10-15 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*X3*V1*V4
Same as Sequence 10-13 except both Condensate (V1) and HPSW (V4) fail, leaving no system available for coolant makeup, resulting in core damage in a vented containment.

SEQUENCE 10-16 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*X3
Same as Sequence 10-13 except reactor depressurization is unsuccessful (X3) following containment venting, which leaves Condensate and HPSW unavailable for coolant makeup, resulting in core damage in a vented containment.

SEQUENCES 10-17 TO 10-20
Same as Sequences 10-13 to 10-16 except containment venting is unsuccessful (Y), leaving the containment overpressurized, resulting in eventual rupture of the containment (/R).
SEQUENCE 10-21 -- S2*C*LOSP*Q1*U1*U2*X1*V1*W1*W3*U4*Y*R
Same as Sequence 10-17 until the containment does not rupture (R), and core damage results in a vulnerable containment.

SEQUENCES 11 TO 12
Same as Sequences 8 to 9 except LPCS provides coolant makeup (/V2) following Condensate failure (V1).

SEQUENCE 13-1 -- S2*C*LOSP*Q1*U1*U2*X1*V1*V2*W1*W3*U4*Y*U4'
Same as Sequence 11 until containment cooling with SPC (W1) and CSS (W3) fails. High containment pressure eventually closes the SRVs, which allows the primary system pressure to increase, resulting in the loss of LPCS (V2). CRD is successfully initiated in the one pump mode (/U4) to continue coolant makeup. Containment overpressure protection is accomplished by containment venting (/Y). CRD continues to provide coolant makeup (/U4'), resulting in no core damage in a vented containment.

SEQUENCE 13-2 -- S2*C*LOSP*Q1*U1*U2*X1*V1*V2*W1*W3*U4*Y*U4'*X3*V4
Same as Sequence 13-1 except CRD does not survive containment venting (U4'), the reactor is depressurized (/X3) to allow HPSW to continue coolant makeup (/V4).

SEQUENCES 13-3 TO 13-4
Same as Sequence 13-2 except either HPSW fails (V4) or reactor depressurization fails (X3), leaving no systems available for coolant makeup, resulting in core damage in a vented containment.

SEQUENCES 13-5 TO 13-8
Same as Sequences 13-1 to 13-4 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 13-9 -- S2*C*LOSP*Q1*U1*U2*X1*V1*V2*W1*W3*U4*Y*R*U4'
Same as Sequence 13-5 until the containment does not rupture (R) but develops a leak. CRD continues to provide coolant makeup (/U4'), resulting in no core damage in a leaking containment.
SEQUENCE 13-10 -- S2*C*LOSP*Q1*U1*U2*X1*V1*V2*W1*W3*U4*Y*R*U4'
Same as Sequence 13-9 except CRD does not continue to operate following the leak in containment (U4), resulting in core damage in a vulnerable containment.

SEQUENCE 13-11 -- S2*C*LOSP*Q1*U1*U2*X1*V1*V2*W1*W3*U4*Y*X3*V4
Same as Sequence 13-1 except CRD fails to initiate (U4) following the loss of LPCS. The containment is vented (/Y) and the primary system is depressurized (X3) to allow HPSW to provide coolant makeup (V4), resulting in no core damage in a vented containment.

SEQUENCES 13-12 TO 13-13
Same as Sequence 13-11 except either HPSW fails (V4) or reactor depressurization is unsuccessful (X3), leaving no core coolant system available, resulting in core damage in a vented containment.

SEQUENCES 13-14 TO 13-16
Same as Sequences 13-11 to 13-13 except containment venting fails (Y) and the containment ruptures (/R).

SEQUENCE 13-17 -- S2*C*LOSP*Q1*U1*U2*X1*V1*V2*W1*W3*U4*Y*R
Same as Sequence 13-14 until the containment does not rupture (R), causing closure of the SRVs and hence no low pressure cooling, resulting in core damage in a vulnerable containment.

SEQUENCES 14 TO 16
Same as Sequences 11 to 13 except LPCI provides early low-pressure coolant makeup (/V3) following LPCS failure (V2).

SEQUENCES 17 TO 19
Same as Sequences 14 to 16 except HPSW provides early low-pressure coolant makeup (/V4) following LPCI failure (V3).

SEQUENCE 20 -- S2*C*LOSP*Q1*U1*U2*X1*V1*V2*V3*V4
Same as Sequence 17 except HPSW fails to operate (V4). At this point all core coolant systems are lost, resulting in early core damage in a vulnerable containment.
SEQUENCE 21 -- S2*C*LOSP*Q1*U1*U2*X1
Following the small LOCA (S2) and successful reactor scram (/C), offsite power is maintained (/LOSP). The PCS fails to remove heat from the core (Q1). Both high-pressure injection systems, HPCI (U1) and RCIC (U2), fail to operate. Depressurization of the reactor is unsuccessful (X1), which leaves no system available for coolant makeup, resulting in early core damage in a vulnerable containment.

SEQUENCES 22 TO 38
Same as Sequences 2 to 21 except offsite power is not maintained (LOSP) early in the sequence. Onsite emergency power is utilized for core cooling systems, with the exception of the Condensate system, which requires offsite power to operate. All sequence outcomes are the same, except the success paths for Condensate events in the tree are eliminated.

SEQUENCE 39 -- S2*C
The RPS fails to scram the reactor (C) following the small LOCA (S2). This sequence has a low probability and is not developed further.

4.4.6 Small-Small (Recirculation Pump Seal) LOCA Event Tree

This section contains information on the small-small LOCA event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.6.1 Introduction

The recirculation pump seal LOCA (S3) was treated as either a small (S2) liquid LOCA or a transient with PCS initially available (T3A) depending on early actions of the operator (see Table 4.3-4 for corresponding success criteria). Experience suggests that the small-small LOCA category is dominated by recirculation pump seal failures. Such a leak would be easily identifiable for two reasons. First, the sources of such leaks are well-instrumented on recirculation pumps. Secondly, the Peach Bottom Emergency Procedure Guidelines (EPGs) call for the operator to first suspect a pump seal leak if drywell pressure begins to rise or unidentified leakage is detected. Procedures call for slowdown of the problem pump and then isolation of the pump. PCS operation would probably not be interrupted and power operation could possibly continue for a period of time.

4.4.6.2 Event Tree

The Small-Small LOCA event tree is depicted by Figure 4.4-4. The S3 LOCA analysis and the corresponding event tree assume that conditions proceed to the need for a reactor scram. Otherwise, if the operator should detect and isolate the leak before a reactor trip, the plant simply "rides" through the event resulting in no real challenge to the plant.
[Figure 4.4-4. Small-Small LOCA Event Tree (graphic not reproduced)]
The events in the tree include the following:

S3: Initiating event, small-small LOCA (~50-to-100 gpm maximum).

C: Success or failure of the Reactor Protection System (RPS). Success implies scram by the control rods.

L: Success or failure of leak detection and isolation. Success implies the operator detects and isolates the leaky pump thus stopping the LOCA. With the reactor scrammed, the event becomes a transient with PCS most likely available.

The course of events then follows the S2 LOCA or T3A transient tree as shown. See those tree descriptions for more information.

The following descriptions refer to the sequences found in Figure 4.4-4.

SEQUENCE 1 -- S3*C*L
A small-small LOCA occurs (S3) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). The operators isolate the leak (/L) and the sequence transfers to the T3A tree.

SEQUENCE 2 -- S3*C*L
Same as Sequence 1 except the operator fails to detect the leak and the sequence transfers to the S2 tree.

SEQUENCE 3 -- S3*C
Following the small-small LOCA (S3), the RPS fails to scram the reactor and the sequence is not developed further since the probability of such a sequence (including additional failures which must occur to result in core damage) is sufficiently low.

4.4.7 Loss of Offsite Power Event Tree

This section contains information on the loss of offsite power event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.7.1 Success Criteria

Two criteria specific to the loss of offsite power initiator are described below.

(1) For scenarios in which core cooling has been provided for a period of approximately 6-8 hours or more, one CRD pump operation is considered adequate for continued success of core cooling. This is based on the low decay heat levels reached by that time with no significant breach of the primary system. While the CRD failure model explicitly treats only the two pump criteria for success, single pump operation was treated as success during these long-term scenarios by eliminating (by hand) failures of the CRD system which would fail only one pump.

(2) For scenarios in which core cooling is successful up to the time of containment venting or containment failure, one CRD pump or depressurization with one HPSW pump operation is considered to be adequate to continue successful core cooling.

4.4.7.2 Event Tree

Figure 4.4-5 displays the event tree for the loss of offsite power initiator. The entire PCS, Feedwater, and Condensate systems are not shown in the tree since loss of offsite power also prevents operation of these systems. Should offsite power be restored, these systems could be used to mitigate the event. The following discussions define the event tree headings and describe the sequences presented.

The following event tree headings appear on the tree in the approximate chronological order that would be expected following a loss of offsite power. For convenience, the RHR containment cooling choices are shown early in the tree to decrease the size of the event tree. Otherwise, the tendency is to show high and then low pressure injection systems, followed by containment venting, and finally long-term continued core cooling possibilities. In addition, onsite AC power restoration is shown as a specific event so that station blackout sequences can be explicitly depicted.

T1: Initiating event, loss of offsite power.

C: Success or failure of the RPS. Success implies automatic scram by the control rods.

M: Success or failure of Reactor Coolant System (RCS) overpressure protection (if required) by automatic operation of the SRVs. Success implies prevention of RCS overpressure so as to avoid damage to the primary system.
P: Success or failure associated with reclosing of any SRVs which should open in response to reactor vessel pressure rises throughout the sequence. Success implies reclosure of all valves when vessel pressure drops below the closure setpoints. P1, P2 and P3 refer to the failure to reclose one, two and three SRVs, respectively.

B: Success or failure of the onsite AC power system (diesel generators and associated equipment and emergency buses) in response to the loss of offsite power. Success implies operation of at least one emergency AC power division so that AC-powered mitigating systems can be utilized. Failure implies loss of all AC, or station blackout.

U1: Success or failure of the HPCI system. Success implies operation of the HPCI pump train so as to maintain sufficient coolant injection. U1' refers to the HPCI system without pump room ventilation.

U2: Success or failure of the RCIC system. Success implies operation of the RCIC pump train so as to maintain sufficient coolant injection. U2' refers to the RCIC system without pump room ventilation.

X1: Success or failure of primary system depressurization. Success implies automatic or manual operation of the ADS or manual operation of other SRVs such that three valves or more are opened allowing low pressure injection.

U3: Success or failure of the CRD system as an injection source. Success implies two pump operation.

V2: Success or failure of the LPCS system. Success implies operation of any two of the four LPCS pumps through either or both LPCS injection lines.

V3: Success or failure of the LPCI mode of the RHR system. Success implies operation of one of four LPCI pumps through either LPCI injection line to the reactor vessel.

V4: Success or failure of the HPSW system in the inject mode to the reactor vessel through a LPCI injection line. Success implies manual operation of this injection source such that one HPSW pump successfully provides coolant to the reactor.

W1, W2, W3: Success or failure of the RHR system in the SPC, SDC, or CS mode, respectively. Success implies at least one RHR pump operating in any one of the three modes with the appropriate heat exchanger in the loop along with the HPSW system in operation to the ultimate heat sink.

X2: Success or failure of primary system depressurization. Success implies automatic or manual operation of any three of eleven ADS valves to allow the SDC mode of RHR to be initiated.

U4: Success or failure of the CRD system as an injection source. Success implies operation in the one pump mode.

Y: Success or failure of containment venting. Success implies that the six inch integrated leak test line or larger size line is open so as to prevent containment by overpressure. As necessary, water makeup is also eventually supplied to the suppression pool.

R: Success or failure of the containment to withstand overpressurization. Success implies the containment ruptures before core damage.

X3: Success or failure of primary system depressurization. Success implies automatic or manual operation of ADS occurs subsequent to initial depressurization to allow low pressure coolant injection.

The following descriptions refer to the sequences found in Figure 4.4-5.

SEQUENCE 1 -- T1*C*M*P*B*U1*W1
A loss of offsite power occurs (T1) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). The SRVs properly cycle to control reactor pressure (/M, /P) and onsite emergency AC power is established (/B). HPCI is initiated (/U1) for core cooling and SPC is initiated (/W1) for containment overpressure protection, resulting in a safe core and containment.

SEQUENCE 2 -- T1*C*M*P*B*U1*W1*X2*W2
Same as Sequence 1 but SPC fails to provide containment overpressure protection (W1) and SDC is initiated (/W2) following reactor depressurization (/X2).

SEQUENCES 3-1 TO 3-4
Same as Sequence 2 except SDC fails (W2) and CSS continues to provide containment overpressure protection (/W3). HPCI has failed due to high suppression pool temperatures and either CRD (/U4), LPCS (/V2), LPCI (/V3) or HPSW (/V4) continues core cooling.

SEQUENCE 3-5 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*V2*V3*V4
Same as Sequences 3-1 to 3-4 except CRD (U4), LPCS (V2), LPCI (V3) and HPSW (V4) fail, leaving no system available to cool the core, resulting in core damage in a vulnerable containment.

SEQUENCE 4-1 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*Y*U4'
Same as Sequence 2 except SDC fails (W2), followed by CSS failure (W3), leaving the containment without overpressure protection. HPCI eventually fails due to high suppression pool temperatures and CRD is initiated (/U4). The containment is successfully vented (/Y) and CRD continues to provide core coolant (/U4'), resulting in no core damage in a vented containment.
[Figure 4.4-5. Loss of Offsite Power Event Tree (graphic not reproduced)]
SEQUENCE 4-2 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*Y*U4'*X3*V4
Same as Sequence 4-1 except CRD fails during containment venting (U4'). Prior to containment venting, due to the loss of containment overpressure protection, high containment pressure forces the SRVs closed and the primary system pressure increases before injection is restored with CRD. The reactor is depressurized (/X3) and HPSW provides core coolant (/V4).

SEQUENCES 4-3 TO 4-4
Same as Sequence 4-2 except HPSW fails (V4), or reactor depressurization prior to HPSW operation is unsuccessful (X3), resulting in core damage in a vented containment.

SEQUENCES 4-5 TO 4-8
Same as Sequences 4-1 to 4-4 except containment venting fails (Y) and the containment ruptures before core damage (/R).

SEQUENCE 4-9 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*Y*R*U4'
Same as Sequence 4-8 except the containment does not rupture (R) but develops a leak. CRD continues to operate (/U4'), resulting in no core damage in a leaking containment.

SEQUENCE 4-10 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*Y*R*U4'
Same as Sequence 4-9 except CRD does not continue to operate (U4') following the containment leak and because of high containment pressure, ADS cannot relieve primary pressure to allow HPSW to operate, resulting in core damage in a leaking containment.

SEQUENCE 4-11 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*V2*Y*X3*V4
Same as Sequence 4-1 except CRD does not operate (U4) following HPCI failure. LPCS is initiated (/V2) to continue core cooling and the containment is eventually vented (/Y). The LPCS pumps then fail due to low NPSH and the reactor is depressurized to allow HPSW to cool the core (/V4), resulting in a safe core in a vented containment.

SEQUENCES 4-12 TO 4-13
Same as Sequence 4-11 except HPSW fails (V4), or depressurization prior to HPSW operation fails (X3), resulting in core damage in a vented containment.
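The branch logic of loss-of-offsite-power Sequences 4-1 to 4-13 described above, written out as an added Python example (it is not part of the report). It uses the report's "/" prefix for success; the "ruptured" containment label for Sequences 4-5 to 4-8 and all function names are assumptions of this example.

```python
# Added example: LOSP Sequences 4-1..4-13 enumerated from the prose descriptions.
# "/X" = event X succeeds, "X" = event X fails (the report's own convention).
OK, CD = "no core damage", "core damage"

# Common prefix of the 4-x sequences: scram, SRVs cycle, onsite AC available,
# HPCI runs, SPC fails, depressurization for SDC succeeds, SDC and CSS fail.
PREFIX = ["T1", "/C", "/M", "/P", "/B", "/U1", "W1", "/X2", "W2", "W3"]


def hpsw_after_relief(path, containment):
    """Injection lost after venting or rupture: depressurize (X3), then HPSW (V4)."""
    yield path + ["/X3", "/V4"], OK, containment
    yield path + ["/X3", "V4"], CD, containment
    yield path + ["X3"], CD, containment


def crd_initiated(path):
    """CRD started in the one pump mode (/U4): Sequences 4-1..4-10."""
    # "ruptured" is this example's label for the /R outcomes (4-5..4-8);
    # their core states are carried over from 4-1..4-4 per "Same as".
    for relief, containment in ((["/Y"], "vented"), (["Y", "/R"], "ruptured")):
        branch = path + relief
        yield branch + ["/U4'"], OK, containment
        yield from hpsw_after_relief(branch + ["U4'"], containment)
    # No vent and no rupture: the containment leaks, high pressure keeps the
    # primary system from being depressurized, so only CRD (U4') is left.
    leak = path + ["Y", "R"]
    yield leak + ["/U4'"], OK, "leaking"
    yield leak + ["U4'"], CD, "leaking"


def crd_failed_lpcs_vented(path):
    """CRD fails (U4), LPCS runs (/V2) until venting costs it NPSH: 4-11..4-13."""
    yield from hpsw_after_relief(path + ["/V2", "/Y"], "vented")


def enumerate_sequences():
    """Return {sequence id: (event path, core state, containment state)}."""
    rows = list(crd_initiated(PREFIX + ["/U4"]))
    rows += crd_failed_lpcs_vented(PREFIX + ["U4"])
    return {f"4-{n}": row for n, row in enumerate(rows, start=1)}


def failed_events(path):
    """Failures that characterize a sequence (the initiator T1 is excluded)."""
    return [event for event in path[1:] if not event.startswith("/")]


if __name__ == "__main__":
    for seq_id, (path, core, containment) in enumerate_sequences().items():
        print(f"{seq_id:5} {'*'.join(path):58} {core}, {containment} containment")
```
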
SEQUENCES 4-14 TO 4-16
Same as Sequences 4-11 to 4-13 except containment venting is unsuccessful (Y) and the containment ruptures before core damage (/R).

SEQUENCE 4-17 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*V2*Y*R
Same as Sequence 4-11 except containment venting fails (Y) and the containment does not rupture (R), thereby closing the SRVs due to high containment pressure and preventing low pressure cooling. This results in core damage in a leaking containment.

SEQUENCES 4-18 TO 4-24
Same as Sequences 4-11 to 4-17 except, following LPCS failure (V2), LPCI provides core coolant (/V3) prior to containment venting.

SEQUENCES 4-25 TO 4-31
Same as Sequences 4-18 to 4-24 except, following LPCI failure (V3), HPSW provides core coolant (/V4) prior to containment venting.

SEQUENCE 4-32 -- T1*C*M*P*B*U1*W1*X2*W2*W3*U4*V2*V3*V4
Same as Sequence 4-11 except LPCS (V2), LPCI (V3), and HPSW (V4) fail and all core cooling is lost, resulting in core damage in a vulnerable containment.

SEQUENCE 5-1 -- T1*C*M*P*B*U1*W1*X2*W3*U4
Same as Sequence 2 except reactor depressurization for SDC is unsuccessful (X2) and CSS is initiated to provide containment overpressure protection (/W3). HPCI has failed due to high suppression pool temperatures before CSS is established and CRD is initiated to cool the core (/U4), resulting in a safe core and containment.

SEQUENCES 5-2 TO 5-4
Same as Sequence 5-1 except CRD fails to provide coolant injection (U4), the reactor is depressurized (/X1), and LPCS (/V2), LPCI (/V3) or HPSW (/V4) provide core cooling.
SEQUENCES 5-5 TO 5-6
Same as Sequence 5-2 except either reactor depressurization fails (X1) or LPCS (V2), LPCI (V3) and HPSW (V4) fail following depressurization, resulting in core damage in a vulnerable containment.

SEQUENCE 6-1 -- T1*C*M*P*B*U1*W1*X2*W3*U4*Y*U4'
Same as Sequence 5 except CSS fails (W3), resulting in the loss of all containment overpressure protection. High suppression pool temperatures fail HPCI and CRD is initiated for core coolant (/U4). Increasing containment pressure is relieved by containment venting (/Y). CRD survives venting (/U4') and the core is safe in a vented containment.

SEQUENCE 6-2 -- T1*C*M*P*B*U1*W1*X2*W3*U4*Y*U4'*X3*V4
Same as Sequence 6-2 except CRD does not survive containment venting (U4'), the reactor is depressurized (/X1), and HPSW continues core cooling (/V4).

SEQUENCES 6-3 TO 6-4
Same as Sequence 6-2 except either reactor depressurization fails (X1), or HPSW fails (V4) following reactor depressurization, leading to core damage in a vented containment.

SEQUENCES 6-5 TO 6-8
Same as Sequences 6-1 to 6-4 except containment venting is unsuccessful (Y) and the containment ruptures (/R).

SEQUENCE 6-9 -- T1*C*M*P*B*U1*W1*X2*W3*U4*Y*R*U4'
Same as Sequence 6-5 except the containment does not rupture (R), but develops a leak. This causes closure of the SRVs and the inability to use low pressure cooling. CRD continues coolant injection (/U4'), resulting in no core damage in a leaking containment.

SEQUENCE 6-10 -- T1*C*M*P*B*U1*W1*X2*W3*U4*Y*R*U4'
Same as Sequence 6-9 except CRD fails (U4') following the containment leak, at which point all coolant makeup is lost, resulting in core damage in a vulnerable containment.
SEQUENCE 6-11 -- T1*C*M*P*B*U1*W1*X2*W3*U4*X1*V2*W2
Same as Sequence 6-1 until CRD fails to initiate (U4) following HPCI failure. The reactor is depressurized (/X1) to initiate LPCS for coolant injection (/V2). The reactor is sufficiently depressurized to initiate late SDC for containment overpressure protection (/W2), resulting in a safe core and containment.

SEQUENCE 6-12 -- T1*C*M*P*B*U1*W1*X2*W3*U4*X1*V2*W2*Y*X3*V4
Same as Sequence 6-11 except SDC fails to provide containment overpressure protection (W2), followed by successful venting of the containment (/Y). Coolant injection is restored using HPSW (/V4) following reactor depressurization (/X3), resulting in a safe core in a vented containment.

SEQUENCES 6-13 TO 6-14
Same as Sequence 6-12 except either reactor depressurization fails (X3) or HPSW fails (V4) following reactor depressurization, resulting in core damage in a vented containment.

SEQUENCES 6-15 TO 6-17
Same as Sequences 6-12 to 6-14 except containment venting fails (Y) and the containment ruptures (/R).

SEQUENCE 6-18 -- T1*C*M*P*B*U1*W1*X2*W3*U4*X1*V2*W2*Y*R
Same as Sequence 6-11 until containment overpressure protection with SDC fails (W2), followed by failure of containment venting (Y). The containment does not rupture (R), disallowing use of low pressure systems because of closure of the SRVs. Core damage results in a vulnerable containment.

SEQUENCES 6-19 TO 6-26
Same as Sequences 6-11 to 6-18 except LPCI provides coolant makeup (/V3) following failure of LPCS (V2).

SEQUENCES 6-27 TO 6-34
Same as Sequences 6-19 to 6-26 except HPSW provides coolant makeup (/V4) following failure of LPCI (V3).
SEQUENCE 6-35 -- T1*C*M*P*B*U1*W1*X2*W3*U4*X1*V2*V3*V4
Same as Sequence 6-11 until LPCS fails (V2) following reactor depressurization, followed by failure of both LPCI (V3) and HPSW (V4), at which point all coolant makeup is lost, resulting in core damage in a vulnerable containment.

SEQUENCE 6-36 -- T1*C*M*P*B*U1*W1*X2*W3*U4*X1
Same as Sequence 6-11 until CRD fails to continue coolant makeup (U4) following HPCI failure. Reactor depressurization fails (X1), which disables all low-pressure core cooling systems, resulting in core damage in a vulnerable containment.

SEQUENCES 7 TO 12
Same as Sequences 1 to 6 except RCIC provides high pressure coolant makeup (/U2) following failure to initiate HPCI (U1).

SEQUENCES 13 TO 15
Same as Sequence 1 until failure to initiate HPCI (U1), followed by failure of RCIC (U2). The reactor is depressurized (/X1) and LPCS is initiated for coolant makeup (/V2). Containment overpressure protection is provided by SPC (/W1), SDC (/W2), or CSS (/W3), resulting in a safe core and containment.

SEQUENCES 16-1 TO 16-2
Same as Sequence 13 until SPC fails (W1), followed by failure of SDC (W2) and CSS (W3). Without containment overpressure protection, the pressure in containment rises until the SRVs close. Primary system pressure then rises, eventually failing LPCS (V2). CRD is initiated (/U4) for coolant makeup. High containment pressure is relieved by containment venting (/Y). CRD continues to cool the core, or the reactor is depressurized (/X1) and HPSW cools the core (/V4) if CRD does not survive the venting.

SEQUENCES 16-3 TO 16-4
Same as Sequence 1 except CRD does not survive containment venting and either reactor depressurization is unsuccessful (X1), or HPSW fails (V4) following reactor depressurization, resulting in core damage in a vented containment.
SEQUENCES 16-5 TO 16-8
Same as Sequences 16-1 to 16-4 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 16-9 -- T1*C*M*P*B*U1*U2*X1*V2*W1*W2*W3*U4*Y*R*U4'
Same as Sequence 16-5 except the containment does not rupture (R) but develops a leak. CRD survives (/U4') resulting in a safe core in a leaking containment.

SEQUENCE 16-10 -- T1*C*M*P*B*U1*U2*X1*V2*W1*W2*W3*U4*Y*R*U4'
Same as Sequence 16-9 except CRD does not survive the development of a leak in containment (U4'), all coolant systems are lost, and core damage results in a vulnerable containment.

SEQUENCE 16-11 -- T1*C*M*P*B*U1*U2*X1*V2*W1*W2*W3*U4*Y*X3*V4
Same as Sequence 16-1 until CRD fails to initiate (U4) following loss of containment overpressure protection. Increasing containment pressure is relieved by containment venting (/Y) and HPSW is initiated to cool the core (/V4) following primary system depressurization (/X1). The core is safe in a vented containment.

SEQUENCES 16-12 TO 16-13
Same as Sequence 16-11 except either HPSW fails to cool the core (V4) or primary system depressurization fails (X1) prior to HPSW operation, resulting in core damage in a vented containment.

SEQUENCES 16-14 TO 16-16
Same as Sequences 16-11 to 16-13 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 16-17 -- T1*C*M*P*B*U1*U2*X1*V2*W1*W2*W3*U4*Y*R
Same as Sequence 16-11 until containment venting fails (Y). The containment does not rupture (R) and continues to pressurize, resulting in core damage in a vulnerable containment since the SRVs are forced closed, preventing low pressure cooling.
SEQUENCES 17 TO 20
Same as Sequences 13 to 15 except LPCI provides early core coolant (/V3) following LPCS failure (V2).

SEQUENCES 21 TO 24
Same as Sequences 17 to 20 except HPSW provides early core coolant (/V4) following LPCI failure (V3).

SEQUENCE 25 -- T1*C*M*P*B*U1*U2*X1*V2*V3*V4
Same as Sequences 21 to 24 until HPSW fails (V4), at which point all coolant makeup is lost, resulting in early core damage in a vulnerable containment.

SEQUENCE 26 -- T1*C*M*P*B*U1*U2*X1*U3*W1
Same as Sequence 13 until reactor depressurization fails (X1) following failure to initiate high-pressure coolant systems. CRD is initiated in the two-pump mode to provide sufficient injection capacity (/U3). Containment overpressure protection is provided by SPC (/W1), resulting in a safe core and containment.

SEQUENCES 27-1 TO 27-3
Same as Sequence 26 until SPC fails to initiate (W1), the reactor is depressurized (/X2), and SDC provides containment overpressure protection (/W2). Reactor depressurization for SDC increases CRD flow rate which, when considering CST inventory is depleting, is assumed to fail the CRD pumps due to low NPSH. LPCS (/V2), LPCI (/V3) or HPSW (/V4) is initiated for core coolant, resulting in a safe core and containment.

SEQUENCE 27-4 -- T1*C*M*P*B*U1*U2*X1*U3*W1*X2*W2*V2*V3*V4
Same as Sequence 27-1 until LPCS fails (V2) to initiate after CRD fails, followed by unsuccessful operation of LPCI (V3) and HPSW (V4), resulting in core damage in a vulnerable containment.

SEQUENCES 28-1 TO 28-4
Same as Sequences 27-1 to 27-4 except CSS provides containment overpressure protection (/W3) following SDC failure (W2).
SEQUENCE 29-1 -- T1*C*M*P*B*U1*U2*X1*U3*W1*X2*W2*W3*V2*Y*X3*V4

Same as Sequence 28-1 until CSS fails to initiate (W3), at which point all containment cooling is lost. CRD failed due to reactor depressurization for SDC, so LPCS is initiated (/V2) to continue core cooling. Without containment overpressure protection, the pressure in containment is increasing and eventually closes the SRVs. Containment venting (/Y) is successful to relieve containment overpressurization, which fails LPCS due to low NPSH. Since the SRVs are closed, a pressure increase in the primary system begins until the reactor is again depressurized (/X3) and HPSW cools the core, resulting in a safe core in a vented containment.

SEQUENCES 29-2 TO 29-3

Same as Sequence 29-1 except either HPSW fails (V4) or reactor depressurization fails (X3) prior to HPSW operation, leaving no system available for coolant makeup, resulting in core damage in a vented containment.

SEQUENCES 29-4 TO 29-6

Same as Sequences 29-1 to 29-3 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 29-7 -- T1*C*M*P*B*U1*U2*X1*U3*W1*X2*W2*W3*V2*Y*R

Same as Sequence 29-4 until the containment fails to rupture (R), which precludes HPSW operation because of forced closure of the SRVs. This results in core damage in a vulnerable containment.

SEQUENCES 29-8 TO 29-14

Same as Sequences 29-1 to 29-7 except LPCS fails to initiate (V2) following containment cooling failure and LPCI provides coolant makeup (/V3).

SEQUENCES 29-15 TO 29-21

Same as Sequences 29-8 to 29-14 except LPCI fails to initiate (V3) following containment cooling failure and HPSW provides coolant makeup (/V4).

SEQUENCE 29-22 -- T1*C*M*P*B*U1*U2*X1*U3*W1*X2*W2*W3*V2*V3*V4

Same as Sequence 29-11 until LPCS fails (V2) following containment cooling failure. LPCI (V3) and HPSW (V4) also fail to initiate, resulting in core damage in a vulnerable containment.
SEQUENCE 30 -- T1*C*M*P*B*U1*U2*X1*U3*W1*X2*W3

Same as Sequence 26 until SPC fails (W1), followed by failure of reactor depressurization for SDC (X2). CSS is initiated to provide containment overpressure protection (/W3). Since reactor depressurization was unsuccessful, CRD does not fail, resulting in a safe core and containment.

SEQUENCES 31-1 TO 31-2

Same as Sequence 30 until CSS fails (W3), at which point all containment overpressure protection is lost. Eventually containment venting is performed to relieve containment overpressure (/Y). CRD continues to cool the core in the one-pump mode (/U4), or CRD fails on containment venting and HPSW cools the core (/V4), resulting in a safe core in a vented containment.

SEQUENCES 31-3 TO 31-4

Same as Sequence 31-2 except HPSW fails (V4) or reactor depressurization fails prior to HPSW operation (X3), resulting in core damage in a vented containment.

SEQUENCES 31-5 TO 31-8

Same as Sequences 31-1 to 31-4 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 31-9 -- T1*C*M*P*B*U1*U2*X1*U3*W1*X2*W3*Y*R*U4

Same as Sequence 31-5 except the containment does not rupture (R) but develops a leak. CRD continues to cool the core, resulting in a safe core in a leaked containment.

SEQUENCE 31-10 -- T1*C*M*P*B*U1*U2*X1*U3*W1*X2*W3*Y*R*U4

Same as Sequence 31-9 except CRD does not survive the containment leak (U4), resulting in core damage in a vulnerable containment.

SEQUENCE 32 -- T1*C*M*P*B*U1*U2*X1*U3

Same as Sequence 26 until CRD fails to initiate (U3) in the two-pump mode following failure to depressurize the reactor, which leaves no system available for coolant makeup. Early core damage results, with a vulnerable containment.
SEQUENCES 33 TO 34

A loss-of-offsite-power occurs (T1) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). The SRVs properly cycle to control reactor pressure (/M, /P) and onsite emergency power fails to be established (B). HPCI or RCIC is initiated (/U1', /U2') for coolant injection until it fails in the harsh environment or due to battery depletion, and core damage occurs late in a vulnerable containment.

SEQUENCE 35 -- T1*C*M*P*B*U1'*U2'

Same as Sequence 34 except RCIC fails to operate (U2') and early core damage results with a vulnerable containment since no other coolant injection is possible without AC power.
SEQUENCE 36 -- T1*C*M*P1*B

A loss-of-offsite-power occurs (T1) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). The SRVs open to relieve reactor pressure (/M) but one SRV fails to close (P1), creating a loss-of-coolant accident. Onsite emergency power is established (/B) and the sequence is transferred to the S2 LOCA tree.

SEQUENCES 37 TO 38

Same as Sequence 36 except onsite emergency power is not established (B) and HPCI (/U1') or RCIC (/U2') provides coolant injection until it fails in the harsh environment or due to battery depletion. This results in late core damage in a vulnerable containment.

SEQUENCE 39 -- T1*C*M*P1*B*U1'*U2'

Same as Sequence 37 except both HPCI (U1') and RCIC (U2') fail to provide coolant injection, resulting in early core damage in a vulnerable containment.
SEQUENCE 40 -- T1*C*M*P2*B

Same as Sequence 36 except two SRVs fail to close (P2) and the sequence is transferred to the S1 LOCA tree.

SEQUENCES 41 TO 42

Same as Sequence 40 except onsite emergency power is not established (B) and late core damage in a vulnerable containment results if HPCI (/U1) provides temporary coolant injection. If HPCI fails to operate, early core damage results with a vulnerable containment. RCIC does not have enough capacity to provide sufficient coolant in an S1 LOCA situation.

SEQUENCE 43 -- T1*C*M*P3*B

Same as Sequence 40 except three or more SRVs fail to close (P3) and the sequence is transferred to the A LOCA tree.

SEQUENCE 44 -- T1*C*M*P3*B

Same as Sequence 43 except onsite emergency power is not maintained (B) and high pressure coolant systems cannot operate in a large LOCA situation, resulting in early core damage in a vulnerable containment.

SEQUENCE 45 -- T1*C*M

A loss-of-offsite-power occurs (T1) which generates a scram condition and the RPS successfully inserts the rods into the core (/C). The SRVs do not open to reduce reactor pressure (M). The sequence is not developed further because of its low probability.

SEQUENCE 46 -- T1*C

A loss-of-offsite-power occurs (T1) which generates a scram condition and the RPS fails to insert the rods into the core (C). The sequence is transferred to the ATWS tree.

4.4.8 Transient Without PCS Initially Available Event Tree

This section contains information on the transient without PCS initially available event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.8.1 Event Tree
The T2 transient event tree is shown in Figure 4.4-6. The following discussions define the event tree headings and the sequences.

The events in the tree include:

T2: Initiating event, transient without the PCS initially available.

C: Success or failure of the RPS. Success implies automatic scram by the control rods.

LOSP: Success or failure to maintain offsite power.
M: Success or failure of Reactor Coolant System (RCS) overpressure protection (if required) by automatic operation of the SRVs. Success implies prevention of RCS overpressure so as to avoid damage to the primary system.

P: Success or failure associated with reclosing of any SRVs which should open in response to reactor vessel pressure rises throughout the sequence. Success implies reclosure of all valves when vessel pressure drops below the closure setpoints. P1, P2 and P3 refer to the failure to reclose one, two, three or more SRVs, respectively.

U1: Success or failure of the HPCI system. Success implies operation of the HPCI pump train so as to maintain sufficient coolant injection.

U2: Success or failure of the RCIC system. Success implies operation of the RCIC pump train so as to provide coolant injection.

X1: Success or failure of primary system depressurization. Success implies automatic or manual operation of the ADS or manual operation of other SRVs such that three valves or more are opened allowing low pressure injection.

V1: Success or failure of the Condensate system. Success implies at least one pump operating with sufficient makeup to the condenser hotwell for a continuing water supply.

V2: Success or failure of the LPCS system. Success implies operation of any two of the four LPCS pumps through either or both LPCS injection lines.

V3: Success or failure of the LPCI mode of the RHR system. Success implies operation of one of four LPCI pumps through either LPCI injection line to the reactor vessel.

V4: Success or failure of the HPSW system in the inject mode to the reactor vessel through a LPCI injection line. Success implies manual operation of this injection source such that one HPSW pump successfully provides coolant to the reactor.

U3: Success or failure of the CRD system as an injection source. Success implies two pump operation.

W1, W2, W3: Success or failure of the RHR system in the SPC, SDC, or CS mode, respectively. Success implies at least one RHR pump operating in any one of the three modes with the appropriate heat exchanger in the loop along with the HPSW system in operation to the ultimate heat sink.
X2: Success or failure of primary system depressurization. Success implies automatic or manual operation of the ADS to allow the SDC mode of RHR to be initiated.

U4: Success or failure of the CRD system as an injection source. Success implies operation in the one pump mode.

Y: Success or failure of containment venting. Success implies that the six-inch integrated leak test line or larger size line is open so as to prevent containment by overpressure. As necessary, water makeup is also eventually supplied to the suppression pool.

R: Success or failure of the containment to withstand overpressurization. Success implies the containment ruptures before core damage. Failure implies the containment does not rupture.

X3: Success or failure of primary system depressurization. Success implies automatic or manual operation of ADS occurs subsequent to initial depressurization to allow low pressure injection.

The following descriptions refer to the sequences found in Figure 4.4-6.

SEQUENCE 1 -- T2*C*LOSP*M*P*U1*W1

A transient occurs without the PCS available (T2) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP) and the SRVs properly cycle to control reactor pressure (/M, /P). HPCI is initiated for core coolant (/U1). Increasing suppression pool temperatures cause SPC to be initiated (/W1), and the core and containment are safe.

SEQUENCE 2 -- T2*C*LOSP*M*P*U1*W1*X2*W2

Same as Sequence 1 except SPC fails to provide containment overpressure protection (W1), the reactor is depressurized (/X2), and SDC continues to cool the containment (/W2).

SEQUENCES 3-1 TO 3-5

Same as Sequence 2 until SDC fails (W2) and CSS is initiated to provide containment overpressure protection (/W3). By the time CSS is initiated, the environment within the containment has failed HPCI. Core coolant is provided by Condensate (/V1), CRD (/U4), LPCS (/V2), LPCI (/V3) or HPSW (/V4), resulting in a safe core and containment.
SEQUENCE 3-6 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*V2*V3*V4

Same as Sequence 3-1 except all low-pressure cooling systems fail (Condensate, CRD (1 pump), LPCS, LPCI, HPSW) which results in core damage in a vulnerable containment.
SEQUENCE 4-1 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*Y*U4'

Same as Sequence 2 until SDC fails to cool the containment (W2), followed by failure of CSS (W3), resulting in the loss of all containment overpressure protection. HPCI has failed due to the adverse containment environment, and Condensate is initiated for core coolant (/V1). Pressure buildup in containment eventually closes the ADS valves, resulting in a pressure rise in the primary. This higher primary pressure fails the Condensate system, and CRD is initiated to continue core cooling (/U4). Containment venting is performed to relieve high containment pressure (/Y). CRD survives containment venting (/U4') and the core is safe in a vented containment.

SEQUENCES 4-2 TO 4-3

Same as Sequence 4-1 except CRD does not survive containment venting. The reactor is depressurized again (/X3) and Condensate (/V1) or HPSW (/V4) provide core coolant.

SEQUENCES 4-4 TO 4-5

Same as Sequence 4-3 except either reactor depressurization fails (X3), or HPSW fails (V4), which leaves no system available for core coolant, resulting in core damage in a vented containment.

SEQUENCES 4-6 TO 4-10

Same as Sequences 4-1 to 4-5 except containment venting fails (Y) and the containment eventually ruptures (/R).
SEQUENCE 4-11 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*Y*R*U4'

Same as Sequence 4-6 except the containment does not rupture (R) but develops a leak. CRD continues to provide core cooling (/U4').

[Figure 4.4-6. Transient Without PCS Initially Available Event Tree (5 pages)]

SEQUENCE 4-12 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*Y*R*U4'

Same as Sequence 4-11 except CRD fails (U4') following the leak in containment, leading to core damage in a vulnerable containment.
SEQUENCES 4-13 TO 4-16

Same as Sequences 4-2 to 4-5 except CRD fails to initiate (U4) following Condensate failure.

SEQUENCES 4-17 TO 4-20

Same as Sequences 4-13 to 4-16 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 4-21 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*Y*R

Same as Sequence 17 until the containment fails to rupture, which inhibits other low-pressure systems from operating, resulting in core damage in a vulnerable containment.

SEQUENCES 4-22 TO 4-23

Same as Sequence 4-1 until Condensate fails to initiate (V1) following containment overpressure protection failure. CRD provides core cooling (/U4) and eventually containment venting is necessary to relieve high containment pressure (/Y). CRD survives the venting event, or CRD fails and HPSW continues core cooling, resulting in a safe core in a vented containment.

SEQUENCES 4-24 TO 4-25

Same as Sequence 4-23 except the reactor fails to depressurize (X3) for HPSW, or HPSW fails to initiate (V4), resulting in core damage in a vented containment.

SEQUENCES 4-26 TO 4-29

Same as Sequences 4-22 to 4-25 except containment venting is unsuccessful (Y) and the containment eventually ruptures (/R).

SEQUENCE 4-30 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*Y*R*U4'

Same as Sequence 4-26 except the containment does not rupture (R) but develops a leak and CRD continues to provide core coolant (/U4').
SEQUENCE 4-31 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*Y*R*U4'

Same as Sequence 4-30 except CRD does not survive the containment leak (U4'), which leaves no system available for core coolant, resulting in core damage in a vulnerable containment.

SEQUENCE 4-32 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*V2*Y*X3*V4

Same as Sequence 4-22 until CRD does not initiate (U4) after Condensate failure and LPCS is initiated for core coolant (/V2). Containment venting is performed to relieve overpressure (/Y), which fails LPCS due to low NPSH. The reactor is depressurized again (/X3) and HPSW is initiated (/V4) to continue core cooling, resulting in a safe core in a vented containment.

SEQUENCES 4-33 TO 4-34

Same as Sequence 4-32 except HPSW fails (V4) or reactor depressurization prior to HPSW initiation fails (X3), resulting in core damage in a vented containment.

SEQUENCES 4-35 TO 4-37

Same as Sequences 4-32 to 4-34 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 4-38 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*V2*Y*R

Same as Sequence 4-37 until the containment fails to rupture (R), which forces the SRVs to close thus precluding the use of available core coolant systems, resulting in core damage in a vulnerable containment.

SEQUENCES 4-39 TO 4-45

Same as Sequences 4-32 to 4-38 except prior to containment venting, LPCI provides core coolant (/V3) following LPCS failure (V2).

SEQUENCES 4-46 TO 4-52

Same as Sequences 4-39 to 4-45 except prior to containment venting, HPSW provides core coolant (/V4) following LPCI failure (V3).

SEQUENCE 4-53 -- T2*C*LOSP*M*P*U1*W1*X2*W2*W3*V1*U4*V2*V3*V4

Same as Sequence 4-46 until HPSW fails (V4), which leaves no core coolant system available, resulting in core damage in a vulnerable containment.
SEQUENCES 5-1 TO 5-5

Same as Sequence 2 until depressurization for SDC fails (X2), followed by CSS initiation (/W3) for containment overpressure protection. HPCI fails prior to CSS initiation due to the adverse containment environment. CRD is initiated for core cooling (/U4), or, subsequent to CRD failure, the reactor is depressurized (/X1) and Condensate (/V1), LPCS (/V2), LPCI (/V3) or HPSW (/V4) continues core cooling, resulting in a safe core and containment.

SEQUENCES 5-6 TO 5-7

Same as Sequence 5-2 until reactor depressurization fails (X1) or all low pressure core coolant systems (Condensate, LPCS, LPCI, HPSW) fail to initiate, resulting in core damage in a vulnerable containment.

SEQUENCES 6-1 TO 6-3

Same as Sequence 1 until all containment overpressure protection is lost (SPC, reactor depressurization for SDC, and CSS). High suppression pool temperature fails HPCI (U1) and CRD is initiated for core coolant (/U4). High containment pressure is relieved by containment venting (/Y), and CRD (/U4), Condensate (/V1) or HPSW (/V4) continues core cooling, resulting in a safe core in a vented containment.

SEQUENCES 6-4 TO 6-5

Same as Sequence 6-2 except either reactor depressurization fails (X1) or Condensate (V1) and HPSW (V4) fail, which leaves no system available for core cooling, resulting in core damage in a vented containment.

SEQUENCES 6-6 TO 6-10

Same as Sequences 6-1 to 6-5 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 6-11 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*Y*R*U4'

Same as Sequence 6-6 except the containment fails to rupture (R) but develops a leak. CRD survives venting (/U4'), resulting in a safe core in a leaking containment.

SEQUENCE 6-12 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*Y*R*U4'

Same as Sequence 6-11 except CRD does not survive the containment leak (U4'), resulting in core damage in a vulnerable containment.
SEQUENCE 6-13 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V1*W2

Same as Sequence 6-1 until CRD fails to initiate (U4) following loss of containment cooling. The reactor is depressurized (/X1) and Condensate is initiated for core coolant (/V1). Containment overpressure protection is established with SDC (W2), resulting in a safe core and containment.
SEQUENCES 6-14 TO 6-17

Same as Sequences 6-2 to 6-5 except CRD has failed (U4), the reactor is depressurized (/X1) and Condensate continues core cooling (/V1).

SEQUENCES 6-18 TO 6-21

Same as Sequences 6-14 to 6-17 except containment venting fails (Y) and the containment eventually ruptures (/R).
SEQUENCE 6-22 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V1*W2*Y*R

Same as Sequence 6-13 until SDC fails (W2), followed by failure of containment venting (Y) and containment rupture (R), resulting in core damage in a vulnerable containment.

SEQUENCE 6-23 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V1*V2*W2

Same as Sequence 6-13 except LPCS provides core cooling (/V2) following Condensate failure (/V1).

SEQUENCE 6-24 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V1*V2*W2*Y*X3*V4

Same as Sequence 6-23 except SDC fails to provide containment overpressure protection (W2) and containment venting is performed (/Y), followed by reactor depressurization (/X3) and HPSW initiation (/V4), resulting in a safe core in a vented containment.

SEQUENCES 6-25 TO 6-26

Same as Sequence 6-24 except reactor depressurization prior to HPSW operation is unsuccessful (X3) or HPSW fails to initiate (V4), resulting in core damage in a vented containment.

SEQUENCES 6-27 TO 6-29

Same as Sequences 6-24 to 6-26 except containment venting fails (Y) and the containment eventually ruptures (/R).
SEQUENCE 6-30 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V1*V2*W2*Y*R

Same as Sequence 6 until the containment fails to rupture (R), which leaves no system available for core cooling because of forced closure of the SRVs. This results in core damage in a vulnerable containment.

SEQUENCES 6-31 TO 6-38

Same as Sequences 6-23 to 6-30 except LPCI provides core coolant (/V3) following failure of LPCS to initiate (V2).
SEQUENCES 6-39 TO 6-46

Same as Sequences 6-31 to 6-38 except HPSW provides core coolant (/V4) following failure of LPCI to initiate (V3).

SEQUENCE 6-47 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V1*V2*V3*V4

Same as Sequence 6-39 until HPSW fails (V4) and all core cooling is lost, resulting in core damage in a vulnerable containment.

SEQUENCE 6 -- T2*C*LOSP*M*P*U1*W1*X2*W3*U4*X1

Same as Sequence 6-13 until depressurization following CRD failure is unsuccessful (X1), precluding the use of low pressure core coolant systems, resulting in core damage in a vulnerable containment.

SEQUENCES 7 TO 12

Same as Sequences 1 to 6 except RCIC provides early high pressure injection to the core (/U2) following failure of HPCI to initiate (U1).

SEQUENCES 13 TO 15

A transient occurs without the PCS available (T2) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP) and the SRVs properly cycle to control reactor pressure (/M, /P). HPCI (U1) and RCIC (U2) fail to provide high pressure injection, the reactor is depressurized (/X1), and Condensate is initiated for core coolant (/V1). SPC (/W1), SDC (/W2) or CSS (/W3) provide containment overpressure protection, resulting in a safe core and containment.
SEQUENCES 16-1 TO 16-21

Same as Sequences 4-1 to 4-21 except, following failure of HPCI (U1) and RCIC (U2), Condensate provides early core coolant (/V1) prior to failure of containment overpressure protection.
SEQUENCES 17 TO 19

Same as Sequences 13 to 15 except LPCS provides early core coolant (/V2) following failure of Condensate (V1).

SEQUENCES 20-1 TO 20-2

Same as Sequence 17 until all containment overpressure protection fails (SPC, SDC, CSS), which causes increasing containment pressure, eventually closing the SRVs. The primary pressure subsequently increases which fails LPCS, and CRD is initiated to continue core cooling (/U4). Containment venting is performed to relieve high containment pressure (/Y), and CRD or HPSW continues to cool the core, resulting in a safe core in a vented containment.

SEQUENCES 20-3 TO 20-4

Same as Sequence 20-2 except HPSW fails to initiate (V4) or reactor depressurization prior to HPSW initiation fails (X3), resulting in core damage in a vented containment.

SEQUENCES 20-5 TO 20-8

Same as Sequences 20-1 to 20-4 except containment venting fails (Y) and the containment eventually ruptures (/R).
SEQUENCE 20-9 -- T2*C*LOSP*M*P*U1*U2*X1*V1*V2*W1*W2*W3*U4*Y*R*U4'

Same as Sequence 20-5 except the containment fails to rupture and CRD survives (/U4'), resulting in a safe core in a leaking containment.

SEQUENCE 20-10 -- T2*C*LOSP*M*P*U1*U2*X1*V1*V2*W1*W2*W3*U4*Y*R*U4'

Same as Sequence 20-9 except CRD does not continue core cooling (U4') following the development of a containment leak, resulting in core damage in a leaking containment.

SEQUENCES 20-11 TO 20-13

Same as Sequences 20-2 to 20-4 except CRD fails to initiate (U4) prior to the containment venting event.
SEQUENCES 20-14 TO 20-16

Same as Sequences 20-11 to 20-13 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 20-17

Same as Sequence 20-16 except the containment fails to rupture (R), resulting in core damage in a vulnerable containment.

SEQUENCES 21 TO 24

Same as Sequences 17 to 20 except LPCI provides early core coolant (/V3) following LPCS failure (V2).

SEQUENCES 25 TO 28

Same as Sequences 21 to 24 except HPSW provides early core coolant (/V4) following LPCI failure (V3).

SEQUENCE 29 -- T2*C*LOSP*M*P*U1*U2*X1*V1*V2*V3*V4

Same as Sequence 13 until all low pressure core coolant systems fail (Condensate, LPCS, LPCI, HPSW), which leaves no core coolant system available, resulting in early core damage in a vulnerable containment.

SEQUENCE 30 -- T2*C*LOSP*M*P*U1*U2*X1*U3*W1

Same as Sequence 13 until reactor depressurization fails (X1) and CRD is initiated in the enhanced mode (/U3) to provide sufficient cooling capacity. SPC is initiated for containment overpressure protection (/W1), resulting in a safe core and containment.

SEQUENCES 31-1 TO 31-4

Same as Sequence 30 until SPC fails (W1) and the reactor is depressurized (/X2) to initiate SDC (/W2). The decreased reactor pressure causes the CRD pump flow to increase, and, considering the CST level is decreasing, the CRD pumps are assumed to fail due to low NPSH. Condensate (/V1), LPCS (/V2), LPCI (/V3) or HPSW (/V4) provides core coolant, resulting in a safe core and containment.
SEQUENCE 31-5 -- T2*C*LOSP*U1*U2*X1*U3*W1*X2*W2*V1*V2*V3*V4

Same as Sequence 31-1 except all low pressure core coolant systems fail (Condensate, LPCS, LPCI, HPSW), resulting in core damage in a vulnerable containment.

SEQUENCES 32-1 TO 32-5

Same as Sequences 31-1 to 31-5 except SDC fails (W2) and CSS is initiated for containment overpressure protection (/W3).

SEQUENCES 33-1 TO 33-2

Same as Sequence 30 until all containment overpressure protection fails (SPC, SDC, CSS), although depressurization for SDC is successful. This depressurization increases the pump flow of CRD which, considering the CST level is continuously decreasing, is assumed to fail the CRD pumps due to low NPSH. Condensate is initiated to continue core cooling (/V1). High containment pressure is relieved by containment venting (/Y). The reactor is again depressurized (/X3) and Condensate (/V1) or HPSW (/V4) provides core coolant, resulting in a safe core in a vented containment.

SEQUENCES 33-3 TO 33-4

Same as Sequences 33-1 to 33-2 except HPSW fails (V4), or reactor depressurization prior to HPSW initiation fails (X3), resulting in core damage in a vented containment.

SEQUENCES 33-5 TO 33-8

Same as Sequences 33-1 to 33-4 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 33-9 -- T2*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W2*W3*V1*Y*R

Same as Sequence 33-5 until the containment fails to rupture (R), which leaves no coolant system operable, resulting in core damage in a vulnerable containment.

SEQUENCES 33-10 TO 33-16

Same as Sequences 33-1 to 33-9 except Condensate fails (V1) and LPCS provides core coolant (/V2) prior to the containment venting event, which results in two fewer sequences since no success path for Condensate exists subsequent to reactor depressurization (/X3).
4 i SEQUENCES 33-17 TO 33-23 Same as Sequences 33-10 to 33-16 except following LPCS failure (V2), LPCI provides core coolant (/V3) prior to containment venting. SEQUENCES 33-24 TO 33-30 Same as Sequences 33-17 to 33-23 except following LPCI failure (V3), HPSW provides core ecolant (/V4) prior to containment venting. SEQUENCES 33-31 -- T2*C*LOSP*II*P*Ul*U2*X1*ii3*W1*X2*W2*W3*Vl*V2*V3*V4 Same as Sequence 33-1 until Condensate fails (V1), followed by failure of LPCS (V2), LPCI( V3), and HPSW (V4), resulting in core damage in a vulner-able containment. SEQUENCE 34 -- T2*C*LOSP*M*P*Ul*U2*X1*U3*W1*X2*W3 Same as Sequence 30 until SPC fails (W1) to provide containment overpressure protection, followed by failure to depressurize the reactor (X2) for SDC. CSS is initiated (/W3) and CRD continees to function in the enhanced mode, resulting in a safe core and containment. SEQUENCES 35-1 TO 35-3 Same as Sequence 34 until CSS fails (W3), af ter which all containment overpressure protection is lost, although CRD continues to provide core coolant. High containment pressure is relieved by containment venting (/Y), and CRD (/U4), Condensate (/V1), or HPSW (/V4) continues core cooling, resulting in a safe core in a vented containment. SEQUENCES 35-4 TO 35-5 Same as Sequences 35-3 except HPSW fails (V4) or reactor depressurization prior to HPSW initiation fails (X3), which leaves all core coolant systems unavailable, resulting in core damage in a vented containment. SEQUENCES 35-6 TO 33-10 Same as Sequences 35-1 to 35-5 except containment venting fails (Y) and the containment eventually ruptures (/R). SEQUENCE 35-11 -- T2*C*LOSP*M*P*Ul*U2*X1*U3*Wi*X2*W3*YdR*U4' Same as Sequence 35-6 except the containment does not rupture (R) and CRD j continues in the 1 pump mode (/U4'), resulting in a safe core in a vulnerable containment. 4.4-64
h SEQUENCE 35-12 -- T2*C*LOSP*M*P*Ul*U2*X1*U3*Wi*X2*W3*Y*R*U4' Same as Sequence 35-11 except CRD does not operate (U4') following the development of a containment leak, resulting in core damage in a vulnerable containment. SEQUENCE 36 -- T2*E*LOSP*E*P*Ul*U2*X1*U3 Same as Sequence 30 except CRD (2 pump mode) fails to initiate to provide core coolant (U3) following failurc to depressurize the reactor (X1), which precludes the use of the low pressure core coolant systems, resulring in early core damage in a vulnerable containment. SEQUENCE 37 -- T2*U*1DSP*E*P1 A transient without the PCS available occurs (T2), which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP) and the SRVs properly open to relieve the pressure (/M), but one SRV fails to close (P1) and the sequence is transferred to the S2 IDCA tree. SEQUENCE 38 -- T2*U*1DSP*E*P2 Same as Sequence 37 except two SRVs fail to close and the sequence is transferred to the S1 LOCA tree. SEQUENCE 39 -- T2*U*lOSP*E*P3 Same as Sequence 38 except three or more SRVs fail to close and the sequence is transferred to the A LOCA tree. SEQUENCE 40 -- T2*5*1DSP*M A transient occurs without PCS available (T2) which generates a reactor scram condition and the RPS succe ssfully inserts the rods (/C). Offsite power is maintained (/LOSP). The SRVs fail to open to control reactor pressure (M) and the sequence is not developed further due to low probability. SEQUENCE 41 -- T2*U*LOSP Same as Sequence 40 except offsite power is not maintained (IDSP) and the sequence is transferred to the Tl tree. l 4.4-65
SEQUENCE 42 -- T2*C Same as Sequence 40 except the RPS fails to scram the reactor, and the j sequence is transferred to the ATWS tree. 4.4.9 Transient With PCS Initially Available Event Tree ! This section contains information on the transient without the PCS initially available event tree. Success criteria considerations are presented along with the event tree and its description. l 4.4.9.1 Introduction i Transients in which the PCS remains initially available do not represent significant concerns for the plant unless the PCS is subsequently lost while the plant is being shut down. Should the PCS be lost, the sequence of events then proceeds similar to a transient in which the PCS was unavailable from the start. T3A represents all the transients of this type except Inadvertent Open Relief Valve (IORV) events and a loss of feedwater which can have somewhat different effects on plant conditions. 4.4.9.2 Event Tree The T3A transient event tree is depicted by Pigure 4.4-7. The following discussions define the event tree headings and the sequences. The events in the tree include:
T3A: Initiating event, transient with PCS initially available.

C: Success or failure of Reactor Protection System (RPS). Success implies automatic scram by the control rods.

LOSP1: Success or failure to maintain offsite power. The designation LOSP1 is used instead of LOSP for purposes of computational efficiency within the SETS code.

Q: Continued success or subsequent failure of the PCS. Success implies continued operation of the PCS such that a safe cooldown of the plant is achieved using the PCS.

M: Success or failure of Reactor Coolant System (RCS) overpressure protection (if required) by automatic operation of the SRVs. Success implies prevention of RCS overpressure so as to avoid damage to the primary system.

P: Success or failure associated with reclosing of any SRVs which should open in response to reactor vessel pressure rises throughout the sequence. Success implies reclosure of all valves when vessel pressure drops below the closure setpoints. P1, P2 and P3 refer to the failure of one, two or three or more SRVs to reclose, respectively.
The following descriptions refer to the sequences found in Figure 4.4-7.

SEQUENCES 1 TO 36 -- T3A*C*LOSP*Q*M*P

A transient occurs with the PCS initially available (T3A) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP1). The PCS fails (Q) and the SRVs properly cycle to control reactor pressure (/M, /P). All sequences then transfer to the T2 tree at the T2-1 branch.

SEQUENCE 37 -- T3A*C*LOSP*Q

Same as initial development of Sequences 1 to 36 except the PCS remains available (/Q), resulting in a safe core and containment.

SEQUENCE 38 -- T3A*C*LOSP*Q*M*P1

Same as initial development of Sequences 1 to 36 except one SRV fails to close (P1) and the sequence is transferred to the S2 LOCA tree.

SEQUENCE 39 -- T3A*C*LOSP*Q*M*P2

Same as Sequence 38 except two SRVs fail to close (P2) and the sequence is transferred to the S1 LOCA tree.

SEQUENCE 40 -- T2*C*LOSP*Q*M*P3

Same as Sequence 39 except three or more SRVs fail to close (P3) and the sequence is transferred to the A LOCA tree.

SEQUENCE 41 -- T2*C*LOSP*Q*M

Same as initial development of Sequences 1 to 36 except the SRVs do not properly open to control reactor pressure (M) and the sequence is not developed further due to low probability.

SEQUENCE 42 -- T2*C*LOSP

A transient occurs with the PCS initially available (T3A) and the RPS successfully scrams the reactor (/C). Offsite power is not maintained (LOSP) and the sequence is transferred to the T1 tree.

SEQUENCE 43 -- T2*C

A transient occurs with the PCS initially available (T3A), the RPS fails to successfully scram the reactor (C), and the sequence is transferred to the ATWS tree.

4.4.10 Loss of Feedwater Event Tree

This section contains information on the loss of feedwater event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.10.1 Introduction

A loss of feedwater event (T3B) is, in part, similar to a loss of PCS event except that only the feedwater is definitely lost from the balance-of-plant. It is possible that the steam side of the PCS to the condenser may still be operable as well as the Condensate system. Coolant injection could be performed with systems such as HPCI, RCIC, or Condensate (as well as others) and heat removal might still be possible with the steam portion of the plant if condenser level and vacuum can be controlled. The success criteria would be as indicated for all T3-type transients already discussed.

To facilitate the analysis under the resource constraints of the study, the T3B event was conservatively analyzed as if the loss of feedwater event also included loss of the entire PCS as well as the Condensate system. Therefore, the T3B event was actually analyzed as a T2 transient which is described in Section 4.4.8. While this "short-cut" is conservative, it was found at the conclusion of this study that this treatment of the T3B transient did not have a significant impact on the results.

4.4.10.2 Event Tree

The transfer tree for T3B is shown in Figure 4.4-8, since the event tree for T2 transients was conservatively used for the loss of feedwater initiator. The following description refers to the sequence found in Figure 4.4-8.

SEQUENCE 1 -- T3B

A transient occurs in which feedwater is not available (T3B) and it is conservatively assumed that the entire PCS is lost and the sequence is transferred to the T2 tree.
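
The T3A transfer logic described in Section 4.4.9.2 can be written as data and walked mechanically. The following is an added example, not code from the report or from the SETS code: the function names, the "/" prefix on success branches in the generated strings (borrowed from the prose's /C, /M notation) and the end-state wording are assumptions made for illustration.

```python
"""Added example: the T3A event tree as data, walked to list its end states."""

# Constructed from the sequence descriptions in Section 4.4.9.2.
# Each heading lists its branches in tree order as (label, end_state).
# end_state None means the sequence continues to the next heading.
# A leading "/" marks the success branch of a heading.
T3A_TREE = [
    ("C",     [("/C", None), ("C", "transfer to ATWS tree")]),
    ("LOSP1", [("/LOSP1", None), ("LOSP1", "transfer to T1 tree")]),
    # Q is the one heading where success, not failure, ends the sequence.
    ("Q",     [("/Q", "safe core and containment"), ("Q", None)]),
    ("M",     [("/M", None), ("M", "not developed further (low probability)")]),
    ("P",     [("/P", "transfer to T2 tree"),
               ("P1", "transfer to S2 LOCA tree"),
               ("P2", "transfer to S1 LOCA tree"),
               ("P3", "transfer to A LOCA tree")]),
]


def enumerate_sequences(initiator, tree):
    """Return every (sequence expression, end state) pair, in tree order."""
    results = []

    def walk(index, path):
        if index == len(tree):
            # A branch ran off the last heading without an end state.
            raise ValueError("open branch: " + "*".join(path))
        for label, end in tree[index][1]:
            new_path = path + [label]
            if end is None:
                walk(index + 1, new_path)
            else:
                results.append(("*".join(new_path), end))

    walk(0, [initiator])
    return results


def known_failures(tree):
    """All failure labels the tree defines (labels without the "/" prefix)."""
    return {label for _, branches in tree
            for label, _ in branches if not label.startswith("/")}


def end_state(initiator, tree, failed):
    """Follow the tree for one set of failed events, e.g. {"Q", "P1"}.

    Headings after the terminating branch are never asked, so a failure
    listed for a later heading does not change the result.
    """
    unknown = set(failed) - known_failures(tree)
    if unknown:
        raise ValueError("not a T3A heading failure: %s" % sorted(unknown))
    path = [initiator]
    for heading, branches in tree:
        hits = [b for b in branches if b[0] in failed]
        if len(hits) > 1:
            raise ValueError("mutually exclusive branches of " + heading)
        if hits:
            label, end = hits[0]
        else:
            label, end = next(b for b in branches if b[0].startswith("/"))
        path.append(label)
        if end is not None:
            return "*".join(path), end
    raise ValueError("tree ended without an end state")


if __name__ == "__main__":
    for expression, outcome in enumerate_sequences("T3A", T3A_TREE):
        print(f"{expression:28s} -> {outcome}")
    # Scram failure dominates: the PCS question is never reached.
    print(end_state("T3A", T3A_TREE, {"C", "Q"}))
```

The eight printed end states correspond to Sequences 1 to 36 (taken as a group) and Sequences 37 to 43; T3B needs no tree of its own because its single sequence transfers directly to the T2 tree.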
4.4.11 Inadvertent Open Relief Valve Event Tree

This section contains information on the inadvertent open relief valve event tree. Success criteria considerations are presented along with the event tree and its description.
[Figure 4.4-8. Loss of Feedwater Event Tree]
4.4.11.1 Introduction

Should a primary system SRV inadvertently open during power operation, steam will be discharged to the suppression pool through the SRV tail pipe line. An open SRV will be easily detected by acoustical and temperature monitors on these lines. Procedures call for attempts to close the valve and, if unsuccessful, manually trip the plant and start shutdown procedures. Since the PCS is likely to be initially available, this event is categorized as another T3-type of transient (T3C). It is separately analyzed since the open SRV will allow containment conditions to be at a somewhat higher stress level than other T3-type transients because of the initial steam release to the pool. It is, therefore, treated as an S2 steam LOCA and so is ultimately analyzed using the S2 success criteria (already described).

4.4.11.2 Event Tree

The T3C event tree is depicted by Figure 4.4-9. The following discussions define the event tree headings and the sequences. The events in the tree include:

T3C: Initiating event, inadvertent open relief valve transient.

C1: Success or failure of reactor scram. Success implies manual trip of the reactor or automatic scram by the RPS.

LOSP: Success or failure to maintain offsite power.

Q1: Continued success or subsequent failure of the PCS. Success implies continued operation of the PCS such that cooldown of the plant is successfully achieved before containment conditions reach challenging levels from steam discharge from the stuck-open SRV.

The following descriptions refer to the sequences found in Figure 4.4-9.

SEQUENCE 1 -- T3C*C1*LOSP*Q1

A relief valve inadvertently opens (T3C) which generates the need for a reactor scram which is performed manually or by the RPS (/C1). Offsite power is maintained (/LOSP) and the PCS functions properly to remove decay heat (/Q1) and the core and containment are safe.

SEQUENCE 2 -- T3C*C1*LOSP*Q1

Same as Sequence 1 except the PCS fails to remove decay heat (/Q1) and the sequence is transferred to the S2 LOCA tree.
SEQUENCE 3 -- T3C*C1*LOSP

Same as Sequence 2 except offsite power is not maintained and the sequence is transferred to the T1 tree.

SEQUENCE 4 -- T3C*C1

A relief valve inadvertently opens (T3C) and a manual or automatic scram is unsuccessful (C1) and the sequence is transferred to the ATWS tree.

4.4.12 Loss of an AC or DC Bus Event Tree

This section contains information on the loss of an AC or DC bus event tree. Success criteria considerations are presented along with the event tree and its description.

4.4.12.1 Introduction

A loss of an emergency AC or DC bus as an initiator was assumed to lead to a total loss of the PCS including the Condensate system.

4.4.12.2 Event Tree

The TAC/DC transient event tree is shown in Figure 4.4-10. The following discussions define the event tree headings and the sequences. The events in the tree include:

TAC/DC: Initiating event, loss of an AC or DC bus.

C: Success or failure of the RPS. Success implies automatic scram by the control rods.

LOSP: Success or failure to maintain offsite power.

M: Success or failure of Reactor Coolant System (RCS) overpressure protection (if required) by automatic operation of the SRVs. Success implies prevention of RCS overpressure so as to avoid damage to the primary system.

P: Success or failure associated with reclosing of any SRVs which should open in response to reactor vessel pressure rises throughout the sequence. Success implies reclosure of all valves when vessel pressure drops below the closure setpoints. P1, P2 and P3 refer to the failure to reclose one, two or three or more SRVs, respectively.

U1: Success or failure of the HPCI system. Success implies operation of the HPCI pump train so as to maintain sufficient coolant injection.
U2: Success or failure of the RCIC system. Success implies operation of the RCIC pump train so as to maintain sufficient coolant injection.

X1: Success or failure of primary system depressurization. Success implies automatic or manual operation of the ADS or manual operation of other SRVs such that three valves or more are opened allowing low pressure injection.

V1: Success or failure of the Condensate system. Success implies at least one pump operating with sufficient makeup to the condenser hotwell for a continuing water supply.

V2: Success or failure of the LPCS system. Success implies operation of any two of the four LPCS pumps through either or both LPCS injection lines.

V3: Success or failure of the LPCI mode of the RHR system. Success implies operation of one of four LPCI pumps through either LPCI injection line to the reactor vessel.

V4: Success or failure of the HPSW system in the inject mode to the reactor vessel through a LPCI injection line. Success implies manual operation of this injection source such that one HPSW pump successfully provides coolant to the reactor.

U3: Success or failure of the CRD system as an injection source. Success implies two pump operation.

W1, W2, W3: Success or failure of the RHR system in the SPC, SDC, or CS mode, respectively. Success implies at least one RHR pump operating in any one of the three modes with the appropriate heat exchanger in the loop along with the HPSW system in operation to the ultimate heat sink.

X2: Success or failure of primary system depressurization. Success implies automatic or manual operation of the ADS to allow the SDC mode of RHR to be initiated.

U4: Success or failure of the CRD system as an injection source. Success implies operation in the one pump mode.

Y: Success or failure of containment venting. Success implies that the six-inch integrated leak test line or larger size line is open so as to prevent containment failure by overpressure. As necessary, water makeup is also eventually supplied to the suppression pool.

R: Success or failure of the containment to withstand overpressurization. Success implies the containment ruptures before core damage.
X3: Success or failure of primary system depressurization. Success implies automatic or manual operation of ADS occurs subsequent to initial operation to allow low pressure injection.

The following descriptions refer to the sequences found in Figure 4.4-10.

SEQUENCE 1 -- TAC/DC*C*LOSP*M*P*U1*W1

A loss of an AC or DC bus occurs (TAC/DC) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). The SRVs properly cycle to control reactor pressure (/M, /P) and onsite emergency power is established (/B). HPCI is initiated (/U1) for core cooling and SPC is initiated (/W1) for containment overpressure protection, resulting in a safe core and containment.

SEQUENCE 2 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2

Same as Sequence 1 but SPC fails to provide containment overpressure protection (W1) and SDC is initiated (/W2) following reactor depressurization (/X2).

SEQUENCES 3-1 TO 3-4

Same as Sequence 2 except SDC fails (W2) and CSS continues to protect the containment from overpressurization (/W3). HPCI fails due to the adverse containment environment and either CRD (/U4), LPCS (/V2), LPCI (/V3) or HPSW (/V4) continues core cooling.

SEQUENCE 3-5 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*V2*V3*V4

Same as Sequences 3-1 to 3-4 except CRD (U4), LPCS (V2), LPCI (V3) and HPSW (V4) fail, leaving no system available to cool the core, resulting in core damage in a vulnerable containment.

SEQUENCE 4-1 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*Y*U4'

Same as Sequence 2 except SDC fails (W2), followed by CSS failure (W3), leaving the containment with no overpressure protection. HPCI eventually fails due to high suppression pool temperatures (U1) and CRD is initiated in the one pump mode (/U4). The containment is successfully vented (/Y) and CRD continues to provide core coolant (/U4'), resulting in no core damage in a vented containment.

SEQUENCE 4-2 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*Y*U4'*X3*V4

Same as Sequence 4-1 except CRD fails during containment venting (U4'). The reactor is depressurized (/X3) and HPSW provides core coolant (/V4).

SEQUENCES 4-3 TO 4-4

Same as Sequence 4-2 except HPSW fails (V4), or reactor depressurization prior to HPSW operation is unsuccessful (X3), resulting in core damage in a vented containment.

SEQUENCES 4-5 TO 4-8

Same as Sequences 4-1 to 4-4 except containment venting fails (Y) and the containment ruptures before core damage (/R).

SEQUENCE 4-9 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*Y*R*U4'

Same as Sequence 4-8 except the containment does not rupture (R) but develops a leak. CRD continues to operate (/U4'), resulting in no core damage in a leaking containment.

SEQUENCE 4-10 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*Y*R*U4'

Same as Sequence 4-9 except CRD does not continue to operate (U4') following the containment leak which forces the SRVs closed and precludes low pressure cooling. This results in core damage in a vulnerable containment.

SEQUENCE 4-11 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*V2*Y*X3*V4

Same as Sequence 4-1 except CRD does not operate (U4) following HPCI failure. LPCS is initiated (/V2) to continue core cooling and the containment is eventually vented (/Y). The LPCS pumps then fail due to low NPSH and the reactor is depressurized to allow HPSW to cool the core (/V4), resulting in a safe core in a vented containment.

SEQUENCES 4-12 TO 4-13

Same as Sequence 4-11 except HPSW fails (V4), or depressurization prior to HPSW operation fails (X3), resulting in core damage in a vented containment.

SEQUENCES 4-14 TO 4-16

Same as Sequences 4-11 to 4-13 except containment venting is unsuccessful (Y) and the containment ruptures (/R) before core damage.
SEQUENCE 4-17 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*V2*Y*R

Same as Sequence 4-11 except containment venting fails (Y) and the containment does not rupture (R), resulting in core damage in a vulnerable containment.

SEQUENCES 4-18 TO 4-24

Same as Sequences 4-11 to 4-17 except, following LPCS failure (V2), LPCI provides core coolant (/V3) prior to containment venting.

SEQUENCES 4-25 TO 4-31

Same as Sequences 4-18 to 4-24 except, following LPCI failure (V3), HPSW provides core coolant (/V4) prior to containment venting.

SEQUENCE 4-32 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W2*W3*U4*V2*V3*V4

Same as Sequence 4-11 except LPCS (V2), LPCI (V3), and HPSW (V4) fail and all core cooling is lost, resulting in core damage in a vulnerable containment.

SEQUENCE 5-1 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4

Same as Sequence 2 except reactor depressurization for SDC is unsuccessful (X2) and CSS is initiated to provide containment overpressure protection (/W3). HPCI has failed due to high suppression pool temperatures and CRD (1 pump mode) is initiated to cool the core (/U4), resulting in a safe core and containment.

SEQUENCES 5-2 TO 5-4

Same as Sequence 5-1 except CRD fails to provide coolant injection (U4), the reactor is depressurized (/X1), and LPCS (/V2), LPCI (/V3) or HPSW (/V4) provide core cooling.

SEQUENCES 5-5 TO 5-6

Same as Sequence 5-2 except either reactor depressurization fails (X1) or LPCS (V2), LPCI (V3) and HPSW (V4) fail following depressurization, resulting in core damage in a vulnerable containment.
SEQUENCE 6-1 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*Y*U4'

Same as Sequence 5 except CSS fails (W3), resulting in the loss of all containment overpressure protection. High suppression pool temperatures fail HPCI and CRD (1 pump mode) is initiated for core coolant (/U4). Increasing containment pressure is relieved by containment venting (/Y). CRD survives venting (/U4') and the core is safe in a vented containment.

SEQUENCE 6-2 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*Y*U4'*X3*V4

Same as Sequence 6-2 except CRD does not survive containment venting (U4'), the reactor is depressurized (/X1), and HPSW continues core cooling (/V4).

SEQUENCES 6-3 TO 6-4

Same as Sequence 6-2 except either reactor depressurization fails (X1), or HPSW fails (V4) following reactor depressurization, leading to core damage in a vented containment.

SEQUENCES 6-5 TO 6-8

Same as Sequences 6-1 to 6-4 except containment venting is unsuccessful (Y) and the containment ruptures (/R).

SEQUENCE 6-9 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*Y*R*U4'

Same as Sequence 6-5 except the containment does not rupture (R) but develops a leak. CRD continues coolant injection (/U4'), resulting in no core damage in a leaking containment.

SEQUENCE 6-10 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*Y*R*U4'

Same as Sequence 6-9 except CRD fails (U4') following the containment leak, at which point all coolant makeup is lost, resulting in core damage in a vulnerable containment.

SEQUENCE 6-11 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V2*W2

Same development as Sequence 6-1 until CRD fails to initiate (U4) following HPCI failure. The reactor is depressurized (/X1) to initiate LPCS for coolant injection (/V2). The reactor is sufficiently depressurized to initiate SDC for containment overpressure protection (/W2), resulting in a safe core and containment.

SEQUENCE 6-12 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V2*W2*Y*X3*V4

Same as Sequence 6-11 except SDC fails to provide containment overpressure protection (W2), followed by successful venting of the containment (/Y). Coolant injection is restored using HPSW (/V4) following reactor depressurization (/X3), resulting in a safe core in a vented containment.

SEQUENCES 6-13 TO 6-14

Same as Sequence 6-12 except either reactor depressurization fails (X3) or HPSW fails (V4) following reactor depressurization, resulting in core damage in a vented containment.

SEQUENCES 6-15 TO 6-17

Same as Sequences 6-12 to 6-14 except containment venting fails (Y) and the containment ruptures (/R).

SEQUENCE 6-18 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V2*W2*Y*R

Same as Sequence 6-11 until containment overpressure protection with SDC fails (W2), followed by failure of containment venting (Y). The containment does not rupture (R), and core damage results in a vulnerable containment.

SEQUENCES 6-19 TO 6-26

Same as Sequences 6-11 to 6-18 except LPCI provides coolant makeup (/V3) following failure of LPCS (V2).

SEQUENCES 6-27 TO 6-34

Same as Sequences 6-19 to 6-26 except HPSW provides coolant makeup (/V4) following failure of LPCI (V2).

SEQUENCE 6-35 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*X1*V2*V3*V4

Same as Sequence 6-11 until LPCS fails (V2) following reactor depressurization, followed by failure of both LPCI (V3) and HPSW (V4), at which point all coolant makeup is lost, resulting in core damage in a vulnerable containment.

SEQUENCE 6-36 -- TAC/DC*C*LOSP*M*P*U1*W1*X2*W3*U4*X1

Same as Sequence 6-11 until CRD fails to continue coolant makeup (U4) following HPCI failure. Reactor depressurization fails (X1), which disables all low-pressure core cooling systems, resulting in core damage in a vulnerable containment.
SEQUENCES 7 TO 12 Same as Sequences 1 to 6 except ACIC provides high pressure coolant makeup (/U2) following failure to initiate HPCI (U1). SEQUENCE 13-15 Same as Sequence 1 until failure to initiate HPCI (U1), followed by failure , of RCIC (U2). The reactor is depressurized (/X1) and LPCS is initiated for coolant makeup (/V2). Containment overpressure protection is provided by SPC (/W1), SDC (/W2), or CSS (/W3), resulting in a safe core and containment. SEQUENCES 16-1 TO 16-2 Same as Sequence 13 until SPC fails (W1), followed by failure of SDC (W2) and CSS (W3). Without containment overpressure protection, the pressure in containment rises until the SRVs close. Primary system pressure then rises, eventually failing LPCS (V2). CRD is initiated (/U4) for coolant makeup. High containment pressure is relieved by containment venting (/Y) . CRD continues to cool the core, or the reactor is depressurized (/X1) and HPSW cools the core (/V4) if CRD does not survive the venting. SEQUENCES 16-3 TO 16-4 Same as Sequence 16-1 except CRD does not survive containment venting and either reactor depressurization is unsuccessful (X1), or HPSW fails (V4) following reactor depressurization, resulting in core damage in a vented containment. SEQUENCES 16-5 TO 16-8 Same as Sequences 16-1 to 16-4 except containment venting fails (Y) and the containment eventually ruptures (/R). SEQUENCE 16-9 -- TAC /DC*C*LOSP*M*P*Ul*U2*X1*V2*W1*W2*W3*U4*Y*R*U4' Same as Sequence 16-5 except the containment does not rupture (R) but develops a leak. CRD survives (/U4') resulting in a safe core in a leaking containment. SEQUENCE 16-10 -- TAC /DC*C*LOSP*M*P*Ul*U2*X1*V2*W1*W2*W3*U4*Y*R*U4' Same as Sequence 16-9 except CRD does not survive the development of a leak i in containment (U4'), all coolant systems are lost, and core damage results l in a vulnerable containment. 4.4-85 t
f SEQUENCE 16-11.-- TAC /DC*C*LOSP*M*P*Ul*U2*X1*V2*W1*W2*W3*U4*Y*X3*V4 Same as Sequence 16-1 until CRD fails to initiate (U4) following loss of containment overpressure protection. Increasing containment pressure is relieved by containment venting (/Y) and HPSW is initiated to cool the core (/V4) following primary system depressurization (/X1). The core is safe in a vented containment. ; SEQUENCES 16-12 TO 16-13 Same as Sequence 16-11 except either HPSW fails to cool the core (V4) or. primary system depressurization fails (X1) prior to HPSW operation, result-ing in core damage in a vented containment. -l SEQUENCES 16 14 TO 16-16 Same as Sequences 16-11 to 16-13 except containment venting fails (Y) and the containment eventually ruptures (/R). SEQUENCE 16-17 -- TAC /DC*C*LOSP*M*P*Ul*U2*X1*V2*W1*W2*W3*U4*Y*R Same as Sequence 11 until containment venting fails (Y). The contain-ment does not rupture (R) and continues to pressurize, resulting in core damage in a vulnerable containment since the SRVs are forced closed preventing low pressure cooling. SEQUENCES 17 TO 20 Same as Sequences 13 to 15 except LPCI provides early core coolant (/V3) following LPCS failure (V2). SEQUENCES 21 TO 24 Same as Sequences 17 to 20 except HPSV provides early core coolant (/V4) following LPCI failure (V3). SEQUENCE 25 -- TAC /DC*C*LOSP*M*P*Ul*U2*X1*V2*V3*V4 Same as Sequence 21 until HPSW fails (V4), at which point all coolant makeup is lost, resulting in early core damage in a vulnerable containment. I SEQUENCE 26 -- TAC /DC*C*LOSP*M*P*Ul*U2*X1*U3*W1 Same as Sequence 13 until reactor depressurization fails (X1) following failure to initiate high-pressure coolant systems. CRD is initiated in the 4.4-86
two-pump mode to provide sufficient injection capacity (/U3). Containment overpressure protection is provided by SPC (/W1), resulting in a safe core and containment.

SEQUENCES 27-1 TO 27-3

Same as Sequence 26 until SPC fails to provide containment overpressure protection (W1), the reactor is depressurized (/X2), and SDC is initiated (/W2). Reactor depressurization for SDC increases CRD flow rate which, when considering CST inventory is depleting, is assumed to fail the CRD pumps due to low NPSH. LPCS (/V2), LPCI (/V3) or HPSW (/V4) is initiated for core coolant, resulting in a safe core and containment.

SEQUENCE 27-4 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W2*V2*V3*V4

Same as Sequence 27-1 until LPCS fails (V2) to initiate after CRD fails, followed by unsuccessful operation of LPCI (V3) and HPSW (V4), resulting in core damage in a vulnerable containment.

SEQUENCES 28-1 TO 28-4

Same as Sequences 27-1 to 27-4 except CSS provides containment overpressure protection (/W3) following SDC failure (W2).

SEQUENCE 29-1 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W2*W3*V2*Y*X3*V4

Same as Sequence 28-1 until CSS fails to initiate (W3), at which point all containment overpressure protection is lost. CRD failed due to reactor depressurization for SDC, so LPCS is initiated (/V2) to continue core cooling. Containment venting (/Y) is successful to relieve containment overpressurization, which fails LPCS due to low NPSH. The reactor is again depressurized (/X3) and HPSW cools the core, resulting in a safe core in a vented containment.

SEQUENCES 29-2 TO 29-3

Same as Sequence 29-1 except either HPSW fails (V4) or reactor depressurization fails (X3) prior to HPSW operation, leaving no system available for coolant makeup, resulting in core damage in a vented containment.

SEQUENCES 29-4 TO 29-6

Same as Sequences 29-1 to 29-3 except containment venting fails (Y) and the containment eventually ruptures (/R).
SEQUENCE 29-7 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W2*W3*V2*Y*R

Same as Sequence 29-4 until the containment fails to rupture (R), which precludes HPSW operation because of forced closure of the SRVs. This results in core damage in a vulnerable containment.

SEQUENCES 29-8 TO 29-14

Same as Sequences 29-1 to 29-7 except LPCS fails to initiate (V2) following containment cooling failure and LPCI provides coolant makeup (/V3).

SEQUENCES 29-15 TO 29-21

Same as Sequences 29-8 to 29-14 except LPCI fails to initiate (V3) following containment cooling failure and HPSW provides coolant makeup (/V4).

SEQUENCE 29-22 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W2*W3*V2*V3*V4

Same as Sequence 29-11 until LPCS fails (V2) following containment cooling failure. LPCI (V3) and HPSW (V4) also fail to initiate, resulting in core damage in a vulnerable containment.

SEQUENCE 30 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W3

Same as Sequence 26 until SPC fails (W1), followed by failure of reactor depressurization for SDC (X2). CSS is initiated to provide containment overpressure protection (/W3). Since reactor depressurization was unsuccessful, CRD does not fail, resulting in a safe core and containment.

SEQUENCES 31-1 TO 31-2

Same as Sequence 30 until CSS fails (W3), at which point all containment overpressure protection is lost. Eventually containment venting is performed to relieve containment overpressure (/Y). CRD continues to cool the core in the one-pump mode (/U4), or CRD fails on containment venting and HPSW cools the core (/V4), resulting in a safe core in a vented containment.

SEQUENCES 31-3 TO 31-4

Same as Sequence 31-2 except HPSW fails (V4) or reactor depressurization fails prior to HPSW operation (X3), resulting in core damage in a vented containment.
SEQUENCES 31-5 TO 31-8

Same as Sequences 31-1 to 31-4 except containment venting fails (Y) and the containment eventually ruptures (/R).

SEQUENCE 31-9 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W3*Y*R*U4

Same as Sequence 31-5 except the containment does not rupture (R) but develops a leak. CRD continues to cool the core, resulting in a safe core in a leaked containment.

SEQUENCE 31-10 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3*W1*X2*W3*Y*R*U4

Same as Sequence 31-9 except CRD does not survive the containment leak (U4), resulting in core damage in a vulnerable containment.

SEQUENCE 32 -- TAC/DC*C*LOSP*M*P*U1*U2*X1*U3

Same as Sequence 26 until CRD fails to initiate (U3) in the two-pump mode following failure to depressurize the reactor, which leaves no system available for coolant makeup. Early core damage results in a vulnerable containment.

SEQUENCE 33 -- TAC/DC*C*LOSP*M*P1

A loss of an AC or DC bus occurs (TAC/DC) which generates a reactor scram condition and the RPS successfully inserts the rods into the core (/C). Offsite power is maintained (/LOSP) and the SRVs open to control the pressure (/M), but one SRV fails to close (P1) and the sequence is transferred to the S2 LOCA tree.

SEQUENCE 34 -- TAC/DC*C*LOSP*M*P2

Same as Sequence 33 except two SRVs fail to close (P2) and the sequence is transferred to the S1 LOCA tree.

SEQUENCE 35 -- TAC/DC*C*LOSP*M*P3

Same as Sequence 33 except three or more SRVs fail to close (P3) and the sequence is transferred to the A LOCA tree.

SEQUENCE 36 -- TAC/DC*C*LOSP*M

Same as Sequence 33 except the SRVs fail to open to control reactor pressure (M) and the sequence is not developed further due to low probability.
SEQUENCE 37 -- TAC/DC*C*LOSP

A loss of an AC or DC bus occurs (TAC/DC) and the RPS successfully scrams the reactor (/C). Offsite power is not maintained (LOSP) and the sequence is transferred to the T1 tree.

SEQUENCE 38 -- TAC/DC*C

A loss of an AC or DC bus occurs (TAC/DC) and the RPS fails to scram the reactor (C) and the sequence is transferred to the ATWS tree.

4.4.13 "V" (Interfacing LOCA) Sequence

This type of scenario typically involves the failure of a high-to-low pressure interface such that reactor pressure causes failure within a low-pressure system. This could possibly create an unmitigatable LOCA (worst case) with a fission product release path through the low-pressure system, thereby bypassing the suppression pool and containment. References 12 and 49 suggest that, on the basis of precursor events, such a failure is most likely to occur while performing stroke valve testing of isolation valves during power operation.

In Reference 49, the U.S. Nuclear Regulatory Commission performed an analysis in which it was estimated, based on precursor events, that the frequency of inadvertent pressurization of a low-pressure line is approximately 1E-2/year. Additional years of experience since that analysis suggest this estimate should now be approximately 5E-3/year. In that analysis, it is judged that, given an inadvertent pressurization, the probability of a significant open pathway, such as a pipe break, occurring so as to potentially cause core damage is 1E-2 to 1E-3. In Reference 50, the BWR Owner's Group provides a detailed analysis of a pipe rupture probability and estimates it at 3E-5. These results yield frequencies of a significant open pathway from the reactor vessel through a low-pressure system of ~E-5 to E-7. While such a pathway would fail the low-pressure system involved, four other factors must be considered in order to arrive at a core damage frequency from such an occurrence.
First, Peach Bottom's emergency core cooling systems (ECCS) designs are highly compartmentalized in flood-proof rooms. This means that other ECCS would likely be available to makeup cooling to the core. Secondly, Condensate would likely still be available in such a sequence since the majority of the equipment is outside the reactor building and hence not subject to any adverse environment caused by the scenario. Third, High-Pressure Service Water (HPSW) may still be available to use for coolant makeup. Last, operation of the Safety Relief Valves (SRVs) to depressurize the reactor (thus slowing the leak rate) and reclosing of the necessary valves to stop the leak (the valves are typically located in their own rooms high above the pump rooms) are likely to occur since the operator would receive numerous alarms when the leak occurs. With all these mitigative features, the core damage frequency resulting from a "V" scenario is estimated to be at or below E-8.
Since it is not apparent that the precursor events reported in Reference 49 are applicable for Peach Bottom, depending on design and operational differences among plants, a separate analysis was performed for this study as reported below.

Review of the piping interfaces with the primary system showed that the two LPCS injection lines and two LPCI injection lines were possible areas where the "V" sequence, as described, might occur. Testing procedures were reviewed. In each case, because of the equipment configuration and testing procedures, it was found that two hardware failures and two human errors would have to occur to initiate the "V" sequence during testing (refer to Figure 4.4-11 later for typical arrangements).

First, the testable check valve must leak or rupture and go undetected. Since the MOVs are stroke tested at least quarterly, and using 8E-7/hr (mean) and 2.7E-8/hr (mean) based on WASH-1400 data for leak and rupture failure rates [4] of the testable check valve, the probability that there has been a failure of the check valve between tests is ~9E-4 (mean value using 1/2 λt where λ are the rates above and t is equal to 3 months). Note that if the valve were to fail, detection is likely since Peach Bottom has disc position indication for such valves.

The operator must then have failed to reclose the normally open MOV used to maintain the high-low pressure interface during the test. Using ASEP's nominal Human Reliability Analysis (HRA) value of 0.02 for failure of a step-by-step task performed under moderate stress [25], and further reducing it by a factor of at least five (i.e., using the suggested lower bound value) to account for the clarity in the procedure and the nonstress situation, yields an operator failure probability to close the MOV of 4E-3 (mean).
Following procedures, the operator is to open the bypass valve and then pressurize the line segment using the air test connection to near reactor pressure before opening the MOV being stroke-tested. Such a process would be virtually impossible if the previously mentioned MOV had not been closed to hold the pressure. Otherwise, pressure could not be maintained and the relief valve would lift before the pressure in the line could reach high pressure. Therefore, a nonrecovery probability is applied to failure to close the normally open MOV. This probability must be very small; estimated at 1E-4 to account for a possible plug in the line such that the operator could still pressurize the line segment.

Then, an interlock exists between the normally open MOV and the MOV to be stroked such that both valves cannot be open at the same time. Failure of this interlock would have to occur and is estimated at 2.5E-2 based on possible limit switch failure (2.4E-2 per Indian Point study data [20]) or failure of the circuitry (1E-3 per ASEP generic data). Combining all these failures leads to a very small probability for the "V" sequence's occurring in this way (<1E-8 per year).

Other lines were examined, such as the RHR shutdown cooling path and HPCI and RCIC lines. In such cases, these paths also appeared to offer low chances for the "V" scenario, considering similar interlock failure requirements or, in the case of HPCI and RCIC, the fact that an additional feedwater check valve would have to fail and that high-pressure piping exists for much of the system. In addition, these rooms are normally
[Figure 4.4-11 (graphic not recovered)]
secured closed and leak tight so that only one room (and system) should be affected.

Also reviewed was the chance that two valves in series (typically a check valve and one MOV) leaked or ruptured between tests and went unnoticed (again refer to Figure 4.4-11). Allowing leak or rupture of the check valve and the MOV within a quarter year time period results in a probability of such an occurrence as approximately 8E-7 (mean) during any one quarter, or about 3E-6 per year. However, with pressure switches located in each line so as to detect such a dual failure, the probability of going undetected appears small. In addition, a catastrophic failure to create the LOCA would have to occur, and more than one room would have to be affected in order to prevent successful mitigation. These last two considerations would appear to suggest that at least another factor of 1E-2 should be applied before the "V" sequence actually leads to core damage.

On the basis of this review and the quantitative and qualitative arguments supplied above, it appears reasonable that the "V" scenario can be estimated at or below 1E-8 per year. This is the threshold value used in the Peach Bottom analysis for defining dominant accident sequences, and so the "V" sequence is not examined any further.

4.4.14 Discussion of Reactor Vessel Rupture (R) Event

The frequency of a rupture of the reactor vessel large enough to be beyond the capacity of the ECCS was estimated in the Reactor Safety Study (RSS) [4] to have a median value of 1.0E-7/yr. with an error spread of a factor of 10. This value is based on an Advisory Committee on Reactor Safeguards report which examined actual data on many types of non-nuclear pressure vessel failures and data from the United States Navy and commercial reactor experience.
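The screening arithmetic of the "V" sequence analysis in Section 4.4.13 can be carried through step by step; the following is an added example, not part of the original report. The rates and probabilities are the ones quoted in the text; the 2190-hour quarter, the count of 16 stroke tests per year (four injection lines tested quarterly), the use of the check valve rates for the series MOV, and the derived pressure-switch figure are assumptions of this example.

```python
"""Screening arithmetic for the "V" (interfacing LOCA) sequence, Section 4.4.13."""
import math

# Values quoted in the text
CHECK_VALVE_LEAK_RATE = 8e-7        # per hour (mean), WASH-1400 data
CHECK_VALVE_RUPTURE_RATE = 2.7e-8   # per hour (mean), WASH-1400 data
ASEP_NOMINAL_HEP = 0.02             # step-by-step task, moderate stress
HEP_REDUCTION_FACTOR = 5            # clear procedure, nonstress situation
NONRECOVERY_PLUGGED_LINE = 1e-4     # line can still be pressurized (plug)
LIMIT_SWITCH_FAILURE = 2.4e-2       # Indian Point study data
INTERLOCK_CIRCUIT_FAILURE = 1e-3    # ASEP generic data
ADDITIONAL_FACTOR = 1e-2            # catastrophic failure, multiple rooms
SCREENING_THRESHOLD = 1e-8          # per year, dominant-sequence cutoff

# Assumptions of this example (not stated numerically in the text)
HOURS_PER_QUARTER = 8760 / 4        # t = 3 months
TESTS_PER_YEAR = 4 * 4              # 2 LPCS + 2 LPCI lines, quarterly tests


def standby_failure_probability(rate_per_hr, interval_hr):
    """Mean probability that a standby component has failed between tests.

    This is the 1/2 * lambda * t approximation used in the text.
    """
    return 0.5 * rate_per_hr * interval_hr


def check_valve_failed_between_tests():
    """Testable check valve has leaked or ruptured since the last test."""
    rate = CHECK_VALVE_LEAK_RATE + CHECK_VALVE_RUPTURE_RATE
    return standby_failure_probability(rate, HOURS_PER_QUARTER)


def operator_fails_to_close_mov():
    """Nominal ASEP value reduced by the factor of five cited in the text."""
    return ASEP_NOMINAL_HEP / HEP_REDUCTION_FACTOR


def interlock_fails():
    """Limit switch OR circuitry failure (rare-event sum of the two)."""
    return LIMIT_SWITCH_FAILURE + INTERLOCK_CIRCUIT_FAILURE


def v_sequence_per_test():
    """All four failures must coincide during one stroke test."""
    return (check_valve_failed_between_tests()
            * operator_fails_to_close_mov()
            * NONRECOVERY_PLUGGED_LINE
            * interlock_fails())


def v_sequence_per_year(tests_per_year=TESTS_PER_YEAR):
    """Annual frequency under the assumed number of stroke tests."""
    return v_sequence_per_test() * tests_per_year


def dual_valve_failure_per_quarter():
    """Check valve and series MOV both fail within one quarter.

    Assumption: the MOV is given the same leak/rupture rates as the
    check valve, which reproduces the ~8E-7 figure in the text.
    """
    return check_valve_failed_between_tests() ** 2


def dual_valve_failure_per_year():
    return 4 * dual_valve_failure_per_quarter()


def nondetection_needed_for_threshold():
    """Pressure-switch miss probability at which the dual-failure path,
    after the additional 1E-2 factor, just reaches the 1E-8/yr cutoff
    (a figure derived here, not given in the text)."""
    return SCREENING_THRESHOLD / (dual_valve_failure_per_year() * ADDITIONAL_FACTOR)


if __name__ == "__main__":
    rows = [
        ("check valve failed between tests", check_valve_failed_between_tests()),
        ("operator fails to close MOV", operator_fails_to_close_mov()),
        ("nonrecovery (plugged line)", NONRECOVERY_PLUGGED_LINE),
        ("interlock fails", interlock_fails()),
        ("V sequence per test", v_sequence_per_test()),
        ("V sequence per year (assumed tests)", v_sequence_per_year()),
        ("dual valve failure per quarter", dual_valve_failure_per_quarter()),
        ("dual valve failure per year", dual_valve_failure_per_year()),
        ("nondetection needed for cutoff", nondetection_needed_for_threshold()),
    ]
    for label, value in rows:
        print(f"{label:38s} {value:.2e}")
    assert v_sequence_per_year() < SCREENING_THRESHOLD
```

The testing path falls about two orders of magnitude below the 1E-8 per year cutoff, while the dual-failure path depends on the pressure switches and the additional 1E-2 factor to get there.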
The important conclusions reached from this analysis are that the disruptive failure probability of reactor vessels designed to nuclear standards is less than 1.0E-6/yr., and the disruptive failure probability of such vessels beyond the capability of engineered safety feature is even lower. The RSS value of 1.0E-7/yr. represents the only estimate of a reactor vessel rupture beyond the capability of the ECCS used in previous PRAs.

Recent analyses of Pressurized Thermal Shock (PTS) in Pressurized Water Reactors (PWRs) are useful in determining the adequacy of the RSS estimate. The PTS analysis was conducted for three plants believed to be particularly susceptible to PTS and evaluated the frequency of flaw propagation through the vessel wall (i.e., vessel rupture) during overcooling transients. Overcooling transients are of particular concern for PTS because thermal stresses are superimposed upon hoop stresses present while the vessel is at or near operating pressure. The frequency of such overcooling transients was calculated using PRA techniques. The thermal-hydraulic conditions in the vessel downcomer region for the overcooling transients were calculated using thermal-hydraulic computer codes. The results from these calculations were used as boundary conditions for a probabilistic fracture-mechanics analysis of the reactor vessels.
The results of these PTS analyses indicate that the frequency of vessel rupture due to PTS is highly uncertain. For the H. B. Robinson plant [51], which is a PWR, the frequency of vessel rupture due to PTS was calculated to have a point estimate of 1.5E-8 and the following distribution:

95% Upper Bound    1.5E-5
Mean               8.4E-6
Median             2.3E-8
5% Lower Bound     1.9E-11

These values were calculated for a hypothetical reactor vessel as the results for the actual H. B. Robinson vessel were too low to permit an illustration of the probabilistic fracture-mechanics analysis method. The large uncertainty is a result of the large uncertainty on the density of the flaws in the vessel.

Three general observations can be drawn from the PTS work concerning the potential for vessel rupture in a BWR. First, the potential of vessel rupture due to PTS in a BWR is generally expected as being substantially less than for a PWR. The fact that BWRs operate at a lower pressure reduces the hoop stress and the design of the vessel allows natural circulation, which reduces thermal stresses during overcooling transients. Second, the PTS calculations for scenarios involving small thermal transients provide some indication of the probability of vessel rupture due to random failure (i.e., flaw propagation occurring with hoop stresses only). A reactor trip situation at H. B. Robinson analyzed in Reference [51] provides such a minimal thermal transient. The frequency of vessel rupture for this situation was calculated as less than 1.0E-10/yr. Third, the frequency of vessel rupture due to PTS is highly uncertain, and the published results for H. B. Robinson are overly conservative since they were calculated for a hypothetical reactor vessel which would be more susceptible to PTS.

Based on these observations, the frequency of vessel rupture in a BWR used in the RSS is believed to be overly conservative. A frequency of less than 1.0E-8/yr. would appear to be more realistic. Therefore, vessel rupture was not considered further in this study.

4.4.15 Anticipated Transient Without Scram Event Tree

4.4.15.1 Event Tree

The ATWS event tree is shown in Figure 4.4-12. The following discussions define the event tree headings and the sequences. Events in the tree include:

T: An initiating event occurs which requires the reactor to be tripped.
[Figure 4.4-12. ATWS event tree (graphic not recovered)]
RPSM: Success or failure of the Reactor Protection System-Mechanical (RPSM). Success implies the mechanical portion of the RPS functions properly and reactor scram is imminent upon receipt of the RPS electrical signal. Failure assumes that all rods are inoperable or otherwise left in the position that they occupied before the transient occurred and the operator cannot manually scram the reactor or manually insert the rods.

RPSE: Success or failure of the Reactor Protection System-Electrical (RPSE). Success implies the reactor scram signal operates and reactor subcriticality will be achieved if the rods insert. Failure implies the scram valves did not receive the RPS signal to scram and the control rods are not inserted into the reactor.

ARI: Success or failure of the Alternate Rod Insertion (ARI) system. Success implies the scram valves receive the actuation signal from the system separate from the previously failed RPSE system. Failure implies the actuation signal was not received by the scram valves and the rods are not inserted into the reactor.

SCRM: Success or failure of an attempt to manually scram the reactor. Success implies the operator has activated the reactor scram hydraulic system, the control rods are inserted into the reactor, and subcriticality is achieved. Failure implies the control rods are not inserted into the core.
RPT: Success or failure of a trip of the recirculation pumps. Success implies the recirculation pumps are automatically or manually tripped. RPT success reduces moderator effectiveness, thereby reducing both the power and pressure increase. If manual or automatic pump trip fails, the pumps will cavitate and fail when the operator drops the level to near the top of the active fuel.

ROD: Success or failure of manual rod insertion. Success implies the operator inserts the rods individually into the core and subcriticality is achieved. Failure implies operator cannot manually insert the control rods into the core.

M: Success or failure of overpressure protection by the SRVs. Success implies the SRVs open and the reactor vessel pressure drops or is otherwise stabilized. Failure implies that an insufficient number of SRVs operate to control pressure.

SLC: Success or failure of the Standby Liquid Control System. Success implies the operator initiates the SLC system and one or both pumps function to decrease the reactivity of the core. Failure implies insufficient boration of the core to achieve subcriticality in a timely manner (4 minutes used in this analysis).
I: Success or failure to inhibit the ADS system. Success implies the reactor remains at high pressure to allow HPCI to operate by preventing the ADS from activating to depressurize the reactor. Failure implies ADS is not inhibited and the reactor is subsequently depressurized because of low water level and high drywell pressure conditions.

U1: Success or failure of the High Pressure Coolant Injection (HPCI) system. Success implies HPCI automatically actuates or is manually actuated to provide coolant makeup. Failure implies HPCI does not initiate to provide coolant makeup or operates an insufficient amount of time.

X1: Success or failure of reactor depressurization. Success implies the operator lowers reactor pressure with SRVs to use low pressure cooling following high pressure cooling failure. Failure implies the reactor remains at high pressure.

V: Success or failure of low pressure systems to cool the core. Success implies the reactor water level is maintained so as to provide sufficient core cooling (defined as a reactor water level of two feet above the bottom of the active fuel) using the Condensate, LPCI, LPCS or other low pressure systems when the reactor pressure drops to approximately 400 psig. Failure implies low pressure cooling systems do not provide sufficient injection capacity to the reactor.

W: Success or failure of the RHR system in the SPC or CSS mode. Success implies that the RHR system is operated to provide sufficient containment overpressure protection so that containment integrity is not jeopardized. Failure implies that containment venting must be performed or containment failure occurs because of insufficient heat removal.

The following descriptions refer to the sequences found in Figure 4.4-12.
SEQUENCE 1 -- T*RPSM*RPSE

A transient occurs that requires the reactor to scram (T). The mechanical RPS functions successfully (/RPSM). The RPS electrical system sends the scram signal to the scram valves (/RPSE). All of the rods are assumed to go into the core and reactor shutdown is achieved. The event then becomes a normal transient and is transferred to the appropriate transient event tree depending on the initiating event.

SEQUENCE 2 -- T*RPSM*RPSE*ARI

A transient occurs that requires the reactor to scram (T). The mechanical RPS functions successfully (/RPSM) but the RPS electrical system fails (RPSE). A diverse scram signal is successfully sent to the alternate scram valves by the ARI and the reactor is scrammed (/ARI). The sequence is then the same as Sequence 1.

SEQUENCE 3 -- T*RPSM*RPSE*ARI*SCRM

Same as Sequence 2 except ARI fails to signal the scram valves to function. The operator then succeeds in scramming the reactor manually (/SCRM).

SEQUENCE 4 -- T*RPSM*RPSE*ARI*SCRM*ROD

Same as Sequence 3 except manual scram of the reactor fails (SCRM) and the operator successfully inserts the rods into the core by manually driving in the rods (/ROD).

SEQUENCE 5 -- T*RPSM*RPSE*ARI*SCRM*ROD

Same as Sequence 4 except the operator fails to manually insert the control rods (ROD). This sequence is not developed further since the probability of this sequence is currently estimated to be below 1.0E-8.

SEQUENCE 6 -- T*RPSM*RPT*M*SLC*I*U1*W

A transient occurs that requires the reactor to scram (T). The mechanical RPS fails (RPSM) which eliminates any possibility to scram the reactor or manually insert the control rods. The recirculation pumps are tripped (/RPT) and the SRVs properly cycle to control reactor pressure (/M). SLC is initiated to inject borated water into the reactor to reduce reactivity (/SLC). The ADS valves are inhibited (/I) to maintain sufficient reactor pressure to initiate HPCI for coolant makeup (/U1). The RHR system is initiated in the SPC or CSS mode (/W) to provide containment overpressure protection, resulting in a safe core and containment.

SEQUENCE 7 -- T*RPSM*RPT*M*SLC*I*U1*W

Same as Sequence 6 except the RHR system fails to provide containment overpressure protection (W). This results in a core vulnerable state. (Note: Since this sequence probability was estimated at or below 1.0E-8 at this point (see Section 4.10), resolution of the vulnerable state was not necessary).

SEQUENCE 8 -- T*RPSM*RPT*M*SLC*I*U1*X1*V*W

Same as Sequence 6 until HPCI fails (U1). The reactor is depressurized (/X1) and a low pressure core cooling system is initiated for coolant makeup (/V). The RHR system in the SPC or CSS mode provides containment overpressure protection (/W), resulting in a safe core and containment.
SEQUENCE 9 -- T*RPSM*RPT*M*SLC*I*U1*X1*V*W

Same as Sequence 8 except the RHR system fails to provide containment overpressure protection (W), resulting in a core vulnerable state. (Note: Since this sequence probability was estimated at or below 1.0E-8 at this point (see Section 4.10), resolution of the vulnerable state was not necessary).

SEQUENCE 10 -- T*RPSM*RPT*M*SLC*I*U1*X1*V

Same as Sequence 8 except low pressure core cooling fails (V), resulting in core damage in a vulnerable containment.

SEQUENCE 11 -- T*RPSM*RPT*M*SLC*I*U1*X1

Same as Sequence 10 except reactor depressurization fails (X1) and core cooling capability is lost, resulting in core damage in a vulnerable containment.

SEQUENCE 12 -- T*RPSM*RPT*M*SLC*I*V*W

A transient occurs that requires the reactor to scram (T). The mechanical RPS fails (RPSM) which eliminates any possibility to scram the reactor or manually insert the control rods. The recirculation pumps are tripped (/RPT) and the SRVs properly cycle to control reactor pressure (/M). SLC is initiated to inject borated water into the reactor to reduce reactivity (/SLC). The ADS valves are not inhibited (I) and the reactor depressurizes which allows low pressure core cooling systems to operate (/V). The RHR system in the SPC or CSS mode is initiated for containment overpressure protection (/W), resulting in a safe core and containment.

SEQUENCE 13 -- T*RPSM*RPT*M*SLC*I*V*W

Same as Sequence 12 except the RHR system fails to provide containment overpressure protection (W), resulting in a core vulnerable state. (Note: Since this sequence probability was estimated at or below 1.0E-8 at this point (see Section 4.10), resolution of the vulnerable state was not necessary).

SEQUENCE 14 -- T*RPSM*RPT*M*SLC*I*V

Same as Sequence 12 except low pressure core cooling is unsuccessful (V), resulting in core damage in a vulnerable containment.
SEQUENCE 15 -- T*RPSM*RPT*M*SLC

A transient occurs that requires the reactor to scram (T). The mechanical RPS fails (RPSM) which eliminates any possibility to scram the reactor or manually insert the control rods. The recirculation pumps are tripped (/RPT) and the SRVs properly cycle to control reactor pressure (/M). SLC fails to initiate (SLC) which initiates a series of events that lead to core damage. Steam from the reactor vessel is continuously dumped into the suppression pool, which increases the pool temperature and pressure. HPCI might be used for core cooling until it fails on high suppression pool temperature, which is likely to occur in approximately 15 minutes. The reactor must then be depressurized to allow low pressure systems to cool the core. The containment is becoming overpressurized and venting is likely to be performed to prevent rupture of the containment. Low pressure core cooling systems (LPCS, LPCI) are assumed to fail during containment venting or subsequent containment failure due to insufficient NPSH for the pumps. Containment venting or containment failure will begin to fill the reactor building with steam and could potentially enter the turbine building by failing the blowout panels that lead to the turbine building.

Core cooling must be initiated at this point with a large capacity system. Condensate could be initiated but is likely to fail because of limited capacity in the condenser or because of steam effects. HPSW is the final system with the capacity to provide sufficient cooling. However, the expert elicitation process indicates that the presence of steam in the reactor building will very likely fail HPSW valves with a probability of ≥0.7. Since all core cooling systems are very likely to be lost in this sequence, the development of the event tree was constructed to simply show that failure to scram and loss of SLC will lead to core damage. However, this assumption does not seem too conservative in light of the very high probabilities associated with the loss of both high and low pressure cooling systems of sufficient capacity to mitigate this accident sequence.

SEQUENCE 16 -- T*RPSM*RPT*M

Same as Sequence 15 except the SRVs fail to control reactor pressure (M) and the sequence is not developed further due to an estimated probability below 1.0E-8.

SEQUENCE 17 -- T*RPSM*RPT

A transient occurs that requires the reactor to scram (T). The recirculation pumps fail to trip and the sequence is not developed further due to an estimated probability below 1.0E-8.

4.4.16 Event Tree Nomenclature

Table 4.4-1 contains a summary of the nomenclature used to identify the systems on the event trees.
Table 4.4-1 Event Tree Nomenclature

ARI - Failure of the Alternate Rod Insertion System
B - Failure of all AC power (station blackout)
C - Failure of the Reactor Protection System (RPS)
C1 - Failure of RPS and manual scram
I - Failure to inhibit the ADS system
L - Failure of operator to isolate S3 "leak"
LOSP, LOSP1 - Failure to maintain offsite power; different designations for this event are for different frequencies
M - Failure of Safety Relief Valves (SRVs) to open
P - Failure of SRVs to close
P1, P2, P3 - Failure of one, two or three SRVs to reclose
Q, Q1, Q2 - Failure of the Power Conversion System (PCS); different designations for this event are for different frequencies
ROD - Failure to manually insert the control rods
RPSM - Failure of the mechanical RPS
RPSE - Failure of the electrical RPS
RPT - Failure to trip the recirculation pumps
SCRM - Failure to manually scram the reactor
SLC - Failure of the Standby Liquid Control System
U1 - Failure of the High Pressure Coolant Injection (HPCI) system
U1' - Failure of HPCI without ventilation
U2 - Failure of the Reactor Core Isolation Cooling (RCIC) system
U2' - Failure of RCIC without ventilation
U3 - Failure of the Control Rod Drive (CRD) system (2 pump mode)
U4 - Failure of the Control Rod Drive (CRD) system (1 pump mode)
U4' - Failure of CRD to survive containment venting
V1 - Failure of the Condensate system
V1' - Failure of Condensate to survive containment venting
V2 - Failure of the Low Pressure Core Spray (LPCS) system
V3 - Failure of the Low Pressure Coolant Injection (LPCI) system
V4 - Failure of the High Pressure Service Water (HPSW) system as an injection source to the reactor
V4' - Failure of HPSW (injection source) to survive containment venting
R - Rupture of the containment
W1 - Failure of the Suppression Pool Cooling (SPC) mode of RHR
W2 - Failure of the Shutdown Cooling (SDC) mode of the RHR
W3 - Failure of the Containment Spray (CS) mode of the RHR
X1 - Failure to depressurize the primary system via SRVs or the Automatic Depressurization System (ADS)
X2 - Failure to depressurize the primary system to allow SDC to operate
X3 - Failure to depressurize the primary system subsequent to an initial primary system depressurization
Y - Failure of Primary Containment Venting system (including makeup to the pool as required)
4.5 Plant Damage State Analysis

The plant damage states are the interface between the front-end analysis, or system analysis leading to core damage accident sequences, and the back-end analysis. In order to provide for this interface, the cut sets for the accident sequences contributing to core damage must be sorted into groups with common attributes relative to the back-end accident progression event trees. This could be accomplished by constructing a bridge tree between the sequence event tree and the containment event tree or by answering selected questions for each cut set that specify the state of the systems or phenomena when core damage occurs. The latter approach was chosen for Peach Bottom.

4.5.1 Plant Damage State Definitions

Sixteen questions were determined by the back-end analyst to properly describe the state of the systems as the plant accident progresses into a core damage situation. Each unique set of answers to the sixteen questions is defined as a plant damage state (PDS). Each unique plant damage state potentially results in a different challenge to the containment and ultimately a different source term release to the environment. Table 4.5-1 lists the sixteen questions posed for Peach Bottom.

The total possible combination of answers, and hence plant damage states, is the product of the number of answers for each question. This is a very large and clearly unmanageable number. However, a number of combinations are not logical and many combinations are not significant for any given analysis. Thus, the expectation was that a reasonable number of plant damage states would evolve, which was the actual outcome of the analysis.

During the process of examining each cut set, certain information was useful in determining the answers and providing guidelines to simplifying the task. Questions 1 (initiating event) and 5 (stuck-open relief valve) can be answered by inspection of the accident sequence itself. Question 6 concerning success or failure of HPCI and RCIC may or may not be obvious from the accident sequence. If the initiator is a large or medium LOCA, steam to HPCI and RCIC will be lost early so that, effectively, both fail.

The word "initially" used in these questions means during the period prior to the time of core damage.

Answers to several questions include a case where the system has not failed due to hardware, but due to loss of power. Thus, if power were restored, the system potentially could operate. The purpose of these questions, as well as some others, is to determine if water could be injected later during the accident progression. Injection could mitigate the core melt or it could cause detrimental effects. That is a back-end concern, but the answers to these front-end system questions establish the input state to the back-end analysis.

Similarly, several questions have answers indicating that the system is available. That is, the system may be operating, but the pressure is too high for injection, or perhaps the number of pumps is insufficient for
Table 4.5-1. Peach Bottom APET Questions for Plant Damage States

In order to define the plant damage states for Peach Bottom, the following information is needed for each cut set of each accident sequence such that each question is uniquely answered.

1. What is the Initiating Event (IE)?
   1) A - Large LOCA
   2) S1 - Medium LOCA
   3) S2/3 - Small/small-small LOCA
   4) T - Transient (all other transients)
   5) TC - Transient without scram (ATWS)
   6) IORV - Inadvertent open relief valve

2. Is there a Loss of Offsite Power (LOSP)?
   1) Seismic induced LOSP
   2) LOSP IE or random LOSP
   3) No LOSP

3. Is there a station blackout (Event B)?
   1) Yes - LOSP IE or random LOSP and loss of all Diesel Generators (DGs)
   2) No - At least one DG working

4. Is DC power available given a station blackout?
   1) No - All DC is failed
   2) Yes - At least one train of DC is working

5. Does a safety relief valve (SRV) stick open early?
   1) Yes - At least one SRV sticks open (P1, P2, or P3)
   2) No - No stuck open SRV

6. Are the High Pressure Injection system (HPI) and Reactor Core Isolation Cooling system (RCIC) initially working (Events U1 and U2)?
   1) No - Both HPCI and RCIC have initially failed.
   2) Yes - Either HPCI or RCIC is initially working.
   If these systems work initially, there is no core damage. There is no recovery after core damage since no steam will be available. Both systems work after LOSP and at high pressure so there are no recoverable or available questions.

7. Is the Control Rod Drive system (CRD) initially working (Events U3 and U4)?
   1) fCRD - CRD is definitely failed.
   2) rCRD - CRD is not on but has not failed either (i.e., depends on LOSP or T1 restored).
   3) Yes - CRD is working.
   (This assumes that if it can work then it's normally on; therefore, no availability question is asked).

8. What is the initial vessel pressure (Events X1 and X2)?
   1) fADS - ADS has failed; therefore, the vessel cannot go to low pressure.
   2) High - Auto ADS has failed and the vessel can go to low pressure but the operator has not depressurized.
   3) Low - Auto ADS or manual depressurization has worked or any LOCA or transient and stuck open SRV has occurred except for ATWS.

9. What is the initial status of low pressure ECCS (Events V2 and V3)?
   1) fLPC - Both LPCI and LPCS have failed and cannot be recovered.
   2) Recoverable - Both are not currently available but can be recovered (i.e., if LOSP and B or T1 and B restored).
   3) Available - One pump is running but no injection due to high vessel pressure.
   4) Yes - Either LPCS or LPCI is working

10. What is the initial status of Residual Heat Removal systems, RHR (SCS, SPC, CSS), i.e., W1, W2, and W3?
   1) fRHR - All RHR modes are failed.
   2) Recoverable - All RHR modes are currently unavailable but can be recovered after LOSP and B or T1 and B restored.
   3) Yes - One RHR mode is available and working.
   (no available question, since if on, it will work).

11. What is the initial status of Condensate (Event V1)?
   1) fCOND - condensate is failed.
   2) rCOND - condensate is recoverable (after LOSP or T1 restored).
   3) aCOND - condensate is available but not injecting.
   4) Yes - condensate is working (not possible given core damage).

12. What is the initial status of High Pressure Service Water system, HPSW (Event V4)?
   1) fHPSW - HPSW is failed.
   2) rHPSW - HPSW is recoverable (after LOSP and B or T1 and B restored).
   3) aHPSW - HPSW is available. Manual lineup and actuation required.
   4) Yes - HPSW is working (not possible given core damage).

13. What is the initial status of the Containment Spray System (CSS) (Event W3)?
   1) fCSS - CSS is failed.
   2) rCSS - CSS is recoverable (after LOSP and B or T1 and B restored).
   3) aCSS - CSS is available, but manual actuation is required.
   4) Yes - CSS is working.

14. Is the containment vented before core damage (Event Y)?
   1) No - Containment is not vented.
   2) DW - Drywell vent (not likely at Peach Bottom).
   3) uDW - Drywell is vented in ATWS, but pressure still high.
   4) uWW - Wetwell is vented in ATWS, but pressure is still high.
   5) WW - Wetwell vent

15. What is the level of containment leakage?
   1) No leakage in excess of tech spec.
   2) Level 2 leakage occurs after accident (leak).
   3) Level 3 leakage occurs after accident (rupture).
   4) Level 2 leakage occurs before accident or isolation failure (leak).
   5) Level 3 leakage occurs before accident or isolation failure (rupture).
   (A leak vs. rupture depends on the sequence. In non-ATWS sequences, a leak would be about an 8 inch line or less. For ATWS sequences, a leak would be less than two 18 inch lines.)

16. What is the location of leakage?
   1) Containment intact
   2) Drywell
   3) Drywell Head
   4) Wetwell
success in preventing core damage, but could affect the back-end situation. Also, the system could be available if the operator should choose to use it. The answer to Question 14 is 1 if anything fails that would prevent venting and X where venting is possible, but not asked in the system event trees.

Containment leakage is derived from the containment isolation system fault tree. Initially, if isolation failure occurs with probability one, it is in the drywell and designated as 22 for the answers to Questions 15 and 16. This is the case for loss of the 4160 volt AC bus B. If random failures of valves cause the leakage, the description is Y2 given LOSP and X2 otherwise. Subsequently, it was determined that containment isolation failure does not result in a significant leak at Peach Bottom. An isolation fault tree was constructed and two paths had the potential to be unisolated with a significant probability: the RBCW RCP seal cooling line and the drywell (DW) drain lines. From the back-end perspective, neither of these was important. The RBSW lines are not connected to the primary and leakage into the RBCW system is unlikely. The DW sump lines require a double random valve failure which has a probability low enough to be neglected.
A complete discussion of the plant damage states is given in the accident progression event trees section of NUREG/CR-4551, Volume 3.

4.5.2 Descriptions of the PDS Vector

The sixteen character vector describing the plant damage state (i.e., the answers to the 16 questions) can be subdivided into seven groups of questions that fit together logically.

Question 1 - What is the Initiating Event?
Questions 2, 3, and 4 - What Electric Power is available?
Question 5 - Do any Safety Relief Valves stick open?
Questions 6 and 7 - What is the status of the High Pressure Systems?
Question 8 - What is the status of RCS Depressurization?
Questions 9 to 13 - What is the status of the Low Pressure and decay heat removal Systems?
Questions 14 to 16 - Is the containment Vented or does Isolation fail?

As will be seen in Section 4.11, there are a limited number of answers to each of these groups of questions, and only a few combinations of these groups out of the large number possible actually show up as dominant in the analysis. This is explained further in Section 4.11 in the process of delineating and quantifying the plant damage states.
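The sorting of cut sets into plant damage states described in Sections 4.5.1 and 4.5.2 can be sketched in Python; this is an added example, not code or data from the report. It assumes each answer is recorded as its numeric index in Table 4.5-1, and the cut set names, frequencies and answer vectors are constructed for illustration.

```python
from collections import defaultdict
from math import prod

# Number of allowed answers for Questions 1..16, counted from Table 4.5-1.
ANSWER_COUNTS = (6, 3, 2, 2, 2, 2, 3, 3, 4, 3, 4, 4, 4, 5, 5, 4)

# The seven logical groups of Section 4.5.2 as (label, first question, last question).
GROUPS = (
    ("initiating event", 1, 1),
    ("electric power", 2, 4),
    ("stuck-open SRV", 5, 5),
    ("high pressure systems", 6, 7),
    ("RCS depressurization", 8, 8),
    ("low pressure and decay heat removal", 9, 13),
    ("venting and isolation", 14, 16),
)


def total_combinations():
    """Upper bound on the number of PDSs: the product of the answer counts."""
    return prod(ANSWER_COUNTS)


def validate(vector):
    """Return a list of problems with a PDS vector; an empty list means usable."""
    if len(vector) != len(ANSWER_COUNTS):
        return [f"expected {len(ANSWER_COUNTS)} answers, got {len(vector)}"]
    problems = [
        f"Q{q}: answer {a} outside 1..{n}"
        for q, (a, n) in enumerate(zip(vector, ANSWER_COUNTS), start=1)
        if not 1 <= a <= n
    ]
    # Table 4.5-1 defines station blackout (Q3 = 1) as LOSP plus loss of all
    # DGs, so it cannot be combined with "No LOSP" (Q2 = 3). This is one
    # example of a "not logical" combination; an analyst would add more rules.
    if vector[2] == 1 and vector[1] == 3:
        problems.append("Q3 says station blackout but Q2 says no LOSP")
    return problems


def split_groups(vector):
    """Slice a valid vector into the seven groups of Section 4.5.2."""
    return {label: tuple(vector[first - 1:last]) for label, first, last in GROUPS}


def bin_cut_sets(cut_sets):
    """Sum cut set frequencies per unique PDS vector.

    Returns (frequency by vector, list of (cut set name, problems) rejected).
    """
    binned = defaultdict(float)
    rejected = []
    for name, frequency, vector in cut_sets:
        problems = validate(vector)
        if problems:
            rejected.append((name, problems))
        else:
            binned[tuple(vector)] += frequency
    return dict(binned), rejected


# Constructed sample data: names, frequencies (per year) and answers are
# illustrative only and are not results from the report.
SBO_VECTOR = (4, 2, 1, 2, 2, 1, 2, 1, 2, 2, 2, 2, 2, 1, 1, 1)
ATWS_VECTOR = (5, 3, 2, 2, 2, 1, 3, 2, 3, 3, 3, 3, 3, 1, 1, 1)
CUT_SETS = [
    ("CS-001", 2.0e-7, SBO_VECTOR),
    ("CS-002", 1.0e-7, SBO_VECTOR),
    ("CS-003", 5.0e-8, ATWS_VECTOR),
    # Blackout claimed without LOSP: rejected by validate().
    ("CS-004", 1.0e-8, (4, 3, 1, 2, 2, 1, 2, 1, 2, 2, 2, 2, 2, 1, 1, 1)),
]

if __name__ == "__main__":
    print(f"possible answer combinations: {total_combinations():,}")
    binned, rejected = bin_cut_sets(CUT_SETS)
    for vector, frequency in sorted(binned.items(), key=lambda kv: -kv[1]):
        print("".join(map(str, vector)), f"{frequency:.2e}", split_groups(vector))
    for name, problems in rejected:
        print("rejected", name, problems)
```

The product of the answer counts shows why enumerating every combination is impractical, while binning by the vectors that actually occur in the cut sets yields only as many states as the sequences produce.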
4.6 System Analysis

Section 4.6.1 provides an introduction to the system modeling performed in the Peach Bottom analysis. Sections 4.6.2 through 4.6.23 describe the modeling effort for each system. These subsections contain a system description, identification of interfaces and dependencies, discussion of operational constraints, a description of the models developed, specific assumptions used in modeling, and a discussion of any unique operational experience for each of the systems. Justification for those systems not modeled is presented in Section 4.6.24. The systems which were modeled in the Peach Bottom study are shown in Table 4.6-1. The nomenclature used to identify system failures is described in Section 4.6.25.

4.6.1 System Modeling Approach and Scope

System models were developed for each of the front line systems identified in the event tree headings and for all support systems required to operate the front line systems. Fault tree models were constructed for most of the systems using either detailed fault trees or simplified trees focusing on major failures. For those systems where fault tree models were not constructed, actual data could be used to represent the dominant failures of the systems (including interactions). For example, sufficient data exists to estimate the probability of loss of the power conversion system following a reactor trip without having to perform a fault tree analysis. These failure models were developed with top events corresponding to the success criteria used in the event tree analysis. Some systems have different success criteria in different circumstances and hence different top events. A few events in the event trees, such as the probability of a stuck-open valve, are single data values presented in the data section and hence are not discussed in this section.

Modeling of the systems was performed at the component level but with pipe segments, when deemed appropriate, indicated on the schematics. A pipe segment is a series collection of components within the system which could be modeled as one super-component or module independent from the rest of the system. The independent failure probability associated with a pipe segment could then be estimated as the sum of the individual failure probabilities of the components within the segment.

Operator actions in response to plant conditions were included in the models where specific procedures for these actions were available. Operator errors of commission were not included in the fault tree analysis. Recovery actions for each accident sequence are handled at the cut set level of analysis and are covered in Section 4.8.

Details of the modeling process and assumptions were made throughout the system analysis process. The assumptions about the specific systems are provided in the system write-ups. System schematics are provided for most of the systems analyzed. Figure 4.6.1-1 provides symbols and related abbreviations used in the schematics.
Table 4.6-1. Systems Included in the Peach Bottom Study

SYSTEM | TYPE OF MODEL
---|---
Actuation and Control (ESF) | Fault Tree
Automatic and Manual Depressurization (ADS) | Fault Tree
Condensate (CDS) | Fault Tree
Containment Spray (CSS) | Fault Tree
Control Rod Drive (CRD) | Fault Tree
Electric Power (ACP, DCP) | Fault Tree
Emergency Service Water (ESW) | Fault Tree
Emergency Ventilation (EHV) | Fault Tree
High Pressure Coolant Injection (HCI) | Fault Tree
High Pressure Service Water (HSW) | Fault Tree
Instrument Air (IAS) | Fault Tree
Low Pressure Coolant Injection (LCI) | Fault Tree
Low Pressure Core Spray (LCS) | Fault Tree
Primary Containment Venting (PCV) | Fault Tree
Reactor Building Cooling Water (RBC) | Fault Tree
Reactor Core Isolation Cooling (RCI) | Fault Tree
Shutdown Cooling (SDC) | Fault Tree
Standby Liquid Control (SLC) | Fault Tree
Suppression Pool Cooling (RHR/SPC) | Fault Tree
Turbine Building Cooling (TBC) | Fault Tree
Reactor Protection (RPS) | Data Value
Power Conversion (PCS) | Data Value
Figure 4.6.1-1. Symbols and Abbreviations Used in Schematics. (Symbol graphics not reproduced.)

Symbols defined: Normally Open Manual Valve; Normally Closed Manual Valve; Normally Open Motor Operated Valve; Normally Closed Motor Operated Valve; Motor Driven Butterfly Valve; Testable Check Valve; Normally Open Air Operated Valve; Normally Closed Air Operated Valve; Normally Closed Explosive Valve; Three Way Valve (any shaded portion of valve implies valve is normally closed to flow in shaded direction); (Safety) Relief Valve (Normally Closed); Check Valve; Motor Driven Check Valve; Heat Exchanger or Cooler; Motor Driven Pump; Turbine Driven Pump; Positive Displacement Pump; Heater; Spray Header; Orifice; Fan; Compressor; Tank; Reactor; Containment; Drywell; Suppression Pool; Fluid Line; Air Line; Duct Work; Diesel Generator; Charger; Battery; Inverter; Transfer Switch; Bus.

Abbreviations:
LO - Locked Open
LC - Locked Closed
NC - Normally Closed
NO - Normally Open
FC - Fails Closed
FO - Fails Open
4.6.2 Identification of Systems

The systems modeled in the Peach Bottom analysis were: Actuation and Control (ESF), Automatic and Manual Depressurization (ADS), Condensate (CDS), Containment Spray (CS), Control Rod Drive (CRD) -- (Enhanced and One Pump), Electric Power (ACP, DCP), Emergency Service Water (ESW), Emergency Ventilation (EHV), High Pressure Coolant Injection (HPCI), High Pressure Service Water (HPSW), Instrument Air/Nitrogen (IAS), Low Pressure Coolant Injection (LPCI), Low Pressure Core Spray (LPCS), Primary Containment Venting (PCV), Reactor Building Cooling Water (RBCW), Reactor Core Isolation Cooling (RCIC), Shutdown Cooling (SDC), Standby Liquid Control (SLC), Suppression Pool Cooling (SPC), Turbine Building Cooling Water (TBCW) and, as data values, the Reactor Protection System (RPS) and Power Conversion System (PCS).

4.6.3 Actuation and Control (Emergency Safeguard Features) System

4.6.3.1 ESF Description

The function of the ESF system is to initiate appropriate responses from various cooling systems so that the fuel is adequately cooled under abnormal or accident conditions. Only that equipment required for the initiation and control of HPCI, RCIC, Automatic Depressurization System (ADS), LPCS and LPCI (the major Emergency Core Cooling System [ECCS] equipment) were modeled. Any additional unique instrumentation and isolation features were modeled as part of the associated systems. Actuation of other systems are addressed in the individual write-ups.

The ESF system is automatically initiated. Manual actuation is provided in the control room so that operator action is possible if there is a deficiency in the automatic actuation of the equipment or to provide control over long term accidents.

The success criteria for the ESF system is actuation of the cooling systems in time to limit fuel cladding temperature to acceptable levels. The specific success criteria of the actuation circuits depend on the success criteria for the front-line systems they support. The response of the ESF systems is provided to the operator in the control room.

4.6.3.2 ESF Interfaces and Dependencies

A simplified dependency diagram of the HPCI, RCIC, ADS, LPCS and LPCI systems is provided by Figure 4.6.3-1. Shown are the major support needs for the systems as indicated by the solid diamonds. Specific actuation and control descriptions can be found in the individual system sections.
4.6.3.3 ESF Test and Maintenance

Testing requirements for actuation and control are addressed in the individual system sections.

4.6.3.4 ESF Technical Specifications

All technical specifications for actuation and control are addressed in the individual system sections.

4.6.3.5 ESF Logic Model

The ESF system was modeled using a fault tree for generation of all signals required to actuate HPCI, RCIC, ADS, LPCS and LPCI. The fault tree model is presented in Appendix B.

Three human errors were incorporated into the ESF fault tree model. These errors are: operator miscalibration of all reactor level sensors, operator miscalibration of all high drywell pressure sensors, and operator miscalibration of all reactor pressure sensors.

4.6.3.6 ESF Assumptions

(1) Testing usually places components in the "trip" state. Therefore test unavailability or failure to restore after testing are not considered.

(2) Maintenance unavailability and failure to restore are considered part of the system data values, therefore no new values were added to the data list.

4.6.3.7 ESF Operating Experience

Any peculiarities in the operational history of the ESF system are addressed in the individual system sections.
4.6.4 Automatic and Manual Depressurization System

4.6.4.1 ADS Description

The ADS is designed to depressurize the primary system to a pressure at which the low pressure injection systems can inject coolant to the reactor vessel (event tree nomenclature--X1, X2, X3).

The Automatic Depressurization fault tree (event tree nomenclature--X1) is used for the automatic or, if required, manual operation of the ADS system to depressurize the primary system. This allows the low pressure injection systems to be used to cool the core. The Manual Depressurization fault tree (event tree nomenclature--X2) is used exclusively for manual operation of the ADS/SRV system to depressurize the primary system. This allows the SDC mode of the Residual Heat Removal (RHR) system to be used. A data value is used for the event tree question, "Do the ADS/SRV valves reopen following containment failure or venting?" (event tree nomenclature--X3). This is strictly a survivability concern.

The ADS consists of five safety relief valves capable of being manually opened. Each valve discharges via a tailpipe line through a downcomer to the suppression pool. Relief valve capacity is approximately 820,000 lb/hr. A simplified schematic of the ADS is provided by Figure 4.6.4-1.

The ADS is automatically initiated. The operator may manually initiate the ADS or may depressurize the reactor vessel using the six relief valves that are not connected to ADS logic. The operator can inhibit ADS operation if a spurious ADS signal occurs or if the operator desires to do so (as in an Anticipated Transient Without Scram [ATWS] scenario).

The success criterion for the ADS is three of five valves opening to depressurize the reactor. For further information, refer to success criteria discussions in Section 4.4.

The ADS valves are located inside the containment. ADS performance is not normally affected by accident conditions since the equipment is qualified for accident conditions and the air/nitrogen supply pressure is judged to be sufficiently high to allow valve operation under most containment conditions. However, should containment pressure be excessively high (~85 psig or greater), the valves could not be kept open since the air/nitrogen supply pressure is limited to ~85 psig. This is based on discussions with Philadelphia Electric Company (PECO) personnel, who have indicated the supply is orificed to that limit.

4.6.4.2 ADS Interfaces and Dependencies

The ADS depends upon air/nitrogen and 125 VDC power sources. A simplified dependency diagram of the ADS is provided by Figure 4.6.4-2. Shown are the major support needs for the ADS as indicated by the solid diamonds.

Air/nitrogen pressure is used to open the ADS valves. Accumulators for each ADS valve contain enough pressure for approximately five valve operations. In addition to the accumulators, there is a nitrogen bottle supply that can be manually valved in and an additional outside hook-up capability to a nitrogen truck or other source.

ADS logic consists of two divisions. Power dependencies for each division are the 125 VDC/A bus as a primary source and the 125 VDC/B bus as a backup source. ADS valve power is from either 125 VDC/A (the primary DC supply) or 125 VDC/D (backup DC supply). ADS logic is failed if 125 VDC/A and the relay that switches power fail. However, each relief valve has its own relay that switches power for solenoid operation.

Automatic ADS initiation occurs upon receipt of a low-low reactor water level signal (with an eight-minute time delay), a low-low level and high drywell pressure signal with a two minute delay. Any of these must be concurrent with one LPCI or two LPCS pumps running, for ADS to work automatically.
Figure 4.6.4-2. Automatic and Manual Depressurization System Dependency Diagram. (Diagram not reproduced. Dependency diagram shown using failure logic.)
Low-low reactor water level sensors are shared with the LPCS and LPCI systems.

4.6.4.3 ADS Test and Maintenance

A simulated automatic actuation of the ADS is performed prior to startup after each refueling.

4.6.4.4 ADS Technical Specifications

If any one ADS valve is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that the HPCI system is operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.4.5 ADS Logic Model

The ADS was modeled using two fault trees for the depressurization of the reactor either automatically or manually (see Appendix B and the discussion in 4.6.4.1). Piping ruptures were considered to be negligible compared to other failures.

Four human errors were incorporated into the ADS fault tree model. These errors are (1) failure to valve in the backup nitrogen supply, (2) sensor miscalibration, (3) failure to manually depressurize, and (4) ADS inadvertently inhibited.

4.6.4.6 Assumptions in the ADS Model

(1) Although the random independent hardware failure of a significant number of either the ADS safety/relief valves or the non-ADS safety/relief valves is felt to be negligible compared to other system failures, an event for the hardware failures of these valves is included. Common mode failure of the valves is also included.

(2) Failure of the operator to manually initiate the ADS and/or to manually depressurize the reactor vessel in order to achieve low pressure core cooling, are felt to be strongly coupled and are assumed to be the same event.

(3) Failure of the accumulator is included in the undeveloped event representing ADS valve hardware failure.

4.6.4.7 ADS Operating Experience

Nothing was peculiar in the operational history of the ADS which would affect either system modeling or failure data.
4.6.5 Condensate System

4.6.5.1 CDS Description

The function of the CDS system is to take condensate from the main condenser and deliver it to the reactor at an elevated temperature and pressure (event tree nomenclature--V1).

The CDS system consists of the condenser hotwell, three condensate pumps, feedwater heaters and associated piping, valves, and controls. The condenser hotwell has a working capacity of approximately 100,000 gallons. The condensate pumps provide the required head to overcome the flow and static resistance of the condensate system, and provide excess over the suction pressure requirements of the feedwater pumps. The reactor vessel must be depressurized to approximately 600 psig in order to use condensate as an injection source without the use of the feedwater pumps. Injection to the reactor vessel is via the two feedwater lines. The CDS pumps have a 10,870 gpm rated flow head. A simplified schematic of the CDS system is provided by Figure 4.6.5-1.

The CDS system is normally running.

The success criteria for the CDS system is removal of decay heat (when the reactor has tripped). This can be sufficiently accomplished with only one pump train operational.

Virtually all of the CDS system is located in the turbine building.

4.6.5.2 CDS Interface and Dependencies

The CDS system requires offsite power, instrument air and TBCW for operation. A simplified dependency diagram is provided in Figure 4.6.5-2. Shown are the major support needs for the CDS system as indicated by the solid diamonds.

4.6.5.3 CDS Test and Maintenance

The CDS system has no special test and maintenance requirements.

4.6.5.4 Technical Specifications

The CDS system has no specific technical specifications.

4.6.5.5 CDS Logic Model

The CDS system was modeled using a fault tree for injection of water at an elevated temperature and pressure to the reactor vessel. The fault tree model representing the CDS system is presented in Appendix B. The fault tree has been simplified to cover only the major active components, interfaces and dependencies.

The CDS pumps, feedwater heaters and condenser hotwell were not explicitly modeled since the system is normally running and considerable
redundancy exists (only need one of three trains working for success). All of the equipment hardware has been lumped into one event. The model focuses on the loss of the support systems as the most likely reasons that CDS would be lost.

4.6.5.6 Assumptions

Only major active components (lumped into one event) and major dependencies were modeled. These were assumed to dominate system failure.

4.6.5.7 CDS Operating Experience

There was nothing peculiar in the operational history of the CDS system which would affect system modeling.

4.6.6 Residual Heat Removal: Containment Spray System

4.6.6.1 CS Description

The function of the CS system is to suppress pressure in the drywell during accidents (event tree nomenclature--W3). The CS system is but one mode of the RHR system and, as such, shares components with other modes.

The RHR system is a two-loop system consisting of motor-operated valves and motor-driven pumps. There are two pump/heat exchanger trains per loop, with each pump rated at 10,000 gpm with a discharge head of 540 feet. Cooling water flow to the heat exchanger shell side is considered required for the CS mode. The CS suction source is the suppression pool. A simplified schematic of the CS (RHR) system is provided in Figure 4.6.6-1. Major components are shown as well as the pipe segment definitions (e.g., PS-25) used in the system fault tree with the CS portion highlighted.

The CS system is manually initiated and controlled and would be used if the LPCI mode (see 4.6.14) is not simultaneously required (i.e., LPCI is the preferred mode of RHR in accident situations).

The success criterion for the CS system is injection of flow from any one pump/heat exchanger train to the spray ring. For further information, refer to success criteria discussions in Section 4.4.

Most of the CS system is located in the reactor building. Local access to the CS system could be affected by either containment venting or failure. Room cooling failure is assessed to fail the CS pumps in ten hours (see Section 4.6.6.6).

4.6.6.2 CS Interfaces and Dependencies

Each CS pump is powered from a separate 4160 VAC bus with control and actuation power being supplied by a separate 125 VDC bus. All pumps require pump cooling. For further information on pump cooling, refer to Section 4.6.9.8. Each loop's normally closed spray valves receive motive
power from one 480 VAC source. A simplified dependency diagram of the CS system is provided by Figure 4.6.6-2. Shown are the major support needs of the CS system as indicated by the solid diamonds.

Many components of the CS system are shared with the different modes of the RHR system. These commonalities are as follows: (1) the RHR pumps are common to the CS, SPC, LPCI, and SDC modes; (2) the suppression pool suction valve for each pump train is common to the CS, SPC, and LPCI modes; and (3) heat exchanger cooling is common to the CS, SDC, and SPC modes.

CS control circuitry is divided into two divisions. Division A is associated with control of components in Loop A, and Division B is associated with control of components in Loop B.

Reactor water level above the shroud (312 inches above vessel zero) and high drywell pressure (2 psig) permissive signals must be present before the CS system can be manually initiated. The water level signal can be overridden.

Although the CS has no isolation signals, there are permissives which will prevent the operation of certain components. CS pumps are demanded to stop or prevented from starting if the suppression pool suction valve or any of three SDC suction valves is not fully open.

4.6.6.3 CS Test and Maintenance

The CS surveillance requirements are the following: (1) pump operability--once/month, (2) MOV operability--once/month, (3) pump capacity test--once/three months, (4) simulated automatic actuation test--once/operating cycle, and (5) logic system functional test--once/six months.

4.6.6.4 CS Technical Specifications

Technical specifications exist based on sharing of the CS and LPCI modes. If any one LPCI pump or LPCI subsystem (i.e., loop A or B) is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that the remaining LPCI components and both loops of the LPCS system are operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.6.5 CS Logic Model

The CS system was modeled using a fault tree for pressure suppression in the drywell. The major active components were modeled for the CS system. The fault tree model representing the CS system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only piping with a diameter of greater than or equal to 1/3 of the main system piping was considered as a potential diversion path.

[Figure 4.6.6-2. Containment Spray System Dependency Diagram. The dependency diagram is shown using failure logic. Note (1): dependency not required during short term operation.]

Three human errors were incorporated into the CS fault tree model. These errors are failure of manual initiation, failure to override an erroneous shroud level permissive signal, and failure to properly restore key components following maintenance.

4.6.6.6 CS Assumptions

(1) Positions of all manual and motor-operated valves are indicated in the control room. Failure of these valves after testing and maintenance due to incorrect positioning is therefore felt to be negligible. The injection valves receive open signals on a real demand. Thus, unavailability from testing and failure to restore after testing is not important.

(2) During construction of the fault tree, it was necessary to determine which components could be taken out of service (OOS) for maintenance. It was assumed that maintenance would require components to be effectively removed from the system. Standard safety precautions of component isolation were used to decide which components could be taken OOS for maintenance while the plant was at power or normal operating pressure. The general guidelines used for component isolation were double blockage for high pressure piping or components and single blockage for low pressure piping or components.

(3) Pump isolation because of spurious signals is assumed to be negligible compared to other system faults.

(4) The CS control circuitry was not modeled at a great level of detail. Only elements which were felt to be potentially important were included in the fault tree model. Except for the shroud water level permissive, high drywell pressure permissive, pump power permissive, and pump suction source relay, the hardware failures of relays and permissives are grouped into one term. The initiating signal sensors and their support systems were explicitly modeled since they are shared between various ESF systems.

(5) Based on a PECO response, it is assessed that the CS pumps will fail because of insufficient Net Positive Suction Head (NPSH) once the suppression pool has reached saturated conditions.

(6) Diversion of flow to the suppression pool is felt to be negligible compared to other system failures.

(7) A suction path must be available from either the suppression pool or the SDC path to start a CS pump.

(8) Failure of the suppression pool because of random failure or the plugging of all its strainers is assumed to be negligible compared to other system failures.

(9) The unavailability of the CS pumps due to testing does not defeat a real demand from operating the system. Therefore, it was not considered. Failure to restore the CS pumps after testing does not apply.

(10) Failure of room cooling (if not recovered) is assessed to fail CS in ten hours. This is based on utility calculations [52] which demonstrate that for approximately 50 hours or more without room cooling, operability is expected even with continuous pump operation. The ten hour CS failure value was chosen to be consistent with the general assumptions made for HPCI and RCIC (see Section 4.6.11). It is believed to be a conservative value.

4.6.6.7 CS Operating Experience

Nothing was peculiar in the operational history of the CS system which would affect either system modeling or failure data.

4.6.7 Control Rod Drive System--Enhanced and One Pump

4.6.7.1 CRD Description

The CRD system was modeled as a backup source of high pressure injection, event tree nomenclature--U3 (CRD Enhanced Mode--2 pumps required) and U4 (CRD--1 pump required).

The CRD pumps take suction from the condenser hotwell in the Condensate system or the Condensate Storage Tank (CST). A flow control station is installed downstream of the tap from the Condensate system and ties into the CRD pump suction line before the CRD suction filter. The flow control station will divert 250 gpm from the Condensate system. This will supply the CRD system with the remainder of the water being passed on to the CST. In the event that flow from the Condensate system is interrupted, the CST provides a backup source of water to ensure CRD system operability without operator action being required. A simplified schematic of the CRD system is provided by Figure 4.6.7-1.

The CRD pumps, together, can achieve a flow rate of approximately 210 gpm with the reactor fully pressurized and approximately 300 gpm with the reactor depressurized. Two discharge paths are provided for the CRD pumps. One discharge path is through an air-operated valve control station. When instrument air is lost, this path is closed. With both CRD pumps running and the reactor at nominal pressure, the second discharge path restricts flow, by means of an orifice, to approximately 180 gpm.

Normally one CRD pump is running, with the suction and discharge valves to the standby pump closed. Should the operator be required to realign the CRD system as a sole source of early high pressure injection, the standby CRD pump must be placed into operation to achieve sufficient flow to the reactor vessel.
In general, the CRD success criteria (as a sole injection source to the reactor) requires both pumps running and one of the two discharge paths available. If some other injection system has been operating successfully for ~6 or more hours following an initiator the CRD success criteria changes to one pump running and one of two discharge paths available. For further information, refer to success criteria discussions in Section 4.4.

Most of the CRD system (except for piping and a few valves) is located in the turbine building. Any physical impact of accident conditions on the ability of the CRD system to perform its function would be minimal. Since the system is located in a large open area, room cooling failure is not applicable to the CRD pumps.

4.6.7.2 CRD Interfaces and Dependencies

CRD Pump A is powered from 4160 VAC/A with control and actuation power supplied by 125 VDC/A. CRD Pump B is powered from 4160 VAC/D with control and actuation power supplied by 125 VDC/D. A simplified dependency diagram of the CRD system is provided by Figure 4.6.7-2. Shown are the major support needs for achieving full flow operation of the CRD system as indicated by the solid diamonds.

The CRD pumps receive no automatic initiation signals.

The CRD pumps are normally cooled by the TBCW system. If the TBCW is lost, cooling is performed by the RBCW system, which is automatically or manually transferred.

4.6.7.3 CRD Test and Maintenance

No specific CRD (in the high pressure injection mode) test and maintenance requirements are identified in the Peach Bottom technical specifications.

4.6.7.4 CRD Technical Specifications

No reference is made to the CRD high pressure injection mode in the Peach Bottom technical specifications.

4.6.7.5 CRD Logic Model

The CRD system was modeled using two fault trees for its high pressure injection mode. The enhanced mode fault tree has as its success criteria both pumps working. The success criteria for the one pump operation fault tree is one pump operational after ~6 or more hours.

Piping ruptures were considered to be negligible compared to other system failures. Only piping with a diameter of greater than or equal to one third of the main system piping was considered as a potential diversion path.
4.6.7.6 CRD Assumptions

(1) Pipe segments less than one third of the main system pipe diameter are not considered to be diversion paths.

(2) The orificed discharge path provides sufficient flow for successful high pressure injection as evidenced by the LTAS computer runs for Peach Bottom (see Appendix A).

(3) The test mode of the CRD system would place the system in a "run" configuration. Therefore, the unavailability of the system from testing is inapplicable. The same reasoning applies for a failure to restore the system after testing.

(4) The position (open or closed) of the train B valves do not affect a failure to restore the system after maintenance. However, maintenance staff could leave a breaker out of the circuit thereby defeating Pump B's ability to start. This has been addressed in the fault tree.

4.6.7.7 CRD Operating Experience

Nothing was peculiar in the operational history of the CRD system which would affect either system modeling or failure data.

4.6.8 Electric Power System

4.6.8.1 EPS Description

The EPS is designed to provide a diversity of dependable power sources which are physically isolated from each other. The Peach Bottom station receives power from two separate offsite sources. If both offsite sources are lost, auxiliary power is supplied to both Unit 2 and Unit 3 from four onsite diesel generators shared between the two units. Loads important to plant safety are split and diversified. Station batteries provide control power for specific engineered safeguards and for other required functions when AC power is not available. A simplified schematic of the EPS is provided by Figure 4.6.8-1.

Each diesel generator unit consists of a diesel engine, a generator, and the associated auxiliaries mounted on a common base. The continuous rating of the diesel generators is 2600 kW. The engine is rated for a ten percent overload for any two of every twenty-four hours.

There are two independent 125/250 VDC systems or divisions per unit. Each division is comprised of two 125-V batteries, each with its own charger (i.e., each unit has four 125-V batteries). Each 125-V battery is a lead-calcium type with 58 cells. The chargers are full wave, silicon-controlled rectifiers. The two batteries for each unit are redundant. Loads are diversified between these systems so that each system serves loads which are identical and redundant. Power for larger
loads, such as DC motor-driven pumps and valves, is supplied at 250-V from two 125-V sources. Selected batteries from Unit 2 and from Unit 3 are needed to start Diesel Generators 1, 2, 3 and 4, respectively.

Each standby diesel generator automatically starts. The diesel generator may be stopped by the operator after determining that continued operation of the diesel is not required.

Most of the EPS is located in the diesel building and in compartmentalized rooms within the reactor building. Any physical impact of accident conditions on the ability of the EPS to perform its function would be minimal. It is assumed that room cooling is not required for the AC switchgear or DC battery rooms since the heat loads are small and no sizeable heat loads are near these rooms. Diesel generators are assumed to fail in less than 30 minutes without room cooling although it is recognized that diesel performance would degrade before actual failure of the diesel and provide a warning to the operators that a problem existed. Possible recovery actions (by opening doors) could therefore take place.

Complete failure of the EPS would cause a station blackout. After a total loss of AC power, DC-driven components could operate until the station batteries are depleted (estimated at about 12 hours based on PECO input, see Section 4.12).

4.6.8.2 EPS Interfaces and Dependencies

Each standby diesel generator automatically starts on total loss of offsite power, low reactor water level, or high drywell pressure coincident with low reactor pressure. Two sources of offsite power are available to each 4-kV emergency bus. The failure of one offsite power source results in the automatic transfer to the other offsite source. When the diesel generators are demanded, essential loads are automatically sequenced onto the emergency bus. Nonessential 480 V loads are prevented from being automatically sequenced.

Each diesel generator can be started locally, but can be electrically connected to its bus only from the main control room. A simplified dependency diagram of the EPS is provided by Figure 4.6.8-2. Shown are the major support needs of the EPS as indicated by the solid diamonds.

The diesel generator circuit breaker is tripped by protective devices under the following abnormal conditions: (1) engine overspeed, (2) jacket coolant high temperature, (3) jacket coolant low pressure, (4) lube oil high temperature, (5) lube oil low pressure, (6) crank case high pressure, (7) after-cooler coolant low pressure, (8) fuel oil low pressure, and (9) carbon dioxide fire extinguishing system discharge. Protective tripping of the diesels is announced in the main control room and locally at the unit. A two-out-of-three tripping logic prevents spurious trips of the diesels. These protective trips are overridden on a Loss of Coolant Accident (LOCA) signal.

Both the control and power battery systems operate ungrounded, with a ground detector alarm in the main control room.
4.6.8.3 EPS Test and Maintenance

When it is determined that one diesel generator is inoperable, the other diesel generators are to be demonstrated operable immediately and daily thereafter.

The diesel generators are tested by starting each generator every week. During these tests the starting air compressor, diesel fuel oil transfer pumps, and diesel starting time are checked. The diesel is started and brought up to full speed while isolated from its loads. Since the auto sequencing is turned off during the test, and so would not automatically operate, test unavailability was modeled. Once per operating cycle, the condition under which the diesel generator is required will be simulated. This test demonstrates that the diesel will start and accept the emergency load within a specified time sequence. Each diesel generator is given an annual inspection in accordance with instructions based on the manufacturer's recommendations.

Unit batteries' specific gravity, voltage and temperature of the pilot cell, and overall battery voltage are measured weekly. Every three months, the voltage and specific gravity of each cell are checked while the battery is still floating on the bus. This test also includes temperature measurement of at least every fifth cell. Once per operating cycle, unit batteries are load discharge tested. Experience at Peach Bottom demonstrates that battery checks are staggered using different personnel to examine redundant battery trains.

4.6.8.4 EPS Technical Specifications

During any period when one diesel generator is inoperable, continued reactor operation is permissible for seven days if the remaining diesel generators are operable. If this requirement is not met, the reactor is to be placed in a cold shutdown condition within twenty-four hours. During any period when one 125-V battery system is inoperable, continued reactor operation is permissible during the succeeding three days.

The reactor cannot be taken critical unless all of the following conditions are satisfied: (1) both offsite sources and startup transformers are available and capable of automatically supplying power to the 4-kV emergency buses, (2) the 4 diesel generators are operable with a minimum of 104,000 gallons of diesel fuel on site, (3) the 4-kV emergency buses and the 480 V emergency load centers are energized, and (4) the 125-V batteries and their chargers are operable.

4.6.8.5 EPS Logic Models

The EPS was modeled using fault trees for its AC and DC power portions. Only the major buses and power sources were modeled in the fault trees.

One human error, failure to restore the diesel systems after test or maintenance, was incorporated into the fault tree model. Human/EPS interactions were considered part of the recovery analysis. The fault tree model representing the EPS is presented in Appendix B.
4.6.8.6 EPS Assumptions

(1) A simplified lumped AC model is used. This is judged to be adequate since the failure of all AC buses is dominated by diesel generator failures.

(2) All valves powered from 480 V Motor Control Center (MCC) buses take their control power from the 120 V control bus associated with the same MCC bus.

(3) No safety load is connected to 120 VAC Buses 20Y33, 20Y34, 20Y35, 20Y50, and 00Y03 with the exception of accident monitoring sensors. The accident monitoring sensors are powered by 24 VAC buses.

(4) If an AC bus from Unit 3 is used by modeled equipment, the comparable bus from Unit 2 is used instead. Since the same diesel generator feeds the same emergency AC buses of both units, it is very likely that failure of one bus in Unit 3 is followed by failure of the similar bus in Unit 2.

(5) If a DC bus from Unit 3 supplies modeled equipment, the battery is assumed to be the sole source of power for that component.

(6) Short circuit faults and the potential effects of fault propagation are not modeled.

(7) Loss of ventilation can affect the diesel generators, but not the emergency switchgear or batteries as previously indicated.

(8) Unavailability of the diesels during tests is based on engineering judgment assuming that the diesels are unavailable approximately one hour during each test and that each diesel experiences an average of twenty tests per year.

4.6.8.7 EPS Operating Experience

The operational history of the Peach Bottom diesel generators justifies using plant specific failure data. In particular, operational data since 1980 indicate the diesels at Peach Bottom are achieving a much better reliability than the industry average.

4.6.9 Emergency Service Water System

4.6.9.1 ESW Description

The function of the ESW system is to provide a reliable supply of cooling water to selected equipment during a loss of offsite power.

The ESW system is common to both Units 2 and 3. The system has two full capacity pumps installed in parallel. The normal water supply to the
suction of the ESW pumps is from Conowingo pond. The pump discharge consists of two headers with service loops to the diesel-engine coolers and selected equipment coolers. The modeled components supplied with cooling water are the LPCS pumps and pump room coolers, the RHR pumps and pump room coolers, the HPCI pump room cooler, and the RCIC pump room cooler. Valves in the supply headers provide loop isolation. A common discharge header directs effluent to Conowingo pond. A simplified schematic of the ESW system is provided by Figure 4.6.9-1. Major components are shown as well as the pipe segment definitions (e.g., PS-8) used in the system fault tree.

The ESW pumps are vertical, single-stage, turbine types with an 8000 gpm capacity. Their normal discharge head is 96 ft and their shutoff head is 132 ft.

The cooling for all modeled equipment, with the exception of the diesel generator coolers, is normally provided by the Normal Service Water (NSW) system which operates on offsite AC power only.

Should the preferred flow paths described above be unavailable or the bay level preclude normal flow path operation, the ESW system may also be operated in conjunction with the Emergency Heat Sink (EHS) in a closed or open loop fashion. In the closed loop mode, two ESW booster pumps take return water from various coolers, boost it in pressure, and deliver the water to the emergency cooling tower structure. The booster pumps are horizontal split types, with 8000 gpm flow at a head of 100 psig. One Emergency Cooling Water (ECW) pump then takes suction from the cooling tower structure. It delivers water through a motor-operated gate valve to the ESW heat loads. The ECW pump and motor are identical to those of the ESW pumps. The only difference between the ECW pump and the ESW pumps is pump column length. While the booster pumps would normally be used in this mode, they are not required since it has been demonstrated by recent tests that booster pump failure will not fail the cooling function of the ESW. In the open loop mode, the ECW pump delivers water from the cooling tower structure, through the ESW loads, and back to the bay. There is sufficient water supply in the cooling tower structure to last for days; hence the open loop mode is considered a success path.

Upon system automatic initiation, the operator checks discharge pressure for the two primary ESW pumps. If discharge pressure appears normal, the operator turns off one ESW pump at his discretion (i.e., he may not do this right away, but instead shut the pump off some time later). He also shuts down the ECW pump (the ECW pump also has an automatic trip in ~45 seconds if the discharge pressure is adequate). At some later time, if the operating ESW pump trips and the standby ESW pump fails to start, the operator must manually start the ECW pump. In the EHS closed loop mode, cooling tower fans must be manually started.

The success criterion for the ESW system is either of the ESW pumps or the ECW pump supplying cooling water to system heat loads.

Most of the ESW system is located in pump rooms external to the reactor and turbine buildings. Any physical impact of accident conditions on the
ability of the ESW system to perform its function would be minimal. Room cooling failure is assumed not to fail the ESW pumps, ESW booster pumps, and ECW pump.

Failure of the ESW system would quickly fail operating diesel generators and potentially fail the LPCS pumps and RHR pumps. The HPCI pumps and RCIC pumps would fail by a loss of their room cooling ten hours after a loss of the ESW system if other recovery actions were not taken.

4.6.9.2 ESW Interfaces and Dependencies

The ECW pump, ESW booster pumps, and ESW pumps are all self-cooled. ESW pump A and ESW booster pump A are powered from 4160 VAC/B with control and actuation power supplied by 125 VDC/B. ESW pump B and ESW booster pump B are powered from 4160 VAC/C with control and actuation power supplied by 125 VDC/C. The ECW pump is powered from 4160 VAC/D with control and actuation power supplied by 125 VDC/D. A simplified dependency diagram of the ESW system is provided by Figure 4.6.9-2. Shown are the major support needs for the ESW system as indicated by the solid diamonds.

Cooling tower fans are shared with the HPSW system. These fans are used in the EHS closed loop mode should the normal bay level be either too high or too low.

Both ESW pumps and the ECW pump start on a diesel start signal or a LOCA signal (low water level/high drywell pressure). If all three pumps start successfully, the operator will shut off one ESW pump and the ECW pump will automatically shut down as described above. If the running ESW pump fails, the other ESW pump will receive an auto start signal on low discharge pressure. When both an ESW pump low discharge pressure signal and a diesel generator auto start signal occur, after a 30 second delay, the ECW pump discharge valve MV0841 opens.

For the closed loop mode, if an emergency cooling tower fan fails to start or trips on high vibration, its associated inlet valve automatically closes. High vibration alarms actuate in the control room.

4.6.9.3 ESW Test and Maintenance

The ESW system is tested once every three months as follows: (1) pump operability--the pump is manually started and flow capability checked and (2) valve operability--the automatic valves are stroked individually from their control switches. The associated pump room fans are tested for operability every three months. The ECW pump, ESW booster pumps and emergency cooling tower fans are tested once per operating cycle to verify operability. Because of diesel generator test requirements, the ESW system is realistically tested more often (~weekly).
Figure 4.6.9-2. Emergency Service Water System Dependency Diagram. (Diagram not reproduced. Labels recoverable from the diagram: ESW pump A, ESW pump B, and, under the emergency heat sink mode, EHS fans (1), EHS booster pumps A and B (2), and the ECW pump, set against 125 V DC power, AC power, and actuation (ESW, manual). The dependency diagram is shown using failure logic. (1) EHS closed loop mode only. (2) Not really required to operate; shown for information only.)
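The bus assignments in Section 4.6.9.2 can be checked for shared-support weaknesses by expanding them into minimal cut sets. The Python sketch below is an added example, not the report's Appendix B fault tree: the top event (both ESW pumps and the ECW path unavailable), the "-HW" hardware events, and the optional rule that the ECW path needs at least one ESW booster pump (borrowed from the operability condition in Section 4.6.9.4, while the dependency diagram marks the boosters as shown for information only) are assumptions, and cooling tower fans are left out.

```python
"""Minimal cut sets for a simplified ESW fault tree (added illustration)."""
from itertools import product

# Support buses per component, as stated in Section 4.6.9.2 (AC bus, DC bus).
SUPPORT = {
    "ESW-PUMP-A":    ("4160VAC/B", "125VDC/B"),
    "ESW-BOOSTER-A": ("4160VAC/B", "125VDC/B"),
    "ESW-PUMP-B":    ("4160VAC/C", "125VDC/C"),
    "ESW-BOOSTER-B": ("4160VAC/C", "125VDC/C"),
    "ECW-PUMP":      ("4160VAC/D", "125VDC/D"),
}


def fails(component):
    """OR gate: own hardware fault (hypothetical '-HW' event) or loss of a support bus."""
    return ("OR", component + "-HW", *SUPPORT[component])


def top_event(ecw_needs_booster):
    """ASSUMED top event: ESW pump A, ESW pump B and the ECW path are all lost.

    With ecw_needs_booster=True the ECW path also fails when both booster
    pumps are lost (assumption taken from the Section 4.6.9.4 operability rule).
    """
    ecw_path = fails("ECW-PUMP")
    if ecw_needs_booster:
        both_boosters = ("AND", fails("ESW-BOOSTER-A"), fails("ESW-BOOSTER-B"))
        ecw_path = ("OR", ecw_path, both_boosters)
    return ("AND", fails("ESW-PUMP-A"), fails("ESW-PUMP-B"), ecw_path)


def minimize(sets):
    """Absorption: drop every cut set that strictly contains another one."""
    sets = set(sets)
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Top-down expansion of an AND/OR tree into minimal cut sets."""
    if isinstance(node, str):            # basic event
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":                     # any child's cut set fails the gate
        merged = set().union(*child_sets)
    elif gate == "AND":                  # one cut set from every child is needed
        merged = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(merged)


def support_only(mcs):
    """Cut sets made up purely of support-bus losses (no '-HW' events)."""
    return {s for s in mcs if not any(event.endswith("-HW") for event in s)}


if __name__ == "__main__":
    for flag in (False, True):
        mcs = cut_sets(top_event(flag))
        print(f"ECW path needs a booster pump: {flag} -> {len(mcs)} minimal cut sets")
        for cs in sorted(support_only(mcs), key=lambda s: (len(s), sorted(s))):
            print("   support-only:", " + ".join(sorted(cs)))
```

Under the booster assumption the smallest cut sets shrink from three events to two, and none of the two-event sets involves division D: losing one division B bus and one division C bus is enough, even though the ECW pump itself is fed from division D.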
4.6.9.4 ESW Technical Specifications

The ESW system shall be operable at all times when the reactor coolant temperature is greater than 212°F. If two ESW pumps become inoperable, the reactor may remain in operation for a period not to exceed one month. To consider the ECW pump operable as an equivalent ESW pump, at least one ESW booster pump and two emergency cooling tower fans must be operable. To consider the ESW pump operable, the associated pump room fans must be available for normal operation except that (1) one pump room supply and/or exhaust fan for each compartment may be out of service for one month or (2) temporary fans may be used in place of permanently installed fans to provide room temperatures of less than 120°F.

4.6.9.5 ESW Logic Models

The ESW system was modeled using fault trees for both its normal heat removal mode and its EHS open loop mode. The EHS closed loop mode was not modeled. The major active and some passive components were modeled for the ESW system. The fault tree model representing the ESW system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only piping with a diameter of greater than or equal to one third of the main system piping was considered as a potential diversion path.

Two human errors were incorporated into the ESW fault tree model. These errors are (1) operator failure to restart the ECW pump should the preferred path have a delayed failure and (2) operator failure to restore equipment properly after maintenance.

4.6.9.6 ESW Assumptions

(1) The ESW pumps do not require room cooling. These pumps, which are pumping cold water, are located in the service water pump structure which is a large building. By opening the door (which is not likely to be required) adequate cooling can be provided.

(2) The cross-tie valves between the two ESW pumps are not modeled. Each pump feeds into a common header; therefore, the cross-tie does not have significant impact on the dominant failure modes of the system. The only time the cross-tie is important is when manual valve 507A plugs and ESW Pump B (OBP57) fails or manual valve 507B plugs and ESW Pump A (OAP57) fails. These failures are judged to be negligible compared to the failure of both pumps.

(3) Diesel generator EDGA, EDGB, EDGC and EDGD jacket cooling failures, by means of one header failing because of valve plugging and the other because of ESW pump failure, are not modeled. This simplification was made since the likelihood of a manual valve's plugging and a pump's failing is insignificant compared to two pump failures.

(4) A system initiation signal starts both ESW pumps and the ECW pump. The operator shuts off one ESW pump and the ECW pump after checking discharge pressure. Failure of the operator to trip the two pumps is not considered a system failure mode.

(5) Cooling for the ECCS pump rooms is provided by fan cooling units. Operation of both the fan and coolant flow through the coil is needed for cooling the room.

(6) All of the air-operated valves in the ESW system fail open on loss of air.

(7) Both fan-coil units for each pump room receive the same operational signal and are supplied from the same power source.

(8) Test unavailability or failure to restore following test are not considered for the ESW system. Tests of the system typically involve simple start-up of the equipment such that little reconfiguration of the system has to be performed.

(9) No need for makeup is modeled for the EHS mode. This assumption is made because the amount of evaporation in the emergency cooling towers is expected to be low.

(10) Plugging of the strainers in the service water pump bay is considered insignificant. Since the NSW pumps are normally operating in the same bay, plugging of strainers would be easily detected prior to ESW operation. Plugging of strainers during ESW operation is considered very small since it would have to happen within minutes. After a few minutes, the EHS mode may be initiated.

(11) Closure of valve MV-0498 is virtually never expected. The valve has been placed in the open position with its wiring removed so that water flow will always be in the open loop mode.

4.6.9.7 ESW Operating Experience

Nothing was peculiar in the operational history of the ESW system which would affect either system modeling or failure data.

4.6.9.8 ESW Special Issues

There is one controversial issue regarding the need for ESW. That issue involves whether or not the LPCS/RHR pumps really require ESW cooling. PECO has stated that these pumps are designed to operate with working fluid temperatures approaching 160°F without pump cooling. This implies that in scenarios where the ESW system has been lost, these pumps could still operate; some RHR pumps would be placed in the suppression pool cooling mode and therefore keep the working fluid at less than 160°F. It is felt that there is significant validity to these arguments. However, because it is uncertain whether the suppression pool water can be maintained below 160°F in some sequences and whether PECO has properly accounted for pump heat addition to the system, the base case analysis assumes these pumps will fail upon loss of ESW cooling.

4.6.10 Emergency Ventilation System

4.6.10.1 EVS Description

The objective of the EVS is to maintain suitable temperatures in equipment rooms to preclude component failures. The EVS cools the following: (1) standby diesel generator rooms, (2) pump structure service water pump rooms, and (3) pump rooms for the RHR, RCIC, HPCI and LPCS pumps. The pump rooms use small individual fan coolers in each room. A simplified schematic of the EVS is provided by Figure 4.6.10-1. Major components are shown as well as the pipe (duct) segment definitions (e.g., PS-4) used in the system fault tree.

The service water pumps, emergency switchgear, and battery rooms are assumed not to require room cooling. Pump room cooling loss for the RHR, RCIC, HPCI, and LPCS pumps is incorporated into the ESW and individual system models. Therefore, the EVS system model does not include ESW, RHR, RCIC, HPCI, and LPCS pump room cooling.

Each standby diesel generator room is provided with ventilation air supply fans and an exhaust relief damper. Diesel generator room cooling requires operation of one of two supply fans.

Any physical impact of accident conditions on the ability of the EVS to perform its function would be minimal. It is estimated that failure of the EVS would fail operating diesel generators in less than 30 minutes. In actuality, the diesel may not fail, but a load drop is still likely.

4.6.10.2 EVS Interfaces and Dependencies

The standby diesel generator room fans are powered from their respective diesels. A simplified dependency diagram of the EVS is provided by Figure 4.6.10-2. Shown are the major support needs for the EVS as indicated by the solid diamonds.

Diesel Generator Room Fans 7, 9, 11, and 13 outside air supply dampers, AV25, AV28, AV31, and AV34, open on 65°F fan discharge temperature and fail open on a loss of instrument air. Diesel Generator Room Fans 7, 9, 11, and 13 room air supply dampers, AV26, AV29, AV32, and AV35, close on 65°F fan discharge temperature and fail closed on a loss of instrument air. Dampers AV27, AV30, AV33, and AV36 open on Fans 7, 9, 11, and 13 starting signals, respectively, and fail open on a loss of instrument air.

Fans 7, 9, 11, and 13 automatically start on a diesel generator actuation signal. Fans 8, 10, 12, and 14 automatically start on an automatic start signal of Fans 7, 9, 11, and 13, respectively. Diesel generator room supply fans trip on a carbon dioxide discharge signal except when a LOCA signal is already present.
4.6.10.3 EVS Test and Maintenance

No specific EVS test and maintenance requirements are identified in the Peach Bottom technical specifications.

4.6.10.4 EVS Technical Specifications

No reference is made to the EVS in the Peach Bottom technical specifications.

4.6.10.5 EVS Logic Models

The EVS was modeled using a fault tree. The major active and some passive components are shown as duct segments which were defined for the EVS. The fault tree model representing the EVS is presented in Appendix B.

Duct ruptures were considered to be negligible compared to other system failures.

One human error was incorporated into the EVS fault tree model. This error is failure to properly restore equipment following maintenance.

4.6.10.6 EVS Assumptions

(1) EVS failure is dominated by failure of fans and failure of closed dampers to open when demanded.

(2) Testing unavailabilities are negligible since tests include simple startup of the system.

4.6.10.7 EVS Operating Experience

Nothing was peculiar in the operational history of the EVS which would affect either system modeling or failure data.

4.6.11 High Pressure Coolant Injection System

4.6.11.1 HPCI Description

The function of the HPCI system is to provide a makeup coolant source to the reactor vessel during accidents in which system pressure remains high (event tree nomenclature--U1).

The HPCI system consists of a single train with motor-operated valves and a turbine-driven pump. Suction is taken from either the CST or the suppression pool. Injection to the reactor vessel is via a feedwater line. The HPCI pump is rated at 5000 gpm flow with a discharge head of 1135 psig. A simplified schematic of the HPCI system is provided by Figure 4.6.11-1. Shown are major components that were modeled in the system fault tree.

The HPCI system is automatically initiated and controlled. Operator intervention is required as follows: (a) to prevent either vessel
overfill if high level sensor failures occur, or continuous system trip/restart cycles, (b) to manually start the system given an auto-start failure, and (c) to set up the system for continuous operation under long-term station blackout conditions.

The success criterion for the HPCI system is injection at rated flow to the reactor vessel. For further information, refer to success criteria discussions in Section 4.4.

Most of the HPCI system is located in a separate room in the reactor building. Local access to the HPCI system could be affected by either containment venting or containment failure should steam be released to the reactor building area. Room cooling failure is estimated to fail the HPCI pump in ten hours (see Section 4.6.11.6).

4.6.11.2 HPCI Interfaces and Dependencies

The HPCI system major dependencies are DC power for short term and long term operation and room cooling for long term operation. Although there are AC-powered motor-operated valves, these valves are not required to change state during normal system operation since they are only used to isolate the system. A simplified dependency diagram of the HPCI system is provided by Figure 4.6.11-2. Shown are the major support needs for the HPCI system as indicated by the solid diamonds.

The HPCI system requires both 250 VDC/B and 125 VDC/B. 125 VDC/B is used for actuation and control power while an injection and a supply valve are powered from 250 VDC/B.

The HPCI and RCIC systems share a common CST suction valve. This is a normally open manual valve and is identified as XV-1 on the HPCI schematic. Failure of this valve will fail the CST as a suction source to both the HPCI and RCIC systems.

Upon system actuation, HPCI injection valves receive a signal to open and HPCI test valves receive a signal to close. The HPCI system is automatically initiated on the receipt of either a high drywell pressure (2 psig) or low reactor water level (490 inches above vessel zero) signal. The low reactor water level sensors are shared with the RCIC system.

The CST is the initial suction source for the HPCI system. Suction is automatically switched to the suppression pool upon either low CST level or high suppression pool level. Automatic switchover will not occur if there is an automatic isolation signal present. The CST suction valve does not close until both of the suppression pool suction valves are fully open.

The HPCI system is automatically isolated by high steam line space temperature, steam line high differential pressure (dP), or high turbine exhaust pressure (150 psig). Both the high temperature and high dP signals are used to detect a steam line break.
The HPCI turbine trips on high exhaust pressure, high reactor water level, low pump suction pressure, low steam pressure, or an auto isolation signal.

4.6.11.3 HPCI Test and Maintenance

The HPCI system surveillance requirements are the following: (1) pump operability--once/month, (2) motor-operated valve operability--once/month, (3) pump capacity test--once/three months, (4) simulated automatic actuation test--once/operating cycle, and (5) logic system functional test--once/six months.

4.6.11.4 HPCI Technical Specifications

If the HPCI system is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that the ADS, RCIC, LPCI system, and both loops of the LPCS system are operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.11.5 HPCI Logic Model

The HPCI system was modeled using a fault tree for the injection of coolant to the reactor vessel. The major active components were modeled for the HPCI system. The fault tree model representing the HPCI system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only the piping with a diameter of greater than or equal to one third of the main system piping was considered as a potential diversion path.

The gland seal condensate pump and the gland seal vacuum pump were not modeled since their operation is not essential to system operation.

Six human errors were incorporated into the HPCI fault tree model. These errors are (1) failure to trip the HPCI system and realign its suction source on low suction pressure, (2) failure to realign the suction source for the HPCI and RCIC systems in other circumstances, (3) failure to control HPCI flow (reactor level), (4) failure to manually back up automatic HPCI actuation, (5) miscalibration of CST level sensors, and (6) miscalibration of certain ESF sensors.

4.6.11.6 HPCI Assumptions

(1) The HPCI test return lines were not considered as potential diversion paths because the probability of two normally closed Motor Operated Valves (MOVs) failing to prevent flow was felt to be negligible compared to other system faults.
(2) Failure of the system to isolate given certain conditions was not considered since the system is effectively "non-operational." These conditions are: (a) high steam line space temperature, (b) high steam line dP, (c) low steam pressure, (d) high steam line exhaust pressure, and (e) manual isolation.

(3) Failure of the minimum flow line to open does not constitute system failure since the time between pump start and opening of the injection valve is small.

(4) The gland seal condensate pump and vacuum pump are not necessary for system operation. Therefore, their failures were not modeled.

(5) Spurious signals are felt to be negligible compared to other system failures because of their low probability of occurrence.

(6) The HPCI system is estimated to fail in a non-recoverable state if it fails to trip on low suction pressure or high reactor water level because of expected damage to the pump or turbine.

(7) HPCI pump bearing cooling fails if pump suction is from the suppression pool and the working fluid temperature reaches between 210 and 260°F. In the analysis, this was nominally assumed to occur at 250°F without any uncertainty in order to facilitate the analysis. Therefore, the uncertainty in the results does not reflect the temperature range over which failure might occur.

(8) The HPCI turbine auxiliary oil pump, stop valve, and governor valve failures were included in turbine failure data.

(9) System failure because of valves being left in the wrong position after test or maintenance is felt to be small compared to other system faults. The position of key manual valves and MOVs is indicated in the control room and the MOVs receive signals to realign on an actual demand. System operation must be assured of valve positions before startup of the plant following shutdown and concurrent maintenance activities. In addition, PECO maintains a control log of all "locked" valves in the plant to assure their correct position.

(10) Testing of TCV18 (PS-9) will not prevent flow from reaching the reactor vessel should a real demand occur.
(11) During construction of the fault tree, it was necessary to determine which components could be taken OOS for maintenance. It was assumed that maintenance would require components to be effectively removed from the system. Standard safety precautions of component isolation were used to decide which components could be taken OOS for maintenance while the plant was at power or normal operating pressure. The general guidelines used for component isolation were double blockage for high pressure piping or components and single blockage for low pressure piping or components.

(12) An event for depletion of the CST was included for those cases where HPCI and/or RCIC operation was judged to be sufficiently long.

(13) Failure of the suppression pool by random failure or the plugging of its strainers is felt to be negligible compared to other system failures.

(14) If the HPCI or RCIC minimum flow line has been demanded open and subsequently fails to close on a system trip, there is the possibility that the CST will drain to the suppression pool because of their differences in elevation.

(15) Lube oil cooling is required for bearing cooling.

(16) The HPCI actuation circuitry was not modeled to a great degree of detail. Only elements which were felt to be potentially important were included in the fault tree model. The initiating signal sensors and their support systems were explicitly modeled since they are shared between various ESF systems. The power supply for the actuation circuitry was also included. Hardware failures of relays and certain permissives were grouped into one basic event.

(17) It is assumed that calibration of the low and low-low reactor vessel water level sensors is performed at the same time. Miscalibration of these sensors is assumed to be the same event.

(18) Failure to recover an initial loss of the normal suction source (the CST) will be treated as a recovery action. Operator error appears to dominate failures of suppression pool valves and their manual actuation circuitry. Failure of suppression pool valves from maintenance outages or support system failures appears elsewhere in the fault tree.

(19) Failure of the system to automatically realign to the suppression pool after a loss of the normal suction source (the CST) is treated explicitly with manual switchover being treated as a recovery action.
(20) The suction pressure trip is "ANDed" with a dummy event to account for the probability that low suction pressure exists.

(21) System unavailability due to testing is considered small compared with other system faults since it appears that the majority of testing requirements would not preclude proper system operation following a real demand. Hence this contribution to failure of the system is small compared with other system failure probabilities.

(22) Failure of room cooling (if not recovered) is estimated to fail HPCI in ten hours. This is based on utility calculations [52] which demonstrate that in 100 hours without room cooling, operability is expected assuming intermittent pump operation. Since in the accident sequences of interest continuous operation may be performed, this value was readjusted to 10 hours using engineering judgment.

4.6.11.7 HPCI Operating Experience

Nothing was peculiar in the operational history of the HPCI system which would affect system modeling. Plant operational data indicates a higher value for Turbine-Driven Pump (TDP) failure to run than the generic data base. The difference is that the generic value was calculated using plant operational hours instead of HPCI operational hours. The values compare closely when HPCI operational hours are used in the generic calculation. Therefore, the plant specific value for TDP failure to run is used.

4.6.12 High Pressure Service Water System

4.6.12.1 HPSW Description

The HPSW system is designed to supply cooling water from the ultimate heat sink to the RHR system heat exchangers under post-accident conditions and can provide an additional source of water to the reactor vessel (event tree nomenclature--V4) through a cross-tie to the RHR injection lines.

The HPSW system consists of four 4500 gpm pumps installed in parallel. The pumps are a vertical multi-stage turbine type with a discharge head of 700 ft. Each pump is sized to the design heat removal capacity of one RHR heat exchanger. Normal water supply to the suction of the pumps is from Conowingo Pond.
In the EHS mode of system operation, suction comes from and discharge goes to the emergency cooling towers. The pump discharge is split into two headers with two pumps in each header. The headers are split by a normally closed, motor-operated gate valve. Each header delivers water to two RHR heat exchangers in parallel. The pump discharge head is sufficient to maintain the HPSW system at a higher pressure than the RHR system, thus precluding leakage of radioactivity and permitting operation in conjunction with the emergency cooling towers. As an injection source to the reactor vessel, the HPSW discharge to the RHR injection lines is from the pump B/D header. This connects to the RHR header. A simplified schematic of the HPSW system is provided by Figure 4.6.12-1. Major components are shown as well as the pipe segment definitions (e.g., PS-10) used in the system fault tree.

The operator is required to initiate the HPSW system. To initiate the system in the RHR cooling mode, the operator must start the appropriate HPSW pump and open the appropriate motor operated discharge valve depending on which RHR heat exchanger(s) is used. These discharge valves are arranged as one valve downstream of each of the four RHR heat exchangers. To inject water into the reactor vessel via the RHR system, the operator starts HPSW pumps B and/or D and opens MOV-176 and MOV-174.

The success criterion for the HPSW system in the RHR cooling mode is one of four pumps supplying flow to the appropriate one of four heat exchangers. This is based upon the RHR system success criteria. As a last effort injection source, either Pump B or D must supply flow through the cross-tie and corresponding RHR injection line under depressurized conditions in the reactor vessel. Pump A or C can be used with operation of a cross-tie valve. For further information, refer to the success criteria discussions in Section 4.4.

Most of the HPSW system is located in pump rooms external to the reactor and turbine buildings. Any physical impact of accident conditions on the ability of the HPSW system to perform its functions would be minimal except for the injection valves (MOV-174, 176) which are in the reactor building and could be affected by a harsh environment. Room cooling failure does not fail the HPSW pumps (see Section 4.6.12.6).

Failure of the HPSW system in the RHR cooling mode would fail the RHR cooling function. Failure of the HPSW system in the injection mode would fail one source of water for reactor makeup and containment spray.

4.6.12.2 HPSW Interfaces and Dependencies

The HPSW pumps have both a normal and a standby power supply. In the event of a loss of offsite power, each pump is powered by a different diesel generator. Corresponding DC power is required for all pumps for actuation purposes. The pumps are self-cooled and room cooling is not required. A simplified dependency diagram of the HPSW is provided by Figure 4.6.12-2. Shown are the major support needs for the HPSW system as indicated by the solid diamonds.

The HPSW system can inject water from the B/D header to the RHR system B header through a line containing two normally closed, motor-operated gate valves and a check valve.

Cooling tower fans are shared with the ESW system. These fans are used in the EHS mode of operation should the normal bay level be either too high or too low. The EHS mode requires power from three of the four divisions to operate the inline motor-operated valves.
The HPSW system is initiated manually, either locally or from the main control room.

4.6.12.3 HPSW Test and Maintenance

The HPSW surveillance requirements are the following: (1) pump operability--once/month, (2) motor-operated valve operability--once/month, and (3) pump capacity test--after pump maintenance and every three months.

4.6.12.4 HPSW Technical Specifications

The HPSW system shall be operable whenever irradiated fuel is in the reactor vessel and the reactor coolant temperature is greater than 212°F, as well as prior to reactor startup from a cold shutdown condition.

If any two HPSW pumps are made or found to be inoperable for any reason, continued reactor operation is permissible for thirty days. If three HPSW pumps are made or found to be inoperable, continued reactor operation is permissible for fifteen days. If three HPSW trains are made or found to be inoperable, the reactor can continue to operate for seven days. If these requirements cannot be met, the reactor is to be shut down.

4.6.12.5 HPSW Logic Models

The HPSW system was modeled using fault trees for both its heat removal mode (including the EHS configuration) and its vessel injection mode. The major active and some passive components were modeled for the HPSW system. The fault tree model representing the HPSW system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only the piping with a diameter of greater than or equal to one third of the main system piping was considered as a potential diversion path.

Two human errors were modeled and include (1) failure of the operator to initiate the system, and (2) failure to restore equipment after maintenance.

4.6.12.6 HPSW Assumptions

(1) The HPSW pumps do not require room cooling. These pumps are located in a large building. By opening some doors (which is likely not to be necessary), adequate cooling can be provided for the pumps.

(2) The system is switched to the EHS mode when the sluice gates in the pump bay are closed and the water level drops. It is estimated that the EHS mode can also be switched on if MOV-2468 to the discharge pond fails closed.

(3) The design basis criteria follow. The emergency cooling towers require the fans for adequate heat removal. One induced-draft cooling tower is needed for heat removal from one RHR heat exchanger. One cooling tower is also needed for removal of heat from ESW loads. The cooling towers may be able to remove heat without induced-draft, but the success criteria would be different and would require further analysis. This has a negligible effect on system reliability since the emergency cooling towers are the secondary source of heat sink for the RHR heat exchangers.

(4) The emergency cooling tower reservoir is needed for successful operation of the HPSW system in the EHS mode. The HPSW system is switched to the EHS mode when the water level in the pump bay is already low. Without added water from the reservoir, the pumps will not have adequate NPSH either at the time of switchover or after when there will be further drainage from the pump bay.

(5) If the reservoir is providing water to the pump bay, failure of the pond discharge valve IW-2486 to close during the EHS mode of operation does not result in system failure. If this valve fails to close and the reservoir is supplying makeup water, the reservoir will be depleted faster. Reservoir depletion will take three and a half days instead of seven days since approximately half the flow is diverted into the pond. This is considered easily recoverable.

(6) Test unavailability or failure to restore after test for the HPSW system is considered insignificant. The system is essentially aligned to its desired configuration for test.

4.6.12.7 HPSW Operating Experience

Nothing was peculiar in the operational history of the HPSW system which would affect either system modeling or failure data.

4.6.13 Instrument Air System

4.6.13.1 IAS Description

The IAS provides a pneumatic supply to support short-term and long-term operations of safety equipment.

The IAS and Service Air System (SAS) consist of three, in parallel, air compressors supplying a common discharge header via individual air receiver tanks, ductwork, valves, and instrumentation. A fourth air compressor is tied into the SAS header and is common to both units. Two compressors, one IAS and one SAS, normally supply all compressed air requirements. The other IAS compressor serves in a standby capacity. A simplified schematic of the IAS is provided by Figure 4.6.13-1. Shown is the tie-in with the Instrument Nitrogen System which is the preferred
supply to the Main Steam Isolation Valves (MSIVs) and ADS/SRVs. In addition to these compressors, the IAS is currently backed up by a portable diesel compressor and will be backed up by two diesel compressors (not shown) in the future, and can be served by the Unit 3 IAS/SAS.

Each of the three parallel compressors is a vertical, single-stage, double-acting, non-lubricated, reciprocating compressor rated at 377 scfm at 100 psig. Each has an aftercooler, moisture separator, and air receiver tank. The standby SAS compressor consists of a non-lubricated compressor, aftercooler, moisture separator, and two receivers. This compressor is rated at 400 scfm at 100 psig.

The IAS supplies clean, dry, oil-free air to EVS and ESW system air valves, the CRD control system, and containment venting air valves and is a backup to the Instrument Nitrogen System.

When offsite power is lost, the air compressors trip. The operator is required to manually restart the air compressors when power is restored.

The success criterion for the IAS is that any one of the compressors supply air to system pneumatic loads.

Any physical impact of accident conditions on the ability of the IAS to perform its functions would be minimal. Room cooling failure is deemed not to fail the IAS and SAS compressors. Even if this were to occur, the diesel compressors or Unit 3 compressors could serve the necessary loads.

Failure of the IAS does not directly fail any safety systems because (1) accumulators are on the MSIVs and ADS valves, (2) instrument nitrogen is the preferred source to the MSIVs and ADS valves, and (3) other safety systems "fail-safe" on loss of air or have dedicated air bottles.

4.6.13.2 IAS Interfaces and Dependencies

Cooling requirements of system air compressors and aftercoolers are normally supplied by the TBCW system. In the event of offsite power failure, the RBCW system cools the air compressors and aftercoolers.

Motor-driven Air Compressor A is powered from 480 VAC/C with control and actuation power supplied by 120 VAC/C. Air Compressor B is powered from 480 VAC/D with control and actuation power supplied by 120 VAC/D. Air Compressors C and D are powered from non-safety Buses 20B13 and 20B31, respectively. Their control and actuation power comes from 120 VAC non-safety buses. Following a loss of offsite power, standby onsite power is provided to the air compressors to replenish compressed air storage as required. A simplified dependency diagram of the IAS is provided by Figure 4.6.13-2. In addition, two diesel compressors are normally on-line as backups.
4.6.13.3 IAS Test and Maintenance

No IAS test and maintenance requirements are identified in the Peach Bottom technical specifications.

4.6.13.4 IAS Technical Specifications

IAS degradation does not limit plant operations.

4.6.13.5 IAS Logic Models

The IAS was modeled using a very simple fault tree covering only the failures of the compressors and loss of support system needs. The fault tree model representing the IAS is presented in Appendix B. This simplified modeling approach was used since the importance of this system to other systems modeled in the study is limited. Therefore, a detailed analysis was not warranted.

Ductwork ruptures were considered to be negligible compared to other system failures. Only ducts with a diameter greater than or equal to 1/3 of the main system ducting were considered as potential diversion paths.

One human error was explicitly incorporated into the IAS fault tree model. This error is the operator's failing to restart the system following a loss of offsite power.

4.6.13.6 IAS Assumptions

(1) All IAS loads can be supplied from both IAS headers.

(2) The IAS trips on loss of offsite power and needs to be restarted manually.

(3) Failure of the TBCW system to provide cooling is dominated by TBCW pump failures and loss of offsite power.

(4) Failure of the RBCW system to provide cooling is dominated by RBCW pump failures and failure of switchover to the RBCW system for cooling.

(5) Due to the large number of compressors available even under partial losses of power, the IAS hardware was largely black-boxed with an assumed unavailability of 1E-4 using engineering judgment.

4.6.13.7 IAS Operating Experience

Nothing was peculiar in the operational history of the IAS which would affect either system modeling or failure data.
4.6.14 Low Pressure Coolant Injection System

4.6.14.1 LPCI Description

The function of the LPCI system is to provide a makeup coolant source to the reactor vessel during accidents in which system pressure is low (event tree nomenclature--V3). The ADS can be used in conjunction with the LPCI system to attain a low enough system pressure for injection to occur. The LPCI system is but one mode of the RHR system and, as such, shares components with other modes.

The RHR system is a two-loop system consisting of motor-operated valves and motor-driven pumps. There are two pump/heat exchanger trains per loop, with each pump rated at 10,000 gpm with a discharge head of 540 feet. Cooling water flow to the heat exchangers is not required for the LPCI mode. The LPCI suction source is the suppression pool. A simplified schematic of the LPCI (RHR) system is provided by Figure 4.6.14-1 with the LPCI portion highlighted. Major components are shown as well as the pipe segment definitions (e.g., PS-19) used in the system fault tree.
The LPCI system is automatically initiated and controlled. Operator intervention is required to manually start the system given an auto-start failure and to stop the system or control flow during an ATWS if required.

The success criterion for the LPCI system is injection of flow from any one pump to the reactor vessel. For further information, refer to success criteria discussions in Section 4.4.

Most of the LPCI system is located in the reactor building. Local access to the LPCI system could be affected by either containment venting or containment failure. Room cooling failure is deemed to fail the LPCI pumps in ten hours.

4.6.14.2 LPCI Interfaces and Dependencies

Each LPCI pump is powered from a separate 4160 VAC bus with control and actuation power being supplied by a separate 125 VDC bus. All pumps require pump cooling. For further information on pump cooling refer to Section 4.6.9.8. Each loop's normally closed injection valve can receive motive power from one of two 480 VAC sources. The Loop A injection valve sources are either 480 VAC/A or 480 VAC/C, and the Loop B injection valve sources are either 480 VAC/B or 480 VAC/D. A simplified dependency diagram of the LPCI is provided by Figure 4.6.14-2. Shown are the major support needs for the LPCI system as indicated by the solid diamonds.

Many components of the LPCI system are shared with the different modes of the RHR system. These commonalities are as follows: (1) the RHR pumps are common to the LPCI, SPC, CS, and SDC modes; (2) the suppression pool suction valve for each pump train is common to the LPCI, SPC, and CS modes; and (3) Loops A and B injection valves are common to the LPCI, SDC, and HPSW injection modes.

[Figure 4.6.14-2. Low Pressure Coolant Injection System Dependency Diagram. The dependency diagram is shown using failure logic. Note (1): dependency not required during short-term operation.]

Upon the receipt of a LPCI injection signal, start signals are sent to all pumps, Loops A and B injection valves are subsequently demanded to open when the reactor pressure is low enough, and the test return valves are demanded to close. The LPCI system is automatically initiated on the receipt of either a low-low reactor water level (378 inches above vessel zero) or high drywell pressure (2 psig) and low reactor pressure (450 psig). All actuation sensors are shared with the LPCS system.

LPCI actuation and control circuitry is divided into two divisions. Division A is associated with the actuation and control of components in Loop A, and Division B is associated with the actuation and control of components in Loop B. Each LPCI pump and loop injection valve receives an actuation signal from both divisions.

Although the LPCI system has no isolation signals, there are permissives which will prevent the operation of certain components. LPCI pumps are demanded to stop or prevented from starting if the suppression pool suction valve or any of three SDC suction valves are not fully open. Loops A and B injection valves are prohibited from opening unless a low reactor pressure permissive (450 psig) is met and will reclose if reactor pressure becomes too high.

4.6.14.3 LPCI Test and Maintenance

The LPCI surveillance requirements are the following: (1) pump operability--once/month, (2) MOV operability--once/month, (3) pump capacity test--once/three months, (4) simulated automatic actuation test--once/operating cycle, and (5) logic system functional test--once/six months.

4.6.14.4 LPCI Technical Specifications

If any one LPCI pump is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that the remaining LPCI components and both loops of the LPCS system are operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.14.5 LPCI Logic Model

The LPCI system was modeled using a fault tree for the injection of coolant to the reactor vessel. The major active components were modeled for the LPCI system. The fault tree model representing the LPCI system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only piping with a diameter of greater than or equal to one third of the main system piping was considered as a potential diversion path.
Three human errors were incorporated into the LPCI fault tree model. These errors are miscalibration of various sensors, failure to manually backup automatic actuation, and failure to properly restore key components following maintenance.

4.6.14.6 LPCI Assumptions

(1) Positions of all manual and motor-operated valves are indicated in the control room. Failure of these valves after testing and maintenance from incorrect positioning is therefore felt to be negligible. Test diverting flow causing LPCI system failure is also felt to be negligible since valves receive signals to close from both Divisions A and B actuation on a real demand. Thus, unavailability due to testing and failure to restore after testing is not important.

(2) During construction of the fault tree, it was necessary to determine which components could be taken OOS for maintenance. It was judged that maintenance would require components to be effectively removed from the system. Standard safety precautions of component isolation were used to decide which components could be taken OOS for maintenance while the plant was at power or normal operating pressure. The general guidelines used for component isolation were double blockage for high pressure piping or components and single blockage for low pressure piping or components.

(3) Pump isolation because of spurious signals is assumed to be negligible compared to other system faults.

(4) The LPCI actuation circuitry was not modeled at a great level of detail. Only elements which were felt to be potentially important were included in the fault tree model. Hardware failures of relays and permissives are grouped into one term. The initiating signal sensors and their support systems were explicitly modeled since they are shared between various ESF systems.

(5) Based on a PECO response, it is estimated that the LPCI pumps will fail because of insufficient NPSH once the suppression pool has reached saturated conditions.

(6) A suction path must be available from either the suppression pool or the SDC path to start a LPCI pump.

(7) The unavailability of the LPCI pumps due to testing does not defeat a real demand from operating the system. Therefore, it was not considered. Failure to restore the LPCI pumps after testing does not apply.
(8) Failure of the suppression pool because of random failure or the plugging of all its strainers is assumed to be negligible compared to other system failures.

(9) It is assumed that calibration of the low and low-low reactor water level sensors is performed at the same time. Miscalibration of these sensors is considered to be the same event.

(10) Failure of room cooling (if not recovered) fails LPCI in ten hours. This is based on utility calculations [52] which demonstrate that for approximately 50 hours or more without room cooling, operability is expected even with continuous pump operation. The ten hour LPCI failure value was chosen to be consistent with the general assumptions made for HPCI and RCIC. It is believed to be a conservative value.

4.6.14.7 LPCI Operating Experience

Nothing was peculiar in the operational history of the LPCI system which would affect either system modeling or failure data.

4.6.15 Low Pressure Core Spray System

4.6.15.1 LPCS Description

The function of the LPCS system is to provide makeup coolant to the reactor vessel during accidents in which system pressure is low (event tree nomenclature--V2). The ADS can be used in conjunction with the LPCS system to attain a low enough system pressure for injection to occur.

The LPCS system is a two-loop system consisting of motor-operated valves and motor-driven pumps. There are two fifty percent capacity pumps per loop, with each pump rated at 3125 gpm with a discharge head of 105 psig. The LPCS system normal suction source is the suppression pool. Pump suction can be manually realigned to the CST. A simplified schematic of the LPCS system is provided by Figure 4.6.15-1. Major components are shown as well as the pipe segment definitions (e.g., PS-27) used in the system fault tree.

The LPCS system is automatically initiated and controlled. Operator intervention is required to manually start the system given an auto-start failure and to stop the system or manually control flow during an ATWS if required.

The success criterion for the LPCS system is injection of flow from any two pumps to the reactor vessel. For further information, refer to success criteria discussions in Section 4.4.

Most of the LPCS system is located in the reactor building. Local access to the LPCS system could be affected by either containment venting or containment failure. Room cooling failure is assumed to fail the LPCS pumps in ten hours.
4.6.15.2 LPCS Interfaces and Dependencies

Each LPCS pump is powered from a separate 4160 VAC bus with control and actuation power being supplied by a separate 125 VDC bus. All pumps require pump cooling. For further information on pump cooling, refer to Section 4.6.9.8. Each loop's normally closed injection valve receives its motive power from a separate 480 VAC bus (480 VAC/C for Loop A, 480 VAC/D for Loop B). A simplified dependency diagram of the LPCS system is provided by Figure 4.6.15-2. Shown are the major support needs for the LPCS system as indicated by the solid diamonds at the appropriate places in the diagram.

Upon the receipt of a LPCS injection signal, start signals are sent to all LPCS pumps, both injection valves are demanded to open, and the test return valves are demanded to close. The LPCS system is automatically initiated on the receipt of either a low-low reactor water level (378 inches above vessel zero) or high drywell pressure (2 psig) and low reactor pressure (450 psig). All actuation sensors are shared with the LPCI system.

LPCS actuation and control circuitry is divided into two divisions. Division A is associated with the actuation and control of the components in Loop A, and Division B is associated with the actuation and control of the components in Loop B.

Each LPCS pump has a minimum flow line valve (normally open) which is demanded to open given a pump start. Both injection valves are prohibited from opening unless a low reactor pressure permissive (450 psig) is met.

4.6.15.3 LPCS Test and Maintenance

The LPCS system surveillance requirements are the following: (1) pump operability--once/month, (2) MOV operability--once/month, (3) pump capacity test--once/three months, (4) simulated automatic actuation test--once/operating cycle, and (5) logic system functional test--once/six months.

4.6.15.4 LPCS Technical Specifications

If any one LPCS loop is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that the remaining LPCS loop and the LPCI system are operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.15.5 LPCS Logic Model

The LPCS system was modeled using a fault tree for the injection of coolant to the reactor vessel. The major active components were modeled for the LPCS system. The fault tree model representing the LPCS system is presented in Appendix B.
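The LPCI and LPCS success criteria (any one pump versus any two pumps) and the injection valve power sources given in Sections 4.6.14 and 4.6.15 can be compared by enumerating minimal cut sets. The following is an added example, not the report's Appendix B fault trees: the event labels are hypothetical, each loop's two pumps are assumed to inject only through that loop's injection valve, and pump power, actuation and cooling dependencies are left out.

```python
from itertools import combinations

# Hypothetical basic-event labels (not the report's Appendix B names).
# Assumed for this example: two pumps per loop, each injecting only through
# its own loop's injection valve; pump power, actuation and cooling omitted.
LPCI_EVENTS = [
    "LPCI-PUMP-A1", "LPCI-PUMP-A2", "LPCI-PUMP-B1", "LPCI-PUMP-B2",
    "LPCI-INJ-VALVE-A", "LPCI-INJ-VALVE-B",
    "480VAC/A", "480VAC/B", "480VAC/C", "480VAC/D",
]
LPCS_EVENTS = [
    "LPCS-PUMP-A1", "LPCS-PUMP-A2", "LPCS-PUMP-B1", "LPCS-PUMP-B2",
    "LPCS-INJ-VALVE-A", "LPCS-INJ-VALVE-B",
    "480VAC/C", "480VAC/D",
]


def lpci_fails(failed):
    """LPCI fails when no pump can inject (success: any one pump)."""
    def loop_injects(loop, sources):
        # The injection valve opens if it works and either source has power.
        valve_opens = (f"LPCI-INJ-VALVE-{loop}" not in failed
                       and any(bus not in failed for bus in sources))
        pump_runs = any(f"LPCI-PUMP-{loop}{n}" not in failed for n in (1, 2))
        return valve_opens and pump_runs

    return not (loop_injects("A", ("480VAC/A", "480VAC/C"))
                or loop_injects("B", ("480VAC/B", "480VAC/D")))


def lpcs_fails(failed):
    """LPCS fails when fewer than two pumps inject (success: any two pumps)."""
    def pumps_injecting(loop, bus):
        # One 480 VAC source per injection valve: losing it blocks the loop.
        if f"LPCS-INJ-VALVE-{loop}" in failed or bus in failed:
            return 0
        return sum(f"LPCS-PUMP-{loop}{n}" not in failed for n in (1, 2))

    return (pumps_injecting("A", "480VAC/C")
            + pumps_injecting("B", "480VAC/D")) < 2


def minimal_cut_sets(fails, events, given=frozenset()):
    """Enumerate minimal cut sets in order of increasing size.

    Valid because the logic is coherent (more failures never restore the
    system). `given` lists events assumed already failed, e.g. a lost bus.
    """
    given = frozenset(given)
    candidates = [e for e in events if e not in given]
    found = []
    for size in range(len(candidates) + 1):
        for combo in combinations(candidates, size):
            cut = frozenset(combo)
            if any(smaller <= cut for smaller in found):
                continue  # superset of a known cut set, so not minimal
            if fails(cut | given):
                found.append(cut)
    return found


def order_counts(cut_sets):
    """Map cut-set order (number of events) to how many sets have it."""
    counts = {}
    for cut in cut_sets:
        counts[len(cut)] = counts.get(len(cut), 0) + 1
    return counts


if __name__ == "__main__":
    for name, fails, events in (("LPCI", lpci_fails, LPCI_EVENTS),
                                ("LPCS", lpcs_fails, LPCS_EVENTS)):
        base = minimal_cut_sets(fails, events)
        degraded = minimal_cut_sets(fails, events, given={"480VAC/C"})
        print(name, "cut sets by order:", order_counts(base))
        print(name, "with 480VAC/C lost:", order_counts(degraded))
        for cut in sorted(degraded, key=lambda c: (len(c), sorted(c)))[:4]:
            print("   ", sorted(cut))
```

In this simplified model, losing 480 VAC/C leaves LPCS with only single-event cut sets, while LPCI still needs at least two further failures because each LPCI injection valve has a second 480 VAC source.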
[Figure 4.6.15-2. Low Pressure Core Spray System Dependency Diagram. The dependency diagram is shown using failure logic. Note (1): dependency not required during short-term operation. Note (2): see LPCS fault tree for success criteria.]
Piping ruptures were considered to be negligible compared to other system failures. Only piping with a diameter of greater than or equal to one third of the main system was considered as a potential diversion path.

Three human errors were incorporated into the LPCS fault tree model. These errors are miscalibration of various sensors, failure to manually backup automatic actuation, and failure to properly restore key components following maintenance.

4.6.15.6 LPCS Assumptions

(1) Positions of all manual and motor-operated valves are indicated in the control room. Failure of these valves after testing and maintenance due to incorrect positioning is therefore felt to be negligible. Test diverting flow causing LPCS system failure is also felt to be negligible since valves receive signals to close from both Divisions A and B actuation circuitry. The injection valves receive open signals on a real demand. Thus, unavailability due to testing and failure to restore after testing is not important.

(2) During construction of the fault tree, it was necessary to determine which components could be taken OOS for maintenance. Maintenance would require components to be effectively removed from the system. Standard safety precautions of component isolation were used to decide which components could be taken OOS for maintenance while the plant was at power or normal operating pressure. The general guidelines used for the component isolation were double blockage for high pressure piping or components and single blockage for low pressure piping or components.

(3) Pump isolation because of spurious signals is assumed to be negligible compared to other system faults.

(4) The LPCS actuation circuitry was not modeled at a great level of detail. Only elements which were felt to be potentially important were included in the fault tree model. Hardware failures of relays and permissives were grouped into one term. The initiating signal sensors and their support systems were explicitly modeled since they are shared between various ESF systems.

(5) Based on a PECO response, the LPCS pumps will fail because of insufficient NPSH once the suppression pool has reached saturated conditions.

(6) The CST is an alternate suction source which must be manually valved in and therefore is not explicitly included in the model but can be handled as a recovery action.

(7) The LPCS pumps do not trip on low pump suction pressure.

(8) The unavailability of the LPCS pumps from testing does not defeat a real demand from operating the system. Therefore, it was not considered. Failure to restore the LPCS pumps after testing does not apply.

(9) Failure of the suppression pool because of random failure or the plugging of all its strainers is assumed to be negligible compared to other system failures.

(10) It is assumed that calibration of the low and low-low reactor water level sensors is performed at the same time. Miscalibration of these sensors is considered to be the same event.

(11) Failure of room cooling (if not recovered) is assumed to fail LPCS in ten hours. This is based on utility calculations [52] which demonstrate that for approximately 50 hours or more without room cooling, operability is expected even with continuous pump operation. The ten hour LPCS failure value was chosen to be consistent with the general assumptions made for HPCI and RCIC. It is a conservative value.

4.6.15.7 LPCS Operation Experience

Nothing was peculiar in the operational history of the LPCS system which would affect either system modeling or failure data.

4.6.16 Primary Containment Venting System

4.6.16.1 PCV Description

When torus and containment sprays have failed to reduce primary containment pressure, the PCV is used to prevent a primary containment pressure limit from being exceeded (event tree nomenclature--Y). The preferred primary containment vent paths include: (1) 2-in torus vent to the Standby Gas Treatment System (SGTS), (2) 6-in Integrated Leak Rate Test (ILRT) line from the torus, (3) 18-in torus vent path, (4) 18-in torus supply path, (5) 2-in drywell vent to the SGTS, (6) two 3-in drywell sump drain lines, (7) 6-in ILRT line from the drywell, (8) 18-in drywell vent path, and (9) 18-in drywell supply path. A simplified schematic of the PCV is provided by Figure 4.6.16-.

For decay heat loads alone it is expected that the drywell pressure rise will be relatively slow. PCV success in this case is the 6-in vent path (or larger) being operational. However, if the rate of pressure rise is significantly faster as in the ATWS scenarios, success criteria dictate three or four 18-in vent paths as a minimum (assuming power levels -15%). For further information, refer to success criteria discussions in Section 4.4.
Current venting procedure requires a vent path to be established if containment pressure rises to 100 psig (PECO is considering changing this to 60 psig). In the case of an ATWS, or if it can be inferred that the suppression pool is being bypassed, the operator is required to directly establish the 18-in vent paths.

4.6.16.2 PCV Interfaces and Dependencies

The PCV major dependencies are AC power and instrument air. A simplified dependency diagram of the PCV system is provided by Figure 4.6.16-2. Shown are the major support needs for the PCV system as indicated by the solid diamonds.

The drywell and torus vent paths to the SGTS are assumed to be successful whether or not the SGTS dampers are open. With the dampers closed, a rupture of the SGTS ducting in the reactor building is assumed to occur.

With a loss of instrument air, all air-operated valves fail closed. Backup air bottles are installed to facilitate opening air-operated valves locally.

With a loss of power, motor-operated valves fail in an "as is" position. These valves can still be opened with a handwheel or wrench on the stub protruding at the top of the motor operator.

4.6.16.3 PCV Test and Maintenance

The PCV system has no special test and maintenance requirements.

4.6.16.4 PCV Technical Specifications

The PCV system has no special technical specifications. However, the vent paths are used for inerting and de-inerting the containment as well as leak testing of the containment during refuelings.

4.6.16.5 PCV Logic Models

The PCV system was modeled using a fault tree for reducing primary containment pressure. The fault tree has been simplified to cover only the major active components, interfaces and dependencies, and human errors. These have been lumped into one event. The PCV fault tree model is presented in Appendix B.

One human error was incorporated into the PCV fault tree model. That error was operator failure to vent.

4.6.16.6 PCV Assumptions

(1) Only major active components and major dependencies were modeled. These were assumed to dominate system failure.
4.6.16.7 PCV Operational Experience

Nothing was peculiar in the operational history of the PCV system which would affect system modeling.

4.6.17 Reactor Building Cooling Water System

4.6.17.1 RBCW Description

The function of the RBCW system is to provide a means of cooling auxiliary plant equipment which is located primarily in the reactor building (e.g., recirculation pumps, sump coolers, radwaste, etc.). The RBCW system is a backup for cooling CRD pumps and IAS compressors and aftercoolers should the TBCW be lost.

The RBCW system is a closed loop system consisting of two full-capacity pumps, two full-capacity heat exchangers, one head tank, one chemical feed tank and associated piping, valves, and controls. The RBCW system is designed for an operating pressure of 140 psig. A simplified schematic of the RBCW system is provided by Figure 4.6.17-1.

The operator uses RBCW to cool certain critical loads if the TBCW system is lost. The RBCW system usually has one pump continuously operating. Control and instrumentation is designed for remote system startup from the main control room.

The success criterion for the RBCW system is one pump and one heat exchanger train operating, providing sufficient cooling to the loads.

The cooling water pumps and heat exchangers are located in the reactor building auxiliary bay. The head tank is located on the reactor building refueling floor. The specific RBCW loads are distributed throughout different areas of the plant.

4.6.17.2 RBCW Interfaces and Dependencies

Cooling is maintained on critical equipment during failure of off-site power. Electrical power for operating the RBCW system pumps during such periods is supplied by the diesel generators. In the event of off-site power failure, the ESW system can supply cooling water to the RBCW system. The RBCW system supply to the reactor cleanup system non-regenerative heat exchanger is isolated, and the cooling water supply is maintained to the reactor recirculation pump motor oil and mechanical seal water coolers and the reactor building equipment drain sump cooler. In addition, cooling water is supplied to the drywell air cooling system and the drywell equipment drain sump cooler, which are nominally served by the chilled water system, and to the CRD pump oil coolers and air compressor jacket and after coolers, which are normally served by the TBCW system.

The RBCW system can also supply cooling water to the fuel pool cooling heat exchangers, via removable spool pieces, in the event of loss of normal cooling water.
A radiation monitor is provided at the cooling water return header to indicate, record, and alarm leakage of radioactivity.

A simplified dependency diagram of the RBCW system is provided by Figure 4.6.17-2. Shown are the major support needs as indicated by the solid diamonds.

4.6.17.3 RBCW Test and Maintenance

The RBCW system has no special test and maintenance requirements.

4.6.17.4 RBCW Technical Specifications

The RBCW system has no specific technical specifications.

4.6.17.5 RBCW Logic Model

The RBCW system was modeled using a fault tree for the loss of cooling water to auxiliary plant equipment. The fault tree has been simplified to cover only the major active components, interfaces and dependencies, and human errors. The head tank and chemical addition tank were not modeled since they are passive devices and their failure probabilities are not expected to dominate system failure.

Seven human errors were incorporated into the RBCW fault tree. These errors are: failure to restore train 2354 valves after maintenance, failure to restore train 2352 valves after maintenance, operator failure to reclose the CRD-RBCW breakers given loss of off-site power occurs, failure to restore pump B train after maintenance, failure to restore manual valve 517 after maintenance, operator failure to open locked closed valves in the ESW system which cools RBCW, and pump B train failure to start due to operator error.

4.6.17.6 RBCW Assumptions

Only major active components and major dependencies were modeled. These were assumed to dominate system failure.

4.6.17.7 RBCW Operating Experience

There was nothing peculiar in the operational history of the RBCW system which would affect system modeling.

4.6.18 Reactor Core Isolation Cooling System

4.6.18.1 RCIC Description

The function of the RCIC system is to provide a makeup coolant source to the reactor vessel during accidents in which system pressure remains high (event tree nomenclature--U2).
[Figure 4.6.17-2. Simplified dependency diagram of the RBCW system.]
The RCIC system consists of a single train with motor-operated valves and a turbine-driven pump. Suction is taken from either the CST or the suppression pool. Injection to the reactor vessel is via a feedwater line. The RCIC pump is rated at 600 gpm flow with a discharge head of 1135 psig. A simplified schematic of the RCIC system is provided by Figure 4.6.18-1. Major components are shown that were modeled in the system fault tree.

The RCIC system is automatically initiated and controlled. Operator intervention is required as follows: (1) to prevent either vessel overfill or continuous system trip/restart cycles, (2) to manually start the system given an auto-start failure, and (3) to set up the system for continuous operation under long-term station blackout conditions.

The success criterion for the RCIC system is injection at rated flow to the reactor vessel. For further information, refer to success criteria discussions in Section 4.4.

Most of the RCIC system is located in a separate room in the reactor building. Local access to the RCIC system could be affected by either containment venting or containment failure should steam be released to the reactor building area. Room cooling failure is assumed to fail the RCIC pump in ten hours.

4.6.18.2 RCIC Interfaces and Dependencies

The RCIC system major dependencies are DC power for short term operation and room cooling for long term operation. Although there are AC powered motor-operated valves, these valves are not required to change state during normal system operation since they are only used to isolate the system. A simplified dependency diagram of the RCIC system is provided by Figure 4.6.18-2. Shown are the major support needs for the RCIC system as indicated by the solid diamonds.

The RCIC system requires both 250 VDC/A and 125 VDC/A. The 125 VDC/A is used for actuation and control power while an injection and a supply valve are powered from 250 VDC/A.

The RCIC and HPCI systems share a common CST suction valve. This is a normally open manual valve and is identified as XV-1 on the RCIC schematic. Failure of this valve will fail the CST as a suction source to both the RCIC and HPCI systems.

Upon system actuation, RCIC injection valves receive a signal to open and RCIC test valves receive a signal to close. The RCIC system is automatically initiated on the receipt of a low reactor water level signal (490 inches above vessel zero). The low reactor water level sensors are shared with the HPCI system.

The CST is the initial suction source for the RCIC system. Suction is automatically switched to the suppression pool on low CST level. Automatic switchover will not occur if there is an automatic isolation signal present. The CST suction valve does not close until both of the suppression pool suction valves are fully open.
[Figure 4.6.18-1. Simplified schematic of the RCIC system.]

[Figure 4.6.18-2. Simplified dependency diagram of the RCIC system.]
The RCIC system is automatically isolated by high steam line space temperature, steam line high dP, or high turbine exhaust pressure (65 psia). Both the high temperature and high dP signals are used to detect a steam line break. The RCIC turbine trips on high exhaust pressure, high reactor water level, low pump suction pressure, low steam pressure, or an auto isolation signal.

4.6.18.3 RCIC Test and Maintenance

The RCIC system surveillance requirements are the following: (1) pump operability--once/month, (2) motor-operated valve operability--once/month, (3) pump capacity test--once/three months, (4) simulated automatic actuation test--once/operating cycle, and (5) logic system functional test--once/six months.

4.6.18.4 RCIC Technical Specifications

If the RCIC system is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that ADS, HPCI, LPCI, and both loops of the LPCS system are operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.18.5 RCIC Logic Model

The RCIC system was modeled using a fault tree for the injection of coolant to the reactor vessel. The major active components were modeled for the RCIC system. The fault tree model representing the RCIC system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only the piping with a diameter of greater than or equal to one third of the main system piping was considered as a potential diversion path. The barometric condenser condensate pump and vacuum pump were not modeled since their operation is not essential to system operation.

Seven human errors were incorporated into the RCIC fault tree model. These errors are (1) failure to trip the RCIC system and realign its suction source on low suction pressure, (2) failure to realign the suction source for the RCIC and HPCI systems in other circumstances, (3) failure to control RCIC flow (reactor level), (4) failure to manually backup automatic RCIC actuation, (5) miscalibration of CST level sensors, (6) miscalibration of certain ESF sensors, and (7) failure to isolate the RCIC system given high exhaust pressure.

4.6.18.6 RCIC Assumptions

(1) The RCIC test return lines were not considered as potential diversion paths because the probability of two normally closed MOVs failing to prevent flow was felt to be negligible compared to other system faults.

(2) Failure of the system to isolate given certain conditions was not considered since the system is effectively "non-operational." These conditions are (a) high steam line space temperature, (b) high steam line dP, (c) low steam pressure, (d) high steam line exhaust pressure, and (e) manual isolation.

(3) Failure of the minimum flow line to open does not constitute system failure since the time between pump start and opening of the injection valve is small.

(4) The barometric condenser condensate pump and vacuum pump are not necessary for system operation. Therefore, their failures were not modeled.

(5) Spurious signals are felt to be negligible compared to other system failures because of their low probability of occurrence.

(6) The RCIC system is assumed to fail in a non-recoverable state if it fails to trip on low suction pressure or high reactor water level because of expected damage to the pump or turbine.

(7) RCIC pump bearing cooling fails if pump suction is from the suppression pool and the working fluid temperature reaches between 210 and 260°F. In the analyses, this was nominally assumed to occur at 250°F without any uncertainty in order to facilitate the analysis. Therefore, the uncertainty in the results does not reflect the temperature range over which failure might occur.

(8) The RCIC turbine shaft-driven oil pump, stop valve, and governor valve failures were included in turbine failure data.

(9) System failure because of valves being left in the wrong position after test or maintenance is felt to be small compared to other system faults. The position of key manual and motor-operated valves is indicated in the control room and the motor-operated valves receive signals to realign on an actual demand. System valves must be in their correct positions before startup of the plant following shutdown and concurrent maintenance activities. In addition, PECO maintains a control log of all "locked" valves in the plant to assure their correct position.

(10) Testing of TCV22 (PS-6) will not prevent flow from reaching the reactor vessel should a real demand occur.

(11) During construction of the fault tree, it was necessary to determine which components could be taken OOS for maintenance. Maintenance would require components to be effectively removed from the system. Standard safety precautions of component isolation were used to decide which components could be taken OOS for maintenance while the plant was at power or normal operating pressure. The general guidelines used for component isolation were double blockage for high pressure piping or components and single blockage for low pressure piping or components.

(12) An event for depletion of the CST was included for those cases where RCIC and/or HPCI operation was judged to be sufficiently long.

(13) Failure of the suppression pool by random failure or the plugging of its strainers is felt to be negligible compared to other system failures.

(14) If the HPCI or RCIC minimum flow line has been demanded open and subsequently fails to close on a system trip, there is the possibility that the CST will drain to the suppression pool from their difference in elevation.

(15) Lube oil cooling is required for bearing cooling.

(16) The RCIC actuation circuitry was not modeled to a great degree of detail. Only elements which were felt to be potentially important were included in the fault tree model. The initiating signal sensors and their support systems were explicitly modeled since they are shared between various ESF systems. The power supply for the actuation circuitry was also included. Hardware failures of relays and certain permissives were grouped into one basic event.

(17) It is assumed that calibration of the low and low-low reactor vessel water level sensors is performed at the same time. Miscalibration of these sensors is assumed to be the same event.

(18) Failure to recover an initial loss of the normal suction source (the CST) will be treated as a recovery action. Operator error appears to dominate failures of suppression pool valves and their manual actuation circuitry. Failure of suppression pool valves from maintenance outages or support system failures appears elsewhere in the fault tree.

(19) Failure of the system to automatically realign to the suppression pool after a loss of the normal suction source (the CST) is treated explicitly with manual switchover being treated as a recovery action.

(20) The suction pressure trip is "ANDed" with a dummy event to account for the probability that low suction pressure exists.

(21) The operator is required to manually reset the RCIC turbine trip valve if either high steam flow or high steam line temperature occurs. Manual reset is not required for either high reactor water level or low suction pressure.

(22) System unavailability from testing is considered small compared with other system faults since it appears that the majority of testing requirements would not preclude proper system operation following a real demand. Hence, this contribution to failure of the system is small compared with other system failure probabilities.

(23) Failure of room cooling (if not recovered) fails RCIC in ten hours. This is based on utility calculations [52] which demonstrate that in 100 hours without room cooling, operability is expected assuming intermittent pump operation. Since in the accident sequences of interest continuous operation may be performed, this value was readjusted to ten hours using engineering judgement.

4.6.18.7 RCIC Operating Experience

Nothing was peculiar in the operational history of the RCIC system which would affect system modeling. Plant operational data indicates a higher value for TDP failure to run than the generic data base. The difference is that the generic value was calculated using plant operational hours instead of RCIC operational hours. The values compare closely when RCIC operational hours are used in the generic calculation. Therefore, the plant specific value for TDP failure to run is used.
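The RCIC dependencies and modeling assumptions in Sections 4.6.18.2 and 4.6.18.6 can be assembled into a small fault tree and reduced to minimal cut sets, which shows how the single-failure list changes between short-term and long-term operation. The following Python example is added here and is not the Appendix B model or code from the report; the gate structure and all event names are assumptions built from the text above.

```python
"""Added illustration: minimal cut sets for a simplified RCIC failure tree.

The gate structure is an assumption assembled from Sections 4.6.18.2 and
4.6.18.6; it is not the Appendix B fault tree. Event names are hypothetical.
"""
from itertools import product


def OR(*children):
    return ("OR", children)


def AND(*children):
    return ("AND", children)


def minimize(sets):
    """Absorption: drop every cut set that strictly contains another one."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a gate or basic event as frozensets."""
    if isinstance(node, str):                      # basic event
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":                               # any child fails the gate
        combined = set().union(*child_sets)
    else:                                          # AND: every child must fail
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimize(combined)


def rcic_tree(long_term):
    """Top event: RCIC fails to inject at rated flow."""
    cst_lost = ["XV-1-FAILS"]                      # CST suction valve shared with HPCI
    if long_term:
        cst_lost.append("CST-DEPLETED")            # assumption (12)
    branches = [
        "125VDC/A",                                # actuation and control power
        "250VDC/A",                                # injection and supply valve power
        "TURBINE-DRIVEN-PUMP",
        "INJECTION-VALVE",
        # assumption (19): automatic realignment to the suppression pool is explicit
        AND(OR(*cst_lost), "AUTO-SWITCHOVER-FAILS"),
        # human error (4): operator backs up a failed automatic actuation
        AND("AUTO-ACTUATION-FAILS", "OPERATOR-FAILS-MANUAL-START"),
        # assumptions (6) and (20): a failed trip matters only if low suction pressure exists
        AND("LOW-SUCTION-PRESSURE-EXISTS", "SUCTION-PRESSURE-TRIP-FAILS"),
    ]
    if long_term:
        branches.append("ROOM-COOLING")            # assumption (23): fails RCIC in ten hours
    return OR(*branches)


def single_failures(tree):
    """Order-1 cut sets: basic events that fail the system on their own."""
    return sorted(next(iter(s)) for s in cut_sets(tree) if len(s) == 1)


def shared_with(tree, events):
    """Cut sets containing any event from `events` (e.g. equipment shared with HPCI)."""
    return sorted(sorted(s) for s in cut_sets(tree) if s & set(events))


if __name__ == "__main__":
    for label, flag in (("short term", False), ("long term", True)):
        tree = rcic_tree(flag)
        print(label, "single failures:", single_failures(tree))
        for cs in sorted(cut_sets(tree), key=lambda s: (len(s), sorted(s))):
            print("   ", " AND ".join(sorted(cs)))
```

Room cooling enters as a single failure only in the long-term tree, and the shared valve XV-1 appears only in combination with a failed automatic switchover to the suppression pool.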
4.6.19 Residual Heat Removal: Shutdown Cooling System

4.6.19.1 SDC Description

The function of the SDC system is to remove decay heat during accidents in which reactor vessel integrity is maintained (event tree nomenclature--W2). The SDC system is but one mode of the RHR system and, as such, shares components with other modes.

The RHR system is a two-loop system consisting of motor-operated valves and motor-driven pumps. There are two pump/heat exchanger trains per loop, with each pump rated at 10,000 gpm with a discharge head of 540 feet. Cooling water flow to the heat exchanger is required for the SDC mode. The SDC system suction source is one recirculation pump's suction line. A simplified schematic of the SDC (RHR) system is provided by Figure 4.6.19-1 with the SDC system highlighted. Major components are shown as well as the pipe segment definitions (e.g., PS-9) used in the system fault tree. The SDC system is manually initiated and controlled.

The success criterion for the SDC system is injection of flow from any one pump/heat exchanger train to the reactor vessel. For further information, refer to success criteria discussions in Section 4.4.
[Figure 4.6.19-1. Simplified schematic of the SDC (RHR) system, with the SDC system highlighted.]
Most of the SDC system is located in the reactor building. Local access to the SDC system could be affected by either containment venting or containment failure. Room cooling failure is assumed to fail the SDC pumps in ten hours.

4.6.19.2 SDC Interfaces and Dependencies

Each SDC pump is powered from a separate 4160 VAC bus with control and actuation power being supplied by a separate 125 VDC bus. All pumps require pump cooling. For further information on pump cooling, refer to Section 4.6.9.8. A simplified dependency diagram of the SDC system is provided by Figure 4.6.19-2. Shown are the major support needs of the SDC system as indicated by the solid diamonds.

Each loop's normally closed injection valve receives motive power from one of two 480 VAC sources. The Loop A injection valve sources are either 480 VAC/A or 480 VAC/C, and the Loop B injection valve sources are either 480 VAC/B or 480 VAC/D.

Many components of the SDC system are shared with the different modes of the RHR system. These commonalities are as follows: (1) the RHR pumps are common to the SDC, SPC, CS, and LPCI modes; (2) Loops A and B injection valves are common to the SDC, LPCI, and HPSW injection modes; and (3) heat exchanger cooling is common to the CS, SDC, and SPC modes.

The two SDC suction valves (MV18 and MV17) are common to all four SDC pumps. MV18 requires 480 VAC/A and MV17 requires 250 VDC/B. Complete failure of the SDC system will occur if either of these valves fails to open.

Each pump's suppression pool suction valve and SDC cooling suction valve are interlocked. One valve must be fully closed before the other valve can be opened.

SDC is initiated after emergency core injection is successful and reactor pressure is low. If an injection signal subsequently occurs, the RHR system will automatically be realigned to the LPCI mode.

SDC cannot be initiated if any of the following conditions exist: (a) reactor pressure greater than 225 psig, (b) high drywell pressure, or (c) low reactor water level. SDC pumps will stop or be prevented from starting if a suction path is not available.

4.6.19.3 SDC Test and Maintenance

The SDC surveillance requirements are the following: (1) pump operability--once/month, (2) MOV operability--once/month, (3) pump capacity test--once/three months, (4) simulated automatic actuation test--once/operating cycle, and (5) logic system functional test--once/six months.
[Figure 4.6.19-2. Residual Heat Removal System - Shutdown Cooling Mode Dependency Diagram. Dependency diagram is shown using failure logic. (1) Dependency not required during short term operation.]
4.6.19.4 SDC Technical Specifications

To the extent that the SDC and LPCI modes are shared, certain technical specifications are required because of the LPCI mode of the RHR system. If any one LPCI pump is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that the remaining LPCI components and both loops of the LPCS system are operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.19.5 SDC Logic Model

The SDC system was modeled using a fault tree for removal of decay heat from the reactor vessel following transients. The major active components were modeled for the SDC system. The fault tree model representing the SDC system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only piping with a diameter of greater than or equal to one third of the main system piping was considered as a diversion path.

Three human errors were incorporated into the SDC fault tree model. These errors are miscalibration of various sensors, failure of manual initiation, and failure to properly restore key components following maintenance.

4.6.19.6 SDC Assumptions

(1) Positions of all manual and motor-operated valves are indicated in the control room. Failure of these valves after testing and maintenance due to incorrect positioning is therefore felt to be negligible. The injection valves receive open signals on a real demand. Thus, unavailability due to testing and failure to restore after testing is not important.

(2) During construction of the fault tree, it was necessary to determine which components could be taken OOS for maintenance. It was assumed that maintenance would require components to be effectively removed from the system. Standard safety precautions of component isolation were used to decide which components could be taken OOS for maintenance while the plant was at power or normal operating pressure. The general guidelines used for component isolation were double blockage for high pressure piping or components and single blockage for low pressure piping or components.

(3) Pump isolation because of spurious signals is assumed to be negligible compared to other system faults.

(4) The SDC control circuitry was not modeled at a great level of detail. Only elements which were felt to be potentially important were included in the fault tree model. Hardware failure of relays and permissives is grouped into one term. The permissive/isolation signal sensors and their support systems were explicitly modeled since they could be potentially important to system failure.

(5) Based on a PECO response, the SDC pumps will fail because of insufficient NPSH once the suppression pool has reached saturated conditions.

(6) SDC failure because of a test diverting flow is felt to be negligible because this mode is manually initiated and aligned.

(7) A suction path must be available from either the suppression pool or the SDC path to start an SDC pump.

(8) Failure of the suppression pool because of random failure or the plugging of all its strainers is assumed to be negligible compared to other system failures.

(9) The unavailability of the SDC pumps from testing does not defeat a real demand from operating the system. Therefore, it was not considered. Failure to restore the SDC pumps after testing does not apply.

(10) Pump room cooling is discussed in LPCI Section 4.6.14.6.

4.6.19.7 SDC Operating Experience

Nothing was peculiar in the operational history of the SDC system which would affect either system modeling or failure data.

4.6.20 Standby Liquid Control System

4.6.20.1 SLC Description

The SLC system provides a backup method, which is redundant but independent of the control rods, to establish and maintain the reactor subcritical (ATWS event tree nomenclature--SLC).

The suction for the SLC system comes from a control tank. The control tank has sodium pentaborate in solution with demineralized water. Two parallel positive displacement pumps are each sized to inject the sodium pentaborate solution into the reactor. Two parallel explosive valves are downstream of the pumps' common discharge. SLC discharge enters the reactor vessel near the bottom of the core shroud where it mixes with cooling water rising through the core. A simplified schematic of the SLC system is provided by Figure 4.6.20-1.
[Figure 4.6.20-1. Simplified schematic of the SLC system.]
The operator manually activates the SLC system with a three-position keylock switch on the control room console. If the pump lights or the explosive valve light indicate that liquid may not be flowing, the operator can turn the keylock switch to the other side to operate the other pump.

The success criteria for the SLC system are one of two pumps running and one of two explosive valves open.

Most of the SLC system is located in the reactor building outside of the drywell. Local access to the SLC system could be affected by containment failure or containment venting.

4.6.20.2 SLC Interfaces and Dependencies

SLC Pump A is powered from 480 VAC/A with control and actuation power supplied by 125 VDC/A. SLC Pump B is powered from 480 VAC/B with control and actuation power supplied by 125 VDC/B. Both pumps are self-cooled and do not require room cooling. A simplified dependency diagram of the SLC system is provided by Figure 4.6.20-2. Shown are the major support needs for the SLC system as indicated by the solid diamonds.

The SLC system has a common test return line. This piping originates at the pumps' combined discharge. If this line is not isolated following a test, pump discharge in the event of system actuation would preferentially flow to either the test or control tanks.

Switching from "Off" to either "Pump A" or "Pump B" on the three-position keylock switch starts the respective pump, opens both explosive valves, and closes the Reactor Water Cleanup (RWCU) system isolation valves (see PS-7, Figure 4.6.20-1). The RWCU isolation valves are closed to prevent loss or dilution of the boron.

The SLC pumps have control room informational lights. A green light indicates that power is available to the pump motor contactor but the contactor is open and the pump is not running. A red light indicates the contactor is closed and the pump is running.

The explosive valve shearing plunger is actuated by an explosive charge having dual ignition primers. Ignition circuit continuity is monitored by a trickle current. If either explosive valve circuit opens, a control room alarm actuates.

4.6.20.3 SLC Test and Maintenance

Once per month, each pump loop is functionally tested by recirculating demineralized water to the test tank. The SLC system is tested once every operating cycle as follows: (1) relief valve settings are checked, (2) the system is manually initiated except for the explosive valves, and (3) one SLC pump takes suction from the test tank and discharges demineralized water into the reactor vessel. Both systems, including both explosive valves, are tested in the course of two operating cycles. When a component is found to be inoperable, its redundant component is to be demonstrated operable immediately and on a daily basis thereafter until the inoperable component is repaired.

[Figure 4.6.20-2. Simplified dependency diagram of the SLC system.]

4.6.20.4 SLC Technical Specifications

When fuel is in the reactor and prior to cold startup, the SLC system must be operable. With a redundant component inoperable, continued reactor operation is allowed for seven days.

4.6.20.5 SLC Logic Model

The SLC system was modeled using a fault tree for the injection of sodium pentaborate into the reactor vessel. Besides major components, human errors were incorporated into the SLC system fault tree. These errors include operator failure to start the system and operator failure to properly restore the system following test and maintenance. Unavailability of the system during testing was also modeled.

4.6.20.6 SLC Assumptions

(1) Pipe segments less than one third of the main system pipe diameter are not considered to be diversion paths.

(2) Failure to heat the sodium pentaborate solution is not assumed to fail the system, based on information in the Peach Bottom UFSAR. [11]

4.6.20.7 SLC Operating Experience

Nothing was peculiar in the operational history of the SLC system which would affect either system modeling or failure data.

4.6.21 Residual Heat Removal: Suppression Pool Cooling System

4.6.21.1 SPC Description

The function of the SPC system is to remove decay heat from the suppression pool during accidents (event tree nomenclature--W1). The SPC system is but one mode of the RHR system and, as such, shares components with other modes.

The RHR system is a two-loop system consisting of motor-operated valves and motor-driven pumps. There are two pump/heat exchanger trains per loop, with each pump rated at 10,000 gpm with a discharge head of 540 feet. Cooling water flow to the heat exchanger is required for the SPC mode. The SPC suction source is the suppression pool. A simplified schematic of the SPC (RHR) system is provided by Figure 4.6.21-1 with the SPC mode highlighted. Major components are shown as well as the pipe segment definitions (e.g., PS-26) used in the system fault tree. The SPC system is manually initiated and controlled.
[Figure 4.6.21-1. Simplified schematic of the SPC (RHR) system, with the SPC mode highlighted.]
The success criterion for the SPC system is injection of flow from any one pump / heat exchanger train to the suppression pool. For further Information, refer to success criteria discussions in Section 4.4. Most of the SPC system is located in the reactor building. Local access to the SPC system could be affected by either containment venting or containment failure. Room cooling failure fails the SPC pumps in ten hours. l 4.6.21.2 SPC Interfaces and Dependencies Each SPC pump is powered from a separate 4160 VAC bus with control and actuation power being supplied by a separate 125 VDC bus. All pumps require pump cooling. For further information on pump cooling, refer to Section 4.6.9.8. Each loop's normally closed suppression pool inlet valve receives motive power from one 480 VAC source. A simplified dependency diagram of the SPC system is provided by Figure 4.5.21-2. Shown are the major support needs of the SPC system as indicated by the solid diamonds. Many components of the SPC system are shared with the different modes of the RHR system. These commonalities are as follows: (1) the RHR pumps are common to the SPC, LPCI, CS, and SDC modes; (2) the suppression pool suction valve for each pump train is common to the SPC, LPCI, and CS modes; and (3) heat exchanger cooling is common to the CS, SDC, and SPC modes. SPC control circuitry is divided into two divisions. Division A is associated with control of components in Loop A, and Division B is associated with control of components in Loop B. The SPC mode is manually initiated. If an injection signal is generated subsequent to the initiation of the SPC system, the SPC system will automatically realign to the LPCI mode. Besides a time delay, a permissive indicating that the reactor water level is above the shroud (312 inches above vessel zero) must be present prior to aligning to the SPC mode. However, this permissive may be overridden by a switch in the control room. 
The SPC control circuitry is not common to the LPCI actuation and control circuitry but is shared with the CS mode. Reactor water level sensors are shared with the CS system.

Although the SPC system has no isolation signals, there are permissives which will prevent the operation of certain components. SPC pumps are demanded to stop or prevented from starting if the suppression pool suction valve or any of three SDC suction valves is not fully open.

Figure 4.6.21-2. Suppression Pool Cooling System Dependency Diagram.

4.6.21.3 SPC Test and Maintenance

The SPC surveillance requirements are the following: (1) pump operability--once/month, (2) MOV operability--once/month, (3) pump capacity test--once/three months, (4) simulated automatic actuation test--once/operating cycle, and (5) logic system functional test--once/six months.
4.6.21.4 SPC Technical Specifications

Technical specifications exist because of sharing of the SPC and LPCI modes of the RHR system. If any one LPCI pump is made or found to be inoperable for any reason, continued reactor operation is permissible for seven days provided that the remaining LPCI components and both loops of the LPCS system are operable. If this requirement cannot be met, the reactor is to be shut down.

4.6.21.5 SPC Logic Model

The SPC system was modeled using a fault tree for the removal of decay heat from the suppression pool. The major active components were modeled for the SPC system. The fault tree model representing the SPC system is presented in Appendix B.

Piping ruptures were considered to be negligible compared to other system failures. Only piping with a diameter of greater than or equal to one third of the main system piping was considered as a potential diversion path.

Three human errors were incorporated into the SPC fault tree model. These errors are failure of manual initiation, failure to override an erroneous shroud level permissive signal, and failure to properly restore key components following maintenance.

4.6.21.6 SPC Assumptions

(1) Positions of all manual and motor-operated valves are indicated in the control room. Failure of these valves after testing and maintenance due to incorrect positioning is therefore felt to be negligible. The injection valves receive open signals on a real demand. Thus, unavailability due to testing and failure to restore after testing is not important.

(2) During construction of the fault tree, it was necessary to determine which components could be taken OOS for maintenance. Maintenance would require components to be effectively removed from the system. Standard safety precautions of component isolation were used to decide which components could be taken OOS for maintenance while the plant was at power or normal operating pressure. The general guidelines used for component isolation were double blockage for high pressure piping or components and single blockage for low pressure piping or components.

(3) Pump isolation because of spurious signals is assumed to be negligible compared to other system faults.

(4) The SPC control circuitry was not modeled at a great level of detail. Only elements which were felt to be potentially important were included in the fault tree model. Except for the shroud water level permissive, high drywell pressure permissive, pump power permissive, and pump suction source relay, the hardware failures of relays and permissives are grouped into one term. The initiating signal sensors and their support systems were explicitly modeled since they are shared between various ESF systems.

(5) Based on a PECO response, the SPC pumps will fail because of insufficient NPSH once the suppression pool has reached saturated conditions.

(6) Diversion of flow to the containment spray line is felt to be negligible compared to other system failures.

(7) A suction path must be available from either the suppression pool or the SDC path to start an SPC pump.

(8) Failure of the suppression pool because of random failure or the plugging of all its strainers is assumed to be negligible compared to other system failures.

(9) The unavailability of the SPC pumps from testing does not defeat a real demand from operating the system. Therefore, it was not considered. Failure to restore the SPC pumps after testing does not apply.

(10) Pump room cooling is discussed in LPCI Section 4.6.14.6.

4.6.21.7 SPC Operating Experience

Nothing was peculiar in the operational history of the SPC system which would affect either system modeling or failure data.

4.6.22 Turbine Building Cooling Water System

4.6.22.1 TBCW Description

The function of the TBCW system is to provide cooling water to auxiliary plant equipment associated with the power conversion system.

The TBCW system is a closed loop system consisting of two full-capacity pumps, two full-capacity heat exchangers, one head tank, one chemical fuel tank and associated piping, valves and controls. A simplified schematic of the TBCW system is provided by Figure 4.6.22-1.

The TBCW system is normally running. One pump is required to supply cooling to all TBCW loads.
Figure 4.6.22-1. Turbine Building Cooling Water System Schematic.
The success criteria for TBCW is one of two pumps and either of the two heat exchangers operating. This will provide sufficient cooling to the TBCW loads.

The majority of the TBCW system, including the cooling water pumps, heat exchangers and associated piping, valves and controls, is located on the turbine building ground floor. The specific TBCW loads are distributed throughout different areas of the plant.

4.6.22.2 TBCW Interfaces and Dependencies

The TBCW system is not operated in the event of offsite power failure. Under loss of offsite power, the cooling water supply to the air compressor jackets and after coolers and the CRD pump lube oil coolers is maintained from the RBCW system.

In order to operate, the TBCW system must have offsite AC power and NSW for the ultimate heat sink (see Figure 4.6.22-2).

4.6.22.3 TBCW Test and Maintenance

The TBCW system has no special test and maintenance requirements.

4.6.22.4 TBCW Technical Specifications

The TBCW system has no specific technical specifications.

4.6.22.5 TBCW Logic Model

The TBCW system was modeled using a fault tree for the loss of cooling water to auxiliary plant equipment. The fault tree has been simplified to cover only the major active components, interfaces and dependencies, and human errors. The head tank, heat exchangers and chemical addition tank were not modeled since they are passive devices and their failure probabilities are not expected to dominate system failure.

One human error was incorporated into the TBCW fault tree model. That error was failure to restore the pump B train after maintenance.

4.6.22.6 TBCW Assumptions

(1) Only major active components and major dependencies were modeled since it was assumed that these dominate system failure.

4.6.22.7 TBCW Operating Experience

There was nothing peculiar in the operational history of the TBCW system which would affect system modeling.
Figure 4.6.22-2. TBCW System Dependency Diagram.
4.6.23 Reactor Protection System

4.6.23.1 RPS Description

The function of the RPS is to provide timely protection against the onset and consequences of conditions that threaten the integrities of the fuel barrier and the nuclear system process barrier (event tree nomenclature--C).

The RPS includes the motor-generator power supplies with associated control and indicating equipment, sensors, relays, bypass circuitry, and switches that cause rapid insertion of control rods (scram) to shut down the reactor.

4.6.23.2 RPS Interfaces and Dependencies

Power to each of the two reactor protection trip systems is supplied, via a separate bus, by high inertia AC motor-generator sets. Alternate power is available to either RPS bus from an electrical bus that can receive standby electrical power. The alternate power switch prevents simultaneously feeding both buses from the same source. DC power is supplied to the backup scram valve solenoids from the station batteries. Power is not needed to scram the reactor.

4.6.23.3 RPS Logic Models

The RPS was not modeled in any detail. RPS electrical failure and mechanical failure probabilities on demand were assigned values of 2E-5 and 1E-5, respectively (i.e., the system was simply treated as a data value).

4.6.23.4 RPS Operational Experience

Nothing was peculiar in the operational history of the RPS which would affect either system modeling or failure data.

4.6.24 Justification for Systems Not Modeled

All systems (front-line and their supports) that are important to providing core cooling or containment cooling functions were modeled. Other systems such as firewater, ECCS (keep-full systems), etc. which could provide cooling were not modeled since procedures don't exist to use them as reactor vessel injection sources or their flow rates are so small that it is uncertain if they would provide adequate cooling. These would be third or fourth order systems. In addition, the PCS/Feedwater system was not modeled but instead treated as a data value because of sufficient failure experience with this system.

4.6.25 System Analysis Nomenclature

A standard coding scheme was established to describe the basic events [2]. This consistency is necessary to assure that the dependencies and interfaces between the systems are properly accounted for when the individual system fault trees are merged with their support systems and the merged fault trees are linked together to perform the accident sequence quantification. In addition, the standard coding scheme provides the analyst or reviewer a traceability of the events from the cut sets resulting from the accident sequence quantification to the individual fault trees.

Each basic event is made up of a maximum of sixteen characters composed of four parts: a system identifier, an event or component type identifier, a failure mode code, and a unique event identifier. Each of these parts is separated by a dash for readability. The first three characters denote the system to which the basic event belongs or to which it is related. Table 4.6-2 contains a list of the system identifiers. The second three-letter code denotes the level of modeling corresponding to the basic event type. These event and component type identifiers are listed in Table 4.6-3. The third group consists of a two-letter code denoting the failure mode associated with the event (see Table 4.6-4). The final five characters are for an alphanumeric event descriptor. These are used to identify individual components according to their numbering on the system schematics, or to use any other designator that will readily identify the event.

Eighteen special events were identified using a modification of the above coding scheme. These were specific Common Cause Failures (CCF) which were broken into a basic event multiplied by a Beta-factor. In this way, importance measures and uncertainty analysis of the Beta-factor itself could also be performed. The basic event was denoted using the same scheme as described above except for the five-character unique event identifier, which was replaced with a CCF term. The Beta-factor term was described by a BETA followed by a unique component type descriptor. The Beta-factor values are from generic common cause data [2]. All eighteen special events are incorporated into Table 4.9-1.
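The coding scheme above can be checked mechanically before fault trees are merged, so that a mistyped name is rejected instead of being carried along as a different basic event. The Python sketch below is an added example, not part of the report: the function names are hypothetical, the lookup tables are short excerpts of Tables 4.6-2 to 4.6-4, and it assumes fields hold only uppercase letters and digits with an event identifier of one to five characters.

```python
import re
from typing import NamedTuple

# Excerpts of Tables 4.6-2, 4.6-3 and 4.6-4 (only the codes used below).
SYSTEMS = {
    "ACP": "AC Power System",
    "DCP": "DC Power System",
    "ESW": "Essential Service Water System",
    "HSW": "High Pressure Service Water System",
    "SPC": "Suppression Pool Cooling System",
}
COMPONENT_TYPES = {
    "AOV": "Air-Operated Valve",
    "MOV": "Motor-Operated Valve",
    "MDP": "Motor-Driven Pump",
    "DGN": "Diesel Generator",
    "BAT": "Battery",
    "CCF": "Common Cause Event",
}
FAILURE_MODES = {
    "CC": "Normally Closed, Fail Closed",
    "FS": "Fail to Start",
    "LF": "Loss of Flow, No Flow",
    "LP": "No Power, Loss of Power",
}

MAX_LEN = 16                       # "a maximum of sixteen characters"
ALNUM = re.compile(r"[A-Z0-9]+")   # assumption: uppercase letters and digits
BETA_TERM = re.compile(r"BETA-([A-Z0-9]+)")
# (label, minimum length, maximum length, lookup table or None)
FIELDS = (
    ("system identifier", 3, 3, SYSTEMS),
    ("component type", 3, 3, COMPONENT_TYPES),
    ("failure mode", 2, 2, FAILURE_MODES),
    ("event identifier", 1, 5, None),   # assumption: 1 to 5 characters
)


class BasicEvent(NamedTuple):
    system: str
    ctype: str
    mode: str
    ident: str

    def describe(self):
        """Spell out the coded fields using the excerpted tables."""
        return " / ".join((SYSTEMS[self.system], COMPONENT_TYPES[self.ctype],
                           FAILURE_MODES[self.mode], self.ident))


def parse_basic_event(name):
    """Split XXX-YYY-ZZ-NNNNN into its four parts, or raise ValueError."""
    if len(name) > MAX_LEN:
        raise ValueError(f"{name}: longer than {MAX_LEN} characters")
    parts = name.split("-")
    if len(parts) != len(FIELDS):
        raise ValueError(
            f"{name}: expected 4 dash-separated parts, found {len(parts)}")
    for value, (label, lo, hi, table) in zip(parts, FIELDS):
        if not lo <= len(value) <= hi or not ALNUM.fullmatch(value):
            raise ValueError(f"{name}: malformed {label} {value!r}")
        if table is not None and value not in table:
            raise ValueError(f"{name}: unknown {label} {value!r}")
    return BasicEvent(*parts)


def parse_ccf_product(expr):
    """Parse 'XXX-YYY-ZZ-CCF * BETA-<descriptor>' into (event, descriptor)."""
    left, star, right = (s.strip() for s in expr.partition("*"))
    if not star:
        raise ValueError(f"{expr}: no '*' between event and Beta-factor term")
    event = parse_basic_event(left)
    if event.ident != "CCF":
        raise ValueError(f"{expr}: event identifier must be the CCF term")
    match = BETA_TERM.fullmatch(right)
    if match is None:
        raise ValueError(f"{expr}: malformed Beta-factor term {right!r}")
    return event, match.group(1)


def check_names(names):
    """Return {name: reason} for every name that violates the scheme."""
    problems = {}
    for name in names:
        try:
            parse_basic_event(name)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems


# Constructed sample: two well-formed names and two mistyped variants
# (digit 0 in place of letter O, and a period in place of a dash).
SAMPLE_NAMES = ["DCP-CCF-LP-BAT", "HSW-MDP-FS-CCF",
                "ESW-A0V-CC-CCF", "ACP-DGN.LP-CCF"]

if __name__ == "__main__":
    print(parse_basic_event("ESW-CCF-LF-AOVS").describe())
    print(parse_ccf_product("ESW-AOV-CC-CCF * BETA-3AOVS"))
    for name, reason in check_names(SAMPLE_NAMES).items():
        print("REJECTED", reason)
```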
Table 4.6-2 System Identifiers

SYSTEM IDENTIFIER (XXX) | SYSTEM NAME |
---|---|
ACP | AC Power System |
ARF | Air Return Fan System |
ADS | Automatic Depressurization System |
AFW | Auxiliary Feedwater System or Emergency Feedwater System |
CPC | Charging Pump Cooling System |
CHP | Charging Pump System |
CVC | Chemical and Volume Control System |
CHW | Chilled Water System |
CSC | Closed Cycle Cooling System |
CCW | Component Cooling Water System |
CST | Condensate Storage Tank |
CDS | Condensate System |
CLS | Consequence Limiting Safeguards System |
CCU | Containment Atmosphere Cleanup |
CGC | Containment Combustible Gas Control |
CFC | Containment Emergency Fan Cooler System |
CIS | Containment Isolation System |
CSR | Containment Spray Recirculation System |
CSS | Containment Spray System |
CRD | Control Rod Drive System |
DCP | DC Power System |
DWS | Drywell (Wetwell) Spray Mode of RHR System |
EHV | Emergency Heating, Ventilation, and Air Conditioning System |
ESF | Engineered Safety Feature Actuation System |
ESW | Essential Service Water System |
FHS | Fuel Handling System |
HCI | High Pressure Coolant Injection System |
HCS | High Pressure Core Spray System |
HPR | High Pressure Recirculation System |
HPI | High Pressure Safety Injection System |
HSW | High Pressure Service Water System |
ICS | Ice Condenser System |
ISR | Inside Containment Spray Recirculation System |
IAS | Instrument Air System |
ISO | Isolation Condenser System |
LCI | Low Pressure Coolant Injection System |
LCS | Low Pressure Core Spray System |
LPR | Low Pressure Recirculation System |
LPI | Low Pressure Safety Injection System |
MCW | Main Circulating Water System (Main Condenser Cooling Water) |
MFW | Main Feedwater System |
MSS | Main Steam System |
NHV | Normal Heating, Ventilation, and Air Conditioning System |
NSW | Normal Service Water |
OEP | Onsite Electric Power System |
OSR | Outside Containment Spray Recirculation System |
PCS | Power Conversion System |
PCV | Primary Containment Venting |
PPS | Primary Pressure Relief System (PORV/SRV) |
RGW | Radioactive Gaseous Water System |
RLW | Radioactive Liquid Waste System |
RBC | Reactor Building Cooling Water System |
RCS | Reactor Coolant System |
RCI | Reactor Core Isolation Cooling System |
RPS | Reactor Protection System |
RMT | Recirculation Mode Transfer System |
RHR | Residual Heat Removal System |
SIS | Safety Injection Actuation System |
SWS | Service Water System |
SDC | Shutdown Cooling Mode of RHR |
SGT | Standby Gas Treatment System |
SLC | Standby Liquid Control System |
SPC | Suppression Pool Cooling System (or Suppression Pool Cooling Mode of the RHR System) |
SPM | Suppression Pool Makeup System |
TBC | Turbine Building Cooling Water System |
Table 4.6-3 Event and Component Type Identifiers

COMPONENT | IDENTIFIER (YYY) |
---|---|
Air Cooling Heat Exchanger | ACX |
Sensor/Transmitter Units: Flow | ASF |
Sensor/Transmitter Units: Level | ASL |
Sensor/Transmitter Units: Physical Position | ASD or ADS |
Sensor/Transmitter Units: Pressure | ASP |
Sensor/Transmitter Units: Radiation | ASR |
Sensor/Transmitter Units: Temperature | AST |
Sensor/Transmitter Units: Flux | ASX |
Circuit Breaker | CRB |
Calculational Unit | CAL |
Electrical Cable | CBL |
Signal Conditioner | CND |
Control Rods: Hydraulically-Driven | CRH |
Control Rods: Motor-Driven | CRM |
Ducting | DCT |
Motor-Driven Compressor | MDC |
Motor-Driven Fan | FAN |
Fuse | FUS |
Diesel Generator | DGN |
Hydrogen Recombiner Unit | HRU |
Heat Exchanger | HTX |
Inverter | INV |
Electrical Isolation Device | ISO |
Air Cleaning Unit | ACU |
Load/Relay Unit | LOD |
Logic Unit | LOG |
Local Power Supply | LPS |
Motor-Generator Unit | MGN |
Motor-Operated Damper | MOD |
Pumps: Engine-Driven | EDP |
Pumps: Motor-Driven | MDP |
Pumps: Turbine-Driven | TDP |
Pumps: Positive-Displacement | PDP |
Manual Control Switch | XSW |
Rectifier | REC |
Transfer Switch | TSU |
Transformer | TFM |
Tank | TNK |
Bistable Trip Unit | TXX |
Air Heating Unit | AHU |
Electrical Bus - DC | BDC |
Electrical Bus - AC | BAC |
Manual Damper | XDM |
Pneumatic/Hydraulic Damper | PND |
Battery | BAT |
Valves: Check Valve | CKV |
Valves: Hydraulic Valve | HDV |
Valves: Safety/Relief Valve | SRV |
Valves: Solenoid-Operated Valve | SOV |
Valves: Motor-Operated Valve | MOV |
Valves: Manual Valve | XVM |
Valves: Air-Operated Valve | AOV |
Valves: Testable Check Valve | TGV |
Valves: Explosive Valve | E P . |
Valves: Pressure Control Valve | PCV |
Filter | ALT |
Instrumentation and Control Circuit | ICC |
Strainer | STR |
Heater Element | HTR |
Pipe Segment | PSF |
Pipe Train | PTF |
Actuation Segment | ACS |
Actuation Train | ACT |
AC Electrical Train | TAC |
DC Electrical Train | TDC |
Operator Action | XHE |
Common Cause Event | CCF |
Miscellaneous Aggregation of Events | VFC |
Phenomenological Events | PHN |
System | SYS |
Performance (Signal Operating) | PER |
Power | PWR |
Table 4.6-4 Failure Mode Codes*

GROUP | FAILURE MODE | CODE (ZZ) |
---|---|---|
Valves, Contacts, Dampers | Fail to Transfer | FT |
Valves, Contacts, Dampers | Normally Open, Fail Open | OO |
Valves, Contacts, Dampers | Normally Open, Fail Closed (Position) | OC |
Valves, Contacts, Dampers | Normally Closed, Fail Open | CO |
Valves, Contacts, Dampers | Normally Closed, Fail Closed | CC |
Valves, Filters, Orifices, Nozzles | Plugged | PG |
Valves, Filters, Orifices, Nozzles | Leak | CB |
Pumps, Motors, Diesel, Turbines, Fans, Compressors | Fail to Start | FS |
Pumps, Motors, Diesel, Turbines, Fans, Compressors | Fail to Continue Running | FR |
Sensors, Signal Conditioners, Bistable | Fail High | HI |
Sensors, Signal Conditioners, Bistable | Fail Low | LO |
Sensors, Signal Conditioners, Bistable | No Output | NO |
Segments, Trains, and Miscellaneous Agglomerations | Loss of Flow, No Flow | LF or PF |
Segments, Trains, and Miscellaneous Agglomerations | Loss of Function | FC |
Segments, Trains, and Miscellaneous Agglomerations | Actuation Fails | FA |
Segments, Trains, and Miscellaneous Agglomerations | No Power, Loss of Power | LP |
Segments, Trains, and Miscellaneous Agglomerations | Failure (for miscellaneous fault agglomerations not based on segments or trains) | VF |
Segments, Trains, and Miscellaneous Agglomerations | Hardware | HW |
Battery, Bus, Transformer | No Power, Loss of Power | LP |
Battery, Bus, Transformer | Short | ST |
Battery, Bus, Transformer | Open | OP |
Tank, Pipes, Seals, Tubes | Leak | LK |
Tank, Pipes, Seals, Tubes | Rupture | RP |
Human Errors | Fail to Operate | FO |
Human Errors | Miscalibrate | MC |
Human Errors | Fail to Restore from Test or Maintenance | RE |
Normal Operations (unavailable due to planned activity) | Maintenance | MA |
Normal Operations (unavailable due to planned activity) | Test | TE |
Normal Operations (unavailable due to planned activity) | Test and Maintenance | TM |

* Grouping of failure modes by events or components are only suggestions. The failure mode listed may be used for any applicable event or component type.
4.7 Dependent Failure Analysis

The system failure models and analyses explicitly accounted for the various system dependencies such as the need for power, room cooling, etc. These dependencies can be a source of possible system interactions as well as representing a common cause failure potential for the accident mitigating systems. In addition, specific tasks were performed as part of this study to address particular subtle interactions as well as common cause failures among components based on available failure data. The following subsections address each of these tasks performed as part of a more comprehensive dependent failure analysis.

4.7.1 Scope of Dependent Failure Analysis

Several attempts have been made to develop categories of dependent failures. The major purpose of this categorization is to allow the risk analyst to select a method for performing the dependent failure analysis. In the Peach Bottom Probabilistic Risk Assessment (PRA), essentially three categories of dependent failures were examined and explicitly included in the event and fault tree models: direct functional dependencies, common cause and subtle (peculiar or unexpected) interactions.

Direct functional dependencies are those dependencies that are required for a system to perform its function. Generally these dependencies include:

(1) Initiator Dependencies -- This includes the effects of events which cause a plant transient and cause or increase the probability of mitigating system failure. An example in the Peach Bottom PRA is a loss of an emergency AC bus initiating event. All such initiators are identified and discussed in Section 4.3.

(2) Support System Dependencies -- Failure of a single system such as Emergency Service Water (ESW) can fail multiple front-line systems which it supports. Inclusion of appropriate support systems as failure modes of front-line systems is used to ensure such dependencies are properly accounted for. Support system dependencies are further discussed in Section 4.7.2.

(3) Shared-Equipment Dependencies -- Components utilized by multiple systems when failed can potentially fail multiple systems. It is essential that the analyst uniquely identify such components in the system fault trees. Common component failures are included in the fault trees described in Section 4.6.

Common cause failures are those failures that result in failure of "like" components because of factors such as common maintenance or common manufacture. These dependencies are discussed further in Section 4.7.3.
Subtle interactions, sometimes referred to as peculiar or unexpected interactions, are those physical interactions of the system with potential dependent failure mechanisms. They are called 'subtle interactions' because by their nature they can be easily overlooked in a PRA unless the analyst explicitly looks for them. Two methods were employed to account for these types of interactions. Review of (1) the system design and interfaces and (2) the Licensee Event Reports (LERs) and other plant data were used to identify any peculiar or unexpected interactions. An example of this type of interaction in the Peach Bottom PRA is tripping of the Reactor Core Isolation Cooling (RCIC) turbine by a high turbine exhaust pressure signal following failure of containment heat removal. Such dependencies are included in the event tree construction described in Section 4.4. Additionally, many of these types of failures have been found in past analyses. Each of these interactions was reviewed for applicability to Peach Bottom. Section 4.7.4 presents descriptions of identified subtle interactions and the resolution of each for Peach Bottom.

4.7.2 Treatment of Direct Functional Dependencies

Operation of the so-called front-line core and containment cooling systems (e.g., HPCI, LPCS, RHR...) is directly or indirectly dependent on certain support systems. Examples of direct dependencies include AC/DC power to pumps and valves, service water cooling for pump bearings and seals, and instrument air to valves and dampers. Indirect dependencies include, for example, room cooling via use of service water cooling and fans for room heat exchangers. By virtue of a delayed phenomenon, front-line system failure or isolation is ultimately postulated because of room heat-up effects. In addition, some support systems are dependent on yet other supports (e.g., service water needs power).
Presented in each systems analysis section under Section 4.6 are descriptions of each system dependency which is modeled, accompanied by a dependency diagram which pictorially describes the relationship of each dependency to the system being analyzed. These dependencies are explicitly handled in the fault tree models for each system.

4.7.3 Common Cause Failure Analysis

Residual dependent failures not already explicitly modeled, but for which some data exist, were handled as non-descriptive common cause failures based on a review of plant specific failures and generic failure information.

A review of Peach Bottom maintenance logs, "hi-spot" reports, and LERs was conducted to search for significant common cause events in the past five years of experience. No significant common cause failures were identified.

The fault tree for each system contains, where appropriate, common cause failure events. Such events (e.g., ESW-CCF-LF-AOVS) were modeled using the single event name in the fault tree but broken out into an independent failure term and a corresponding common cause factor for the dominant sequence cut sets. This was done so that the common cause factor uncertainty and importance measures could be calculated and examined separately. The choice of common cause events to be included was based on availability of estimates from an EPRI study [23] and other common cause failure analyses [37,38,39,40] for events involving 2 or more "like" component failures (e.g., common cause failure of four air-operated valves). Since the estimates are only readily available for common cause failures of "like" components within a system, common cause modeling across system boundaries was not included in the Peach Bottom analysis.

The equipment failure common cause events explicitly modeled in the system fault trees are listed in Table 4.7-1. For those events appearing in the dominant accident sequences, the corresponding break out of these terms into an independent failure term and an overall common cause factor was used. Note that human-related common events such as miscalibration of "like" sensors are covered under the human interface analysis (see Section 4.8).

Too few Peach Bottom failure data were available to quantify plant-specific common cause factors. Therefore, EPRI report NP-3967 [23] and other analyses [37,38,39,40] were used to quantify all common cause probabilities with the exception of common cause battery failure. The calculated values were taken as mean values assuming an error factor of 3. In each case, the number of actual events as well as potential events were considered using the methodology in References 37 through 40 to arrive at the data value for each event.

A battery failure common cause factor was determined utilizing the DC power study (NUREG-0666 [24]). That study suggests a worst case Beta factor of 0.4 for failure of a second battery given the first battery has failed. The first battery fails randomly at the probability assigned for a single battery failure. However, Peach Bottom's DC power system is better than the minimum system analyzed in the DC power study. Considering Peach Bottom's system, the report recommends a Beta factor of 0.4 x 0.02 or 8E-3 for the second battery. The estimate for additional coincident battery failures was arrived at assuming that the probability of common cause failure of each successive battery was half-way between unity and the common cause factor for the preceding battery (e.g., the common cause factor for the 3rd battery was (1.0 + 8E-3)/2 or approximately 0.5, resulting in an overall common cause factor of 8E-3 x 0.5 or 4E-3). This method is discussed in the dependent failure chapter of the NUREG/CR-4550 Methodology document [55]. Hence an overall failure rate for three batteries is determined by multiplying the random failure of the first battery times the factor, 4E-3. This approach was successively performed for the 4th battery, etc.

A summary of the common cause values used in this analysis is presented as part of the Data Section, 4.9.

4.7.4 Analysis of Subtle System Interactions

The first type of subtle interactions examined were 'peculiar' or 'unexpected' physical interactions or phenomenological dependencies. These are modeled by virtue of the event tree constructions. For example, HPCI success followed by containment cooling failure will ultimately lead to HPCI failure because of high suction water
Table 4.7-1 Peach Bottom Common Cause Events

EVENT NAME | BREAK OUT | DESCRIPTION |
---|---|---|
ACP-CCF-LP-DGS | ACP-DGN-LP-CCF * BETA-4DGNS | Common cause failure of all four diesel generators |
ADS-CCF-CC-ADSRV | ADS-AOV-CC-CCF * BETA-3SRVS | Common cause failure of at least three ADS valves to open |
ADS-CCF-CC-NADSV | ADS-AOV-CC-CCF * BETA-4SRVS | Common cause failure of at least four non-ADS safety relief valves to open |
ADS-CCF-LK-ACC | (not separated into two events; value based on engineering judgment) | Common cause failure of ADS accumulators (leakage) |
CSS-CCF-LF-MOVS | CSS-MOV-CC-CCF * BETA-2MOVS | Common cause failure of the two containment spray injection valves to open |
DCP-CCF-LP-BAT | DCP-BAT-LF-CCF * BETA-5BAT | Common cause failure of at least five batteries to supply sufficient power to their loads |
EHV-CCF-LF-AOVS | EHV-AOV-CC-CCF * BETA-6AOVS | Common cause failure of at least six ventilation dampers (for diesel room cooling) to open |
ESW-CCF-LF-AOVS | ESW-AOV-CC-CCF * BETA-3AOVS | Common cause failure of at least three emergency service water valves (to supply diesel jacket cooling) to open |
ESW-CCF-PF-MDPS | ESW-MDP-FS-CCF * BETA-2SWPS | Common cause failure of the two primary emergency service water pumps |
HSW-CCF-LF-MDPS | HSW-MDP-FS-CCF * BETA-4SWPS | Common cause failure of all four high pressure service water pumps |
HSW-CCF-LF-MOVS | HSW-MOV-CC-CCF * BETA-4MOVS | Common cause failure of all four high pressure service water valves (used for supply to RHR heat exchangers) to open |
LCI-CCF-LF-MOVS | LCI-MOV-CC-CCF * BETA-2MOVS | Common cause failure of the two LPCI injection valves to open |
LCS-CCF-LF-MOVS | LCS-MOV-CC-CCF * BETA-2MOVS | Common cause failure of the two LPCS injection valves to open |
LCS-CCF-PF-MDPS | LCS-MDP-FS-CCF * BETA-3RHRMDPS | Common cause failure of at least three LPCS pumps |
RHR-CCF-PF-MDPS | RHR-MDP-FS-CCF * BETA-4RHRMDPS | Common cause failure of all four RHR (also used for LPCI) pumps |
SLC-CCF-PF-MDPS | SLC-MDP-FS-CCF * BETA-2SIPUMPS | Common cause failure of both standby liquid pumps |
SPC-CCF-LF-MOVS | SPC-MOV-CC-CCF * BETA-2MOVS | Common cause failure of the two suppression pool cooling valves to open |
temperature if the suppression pool is being used for suction. Elence other systems must then be used to prevent core damage. Such a dependency is explicitly covered by the event tree construction which requires success of such systems as Condensate, CRD, etc. following success of 11PCI but failure of RIIR (all modes) . Further information on such dependencies is covered in each event tree writeup (See Section 4.4) where appropriate. Past PRAs and actual events are available information sottrces for identifying particularly subtle failures which an analyst might normally overlook. As part of this effort, other knowledgeable experts in analyzing power plant safety were asked to identify subtle system interactions which they were aware of and which could cause mitigating system failures [21,22]. To the extent possible, recognizing resource and priority constraints, these interactions were to be reviewed for applicability to the Peach Bottom analysis. Any found to apply were appropriately accounted for in the analysis. The remainder of this section summarizes the Boiling Water Reactor (BWR)-related subtle interactions identified and their corresponding resolutions by the Peach Bottom analysts. Air binditm of cooling water systems The failure or partial failure of cooling water systems has occurred because of air binding caused by leaks in a load being cooled. Plant air compressors usually are cooled by some cooling water system. Air inleakage into the cooling water system can cause failure of multiple systems because of air binding and loss of cooling. l The two most critical service water systems (Emergency Service Water, ESW, and liigh Pressure Service Water, liPSW) do not directly interface with air systems. Review of the Peach Bottom licensee event reports and maintenance records did not reveal problems in this area. Ilence this does not seem to be significant at Peach Bottom and so is not explicitly modeled. (See Item #1 of Reference 21.) 
Steam-line break isolation circuitry

Steam-driven systems usually have isolation circuitry to protect against steam-line breaks. This circuitry uses temperature readings as an indication of a line break and may include all locations containing the steam piping. Therefore, when assessing the need for room cooling, the cooling requirements of areas where temperature measurements are taken must be examined.

Failure modeling in the Peach Bottom system fault trees for High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) has accounted for this potential interaction. (See Item #2 of Reference 21.)

Passive component failures

This type of interaction involves component failure modes that might not otherwise be modeled (e.g., valve failure because of stem/disc separation, pipe breakage, blockage). These failures should be added to the models particularly where the impact of failure affects multiple trains of equipment. Additionally, these events can be potential initiators.

These were considered particularly wherever they might cause a disruption in normal plant operation and degrade mitigating systems. One source as a possible initiator (pipe break in the Normal Service Water (NSW) line near the Emergency Service Water (ESW) interface) is discussed in Section 4.3 but deemed insignificant. In other areas where passive failures (such as valve disk separation) were deemed as potential significant contributors, the failures were explicitly modeled in the system fault trees. (See Item #3 of Reference 21.)

Isolation of nonessential cooling water loads

This failure mode occurs when nonessential headers of important cooling systems are not isolated. Because such a failure can result in inadequate cooling of the essential loads, care should be taken when determining the impact of potential diversion paths from support cooling systems.

Diversion paths were considered for all systems, including cooling water systems. Possible significant ones are explicitly modeled in the fault trees. (See Item #4 of Reference 21.)

Cross-tied pumps' discharge check valve failures

This type of failure occurs when the discharge check valve in one train of a two-train, cross-tied system fails open. Various problems can result from this interaction, including functional failure of the system because of backflow, inability to actuate an idle pump because of the stuck-open valve, or system rupture from attempted actuation of an idle pump with a stuck-open valve.

Five years of plant data on major important systems reviewed for failure data did not mention problems of this type.
Two areas in the ESW system were explicitly modeled (available test procedures were obtained) for this failure mode because of the possibility of occurrence and the fact that ESW failure could potentially affect so many other systems. (See Item #5 of Reference 21.)

Failures following station blackout

The treatment of the failure mode of reactor pump seals and battery depletion during a station blackout has varied among past PRAs and can be plant specific. Both failures can adversely affect the capability to cool the plant.

Seal loss of coolant accidents (LOCA) are not too significant for Boiling Water Reactors (BWRs) because of HPCI and RCIC capabilities. Battery depletion was considered and a nominal 12 hour time was used based on Philadelphia Electric Company input and internal expert opinion analysis. Uncertainty in the battery depletion time was explicitly factored into the uncertainty analysis. (See Item #6 of Reference 21.)

Dependent events based on operating experience

There have been a number of recent activities to better scope out the problem of dependent and common cause events. Probably the best current collection of actual events that are in the nuclear data base are compiled in EPRI NP-3967 [23]. While there is considerable controversy on how to account for common cause events, the report clearly demonstrates the inaccuracy of models that do not specifically treat common cause events. While it has been a frequent criticism that quantification of these events leads to numbers but not indication of how to improve plants, a review of the events in EPRI NP-3967 will demonstrate that causes are known for a large percentage of these events.

A review of Peach Bottom maintenance logs and post-trip analysis reports since 1980 indicated that insufficient data exists to determine whether any actual common cause failures have occurred. However, potential common cause failures were included in the system models for the types of components listed in EPRI NP-3967. (See Item #7 of Reference 21.)

Main feedwater availability

The unavailability of main feedwater after a plant reactor trip is highly plant-specific. The consequences of this interaction will vary depending on whether the loss is total or partial and the potential for recovery.

With a recent change to a Level 1 trip for closure of Main Steam Isolation Valves (MSIVs), little experience exists at Peach Bottom. Many initiators will cause MSIV closure and hence loss of feedwater (turbine pumps).
A conservative analysis was performed for Peach Bottom in which feedwater and condensate were assumed initially lost for most initiators. (See Item #8 of Reference 21.)

Turbine-driven pump failure by overfill

This interaction specifically involves failure of a turbine-driven pump because of steam generator or reactor vessel (for BWRs) overfilling. The loss of a turbine-driven pump can be immediate or delayed (i.e., water carryover through the steam lines to the turbine can lead to a sequence involving successful initial response followed by a later loss of the turbine-driven pump); therefore, its impact/consequence will vary depending on the timeframe of the loss.
HPCI and RCIC were modeled for this potential failure mode. In most cases, such an event would be prevented by high level trips of these systems. Feedwater, also turbine driven, was already conservatively assumed lost for most sequences. (See Item #12 of Reference 21.)

DG load sequence problem

The diesel generator load sequence system is a circuit designed to strip off non-essential loads from the diesel generators following loss of offsite power (LOSP). The design of such a circuit usually involves redundant means to strip all loads following a LOSP. However, such circuits may not always contain redundant means for subsequently reloading essential loads. In such a case failure of the load sequencing circuit could potentially result in common cause failure of multiple systems following a LOSP.

Peach Bottom uses individual time delay relays for the sequencing of most safety loads. Thus the potential for common cause failure of load sequencing was deemed quite low. The problem described here did not appear to be appropriate for consideration for Peach Bottom. (See Item #1 of Reference 22.)

Sneak circuits

The RCIC system at one Boiling Water Reactor was found to contain a sneak circuit which could result in an unintended isolation of the RCIC pump. This could occur during a loss of offsite power and subsequent energization of the RCIC steam leak detection circuit. Three subtle design aspects lead to the occurrence of this failure mode: (1) the RCIC system contains a steam leak detection isolation circuit, (2) the isolation circuitry is deenergized given a loss of offsite power (i.e., the circuitry is not fed by a non-interruptible battery-backed vital AC power supply), and (3) the isolation circuit contains a seal-in circuit.

The problem requires that some isolation-related control circuitry for HPCI/RCIC be AC powered. All such circuitry at Peach Bottom is DC powered and hence the problem does not exist at Peach Bottom. (See Item #2 of Reference 22.)
Bus switching problems

Two subtle aspects concerning bus switching have been identified at one power plant: (1) a safety-related DC power supply is also being used to perform a bus switching operation in the switchyard and safety-related loads are normally powered from the unit transformer rather than from offsite power, and (2) a safety-related AC bus does not have a diesel directly powering it; it must rely on diesel power from another bus via a breaker which only closes given a loss of offsite power.
Resources did not permit a detailed review of bus switching at Peach Bottom. The analysis methodology called for "simple" modeling of the onsite bus arrangement. Since there are not similar bus-to-bus cross feeds in normal use at Peach Bottom and since a diesel exists on all four division safety 4160V buses, the problem did not appear important for Peach Bottom. (See Item #3 of Reference 22.)
Normal operating configuration

This interaction involves the differences between the plant operations documentation (e.g., Piping and Instrumentation Diagrams, P&IDs) and the actual operating practices and configurations. For example: (1) the P&ID may show valves as normally closed which, during plant operation, are actually open; or (2) the P&ID indicates a room containing the high-pressure injection pumps with two room coolers, each receiving power and cooling water from different divisions when, in actuality, only one cooler is operating during normal plant operations and the procedures relating to these coolers do not prohibit the operator from providing power and water to the cooler from two different divisions. Therefore, application of only the plant documentation could give erroneous results in the event analyses and quantification.

For the Peach Bottom study, the normal operating configurations and practices for all systems modeled were verified to the extent possible by plant visits and personnel interviews. All system fault tree models reflect the information obtained from these visits and interviews, thereby ensuring the most accurate representation of actual plant operating conditions, configuration, procedures, and practices. (See Item #4 of Reference 22.)

Room cooling

Several aspects concerning pump room cooling must be considered in a PRA systems analysis. First, a given plant's design may be such that, given loss of room cooling, the maximum room temperature remains below the temperature for which a pump and its control circuits are qualified. A system analyst may, therefore, conclude that the room cooling for the pump is not required. However, in some cases, a room temperature signal is used to trip the pump. The potential for reaching this temperature given loss of the room cooler should be examined. Second, pump room coolers are often standby systems that actuate only upon actuation of the pump through a slave relay or by a thermostat.
In either case, test procedures should be such that all of the actuation circuit is verified to function properly. Finally, credit for opening pump room doors for cooling the room given failure of the room cooler should only be taken after considering administrative controls and technical specifications which may prohibit such action.

Peach Bottom predominantly uses slave relay type circuits and high room temperature trips of HPCI/RCIC because of the use of steam-line break detection thermocouples in the turbine rooms. There are typically numerous ways to detect loss of room cooling: steam line break detection circuitry, cooling trouble alarms, separate fire detection circuitry, etc. The probability of failure of all indications seems small. Isolation and even failure of systems caused by high temperatures in rooms was considered for systems where appropriate (see individual systems analysis sections of this report). While it may be possible for plant staff to recover room cooling failures (such as opening doors to critical areas normally locked), credit was not given for such recovery due to the uncertainty as to whether or not such actions would successfully restore adequate cooling (some rooms represent closed-in, static areas where adequate flow is uncertain). (See Items #5, #6, #7 of Reference 22.)
Voltage droop

Not all LOSP events occur instantaneously. There have been events in which it took several minutes for the grid to degrade to the point at which offsite power was totally lost. During these several minutes, the grid voltage or frequency "dropped" out of tolerance causing the potential for breakers to open or fuses to blow on equipment normally powered from the grid. Particularly for the fuses, replacements need to be found before the equipment can be returned to service.
We did not rigorously pursue this issue. Effects of voltage droops and/or surges are subject to much uncertainty and speculation. In addition, nearly all of the systems analyzed in this study are normally in standby mode; therefore, their breakers should not be affected and fuses should remain intact. Balance-of-plant loads are normally powered by the unit generator and are not immediately affected by a grid voltage droop. There are also redundant means of separating the plant from the grid when the voltage and frequency are out of tolerance. Experience at Peach Bottom (no total losses of offsite power) makes this less important as well. Therefore, this interaction was not considered further. (See Item #8 of Reference 22.)

Terminal blocks in containment

A terminal block is located in an electrical junction box and is used to connect wire ends within a circuit. Many types of terminal blocks may not perform adequately in a steam environment. Instrument errors can occur in circuits that contain terminal blocks when exposed to a high temperature (>10000) saturated steam environment. Such instrumentation failures can potentially prevent ECCS actuation following loss of coolant accidents.
Virtually all electrical portions of safety equipment are outside containment in BWRs. However, safety relief valve circuits do contain terminal blocks within containment. These and the possibility of terminal blocks for other systems being in the reactor building were considered in the analysis and treated as possible failure modes of the systems they serve. The redundancy of equipment and the fact that expected leakage currents are relatively small compared with the normal current flow of the concerned circuits made this issue unimportant. (See Item #9 of Reference 22.)

Alternate core cooling systems

There are methods of core cooling available, which although not preferred and not necessarily safety grade, could possibly be used in emergency situations. Some examples of such methods include:

o use of service water to supply makeup to the reactor,
o aligning a fire water pump to supply makeup to the reactor,
o increasing control rod drive injection system flow,
o aligning the boron injection pumps from a large water source.

In order to qualify as an alternate core cooling method during a transient (with scram) condition, several criteria are essential:

(1) Procedures must call out these systems and adequately describe their use (it is additionally useful if there is appropriate training on use of the systems and if procedures define the time order in which each system implementation should be attempted).
(2) The ability to deliver a flow rate of at least 200 gpm to the reactor must exist.
(3) The time required to establish flow from these systems must not be too long.

Appropriate systems, particularly the Control Rod Drive (CRD) and HPSW, are considered in the Peach Bottom analysis as alternate core cooling systems. (See Item #11 of Reference 22.)

Level instrument error caused by high containment temperatures

Level instruments could read high upon flashing of the reference legs when containment temperatures are high and the primary system is being depressurized.
Peach Bottom operators are very aware of this potential problem. The Emergency Procedure Guidelines (EPGs) call for maintaining primary pressure >80 psi above containment pressure so as to avoid this problem. As a further back-up, EPGs call for reflooding of reference legs if anomalies develop (there are ways to do this). Discussions with Oak Ridge National Laboratory personnel further substantiate that this is not a serious problem and will, at worst, only cause momentary anomalies if the vessel is rapidly depressurized (such as in a large LOCA). Everything considered, this did not seem to be significant at Peach Bottom. (Verbal concern raised at a quality assurance meeting.)

4.8 Human Reliability Analyses
This section contains a summary of the human interface analyses performed for the Peach Bottom study. Details of the study can be found in Appendix C.

4.8.1 Summary of Methodology and Scope

Only one type of human action error was analyzed in this study--errors of omission (e.g., failure to diagnose, miscalibration, failure to operate a system . . .). Errors of commission were considered outside the scope of this analysis. The human actions analyzed were divided into three categories: (1) pre-accident human actions such as component misalignment after test, (2) post-accident human actions such as failing to start a system for Loss of Coolant Accidents (LOCAs) and regular transients, and (3) post-accident human actions of Anticipated Transient Without Scram (ATWS) accident sequences. In the Peach Bottom analysis the post-accident human actions include any human action that occurs after the accident has started (i.e., from the time of the initiating event).

With few exceptions, only those actions specified in the plant procedures were considered. System failures caused by hardware faults and maintenance outages were considered to be nonrecoverable. Additionally, only one human action event was allowed (per cut set) unless the actions could be judged to be independent.

The Human Error Probabilities (HEPs) evaluated for the pre-accident human errors and the post-accident human errors for LOCAs and regular transients are nominal values based on a simplification of the THERP method. This simplified method is documented as the "Accident Sequence Evaluation Program (ASEP) Human Reliability Analysis (HRA) Procedure" [25]. However, there were several human action errors that were not evaluated using the ASEP HRA procedure. These actions (or failure to perform) were estimated using the ASEP generic data base [2] and the specific analysis performed for offsite power recovery [26]. These include all human action errors regarding recovery of electrical faults and the Power Conversion System. These are explicitly noted in Section 4.8.2. Additionally, for the ATWS post-accident human actions a detailed HRA was performed by Brookhaven National Laboratory (BNL) specialists and described in detail in Section 4.8.5.

4.8.2 Human Actions Analyzed

The specific human actions analyzed in this study were identified either in the system failure models, by examining failures in the cut sets, or in the event trees. The system descriptions (see Section 4.6) summarize the human actions that were modeled as part of the system fault trees. These include all the pre-accident human errors such as misalignment after test and some of the post-accident human errors such as failure to back up auto start failure, system realignment failures, and manual start failure. In addition, other human action errors were analyzed. These included those actions the operators could successfully perform to mitigate the ongoing accident and prevent core damage or containment failure if taken in time and were identified in either the event trees or by examining the individual cut sets.

In all cases, evaluation of the specific HEPs was such that individual events were given values of 1E-3 or higher unless justification could be provided for using a lower value. Similarly, 1E-4 was used as a cut-off for multiple, dependent events unless justification could also be provided to support a lower value. The analyses of the human actions are discussed in the following sections.

4.8.3 Analysis of Pre-Accident Errors

Pre-accident human errors were considered where appropriate, for all the systems analyzed in the Peach Bottom analysis. Pre-accident failures include all human action errors prior to the start of the accident: (1) failure to restore a component or system following either scheduled or unscheduled maintenance, (2) failure of a component or system because of miscalibration errors, (3) failure to restore a component or system following testing, or (4) other miscellaneous plant specific actions.

Each system was analyzed to identify components that might require maintenance while the plant is at power or may have been maintained while the plant was down; manual valves were assumed to be maintained infrequently and were not considered. For each component identified, the evaluation of the operator failing to perform the required task (i.e., restore) was performed in three steps. The first step (1) identified all activities (i.e., closing valves to isolate the component, pulling pump breakers, etc.) associated with performing each task (i.e., failure to restore pump after maintenance) and (2) determined dependence between the activities. Based on the activities, the next step involved identifying any potential for catching any errors made (e.g., written checks per shift on component status) for each task. The third step incorporated the results of the first two steps and evaluated the HEPs.
Systems that need to be realigned after testing were identified and a failure to restore the system to its proper alignment was modeled following the same three steps for failure to restore after maintenance.

Sensors were analyzed for potential miscalibration errors. The sensors were grouped as to their type and location; for example, all condensate storage tank low level sensors were put in one group and all high drywell pressure sensors were put in another group. A separate miscalibration error was assigned to each group. The miscalibration analysis was also performed in three steps: (1) identification of the calibration activities, (2) identification of any potential to recover mistakes, and (3) computation of the HEP.

All failure to restore probabilities were calculated using the methodology presented in Reference 25. Table 4.8-1 lists the pre-accident failures used in this study. The detailed derivation of the probability of each pre-accident failure is presented in Appendix C.

4.8.4 Analysis of Post-Accident Errors (non-ATWS)

Post-accident human errors are those operator actions performed by the operator after the accident has started. With few exceptions, only those actions specifically addressed in the plant procedures are credited and evaluated. These include such actions as manually initiating a system, aligning and actuating a system for injection, recovering a failed system, etc. This section only discusses those actions involving LOCAs and regular transients (i.e., non-ATWS transients). If a single post-accident HRA value was less than 10^-3 or multiple HRA events were less than 10^-4, the HRA value was re-evaluated. This added further assurance that unrealistically low values were not used.

Post-accident human errors were identified in two steps: (1) system models and (2) sequence cut sets. When developing the system models, any post-accident operator action required for the system to successfully function when demanded was identified and added directly to the system model. This process only identified the action or task (e.g., manually align CRD for full flow) and did not identify the individual activities required in order to accomplish the task. These activities are identified as part of the task action (task evaluation) and discussed later. The post-accident human errors considered in the Systems Analysis task were generally those actions performed by the operator for the system to properly function:

o Manual operation of any components,
o Manual initiation as backup to auto-initiation.

By identifying human action errors in the systems models, the potential for more than one human action event to appear in a cut set existed when linking the system models to form the accident sequence. This occurrence presents a problem when the actions are dependent. Only independent human actions can be multiplied together if the dependence among the actions is not considered.

Since the failures (which dictate the conditions under which the operator is working) are identified in the sequence cut sets, it is impossible to evaluate the HEPs for post-accident human errors at the system model level. Therefore, these actions were assigned a screening value, generally 0.5, in the initial quantification step. Only the screening values were used unless the human failures were important (i.e., appeared in a dominant accident sequence). In this latter case, if a cut set appeared with one or more of these actions, the appropriate post-accident human error was assigned depending on whether the actions were dependent or independent, considering the sequence timing and specific failures that had occurred. The cut set was also evaluated for any additional recovery credit. For example, the following cut set would be examined for any terms that are post-accident failures:

IE-T1 * DCP-INV-LP 24C * ESW-CKV-CB-CV514 * ESF-XHE-FO-HCILV * ESF-XHE-FO-RCILV * LOSPNR150 MIN

The terms with '...-XHE ...' are post-accident failures. These terms are failures of the operator to manually control the operation of high pressure coolant injection and the reactor core isolation cooling systems. A Level 8 protective trip for these systems has failed because of the indicated 24 VDC failure. Since these two actions are highly dependent and essentially considered as one action, the two XHE terms were evaluated as one activity. That is, the operator is likely to either notice the Level 8 trip failure and control both systems, or he does not control either system. As a result, the human action error probability was evaluated as one event, its probability determined and then that probability was equally distributed to the two XHE terms such that the collective probability of ESF-XHE-FO-HCILV*ESF-XHE-FO-RCILV was equal to the correct value.

In this example, an additional recovery term involving the restoration of power (LOSPNR150 MIN) was added to the original cut set. In this case, since the initiating event (IE-T1) is a loss of offsite power, it was judged that activities associated with recovering AC power are independent of the Level 8 issue and hence the independent recovery action could be applied. This basic approach was followed in evaluating each cut set for potential recovery.

The majority of the HEPs for each recovery action were derived using the general HRA methodology outlined in Reference 25 which involved the following general steps:

(1) Identification of the sequence and subsequent accident conditions.
(2) Based on the cut set (and sequence), the timing of the events (i.e., occurrences, failures, alarms, indications, etc.) was established.
(3) Based on the cut set (and sequence), the symptoms and therefore the possible recovery actions (and required activities) were identified.
(4) The time available to the operator to diagnose and perform the action (and activities) was established.
(5) The probability of the operator failing to properly diagnose the accident was determined. This considered such things as operator training, simulator exercises, etc.
(6) The type of recovery action (whether 'dynamic' or 'step-by-step') was determined considering such things as the plant using symptom oriented procedures, operator training, etc.
(7) The stress-level of the operator was determined considering such things as time available, difficulty of the action, training, number and timing of equipment failures, etc.
(8) The probability of the operator failing to perform the recovery action was evaluated.

The exceptions to this procedure are: (1) the recovery of electrical faults (e.g., the recovery of diesel generator hardware faults, DGHWNR3HR), (2) the recovery of the PCS (e.g., PCSNR13HR), and (3) the recovery of offsite power (e.g., LOSPNR12HR). The electrical fault and PCS recovery values came from the ASEP generic data base [2], and the recovery of offsite power was provided by Reference 26.

Table 4.8-2 lists the post-accident events analyzed for Peach Bottom for LOCAs and transients. Appendix C contains the detailed analysis of these post-accident human actions.

4.8.5 Analysis of ATWS Post-Accident Errors

The post-accident human errors for ATWS sequences were identified and evaluated in a manner similar to that discussed for the LOCAs and transients, including the re-evaluation on the 10^-3 and 10^-4 HRA values which check for unrealistically low values. Personnel from Brookhaven National Laboratory (BNL) performed a detailed HRA regarding the operational activities associated with postulated ATWS accident sequences at Peach Bottom, Unit 2.

Visits by BNL personnel and the Peach Bottom analysis team were made to the Peach Bottom Atomic Power Station and the Limerick training simulator (used by Peach Bottom operators for training) for the purpose of acquiring plant-specific information on (1) training, (2) procedures, (3) human engineering, and (4) experience and education levels of the operations crew. Interviews were conducted with training instructors and reactor operators. A detailed task analysis was performed based on consideration of staffing, team interaction, and control room layout at Peach Bottom.

ATWS scenarios developed by Oak Ridge National Laboratory, Idaho National Engineering Laboratory, and General Electric were reviewed [30,31,32,33,34]. Thermal-hydraulic runs performed for various ATWS scenarios to determine the success criteria were included.

In the original analysis for Peach Bottom, the systems analysts provided the Brookhaven HRA analysts with an ATWS event tree (Case B in that analysis) which identified five major operator tasks that needed to be quantified. These were:

- Initiate Standby Liquid Control (SLC)
- Inhibit the Automatic Depressurization System (ADS)
- Control of Water Level Near the Top of the Active Fuel at High Pressure
- Manual Depressurization of the Reactor
- Control of Water Level Near the Top of the Active Fuel at Low Pressure
In addition, estimates were made for the following two events:

- Manual Scram
- Manual Rod Insertion

Preconditions for each of the above tasks differ as a result of the success or failure of previous tasks and safety systems. Each set of preconditions and relevant performance shaping factors were considered when the human error probabilities were assigned for the above events for each branch point on the ATWS event tree. These branch points were quantified using procedures which included a review of other PRAs and subjective judgment methods based on the structured assessment of performance shaping factors and the use of a time-reliability correlation. Because of the extensive nature of that analysis, the reader is referred to Reference 29 for details of that effort.

In the reanalysis phase of this project, the ATWS event tree was simplified considerably. This was done on the basis of improvements in the understanding of ATWS scenarios (with focus on only the most important phenomena and human actions) and as a result of comments received after the original analysis. As a result, the two previous assessments involving the "Control of Water Level" were no longer required, and the "Manual Rod Insertion" term did not have to be evaluated since this event only appeared in already non-dominant (<1E-8/year) accident sequences. The other events were used in the reanalysis with their original values as assessed in the first analysis, since the appropriate preconditions and performance shaping factors still applied.

Table 4.8-3 summarizes the most critical human events in the reanalysis and the corresponding conditions and factors that most affected the ultimate value for each human error. The median value shown is taken from the BNL analysis. The mean value was calculated using the uncertainty values provided in the BNL analysis.

4.8.6 Analysis of Innovative Long-Term Recovery Actions

There were no innovative long-term recovery actions applied in the analysis.

4.8.7 HRA Nomenclature

The three types of human actions in the Peach Bottom study are depicted in several forms as follows:

Pre-Accident Human Actions -- There were two types of actions modeled: (1) failure of the operator to restore and (2) miscalibration of equipment by the operator which is a common cause failure. These were designated in the analysis, respectively, as follows:
AAA-BBB-RE-CCCCC
    AAA   = System Identifier
    BBB   = Event or Component Identifier
    RE    = Failure to Restore
    CCCCC = Unique Event Identifier

AAA-XHE-MC-CCCCC
    AAA   = System Identifier
    XHE   = Common Cause Failure or Human Error
    MC    = Miscalibration Failure
    CCCCC = Unique Event Identifier

Post-Accident LOCA and Transient Human Actions -- These were modeled in two manners: (1) those actions (events) modeled explicitly in the fault trees and (2) those actions (events) added directly to the cut sets as a recovery action. These were designated in the analysis, respectively, as follows:

AAA-XHE-FO-CCCCC
    AAA   = System Designator
    XHE   = Human Error
    FO    = Failure to Operate
    CCCCC = Unique Event Identifier

AAAA-NR-ZZZZ
    AAAA = Equipment and Failure Mode Being Recovered
    NR   = Action Not Recovered
    ZZZZ = Time Period Identifier

Post-Accident ATWS Human Actions -- These were modeled in two manners: (1) those actions (events) modeled explicitly in the fault trees and (2) those actions (events) modeled explicitly in the event trees. These were designated in the analysis, respectively, as follows:

AAA-XHE-FO-CCCCC
    AAA   = System Designator
    XHE   = Human Error
    FO    = Failure to Operate
    CCCCC = Unique Event Identifier

FFF
    FFF = Human Action Event Identifier
Two exceptions are noted to the above coding schemes. These include ADS-IDG-HW-INHIB and RAXV503NC, which used a different nomenclature and are defined in Tables 4.8-1 and 4.8-2, respectively. The specific coding used for each human action modeled in the analysis is presented in those two tables, with the exception of those events coded in the ATWS event tree (as top events). Section 4.4 depicts the coding used for the ATWS event tree headings.
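The coding schemes above can be checked mechanically when reviewing a list of basic events or cut-set terms. The following classifier is an added example, not part of the original report; the field-length rule and the sample identifiers other than the two named exceptions are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The two identifiers the report names as exceptions to the coding schemes.
EXCEPTIONS = {"ADS-IDG-HW-INHIB", "RAXV503NC"}

# Assumption: each field is a run of upper-case letters or digits. The report
# shows the field positions (AAA, CCCCC, ...) but does not fix their lengths.
FIELD = r"[A-Z0-9]+"
FOUR_FIELD = re.compile(rf"({FIELD})-({FIELD})-({FIELD})-({FIELD})")
RECOVERY = re.compile(rf"({FIELD})-NR-({FIELD})")


def classify(event_id):
    """Return a dict saying which coding scheme an identifier follows."""
    ident = event_id.strip().upper()
    if ident in EXCEPTIONS:
        return {"id": ident, "kind": "exception"}

    # AAAA-NR-ZZZZ: recovery action added directly to the cut sets.
    m = RECOVERY.fullmatch(ident)
    if m:
        return {"id": ident, "kind": "not-recovered",
                "equipment_and_failure_mode": m.group(1),
                "time_period": m.group(2)}

    m = FOUR_FIELD.fullmatch(ident)
    if m:
        system, second, code, unique = m.groups()
        if second == "XHE" and code == "MC":
            kind = "miscalibration"          # pre-accident, common cause
        elif second == "XHE" and code == "FO":
            # Same form for LOCA/transient and ATWS fault-tree events;
            # the identifier alone does not say which.
            kind = "failure-to-operate"
        elif code == "RE":
            kind = "failure-to-restore"      # pre-accident
        else:
            kind = None
        if kind:
            return {"id": ident, "kind": kind, "system": system,
                    "event_or_component": second, "unique": unique}

    # ATWS event-tree headings (FFF) have no internal structure, so they
    # land here and must be matched against the event tree's heading list.
    return {"id": ident, "kind": "unrecognized"}


def tally(event_ids):
    """Count identifiers per scheme, e.g. to audit a cut-set listing."""
    return Counter(classify(e)["kind"] for e in event_ids)


# Constructed sample identifiers (only the two exceptions come from the report).
SAMPLE_IDS = [
    "SYS-PMP-RE-00001", "SYS-XHE-MC-00002", "SYS-XHE-FO-00003",
    "EQPT-NR-4HR", "ADS-IDG-HW-INHIB", "RAXV503NC",
    "FFF", "SYS-XHE-ZZ-00004",
]

if __name__ == "__main__":
    for ident in SAMPLE_IDS:
        print(classify(ident))
    print(dict(tally(SAMPLE_IDS)))
```
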
[Table 4.8-1 (multiple pages): coding and description of the human actions modeled in the analysis. The table body is not recoverable from the scanned source.]
[Table 4.8-2 (multiple pages): coding and description of the human actions modeled in the analysis. The table body is not recoverable from the scanned source.]
Table 4.8-3
Most Important ATWS Human Errors from the BNL Analysis

Human Error Event Description | Conditions/Factors | Median/Mean Probability |
---|---|---|
Manual Scram | -- | <1E-4/<3E-4 |
Initiate SLC | Mechanical failure of control rods; at least 4 minutes available; no reluctance | 0.005/0.02 |
Inhibit ADS | Mechanical failure of control rods; SLC successful | 0.02/0.09 |
Manual Depressurization | Mechanical failure of control rods; SLC successful; ADS originally inhibited | 0.14/0.2 |

(1) See Reference 29
4.9 Data Base Development

This section describes the development of the data base. The first subsection identifies the sources used to establish the data base for requantification of the Peach Bottom sequences. The assumptions used in the data development, limitations and uncertainty distributions associated with the data, and the use of plant-specific and generic data are presented in subsequent subsections. Finally, the data is described on a system by system basis.

4.9.1 Sources of Information for the Data Base

A review of plant-specific data was conducted. Major system pump and valve histories as well as "hi-spot" reports [10] were reviewed. It was found in almost all cases that plant-specific data fell within the bounds of current Accident Sequence Evaluation Program (ASEP) generic data. This was determined with help from the QCG data specialist, who used statistical tests to demonstrate the viability of using the generic data. The ASEP data was updated to incorporate the LaSalle information [45]. In a few cases, plant-specific data were used as noted in the data table. Other sources of data included WASH-1400, other Probabilistic Risk Assessments (PRAs), and miscellaneous reports as indicated in the data table. The initiating event plant frequencies are plant specific except for A, S1, S2, S3, and the bus initiators, which are ASEP generic. Recovery data and other human error probabilities were derived from the Human Reliability Analysis (HRA) and generic ASEP recovery data as indicated in Section 4.8.

4.9.2 Assumptions and Limitations in the Data Base

The System Analysis section (4.6) describes assumptions associated with a particular system. There are generic assumptions applicable to several systems. These assumptions are described in this subsection.

Failure to restore the system was treated at the component level. The two main contributors to the failure to restore terms were failure to restore the circuit breakers for pumps, and failure to restore the valves to operability after they had been isolated for maintenance. HRA and ASEP rules were used to obtain a nominal estimate of pre-accident and post-accident failure probabilities. The pre-accident and post-accident HRA values [25] make use of generic values but consider plant-specific procedures. Therefore, the HRA values are calculated with plant-specific considerations but are not plant-specific numbers. The pre-accident failure probabilities are based on Peach Bottom normal maintenance practices for isolating a portion of the system when the system is under maintenance and normal practices in restoring the system. In calculating the post-accident failure probabilities, the time available to perform recovery actions, indicators to operators for diagnosing a problem, and complexity of recovery actions were considered. Anticipated Transient Without Scram (ATWS) HRA values were derived from a detailed analysis covered in Reference 29.
In general, the beta common cause factor values were based on the data and methodology of Karl Fleming's report on reactor operating experience [23]. Higher order common cause factors for failure of more than two components are from Corey Atwood's common cause fault rate documents for valves, diesel generators, pumps and instrumentation [37,38,39,40]. There were some exceptions to the above technique. These include the battery common cause values, which were based on NUREG-0666 [24], and the common cause value for air-operated valves, which used a "generic" 0.1 beta value. Finally, multiple SRVs failing to close was based in part on the assumption of zero events in the available BWR reactor years. More on the treatment of common cause can be found in Section 4.7.

4.9.3 Plant-Specific Analysis and Use of Generic Data

When plant-specific data fell within the bounds of ASEP generic data, generic data were used. Plant-specific failure values that were based on zero or one failure were not used. It was felt that, in these instances, there were too few corresponding trials represented in the Peach Bottom experience base. The generic data represent a much larger experience base, leading to a more certain estimate in the failure probabilities for most components. Therefore, generic data were once again used. Appendix D summarizes the plant-specific data values used in the Peach Bottom analysis.

4.9.4 Uncertainty Distributions

For most of the parameter estimates used in the study, lognormal uncertainty distributions were assumed. This is a common practice used in many of the PRAs conducted to date. Two general exceptions were made to this standard practice. First, the uncertainty distributions for human error events have a less extensive data base to draw upon than the component event data base. Confidence did exist in the mean estimates and the corresponding upper and lower bounds of the human error data. For this reason, a maximum entropy distribution was frequently used by fixing the mean and upper and lower bounds in the analysis. This type of distribution was used for many of the human-related events in the study. The other exception is the ATWS human-related error estimates. Since the ATWS analyses conducted by Brookhaven National Laboratory provided lognormal distributions for the human error uncertainties, these were used "as is" for most cases in the study. In a few cases, distributions were such that probabilities of greater than 1.0 were possible out at the 97th percentile or beyond. In these cases, log-uniform distributions were developed using parameters of the lognormal distributions (i.e., mean, variance) but with the upper bound limited to 1.0 in accordance with the axioms of probability.

The loss of offsite power initiating event and recovery times were modeled using Bayesian methods [26]. The modeling utilizes a composite probability model fitted to three sources of data as a method of predicting the time to recovery (including uncertainty) of loss of offsite power. The three sources are plant-centered losses, grid losses and severe weather losses. A Bayesian approach was also used to model the uncertainty in the frequency of the initiating events. Combining the composite model and the initiating event model yields a complete model that incorporates uncertainty into the loss of offsite power events.

4.9.5 Complete Data Base Description
This subsection contains the data used in the analysis to quantify the accident sequence frequencies. Table 4.9-1 presents the majority of the data used in the analysis. Additional data on recovery actions can be found in Section 4.8. The information in the table is presented in alphabetical order by major system heading. A miscellaneous heading has been developed for basic events that don't fit logically into a major system heading. Data for the initiating events and beta factor values are presented at the end of the table. Within each system category, the basic events are listed alphanumerically.
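Section 4.9.4 notes that some lognormal human error distributions allow sampled probabilities above 1.0 in the upper tail. The sketch below is an added example, not part of the original report: it treats each median/mean pair printed in Table 4.8-3 as an exact lognormal (an assumption, since the BNL uncertainty values themselves are not reproduced here) and computes where each distribution crosses 1.0.

```python
import math

# Median/mean pairs as printed in Table 4.8-3 (ATWS human errors).
TABLE_4_8_3 = {
    "Initiate SLC": (0.005, 0.02),
    "Inhibit ADS": (0.02, 0.09),
    "Manual Depressurization": (0.14, 0.2),
}


def lognormal_sigma(median, mean):
    """Standard deviation of ln(X), from mean = median * exp(sigma^2 / 2)."""
    if not 0.0 < median < mean:
        raise ValueError("a lognormal needs 0 < median < mean")
    return math.sqrt(2.0 * math.log(mean / median))


def std_normal_cdf(z):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def error_factor(median, mean):
    """Ratio of the 95th percentile to the median (z = 1.645)."""
    return math.exp(1.645 * lognormal_sigma(median, mean))


def percentile_reaching_one(median, mean):
    """Percentile at which a sampled probability first reaches 1.0."""
    sigma = lognormal_sigma(median, mean)
    z = math.log(1.0 / median) / sigma
    return 100.0 * std_normal_cdf(z)


def mass_above_one(median, mean):
    """Fraction of samples that would violate P <= 1 if left untruncated."""
    return 1.0 - percentile_reaching_one(median, mean) / 100.0


if __name__ == "__main__":
    for name, (median, mean) in TABLE_4_8_3.items():
        print(f"{name:24s} sigma={lognormal_sigma(median, mean):.3f} "
              f"EF={error_factor(median, mean):.1f} "
              f"reaches 1.0 at the {percentile_reaching_one(median, mean):.2f}th "
              f"percentile (mass above 1.0: {mass_above_one(median, mean):.4f})")
```

Under this assumption all three distributions cross 1.0 beyond the 97th percentile, which is the tail region where the report limits the upper bound to 1.0.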
[Table 4.9-1 (multiple pages): data used to quantify the accident sequence frequencies. The table body is not recoverable from the scanned source.]}}
d 3 3 3 3 3 e N 3 E u A E E E E E 0 0 n Y E 0 0 0 C. i T M 1 1 1 1 1 1 I t L n I o B A - 0 - C L F 0 - - 1 ( I E 1 A V 1 a A 4 t N N 4 - U A - E - a I}}